What’s Unique about inSSIDer?

• Use Windows Vista and Windows XP 64-bit.
• Uses the Native Wi-Fi API.
• Group by Mac Address, SSID, Channel, RSSI and “Time Last Seen.”
• Compatible with most GPS devices (NMEA v2.3 and higher).

How can inSSIDer help me?

• Inspect your WLAN and surrounding networks to troubleshoot competing access points.
• Track the strength of received signal in dBm over time.
• Filter access points in an easy to use format.
• Highlight access points for areas with high Wi-Fi concentration.
• Export Wi-Fi and GPS data to a KML file to view in Google Earth

InSSIDer is licensed under the Apache License, Version 2.0. The source code is freely available from the public Subversion repository at http://www.metageek.net/svn/trunk.

You can download inSSIDer here:

Inssider_Installer.msi

Or read more here.

The end goal of course is to crack the WEP key of a given Wireless network.

Features

The main part of this is the autonomous nature of the toolkit, it can crack all access points within the range in one go. Other than the the features would be those found in aircrack-ng.

• Mac address filtering bypass (via mac spoofing)
• Auto reveal hidden SSID
• Client-less Access Point injection
• Shared Key Authentication
• WEP Decloaking (future version)
• Whitelists (crack only APs included in the list)
• Blacklists (do not crack APs included in the list)

You can download WEPBuster here:

wepbuster.tgz

Or read more here.

It may clear things up for some people who get overwhelmed by all the jargon, especially with the recent news hitting the mainstream about WPA being partially cracked.

Users have every right to be perplexed by wireless security standards. Faced by an alphabet soup of AES, RADIUS, WEP, WPA, TKIP, EAP, LEAP and 802.1x, many users don’t secure their wireless networks at all. Now that earlier wireless security standards such as Wi-Fi Protected Access and Wired Equivalent Privacy are being cracked, it’s time to examine what all the terms mean and think about changes.

Just about a month ago, in early November, the news came out that the first cracks were appearing in WPA, or Wi-Fi Protected Access, a very popular wireless security standard. The compromise that was accomplished by some researchers was not a real killer, but the affected version of WPA (and the associated encryption process, TKIP, or Temporal Key Integrity Protocol), was always meant as a stopgap standard.

So here you go, the acronyms, hope it’s useful to someone :)

• WEP (Wired Equivalent Privacy)—The old, original, now discredited wireless security standard. Easily cracked.
• WEP 40/128-bit key, WEP 128-bit Passphrase—See WEP. The user key for WEP is generally either 40- or 128-bit, and generally has to be supplied as a hexadecimal string.
• WPA, WPA1—Wi-Fi Protected Access. The initial version of WPA, sometimes called WPA1, is essentially a brand name for TKIP. TKIP was chosen as an interim standard because it could be implemented on WEP hardware with just a firmware upgrade.
• WPA2—The trade name for an implementation of the 802.11i standard, including AES and CCMP.
• TKIP—Temporal Key Integrity Protocol. The replacement encryption system for WEP. Several features were added to make keys more secure than they were under WEP.
• AES—Advanced Encryption Standard. This is now the preferred encryption method, replacing the old TKIP. AES is implemented in WPA2/802.11i.
• Dynamic WEP (802.1x)—When the WEP key/passphrase is entered by a key management service. WEP as such did not support dynamic keys until the advent of TKIP and CCMP.
• EAP—Extensible Authentication Protocol. A standard authentication framework. EAP supplies common functions and a negotiation mechanism, but not a specific authentication method. Currently there are about 40 different methods implemented for EAP. See WPA Enterprise.
• 802.1x, IEEE8021X—The IEEE family of standards for authentication on networks. In this context, the term is hopelessly ambiguous.
• LEAP, 802.1x EAP (Cisco LEAP)—(Lightweight Extensible Authentication Protocol) A proprietary method of wireless LAN authentication developed by Cisco Systems. Supports dynamic WEP, RADIUS and frequent reauthentication.
• WPA-PSK, WPA-Preshared Key—Use of a shared key, meaning one manually set and manually managed. Does not scale with a large network either for manageability or security, but needs no external key management system.
• RADIUS—Remote Authentication Dial In User Service. A very old protocol for centralizing authentication and authorization management. The RADIUS server acts as a remote service for these functions.
• WPA Enterprise, WPA2 Enterprise—A trade name for a set of EAP types. Products certified as WPA Enterprise or WPA2 Enterprise will interoperate (EAP-TLS, EAP-TTLS/MSCHAPv2, PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC & EAP-SIM)
• WPA-Personal, WPA2-Personal—See Pre-Shared Key.
• WPA2-Mixed—Support for both WPA1 and WPA2 on the same access point.
• 802.11i—An IEEE standard specifying security mechanisms for 802.11 networks. 802.11i uses AES and includes improvements in key management, user authentication through 802.1X and data integrity of headers.
• CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol that uses AES.

Enjoy!

