Dispelling the Myth of Wireless Security
by Rob Flickenger, author of Wireless Hacks08/14/2003
Editor's note: In this first excerpt from Wireless Hacks, author Rob Flickenger shows how to find out just how "secure" your standard wireless network really is.
|
Related Reading 
Wireless Hacks |
Despite a few good online articles and countless alarmist news items decrying parasitic War Drivers and War Chalkers contributing to the moral decay of the country, a surprising number of people still install wireless equipment with all of the defaults enabled. There are a huge number of access points in use today that unintentionally advertise a default SSID, bridge directly to an Ethernet network, and use no encryption whatsoever (or a WEP key left on the factory setting, and therefore easily deduced).
But even if all standard precautions are in place, how much "security" do wireless access points actually provide? Having heard all sorts of widely varying estimates and assumptions from people who should be able to make an educated guess, I finally decided to see for myself what it would take to circumvent the security of my own standard 802.11b network.
The Test Environment
Since my "production" wireless network is actually an open node on Seattle Wireless, I decided to put together a temporary lab network consisting of the following:
- A "Graphite" AirPort
- An iMac with an AirPort card running OS X
- An iBook with an AirPort card running the Debian Linux distribution
In order to make the test as difficult as possible, I decided to create a "closed" network (that doesn't broadcast the SSID), enable WEP, and also implement a MAC address filter. The AirPort was set to the SSID stealthy, with the unlikely deduced WEP key of t8$Gc. I added a MAC address filter that only allowed the airport card in the iMac to connect to it. I also set the AirPort to channel 1 (the only unused channel in my immediate area). The Ethernet on the AirPort was connected to my local house network, and configured to use NAT.
After resetting the Airport, I verified that I couldn't detect the stealthy SSID from either the iMac or the iBook. I then connected to the AirPort with the iMac, specifying the network name and WEP key explicitly. I got a DHCP lease of 10.0.1.2, and verified that I could in fact browse the web. To be sure that the MAC filter was working properly, I also verified that I could not associate with the AirPort from the iBook, even using the proper WEP key and SSID. I then set the iMac to flood ping the AirPort, in order to generate a large amount of wireless traffic:
rob@imac:~$ sudo ping -f 10.0.1.1
Now everything was in place to test this configuration with the iBook.
Step 1. Detect the Network
Of course, the first step was to detect the network's presence. This was easily accomplished with Kismet. As you can see in Figure 7-1, the stealthy network was detected immediately.
|
| Figure 7-1: A "stealthy" network detected |
Note that the network would be detected instantly (provided that someone was actually using it), regardless of whether I had called it stealthy or something original and tricky like kpX284W_m. Obfuscating the SSID of your network does nothing to enhance the security of your wireless network, regardless of whether you broadcast beacons or not. For the record, I started Kismet at 18:23, at which point it began logging all 802.11 frames that it encountered. Now that I knew the channel and SSID of the target network, it was time to move to the next step.
Step 2. Find a Valid MAC Address
I know of two ways to find valid MAC addresses for a given network. You could associate with the AP and run an IP layer network sniffer such as Ethereal or tcpdump).This is, of course, the hard way, particularly if you already have Kismet handy.
The easy way is to select the network you are interested in (hit ss to sort by SSID, and arrow down to it if necessary) and then view the associated clients (hit c). Presto, you have a list of MAC addresses for clients that are using the network, and presumably are on the permitted MAC table. Wireless clients send their MAC address in the clear, regardless of whether the AP requires WEP or not.
These steps took just a few seconds (it actually took me longer to run the screen grab utility than to execute the attacks). Now came the tricky part: cracking the WEP key.
Step 3: Crack the WEP Key
It is entirely possible to have AirSnort crack an 802.11 stream in real time. In my meager testing, I have found this to be fairly unstable using Debian on an iBook. Rather than risk a crash in the middle of my test, I decided to just run it against the pcap dump that Kismet creates automatically. I opened the dump file immediately, and then checked its progress every ten minutes or so.
As you can see in Figure 7-2, AirSnort was successful in finding the WEP key (t8$Gc) after only 3.4 million packets.
|
| Figure 7-2: WEP key found |
I stopped Kismet, and noted the time. It was now 19:50. One hour and 27 minutes had passed, and Kismet had accumulated only 490,796,602 bytes (that's less than 490MB, or considerably less than a single CD ISO). I think this was a particularly lucky run, as many people have reported having to log a couple of gigabytes of data before AirSnort could guess the key.
Now armed with the correct SSID, a valid MAC address, and the WEP key, I could actually attempt to access the wireless network. Note that until now, absolutely no information has been transmitted by the iBook, making detection of this attack a practical impossibility.
