Slashdot Mirror


Hacker-Built PC Scans 300 Wifi Networks At Once

An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.

7 of 121 comments

  1. Re:Just about time by TheOtherChimeraTwin · Score: 2, Informative
    It is pretty good at cracking WEP

    In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like aireplay, airodump and aircrack, Williams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic.
  2. Some corrections by Anonymous Coward · Score: 5, Informative

    The "2000 bit passkey" is really the disk encryption keys for loop-aes. See http://loop-aes.sourceforge.net/loop-AES.README . They are longer than 2000 bits.

    The disk encryption keys are stored on USB and decrypted via passphrase (key encryption key) using a custom init process that mounts the encrypted loop-aes disk(s) and does the pivot_root / exec init into the target. This gives you full disk encryption booting from a trusted read-only kernel+initrd iso image. (or hdd bootloader)

    The "instant off" is the key zeroisation mechanism where loop-aes keys (rotated in memory) are flushed and the disks are now inaccessible. A reboot and passphrase auth with USB key device present is then required to get back to a working state.

    The use of 8 radios means most of them are in monitor mode attached to different antennas. There are two amplified cards (1W teletronics in line) which can be used for injection / active attacks, but 2 transmitting radios is about the limit practically speaking due to 802.11MAC / CSCA.

    The WPA/WPA2 cracking references WPA-PSK dictionary attacks / cowpatty speedup via the Padlock hash engine SHA1 instruction. This gives you about a 10-20x increase in dictionary attack throughput but is still slow compared to most attacks. Many other kernel functions (loop-aes, IPsec, entropy in /dev/random) and user space applications (openssl, openvpn) are also tweaked to utilize the padlock core described here: http://www.via.com.tw/en/initiatives/padlock/hardware.jsp . Montgomery multiplication offload is still in the works...

    [The "breaking SHA1 and RSA encryption in a single processor instruction cycle" line appears to confuse the implementation of these primitives (SHA1/MontMult) in a single instruction. These are not cracked by a single instruction.]

    The comment about government sales is likely due to the fact that this system is well over FCC EIRP limits, thus restricting commercial sales to military or emergency services.

    Additional images here:
    http://s103.photobucket.com/albums/m127/coderman42/?action=view&current=janusbox.jpg&refPage=&imgAnch=imgAnch3
    http://s103.photobucket.com/albums/m127/coderman42/?action=view&current=janusbox-dev.jpg&refPage=&imgAnch=imgAnch2
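The two-factor unlock and "instant off" described in this post, as an added illustration that is not the Janus Project's code: the disk key is wrapped under a key-encryption-key derived from the passphrase with a salt kept on the USB token, so the token alone and the passphrase alone are each useless, and zeroising the unwrapped key is what makes the disks unreadable. The token layout and the HMAC-counter keystream are my stand-ins for loop-aes's own key-file format, which this does not reproduce.

```python
import os
import hmac
import hashlib

# Constructed token layout: salt || nonce || wrapped disk key || MAC tag (not loop-aes's format)
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 100_000


def derive_keys(passphrase: str, salt: bytes):
    """Passphrase -> (wrap key, MAC key): the key-encryption-key step."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return kek[:32], kek[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF; a stand-in for the real key-file cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def make_token(disk_key: bytes, passphrase: str) -> bytes:
    """Bytes written to the USB device; the disk key never appears on it in clear."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, _keystream(enc_key, nonce, len(disk_key))))
    tag = hmac.new(mac_key, salt + nonce + wrapped, hashlib.sha256).digest()
    return salt + nonce + wrapped + tag


def unlock(token: bytes, passphrase: str) -> bytearray:
    """Needs both factors: the token bytes AND the passphrase. Returns a mutable key buffer."""
    salt, nonce = token[:SALT_LEN], token[SALT_LEN:SALT_LEN + NONCE_LEN]
    wrapped, tag = token[SALT_LEN + NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expect = hmac.new(mac_key, salt + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):       # wrong passphrase or altered token
        raise ValueError("wrong passphrase or tampered USB token")
    return bytearray(a ^ b for a, b in zip(wrapped, _keystream(enc_key, nonce, len(wrapped))))


def instant_off(key: bytearray) -> None:
    """Zeroise the in-memory disk key in place; disks stay unreadable until unlock() runs again."""
    for i in range(len(key)):
        key[i] = 0


if __name__ == "__main__":
    disk_key = os.urandom(64)                      # constructed stand-in for a loop-aes key
    live = unlock(make_token(disk_key, "correct horse"), "correct horse")
    print("unlocked:", hmac.compare_digest(bytes(live), disk_key))
    instant_off(live)
    print("zeroised:", all(b == 0 for b in live))
```

In Python the interpreter may hold other copies of the key, so the overwrite shows the mechanism rather than guaranteeing erasure; the post's custom init process does this on the actual key buffers.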

  3. Snazzy little yellow box? by Ec|ipse · Score: 2, Informative

    FYI, it's a Pelican box, I have several that I use for SCUBA diving.

  4. Re:Just another way to get thrown into Gitmo. by LiquidCoooled · Score: 2, Informative

    The poster isn't wrong, from the thg article

    After the Instant Off switch is hit, a USB key with a 2000-bit passkey and a manually entered password are needed to access the computer. Williams said that even if someone managed to grab the USB key, they would still have to "torture or bribe me" to get the password.

    In the UK, the RIP act allows you to be thrown in jail for 3 years for not supplying the encryption keys, in America I can quite easily picture this guy wearing his leather hat and some fetching orange clothing.

    After all, his box does look like the computers the criminal ring leaders use in most movies.

    --
    liqbase :: faster than paper
  5. Re:I wish them good luck! by LiquidCoooled · Score: 3, Informative

    Actually, if you read the documentation for the VIA Padlock hardware encryption/decryption engine, you would realise that they talk about realtime encryption/decryption; it's not a software operation, it's a set of on-die commands.

    --
    liqbase :: faster than paper
  6. Re:So use VPNs. by walt-sjc · Score: 2, Informative

    I don't bother with WEP at all. My AP is wide open, and connects to a dedicated interface on my gateway server. Similar to your setup, the only ports open on that interface are for VPN - other than that it's stealth. No point in the additional encryption that just slows things down without providing any real security.

  7. Re:283 * 0 = 0 by anethema · Score: 2, Informative

    Actually, while 11 channels are claimed, there really are only 3.

    1, 6, 11.

    Any other channels are just varying degrees of overlap with these 3.

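To check the three-channel claim in this post, an added example (not from the original thread) that works out 2.4 GHz channel overlap from the 5 MHz channel spacing and the 22 MHz 802.11b channel width, then finds every largest set of mutually non-overlapping channels among the 11 usable ones; channel 14 is left out.

```python
import itertools

CHANNELS = range(1, 12)                                # the 11 channels the post refers to
CENTRE_MHZ = {ch: 2407 + 5 * ch for ch in CHANNELS}    # channel 1 = 2412 MHz, 5 MHz steps
WIDTH_MHZ = 22                                         # occupied bandwidth of an 802.11b channel


def overlap_fraction(a: int, b: int) -> float:
    """Fraction of channel a's 22 MHz that channel b's signal also occupies (0.0 if disjoint)."""
    separation = abs(CENTRE_MHZ[a] - CENTRE_MHZ[b])
    return max(0.0, (WIDTH_MHZ - separation) / WIDTH_MHZ)


def overlaps(a: int, b: int) -> bool:
    return a != b and overlap_fraction(a, b) > 0


def overlap_table() -> dict:
    """For each channel, the other channels whose signal spills into it."""
    return {ch: [o for o in CHANNELS if overlaps(ch, o)] for ch in CHANNELS}


def largest_non_overlapping_sets() -> list:
    """Every largest subset of CHANNELS with no pairwise overlap (brute force over 2^11 subsets)."""
    for size in range(len(CHANNELS), 0, -1):
        found = [c for c in itertools.combinations(CHANNELS, size)
                 if not any(overlaps(x, y) for x, y in itertools.combinations(c, 2))]
        if found:
            return found
    return []


if __name__ == "__main__":
    for ch, others in overlap_table().items():
        print(f"channel {ch:2d} ({CENTRE_MHZ[ch]} MHz) overlaps with {others}")
    print("largest clean sets:", largest_non_overlapping_sets())
```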