It may clear things up for some people who get overwhelmed by all the jargon, especially with the recent news hitting the mainstream about WPA being partially cracked.

Users have every right to be perplexed by wireless security standards. Faced by an alphabet soup of AES, RADIUS, WEP, WPA, TKIP, EAP, LEAP and 802.1x, many users don’t secure their wireless networks at all. Now that earlier wireless security standards such as Wi-Fi Protected Access and Wired Equivalent Privacy are being cracked, it’s time to examine what all the terms mean and think about changes.

Just about a month ago, in early November, the news came out that the first cracks were appearing in WPA, or Wi-Fi Protected Access, a very popular wireless security standard. The compromise that was accomplished by some researchers was not a real killer, but the affected version of WPA (and the associated encryption process, TKIP, or Temporal Key Integrity Protocol), was always meant as a stopgap standard.

So here you go, the acronyms, hope it’s useful to someone

• WEP (Wired Equivalent Privacy)—The old, original, now discredited wireless security standard. Easily cracked.
• WEP 40/128-bit key, WEP 128-bit Passphrase—See WEP. The user key for WEP is generally either 40- or 128-bit, and generally has to be supplied as a hexadecimal string.
• WPA, WPA1—Wi-Fi Protected Access. The initial version of WPA, sometimes called WPA1, is essentially a brand name for TKIP. TKIP was chosen as an interim standard because it could be implemented on WEP hardware with just a firmware upgrade.
• WPA2—The trade name for an implementation of the 802.11i standard, including AES and CCMP.
• TKIP—Temporal Key Integrity Protocol. The replacement encryption system for WEP. Several features were added to make keys more secure than they were under WEP.
• AES—Advanced Encryption Standard. This is now the preferred encryption method, replacing the old TKIP. AES is implemented in WPA2/802.11i.
• Dynamic WEP (802.1x)—When the WEP key/passphrase is entered by a key management service. WEP as such did not support dynamic keys until the advent of TKIP and CCMP.
• EAP—Extensible Authentication Protocol. A standard authentication framework. EAP supplies common functions and a negotiation mechanism, but not a specific authentication method. Currently there are about 40 different methods implemented for EAP. See WPA Enterprise.
• 802.1x, IEEE8021X—The IEEE family of standards for authentication on networks. In this context, the term is hopelessly ambiguous.
• LEAP, 802.1x EAP (Cisco LEAP)—(Lightweight Extensible Authentication Protocol) A proprietary method of wireless LAN authentication developed by Cisco Systems. Supports dynamic WEP, RADIUS and frequent reauthentication.
• WPA-PSK, WPA-Preshared Key—Use of a shared key, meaning one manually set and manually managed. Does not scale with a large network either for manageability or security, but needs no external key management system.
• RADIUS—Remote Authentication Dial In User Service. A very old protocol for centralizing authentication and authorization management. The RADIUS server acts as a remote service for these functions.
• WPA Enterprise, WPA2 Enterprise—A trade name for a set of EAP types. Products certified as WPA Enterprise or WPA2 Enterprise will interoperate (EAP-TLS, EAP-TTLS/MSCHAPv2, PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC & EAP-SIM)
• WPA-Personal, WPA2-Personal—See Pre-Shared Key.
• WPA2-Mixed—Support for both WPA1 and WPA2 on the same access point.
• 802.11i—An IEEE standard specifying security mechanisms for 802.11 networks. 802.11i uses AES and includes improvements in key management, user authentication through 802.1X and data integrity of headers.
• CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol that uses AES.

Enjoy!

Source: eWeek

After the insecurity of WEP was exposed the majority of routers and Wi-Fi devices default to WPA, so this may be a serious and widespread security issue. Especially as though the initial method and information is public, more refined and efficient cracking methods will come to light – of course we shall report on any WPA cracking tools that we come across.

Security researchers say they’ve developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

It’s a pretty fast attack on the TKIP, WEP cracking requires a relatively large amount of traffic to get hold of enough weak IVs to crack the WEP key.

If you can break WPA in 12-15 minutes, that’s impressive! It’s not a full key cracking method though, it only yields a temporary key and doesn’t give you full access to everything.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

From what I understand it allows the attacked to basically hijack the ARP communications on the network, not the full data available.

So it could open up a router or edge device using WPA to be hijacked with ARP spoofing for some man-in-the-middle kind of attack.

Apparently an experimental implementation of the researchers’ attack has been introduced into a development version of the aircrack-ng tool.

