Slashdot Mirror
Feds Hack Wireless Network in 3 Minutes
xs3 writes At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys. This article will be a general overview of the procedures used by the FBI team.."
Assembled, for your pleasure:
-------
Title: The Feds can own your WLAN too
Introduction
Millions of wireless access points are spread across the US and the world. About 70% percent of these access points are unprotected--wide open to access by anyone who happens to drive by. The other 30% are protected by WEP (Wired Equivalent Privacy) and a small handful are protected by the new WPA (Wi-Fi Protected Access) standard.
At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys.
This article will be a general overview of the procedures used by the FBI team. A future article will give step-by-step instructions on how to replicate the attack.
WEP Cracking - The Next Generation
WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.
Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV), is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in encrypted frame's header, and is transmitted in plain text.
Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets--a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.
Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!"
On with the Show
Before we get into the steps that the FBI used to break WEP, it should be noted there are numerous ways of hacking into a wireless network. The FBI team used publicly available tools and emphasized that they are demonstrating an attack that many other people are capable of performing. On the other hand, breaking the WEP key may not necessarily give an attacker complete access to a wireless network. There could also be other protection mechanisms such as VPNs or proxy servers to deal with.
For the demonstration, Special Agent Bickers brought in a NETGEAR wireless access point and assigned it a SSID of NETGEARWEP. He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers.
Note that normally, you have to find wireless networks before you can crack them. The two wireless scanning tools of choice are Netstumbler for Windows or Kismet for Linux. Since the other WEP cracking tools are mainly Linux-based, most people find it easier to stick with Kismet, so they don't have to switch between Windows and Linux.
Another FBI agent started Kismet and immediately found the NETGEARWEP access point. Just for fun, a third agent used his laptop and ran FakeAP, a program that confuses scanning programs by putting up fake access points.
Attack!
After a target WLAN is found, the next step is to start capturing packets and convert th
They didn't do a dictionary attack. What they did was use aircrack that uses a statistical method to crack the key. You need lots and lots of packets and they got those using void/deauth and a replay attack. It's all in the article.
Also, you also only need one packet to brute force a key.
If you're going to cut-and-paste for karma, please CITE YOUR REFERENCES!
w w.tomsnetworking.com/Sections-print-article111.php +%22definite+improvement+over+WEP+in+providing+wir eless+security%22&hl=en&client=firefox-a
The page you snipped this from is cached here:
http://66.102.7.104/search?q=cache:ChC8gBE_LsEJ:w
I only managed to get to the third page of the useless article (seriously people, put more than 2 paragraphs on a page!)
But so far I have "He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers." which makes me wonder if they actually used a dictionary attack...
Finally loaded the 4th page. Apparently they knocked an authorized user off the AP repeatedly and collected the resulting flood of reauthentication packets, plus used packet replay attacks to get the AP to respond to replayed ARP requests (apparently they are easy to spot in a pcap dump despite encryption). This gave them all the IVs they needed to crack the key.
If I have been able to see further than others, it is because I bought a pair of binoculars.
On top of WEP encryption, you should also try to filter access to your wireless network using MAC addresses. I do not think a hacker would be able to easily get around that...
;) MAC filtering will only stop the very casual person from gaining access to your network.
OK, just in case you seriously don't know, MAC addresses are not encrypted, so it is dead simple to sniff traffic to find valid MAC addresses and then change the MAC address of the hacking box to the valid MAC address (usually during a time when that machine is not actually connected). I've heard that this is a good way to gain access at pay to play locations like Starbucks
Also keep in mind that MAC filtering only prevents someone from joining the network, you can still sniff at will at the packets.
At least we "geeks" have not been so foolish as to forget history. The FBI *earned* the mistrust and fear that we, and other people who haven't already been brainwashed yet. The story of COINTELPRO is a case in point. There are many other similarly creepy programs that they've embarked on in their history, and since the Patriot act has practically removed the checks on their authority that once existed, there is more reason than ever to be mistrustful and fearful of them.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
I always click on the printer-friendly format. That usually gives you the article and pictures on one continuous page.
I'm the author of the article.
1. Where in the article does it say the FBI developed the attacks? Did you RTFA?
2. For the IDS comment, I did state that it is NOT a stealthy attack. Not stealthy = IDS will pick it up.
3. You weren't at the talk, and it shows. They did give credit (a LOT of credit) to KoreK and Devine, but I didn't put it in the article. So you can blame me for it.