SciELO - Scientific Electronic Library Online

vol.27 issue47Analysis of precipitation and recharge of aquifers in Tota and Ibagué (Colombia) from stable isotopes (18O and 2H)Enterprise file synchronization and sharing services for educational environments in case of disaster author indexsubject indexarticles search
Home Pagealphabetic serial listing  

Services on Demand



Related links

  • On index processCited by Google
  • Have no similar articlesSimilars in SciELO
  • On index processSimilars in Google


Revista Facultad de Ingeniería

Print version ISSN 0121-1129

Rev. Fac. ing. vol.27 no.47 Tunja Jan./Apr. 2018 


Evaluation of the WPFI2-PSK wireless network security protocol using the Linset and Aircrack-ng tools

Evaluación de seguridad en protocolo do rod inalámbrico UUPA2-PSK usando las herramientas Linset y Aircrack-ng

Avaliação de segurança em protocolo de rede sem fio WPA2-PSK usando as ferramentas Linset e Aircrack-ng

Alberto Acosta-López1  , Elver Yesid Melo-Monroy2  , Pablo Andrés Linares-Murcia3 

1 M. Sc. Universidad Distrital Francisco José de Caldas (Bogotá-Distrito Capital, Colombia).

2 Universidad Distrital Francisco José de Caldas (Bogotá-Distrito Capital, Colombia).

3 Universidad Distrital Francisco José de Caldas (Bogotá-Distrito Capital, Colombia).


Due to the emergence of new techniques and technologies of intrusion, the wireless network protocols have become obsolete; for this reason, this research seeks to violate and evaluate the security of the WPA2 protocol that is widely used by the Colombian service providers. The first section of this paper introduces the WPA2 protocol by describing its operation and the potential attacks it may suffer; the second part details the methodology used to collect the tests data and to carry out the evaluation necessary for the preparation of this article. In addition, we present the Linset and Aircrack-ng tools for auditing wireless networks that were selected to assess the security of the protocol. Finally, we show the results and conclusions.

Key words: data security; information security; intrusion detection; wireless security


Debido al surgimiento de nuevas técnicas y tecnologías de intrusión, los protocolos de redes inalámbricas quedan obsoletos; para ello se busca vulnerar la seguridad del protocolo WPA2, que es ampliamente usado por los proveedores de servicios colombianos. En la primera parte, el artículo hace una introducción del protocolo WPA2, describiendo su funcionamiento y los ataques de los cuales puede ser objeto; en la segunda parte se muestra la metodología que se usó para recolectar pruebas y realizar la evaluación necesaria para la elaboración de este documento. Se presentan las herramientas para auditoría de las redes inalámbricas Linset y Aircrack-ng, las cuales fueron seleccionadas para la evaluación de seguridad del protocolo. Finalmente, se muestran los resultados y las conclusiones.

Palabras-clave: detección de intrusión; seguridad de datos; seguridad de la información; seguridad inalámbrica


Devido ao surgimento de novas técnicas e tecnologias de intrusão, os protocolos de redes sem fio ficam obsoletas; para isso, busca-se vulnerar a segurança do protocolo WPA2, que é amplamente usado pelos provedores de serviços colombianos. Na primeira parte, o artigo faz uma introdução do protocolo WPA2, descrevendo seu funcionamento e os ataques dos quais pode ser objeto; na segunda parte mostra-se a metodologia que se usou para recolher provas e realizar a avaliação necessária para a elaboração deste documento. Apresentam-se as ferramentas para auditoria das redes sem fio Linset e Aircrack-ng, as quais foram selecionadas para a avaliação de segurança do protocolo. Finalmente, mostram-se os resultados e as conclusões.

Palavras-Chave: detecção de intrusão; segurança de dados; segurança da informação; segurança sem fio


Cyber-attacks are a growing trend in modern Colombian society. These attacks impact users with information on the Internet [1] because the information traffic generated when files are moved from a computer or cell phone to the Internet, always creates an encryption that allows hiding information frames and packages necessary between the modem and the sending device. For this reason, it is necessary to know how such information packages, which contain important information for the security of our data, are attacked.

A. What is WPA2-PSK?

Among the existent wireless networks that allow interconnecting two or more computers to transmit data, the best known are WPAN (Wireless Personal Area Network), WLAN (Wireless Local Area Network), WMAN (Wireless Metropolitan Network), and WWAN (Wireless Wide Area Network). Each network has an associated protocol and IEEE standard that allow the review and the subsequent communication in a local or global network. We will focus on the WLAN wireless network with WPA2-PSK protocol based on the IEEE 802.11i standard that was released on July 24, 2014 [3-5].

