Thursday 25 March 2010

wi-spy with my little eye

Inherent weakness in WiFi
The greatest thing about WiFi 802.11 is that it's... wireless: data magically propagating through different mediums to network devices together. The problem with these waves moving through the air is that anyone who stands in their way can hear them.

Management frames are sent in plain sight at 1 Mb/s so that all devices can see them. Put your wireless card into monitor mode and you will see all the beacons from APs in Wireshark. Your MAC address can be seen here too, which means your identity is not necessarily secret.

If you have set up security associations with a range of APs, then when you turn wireless on in Windows the first thing it does is probe to see who's there and whether an AP it has connected to before is available, and yes, it sends this information for Mr Hack-in-a-Box to see. The big risk is that if Mr Hack knows your computer wants to connect to "home", he could set up a rogue AP with the SSID "home", sit near you giving it the strongest signal, and your machine would move onto that rogue AP. If the attacker also provides a route to the Internet, which is highly likely, you wouldn't even know you'd changed connections! Now all your data and transactions can be looked at and saved, yum yum yum.

Let's play a game
Why don't we use the fact that your wireless gives out its identity for a game of wireless hide and seek? Get a gaggle of friends to come over with their wireless devices, log their MAC addresses and tell them to go hide around the city centre. Use a laptop in monitor mode running Wireshark or airodump, something that can record the data. Make a simple C program that reads through the captured frames, looks for the logged MAC addresses and makes a noise when it finds one. Now run around town and wait for a beep! The RSSI can be used to narrow the search. Happy hunting.
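A matcher of the kind described above, written here as an added example and not code from the original post: it skips the radiotap pseudo-header that monitor-mode captures prepend, reads the transmitter address from the 802.11 header and checks it against a constructed watchlist. The MAC addresses and the sample beacon are made up for the example; reading frames from a live capture and pulling RSSI out of the radiotap fields are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAC_LEN 6

/* Constructed watchlist: the MAC addresses the players logged before hiding. */
static const uint8_t watchlist[][MAC_LEN] = {
    {0x02, 0x11, 0x22, 0x33, 0x44, 0x55},
    {0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee},
};

/* Monitor-mode captures start with a radiotap pseudo-header whose total length is
   the little-endian 16-bit field at offset 2; -1 if the buffer is too short. */
static int radiotap_len(const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    size_t rt = buf[2] | ((size_t)buf[3] << 8);
    return rt <= len ? (int)rt : -1;
}

/* Find the frame's transmitter (Address 2: after frame control (2), duration (2) and
   Address 1 (6)) in the watchlist. Returns its index, or -1 for no match, a truncated
   frame, or a control frame (type bits 2-3 of frame control == 01; CTS/ACK have no Address 2). */
int match_transmitter(const uint8_t *cap, size_t len) {
    int rt = radiotap_len(cap, len);
    if (rt < 0 || len - (size_t)rt < 16) return -1;
    const uint8_t *hdr = cap + rt;
    if (((hdr[0] >> 2) & 0x3) == 1) return -1;
    for (size_t i = 0; i < sizeof watchlist / MAC_LEN; i++)
        if (memcmp(hdr + 10, watchlist[i], MAC_LEN) == 0) return (int)i;
    return -1;
}

/* Constructed capture: 8-byte radiotap header (version 0, length 8, no fields),
   then a beacon (frame control 0x0080) sent by the first watchlisted device. */
const uint8_t sample_beacon[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* Address 1: broadcast */
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55,   /* Address 2: transmitter */
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55,   /* Address 3: BSSID */
    0x10, 0x00,                           /* sequence control */
};

int main(void) {
    int hit = match_transmitter(sample_beacon, sizeof sample_beacon);
    if (hit >= 0) printf("\a found player %d\n", hit);   /* \a rings the terminal bell */
    return 0;
}
```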


The same technique could be used for any wireless goods that may have been stolen, assuming you know the MAC, it's powered on, and it's not 300 miles away having been swapped for some trainers.

Does anyone still use WEP!?
I would really like some feedback; leave a comment, let me embrace your views. Why is WEP still around? Its security is as good as a padlock with the combination written on the back. When looking for wireless signal in various places I keep seeing it pop up, often with a default SSID. A few manufacturers and ISPs will give you an AP that is set up with WEP and the key written on the side so that average Joe can plug it in and away they go; brilliant, it works, they're happy. The other use I often see is hotels, where you either pay for the key or it's given to you and you pay to go through a tunnel.

WEP is weak: it hands out the IV in the clear in every packet, and as that's only 24 bits it's only a matter of time until it uses the same one again.

I went to visit a relative and, as part of a security audit, noticed that he was using WEP (128-bit). I tried to explain the weaknesses in this method and demonstrated how easy it is to crack.
  1. Booted up BackTrack from USB (1 minute)
  2. Used airmon to put the card into monitor mode, airodump to capture data, aireplay to generate data, aircrack to crack the key (30 seconds)
  3. Aircrack looked at ~8000 IVs and gave me the WEP key (1 minute on the dot)
  4. Put the key in and started using his wifi
All security can be broken given the resources and time; the crucial decision is what level of security is reasonable. I use WPA2-PSK, which can be cracked, but it could take a year, and I could make it my policy to change the PSK monthly; I may not even live in the same house in a year.

Tip top tips - I'm sure nobody does, but don't leave defaults on. It's reckless and an insult to professionals.