Source: Computer World

It’s a favourite amongst Windows users, although it can’t do any real hacking (like breaking a WEP key) – it’s extremely fast and effecient in the detection of open WAPs.

What is NetStumbler?

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

• Verify that your network is set up the way you intended.
• Find locations with poor coverage in your WLAN.
• Detect other networks that may be causing interference on your network.
• Detect unauthorized “rogue” access points in your workplace.
• Help aim directional antennas for long-haul WLAN links.
• Use it recreationally for WarDriving.

General Requirements

The requirements for NetStumbler are somewhat complex and depend on hardware, firmware versions, driver versions and operating system. The best way to see if it works on your system is to try it.

Some configurations have been extensively tested and are known to work. These are detailed at http://www.stumbler.net/compat. If your configuration works but is not listed, or is listed but does not work, please follow the instructions on the web site.

The following are rules of thumb that you can follow in case you cannot reach the web site for some reason.

• This version of NetStumbler requires Windows 2000, Windows XP, or better.
• The Proxim models 8410-WD and 8420-WD are known to work. The 8410-WD has also been sold as the Dell TrueMobile 1150, Compaq WL110, Avaya Wireless 802.11b PC Card, and others.
• Most cards based on the Intersil Prism/Prism2 chip set also work.
• Most 802.11b, 802.11a and 802.11g wireless LAN adapters should work on Windows XP. Some may work on Windows 2000 too. Many of them report inaccurate Signal strength, and if using the “NDIS 5.1″ card access method then Noise level will not be reported. This includes cards based on Atheros, Atmel, Broadcom, Cisco and Centrino chip sets.
• I cannot help you figure out what chip set is in any given card.

Firmware Requirements

If you have an old WaveLAN/IEEE card then please note that the WaveLAN firmware (version 4.X and below) does not work with NetStumbler. If your card has this version, you are advised to upgrade to the latest version available from Proxim’s web site. This will also ensure compatibility with the 802.11b standard.

You can download NetStumbler 0.4.0 here:

NetStumblerInstaller_0_4_0.exe

Or read more here (tutorial here).

I wanted to mention this tool separately as I think it’s very cool!

MoocherHunter™ identifies the location of an 802.11-based wireless moocher or hacker by the traffic they send across the network. If they want to mooch from you or use your wireless network for illegal purposes (e.g. warez downloading or illegal filesharing), then they have no choice but to reveal themselves by sending traffic across in order to accomplish their objectives. MoocherHunter™ enables the owner of the wireless network to detect traffic from this unauthorized wireless client (using either MoocherHunter™’s Passive or Active mode) and enables the owner, armed with a laptop and directional antenna, to isolate and track down the source.

Because it is not based on fixed or statically-positioned hardware, MoocherHunter™ allows the user to move freely and walk towards the actual geographical location of the moocher/hacker. In residential and commercial multi-tenant building field trials held in Singapore in March 2008, MoocherHunter™ allowed a single trained operator to geo-locate a wireless moocher with a geographical positional accuracy of as little as 2 meters within an average of 30 minutes.

You can download OSWA Assistant here to get MoocherHunter:

oswa-assistant.iso

Or read more here.

This toolkit is a contribution to the wireless security/auditing community and, as the “Assistant” moniker implies, and is designed for the following groups of people:

• IT-security auditors and professionals who need to execute technical wireless security testing against wireless infrastructure and clients;
• IT professionals who have responsibility for ensuring the secure operation and administration of their organization’s wireless networks;
• SME (Small & Medium Enterprise) and SOHO (SmallOffice-HomeOffice) businesses who do not have either the technical expertise or the resources to employ such expertise to audit their wireless networks;
• Non-technical-users who run wireless networks at home and who would like to audit the security of their wireless home networks and laptops but don’t know how.

You can download OSWA Assistant here:

oswa-assistant.iso

Or read more here.

The tool is intended to get all possible info from open wifi networks (and possibly encrypted also in the future, at least with WEP) without joining any network, and covering all wifi channels.

WifiZoo does the following:

• gathers bssid->ssid information from beacons and probe responses
• gathers list of unique SSIDS found on probe requests
• gathers the list and graphs which SSIDS are being probed from what sources
• gathers bssid->clients information and outputs it in a file that you can later use with graphviz and get a graph with “802.11 bssids->clients”.
• gathers ‘useful’ information from unencrypted wifi traffic (ala Ferret,and dsniff, etc); like pop3 credentials, smtp traffic, http cookies/authinfo, msn messages,ftp credentials, telnet network traffic, nbt, etc.

You can download WifiZoo v1.3 here:

wifizoo_v1.3.tgz

Or read more here.

