The Lack of WiFi Security (Part 1)

by Don Parker [Published on 11 Oct. 2006 / Last Updated on 11 Oct. 2006]

This article discusses how effective various encryption schemes are and some of the tools used to discover WAP's.

If you would like to read the next part in this artice series please go to The Lack of WiFi Security (Part 2).

Hopefully by now everyone has heard that WiFi (wireless) is subject to a series of attacks that will lead to its compromise. How effective are the various encryption schemes though? What are some of the tools used? Read on to find out.

WiFi security or lack thereof

I think we all agree that having the option of wireless connectivity is great. It certainly helps to have it in a corporate setting as well. The freedom to roam about the office with your laptop helps worker efficiency, and is simply nice to have at home as well. No longer are we constrained by cables and such. Heck, I remember having a 100 foot length of CAT-5 in my home that I used to connect my laptop to my router. That was a pain in the butt believe me.

Well with this new found freedom have come certain risks. For everytime you introduce new technologies you can rest assured that exploits for it are soon to follow. So with this in mind it was no great surprise that 64 bit WEP was quickly found to be lacking in terms of its implementation. So the vendors upped the ante and came out with 128 bit WEP, and this in turn was also found to be lacking. It kind of makes you think of the old arms race doesn’t it? For every new weapon that comes out, there is quickly a counter-measure for it.

WiFi hacking has been around for some time now, and oddly enough has really received little press. Since 2001, 64 bit WEP has been breakable. That was also around the time that well known tools such as Airsnort gave the ability to break into wireless networks to the masses. This tool is only half of the equation though for you still require something to let you know if there are any wireless access points around you. We shall now go on to look at various tools which will allow you to do some WEP cracking. Some of the tools shown are Linux based, but some have since been ported to Win32. On that note let’s get to the business of profiling some of the tools used to pull off a WiFi hack.

What tools do you use to crack WEP?

There is a fairly decent variety of tools out there to help you crack WEP keys. One of them, I mentioned already, is Airsnort as coded by Snax of Shmoo group fame. Well much like any hack, there is typically a logical series of events that need to take place first. What do you think the first step would be? Well, seeing as we want to crack WEP keys, then our first step should be to find ourselves a wireless access point (WAP). To that end some tools which will help you detect WAP’s are as follows. Please bear in mind that not all of them are available in Win32. I will indicate as such where one of them is not.

Kismet

This tool does a combination of things for you and is native to *nix. Kismet will not only detect WiFi networks, it is also capable of sniffing packets from them, and can act as an intrusion detection system as well. All in all, it is a very functional tool and is also one that is still actively maintained. Please note that you can run Kismet on your favorite Win32 operating system, but you will need to do so with cygwin. Though this tool is indeed very functional, some people find it a little confusing to work with. That said, should you wish to install it on your Win32 laptop then please click here for a good explanation of how to do it.

Now is a good time to point out that you will need an external wireless card to do WEP cracking as the onboard wireless card you have is simply not up to the task of detecting all WiFi networks that may be around you. Some of the cards that I suggest you get are the Cisco Aironet a/b/g (this is the one I have) 3Com 3CRPAG175 wireless card, and lastly the Linksys Dual Band wireless card. Please bear in mind that this is not an exhaustive list. All said and done I would go for the Cisco Aironet card as it will support both a/b/g modes.

Netstumbler

Netstumbler is a tool which will allow you to detect WAP’s around you. It is fully functional on Win32, specifically W2K Pro and Win XP. You are once again limited by having to have a wifi card that is supported by Netstumbler. However, this software tool will not detect WAP’s that are configured to not broadcast their SSID. A rather limiting factor, and is the main reason why you would be better off using another tool during your discovery phase.

AirMagnet

The tools shown above are both free tools available to you at no cost other then your time to configure them. This tool is commercial in nature, but does a far better job at finding WAP points, and a whole lot more. AirMagnet is also native to Win32 and can be used with ease, vice some of the problems you may have trying to get the above two noted working. Though some tools can do a good job of both detecting and then collecting WAP point traffic, you are likely best off splitting your tool kit into two. With that in mind I would use either Netstumbler or Airmagnet for WAP detection if you are trying to do so with only free tools.


Figure 1

We can see from the above screenshot that there are four wireless networks detected. These are all within range of my wifi card to detect, and in likelihood these networks belong to those of my neighbors. The topmost network with no SSID is mine as I have it set to not broadcast my SSID. Also of note is the fact that only three out of four networks have some form of WEP (64 or 128 bit) enabled.


Figure 2

With the above noted screenshot in mind we see how easy it would be to use this tool to associate yourself to a wireless network whose WEP you have broken. Once you have the key, it would be trivial then to insert yourself into the network. Anyhow I don’t wish to dwell on this tool as it is indeed a commercial one, and I prefer to show you tools that are free in nature. That said, this tool is extremely powerful and easy to use. If your company can afford to buy it then I for one would certainly counsel you to do so.

Wrapup

Well over the course of this article we have seen that there are a fair amount of tools out there for the discovery phase of wireless networks. All you really need is a decent wifi card and you are good to go. Netstumbler is really a rather nice tool for Win32, while Kismet can be made to work as well on your Windows O/S. These tools are just for the discovery of WAP’s, and not really for the collection and subsequent breaking of WEP. What we shall look at in part two of this article series are tools to collect, and in turn, break WEP. Remember, while discovering WAP’s around you may be fun to do, it is still illegal for you to connect to them. Please bear that in mind. On that note I shall see you in part two!

If you would like to read the next part in this artice series please go to The Lack of WiFi Security (Part 2).

See Also


The Author — Don Parker

Don Parker specializes in matters of intrusion detection, and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writing for various online and print media on matters of computer security.