Hacker-Built PC Scans 300 Wifi Networks At Once
An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.
Bush would be proud.
Time to enable encryption on your wireless network. It's not foolproof, but it'll make you a smaller target.
I got my Linux laptop at System76.
"In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access."
:)
I use a hammer, you use an instant-off switch that you'll never be able to turn back on. At the end of the day, at least one of us will have released some pent-up frustration and anger.
When they trace the VoIP calls back to your network, just tell the cops: "Um, yeah, I saw those guys leave, just as I was pulling up. They were using my secured network without my permission, then they entered my secure house and took my snacks from my child-proof cabinet. Then drove off in my locked car, carrying my secured weapons safe..."
Just add network access to the list of "secured" items that can be taken.
This issue is a bit more complicated than you think.
The one watt amplifiers mentioned in the article almost guarantee that this device is operating outside the FCC part 15 rules.
I know everyone on /. hates the FCC, but consider how many nearby wireless networks might be effectively DoS'ed while he is trying to hack some schmuck's WEP key.
I'm sorry, but I don't see much in the way of commercial application for this thing - we know standard wireless networking encryption isn't secure. We know it can be cracked, and it can be cracked with just 2 cheap laptops to capture the data. There isn't much more of a need for proof-of-concept anymore.
"Better to be vulgar than non-existent" -Bev Henson
Why? Because of WEP's broadcasting nature, smart people make things like the Janus Project, capture your data and may break WEP security.
This has been known to cryptanalysts for a long time, so it was superseded by the WPA (Wi-Fi Protected Access) and WPA2 standards.
But yes, WEP is still used to avoid casual snooping :).
-- "Genius is 1% inspiration and 99% perspiration" - TAE --
In a world without walls and fences, who needs Windows and Gates?
(OMG - and you thought Geek sites were bad - "hammernet". Sheesh!)
I imagine that'd be a bit more productive.
[Fuck Beta]
o0t!
but with a secured network it is too difficult to prove.
There is no such thing as a "secured" network, that concept should not be hard to prove at all.
"Your honor, we asked Linksys and Microsoft to come to this court or provide certified letters that the wireless system my client has and the wireless card running on his MS Windows XP machine is and always has been 100% secure, they refused."
Obviously not foolproof. I need to get all the machines to drop the traffic unless it's routed through the router. In other words, it doesn't matter where it comes from, but the machines will only listen to traffic coming in off the VPN subnet, and then only listen to that if it's being routed by the internal router. That keeps someone from being cute somehow and confusing the network by plugging something in with an IP address that's on the VPN subnet; since it wouldn't come via the internal router (VPN server), the machines would go "Uh, WTF?"
The "2000 bit passkey" is really the disk encryption keys for loop-aes. See http://loop-aes.sourceforge.net/loop-AES.README . They are longer than 2000 bits.
The disk encryption keys are stored on USB and decrypted via passphrase (key encryption key) using a custom init process that mounts the encrypted loop-aes disk(s) and does the pivot_root / exec init into the target. This gives you full disk encryption booting from a trusted read-only kernel+initrd iso image. (or hdd bootloader)
The "instant off" is the key zeroisation mechanism where loop-aes keys (rotated in memory) are flushed and the disks are now inaccessible. A reboot and passphrase auth with USB key device present is then required to get back to a working state.
The use of 8 radios means most of them are in monitor mode attached to different antennas. There are two amplified cards (1W teletronics in line) which can be used for injection / active attacks, but 2 transmitting radios is about the limit practically speaking due to 802.11MAC / CSCA.
The WPA/WPA2 cracking references WPA-PSK dictionary attacks / cowpatty speedup via the Padlock hash engine SHA1 instruction. This gives you about a 10-20x increase in dictionary attack throughput but is still slow compared to most attacks. Many other kernel functions (loop-aes, IPsec, entropy in /dev/random) and user space applications (openssl, openvpn) are also tweaked to utilize the padlock core described here: http://www.via.com.tw/en/initiatives/padlock/hardware.jsp . Montgomery multiplication offload is still in the works...
[The "breaking SHA1 and RSA encryption in a single processor instruction cycle" line appears to confuse the implementation of these primitives (SHA1/MontMult) in a single instruction. These are not cracked by a single instruction.]
The comment about government sales is likely due to the fact that this system is well over FCC EIRP limits, thus restricting commercial sales to military or emergency services.
Additional images here:
http://s103.photobucket.com/albums/m127/coderman4
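An added example (not the Janus Project's or loop-aes's code) of the key-zeroisation idea behind the "instant off" described in the post above: a hypothetical in-memory key slot pinned with mlock(), a wipe the compiler cannot optimise away, and a disarm flag that leaves the key unusable until it is reloaded.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_BYTES 32   /* one AES-256 disk key; loop-aes keeps many, rotated */

/* Hypothetical key slot (example only): the key plus its state. */
struct keyslot {
    uint8_t key[KEY_BYTES];
    int armed;    /* 1 while a usable key is loaded */
    int locked;   /* 1 if the slot is pinned in RAM (never swapped out) */
};

/* Wipe that the optimizer cannot drop as a dead store: every write goes
 * through a volatile pointer, so memset elimination does not apply. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Load a key. mlock() keeps the key material off swap; a failure (e.g. a low
 * RLIMIT_MEMLOCK) is recorded rather than treated as fatal in this example. */
int keyslot_load(struct keyslot *s, const uint8_t *key, size_t len) {
    if (len != KEY_BYTES) return -1;
    s->locked = (mlock(s, sizeof *s) == 0);
    memcpy(s->key, key, len);
    s->armed = 1;
    return 0;
}

/* The "instant off": flush the key and disarm the slot. The volume stays
 * unreadable until a fresh load (reboot + passphrase + USB key in the setup
 * described in the post). Returns the number of key bytes wiped. */
size_t keyslot_zeroize(struct keyslot *s) {
    secure_zero(s->key, KEY_BYTES);
    s->armed = 0;
    if (s->locked) munlock(s, sizeof *s);
    s->locked = 0;
    return KEY_BYTES;
}

/* Copy the key out for use: 0 on success, -1 once the slot is zeroised. */
int keyslot_use(const struct keyslot *s, uint8_t out[KEY_BYTES]) {
    if (!s->armed) return -1;
    memcpy(out, s->key, KEY_BYTES);
    return 0;
}

/* True when no key byte survived the wipe and the slot is disarmed. */
int keyslot_is_clean(const struct keyslot *s) {
    for (size_t i = 0; i < KEY_BYTES; i++)
        if (s->key[i] != 0) return 0;
    return s->armed == 0;
}
```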
Nail. Coffin.
Basically: Don't use "pencil" as WEP password.
Yea, I couldn't even grasp what it truly meant here. Is Williams looking for an algorithm to break SHA1 and RSA? Did he prove P = NP yet?
A nice big red panic button that dials a good lawyer if you get caught.
First I code-named it Preparation H. V2 is called the Alan Parsons Project.
FYI, it's a Pelican box, I have several that I use for SCUBA diving.
2000-bit passkey? I'm not a cryptographer, but aren't these usually in powers of 2?
300 networks simultaneously? The picture appears to be Kismet, and that uses channel hopping, so unless he's got 300 wireless cards packed into that (not that it couldn't be done), I'm skeptical.
encrypting the captured data? unless he fears the device being captured, I think that's unnecessary
~Eric Betts
~Eric
In other news, he has also announced that the next version of the Janus project will be powered by the Easter Bunny running on a very small, internally mounted gerbil wheel.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
SSID="linksys" (or SSID="default")
The WiFi bandwidth has 17 data channels, each of which can be controlled by only one network at one time. How can a single node sniff more than 17 networks simultaneously?
--
make install -not war
The link above is to a blog which links to a blog which links to... It seems the original info came from http://www.tgdaily.com/2006/08/30/defcon2006_janus_project/ ; more info is available there than at the site linked in the parent.
I love my sig.
I have neither a fancy hat, nor a yellow wifi-scanning PC.
However, my penis is touched by a woman regularly[*]. I win.
.
[*] Just to clarify, this woman is 1) human, 2) alive, 3) not related to me, 4) not paid by me to perform this service, 5) does not require electricity to perform this service.
I'm skeptical. If all you had to do to receive faint signals was to amplify the antenna, then everyone would do it and you'd have awesome range without needing to increase the signal strength. But it doesn't work like that. The higher the gain, the more noise you get. And with all those people broadcasting on overlapping channels along with normal interference, noise is exactly what you're going to get.
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
Okay, this is one of the most informative posts ever. People are thinking this is Williams, the original guy who built the box (even though the thread credits someone else).
I don't see how that post could be modded overrated. If I get modded troll and otherwise ignored...
The K9 version of this project will lack the J in the beginning for sniffing.
Let the wardriving games commence.
This sig will self destruct in 5 seconds.
I'm sure this is a misquote.
He can already crack WEP in under five minutes, I could see where he could possibly crack WEP in a single "for" loop or something using recursion (in which case why would it need to loop? Maybe if something goes wrong, the router doesn't respond or something).
And then SHA1 and RSA encryption would be his next target, and eventually he'd get it to where he can crack that in a single "for" loop.
www.linuxpenguin.net
I don't know who suggested/queued the original article intro posted by Zonk. I am involved on the software side and posted the anonymous corrections (prior to recovering this long-idle acct), since neither Kyle nor myself were contacted prior to publication to verify technical details in content, as evidenced by the couple of mis-quoted or mis-interpreted points above.
;)
Or perhaps this is all an elaborate ruse designed to make you think in that direction...
So what exactly does he do with all those purloined keys?
I employ two of three possible methods to secure my network, MAC filters and WPA keys. So I was thinking, how does this deal with MAC filters. Then it came to me that the first two octets of the MAC are easy - Intel has a pretty big lock on wireless, as does Broadcom. So that's 65,535 fewer combinations to look for. But where it gets interesting is in the last four octets. That leaves 4,294,967,296 possible combinations. Not that you couldn't brute it, but that coupled with the WPA keys might take more than five minutes to crack.
So the Janus project is interesting, and they'll score lots of keys. But I don't see the overall usefulness.
...but with a secured network it [hacking] is too difficult to prove.
There you have it. Even a less-savvy judge will be convinced that it is possible and feasible, if there are tools like that mainstream.
Drop the leading letter off the name of your project then it would be funny.
The above post is an editorial; the poster cannot and will not be held responsible for all or in part for its contents.
I don't even bother with WEP or WPA - I figure it'll just slow things down. My home wireless router is running OpenWRT, so setting up WPA is an ass-ache anyway. I MAC-locked the wireless to keep the drooling masses from connecting (clueless neighbors, etc.). If the client has a correct MAC, they can get an address from DHCP and talk to my OpenVPN port. That's all. If someone were determined to DoS me, they certainly could do so in this arrangement, but then you can DoS wifi even if it's running WEP or WPA, too - those provide no protection against a flood of forged disassociate packets, for example. And I do have to worry about security holes in OpenVPN or dnsmasq (which does DHCP from the OpenWRT box), but this is an acceptable security/convenience trade-off for me. It's just a home network, after all.
Even windows users know how to sniff your MAC and clone it. WPA is good, though; while it's certainly crackable the crack's too hard to bother with when there are plenty of unsecured (or WEP-secured) networks available.
I tested kismet and aircrack on ubuntu dapper a few weeks ago and it readily cracked dozens of WEP keys; but I could only get WPA keys through dictionary attacks, which is annoyingly time consuming and thus not worth the effort.
I'm pretty sure most of us are strongly in the Bill of Rights camp. And that means freedom of speech, which I believe FUCK is a part of.
Go back to church and don't hurt yourself by attempting to think. Leave that to us science and nerd types, please.
rhY
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.