Step 4. Logging In
After quitting Kismet and taking the wireless card out of monitor mode, I configured the iBook to use the proper network parameters:
root@ibook:~# ifconfig eth1 hw ether 00:30:65:1E:81:9B
root@ibook:~# iwconfig eth1 key 's:t8$Gc'
root@ibook:~# iwconfig eth1 essid stealthy
Ah, but what IP address information should I use? Up until now, I hadn't looked at any IP layer traffic. Kismet could not reveal the IP range, because it didn't have the WEP key. At this point, I could have started up Ethereal and looked at the captured pcap dump, but it was much simpler to view the network data in real time using tcpdump like so:
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Since the ping flood was still running, I quickly hit Control-C to kill tcpdump. Using tcpdump with the -n switch, IP addresses that are actively in use on the network are revealed. Based on this information, it is possible to infer that the stealthy network is using 10.0.1.x, it is most likely using a class C or class A netmask, and 10.0.1.1 is probably a good guess at the default router. Had this been an actual real-world network, it would have been trivial to find the default router and local DNS servers by looking at actual network traffic in Ethereal.
Rather than step on the IP address being used by the iMac (10.0.1.2), I decided to pick a different address altogether. If this would work, it should allow the iMac and iBook to coexist on the network without too much interference.
root@ibook:~# ifconfig eth1 10.0.1.3 netmask 255.255.255.0 broadcast 10.0.1.255
root@ibook:~# route add default gw 10.0.1.1
root@ibook:~# ping -c2 yahoo.com
PING yahoo.com (66.218.71.198): 56 data bytes
64 bytes from 66.218.71.198: icmp_seq=0 ttl=242 time=32.5 ms
64 bytes from 66.218.71.198: icmp_seq=1 ttl=242 time=33.2 ms
--- yahoo.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 32.5/32.8/33.2 ms
As you can see, I was able to ping yahoo.com (and had full network access from that point on). Given the correct SSID, WEP key, and a valid MAC address, the AirPort could not distinguish me from the iMac, and therefore could do nothing to keep me out. Note that while the AirPort can't tell the difference, a program such as arpwatch can detect many sorts of MAC address shenanigans, but only if the AirPort is configured as a bridge. Since it is set up as a NAT in this configuration (as many APs are by default), the sharing of MAC addresses between clients is completely invisible to the rest of the network.
Post Mortem
I hope this little experiment gives you some idea of what you are up against when relying on the built-in security measures of 802.11b. Using inexpensive hardware and freely available tools, a typical Wi-Fi network can be easily cracked in a mere hour and a half (although it will probably take a bit longer on average, depending on how busy the network is, potentially offset by a bit of luck).
What does this mean for wireless security? Should we run screaming to our system administrators and toss the whole lot into the garbage? Of course not. This whole exercise is presented to drive home this point: If you are concerned about wireless security, you must use strong application-layer encryption and authentication. Much of the rest of this chapter details other freely available tools that you can use to protect your network and your wireless users against these attacks.
Resources
Check out these sites for the tools mentioned throughout this hack:
Rob Flickenger is a long time supporter of FreeNetworks and DIY networking. Rob is the author of three O'Reilly books: Building Wireless Community Networks, Linux Server Hacks, and Wireless Hacks.
Return to the Wireless DevCenter
You must be logged in to the O'Reilly Network to post a talkback.
Showing messages 1 through 17 of 17.
-
New Flash Demo on Wireless Hackers
2005-06-30 07:06:17 liz123 [Reply | View]
There's a new flash demo of how wireless hackers work, and how they use their cracking tools. Its really interesting to actually get to see what the hackers see. Take a look at www.lucidlink.com
-
LucidLink is giving away it's $99 3-user Wi-Fi security software
2005-04-18 09:41:31 lucidlink [Reply | View]
LucidLink Wireless Security is based upon the most current security technologies available today, including 802.X, 802.11i, WPA, WPA2, and RADIUS. This software is VERY easy to get setup, takes 2 minutes.
LucidLink just announced a free offer of it's $99 wireless security software called Lucid Link. http://www.lucidlink.com/
It received Wi-Fi Planets best of show award twice!