WPA (Wireless Protected Access) originated in the problems detected in the WEP, a previous security system created for wireless networks [6]. WPA2-PSK (PSK acronym for Pre-Shared Key) is the evolution of the WPA protocol; it implements an algorithm based on a key of 8 to 63 characters, which is taken as a parameter, and with this value, a new key is randomly generated [6].

Fig.1 Operation of the protocol WPA2-PSK [6]

The operation of WPA2-PSK involves the following steps (Fig. 1):

  1. The authenticator sends a message to the supplicant with a value generated randomly using its PSK key (an arbitrary value with no special meaning). This message is known as an authenticated nonce or simply nonce, because it contains a field called nonce whose value is generated randomly with the PSK key of the authenticator, as shown in Fig. 1, which was captured with Wireshark. In addition, the Replay Counter is an indicator that allows the authenticator and the supplicant to know the number of packages that have been previously sent [6].

  2. The supplicant receives the message and generates another message called snonce (supplicant nonce), which is basically of the same type as the received anonce package, but contains a different nonce (an arbitrary text generated randomly using the PSK key of the supplicant) [6].

  3. With the previous information, the supplicant creates the Pairwise Transient Key (PTK); this step is extremely important and, therefore, the reader should pay more attention, because is where the "magic" of PSK and the dynamic generation of keys take place, which was implemented in the beginning to improve the security of WEP against fairly widespread attacks. PTK are the keys generated in each packet exchanged between the supplicant and the authenticator, and are generated using the Pairwise Master Key (PMK), but they are the same PSK code generated in step 1; that is, each PTK is generated dynamically by the supplicant PSK and the authenticator [6].

  4. The procedure for generating the PTK key is really important, hence, its understanding is necessary. The PTK is generated by the PMK using a PTK random key generation function that takes the following parameters: 1) anonce, which is the package generated by the authenticator that contains a random text encrypted with its PSK key; 2) snonce, which is the package generated by the supplicant that contains a random text encrypted with its PSK key; 3) MAC authenticator; and 4) MAC supplicant [6].

  5. The supplicant sends a packet to the authenticator with the snonce message and a MIC field (field encrypted using the Michael encryption mechanism) that allow performing an integral and consistent check of the packet; this field is generated by the supplicant using the PTK and the PMK [6].

  6. With the package sent by the supplicant in step 5, the authenticator derives the PTK key, since it already knows the fields necessary to do the calculation: PMK, which is the same for both the supplicant and the authenticator, anonce, snonce, and the MAC addresses of the authenticator and the supplicant [6].

  7. Once the authenticator has generated the PTK with the fields received from the previous packet (with the snonce field), it tries to generate the MIC field, since it has the same PTK and PSK as the supplicant. The MIC generated by the authenticator and the supplicant must be the same, and if that is the case, the authenticator sends a message to the supplicant of the type "Key Installation"; this message can be seen with the "Flag" of the type "Install Flag", which in turn can be seen in the third package exchanged in the authentication process [6].

  8. The supplicant sends to the authenticator a "Key Install Acknowledgment" message, which simply confirms that, in this session of package exchange, the same PTK generated in the client and the AP were used. This package contains a "Key ACK" field with a value of zero, indicating that it is the last message sent in the authentication process between the supplicant and the authenticator [6].

Once the function of the WPA2-PSK protocol is understood, we can perform different types of attacks to detect its vulnerabilities.

B. Types of attack

Modems that create wireless networks for their users are vulnerable to several types of attack. The most common attacks are the following:

  1. SYN saturation attack: flood network traffic. In other words, a single individual makes a large number of requests to the server, in this case the modem, which denies access to the rest of its users [7].

  2. DoS attack: It is a denial of service attack [8].

  3. DDoS attack: it is an extension of the DoS attack, but it attacks from different connection points [8].

  4. Identity theft: Phishing is based on social engineering that focuses on the fact that humans make the greatest errors [8].

  5. Attack by intermediary: It diverts packet information by changing it and returning altered information, or just checking what information is being handled by the target user [8].


A. Software

  1. WIFISLAX. Operating system based on Linux that can be used as a live cd or boot access on a USB; it was designed by, and was adapted for Wireless [9]. This OS is an audit tool for wireless networks that contains a set of tools to function.

  2. Linset. Application to audit wireless networks that does not use decryption dictionaries to obtain the access code to the network. With this tool, the cooperation of the user, who is unaware of the attack, is of vital importance, which implies that the user has little or no knowledge of computer security. Linset creates a fake AP with the same ESSID, as the one we are attacking and without any type of encryption; in addition, it authenticates the APs of the legitimate clients, preventing them to authenticate, and making them access the AP created by this tool and enter the password of the network [10].

