Slashdot Mirror


Wi-Foo: The Secrets of Wireless Hacking

prostoalex writes "Wireless LANs seem to be enjoying a tremendous amount of interest lately, if you judge by the number of book covers and articles written on the topic. It's no wonder that this year the sales of WLAN equipment will grow 20% and generate $2.1 billion - everyone seems to be installing a wireless network in their office, their apartment complex or their own backyard. By extending the network into the radio world, one also extends the opportunities for unwelcome visitors to become part of that network. This book is a hands-on guide to hacking wireless networks, followed by the recipes and principles for protecting WLANs." Read on for the rest of prostoalex's review of Wi-Foo.

Wi-Foo: The Secrets of Wireless Hacking
Author: Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky
Pages: 608
Publisher: Addison-Wesley
Rating: 9
Reviewer: Alex Moskalyuk
ISBN: 0321202171
Summary: Complete guide to wireless attack and defense

Wi-Foo requires a certain level of expertise, and it's unlikely that the book will be sold left and right or that everyone will want a copy. First of all, to do anything substantial you need to have a Linux or FreeBSD operating system installed and know your way around it. Second, some knowledge of Perl is required to go through the script source code and make use of the occasional tools that appear on the Internet. The third required bit of knowledge is some familiarity with how wireless networks work and how one can take advantage of those radio waves that happen to carry pieces of data.

The authors claim that one has little knowledge of wireless security unless he's done some war-driving. So, skipping the first two chapters (which talk about security in general), chapters 3, 4 and 5 take the reader through the hassle of setting up the Linux laptop with all the hardware and software needed to do successful war-driving. The last time I reviewed a book on getting wireless to work with Linux, you guys kept asking what card would work the best with a Linux laptop. To quote p. 28 of Wi-Foo, "if you're serious about 802.11 penetration testing, you should get a decent Prism chipset card. If you plan to base your security audit effort around the BSD platform, you probably cannot do without it. Prism chipset CF and PCMCIA cards are known to be produced by Addtron, Asante, Asus, Belkin, Buffalo, Compaq, Demark, D-Link, Linksys, Netgate, Netgear, Proxim, Senao, SMC, Teletronics, US Robotics, Zcomax and ZoomAir."

What follows could essentially be condensed into a single Web site with links to various Linux tools for network discovery, traffic analysis, encryption cracking, 802.1x cracking, frame generation and traffic injection. Kudos to the authors for providing, in places, detailed instructions on setting up each utility and getting successful results out of it -- it's obvious that they did not just peruse the Web for what's available and provide a list of URLs; they installed, tested and reviewed all the Linux network security utilities listed in the table of contents. Since many of the products and tools listed complement one another, it was useful for me to see the professionals' take on the advantages and disadvantages of the free tools out there. Wherever possible, the authors try to stick with free software, which makes the book a pretty useful guide for most enthusiasts.

The authors are serious about getting the reader to war-drive at some point, and chapter 8 specifically talks about generating wireless denial-of-service attacks as a last resort for a cracker who is in a bad mood because other methods of wireless penetration did not work. The book talks about antenna amplifiers and some hardware you might buy to be more successful in wireless hacking. They also discuss the possibilities of war-biking, war-walking and riding a hot air balloon.

By the time you're finished with chapter 9, if your title includes words like "security" or "administrator," you will probably find yourself quite perplexed. That's where Part 3 (Defense) kicks in, as the authors discuss countermeasures against wireless cracking and the steps one can take to secure a wireless network. It's not the typical don't-use-WEP-don't-broadcast-your-ID-don't-rely-on-MAC-filtering preaching one can find in security manuals created for the home user (I am not saying those are bad -- for a home user they do provide the necessary guidance for securing a WLAN). This is mostly industrial-level security, which might include multiple levels of protection, such as an 802.11i implementation, encryption around the wireless networks, hardware Linux-based gateways, VPNs and intrusion detection systems. Setting up honeypots is missing from this list, although one can debate whether that is a worthwhile project outside of the academic world.

The book uses clear language and is easy to read. At the same time it takes a while to go through it, as you keep trying out the presented solutions on your Linux laptop. The chapters that talk about the philosophical decisions involved in securing wireless LANs are helpful as well -- the authors occasionally step away from the hands-on approach and talk about general principles to consider. Code examples are easy to follow, and every tool presented in the title is accompanied by a URL (for some reason Addison-Wesley did not include a CD with Wi-Foo); a large number of them point to sourceforge.net. All the links are available on the book's Web site; see the attack and defense sections.

If you should decide to take up a career as a wireless security consultant, Appendix G includes a variety of checklists and templates that the authors recommend for the corporate environment. Chapter 8, "Breaking Through," is available for free in PDF format. Overall I liked this book a lot. It seemed to concentrate on what's necessary without going into fluff and chapters like "History of radio" or "Linux on laptops for beginners." It's informative and easy to read; if you're an enthusiast, try out the free chapter and see if you like the authors' style, but if you're a network admin or security professional, this book is almost a must. It's a combo of Exploiting Software and Hacking Exposed with a specialization in wireless LANs.



  1. unwelcome visitors by dncsky1530 · · Score: 3, Interesting

    you can always not broadcast your wlan name and set a password, it works against most people. And on the other end you can always use KisMac or KisMet

    1. Re:unwelcome visitors by garcia · · Score: 5, Interesting

      Run everything over encrypted tunnels. Yeah it may be a performance hit but I'd rather not run the risk of an easy snoop.

      What we need is a book for router manus that teaches them how to not enable default SSIDs and admin passwords for wireless networks. My neighbor would probably thank them.

    2. Re:unwelcome visitors by drinkypoo · · Score: 1

      Run everything over encrypted tunnels. Yeah it may be a performance hit but I'd rather not run the risk of an easy snoop.

      This is exactly what I do, I set up PPTP VPN with 128 bit encryption and forced encrypted passwords. I used PPTP so I could support Win98 clients, but I'm getting ready to get ipsec going too. I don't bother with WEP but I do use MAC whitelisting - sure you can spoof 'em but it will keep the casual lusers away.

      Also it doesn't have to be a performance hit but if it isn't it's going to be a wallet hit. You can get crypto accelerator cards and use them in assorted operating systems including Linux. Linux uses pluggable crypto stuff from the kernel so if you have a crypto card in theory it ought to be used automatically, provided you're using an appropriate cipher, but I really don't know for sure what I'm talking about because I don't have a spare fifty bucks to blow on a crypto card. Besides, a $50 processor upgrade (at least when specifying a new system) will probably do almost as much good and will help with other things.

      I would think that other free Unixes would do the same sort of thing, but I know even less about them :)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. That makes a good quote by Lord+Grey · · Score: 4, Funny
    Neo: "I know Wi-Foo."
    Morpheus: "Show me."
    --
    // Beyond Here Lie Dragons
    1. Re:That makes a good quote by Anonymous Coward · · Score: 5, Funny

      Boy: Do not try and hack the AP. That's impossible. Instead only try to realize the truth.

      Neo: What truth?

      Boy: There is no password.

      Neo: There is no password?

      Boy: Then you'll see that it is not the password that's exploitable, it is yourself.

    2. Re:That makes a good quote by Anonymous Coward · · Score: 1, Funny

      Actually, no, it doesn't.

    3. Re:That makes a good quote by shigelojoe · · Score: 5, Funny

      Neo: What are you trying to tell me? That I can dodge packet collisions?

      Morpheus: No, Neo. I'm trying to tell you that when you're ready, you won't have to.

      ...

      I think I just lost the Matrix quoting competition. :C

  3. Greeeat by TaintedPastry · · Score: 4, Interesting
    Now the two who replied first can figure out how to bust into my home network, just what I need.

    Of the few exploit/hacking books I've read they seem more like "This is how much I (the author) know, that you don't" instead of informative, factual exchange of security-minded information.

    I may jump on this one, if not just to see if they laid the hubris on heavy this time...and, well, also because of the simple fact that the future is going to be completely wireless.

    1. Re:Greeeat by wakejagr · · Score: 1

      "I may jump on this one"
      Same here. It isn't too often that a Linux/*BSD book comes along that I will actually buy. Usually, anything F/OSS related can be found online, or in one of the bigass "sysadmin bible" type books I bought when I first got into Linux. However, wireless is one area that isn't too well covered in my bigass books, and it might be nice to have all this info in one place. I could probably find a lot of this online, but it's always good to have a starting point that doesn't require that my network is working. Makes even more sense if your network is wireless ;)

      --
      Don't save Windows XP! http://www.petitiononline.com/jjw1xp/petition.html
    2. Re:Greeeat by gl4ss · · Score: 1

      the future is going to have a lot of free radio frequencies?

      --
      world was created 5 seconds before this post as it is.
  4. home based wireless lan's by Stypen · · Score: 2, Insightful

    WEP.. simple, easy, mostly effective.

    --
    Opportunities of a lifetime must be seized within the lifetime of the opportunity. - Linda Ravenhill
    1. Re:home based wireless lan's by Anonymous Coward · · Score: 5, Funny

      *snort*

      More accurately...

      *AirSnort*

    2. Re:home based wireless lan's by storl · · Score: 4, Informative

      WEP by itself sometimes is not enough, especially if you transfer a lot of data through your wireless network in a heavily congested wireless area. Someone can sit outside and analyze the collisions and deduce your key (I believe that's how it works). If you combine high-level WEP with MAC protection and do not broadcast your ID, the vast majority of people will not be able to get onto your network. Luckily, these three things are relatively easy to do if you RTFM. Changing your key every now and then is a good idea too. Of course, there is always the slashdot crowd to prove me wrong...

    3. Re:home based wireless lan's by Anonymous Coward · · Score: 1, Interesting

      This is all enough :). Since the normal user only does some internet surfing and maybe editing a document and no real mass traffic via WLAN, this should be ok.

    4. Re:home based wireless lan's by Smallpond · · Score: 1

      WEP is so insecure it is being replaced by WPA + RADIUS. WPA can change 256-bit keys every 50 minutes to eliminate cracks by programs like Airsnort. RADIUS gives you central admin instead of having to change a key on every device manually. Cisco LEAP uses a separate one-time key for each session, which seems pretty secure.

    5. Re:home based wireless lan's by bugnuts · · Score: 4, Insightful

      The issue with WEP is that there are predictable packets where you can slowly derive information, and eventually obtain complete key recovery, and increasing the keylength only increases the difficulty LINEARLY, not exponentially.

      Normally when you add a single bit, it doubles the time for brute force attacks. Instead of being TWICE as difficult when going from 40 to 41 bits, it's only 1/40'th more difficult.

      You need to collect about 2GB of data to recover a 104 bit key, on the average.

      Now... that all said, it's arguable that if you even use a 40 bit key that you are proclaiming your network PRIVATE, where unauthorized use is actually a criminal offense. In other words, any use of it requires actually attacking the network, not just turning on your computer, which typically meets or surpasses any implied consent requirements. You will discourage anyone that wants to "ethically" borrow wireless by setting a WEP key.

      It's kind of like locking your screen door. It's easy to get past, but pretty obvious it's breaking and entering.

      If you're interested in providing an open network but with a "I won't break your network or the law" agreement, check out NoCat.

    6. Re:home based wireless lan's by bugnuts · · Score: 1

      Not true... internet surfing gives lots of data to analyze. And since the key will likely be the same forever, it should be easy to collect enough to analyze.

    7. Re:home based wireless lan's by Darth_brooks · · Score: 3, Interesting

      From Airsnort.shmoo.com: AirSnort requires approximately 5-10 million encrypted packets to be gathered.

      Wanna tell me how you're gonna grab 5 million packets (not counting SSID broadcasts) from a single network whilst wardriving? You need quite a few users going for a long time to generate that much traffic.

      Yes WPA is better, and it's nice to see it becoming a standard. But despite the FUD, WEP is not some disgustingly horribly insecure protocol that's gonna get hacked in 15 seconds by any script kiddie with a wifi card. It takes a *long-ass time* to gather the amount of data needed to crack WEP. There's far easier ways into a network. But then again, it's so much fun to play baby seal and arp away about WEP totally sucking ass.

      Try a capture on a home network and see how long it takes. My own net is four machines, including two always-on boxes. It still takes days to generate enough traffic to make an attempt at cracking WEP.

      For home (house) use, 128-bit WEP will work just fine. For office environments or apartment buildings, you should still crank things up a notch with MAC whitelisting etc.

      --
      There are some people that if they don't know, you can't tell 'em.
    8. Re:home based wireless lan's by bbdd · · Score: 2, Insightful

      i agree with the parent, and i found these comments to be very interesting. if you are up to date on firmware patches, wep might be enough for you.

      if you are trying to protect missile launch codes, i might look elsewhere, but for day-to-day crap...

    9. Re:home based wireless lan's by g_kos · · Score: 4, Informative

      You are not entirely correct, it is possible to inject the traffic into the wep protected network. besides, it is even possible to portscan the machines on the wep protected networks. e.g. http://sourceforge.net/projects/wepwedgie/

    10. Re:home based wireless lan's by g_kos · · Score: 2, Informative

      Joshua has released a tool to "recover" leap passwords a year ago...

      http://asleap.sourceforge.net/

    11. Re:home based wireless lan's by AK+Marc · · Score: 4, Insightful

      WEP by itself sometimes is not enough,

      Sure it is. Unless you have specific enemies, or you are next door to someone that has nothing better to do than try to illegally break into your network (not too bright to commit a federal felony just to save a little on the cable modem bill), then WEP is more than enough. Sure, it isn't unbreakable. But it will get anyone mobile looking to get free access or check out someone's computers to move down the block to the unencrypted one.

      Your security doesn't have to be foolproof. It just has to be good enough so that the people looking to break in move to the next target.

      with MAC protection

      Uh, speaking of poor security, it takes all of one captured packet to defeat this. Find the MAC of a card that is on the network (in the headers, easy to get), and manually set your card to that MAC. You'll run into fewer problems if you don't try to get on at the same time they are on, though. Again, that will only keep out the stupid and uncommitted, and can be cracked with inspection of a single packet. For something so utterly useless compared to even the flawed WEP, I'm surprised it even made your list. I don't know of a single person capable of cracking WEP that wouldn't get through your MAC filter in less than 30 seconds (and that's people capable of breaking WEP, not just people who say they've seen some tool available somewhere that may capture packets or something).

      Oh, and even if you don't broadcast your SSID, it is included in the packets. There are tools that will scan more than just the beacon packets and will be able to pull the SSID out. Again, someone that knows what they are doing will be much more inconvenienced by WEP than all the other things you mentioned combined. Sure, it improves security. It's like locking the door handle when you have already locked the deadbolt. If someone can defeat a deadbolt, they can easily defeat the handle lock as well.

      Of course, there is always the slashdot crowd to prove me wrong...

      Not prove you wrong. You are right. It is harder to break into a network that also has MAC filtering enabled and SSID broadcasts disabled. But, even as easy as it is to set up, even easier to break those than it was to set them up (assuming that someone capable of cracking WEP is moderately familiar with the concepts). So, though correct, I'd put it in the FUD category.

    12. Re:home based wireless lan's by Matje · · Score: 1

      Just for my understanding: wouldn't bypassing a MAC filter or eavesdropping on the SSID be illegal as well? If bypassing WEP is illegal, this stuff is too right?

    13. Re:home based wireless lan's by AK+Marc · · Score: 1

      Eavesdropping on the SSID would not be illegal. It is being broadcast. You have to take no special steps to read or understand it. Just because they turn off the packets with no other real purpose than to broadcast the SSID does not mean that the SSID is not continuing to be broadcast.

      As for whether bypassing MAC security is illegal, that is for the courts to decide (and they will probably do so poorly, as they do with most technical issues). The SSID is an invitation to join a network. Pulling a MAC is not pulling an invitation, so it is different, but it is still taking unencrypted broadcasts being publicly transmitted and entering the information in your computer. By spirit, it should be illegal, but I don't think it has ever been officially decided.

  5. Not just wireless by caluml · · Score: 4, Informative

    As well as being experts in the Wireless field, they also run a very good InfoSec company. www.arhont.com. Highly recommended if you want the view that the black hats would have of your networks.

  6. Hmmmm...Packets by radiumhahn · · Score: 2, Funny

    My wireless router's breath smells like packets.

    1. Re:Hmmmm...Packets by radiumhahn · · Score: 2, Funny

      Ralph Wiggum, Network Admin.

  7. One word... by mi · · Score: 1
    IPSEC

    Windows, BSD, Linux -- whatever...

    --
    In Soviet Washington the swamp drains you.
    1. Re:One word... by Artega+VH · · Score: 1

      Why add that extra layer for most home users? I find its an absolute pain at university and couldn't imagine using it at home...

      A combination of WAP/WEP MAC address allow lists and not broadcasting the network name will keep pretty much everyone out. Why would someone bother breaking in when there are several open wireless networks on every street. (at least in my suburb)

      --
      groklaw, wired and slashdot. The holy trinity of work based time wasting.
    2. Re:One word... by Fuzzums · · Score: 1

      For what I know, IPSEC doesn't stop me from (ab)using your wi-fi internet connection.

      --
      Privacy is terrorism.
    3. Re:One word... by mi · · Score: 1
      For what I know, IPSEC doesn't stop me from (ab)using your wi-fi internet connection.

      You don't know enough -- it does. My NAT-ing gateway will not talk to you, nor will anything else on my network. You will not be able to read, what my network talks about, nor will you be able to use the Internet through my uplink.

      --
      In Soviet Washington the swamp drains you.
  8. Slow internet... by livhan28 · · Score: 4, Funny

    And my neighbor will never know...why his internet got so much slower the day i came home from college...

  9. Re:Bad Name by outsider007 · · Score: 4, Interesting

    Kung Fu is a martial art skill.
    Kung Foo is programming skill.
    Therefore Wifi Foo is skill at hacking/securing wifi networks.
    You overthought this one.

    --
    If you mod me down the terrorists will have won
  10. Re:Cracking a pswd by Anonymous Coward · · Score: 3, Funny
    If you have physical access to a Win XP machine that is on the wireless network how can you obtain the WEP pswd
    Type 'network'. If that doesn't work, open a browser window and type file:///c:/windows/system32/format%20c:/
    Man, you guys Rock! W00t!!! I'm gonna try this right n
  11. WPA-PSK? by Proc6 · · Score: 3, Informative

    With a really decently long key? I've not heard of any compromises of WPA-PSK yet. WEP yes, WPA no.

    --

    I'm Rick James with mod points biatch!

  12. Missing anything? by NEOtaku17 · · Score: 3, Interesting

    Steps to securing my WLAN:

    1. Change default router login password
    2. Enabled firewall
    3. Mac address filtering
    4. AES encryption with non-dictionary 15 character passphrase
    5. Disabled SSID broadcast
    6. Updated to latest firmware
    7. Disabled remote router login
    8. Enabled 802.11g only
    9. Updated to latest wireless network card drivers

    Am I missing anything really obvious?

    1. Re:Missing anything? by redwoodtree · · Score: 4, Informative

      Yes, a few things:

      * Change the Key monthly or otherwise periodically.
      * Even with all this, run encrypted protocols as much as possible SSH, SSL, etc. No clear text protocols
      * Run a monitor on your access point to monitor against your MAC Address filtering list, send a trap when an unknown Mac address connects. By definition if you have a Mac address allow list you should be able to do this easily.
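      The monitor described in the comment above, as an added example that is not part of the thread or of the book: a Python script that reads station connect/disconnect events from an access point, normalizes each MAC, compares it against the allow list and raises an alert for unknown addresses. The log lines and the allow list are constructed for the example (their shape is modelled on hostapd's AP-STA-CONNECTED / AP-STA-DISCONNECTED events, but the timestamps and addresses are made up). It goes one step beyond the comment by also flagging an allowed MAC that associates while it is already connected, since a cloned address is the failure mode of MAC filtering that other posters in this thread point out.

```python
"""Alert on station MACs outside an access point's allow list.

Added example, not code from the Slashdot thread or from Wi-Foo. SAMPLE_LOG
and ALLOW_LIST are constructed; the line format is modelled on hostapd's
AP-STA-CONNECTED / AP-STA-DISCONNECTED events but is not a real capture.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed access-point log: one allowed station, one unknown station,
# one allowed station re-associating while still connected, one junk line.
SAMPLE_LOG = """\
2004-09-14 21:03:11 wlan0: AP-STA-CONNECTED 00:0c:41:aa:bb:01
2004-09-14 21:05:40 wlan0: AP-STA-CONNECTED 00-0C-41-AA-BB-02
2004-09-14 21:09:02 wlan0: AP-STA-CONNECTED 02:13:ce:de:ad:01
2004-09-14 21:12:15 wlan0: AP-STA-DISCONNECTED 00:0c:41:aa:bb:02
2004-09-14 21:15:00 wlan0: AP-STA-CONNECTED 00:0c:41:aa:bb:01
2004-09-14 21:16:00 wlan0: garbage line
"""

# Constructed allow list, deliberately in mixed notation to show normalization.
ALLOW_LIST = ["00:0c:41:aa:bb:01", "00-0C-41-AA-BB-02"]

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+): (?P<event>AP-STA-(?:DIS)?CONNECTED) (?P<mac>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '00-0C-41-AA-BB-02' equals '00:0c:41:aa:bb:02'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_event(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, interface, event, mac) or None for lines that are not station events."""
    m = EVENT_RE.match(line.strip())
    if not m or not MAC_RE.fullmatch(m.group("mac")):
        return None
    return m.group("ts"), m.group("iface"), m.group("event"), normalize_mac(m.group("mac"))


def monitor(lines: Iterable[str], allow_list: Iterable[str]) -> List[Dict[str, str]]:
    """Walk station events and return one alert per suspicious association.

    unknown_mac           - the address is not on the allow list
    duplicate_association - an allowed address associates while already
                            connected, a weak signal that it has been cloned
    """
    allowed: Set[str] = {normalize_mac(m) for m in allow_list}
    connected: Set[str] = set()
    alerts: List[Dict[str, str]] = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # not a station event; ignore rather than crash the monitor
        ts, iface, event, mac = parsed
        if event == "AP-STA-DISCONNECTED":
            connected.discard(mac)
            continue
        if mac not in allowed:
            alerts.append({"ts": ts, "iface": iface, "mac": mac, "reason": "unknown_mac"})
        elif mac in connected:
            alerts.append({"ts": ts, "iface": iface, "mac": mac, "reason": "duplicate_association"})
        connected.add(mac)
    return alerts


if __name__ == "__main__":
    # In a real deployment the trap/notification would go here; the example prints.
    for alert in monitor(SAMPLE_LOG.splitlines(), ALLOW_LIST):
        print(f"{alert['ts']} {alert['iface']}: {alert['reason']} {alert['mac']}")
```

      The allow list is only as good as the address it trusts, which is why the duplicate-association check is worth having: it costs nothing, and it is the one signal this data source gives you when someone re-uses an address that is already on the air.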

    2. Re:Missing anything? by j1m+5n0w · · Score: 2, Funny
      Am I missing anything really obvious?

      10. A tin-foil hat?

      -jim

    3. Re:Missing anything? by g_kos · · Score: 1

      1. Change default router login password - wise thing to do, but will not help if your windoze box is accessible through the wireless.
      2. Enabled firewall - you forgot to mention that it has to be properly configured :)
      3. Mac address filtering - takes seconds to bypass, by sniffing the air.
      4. AES encryption with non-dictionary 15 character passphrase - are we talking about 802.11i ???
      5. Disabled SSID broadcast - NOT TRUE. the SSID is sniffable in the air
      6. Updated to latest firmware & 9. Updated to latest wireless network card drivers - what difference does it make if the flaw is in the standard itself.
      7. Disabled remote router login - well, not always works on every router, might still be configurable through SNMP, what stops from owning your windoze through wireless and finally strict source routing might help.

      apart from the above, it is a good attempt ;)

    4. Re:Missing anything? by ambit · · Score: 1

      Disable the router from serving DHCP.
      Assign yourself static addresses.

    5. Re:Missing anything? by mikewas · · Score: 1

      256 bit WEP? Only a couple of manufacturers support it.

      --

      "Glory is fleeting, but obscurity is forever." --Napoleon Bonaparte
    6. Re:Missing anything? by Anonymous Coward · · Score: 2, Interesting

      I did not use a passphrase to generate my WEP key. Instead I generated it as a hexadecimal string using a d20 (20 sided die found at hobbyist stores, used in the D&D family of role playing games). Each hexadecimal digit may be generated as follows:

      20 = 0
      1-9 = face value
      10 = A
      11 = B
      12 = C
      13 = D
      14 = E
      15 = F
      16-19 = re-roll.

      The advantage of this method is it produces a key that is immune to a dictionary attack as it is highly unlikely that any pass phrase corresponds to it. Every bit has an equal chance of being set or unset.

      Note -- do NOT roll a standard 6 sided die 3 times and add the result subtracting three. Although this does produce digits from 0-15, there is not an equal distribution. A 7 is far more likely than the combined odds of a 0 or F.
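      The die-rolling procedure above, as an added example that is not part of the post or of the book: Python that implements the d20 mapping with its re-roll step, checks that the accepted digits are exactly uniform, and computes the exact distribution of the "3d6 minus 3" method the poster warns against. The generator takes the rolls as an iterator so it can be driven by a physical die or, as in the script's own run, by the operating system's random source; `csprng_key_hex` is my addition showing the standard-library `secrets` module doing the same job without dice.

```python
"""Unbiased hex key digits from a d20 by rejection sampling.

Added example, not code from the Slashdot post or from Wi-Foo. It implements
the d20 rule given in the comment above and contrasts it with the biased
"roll 3d6 and subtract 3" method the poster advises against.
"""
from fractions import Fraction
from itertools import product
import secrets
from typing import Dict, Iterator, Optional

HEX_DIGITS = "0123456789ABCDEF"


def d20_hex_digit(roll: int) -> Optional[str]:
    """Map one d20 roll to a hex digit per the post's table, or None for a re-roll."""
    if not 1 <= roll <= 20:
        raise ValueError(f"d20 roll out of range: {roll}")
    if roll == 20:
        return "0"
    if roll <= 15:
        return HEX_DIGITS[roll]  # 1-9 face value, 10-15 -> A-F
    return None  # 16-19: rejected, roll again


def generate_wep_key_hex(n_digits: int, rolls: Iterator[int]) -> str:
    """Build an n-digit hex key from a stream of d20 rolls, discarding 16-19."""
    out = []
    while len(out) < n_digits:
        try:
            roll = next(rolls)
        except StopIteration:
            raise RuntimeError("ran out of dice rolls before the key was complete")
        digit = d20_hex_digit(roll)
        if digit is not None:
            out.append(digit)
    return "".join(out)


def d20_digit_distribution() -> Dict[str, Fraction]:
    """Probability of each digit given an accepted roll: every digit is exactly 1/16."""
    accepted = [d for d in (d20_hex_digit(r) for r in range(1, 21)) if d is not None]
    return {d: Fraction(accepted.count(d), len(accepted)) for d in HEX_DIGITS}


def three_d6_minus_3_distribution() -> Dict[int, Fraction]:
    """Exact distribution of (d6 + d6 + d6) - 3 over all 216 outcomes: far from uniform."""
    counts = {v: 0 for v in range(16)}
    for dice in product(range(1, 7), repeat=3):
        counts[sum(dice) - 3] += 1
    return {v: Fraction(c, 216) for v, c in counts.items()}


def max_bias_ratio() -> Fraction:
    """How much likelier the most common 3d6-3 value (7 or 8) is than the rarest (0 or F)."""
    dist = three_d6_minus_3_distribution()
    return max(dist.values()) / min(dist.values())


def csprng_key_hex(n_digits: int) -> str:
    """The modern equivalent of the dice: the operating system's CSPRNG via `secrets`."""
    return secrets.token_hex((n_digits + 1) // 2)[:n_digits].upper()


if __name__ == "__main__":
    sysrand = secrets.SystemRandom()
    simulated_die = iter(lambda: sysrand.randint(1, 20), None)  # endless simulated d20
    print("26-digit (104-bit) key from d20 rolls:", generate_wep_key_hex(26, simulated_die))
    print("d20 digit probabilities:", {d: str(p) for d, p in d20_digit_distribution().items()})
    print("3d6-3 value probabilities:", {v: str(p) for v, p in three_d6_minus_3_distribution().items()})
    print("3d6-3 most common / rarest value:", max_bias_ratio())
    print("same length straight from secrets:", csprng_key_hex(26))
```

      Rejecting 16-19 instead of mapping them onto something is what keeps the digits uniform: any rule that folds 20 outcomes onto 16 digits without discarding four of them must favour some digits, exactly as summing three d6 favours the middle values.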

    7. Re:Missing anything? by MsGeek · · Score: 1

      Also keep your WAP on a separate "real world" IP from the rest of your system. Thanks to DSL Extreme, I now have the ability to completely separate the wireless traffic from the wired traffic. If someone gets around these obstacles:

      * SSID broadcast OFF
      * DHCP OFF and static address in a non-obvious non-routable range (not 192.168.0.x, 192.168.1.x, 192.168.2.x or 192.168.254.x. Most routers default to these ranges and so does Windows Internet Connection Sharing)
      * MAC address whitelisting
      * WEP key

      all they'll get is the ability to piggyback on my connection. That's it. They will be on a different subnet to anything I care about. Knock yourself out, l33t b0i.

      (Note: this can be accomplished with some fancy routing and non-routing on a firewall box with two nics and a WAP. But this way is easier. And yes, I know that nothing is uncrackable.)

      --
      Knowledge is power. Knowledge shared is power multiplied.
    8. Re:Missing anything? by syukton · · Score: 1

      There are ways of changing a device's MAC address, aren't there?

      If the MAC address is the kind of information that you can glean from captured packets, then you might want to consider also cycling the MAC addresses of your devices on a regular basis as well. I mean, for the utmost in security. It depends, I suppose, on how much somebody wants to get inside your network and whether or not you know about it...

      --
      Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
  13. Re:wireless boosting? by bugnuts · · Score: 1
  14. Read mine for free by rworne · · Score: 5, Interesting

    I did something similar for my Master's Thesis.

    Mainly I looked at various tools and how effective they were. I also looked at setups in the surrounding neighborhood and pwn3d (with permission) the campus VPN via the wireless network.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  15. Re:Bad Name by AK+Marc · · Score: 1

    You must have missed out on all the americanisms. "Foo" has been coopted (with the misspelling) to mean skill, and must be combined with another noun. "Boy, she has some dance foo going." "He has some serious computer foo, he broke into that network like it was nothing." And of course, all the people that post stupid responses but get moderated up anyway have Slashdot foo.

  16. wep is secure? by 8400_RPM · · Score: 1

    I've been trying to hack wep for days in my test lab. With newer network cards, it seems wep is more secure than people give it credit for. After over 100million encrypted packets, I had 0 interesting packets....

    1. Re:wep is secure? by rworne · · Score: 1

      Firmware after early 2001 implements "weak key avoidance" or WEP+. I've collected from 16M to 20M packets and have not been able to crack a key although I've had plenty of interesting packets.

      Wanna try something fun? Use a 40-bit WEP key and try Newsham's attack, that's scary.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    2. Re:wep is secure? by rworne · · Score: 1

      Yes, but Prism firmware also has weak key avoidance as well. Proxim/Lucent just give it a cool-sounding name.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  17. Re:Bad Name by Agent+Green · · Score: 2, Funny

    And then there's B.A. Baracus of the A-Team...'cos he always pitied the foo'.

    --
    // Agent Green (Ian / IU7 / KB1JQO)
    // IEEE 802.3: All 10base Are Belong To Us
  18. Factory settings, gotta love 'em by glass_window · · Score: 3, Interesting

    As I sit here at my aunt's house, I am currently logged in via the friendly neighborhood linksys 802.11b router (BEFW11S4) complete with its default settings. I've been enjoying internet access all week and I thought I'd check to see if they at least changed the factory default settings and lo and behold I logged right in. It's good to know I can remove my mac address before I leave (just in case).

  19. Re:wireless boosting? by mrconnors · · Score: 1

    Depends on the brand of your router, but I have seen some really good performance out of the firmware at http://sveasoft.com/

    --
    Great spirits have always found violent opposition from mediocrities. - Albert Einstein
  20. Wireless Protected Access by el+americano · · Score: 1

    You should expect, with a name like Wi-Foo, that the author will try to mystify a rather simple topic. There's nothing here that isn't covered better on the Internet. The state of wireless hacking is sniffing obscured but open networks, compromising WEP, and compromising LEAP.

    Wireless Protected Access (WPA) with TKIP or AES is all you need to stop the author and any of his readers. Someone mentioned WPA-PSK - end of drama. [No weak passphrase, of course] If you have a RADIUS server running anyway, or need to serve a large pool of users, try WPA EAP-TLS. The real security issues faced by corporate wireless network administrators, such as rogue access points and other AP management issues, are better dealt with by books for security administrators, not wanna-be hackers.

    The free chapter is filled with vague, yet dismissive descriptions of non-existent PSK and TKIP attacks. In fact, the reader would have to surpass the author to learn how to really implement a man-in-the-middle attack, based on those "buy this hardware and use this software" descriptions. Use it how?! The obligatory reprint of the published WEP exploitation theory did not include any additional practical code. The rest, it seems, is left as an exercise for the reader, as it is everywhere else. How did this get such a fawning review?

    --
    Those are my principles. If you don't like them I have others. -Groucho Marx
    1. Re:Wireless Protected Access by el+americano · · Score: 1

      > It seems to me that you have not read through the book, just glanced through the free chapter and the table of contents, if you arrive at such conclusions.

      Imagine, basing my comments on the actual contents of the book. You have nothing to complain about here, I think. From what I've seen, I'm not going to waste my $35 for the whole book.

      > Pretty much every topic you can think of is covered on the Internet, so what?!

      Usually a book presents more and better organization than what is found on amateur websites. We disagree on whether this book is worth charging for.

      > How many APs have been sold in the world that do not support WPA? How many people who have such APs would buy a new one...

      We are presuming people who care about security, right? $60 for a WPA-enabled G access point is cheap. If we're talking about really old stuff, they'll want to upgrade from 802.11b anyway.

      > Suggesting a RADIUS server is OK for corporate users willing to spend $$$ on protecting the wireless infrastructure, but for home use of one AP and one client...

      I didn't say 1 AP and 1 client. For someone with a home network who is already running RADIUS, TLS is not a big overhead. Surely, someone with Wi-Foo like yourself would have no problem setting up FreeRADIUS and OpenCA.

      I hope I've been able to answer some of your questions, but if your position continues to be that I'm on drugs and you're not, then you should just ask yourself, what is the best wireless security that you have been able to defeat with your Wi-Foo? Oh, is that all? What does THAT tell you, Grasshopper?

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    2. Re:Wireless Protected Access by el+americano · · Score: 1

      > WEP looked pretty secure when it was just released.

      Excuse me, WEP was a known vulnerability even before it was released. WPA and RSN are looking forward to providing a sufficient number of years of protection before future processing power is able to defeat them.

      > Anyway, there was a fat report claiming that only 22% of WPAv1-enabled devices from different vendors can interoperate.

      I hadn't heard, but this was probably before Wi-Fi certification became so commonplace. Anything with a Wi-Fi logo supports WPA and is proven to interoperate with the major chipset manufacturers.

      > By the way, the TKIP-PSK key-from-passphrase generation algorithm is, indeed, flawed...

      PSK with weak passwords is theoretically attackable. I don't think there's a script for the kiddies yet, but if you choose a passphrase like "i read about this on slashdot, Wi-Fooers!", then you are not at risk from that attack.

      Yes, I would choose to distribute the user certs for TLS. There are many management tools for this. The problem with PEAP is that the CA cert is widely distributed, if not actually public, which could allow someone to attack weak passwords.

      I'm glad you got something out of the book. I do think they present it as a practical guide, but then are too vague in spots, and even resort to hand waving at the higher end. Take their advice on acquiring a WLAN card with the Prism chipset. Many of the manufacturers they mention don't sell Prism-based cards anymore. Just another example of how you have to figure it out yourself anyway (as with most of the software). So, who needs the book?

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
  21. Homebrew it. by Gordonjcp · · Score: 1

    Not a "Pringles can" antenna - they suck, badly. Nope, what you want is an 800g soup can to make a stopped waveguide antenna. Use one at each end. If that doesn't do it, use it as the feed for a dish.
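    The can antenna mentioned above is a short length of circular waveguide closed at one end, fed by a quarter-wave probe. The following is an added example, not from Wi-Foo or the commenter, that works out the dimensions from the can diameter using the standard circular-waveguide cutoff factors (TE11 cutoff wavelength 1.706 D, next mode TM01 at 1.306 D). It assumes 2.437 GHz (802.11b/g channel 6) as the design frequency, and also reports whether the can is narrow enough that only the dominant mode propagates.

```python
"""Dimensions for a closed-end ('stopped') circular waveguide can antenna.
Added example, not from the original page."""
import math

C = 299_792_458.0  # speed of light, m/s


def cantenna_design(diameter_m: float, freq_hz: float = 2.437e9) -> dict:
    """Return probe position, probe length and minimum can length for a can of the given
    inner diameter. Raises ValueError if the can is too narrow to carry the TE11 mode."""
    lam0 = C / freq_hz                 # free-space wavelength
    lam_c_te11 = 1.706 * diameter_m    # TE11 cutoff wavelength (dominant mode)
    lam_c_tm01 = 1.306 * diameter_m    # TM01 cutoff wavelength (first higher mode)
    if lam0 >= lam_c_te11:
        raise ValueError("can too narrow: TE11 is cut off at this frequency")
    # Guide wavelength: 1/lam_g^2 = 1/lam0^2 - 1/lam_c^2
    lam_g = 1.0 / math.sqrt(1.0 / lam0 ** 2 - 1.0 / lam_c_te11 ** 2)
    return {
        "guide_wavelength_m": lam_g,
        "probe_from_closed_end_m": lam_g / 4,    # probe sits a quarter guide-wavelength from the back
        "probe_length_m": lam0 / 4,              # quarter-wave monopole in free space
        "min_can_length_m": 3 * lam_g / 4,       # at least 3/4 guide-wavelength of can in front
        "single_mode": lam0 > lam_c_tm01,        # only TE11 propagates if TM01 is still cut off
    }


if __name__ == "__main__":
    for d_mm in (70, 92, 100):
        try:
            r = cantenna_design(d_mm / 1000)
            print(f"{d_mm} mm: probe at {r['probe_from_closed_end_m']*1000:.1f} mm, "
                  f"probe {r['probe_length_m']*1000:.1f} mm, can >= {r['min_can_length_m']*1000:.0f} mm, "
                  f"single-mode={r['single_mode']}")
        except ValueError as e:
            print(f"{d_mm} mm: {e}")
```

    A 92 mm can lands in the single-mode region at 2.4 GHz; a 100 mm can still works but lets the TM01 mode in, which is why the usual advice is to pick a diameter between roughly 75 and 95 mm rather than the largest can available.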

  22. EAP-TLS by Jacco+de+Leeuw · · Score: 1

    You write in your thesis that EAP-TTLS and PEAP are more secure than EAP-TLS. Could you elaborate on this?

    --
    -------
    Warning: Slashdot may contain traces of nuts.
    1. Re:EAP-TLS by rworne · · Score: 2, Insightful

      IIRC, at the time the paper was written, EAP-TTLS and PEAP leaked the least amount of info to a possible attacker and had no known exploits at the time. Check the link offered in the bibliography, it explains it in more detail.

      The key point of that section (as miserably brief as it was, I admit) was to point out there are developments helping the situation, but the overall opinion is that wireless networks are not secure and people need to be aware of the traffic that is sent over them and what this traffic might reveal to an attacker.

      Frankly, I needed another semester to work on the thesis, but schedules are a pain.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  23. Wireless has made the internet free for me. by eBayDoug · · Score: 1

    I'm in the city.

    I have 2 or 3 open wireless networks to tap into at any time, right from the office.

    I love my free internet.

    --
    Learn About Outsourcing. http://www.pioutsource.com