One of the most common ways that administrators attempt to protect their wireless networks is with encryption. Unfortunately, the two primary means of protection, Wired Equivalent Protection (WEP) and WiFi Protected Access (WPA), have flaws that allow them to be exploited. This section discusses how to attack networks that are protected by WEP and WPA.
The most commonly used form of encryption protecting wireless networks is WEP. WEP is a flawed implementation of the Rivest Cipher 4 (RC4) encryption standard. Scott Fluhrer of Cisco Systems, Itsik Mantin, and Adi Shamir of the Weizmann Institute detailed the flaws in WEP in their joint paper Weaknesses of the Key Scheduling Algorithm of RC4 (www.drizzle.com/~aboba/IEEE/_rc4_ksaproc.pdf).
In short, WEP utilizes a fixed secret key. Weak initialization vectors are sometimes generated to encrypt WEP packets. When enough weak initialization vectors are captured, the secret key can be cracked. There are a number of tools available on the Internet that can be used to crack WEP encryption. This section details how to use AirSnort on Linux and WEPCrack on Windows to crack WEP.
When enough weak initialization vectors are identified, AirSnort begins attempting to crack the WEP key. There are about sixteen million possible initialization vectors generated by wireless networks using WEP. Approximately nine thousand of these are weak. AirSnort considers these nine thousand weak initialization vectors as “interesting.” According to The Shmoo Group, most WEP keys can be guessed after collecting approximately two thousand weak initialization vectors.
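The two properties this passage rests on, a fixed secret key and a 24-bit initialization vector that travels in the clear, are easiest to see in code. The following Python is an added example written for this edit, not code from the book or from AirSnort: it implements RC4 as WEP uses it (per-packet key = IV || secret key; the CRC-32 ICV that WEP appends to the payload is omitted), and a small passive monitor that a network owner can run over the IV field of captured frames to measure how much of the IV space an access point has already consumed and whether IVs are repeating, which is the point at which two frames share a keystream. The key, the frame payloads and the frame rate are constructed for the demonstration.

```python
from typing import Dict, List, Tuple

IV_SPACE = 1 << 24   # WEP IVs are 24 bits: roughly sixteen million values


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling algorithm (KSA) followed by keystream generation
    (PRGA); encryption and decryption are the same XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, payload: bytes) -> Tuple[bytes, bytes]:
    """WEP builds the per-packet RC4 key as IV || secret key and sends the IV
    in the clear; returns (iv, ciphertext). The CRC-32 ICV is left out."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    if len(secret_key) not in (5, 13):
        raise ValueError("WEP secret key is 40 or 104 bits")
    return iv, rc4_crypt(iv + secret_key, payload)


class WepIvMonitor:
    """Passive IV-space monitor over the cleartext IV of captured frames."""

    def __init__(self) -> None:
        self.first_seen: Dict[bytes, bytes] = {}            # iv -> first ciphertext
        self.reuse: List[Tuple[bytes, bytes, bytes]] = []   # (iv, c1, c2)

    def observe(self, iv: bytes, ciphertext: bytes) -> None:
        if iv in self.first_seen:
            self.reuse.append((iv, self.first_seen[iv], ciphertext))
        else:
            self.first_seen[iv] = ciphertext

    def coverage(self) -> float:
        """Fraction of the 2^24 IV space this access point has already used."""
        return len(self.first_seen) / IV_SPACE

    def leaked_plaintext_xor(self) -> List[bytes]:
        """Two frames under the same IV share a keystream, so c1 XOR c2 equals
        p1 XOR p2: the keystream-reuse leak that WEP's small IV space invites."""
        return [bytes(a ^ b for a, b in zip(c1, c2)) for _, c1, c2 in self.reuse]


def hours_to_exhaust_iv_space(frames_per_second: float) -> float:
    """How long a busy access point takes to cycle through every IV once."""
    return IV_SPACE / frames_per_second / 3600.0


# Constructed demonstration data (not a real capture).
SECRET_KEY = bytes.fromhex("0102030405")            # 40-bit key, constructed
FRAMES = [
    (bytes.fromhex("000001"), b"GET /index.html"),
    (bytes.fromhex("000002"), b"HTTP/1.0 200 OK"),
    (bytes.fromhex("000001"), b"POST /login.cgi"),  # same IV as the first frame
]


def run_demo() -> WepIvMonitor:
    mon = WepIvMonitor()
    for iv, payload in FRAMES:
        mon.observe(*wep_encrypt(SECRET_KEY, iv, payload))
    return mon


if __name__ == "__main__":
    m = run_demo()
    print(f"IVs seen: {len(m.first_seen)}, reuse events: {len(m.reuse)}")
    print(f"IV-space coverage: {m.coverage():.8f}")
    for xor in m.leaked_plaintext_xor():
        print("p1 XOR p2 leaked by IV reuse:", xor.hex())
    print(f"at 500 frames/s the IV space repeats after {hours_to_exhaust_iv_space(500):.1f} h")
```

Run against a real capture, the monitor only needs the three IV bytes and the encrypted payload of each data frame; the coverage figure and the reuse count tell an administrator how far along the "matter of time" clock for a given access point already is, independent of which tool an attacker might use.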
AirSnort is a valuable tool that can be used by WarDrivers to locate wireless networks. It can also be used by attackers to crack WEP encryption on wireless networks.
Installing AirSnort is a relatively straightforward process. First, download the current version from Sourceforge (http://sourceforge.net/_project/showfiles.php?group_id=33358). Then uncompress and untar the source. Afterward, change into the AirSnort directory that is created:
root@roamer:/root# gunzip airsnort-0.2.2b.tar.gz
root@roamer:/root# tar -xvf airsnort-0.2.2b.tar
root@roamer:/root# cd airsnort-0.2.2b
For most systems, compiling and installing AirSnort requires only three steps:
root@roamer:/root/airsnort-0.2.2b# ./autogen.sh
root@roamer:/root/airsnort-0.2.2b# make
root@roamer:/root/airsnort-0.2.2b# make install
This compiles AirSnort and places the AirSnort binaries in the /usr/local/bin/ directory.
To start AirSnort, open a terminal window inside your X-Windows environment and issue the airsnort command. This opens the AirSnort program (see Figure 9.19).
root@roamer:/root/airsnort-0.2.2b# airsnort
Figure 9.19: AirSnort Opens
First, you need to select the network device to put into monitor mode. In order for monitor mode to work, you must follow the instructions provided in Chapters 4 and 5 of this book. Using the drop-down menu, select your wireless card (for example, eth0, eth1, or wlan0).
Next, choose your Card type, as shown in Figure 9.20.
Figure 9.20: Choosing the Card Type
If you know the channel a specific access point is broadcasting on, you can choose to only monitor that channel. If not, or if you just want to discover any wireless networks in the area, choose “scan” to hop channels searching for wireless networks.
After all the settings have been set appropriately, click Start. AirSnort will place your card in monitor mode and begin collecting information. See Figure 9.21.
Figure 9.21: AirSnort Starts Monitoring
After some weak initialization vectors have been collected, AirSnort will begin attempting to crack the WEP key. A vast majority (approximately 95 percent) of weak initialization vectors provide no usable information about the WEP key. One way you can try to decrease the amount of time it takes to crack the key is by increasing the crack breadth in AirSnort. According to The Shmoo Group's Frequently Asked Questions site for AirSnort (http://airsnort.shmoo.com/faq.html), this will increase the number of key possibilities examined when AirSnort attempts to crack the WEP key. See Figure 9.22.
Figure 9.22: Increasing the Crack Breadth
The most difficult part of attacking wireless networks deployed with WEP encryption enabled is the amount of time it takes. It usually requires a minimum of 1200 weak initialization vectors to crack the WEP key. It can take days or even weeks to capture this many weak initialization vectors.
WEPCrack (http://wepcrack.sourceforge.net) is a set of open source Perl scripts intended to break 802.11 WEP secret keys. It was the first publicly available implementation of the attack described by Fluhrer, Mantin, and Shamir in their paper. Since a Perl interpreter is not installed by default with Windows Server 2003 (or any version of Windows, for that matter), you will need to install one to run the scripts. One or both of the following freely available solutions will give you what you need: Cygwin (www.cygwin.com) or ActiveState ActivePerl (www.activestate.com/Products/ActivePerl).
The more robust option is to install Cygwin. Cygwin is a Linux-like environment for Windows that consists of a DLL (cygwin1.dll) to provide Linux emulation functionality and a seemingly exhaustive collection of tools, which provide the Linux look and feel. The full suite of Perl development tools and libraries is available; however, the Perl interpreter is all that is required to run the WEPCrack scripts, as shown in Figure 9.23.
Figure 9.23: Executing WEPCrack.pl in Cygwin
The other option, using a Windows-based Perl interpreter, may be desirable if you have no need for Linux emulation functionality on your workstation or server. ActiveState ActivePerl, available by free download from the ActiveState Web site (www.activestate.com), provides a robust Perl development environment that is native to Windows. WEPCrack was written so that it could be ported to any platform that has a Perl interpreter without needing to modify the code. Figure 9.24 demonstrates the WEPCrack.pl script running natively in Windows without modification from a Windows command prompt.
Figure 9.24: Executing WEPCrack.pl at the Windows Command Prompt
Once you have cracked the WEP key, you must configure your client to access the network. In Windows XP, this requires the following four steps:
Open the Wireless Network Properties.
Add a Preferred Network.
Enter the SSID.
Enter the WEP key.
First, double-click the Wireless Network Connection icon on the Windows taskbar. This will open the Wireless Network Connection status window. Select the Wireless Networks tab. See Figure 9.25.
Figure 9.25: The Wireless Network Properties
Click the Add… button to open the Wireless Network Properties window. Enter the SSID of the network that you want to access. Next, uncheck the This key is provided for me automatically checkbox. This will make the Network Key and Confirm Network Key text boxes available. See Figure 9.26.
Figure 9.26: Preparing to Enter the Captured Key
Enter the WEP key that you obtained in the Network Key and Confirm Network Key textboxes and then click OK. You have now accessed a WEP-protected network. See Figure 9.27.
Figure 9.27: Accessing the Network
To access a wireless network that you have cracked the WEP key for from Windows 2000, follow these four steps:
Open the Client Manager.
Create a new Profile.
Enter the SSID of the target network.
Enter the captured WEP key.
The first thing you need to do is open your client manager. Double-click the client manager icon on the Windows taskbar. This will bring up the Client Manager window, as shown in Figure 9.28.
Figure 9.28: The ORiNOCO Client Manager
Navigate to Actions | Add/Edit Configuration Profile to create a new configuration profile for the network you want to associate with. See Figure 9.29.
Figure 9.29: Preparing to Add a New Configuration Profile
This opens the Add/Edit Configuration Profile window. Select the radio button beside an empty configuration profile and add a name for the target network. See Figure 9.30.
Figure 9.30: Naming the Target
Click on Edit Profile to open the Edit Configuration window. In the Network Name textbox, enter the SSID of the network you want to associate with. See Figure 9.31.
Figure 9.31: The Edit Configuration Window
Next, click the Encryption tab and enter the WEP key that you cracked, and then click OK. You have now accessed a WEP-protected network. See Figure 9.32.
Figure 9.32: Entering the Cracked WEP Key
Accessing a wireless network that you have cracked the WEP key for from Linux requires only two steps:
Edit the wireless.opts file.
Restart PCMCIA services.
The first thing you will need to do is edit the /etc/pcmcia/wireless.opts file to include the SSID of the target network and the WEP key that you cracked. See Figure 9.33.
Figure 9.33: Open wireless.opts for Editing
Make sure that you have commented out the appropriate lines in the /etc/pcmcia/wireless.opts file, as shown in Figure 9.34. Then find the appropriate section for your wireless card and enter the SSID in the “ESSID” field. Next, change the Mode to “Ad-Hoc” and the Key to the WEP key that you cracked, as shown in Figure 9.35.
Figure 9.34: Configuring the wireless.opts File
Figure 9.35: More Configurations for the wireless.opts File
The last thing you need to do is restart PCMCIA services so that the changes you have made will take effect. In Slackware Linux, this is accomplished by issuing the restart option to the /etc/rc.d/rc.pcmcia startup script, as shown in Figure 9.36. The method of restarting PCMCIA services varies from distribution to distribution, but when necessary, you can reboot the system. Any changes you have made will take effect when PCMCIA services are started at boot time.
Figure 9.36: Restarting PCMCIA Services
Once PCMCIA services restart, you are associated with the target access point.
Because of the vulnerabilities associated with WEP, a new wireless encryption standard was developed, WiFi Protected Access (WPA). In November 2003, Robert Moskowitz of ICSA Labs discovered that WPA is vulnerable to an offline dictionary attack, a brute force attack that tries passwords and/or keys from a precompiled list of values (http://wifinetnews.com/archives/002452.html).
WPA utilizes a 256-bit pre-shared key or a passphrase that can vary in length from eight to sixty-three bytes. Short passphrase-based keys (less than 20 bytes) are vulnerable to the offline dictionary attack. The pre-shared key that is used to set up the WPA encryption can be captured during the initial communication between the access point and the client card. Once you have captured the pre-shared key, you can use that to essentially “guess” the WPA key using the same concepts that are used in any password dictionary attack. In theory, this type of dictionary attack takes less time and effort than attacking WEP.
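The relationship between the passphrase and the 256-bit pre-shared key is what makes the attack above an offline one, and it is also where the defence lies. The Python below is an added example, not code from the book: it applies the passphrase-to-PSK mapping from the 802.11i specification (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 32 bytes of output; these parameters come from the specification, not from this page) and uses it to show two things a network owner can act on. First, a passphrase check built around the page's threshold of 20 bytes, with a rough entropy estimate, so that weak passphrases are rejected before deployment. Second, that the SSID salts the derivation, so the same passphrase yields a different key on every network and a non-default SSID prevents precomputed results from one network being reused on another. The default-SSID and common-word lists are constructed for the example and stand in for real wordlists.

```python
import hashlib
import math
from typing import List

PBKDF2_ITERATIONS = 4096   # 802.11i passphrase-to-PSK mapping (specification value)
PSK_BYTES = 32             # the 256-bit pre-shared key

# Constructed, illustrative lists; a real check would consult far larger wordlists.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
COMMON_WORDS = {"password", "passphrase", "letmein", "internet", "qwertyui"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map an ASCII passphrase of 8 to 63 bytes to the 256-bit PSK.
    The SSID is the salt, which is why it appears in every derivation."""
    raw = passphrase.encode("ascii")
    if not 8 <= len(raw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 bytes")
    return hashlib.pbkdf2_hmac("sha1", raw, ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PSK_BYTES)


def estimated_entropy_bits(passphrase: str) -> float:
    """Crude upper-bound estimate: log2(character-set size) per character."""
    charset = 0
    if any(c.islower() for c in passphrase):
        charset += 26
    if any(c.isupper() for c in passphrase):
        charset += 26
    if any(c.isdigit() for c in passphrase):
        charset += 10
    if any(not c.isalnum() for c in passphrase):
        charset += 33
    return len(passphrase) * math.log2(charset) if charset else 0.0


def passphrase_findings(passphrase: str, ssid: str) -> List[str]:
    """Return the reasons a passphrase/SSID pair should not be deployed;
    an empty list means no finding."""
    findings: List[str] = []
    if len(passphrase.encode("ascii", "ignore")) < 20:
        findings.append("passphrase shorter than 20 bytes: within reach of an offline dictionary attack")
    if passphrase.lower() in COMMON_WORDS:
        findings.append("passphrase is a dictionary word")
    if estimated_entropy_bits(passphrase) < 64:
        findings.append("low estimated entropy")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: precomputed PSK tables for this SSID apply")
    return findings


def ssid_changes_psk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different keys on two SSIDs."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    for passphrase, ssid in (("password", "linksys"),
                             ("Correct-Horse-Battery-Staple-7", "lab-net-2003")):
        print(f"{passphrase!r} on SSID {ssid!r}:")
        print("  PSK =", derive_psk(passphrase, ssid).hex())
        print("  findings:", passphrase_findings(passphrase, ssid) or "none")
    print("SSID salts the key:", ssid_changes_psk("password", "linksys", "lab-net-2003"))
```

The 4096-iteration derivation is also the cost each guess in a dictionary attack has to pay, which is why the passphrase length and the SSID, not the 256-bit key itself, decide how practical the attack described above is for a given network.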
While there are currently no tools available to automate cracking WPA, it is only a matter of time before they are available.