  3. Operation. This tool attack the modem, allowing network users to connect, and then, creating a fake network to which users will connect and provide the network password. Once the password is obtained, the fake network is closed and the modem operation is released.

  4. Aircrack-ng. Complete suite of tools that audit wireless Wi-Fi networks. This tool focuses on different areas of security in wireless networks: packet-monitoring, attack, testing, and cracking [11].

  5. VMware Workstation PRO (trial version). This tool is one of the industry standard products to run multiple operating systems as virtual machines on a single PC. Thousands of IT professionals, developers, and businesses use Workstation Pro and Workstation Player to improve agility, productivity, and security [12].

  6. Windows 8 Pro (trial version). New operating system created by Microsoft. In this case, we will use Windows pro test version for the development of this research.

B. Hardware

Modem ZTE ZXV10 W300E (for home network use)

Desktop computer corei7 16 RAM

Network adapter TP-LINK WN725 (Does not support monitoring)

Network adapter TP-LINK WN722N (Supports packet monitoring)

C. Methods

The modem was configured to generate a wireless network called Security, use the WPA2-PSK protocol, and generate the password for accessing the newly created network. In this case, the network was called Prueba Articulo, and the password was @Prueba@.

We performed the audit using attack by intermediary and DoS attack (for using decryption dictionaries known as brute force), and run ten tests for each technique.

First, we carried out a brute-force attack, that is, an information package was captured with the wireless network encrypted access key. Afterwards, we carried out an impersonation attack, in which a third network that impersonates the original network is created, while the victim sends the password of his/her wireless network. In both attacks, we evaluated anonymity and waiting time to obtain access.


This study allowed us to understand better the use of the audit tools. The focus of our analyses was to highlight the vulnerabilities of the security protocol; for this, we studied the following items: time to obtain the password, method, and visualization of the attack (Table 1).

TABLE 1 Comparative table between the Linset and Aircrack tools 

Table 2 shows the length (hours) of each of the 10 tests conducted with the Aircrack tool; whereas Table 3 shows the length (minutes) of the attacks with the Linset tool.

TABLE 2 length (in hours approx.) of an attack with Aircrack 

TABLE 3 length (in min approx.) of an attack with Linset 

The network attack using Linset was one of the most effective; however, this is not because of the results, but because of the lack of defense methods. Therefore, as long as the attacker has a good network card, the attack is imminent and difficult to avoid if the user is unaware of it.


Although companies in Colombia like Digiware are dedicated to computer security, no system is 100 % safe. What is really important for an adequate protection of our data is education; however, how do we obtain this knowledge? Are the supplier companies willing to give us basic training to at least change the password of our wireless network? The truth is that the knowledge we have today is quickly becoming obsolete, particularly in technology; what before lasted a little over a year, nowadays only last for weeks or sometimes days. In the current information age, it is necessary to have a minimum of security in our data, which is why a question arises: who will train us for this?

This article presents two tools to evaluate the security of our wireless networks, and the way the WPA2 security protocol works. Additionally, we provided elementary knowledge about the different types of attacks that currently affect wireless networks. Evidently, besides computer viruses, the attacks to the network infrastructure are problematic because they allow access to the users' sensitive data.


Linset employs more advanced techniques than Aircrack, seeking the ingenuousness of the user to appropriate the networks password. It also uses a technique of alternative creation of networks contrary to Aircrack, which collects identification packages; in terms of time, Aircrack method is more expensive than Linset. Aircrack attacks on vulnerable networks are totally unavoidable, therefore, it would be necessary to find a solution. The delay time that the Linset tool has against Aircrack is limited with respect to time: A Linset attack is limited by the user's patience who usually does not tolerate more than 15 minutes without giving up the password. An Aircrack attack is limited by the power of the attacking machine; depending on the capacity of the machine, the search can take from days to weeks or even up to one month.

Depending on the management of the company, it is necessary to train the employees to identify the attacks on the networks, and thus avoid providing relevant information so the attacker can access the network. A mechanism to increase the security of entry to a private Wi-Fi network is the authentication through the devices Mac addresses. This mechanism not only allows the known devices to access, but also provide a degree of security.


The authors acknowledge the collaboration and funding from the research group TRHISCUD (Treatment of clinical historical information -Universidad Distrital) of the Engineering School at the Universidad Distrital Francisco José de Caldas. We plan to continue with this collaboration in future studies.