Ryan
-
It has to exist to be insecure
2003-10-23 20:04:39 anonymous2 [Reply | View]
The other evening a friend had me check out his system and help set up his POP email client as he'd only been able to use web-based mail since he switched to DSL. His Mac's networking was set for DHCP but there was no PPPoE info entered making me think that the modem hand some brains and must be configurable. I was curious enough to peek at the configuration/status page for the modem. Low and behold his DSL modem included an 802.11 access point, turned on by default, and he didn't even know it had that feature! He'd opted for a fancier modem on being told it had a firewall. It was a "Wire2" modem. Besides having wireless on when he didn't have use for it, security features in that modem were awful. It has no Mac filtering on the 802.11b, and the so-called firewall only had the option of blocking two ports (139 and one other) everything else was forwarded! I enabled a software firewall on his machine and it showed him being hit about every 30 seconds. Lucky for him he wasn't running a Windows box! It's ironic that he'd switched from cable to DSL over worries that a neighbor was somehow messing with his system. Nothing like having the nearly clueless being guided by a nearly clueless ISP. It's really irresponsible for an ISP to put average consumers online with great speeds and little or incorrect security guidance.
-
The Myth of Easy WEP cracking
2003-10-21 14:21:47 anonymous2 [Reply | View]
The author should disclose the age of his test equipment, it makes a big difference. The methods the author used will only works vs equipment at least 2 years old.
Since the initial panic about WEP in summer 2001, 802.11 manufacturers made changes to their firmware. Fast WEP cracking comes from capturing enough "weak IV" frames, something that occurs randomly. Manufactures have apparently altered the algorythm to not use any weak IVs -- this technology is sometimes known as WEP-plus. For example, Orinocco interfaces with firmware older than fall of 2001 can be cracked. Change the Orinocco firmware to an early 2002 version, Airsnort and Kismet never see weak IVs, thus can not crack the WEP key. Note that either side of a WLAN connection (access points or client interfaces) can send weak IVs if they are using old interfaces.
My impression is that manufacturers have implemented WEP Plus fixes in equipment manufactured since late 2001/early 2002. Typically, old equipment can be upgraded to newer firmware. At a large trade show early this year I fired up kismet and Airsnort. Hundreds of WLAN interfaces were visible, but I collected maybe 2 weak IV frames. I was manning a both at this show, and run the tools all day for 2 days.
Articles like this were important 2 years ago, but really they distort the problem today. Keep up with the firmware updates and you are reasonably secure. I have some many people insisting WEP can can be broken in 15 minutes, it drives me nuts.
AND ... Even if you are attacking a 2-year old WLAN, collecting millions of frames can take many days depending on the traffic load! You can't do a ping flood until you have that WEP key.
Tim F
Network Engineer -
The Myth of Easy WEP cracking
2003-11-23 19:35:05 anonymous2 [Reply | View]
Thanks Tim, I think you hit the nail on the head. The book is really very good but this hack had me scratching my head. What is scary is how few people even use WEP at all! -
The Myth of Easy WEP cracking
2005-02-06 12:31:12 BashT [Reply | View]
I totally agree with you Tim. This was the topic for my research paper and I have about the same set up lab but I was using Knoppix STD. I had Airsnort run for one week and it did not log any weak IV keys. I email the developers of Airsnort asking them what's wrong and they told me the same information that you wrote, that old 802.11b hardware with old firmware are the only ones that are vulnerable to this attack so in other words if you are using 802.11g or n or you updated the latest firmware on your 802.11b hardware then you don't have to worry about the WEP key being hacked for now..
-
Next challenge - VPN and firewalls
2003-10-03 23:51:40 anonymous2 [Reply | View]
I'd like to see how far you can get even if you are "on the network" if all computers are behind some software firewalls like Norton Personal Firewall. Could you even get as far as you have if both wireless devices where using VPN?
I appreciate the "warnings" but I'd like to hear about some solutions - other than buy Lucent. -
Next challenge - VPN and firewalls
2003-10-21 12:31:06 anonymous2 [Reply | View]
Well, considering that he wasn't discussing anything to do with the PC's on the network (not to mention that Norton Personal Firewall will not do anything to protect your Wireless network from being sniffed and potentially infiltrated), I don't see how this is relevant. I suppose with you software firewalls, you're relatively safe from having your individual PC's directly attacked (but the network traffic can still be sniffed), assuming that you don't have other glaring security holes open on your computer. NPF doesn't protect your computer from weak security, but it is a good complement to strong security.
The issue here is that he was able to get access to the router in question and could be using your wireless bandwidth to do anything he wants to do (including illegal activities that can be traced back to your ISP account). What if he decides to run his 20,000 song Kazaa collection from your router without your knowledge? When the lawsuit comes in from the RIAA, you're probably screwed (though, they have no evidence that your computer has ever had the files on it, you can not disprove that it is your internet connection being used. A reasonable deduction would be that you downloaded them and you'd have to have MAJOR proof that your network was hacked to convince anyone otherwise).
I think what this article proves, beyond a doubt, is that security can only keep honest or naive people out of your network, especially a wireless one. Nevertheless, the measures that he was able to circumvent in his article, provide a speedbump for the casual browser... if there's a wide open wireless network next door, they probably wouldn't bother with yours. Kind of like why burglars jiggle door locks to see if the door is already unlocked. Why bother breaking in when plenty of networks are wide open already?
