wireless networks are everywhere

Upload: sourav-de

Post on 04-Jun-2018


  • 8/13/2019 Wireless Networks Are Everywhere

    1/10

    Wireless networks are everywhere; they are widely available, cheap, and easy to set up. To avoid the hassle of setting up a wired network in my own home, I chose to go wireless. After a day of enjoying this wireless freedom, I began thinking about security. How secure is my wireless network?

    I searched the Internet for many days, reading articles, gathering information, and participating on message boards and forums. I soon came to the realization that the best way for me to understand the security of my wireless network would be to test it myself. Many sources said it was easy; few said it was hard.

    How a wireless network works

    A wireless local area network (WLAN) is the linking of 2 or more computers with Network Interface Cards (NICs) through a technology based on radio waves. All devices that can connect to a wireless network are known as stations. Stations can be access points (APs) or clients.

    Access points are base stations for the wireless network. They receive and transmit the information that the clients use to communicate with each other.

    The set of all stations that communicate with each other is referred to as the Basic Service Set (BSS). Every BSS has an identification known as a BSSID, also known as the MAC address, which is a unique identifier that is associated with every NIC.

    For any client to join a WLAN, it should know the SSID of the WLAN; therefore, the access points typically broadcast their SSID to let the clients know that an AP is in range.

    Data streams, known as packets, are sent between the access point and its clients. You need no physical access to the network or its wires to pick up these packets, just the right tools. It is the transmission of these packets that poses the largest security threat to any wireless network.

    Wireless Encryption

    The majority of home and small business networks are encrypted using the two most popular methods:

    1. WEP
    2. WPA

    WEP

    Wired Equivalent Privacy comes in 3 different key lengths: 64, 128, and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively. WEP provides a casual level of security but is more compatible with older devices; therefore, it is still used quite extensively. Each WEP key contains a 24 bit Initialization Vector (IV) and a user-defined or automatically generated key; for instance, WEP 128 is a combination of the 24 bit IV and a user-entered 26 digit hex key ((26*4)+24=128).

    WEP also comes in WEP2 and WEP+, which are not as common and are still as vulnerable as the standard WEP encryption.

    WPA

    WiFi Protected Access comes in WPA and WPA2, and was created to resolve several issues found in WEP. Both provide you with good security; however, they are not compatible with older devices and are therefore not used as widely. WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.

    To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users simply cannot afford. WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP's, which, combined with other WEP fixes, allows substantially greater security over WEP.

    Packets and IVs

    It's all in the packets. The bottom line is this: while you may be able to employ several security features on your WLAN, anything you broadcast over the air can be intercepted, and could be used to compromise the security of your network. If that frightens you, start stringing wires throughout your home.

    Every encrypted packet contains a 24 or 48 bit IV, depending on the type of encryption used. Since the pre-shared key is static and could be easily obtained, the purpose of the IV is to encrypt each packet with a different key. For example, to avoid a duplicate encryption key in every packet sent, the IV is constantly changing. The IV must be known to the client that received the encrypted packet in order to decrypt it; therefore, it is sent in plaintext.

    The problem with this method is that the Initialization Vectors are not always different. In theory, if every IV was different, it would be nearly impossible to obtain the network key; this is not the case. WEP comes with a 24 bit IV, giving the encryption 16 million unique values that can be used. This may sound like a large number, but when it comes to busy network traffic, it's not.

    Not every IV is different, and this is where the issues arise. Network hackers know that all the keys used to encrypt packets are related by a known IV (since the user-entered WEP part of the key is rarely changed); therefore, the only change in the key is 24 bits. Since the IV is randomly chosen, there is a 50% probability that the same IV will repeat after just 5,000 packets; this is known as a collision.

    If a hacker knows the content of one packet, he can use the collision to view the contents of the other packet. If enough packets are collected with IV matches, your network's security can be compromised.
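As an added illustration, not part of the original article, the following Python script works through the IV arithmetic described above from the defender's side: it builds a WEP 128 per-packet key from a 3-byte IV and a 13-byte secret (showing that only 24 bits ever vary), computes the exact birthday-problem probability that a 24-bit IV repeats after a given number of packets, finds the packet count at which that probability reaches 50%, estimates how many IV pairs have already collided at the IV counts quoted later in the article, and scans a constructed list of IV values for reuse, the way someone monitoring their own WLAN could. The function names, thresholds and the sample IV list are this example's own assumptions.

```python
import math
from collections import Counter

IV_BITS = 24  # WEP IV width, as stated in the text; 2**24 = 16,777,216 values


def per_packet_key(iv: bytes, secret: bytes) -> bytes:
    """WEP forms each packet's RC4 key as IV || secret. For WEP 128 that is
    3 IV bytes plus a 13-byte (26 hex digit) secret, the text's
    (26*4)+24=128. Only the 3 IV bytes ever change, so two packets that
    carry the same IV are encrypted under the same key."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    return iv + secret


def collision_probability(packets: int, iv_bits: int = IV_BITS) -> float:
    """Exact probability that at least two of `packets` uniformly random IVs
    are equal (the birthday problem). Accumulated in log space so the
    product of thousands of factors does not underflow."""
    n = 1 << iv_bits
    if packets > n:
        return 1.0
    log_no_collision = sum(math.log1p(-i / n) for i in range(packets))
    return 1.0 - math.exp(log_no_collision)


def packets_for_collision(target: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Smallest packet count at which the collision probability reaches
    `target`; for 24-bit IVs and target 0.5 this lands near 4,800, the
    "just 5,000 packets" figure quoted in the text."""
    n = 1 << iv_bits
    log_no_collision = 0.0
    packets = 0
    while 1.0 - math.exp(log_no_collision) < target:
        log_no_collision += math.log1p(-packets / n)
        packets += 1
    return packets


def expected_colliding_pairs(packets: int, iv_bits: int = IV_BITS) -> float:
    """Expected number of IV pairs sharing a value among `packets` packets:
    C(packets, 2) / 2**iv_bits. At the 150,000 IVs the article mentions for
    a WEP 64 crack this is already several hundred pairs."""
    return packets * (packets - 1) / 2 / (1 << iv_bits)


def find_reused_ivs(ivs):
    """Map every IV that occurs more than once to its count. Because the IV
    travels in plaintext, a defender logging the IV field of their own WEP
    traffic can measure how quickly the IV space is being recycled."""
    return {iv: c for iv, c in Counter(ivs).items() if c > 1}


# Constructed sample of IV values (hex) as they might be read off captured
# frames; not taken from a real capture.
SAMPLE_IVS = ["0a1b2c", "000001", "0a1b2c", "fffffe", "000001", "0a1b2c", "3d4e5f"]

if __name__ == "__main__":
    key = per_packet_key(bytes.fromhex("0a1b2c"), bytes.fromhex("00" * 13))
    print(f"WEP 128 per-packet key: {len(key) * 8} bits, of which only 24 vary")
    print(f"50% chance of a repeated IV after {packets_for_collision(0.5)} packets")
    print(f"P(collision) after 5,000 packets: {collision_probability(5000):.3f}")
    print(f"Expected colliding IV pairs in 150,000 packets: "
          f"{expected_colliding_pairs(150000):.0f}")
    print("Reused IVs in sample:", find_reused_ivs(SAMPLE_IVS))
```

Run it as a script to see the numbers; the point to take away is that the 16 million IV values sound large, but the birthday bound puts the first expected repeat in the low thousands of packets, and at the IV counts a crack needs, hundreds of pairs of packets already share a key.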

    The Setup

    My wireless network was powered by a Linksys WRT54G v6 wireless router; it is well known that this model is the most widely used wireless router. Out of the box, the Linksys router came with 1 CD which was nothing more than a visual step-by-step of what you should do to connect it.

    A few things concern me with this router. There was no part in the setup that allowed me, or even told me, to change my router's default password. To change the password, I had to go into the router's web-based setup utility; this was accessible via the IP address 192.168.1.1 in my Internet browser. The default username and password was admin. If someone was able to compromise the security on my network, they could have easily done this for me, and locked me out of my own network. Sure, I could have performed a hard reset on the router, but I'd have little luck without the Internet or any documentation to help.

    If you're looking to find your default username and password, there is quite a comprehensive list located at www.phenoelit.de (http://www.phenoelit.de/). My advice is to change this immediately, for it may save you some trouble down the road.

    Being my first time, I decided to go easy; I set my router up with a basic WEP 64 encryption, which required a 10 digit hex key. I entered the key into the 2 other computers in my home, and I was ready to start.

    Hardware

    Out of everything I've experienced over the last couple weeks, this was the hardest obstacle, by far. I started with a Dell Latitude C610 notebook with a Linksys WPC54GS Wireless-G notebook adapter (Broadcom chipset) running Windows XP Pro; looking back, it was a bad choice.

    When selecting hardware, be warned: not all network cards are equal. It turns out that nearly 99% of the software used to crack network keys is not compatible with notebook cards that have a Broadcom chipset; the ones that were just didn't work.

    9 out of every 10 articles I read boasted that the Orinoco Gold PCMCIA network card by Lucent was the absolute best pick and the most compatible with all the good software. A trip to E-Bay, $30 later, and I was ready.

    The software we will be using is strictly dependent on the chipset of the WNIC and, unfortunately, the operating system. Your best approach would be to research what software you will be using, and then find a card based on the chipset the software is compatible with.


    There are many types of chipsets; too many, in fact, to mention. Linux-wlan.org has an unbelievably comprehensive list of WNICs and their corresponding chipsets (http://www.linux-wlan.org/docs/wlan_adapters.html.gz).

    All the best programs are made for Linux; Windows is certainly a drag when it comes to WLAN penetrating software, but if you don't have Linux, don't be too concerned.

    It may be in your best interest to invest in a wireless card that has an external antenna jack. The Orinoco Gold WNIC I purchased has one, but since I'm compromising my own network at short range, it won't be necessary.

    The Software

    There are hundreds of applications you can use to do a variety of things with wireless networks. The largest list of software that I came across can be found at Wardrive.net (http://www.wardrive.net/wardriving/tools). The term wardriving is more commonly used for this practice, and involves driving around neighborhoods to look for wireless networks. I refuse to use this term because that is not what I am doing; I am sitting in my home testing the vulnerabilities of my own network.

    Let it be known that it is not illegal to use software to detect the presence of wireless networks; however, if you crack the network and start stealing bandwidth, you could be in a world of trouble. Especially if you're in Singapore (http://www.theinquirer.net/default.aspx?article=37005).

    Once I received my Orinoco card, I began re-installing software which did not previously work with my Linksys card. It was a nightmare; Windows XP kept getting in the way, software that had been modded to run on Windows required daunting installation tasks, some programs simply didn't work, and some required special run-time modules to be installed.

    After nearly 48 hours of time-wasting, aggravating disappointment, I came across the answer. A small penguin shone a beam of light upon my browser and blessed me; I found Auditor (http://www.remote-exploit.org/index.php/Auditor_main).

    (2/6/07 - The link is currently not working, but you can obtain Auditor through any Torrent service.)

    Auditor Security Collection is a self-booting Linux-based CD that comes pre-loaded with all the best security software for auditing a system. It comes as a .ISO file that can be downloaded from remote-exploit.org (http://www.remote-exploit.org/); the ISO image file is roughly 649 Mb, and can be burned to a CD or DVD using most CD/DVD writing utilities.

    It was truly amazing; a simple check in the BIOS of the laptop to set the boot order to CD/DVD first, a slip of the Auditor CD, and a press of the power button was all it took. I was ready. Be not afraid of this Linux-based CD; everything is laid out in a GUI and all commands have shortcuts linking to them on a desktop similar to a Windows environment.


    Auditor Security Collection does not touch a single file on your hard drive. All files used and saved in the ASC are stored in your notebook's RAM; once you remove the CD and reboot, everything is exactly as it was.

    Detecting my wireless network

    If you've come this far, believe me, you're doing well. The first step is to find the network you want to penetrate. As there are a variety of apps that allow you to do this, we will be focusing in on the 2 most popular: Netstumbler and Kismet.

    Netstumbler (http://www.stumbler.net/) is a widely popular tool used for detecting 802.11a/b/g wireless networks. The latest version is Netstumbler 0.4.0, and will run in Windows XP. For compatible hardware and requirements, you can check the read me on the Netstumbler forums (http://www.stumbler.net/readme/readme_0_4_0.html); or you could just try it. I'd like to point out that many sources have said the Linksys WPC54G/S WNIC does not work with Netstumbler; however, I have been able to make it work by launching the program, then removing and re-inserting the WNIC. The Orinoco Gold works fine with Netstumbler.

    Kismet (http://www.kismetwireless.net/) does a little more than just detect networks. Aside from providing every detail about a network except the encryption key, Kismet is a packet sniffer and intrusion detection system; we'll get into sniffing packets a little later.

    For this demonstration, we'll be using the pre-loaded Kismet on the Auditor Security Collection. After inserting and booting the Auditor CD, I was ready to make sure everything was working properly.

    From this point, the first thing that needed to be done was to ensure the wireless card was recognized by Auditor; to do this, you will have to venture into the dark world of the command prompt. In Auditor, the command prompt can be reached by clicking on the little black monitor icon located at the bottom of your screen.

    Simply typing in iwconfig will allow you to see all the wireless extensions configured on the machine. If you see a screen full of data next to a WLAN0 or ETH0, you're ready to continue to the next step; otherwise, you will see a list of "no wireless extensions" messages.

    Next, you will need to start the Kismet program. You'll initially be prompted to enter a destination to save data to; you can just select the desktop and continue. When Kismet loads, you will see a black screen with green text showing all the wireless networks within your signal range.

    Kismet will give you all the information you need to start cracking. Pressing s on your keyboard will bring up a Sort Network dialogue box. From there you can press any of the desired sorting methods. This step is important as it allows you to select a particular wireless network on a list to view more details. Select your network with the arrow keys and press enter.


    You will then be looking at nearly all your network details such as name, SSID, server IP, BSSID, etc. Most are not relevant in this case, but you should write down a few things:

    1. BSSID
    2. Channel #
    3. Encryption method

    Pressing x in Kismet will return you to the previous screen. Re-select your target WLAN; then press SHIFT+C to bring up a list of the clients associated to the access point. Write down the MAC address of all clients, as it will prove useful.

    Capturing packets

    While you may not have been aware of it, at this point Kismet has also been capturing packets. This is the bread and butter of cracking any wireless encryption; without data to process you have nothing.

    Capturing packets, also known as packet sniffing, is the process of intercepting and logging traffic passing over a network. As information is sent and received over your wireless network, the software captures every packet to allow you to analyze and decode it.

    Capturing network traffic can be a timely process, especially if it is a slow network. With no-one on any computers in my home, I generally capture around 3,000 packets within 5 minutes; with users on the other 2 computers, this number is substantially greater. Don't get confused: it's not the packet itself that we want, but rather the IVs in the packets.

    The programs we will be using to sniff packets are Kismet and Airodump (part of the Aircrack Suite). We've already touched on Kismet, so let's take a look at Airodump.

    Before running Airodump, you must configure your wireless interface to go into monitor mode; the methods to achieve this require you to go back to the command prompt (konsole).

    For most WNICs, you would use the command:

    iwconfig <interface> mode monitor

    And in some instances you would have to set the channel number on your WNIC to match that of the target access point:

    iwconfig <interface> channel #

    Note that you will have to replace <interface> with the network interface specific to your machine. Using an Orinoco Gold card, my network interface was eth0; but on most machines, it is wlan0 or ath0. So you may have to adjust those commands accordingly. You can find out for sure by simply typing iwconfig.


    I should also point out that putting the Orinoco Gold card in monitor mode had a different command altogether:

    iwpriv eth0 monitor 2 1

    Once you're in monitor mode, you're ready to run Airodump. The command used to start Airodump is:

    airodump <interface> <output file> [mac filter]

    <output file> can be anything you wish; Airodump will put a .cap extension on the end of the name. The mac filter is used to only capture packets from a specific access point. For instance, I used:

    airodump eth0 george 00:18:f8:65:fe:41

    to capture packets just from my access point, where 00:18:f8:65:fe:41 is the BSSID of the AP.

    Airodump looks similar to Kismet, but there are no selectable objects on the screen; it gets right down to it, capturing packets and storing them in the .cap file as defined in the command. You'll notice Airodump keeps a running count of all the packets captured and, better yet, shows you the number of IVs collected.

    The waiting game

    The hard truth is that you will need to collect nearly 150,000 IVs to crack a 64 bit WEP key, and around 600,000 IVs to crack a 128 bit WEP key. This number varies, but is mostly dependent on how lucky you are. If you watch the IV count in Airodump, you'll notice that, under normal circumstances, it does not rise rapidly.

    This can cause a problem, particularly if you're as impatient as I am. Let's take a look at some ways we can speed up this process.

    Until now, we've been using a method known as a passive attack. A passive attack is basically doing nothing other than passively capturing packets until you have gathered enough data to perform the crack.

    Most access points need their clients to re-associate after a certain period of time to confirm their connection; therefore, the AP will send out an Address Resolution Protocol (ARP) packet. The ARP packet is unique in that it is always addressed to the MAC address FF:FF:FF:FF:FF:FF, usually has a size of 68 bytes, and has the ToDS flag set.

    We can use this information to implement an ARP replay attack. For this method, we will be using Aireplay (part of the Aircrack Suite). Aireplay can be used to actually re-send packets that it has received.

    Leave Airodump running, and open a new command window. The command we'll be using for Aireplay is:

    aireplay -i -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0

    The -i tells Aireplay to capture packets on the fly; the -m 68 and -n 68 tell Aireplay that you only want it to replay packets that are 68 bytes. The -d and -b are the destination MAC address and the AP MAC address (BSSID) respectively. These are the criteria that define our ARP packet, which is usually associated with an IV.

    Alternatively, you may have already captured one of these packets. You can have Aireplay check the .cap file from Airodump with the -f switch:

    aireplay -f george.cap -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0

    In either case, if Aireplay finds a match to our specifications, it will show you the details of the packet and ask if you would like to replay it. If the details look exactly as shown below, press y for yes.

    FromDS = 0, ToDS = 1
    BSSID =
    Src. MAC =
    Dst. MAC = ff:ff:ff:ff:ff:ff

    Aireplay will then begin to replay the packet; if you've found a winning packet, you will notice your packet and IV counts in Airodump rise extremely quickly. If not, only the packet count in Airodump will rise; if this is the case, press CTRL+C to abort the operation, restart Aireplay, and try again.

    It has been noted that some routers will detect this erratic behavior and block the MAC address of the WNIC you are using. Adding a -x switch followed by a replays-per-second number will slow down the rate at which Aireplay replays these packets.

    If you're lucky enough, you will have collected enough IVs in little time. For me, it took 28 minutes including booting up, writing down the network specs, and typing all those lengthy commands.

    There are other methods, such as deauth (deauthentication) attacks which force the clients off the AP, causing them to have to re-associate; but these methods require a second computer.

    The crack

    Two of the most popular programs used for actually cracking the WEP key are Airsnort and Aircrack. Airsnort can be used with the .dump files that Kismet provides, and Aircrack can be used with the .cap files that Airodump provides.

    Airsnort can be used on its own without any other software capturing packets; although, it has been reported to be extremely unstable in this state, and you should probably not chance losing all your captured data. A better method would be to let Airsnort recover the encryption key from your Kismet .dump file. Kismet and Airsnort can run simultaneously.


    For this demonstration, we'll be using Aircrack. You can use Airodump to capture the packets and Aircrack to crack the encryption key at the same time.

    With Airodump running, open a new command window and type:

    aircrack -f 3 -n 64 -q 3 george.cap

    The -f switch followed by a number is the fudge factor, which is a variable that the program uses to define how thoroughly it scans the .cap file. A larger number will give you a better chance of finding the key, but will usually take longer. The default is 2.

    The -n switch followed by 64 represents that you are trying to crack a WEP 64 key. I knew because it was a setup; in the real world there is no way to determine what WEP key length a target access point is using. You may have to try both 64 and 128.

    The -q 3 switch was used to display the progress of the software. It can be left out altogether to provide a faster crack; although, if you've obtained enough unique IVs, you should not be waiting more than a couple minutes.

    A -m switch can be used, followed by a MAC address, to filter a specific AP's usable packets; this would come in handy if you were collecting packets from multiple APs in Airodump.

    Aircrack recovered my WEP 64 key within 1 minute using 76,000 unique IVs; the whole process took around 34 minutes.

    The same experiment was repeated with WEP 128 and it took about 43 minutes. The reason it was not substantially longer is that I simply let Aireplay replay more packets. Sometimes you can get lucky and capture an ARP Request packet within a few minutes; otherwise, it could take a couple hours.

    After I had access to the network, many doors opened up. Aside from having access to the Internet, I was able to use Networkview (http://www.networkview.com/), a network discovery tool, to obtain my network's workgroup name. From there, I had access to all the shared files on my drives.

    While I'm no expert in the subject, I can at least assume that many horrible things could happen if the wrong hands were to obtain my WLAN encryption key.

    The conclusion

    Always use WPA or WPA2 encryption when possible. If you're using WPA with a pre-shared key, use a strong password; hackers can use dictionary attacks, and they will be quite effective if you have an easy password. You may want to use a strong password generator like the one at grc.com (https://www.grc.com/passwords.htm).
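As an added example that is not from the original article, here is a small Python tool built around the passphrase advice above: it generates a random WPA/WPA2 pre-shared key passphrase from the operating system's CSPRNG (the job a generator like the one at grc.com does), and it checks a candidate passphrase against the length rule, a constructed wordlist standing in for an attacker's dictionary, and a rough entropy estimate. The 8 to 63 printable ASCII character limit is the WPA-PSK passphrase rule; the wordlist contents, the 64-bit threshold and the function names are this example's own assumptions.

```python
import math
import secrets
import string

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters; the AP
# derives the 256-bit pre-shared key from the passphrase and the SSID.
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for an attacker's wordlist (assumption of this
# example); a real check would load a large dictionary file instead.
SMALL_WORDLIST = {"password", "linksys", "wireless", "admin", "internet", "letmein"}


def generate_passphrase(length: int = 32) -> str:
    """Random passphrase drawn with the secrets module (CSPRNG), the kind of
    value a strong-password generator hands you."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(passphrase: str) -> float:
    """Optimistic entropy estimate: treat every character as drawn uniformly
    from the union of the character classes the passphrase actually uses.
    A dictionary word scores far lower in practice, which is why the
    wordlist check below runs first."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase: str, wordlist=SMALL_WORDLIST, min_bits: float = 64.0):
    """Return (accepted, reason). Rejects bad lengths, non-ASCII, wordlist
    entries (ignoring case and a trailing digit/punctuation suffix, the
    variants a dictionary attack tries first) and low estimated entropy."""
    if not PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN:
        return False, "length must be 8-63 characters"
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        return False, "only printable ASCII is allowed"
    stem = passphrase.lower().rstrip(string.digits + string.punctuation)
    if stem in wordlist:
        return False, "dictionary word with a trivial suffix; a wordlist attack would find it"
    bits = entropy_bits(passphrase)
    if bits < min_bits:
        return False, f"estimated entropy {bits:.0f} bits is below {min_bits:.0f}"
    return True, f"accepted ({bits:.0f} bits estimated)"


if __name__ == "__main__":
    for candidate in ["linksys", "Password1!", "abcdefghij", generate_passphrase(32)]:
        ok, why = check_passphrase(candidate)
        print(f"{'OK  ' if ok else 'WEAK'} {candidate!r}: {why}")
```

The order of the checks matters: "Password1!" mixes four character classes and would score well on the entropy estimate alone, but it is a wordlist entry with the suffix attackers try first, so the wordlist check has to run before the entropy estimate is trusted.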


    If your access point supports it, you may want to consider disabling wireless SSID broadcast; however, this may raise some issues with the AP's clients recognizing it. (Kismet will still recognize it.)

    Many routers will allow you to filter which clients can access the network; this is known as Wireless MAC Filtering. If you know the MAC addresses of the clients you are using, you can enter them into your configuration utility as Permit ONLY. This is not a 100% effective method; MAC addresses can be cloned to match the AP's associated clients, but it does provide you with a slightly higher level of security. (There is a utility on Auditor to allow you to do this.)

    By default, your router may be set to mixed mode; this allows 802.11b and 802.11g devices to access your network. If you use only 802.11g devices, set your router to G-ONLY. Had my router been set this way, I would never have been able to do any of this. The Orinoco Gold card is 802.11b, and is obviously not compatible with an 802.11g network. Many 802.11g cards are not supported by the software we've used in this tutorial, but a few are. While you're at it, please change your default router username and password.

    While I haven't tried my hand at cracking a WPA encryption, the methods are similar when the WLANs use pre-shared keys (PSK); I do plan on trying it, and I will surely write an update to let you know how/if it was done.

    By no means am I claiming to be an expert in this field; if you've noticed anything that was incorrect or just have something to add, please feel free to drop a comment.