[1] D. Lemos, "El secreto en la nube," [Online]. Available: [Accessed Apr. 30, 2017]. [ Links ]

[2] R. Juan, "Redes inalámbricas Principales protocolos," 2011. [Online]. Available: Available: [Accessed Apr. 28, 2017]. [ Links ]

[3] A. Hassan Adnan, "A comparative study of WLAN security protocols: WPA, WPA2," in International Conference on advances in Eletronical Engineering (IEEE), Dhaka, Bangladesh, 2015. [ Links ]

[4] Intel, "Wi-Fi diferentes protocolos y velocidades de datos," 2017. [Online] Aviable: [Online] Aviable: [Accessed May. 20 2017]. [ Links ]

[5] IEEE "802.11-2016 - IEEE Standard for information technology," 2016. [Online]. Available: Available: [Accessed May 21, 2017]. [ Links ]

[6] J. Ruz Maluenda , B. Riveros Vasquez, and A. Varas Escobar, "Redes WPA/WPA2," [Online] Available: Available: [Accessed May. 20, 2017]. [ Links ]

[7] Ciberseguridad wikia, "Ataques TCP/IP," 2013. [Online] Available: Available: [Accessed May. 24, 2017]. Evaluation of the WPA2-PSK wireless network security protocol using the Linset and Aircrackng tools [ Links ]

[8] S. Dietrich, D. Dittrich, and P. Reiher. Denial of Service. Attack and Defense Mechanisms. NJ: Prentice Hall. 2004. [ Links ]

[9] Wifislax "Presentación," [Online] Available: Available: [Accessed Jun. 4, 2017]. [ Links ]

[10] A. Maroto, "Crackeando Redes Wi-Fi: WPA y WPA2 -PSK," 2016 [Online] Available: Available: [Accessed Jan. 20, 2017]. [ Links ]

[11] Aircrack-ng, "Introduction," [Online] Available: Available: [Accessed Mar. 27, 2017]. [ Links ]

[12] VMware, "Workstation pro," [Online] Available: Available: [Accessed Mar, 30 2017]. [ Links ]

[13] V. Paranjape, and V. Pandey, “An Innovation in Education Through Cloud Computing,” in All India Seminar on Biomedical Engineering, 2012. [ Links ]

[14] X. Wang, and Q. Cai, “The Analysis of the Application of Cloud Computing in the Field of Basic Education,” in Second International Conference Technology in Education, 2015. DOI: [ Links ]

[15] S. Pizard, F. Aceranza, V. Casella, S. Moreno, and D. Vallespir, “Conceptos de Ingeniería de Software Basada en Evidencias,” Reporte Técnico, RT 15-08, 2015. [ Links ]

[16] M. Basso, C. Smulders, and J. Mann, “Magic Quadrant for Enterprise File Synchronization and Sharing Market,” Gart. Inc ., Jul. 2015, pp. 16, 2014. [ Links ]

[17] F. J. Díaz, C. M. Banchoff Tzancoff, A. S. Rodríguez, and V. Soria, “Usando Jmeter para pruebas de rendimiento,” in XIV Congreso Argentino de Ciencias de la Computación, 2008. [ Links ]

[18] S. Powers, “Graph Any Data with Cacti!,” Linux Journal, vol. 271. pp. 50-68, Nov. 2016. [ Links ]

[19] ULEAM, “Reporte de matriculados 2016 y 2017,” Universidad Laica Eloy Alfaro de Manabí, 2017. [ Links ]

[20] ISO/IEC, “ISO/IEC 22301:2012 Societal security -- Business continuity management systems ---Requirements,” 2012. [ Links ]

[21] Alberta Education, “IT Disaster Recovery Planning Guide”, 2016. Available in: [ Links ]

[22] ISO/IEC, “ISO/IEC 25010 (2011) - Systems and software Quality Requirements and Evaluation (SQuaRE) - System and software quality models,” 2011. [ Links ]

[23] K. Esaki, “Verification of Quality Requirement Method Based on the SQuaRE System Quality Model,” Am. J. Oper. Res., vol. 3 (1), pp. 70-79, 2013. DOI: [ Links ]

Para citar este artículo: A. Acosta-López, E. Y. Melo-Monroy, and P. A. Linares-Murcia, "Evaluation of the WPA2-PSK wireless network security protocol using the Linset and Aircrack-ng tools," Revista Facultad de Ingeniería, vol. 27 (47), pp. 73-80, Jan. 2018

AUTHOR CONTRIBUTIONS Alberto Acosta supervised the study. Pablo Linares was the rapporteur of the project, made the first tests, and created the base methodology. Elver Melo helped validating the results and complemented the technical and bibliographic data for the realization of the practice

Received: September 13, 2017; Accepted: September 27, 2017

Creative Commons License This is an open-access article distributed under the terms of the Creative Commons Attribution License