-
Re-try this test with KisMAC...
2003-09-05 11:18:09 anonymous2 [Reply | View]
Michael Rossberg has an application called KisMAC (see http://www.binaervarianz.de/projekte/programmieren/kismac/) that should be able to do the same sort of thing as Kismet for Linux, but under MacOS X instead. It has cracking tools (like AirSnort) built-in.
I'd like to see this sort of test re-run with purely MacOS X tools (such as KisMAC).
-
it works, much like http://www.codon4.com
2003-08-19 18:57:11 anonymous2 [Reply | View]
it works, much like http://www.codon4.com
-
mac to ip matching
2003-08-19 13:50:57 anonymous2 [Reply | View]
In your example, you obtained an already used mac and reused it on another ip. Suppose you disabled dhcp, went for static assignment, and only allowed ibook's mac from a static ip that the ibook is configged with as an example?
-
Airport Extreme Security
2003-08-17 13:54:21 anonymous2 [Reply | View]
This article seems to use the original Airport as it' s test case. I am interested to know if this hack is just as easy on an Airport Extreme network as I own one for my home internet setup.
-
Wireless Security
2003-08-15 14:25:53 anonymous2 [Reply | View]
Your 5 character password shows that you did not crack a wep password but a ascii password. If it had been 64 bit wep it would have been 10 characters and exponentially harder to crack. If wireless is so easy to crack why did you choose the shortest possible password to crack? -
Wireless Security
2003-08-16 04:02:24 trevmar [Reply | View]
Actually, I have found that Airsnort cracks both short and long keys in about the same amount of time (1 million to 10 million packets). The number of packets needed is more dependent on the actual code and the point in the pingflood sequence at which the AP is at any point in time (because certain regions of the WEP key space are more susceptible than others).
I haven't really noticed any extra security from using 'clever' HEX codes rather than the ascii shorthand.
However, Lucent changed its Orinoco firmware in September 2002 to stop its cards transmitting weak packets. I have never managed to crack an Orinoco card running up-to-date software.
Likewise for Cisco - the LM350 series of cards are invisible when running WEP.
But you only need one user on the network to be using a card based on the PRISM or some other chipset (eg, D-Link, Linksys, Zoom) and the whole network can be easily cracked.
Anyway, good work Rob, an excellent explanation...
Sincerely,
Trevor Marshall
http://www.TrevorMarshall.com -
Wireless Security
2003-11-16 14:46:05 trystano [Reply | View]
Hi all,
I was intending to find a forum on this site, but haven't managed to find one :-(.
Anyway, I have a question to ask on security of m-commerce. I am doing a independant study that involves me researching the security measures taken when carrying out transactions over wireless networks.
I was wondering if PKI is used as the main technology used to secure wireless transactions. Is WEP similar to this? If not, what is WEP used for?
Can someone please assit me (if possible, direct me to some decent researches).
Tryst -
About WEP keys
2003-08-15 15:11:13 rflicken [Reply | View]
The various key lengths quoted by manufacturers can certainly be confusing.
The original 802.11b specification defined a 40-bit user-specified key. This key is combined with a 24-bit Initialization Vector (the IV), a random number that is part of the WEP algorithm. Together, this yields 64 bits of "key", although the IV is actually sent in the clear!
Likewise, 104-bit WEP is used with the IV to yield 128 bits of "key". This is why user-defined ASCII keys are five characters long (5 characters times 8 bits/character == 40 bits) or thirteen characters long (13 characters times 8 bits/character == 104 bits). The user doesn't define the IV. Even when specifying long hex keys, these are simply hashed into a 40 bit or 104 bit sequence, and combined with the IV.
Using the real time analysis mode of AirSnort (as I did in this experiment), it doesn't try brute force the key space, but instead collects weak IVs that the AP transmits. Since the IVs are sent in the clear, collecting them is just a matter of observing enough traffic. The key length (40 or 104) does make some difference, but not the exponential increase in work that you might expect. From AirSnort's home page:
"AirSnort requires approximately 5-10 million encrypted packets to be gathered. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second."
I chose to use the 40 bit (or 64 bit, if you like) WEP key for a couple of reasons. It is by far the most common WEP implementation in use, it's the only one defined by the 802.11b standard, and that's all the hardware I had on hand (at the time) would support. When I scrape together an AP and a couple of machines that will do 104 bit WEP, I'll certainly give it another run.
I highly recommend reading any of these papers for more detail about the weaknesses of WEP than I have room to talk about here.
Or buy my book. ;)