Russix is a Slax based Wireless Live Linux. It has been designed to be light (circa 230Mb) and dedicated purely to wireless auditing.

It is not a script kiddy phishing tool and as such, while it will allow you to break a WEP key in 6 key strokes and conduct an “Evil Tiny Twin” attack in less than 5, it will not let you become the latest version of Barclays Bank.

Russix evolved from an internal UK Military Wireless auditing tool (debian based) which russ had developed while working for them as a penetration tester.

Russix is a free download for auditing. It scripts together several WLAN attacks and will allow the user to break a WEP key in about 6 keystrokes! It will not be modified by us to make it into a phishing tool as that would be evil.

It comprises a number of tools including aircrack-ng, cowpatty, asleap, nmap, wireshark, hydra, as well as scripted attacks to aid cracking WEP and WPA networks. Currently, it only supports Atheros based chipsets and those of you lucky enough to own 2 atheros cards will be able to use the scripted Evil Twin attack.

Interested in hearing any feedback you may have or improvements you can make.

You can download it here:

Built on 9th Dec 2007: Download latest version

Or read more here.

Kismet is one of foundation tools Wireless Hacking, it’s very mature and does what it’s supposed to do.

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.

Features

• Ethereal/Tcpdump compatible data logging
• Airsnort compatible weak-iv packet logging
• Network IP range detection
• Built-in channel hopping and multicard split channel hopping
• Hidden network SSID decloaking
• Graphical mapping of networks
• Client/Server architecture allows multiple clients to view a single
• Kismet server simultaneously
• Manufacturer and model identification of access points and clients
• Detection of known default access point configurations
• Runtime decoding of WEP packets for known networks
• Named pipe output for integration with other tools, such as a layer3 IDS like Snort
• Multiplexing of multiple simultaneous capture sources on a single Kismet instance
• Distributed remote drone sniffing
• XML output
• Over 20 supported card types

If you need to get funky with a wireless network, grab Kismet for a start.

You can download the latest stable source here:

kismet-2007-10-R1.tar.gz (sig)

Or read more here.

KisMAC supports several third party PCMCIA cards – Orinoco, PrismII, Cisco Aironet, Atheros and PrismGT. USB Prism2 is supported as well, and USB Ralink support is in development. All of the internal AirPort hardware is supported as well.

System Requirements

• Mac OS 10.4
• A Mac with a supported PCMCIA, USB or internal AirPort

Features

• Reveals hidden/cloaked/closed SSIDs
• Shows logged in Clients (with MAC Addresses, IP addresses and signal strengths)
• Mapping and GPS support
• Can draw area maps of network coverage
• PCAP import and export
• Support for 802.11b,g,n
• Different attacks against encrypted networks
• Deauthentication attacks
• AppleScript-able
• Kismet drone support (capture from a Kismet drone)

Active mode, also referred to as managed mode, sends probe requests and is pretty boring.
Passive mode is more commonly known as monitor mode, and passively monitors what’s already in the air without interfering in it.
Active attacks like deauth and reinjection (where supported) require your device to be in monitor or passive mode.

You can download KisMAC here:

KisMAC

Or read more here.

We can blame it on the manufacturers for having lax default security settings, but they have to do it because if they enforced WEP for example by default..most people wouldn’t be able to connect and would most likely return it to the shop claiming that it’s ‘broken’.

Sophos has revealed new research into the use of other people’s Wi-Fi networks to piggyback onto the internet without payment. The research shows that 54 percent of computer users have admitted breaking the law, by using someone else’s wireless internet access without permission.

According to Sophos, many internet-enabled homes fail to properly secure their wireless connection properly with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an internet service provider (ISP) for their own.

As for the legal and ethical side, it’s hard to say. In most countries it’s still a fairly grey area – if you don’t do anything illegal with the connection (sniffing, cracking, hacking, DoS etc.) and you don’t use enough bandwidth to cause a problem it’s hard to say it’s illegal.

Stealing Wi-Fi internet access may feel like a victimless crime, but it deprives ISPs of revenue. Furthermore, if you’ve hopped onto your next door neighbours’ wireless broadband connection to illegally download movies and music from the net, chances are that you are also slowing down their internet access and impacting on their download limit. For this reason, most ISPs put a clause in their contracts ordering users not to share access with neighbours – but it’s very hard for them to enforce this.

The contract clause is interested but as mentioned, extremely hard to enforce.

I guess Wifi jacking will continue and as more mobile devices support Wifi (n95, E61i, PSP, iPhone etc) it will get even more common.

Source: Net Security