Source: eWeek

This toolkit is a contribution to the wireless security/auditing community and, as the “Assistant” moniker implies, and is designed for the following groups of people:

• IT-security auditors and professionals who need to execute technical wireless security testing against wireless infrastructure and clients;
• IT professionals who have responsibility for ensuring the secure operation and administration of their organization’s wireless networks;
• SME (Small & Medium Enterprise) and SOHO (SmallOffice-HomeOffice) businesses who do not have either the technical expertise or the resources to employ such expertise to audit their wireless networks;
• Non-technical-users who run wireless networks at home and who would like to audit the security of their wireless home networks and laptops but don’t know how.

You can download OSWA Assistant here:

oswa-assistant.iso

Or read more here.

Russix is a Slax based Wireless Live Linux. It has been designed to be light (circa 230Mb) and dedicated purely to wireless auditing.

It is not a script kiddy phishing tool and as such, while it will allow you to break a WEP key in 6 key strokes and conduct an “Evil Tiny Twin” attack in less than 5, it will not let you become the latest version of Barclays Bank.

Russix evolved from an internal UK Military Wireless auditing tool (debian based) which russ had developed while working for them as a penetration tester.

Russix is a free download for auditing. It scripts together several WLAN attacks and will allow the user to break a WEP key in about 6 keystrokes! It will not be modified by us to make it into a phishing tool as that would be evil.

It comprises a number of tools including aircrack-ng, cowpatty, asleap, nmap, wireshark, hydra, as well as scripted attacks to aid cracking WEP and WPA networks. Currently, it only supports Atheros based chipsets and those of you lucky enough to own 2 atheros cards will be able to use the scripted Evil Twin attack.

Interested in hearing any feedback you may have or improvements you can make.

You can download it here:

Built on 9th Dec 2007: Download latest version

Or read more here.

It’s essentially a tool to get information from open wifi networks without joining any network, and covering all wifi channels. Most of the packet parsing is done by Scapy.

WifiZoo does the following:

• Gathers bssid->ssid information from beacons and probe responses
• Gathers list of unique SSIDS found on probe requests
• Gathers the list and graphs which SSIDS are being probed from what sources
• Gathers bssid->clients information and outputs it in a file
• Gathers ‘useful’ information from unencrypted wifi traffic (like passwords/credentials etc)

Requirements

• Python
• Scapy
• Kismet (if you want to do channel hopping)
• Logs are stored in ./logs/ (so make the directory)

You can download WifiZoo here:

wifizoo_v1.2.tgz

Or you can read more here.

Aircrack-ng is the next generation of aircrack with lots of new features:

• Better documentation (wiki, manpages) and support (Forum, trac, IRC: #aircrack-ng on Freenode).
• More cards/drivers supported
• New WEP attack: PTW
• More OS and platforms supported
• Fragmentation attack
• Improved cracking speed
• WEP dictionary attack
• Capture with multiple cards
• New tools: airtun-ng, packetforge-ng (improved arpforge), wesside-ng and airserv-ng
• Optimizations, other improvements and bug fixing

Download the latest version of aircrack-ng here:

Linux – aircrack-ng-0.9.1.tar.gz

Windows – aircrack-ng-0.9.1-win.zip

Or you can read more here.

Remember you need this to use aircrack-ptw – the fast WEP cracking tool.

A history of WEP and RC4

WEP was previously known to be insecure. In 2001 Scott Fluhrer, Itsik Mantin, and Adi Shamir published an analysis of the RC4 stream cipher. Some time later, it was shown that this attack can be applied to WEP and the secret key can be recovered from about 4,000,000 to 6,000,000 captured data packets. In 2004 a hacker named KoReK improved the attack: the complexity of recovering a 104 bit secret key was reduced to 500,000 to 2,000,000 captured packets.

In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir which can additionally be used to break WEP in WEP like usage modes.

The aircrack-ptw attack

The aircrack team were able to extend Klein’s attack and optimize it for usage against WEP. Using this version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good condition. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40 bit keys too with an even higher success probability.

Countermeasures

We believe that WEP should not be used anymore in sensitive environments. Most wireless equipment vendors provide support for TKIP (as known as WPA1) and CCMP (also known as WPA2) which provides a much higher security level. All users should switch to WPA1 or even better WPA2.

You can download aircrack-ptw here:

aircrack-ptw-1.0.0.tar.gz

Or read more here.

Find an aircrack-ptw How To here.

Please note aircrack-ptw should be used together with the aircrack-ng toolsuite.

Using LORCON, developers can write tools that inject packets onto the wireless network without writing driver-specific code, simply by asking the user to identify the driver name they are currently using for a specified interface.

The project goal is to create what libradiate could have been: A generic library for injecting 802.11 frames, capable of injection via multiple driver frameworks, without forcing modification of the application code.

Nearing 1.0 public release. Once FreeBSD support is incorporated, the first full packaged release of Lorcon will be made, stay tuned!

Supported drivers:

• wlan-ng
• hostap
• airjack
• prism54
• madwifing
• madwifiold
• rtl8180
• rt2570
• rt2500
• rt73
• rt61
• zd1211rw

You can find some more information here:

LORCON Man Page

You can get the latest code from SVN here:

svn co http://802.11ninja.net/svn/lorcon/trunk

Or read more here.