This post is something I have been meaning to write about for ages. We all use wireless network connections all the time: at work, at home, on the move. For most of us pros wireless networking has become the norm, so much so that if you get to an airport or train station that doesn't offer some kind of wireless access you feel like you're sitting in a backwards, ultra-low-tech, bumpkinesque farm. In the past few years my interests have drifted away from computer security, but recently it has started to turn me on again, and I wanted to see just how easy virtual breaking and entering is these days and whether it has become harder than I remember. So I decided to (metaphorically) smash my own wireless network up a bit. What I used:
- MacBook Pro 15-inch (Core Duo 2.16GHz, 2GB RAM)
- KisMAC 0.21a (SVN version - latest snapshot with Airport Extreme support)
- Sitecom Wireless Network USB Adapter
- Gateway AMD Athlon 3000+, 448GB RAM
- Apple Airport Extreme Base Station
First of all it has to be said that WEP security is piss poor at best; with a weak key (something like 'aaabbbccc123' or 'qwertyuiopas') it is stupidly easy to run a dictionary attack on the AP (Access Point). In a nutshell, WEP uses a 40- or 104-bit 'secret key' with a 24-bit IV (Initialization Vector) stuck on the end. I am not going to delve into the specifics of WEP (you can read more about it here), but let's just say for now that if you can collect enough IV data you can easily crack the WEP key; see "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin, and Adi Shamir.

Before we start, if you are using a Mac with a built-in Airport Extreme card, don't even bother with this: due to the closed nature of the chipset, the KisMAC developers can't engineer a driver that allows it to inject packets (vital for the kind of cracking we need to break WEP). Go on eBay and find yourself a cheap and nasty USB wireless network adapter from Netgear or Sitecom; as long as it has a Prism II chipset you should be OK.

So anyway, I started up KisMAC (http://www.kismac.de) and, using a passive scan, managed to find all the networks in the local area, including my very own 'ShanNet'. (It must be said that this has been running for ages with a 128-bit key (well, 104-bit + 24-bit IV) without any break-ins thus far.) So this is what I see.
A list of all the available networks (if there were any hidden networks, they would be in there as well). So I picked my network and started to listen. I waited and waited and, well, nothing really came up: I didn't capture any data packets and no unique IVs. I saw a bunch of captured packets, but those are mostly beacons from the AP saying "hello - come and connect to me". I thought 'hrm, maybe this won't be so easy', but of course I was thinking backwards.

THE WHOLE IDEA behind cracking the WEP key (40- or 104-bit) is that you collect enough encrypted traffic and enough IVs. However, it's not a walk in the park: you need either to be lucky enough to have a busy network with lots of different data flying over it, or to 'trick' your target AP into releasing some data packets. A technique called 'Re-Injection' can then be used on these packets, whereby they are sent back to the AP from a fake MAC address or simulated client. These packets then prompt the AP to send out another packet with yet more delicious data from which we can snag the IV.

One of the ways to do this is called a 'De-Authorization' attack (which, to be honest, won't work on most modern APs, but you may still get lucky). My Airport Extreme didn't fall for it, but most D-Link or Netgear models should! Basically you send out a request to the AP that pretends to come from another MAC address that is already on the network, like a Windows box that's already authenticated. Due to the poor implementation of the WEP protocol, these De-Authorize requests DON'T carry any authority requirement, meaning that when the AP gets the request it doesn't care where it came from and makes no attempt to validate its origin. You then find that the already connected clients start dropping off, and as they automatically re-authorize they generate ARP (Address Resolution Protocol) requests. These ARP requests have the IVs attached.
In order to crack a 104-bit WEP key (128-bit including the IV) you need a good 130,000 to 200,000 IVs; if you were just to sit and listen for them you might be waiting for months. So you can speed up this generation process by flooding your AP with Authorization Requests. This may jolt your AP into firing out encrypted packets as it tries to cope with the requests. But the main goal of all this is to snatch up the holy grail of WEP packets: a bona fide packet that will, each and every time, make your AP send out not only a data packet but a data packet with a unique IV attached to it. I have found that SSH datagrams do this very, very well. I snagged a couple of them from the Windows laptop that was connected to my network. Once you have collected some packets that do this, you can 'Re-Inject' them: this means firing the packet(s) over and over with false credentials, using them like a template, and as you re-inject these packets back into the AP it fires out those IVs like crazy. Within minutes I had over 300,000 unique IVs, which was enough to crack the WEP key. In about 4 minutes I had completely smashed the security of my wireless network. Below, tada: my key revealed (please note some blocks are covered for security).
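Seen from the defender's side, everything this walkthrough does is visible to anyone monitoring the channel: a burst of deauthentication frames, a station repeating an IV (the RC4 keystream reuse the Fluhrer-Mantin-Shamir paper relies on), and a single station suddenly emitting hundreds of fresh IVs a second (re-injection traffic). The Python audit below is an added example, not part of the original post or of KisMAC; it runs those three checks over a constructed capture summary, and the MAC addresses, frame records and thresholds are all made up for illustration.

```python
from collections import defaultdict
# Constructed sample capture summary (not a real capture): one record per 802.11 frame as
# (time_s, frame_type, transmitter_mac, iv_hex).  WEP sends the 24-bit IV in the clear.
AP, CLIENT, INJECTOR = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = (
    [(0.5 * i, "beacon", AP, None) for i in range(20)]                  # normal beacons
    + [(1.0 + 0.3 * i, "data", CLIENT, f"{i:06x}") for i in range(30)]   # ordinary traffic
    + [(3.0 + 0.05 * i, "deauth", AP, None) for i in range(8)]           # 8 deauths in 0.4 s
    + [(5.0 + 0.002 * i, "data", INJECTOR, f"{0x100000 + i:06x}") for i in range(400)]
    + [(6.0, "data", CLIENT, "000007")]                                  # IV 000007 reused
)

def peak_in_window(times, window):
    """Largest number of events whose times fall inside any `window`-second span."""
    times = sorted(times)
    lo = best = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def flag_peaks(per_mac, window, threshold):
    """Keep only senders whose peak event count per window reaches the threshold."""
    peaks = {mac: peak_in_window(ts, window) for mac, ts in per_mac.items()}
    return {mac: n for mac, n in peaks.items() if n >= threshold}

def deauth_bursts(frames, window=2.0, threshold=5):
    """WEP never authenticates deauth frames, so a spoofed burst looks like it came from the AP."""
    per_mac = defaultdict(list)
    for t, _, mac, _ in (f for f in frames if f[1] == "deauth"):
        per_mac[mac].append(t)
    return flag_peaks(per_mac, window, threshold)

def iv_reuse(frames):
    """Per station, IVs sent more than once: same key + same IV means the same RC4 keystream."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, _, mac, iv in (f for f in frames if f[1] == "data" and f[3]):
        counts[mac][iv] += 1
    reused = {mac: sorted(iv for iv, n in ivs.items() if n > 1) for mac, ivs in counts.items()}
    return {mac: ivs for mac, ivs in reused.items() if ivs}

def new_iv_rate_peaks(frames, window=1.0, threshold=100):
    """Peak first-sightings of fresh IVs per window; hundreds a second is injection, not browsing."""
    seen, per_mac = set(), defaultdict(list)
    for t, _, mac, iv in sorted((f for f in frames if f[1] == "data" and f[3]), key=lambda f: f[0]):
        if (mac, iv) not in seen:
            seen.add((mac, iv))
            per_mac[mac].append(t)
    return flag_peaks(per_mac, window, threshold)
```

On the constructed data the ordinary client stays under every threshold, while the deauth burst, the repeated IV and the injecting station are each flagged; the thresholds are starting points to tune against a baseline of the network's normal traffic.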
This was doing it the hard way! You can also run a dictionary attack against any WEP network; for example, on my MacBook Pro a wordlist with 240,000 words in it could be run against as few as 8 data packets in under 10 seconds. I changed my AP password to something a little more 'common' and broke into it again, this time in a few seconds. Of course there is now WPA encryption, which is much better, but still rubbish if up against a determined cracker or war driver. What's the point of this article? It's that you may be sitting there browsing securityfocus.com whilst reading your Sunday papers, safe in the knowledge that your WEP-encrypted wireless network is perfectly safe, but in reality, no matter HOW strong your key is, it can be cracked easily. Your network is sat there screaming out beacons to every Tom, Dick and Harry in the world. Don't forget that it's not just the bad guys on the outside of your VPN and firewall; it's the guys sitting in a car outside your office laughing at you because they managed to break into your WEP security in minutes, just like I did. I will show you how easy WPA can be to crack next time. An element of luck is involved, but if you get lucky you can leave, let your machines crack the cipher, come back at a later date and walk straight onto your freely cracked wireless network. In the meantime, here are some really interesting links for you to check out:
- WEP Vulnerabilities
- How To Crack WEP on Windows
- CrackingWEP
- EthicalHack.org
This is the very reason I'd originally moved to utilizing WPA Shared Keys as opposed to WEP to protect the studio's network. I've set up two Linksys G routers in the home, one top floor and the other bottom. Stripping them of their stock OS and replacing it with the scalable DD-WRT while using WDS (a distribution system for signal throughout a selective area using two or more routers; unfortunately, it forces the transmissions into half-duplex mode as opposed to full), I successfully extended the range in the home and outside. This, of course, created new issues however, regarding the security of the network and the ability for the neighborhood block to access it freely. I ran half a dozen tests with the Dell Axim X5 PDA/CF card and the Dell Latitude/Orinoco combinations to sniff the network/addresses/SSIDs/etc., including cracking of the worthless WEP algorithm, which took no more than 6-7 minutes at 40 bit. How sad, considering the scan turned up 13 wireless networks around my house that ALL were using such shoddy protection, some with the default SSIDs at that.
I think another key point which you touched on with this passage, "Your network is sat there screaming out beacons to every Tom, Dick and Harry in the world. Don't forget that it's not just the bad guys on the outside of your VPN and firewall; it's the guys sitting in a car outside your office laughing at you because they managed to break into your WEP security in minutes, just like I did". I firmly believe it is important NOT to broadcast your SSID - your network's presence. If you're the only member using it, why broadcast when you obviously know what it is already? Have your devices poll for net information as needed and enjoy this simple, first layer of security through privacy and lack of advertising.
Great article Davey!
Quote:
"I firmly believe it is important NOT to broadcast your SSID"
A simple 'De-Authentication' attack will normally reveal a hidden SSID. WPA is more secure, but easier to crack than WEP. For example, I set up a particularly complex WPA-PSK on my recently cracked AP, then managed to collect the magic four-way handshake packets. I used a 5 million word dictionary (30MB) and spent 4 hours trying to break the key. It failed on the simple premise of the strength of the key.
However, if the key was dictionary-based, it would have been cracked in minutes. I took my laptop on a wardrive the other night just to see how many WPA networks I could look at. MOST of them had default SSIDs and no bloody encryption at all. I didn't attempt any cracking, but it was amazing to see just how many completely open and unprotected networks there are, no WEP or WPA.
Like lambs to the slaughter.
I should have mentioned the usage of a non-dictionary set, as of course such a flimsy setup will undoubtedly provide the keys to the city, so to speak - my fault. A deauthentication attack CAN reveal the SSID; however, I don't believe I would classify it as a normal event/consequence.
The importance of not broadcasting is relative: "Out of sight, out of mind", as it were. In theory, a determined individual is going to take the time no matter what to discover the goods; that doesn't mean we should create the opportunities though. You wouldn't leave (shouldn't anyways) your prized jewelry out of the lockbox in front of a window - that is the same defining premise here as well.
Funny enough, I did the same thing two nights ago in South Beach/Miami Beach, FL (on holiday vacation, got bored - go figure). In a 5 block area cruising at about 20mph, I picked up 172 wifi networks, 34 of which were completely open. The ramifications are immense, considering any devious individuals could most certainly park and utilize the connections at their leisure for the most disastrous of malicious activities. I was appalled to say the least.
If you're not too worried about the concentration of RF at 5GHz, use a waveguide antenna. Use alternate firmware that allows for both of the "radios" to be turned down in strength. Point the antenna from one end of the house diagonally to the opposite end. Allow a little bit of signal just past your outside wall, but not to the neighbor's yard or out to the street. Adjust this scenario accordingly if you live in a condo, apartment, or out on a farm. Use WPA2 Enterprise encryption with session-based keys. If you have to use WPA2 Personal, use it with AES encryption and a 40 to 63 character "password". Turn off the SSID broadcast, and even though hidden SSIDs can be viewed using the right tools, make it significantly difficult for the hacker to type in by hand. Change the SSID and key frequently, and turn the access point or router off when not in use. Restrict usage via MAC address, and put the wired end of the router or access point behind a firewall or authentication proxy. Do not put any identifiable information on any machine accessing the wireless connection, and if the router or access point allows it, make sure each PC can only see itself on the wireless network. I believe on most routers this last item is part of some type of "isolate" option.
One item I forgot to mention:
If your router or access point allows for “wired” connections in addition to wireless, enable logging to a secured “wired” client, and check the logs frequently.
Hello! I'm a French student, so sorry for my English.
I see you are using the latest version of KisMAC with SVN (actually it's release 217). I did the same, but the website says that this version doesn't support passive mode for MacBook Pro and MacBook, so I don't know how you use this version on your MacBook in passive mode?
Thanks.
Hello,
Does KisMAC have to be compiled?
If you want to use the passive mode using your Airport Express on your MacBook(Pro) then you will need to download the CVS / SVN version of the source code from the public SVN server and yes compile it. It is very easy, the site has instructions for compiling it. However as I mentioned above you CANNOT use an Airport Express card for injection attacks because it’s not supported, I used a USB SiteCom wireless adapter that supports the Prism II chipset.
I’ve got an Airport Extreme card which I don’t believe is supported in passive mode. If I use a USB device with a Prism II chipset, would I need to compile it?
Props on the use of BBX Mercury
Hi,
I've been using KisMAC with a Sitecom WL-012 - finding the weak scheduling attack takes ages... hours.
How can I perform a wordlist attack? Where do I get a dictionary?
Thanks
Please, I will be grateful if you can help me to get software for checking when my mother can wipe my nose and change my diaper.
I have seen some signals from my area and their security was disabled but SSIDs were hidden.
How can I hack their network?
I got some ISPs around me; how can I hack into their network and make use of their services?
Is there any way I can get software which I can use to hack into an examination body website and then alter their results?
I HATE folks that just ask "How can I crack my local friend".
But I must admit that lately I've been thinking that the only way to TRULY HAVE FREE SPEECH is to be anonymous. And the only way I see to do that now is by coming in on an open WAP.
I personally don’t see how you can secure a radio transmission.
If desperate to stop you, I could jam the signal. (not that I’d want to.)
This whole discussion makes me sick, but then it's well needed, 'cause hell, I've seen WAPs in bank windows recently!!! Idiots!!
The thing is that anything you do to secure your boxes can be undone to un-secure your boxes. Ya just can't trust electronics. There ain't no way, and it's the same argument I will make against Electronic Voting Machines.
PS - pop the cover on one of them and I can destroy it in one second! Don't tell me I can't crack the vote! Maybe I might apply to be a poll worker (theoretically). I won't, because I am patriotic and I want these OATH OF OFFICE breakers in JAIL FOR LIFE!!!
Truth. As well, the more we integrate with the electronics, the weaker we make ourselves.
For those of you that are interested in the extreme possibilities or consequences of our actions today, research the Course of Empire theory - then look at the parallels between that and our current global state of affairs in technology.
J,
You heard about the WORM in FL-13? omfg
A worm (to me) means some IDIOT ran an executable.
Maybe idiot == corrupt
Oh well, hopefully these evil machines will be gone soon in Florida.
I just got to ask, and this is going hell of OFF TOPIC here...
But why can't we just count paper ballots with public oversight, using whatever fsckin printing technology to print those ballots?
Spare no expense; just look at the current expenses, from the war in Iraq to the misappropriation of funds for non-certified boXen!!! Aaarrrghhhh! This is national security.
If the goal is to crack a home network from the curb, who's going to be monitoring the wireless network for a flood of ARPs?
Even with a corporate network, is an attack of this sort likely to be noticed? Running a spoofed MAC ID and pounding the network for, say, 5-10 seconds (to spread it out a bit), is anyone going to notice that host A seemed excessively curious about host B (at the ARP level, not at the IP firewall level)?
I WANT TO HACK HIM, HE HAS HACKED INTO ME
Hi, I would like to have software to hack into networks around me.
I've got a MacBook 2.0 Core 2 Duo with an Airport card in it and I'm using KisMAC; what brand or model of wireless adapter would you recommend getting? I just want to be sure, before I drop money on something, that it will let me do what I want it to do.
What version of the 'Sitecom Wireless Network USB Adapter' did you use? I've had a little trouble locating an adapter that is old enough to work. It seems the newer hardware does not have compatible chipsets. Please let me know if you might have any info/ideas. Thanks.