AirTraf 802.11b Security Package
An anonymous reader writes "Being ignorant of network vulnerabilities is a happy condition for only so long. Ignorance is bliss, right up until someone with rogue access drives away with your company secrets. This article covers information about AirTraf, an open source package, which performs a number of tasks, such as determining the Service Set Identifier of the access points, and the channel it is operating under. It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information. The least of your fears should be the leeching of your Internet connectivity. Industrial espionage is a growing reality that you must confront."
As the article points out, they can be a hassle. Metal in the walls, elevators, stairs, etc.
The problem with site surveys is that you have to load expensive software onto a laptop or handheld computer, and go wandering the halls looking for rogue bases, rogue access, and other violations of good security practices. The wandering minstrel who's singing the song of good security must be in the right place at the right time. Invariably, this is a hit-or-miss process, great for finding good places to mount access points, but horrible at making a hit on a security violation. You'd have to traipse the halls and haunt the parking lots, lurking... waiting... like a creepy stalker, trying to find anything out of the ordinary; and you'd still be unable to be in all places at once.
But like most wireless security tools, are the people with ill intent just going to turn it around and use it for their own ends?
Oh well...if the claims are correct, it will all be irrelevant when WPA releases later in the summer.
Is there any way to do triangulation if you have more than one base station? Then you could do some spatial security as well, by restricting access to particular zones (say, within your own building). I know the cell phone companies have been trying to implement E911 locating for a while ... could you do such a thing with a carefully written 802.11 driver?
I've always wondered why wireless security can be such a problem. Why hasn't someone devised a wireless system where encryption is hard to crack? Take a look at SSL: if you have someone listening to the wire, it's hard to get any good information from it based on the way the protocol works. Why can't the same thing be applied to wireless? The only real difference is you don't have to go through the trouble of intercepting the packets on a wire.
- tristan
If anyone knows of any agencies progressive enough to jump on the wireless bandwagon, pipe up. Otherwise I think it's just another victim of the hype monster.
Wired Cat5e = Secure
:)
Wireless 802.11(a,b,g) = unsecure
I have cracked 'secure' WEPs in a matter of hours, and the more traffic going over the network, the easier it is. All you need is about a gig of traffic, and blamo, WEP key in shining black letters right in front of you. I'm sorry guys, beaming a signal through the air is not secure (as shown by the amazing security from the satellite TV companies; I think we have all had an H card at some point, or other variants).
The only problem I have ever had with wired lines is bad planning. Providing you know where your workstations are going to go, and how you plan on growing, wires are just fine and MUCH faster!!
No, I didn't spell check this post...
And it's open source so it would take about a day for someone to start wondering what that bit of code was for.
Industrial espionage is a growing reality that you must confront
Is that a fact? I'd say since the collapse of the USSR, it must have gotten better actually.
It's clear to me that no matter how much arm waving is done by security experts and those who stand to profit from the implementation of wireless security (cough, IBM), nothing short of tragedy can motivate American organizations to take security seriously.
Security is NOT a necessity - in fact, many of the things people are trying to "protect" these days don't need to be protected at all - security consultants just want to rake in commissions as they help their clients "secure" their data.
It's high time that these profiteers take off their Microsoft hats and start acting with the best interest of the end-user in mind.
without purchasing other software?
Is the Linksys wireless router wide open to traffic straight out of the box?
I want to share printers and disks behind a wireless router but not allow external access - is that difficult or expensive to accomplish?
That really makes me want to install your "security" software.
It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information.
As useful as this is, it's not going to do much to detect or stop the fact that these are just radio waves. And you can't "detect" a hunk of metal out there picking up on them. Almost all new cards are capable of being put into RF monitor mode and sniffing raw 802.11b frames without transmitting anything.
Prism II and Cisco based cards can do it out of the box. Orinoco cards can do it with a patched driver (patched orinoco-cs on linux, WildPackets driver on Windows).
On top of that, AirSnort now compiles on Windows. It's not a fun/easy setup and still has a lot of problems, but it works.
FACT: The Illuminati is using 802.11b as a carrier for their Mind Control Rays. When "reputable sources" speak of 802.11b security, they really want you to work closely with an 802.11b source for a while so you receive their programming.
Real 802.11b security can be achieved by the following means:
Purchase a 15 meter (~50') roll of tin foil.
Wash your hair with baking soda. Don't use commercial brands, they have 802.11b signal enhancers which tune your noggin to their Mind Control Ray.
Once dry, wrap your head in a clockwise fashion with the tin foil. Ensure you cover the top of your head, your ears and base of the neck. You can poke small holes in each side to allow sound to reach your ears.
Sit back and laugh knowing that you have true 802.11b security and are safe from The Illuminati's Mind Control Rays.
Who's that at my door? )(#@Ujf0d923j 329 32
CARRIER LOST
Wouldn't it be easier to detect rogue base stations by searching for SNMP agents? The rogue base stations are identified as 802.11 devices through SNMP queries for host id.
Another approach would be to scan for new MAC addresses attached to the LAN and identify WLAN APs based on the manufacturer code in the MAC address. No need to deploy new hardware in the network. Just create a couple of scripts...
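The MAC-prefix approach described in this post, worked through as an added example (not code from the thread or from AirTraf): it parses a constructed ARP-table dump, takes the OUI (first three octets) of each MAC, and reports hosts whose OUI is on an AP-vendor watchlist but which are not in the known-device inventory. The watchlist OUIs are sample values assumed for the example; a real deployment would build the list from the IEEE OUI registry.

```python
"""Flag possible wireless access points on a wired LAN by MAC vendor prefix.

Added example (not part of the original thread): walks an ARP table dump
and reports hosts whose OUI (first three bytes of the MAC address) matches
a watchlist of AP vendor prefixes and is not in the known-device inventory.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: output in the style of Linux `arp -an`.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 00:06:25:aa:bb:cc [ether] on eth0
? (192.168.1.21) at 00:40:96:12:34:56 [ether] on eth0
? (192.168.1.30) at 00:0c:29:de:ad:00 [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
"""

# Assumed watchlist: OUIs used here as sample values for 802.11 AP vendors.
# In practice build this from the IEEE OUI registry, not from memory.
AP_VENDOR_OUIS: Dict[str, str] = {
    "00:06:25": "Linksys (sample)",
    "00:40:96": "Cisco Aironet (sample)",
}

# Devices the admin has already approved (constructed inventory).
KNOWN_MACS = {"00:40:96:12:34:56"}

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs; incomplete entries have no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def oui(mac: str) -> str:
    """First three octets, normalised to lower-case colon form."""
    return ":".join(mac.lower().split(":")[:3])


def flag_possible_aps(entries, watchlist=AP_VENDOR_OUIS, known=KNOWN_MACS):
    """Return [(ip, mac, vendor)] for unknown hosts carrying an AP-vendor OUI."""
    hits = []
    for ip, mac in entries:
        vendor = watchlist.get(oui(mac))
        if vendor and mac not in known:
            hits.append((ip, mac, vendor))
    return hits


if __name__ == "__main__":
    for ip, mac, vendor in flag_possible_aps(parse_arp_table(SAMPLE_ARP)):
        print(f"possible rogue AP: {ip} {mac} ({vendor})")
```

Run it periodically against the real ARP cache of each switch segment and diff against the last approved inventory; a hit is a lead to check physically, not a verdict, since OUIs only identify the card vendor.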
They might have written the trojan code very, very, very small and hidden it between the lines ;-)
-psy
P.S: It was a joke, lighten up!
Since no one else linked to it: AirTraf's web site
Also, This link goes to Elixar, the AirTraf project team's new company.
WEP is a miserable encryption algorithm. It can be brute-forced within hours, or passively within a day or two. Simply by having WEP enabled on your access point is *no* guarantee whatsoever that your data is secure.
Now, having everything SSH tunnelled and then wrapped in a flaky WEP crust, that's different... But WEP for 802.11(x) makes about as much sense as a bicycle for a mermaid.
Bowie J. Poag
Bummer
Ignorance is bliss, right up until someone with rogue access drives away with your company secrets
Most wardriving is about finding an open network where you can pull your favorite pr0n from your car on your laptop. And probably for the sheer fun of hacking too. Now, if the admin(s) of a company rely on pirates not being able to plug into the physical ethernet socket for their security, he/they surely should be fired.
In most companies, even if someone gains access to the intranet through 802.11b, he's not going to do much, as the real meat of the company will probably be protected even there. He might get to play with some Windows boxes, see hostnames, sniff this or that, but that's all. True, it's very much better if the guy doesn't see anything in the intranet in the first place, but still, in that worst-case scenario, there is a reasonable level of security left in companies with a decent admin.
Now, 802.11b isn't so secure. If you're really worried, don't use it. If you're really worried and you really want wi-fi, run tunnels over it: it's far from ideal but it's quite secure.
Yet nobody will put the latest service pack on.
Microsoft software, installed correctly and to their specifications, is as, if not more, secure than most distributions of Linux. The amount of FUD spread about it is all out of proportion to its flaws, and is probably due to a complete lack of familiarity with its features by its detractors, who would of course use it if it was free. It is this same lack of familiarity that is preyed upon by vendors who would rather sell a $10,000 band-aid than a $50 book.
Imagine a beowulf cluster ... erm ... imagine a cluster at least of these. You could easily set up a massive centrally located system and have some real fun with a wireless system. With this and AirSnort, you're bound to be able to just about do anything anywhere with an 802.11b access point laying around.
I can see where this would definitely help out a site admin having a bird's-eye view of the system itself, but boy was the article right with the comparison that a power tool can be very useful and can also cut your fingers off.
Good analogy if you ask me, nice article for sure.
1) Terminate your wireless AP outside your network
2) Use strong VPN software to access your network
3) Only allow the AP to talk to the VPN box
So what's the result?
- no WEP problems
- nobody on wireless is inside your network
- nobody can steal access
It's certainly the only sane response I've seen. Other than, of course, "Don't allow wireless at work" which is rapidly becoming the standard.
Wireless security should be set up via obstacles. The best examples have already been featured on slashdot. Use the light bulbs that disrupt the same 2.4GHz frequency (can't find the old slashdot article). Just place these around the perimeter of your wifi network. Great for corporate campuses.
Has anyone been able to download the source from Elixar? I submit the form and just get redirected back to it. Does someone have a URL for the source?
I'm unqualified to speculate on more than one half of the question.
Jeepmeister
For fucks sake, how the fuck do you post a link on slashdot!
Sorry for the swearing but I've just wasted an hour trying to post a fucking link and this pos faq doesn't cover it.
I guess I'm stupid so please help me out here!
Note that WaveSEC is NOT a replacement for end-to-end security. All it does is protect you from wireless eavesdroppers. If you are using WaveSEC or end-to-end IPsec for all your network connections, you don't need WaveSEC.
- In fact, one of the more common questions asked at Slashdot.org, the open source "News for Nerds" page, is "How do I get developers to join my project?"
And the most common answers are:
BSD is dying
Stephen King, American icon, dead at 53
CmdrTaco is Michael's mutilated sex slave
Micro$oft suxors
Hot grits
Natalie Portman petrified
Mod parent up/down
Frost pist
Another question: why is there a picture of Mr Lee's crotch proudly displayed in the article referenced? Very disturbing. Perhaps that's IBM's answer to SCO?
More than one-half? Which would be, what, 100% speculation?
Rather than saying that 802.11x is analogous to a network, think of it as being analogous to an RJ-45 wall jack. If you placed a wall jack in a public area of your local shopping mall you would realize that it is insecure and is exposing your network to the world. Knowing this you would take some action to secure that wall jack. You might disable the port at the switch or you may have a firewall set up to allow the wall jack to be used but prevent unauthorized access to your private network.
The same procedure should be used with wireless. Setting up an access point is the same as placing that RJ-45 jack in the shopping mall. You need to isolate the traffic to and from the wireless access point. A firewall could be used for this, but perhaps the best way would be to establish a VPN server between the access point and your private network. This way, unauthorized access can only see the front-facing VPN server and nothing else on your network.
Don't look for security in 802.11x, it isn't there. At the same time, Cat5e by itself offers no security. The security that you associate with Cat5e comes only from the physical security surrounding the wall jacks and switches. If you expose the wall jacks, it's a whole new ball game.
See? Simple, huh?
Ok, ok, write it just like you would an html link.
Someone who actually READS articles here!!
In reality, you want to firewall off the AP and then use SSL to tunnel through it as you suggest. If they had built something better into the spec like IPsec (as good as SSL, but implemented deeper in the protocol stack), it would have been much better. Setting up SSL properly isn't so easy and it would be nice to give the average WEP user something that works 'out of the box'.
good article on ars about 802.11b security
http://arstechnica.com/paedia/w/wireless/security-1.html
I recently flashed two WAP11 v2.2's to the D-Link DWL-900AP+ BIOS, and set them up to bridge MAC address to MAC address with the SSID broadcast turned off, and I used the 256k bit encryption.
How secure is this?
Yes you dumb fuck.
airtraf.tar.gz
The creds: I'm an infosec goon for a big faceless corp that is pretty paranoid about being hacked.
OK here we go:
All you need to get 802.11b (or whatever) working is an access point and a host. The Logical Link (from that OSI model in the first chapter of the MCSE book you never read) identifiers consist of the ubiquitous MAC address and an SSID. All the client needs to do to connect is specify a valid SSID to the access point in question, voila, free porn on somebody else's dime. Here's the thing, 802.11b access points broadcast their SSIDs.
Some stodgy buggers thought that this kinda sucked, so they decided to wave the magic encryption wand over the system. What they got was the (in)famous WEP, Wire Equivalency Protocol, or Wireless Encryption Protocol, depending on if you started messing with this before 2001 or not. This stuff comes in 2 main flavors, 56-bit and 128-bit. Two problems with WEP came up round about 2001. First, the key generation algorithm was flawed, and a 56-bit key was really a ~26-bit key, a 128-bit key was really a ~98-bit key. Second, because of the nature of the system it is very easy to gather enough data to perform differential cryptanalysis (aka extracting the keys from a bunch of traffic based on how they are encrypted). Detrimental to all hope us poor white hats had of keeping our systems safe, AirSNORT was released, allowing even the cryptographically challenged intruder to compromise the best access points.
Security for the wireless:
Most commercial access points will allow at least some of the following:
Turn off SSID broadcast, this helps, unless the intruder can see a user connecting for the first time, when the client broadcasts the SSID to gain access.
Specify allowed MAC addresses, this also helps, but all an intruder has to do is change the MAC of the intruding interface, and get on while a client isn't on.
Stuff only a few vendors do:
Use 256-bit encryption, this is pretty good, but only works with compatible cards and drivers. It can also still be cracked by a determined attacker using AirSNORT, (ok, ok a very determined attacker with some form of supercomputer, but hey there's No Such Agency with that kind of equipment).
Cisco has tech called LEAP, which will do cool things like rotate keys on a 5 minute basis. It is unlikely that an attacker using AirSNORT will get sufficient information to crack the key before it's changed. It'll do some other cool stuff, but I'm not a Cisco rep, so I won't recite the product manual.
A "Best Practice" with wireless is to do some or all of the above, and attach the access point to the outside interface of a VPN gateway. The theory on this is to treat the wireless network like any other external connection.
Now why, if I'm doing all this stuff to secure my network, do I do a Wireless Site Survey at least quarterly at my major sites? Well, because people like easy, and people like to do it themselves. I'm most concerned about someone setting up a combo firewall/access point on my network. The best way to find rogue access points is to play Marco Polo with a laptop and a directional antenna (if you want good info on that stuff, talk to a friendly neighborhood HAM operator, but a coffee can works pretty well in a pinch).
Stuff you should know about site surveying:
Get a good card, preferably one with an external antenna input. See what you can do about getting the right antennas for this kind of thing.
The tool du jour for this is called Kismet. It does not have all the key cracking kung fu of AirSNORT, but it makes finding the access point pretty easy.
Have your policy in hand for the confrontation with the owner of the rogue access point, wield it with BF&I (Brute Force and Ignorance).
Good luck and happy hunting,
Spyder
What does this package offer that Kismet doesn't? Perhaps if it offered on-the-fly WEP cracking I would take a look at it.
Unfortunately, I fear that I'll never be able to forget...make it stop hurting!
It was at 4:25am on the morning of May 27th 2003 that, after many failed attempts to resuscitate the dying OS, *BSD finally passed away. While *BSD has been in its death throes for many months now and its death has been foreseen for many years, this is still a very sad moment; a great loss for OS dilettante dabblers and *BSD lovers the world over. Though *BSD has passed away, it will surely be fondly remembered for years to come by users, developers, and trolls alike. Even if you didn't enjoy using *BSD, there's no denying its contributions to popular OS culture. Truly a Berkeley icon. It will be missed :(
So, how can I share the wireless connection in my apartment with other nearby apartments (just to be nice) without jeopardizing my PCs, which share files among each other? (A mix of win 98 and linux.)
airtraf.tar.gz
Never trust your depth of exploit to the benevolence of the attacker. Lots of networks don't have things like interior IDS, regular vuln scanning, or even decent administration practices. Moreover, all those attacks concerning physical location are now possible. Even little defacements can require substantial response in the form of rebuilt systems, reports to management, PR issues. God help you if you have overdeveloped incident handling procedures and have to spend weeks writing reports and answering questions to your boss, legal, the feds, the customers, and upper management.
No compromise is small, no attacker benign. Like there is an opportunity cost to be considered when undertaking a new effort, there is an incident cost that is the cost of handling, and the risk of compromise. Security is a weak link system, and you never know where the big incidents come from.
I know I responded to a troll, I won't pass go and I'll go get the 200 lashes with CAT5.
Spyder
HTH, HAND.
>Why can't the same thing be applied to wireless?
Or better yet why aren't vendors doing this on their APs? All these companies are targeting the home market, they should make things *gasp* easy.
Sure there are standards to consider, but considering what a mess WEP is, it's surprising to see that there's no big movement (or is there?) to repair it. Sure Cisco's method of filtering out weak IV packets is nice, but is anyone else going to pay to use their patents?
I'm expecting, or perhaps hoping, that by the time 802.11g hits critical mass there will be an easy and secure encryption method standard on most of the equipment, especially for home buyers.
The industry should learn from 802.11b. It was new-ish, a huge gamble, and the WEP protocol was known to be weak. Now that wifi is as common as it is, perhaps we'll be seeing 802.11b being phased out because of its slow speed and security problems and being replaced by a more mature 802.11g standard.
It's not even the correct search. Every result of that google search was some form of cellular triangulation, not 802.11 (Since they improperly searched for WAP, which is a protocol for cellular services.)
Interesting results, but completely offtopic and noninformative regarding the original question.
It is possible to triangulate access points, although most software I've seen to do it uses signal strength interpolation instead of triangulation. Kismet - http://www.kismetwireless.net/ is able to do this if enough signal strength data is collected. (Or more specifically, the "gpsmap" tool that comes with Kismet.)
Nope. SSID is strictly a wireless thing, and has nothing to do with the definition of LLC. 802.3, for example, doesn't know anything about SSIDs.
a 56-bit key was really a ~26-bit key
Wrong again: it's a 64-bit key with 24 bits for the Initialization Vector, leaving 40 bits of actual encryption. I think you are confusing this with 56-bit SSL. Likewise, 128-bit WEP is 104 bits + 24 bits IV.
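The WEP key-size point in Spyder's post and the correction above (64-bit = 40 secret bits + 24-bit IV, 128-bit = 104 + 24), worked through as an added example that is not code from the thread: it maps the advertised label to the real layout, and then sizes how quickly two frames are expected to share a 24-bit IV, which is why more traffic weakens WEP regardless of key length. It assumes IVs are drawn uniformly at random, the most favourable case for the defender; firmware that uses counters or weak IV schedules repeats sooner.

```python
"""WEP key layout and 24-bit IV reuse, as an added example (not from the thread).

Shows why the "64-bit"/"128-bit" labels hide a 24-bit IV, and how quickly two
frames are expected to share an IV. Assumes IVs are drawn uniformly at random,
which is the most favourable case for the defender; counters or weak IV
schedules in real firmware only make reuse happen sooner.
"""
import math
from typing import Tuple

IV_BITS = 24                      # per-frame Initialization Vector, sent in clear
IV_SPACE = 2 ** IV_BITS           # 16,777,216 possible IVs


def wep_key_layout(label: str) -> Tuple[int, int]:
    """Split an advertised WEP strength into (secret key bits, IV bits).

    Accepts the marketing label ("64", "128") or the true secret size
    ("40", "104"); anything else is rejected rather than guessed.
    """
    advertised = {"64": 40, "128": 104}
    secret = {"40": 40, "104": 104}
    label = label.strip().lower().replace("-bit", "").replace("bit", "")
    if label in advertised:
        return advertised[label], IV_BITS
    if label in secret:
        return secret[label], IV_BITS
    raise ValueError(f"unrecognised WEP key label: {label!r}")


def iv_reuse_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` random IVs collide."""
    if frames <= 1:
        return 0.0
    if frames > iv_space:
        return 1.0          # pigeonhole: more frames than IVs
    # log P(all distinct) = sum log(1 - i/N); summed in log space so large
    # frame counts do not underflow.
    log_no_collision = sum(math.log1p(-i / iv_space) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


def frames_for_reuse_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Smallest frame count at which the collision probability reaches p."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    # Birthday-bound closed form as a starting point, then refine exactly.
    n = int(math.sqrt(2 * iv_space * math.log(1 / (1 - p))))
    while iv_reuse_probability(n, iv_space) < p:
        n += 1
    while n > 1 and iv_reuse_probability(n - 1, iv_space) >= p:
        n -= 1
    return n


if __name__ == "__main__":
    for label in ("64", "128"):
        secret, iv = wep_key_layout(label)
        print(f"WEP {label}-bit: {secret} secret bits + {iv}-bit IV")
    n50 = frames_for_reuse_probability(0.5)
    print(f"50% chance of an IV repeat after {n50} frames")
    print(f"IV repeat probability after 20000 frames: {iv_reuse_probability(20000):.4f}")
```

A few thousand frames is seconds of normal traffic on a busy access point, so key length is not the lever that matters here; the tunnelling and VPN-gateway advice elsewhere in the thread is.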
I'd highly dispute this for a few reasons. I've worked in a few large companies (> 5000 employees) and here are a few reasons why this is an issue for someone that cares.
1. People are lazy - They will use easy to guess passwords most of the time, especially developers. Not to slam them, but since they tend to set things up quickly, often for testing, they take the easy way out. Since they are not audited as much as admins, they aren't as strict.
2. Passwords don't get changed - Systems get complex, people change, people are lazy (#1) and so passwords don't get changed that often. EVEN ON CRITICAL (Sales, Finance) systems. People don't like change and I constantly see passwords that have been in use for years, including admin passwords. Try to change them and people scream.
So, find an access point then search Monster and Dice for ex employees. How much do you think it would take for them to drop you a password? How many disgruntled GE/M$/Oracle/etc. employees are out there?