Slashdot Mirror


AirTraf 802.11b Security Package

An anonymous reader writes "Being ignorant of network vulnerabilities is a happy condition for only so long. Ignorance is bliss, right up until someone with rogue access drives away with your company secrets. This article covers information about AirTraf, an open source package, which performs a number of tasks, such as determining the Service Set Identifier of the access points, and the channel it is operating under. It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information. The least of your fears should be the leeching of your Internet connectivity. Industrial espionage is a growing reality that you must confront."

16 of 153 comments

  1. Its a very very simple equation by override11 · · Score: 2, Informative

    Wired Cat5e = Secure
    Wireless 802.11(a,b,g) = insecure

    I have cracked 'secure' WEPs in a matter of hours, and the more traffic going over the network, the easier it is. All you need is about a gig of traffic, and blamo, WEP key in shining black letters right in front of you. I'm sorry guys, beaming a signal through the air is not secure (as shown by the amazing security from the satellite TV companies, I think we have all had an H card at some point, or other variants)

    The only problem I have ever had with wired lines is bad planning. Providing you know where your workstations are going to go, and how you plan on growing, wires are just fine and MUCH faster!! :)

    --
    No I didn't spell check this post...
    1. Re:Its a very very simple equation by s20451 · · Score: 4, Informative

      The flaw is not in the medium, it's in the protocol. Many organizations have pointed this out. The IEEE wanted to make key distribution easy, so in a system where the administrator is not absolutely on top of everything, it's very easy to learn the key and crack the network. A point-to-point, RSA encrypted wireless link should theoretically be as difficult to crack as a wired link, if designed properly.

      --
      Toronto-area transit rider? Rate your ride.
    2. Re:Its a very very simple equation by kruczkowski · · Score: 2, Informative

      Paranoid people at the government say that CAT 5 is insecure and use fiber for all the connections.

      --
      hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
    3. Re:Its a very very simple equation by stacko · · Score: 3, Informative

      This is simply not true.

      First, you can create a secure wireless network. It's complex, and requires a fair amount of kit, but you can do it. The basic premise is to avoid giving an attacker enough data encrypted with the same WEP key--i.e. rotate your keys frequently. There are several options to do this: EAP/TLS, LEAP, and PEAP to name three. Set your key rotation frequency to 3600 seconds, and you're pretty much set. If you have APs that support EAP/TLS, there is an open source solution.

      OTOH, find an out-of-the-way conference room with an open wired port and you're off to the races. For the longest time the default shipping configuration for Cisco switches came with all ports in monitor mode, allowing you to sniff away. (Fortunately, this appears to no longer be the case.)

    4. Re:Its a very very simple equation by ConsumedByTV · · Score: 1, Informative

      No, you're wrong. You cannot create a secure WiFi network. If you can't even secure the first layer, you're screwed.

      Tell me, do you know what wifi network you're on when you're on it?

      You know the SSID, but what channel?

      You can layer cruft on top and pretend it's secure but when I can send a disconnect to your wifi clients and have them associate with my rogue network, I own your ass.

      Did you pay attention at the black hat briefing last year?

      Your real network is on channel 6.

      I can mirror your wavesec setup, make a gateway that accepts any wepkey (LEAP, PEAP and EAP/TLS setup).

      With how wifi cards join networks, you join mine when I disconnect you.

      Your client will go to channel 7,8, etc until it finds a network that is correct.

      Combine that with my rogue AP and guess what?

      Now your users trust the monitored and owned (upstream) wifi network!

      Good job!

      --
      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    5. Re:Its a very very simple equation by stacko · · Score: 3, Informative

      Ok, let's take EAP/TLS.

      EAP/TLS requires that you have PKI in place. To deploy it, you have to set up a CA. Presumably anyone worth their beans will have used a secure connection to distribute the root certificate and client keys to the wireless users.

      The authentication process verifies that both the client and the server are who they claim to be using certificates. If someone tries to forge packets, say with a rogue AP, they won't know the authenticator's secret key and thus the client will reject the connection.

      How does your exploit pretend to be the real AP and authenticator if it doesn't know the correct secret key, or can't fake the CA chain? Welcome to the world of asymmetric cryptosystems!

      If you're not familiar with EAP/TLS, a quick google comes up with a whitepaper from Cisco. It covers the concepts of PKI, CA, etc.

      If you can defeat 1024 bit PKI, then I think there are much more profitable things to hack aside from WLAN!

    6. Re:Its a very very simple equation by ConsumedByTV · · Score: 2, Informative

      Assuming that your clients ARE never allowed to click "accept anyway?" when it comes to SSL certs.

      You might be correct.

      I think that this is *more* secure than something as simple as just WEP. But with that said, I think you really should check out the black hat demo from last year.

      The point is that the client chooses to associate with the rogue network.

      I am not talking about breaking 1024bit PKI, that's foolish. I am talking about breaking the implementation that involves humans.

      If I can get a client to send me the right information, I can then pretend to be the client when I talk to the real server.

      Makes sense?

      --
      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  2. Re:Wireless security by illusion_2K · · Score: 3, Informative

    Use IPSec, or some other VPN technology. They seem to fix the problem pretty well.

  3. Re:triangulation by killthiskid · · Score: 4, Informative
  4. air traf's site by ih8apple · · Score: 3, Informative

    Since no one else linked to it: AirTraf's web site

    Also, This link goes to Elixar, the AirTraf project team's new company.

  5. WEP = Weak Encryption Protocol by Bowie+J.+Poag · · Score: 4, Informative

    WEP is a miserable encryption algorithm. It can be brute-forced within hours, or passively within a day or two. Simply having WEP enabled on your access point is *no* guarantee whatsoever that your data is secure.

    Now, having everything SSH tunnelled and then wrapped in a flaky WEP crust, that's different... But WEP for 802.11(x) makes about as much sense as a bicycle for a mermaid.

    --
    Bowie J. Poag

  6. No Go for Prism2 + HostAP by Lumin+Inverse · · Score: 2, Informative
    Here's what I get with my DWL-650 Prism2 based card:
    KOS-MOS:/home/linverse/temp/airtraf-1.0/src# airtraf

    Airtraf 1.0.0 (c)2001,2002 Elixar, Inc.
    Mode: sniffing server
    Author: Peter K. Lee All Rights Reserved

    You have (1) wireless devices configured in your system
    Found wlan0: IEEE 802.11-b on IRQ: 3, BaseAddr: 0x0100 Status: UP
    Using Driver: (hostap_cs)
    Filename: /lib/modules/2.4.20/pcmcia/hostap_cs.o
    Author: "SSH Communications Security Corp, Jouni Malinen"
    success: above driver's compatibility verified!
    Do you wish to enable monitor mode for your interface at this time? [y|n] y
    error: HostAP monitor mode incompatible with AirTraf at this time...

    Bummer
  7. 3 simple steps to improved wireless security by Anonymous Coward · · Score: 3, Informative

    1) Terminate your wireless AP outside your network
    2) Use strong VPN software to access your network
    3) Only allow the AP to talk to the VPN box

    So what's the result?

    - no WEP problems
    - nobody on wireless is inside your network
    - nobody can steal access

    It's certainly the only sane response I've seen. Other than, of course, "Don't allow wireless at work" which is rapidly becoming the standard.

  8. Re:Growing reality ? by hpa · · Score: 2, Informative

    That might be the case for the Tu-144, but the Soviet lunar project was hardly a copy of the Apollo. They were, after all, trying to get there before the U.S. (although they didn't succeed.) It had some very different attributes, and was derived from the Soyuz program.

    Buran certainly was, ahem, heavily inspired by the U.S. space shuttle, but was different in some ways -- for one thing it was intended to be able to operate without any crew.

  9. Re:Growing reality ? by hughk · · Score: 2, Informative
    Ahem, Buran was only flown without crew because the life support system wasn't ready. It was always intended to be flown with a crew in normal service. What was interesting and very non-Shuttle-like was the ability

    The word about the Tu144 is that the Concorde prototype plans that were acquired by the Soviets contained some deliberate mistakes (an old engineering trick) and these led to the crash.

    The Russians did have some very good copies of the VAX 11/780 though, running VMS. It was only through an almighty balls-up by Digital that they lost their advantage after the end of the Soviet Union. HP did well out of Digital's mistake.

    --
    See my journal, I write things there
  10. The Casual /.ers's guide to 802.11(a,b,g) Security by Spyder · · Score: 3, Informative

    The creds: I'm an infosec goon for a big faceless corp that is pretty paranoid about being hacked.

    OK here we go:

    All you need to get 802.11b (or whatever) working is an access point and a host. The Logical Link (from that OSI model in the first chapter of the MCSE book you never read) identifiers consist of the ubiquitous MAC address and an SSID. All the client needs to do to connect is specify a valid SSID to the access point in question, voila, free porn on somebody else's dime. Here's the thing, 802.11b access points broadcast their SSIDs.

    Some stodgy buggers thought that this kinda sucked, so they decided to wave the magic encryption wand over the system. What they got was the (in)famous WEP, Wire Equivalency Protocol, or Wireless Encryption Protocol, depending on if you started messing with this before 2001 or not. This stuff comes in 2 main flavors, 56-bit and 128-bit. Two problems with WEP came up round about 2001. First, the key generation algorithm was flawed, and a 56-bit key was really a ~26-bit key, a 128-bit key was really a ~98-bit key. Second, because of the nature of the system it is very easy to gather enough data to perform differential cryptanalysis (aka extracting the keys from a bunch of traffic based on how they are encrypted). Detrimental to all hope us poor white hats had of keeping our systems safe, AirSNORT was released, allowing even the cryptographically challenged intruder to compromise the best access points.

    Security for the wireless:

    Most commercial access points will allow at least some of the following:

    Turn off SSID broadcast, this helps, unless the intruder can see a user connecting for the first time, when the client broadcasts the SSID to gain access.

    Specify allowed MAC addresses, this also helps, but all an intruder has to do is change the MAC of the intruding interface, and get on while a client isn't on.

    Stuff only a few vendors do:

    Use 256-bit encryption, this is pretty good, but only works with compatible cards and drivers. It can also still be cracked by a determined attacker using AirSNORT, (ok, ok a very determined attacker with some form of supercomputer, but hey there's No Such Agency with that kind of equipment).

    Cisco has tech called LEAP, which will do cool things like rotate keys on a 5 minute basis. It is unlikely that an attacker using AirSNORT will get sufficient information to crack the key before it's changed. It'll do some other cool stuff, but I'm not a Cisco rep, so I won't recite the product manual.

    A "Best Practice" with wireless is to do some or all of the above, and attach the access point to the outside interface of a VPN gateway. The theory on this is to treat the wireless network like any other external connection.

    Now why, if I'm doing all this stuff to secure my network, do I do a Wireless Site Survey at least quarterly at my major sites? Well, because people like easy, and people like to do it themselves. I'm most concerned about someone setting up a combo firewall/access point on my network. The best way to find rogue access points is to play marco polo with a laptop and a directional antenna (if you want good info on that stuff, talk to a friendly neighborhood HAM operator, but a coffee can works pretty well in a pinch).

    Stuff you should know about site surveying:

    Get a good card, preferably one with an external antenna input. See what you can do about getting the right antennas for this kind of thing.

    The tool du jour for this is called Kismet. It does not have all the key cracking kung fu of AirSNORT, but it makes finding the access point pretty easy.

    Have your policy in hand for the confrontation with the owner of the rogue access point, wield it with BF&I (Brute Force and Ignorance).

    Good luck and happy hunting,

    --
    Spyder
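Two of the thread's concerns, ConsumedByTV's mirrored corporate SSID on a neighbouring channel and Spyder's quarterly hunt for do-it-yourself access points, come down to the same defender's check: compare what a survey pass sees against an inventory of sanctioned APs. Here is an added example of that check (not code from the thread, from AirTraf or from Kismet); the inventory, the locally administered BSSIDs and the scan records are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    bssid: str        # AP MAC address as seen in beacons
    ssid: str
    channel: int
    signal_dbm: int   # stronger (closer to 0) means nearer the surveyor

# Constructed inventory: BSSID -> (SSID, channel) of every sanctioned AP.
AUTHORISED = {
    "02:00:00:aa:bb:01": ("corp-wlan", 6),
    "02:00:00:aa:bb:02": ("corp-wlan", 11),
}

def classify(obs, authorised=AUTHORISED):
    """Return a finding label for one observed AP, or None if it is expected."""
    known = authorised.get(obs.bssid.lower())
    if known is None:
        if obs.ssid in {ssid for ssid, _ in authorised.values()}:
            # Our SSID from a MAC we never deployed: the mirrored-network case
            return "rogue: unknown BSSID advertising corporate SSID"
        return "rogue: unknown AP"
    ssid, channel = known
    if obs.ssid != ssid:
        return "authorised BSSID announcing unexpected SSID"
    if obs.channel != channel:
        # A real AP reconfigured, or someone cloning its BSSID on another channel
        return "authorised AP on unexpected channel"
    return None

def survey_findings(observations, authorised=AUTHORISED):
    """Map each anomalous BSSID to its finding, strongest signal first."""
    findings = {}
    for obs in sorted(observations, key=lambda o: o.signal_dbm, reverse=True):
        label = classify(obs, authorised)
        if label:
            findings[obs.bssid] = label
    return findings

# Constructed scan: what one survey pass might record.
SAMPLE_SCAN = [
    Observation("02:00:00:aa:bb:01", "corp-wlan", 6, -52),
    Observation("02:00:00:aa:bb:02", "corp-wlan", 11, -70),
    Observation("02:00:00:de:ad:01", "corp-wlan", 7, -45),  # mirrors our SSID
    Observation("02:00:00:de:ad:02", "linksys", 1, -80),    # DIY AP in a conference room
]

if __name__ == "__main__":
    for bssid, finding in survey_findings(SAMPLE_SCAN).items():
        print(bssid, finding)
```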