Figure 10-1 NetStumbler on a Windows PC in Software

Drawer Denso QR Bar Code in Software Figure 10-1 NetStumbler on a Windows PC

network card it can support, is a powerful attack tool, as the shared medium of a wireless network exposes all packets to interception and logging Popular wireless sniffers are Wireshark (formerly Ethereal) and Kismet Regular sniffers used on wireline Ethernet have also been updated to include support for wireless Sniffers are also important because they allow you to retrieve the MAC addresses of the nodes of the network APs can be configured to allow access only to prespecified MAC addresses, and an attacker spoofing the MAC can bypass this feature There are specialized sniffer tools designed with a single objective: to crack Wired Equivalent Privacy (WEP) keys WEP is an encryption protocol that 80211 uses to attempt to ensure confidentiality of wireless communications Unfortunately, it has turned out to have several problems WEP s weaknesses are specifically targeted for attack by the specialized sniffer programs They work by exploiting weak initialization vectors in the encryption algorithm To exploit this weakness, an attacker needs a certain number of ciphertext packets; once he has captured enough packets, however, the program can very quickly decipher the encryption key being used WEPCrack was the first available program to use this flaw to crack WEP keys; however, WEPCrack depends on a dump of actual network packets from another sniffer program AirSnort is a standalone program that captures its own packets; once it has captured enough ciphertext, it provides the WEP key of the network All these tools are used by the wireless attacker to compromise the network They are also typically used by security professionals when performing wireless site surveys of organizations The site survey has a simple purpose: To minimize the available wireless signal being sent beyond the physical controls of the organization By using the sniffer and finding AP beacons, a security official can determine which APs are transmitting into uncontrolled areas The APs can then be tuned, either by relocation or through the use of directional antennas, to minimize radiation beyond an organization s walls This type of wireless data emanation is particularly troubling when the AP is located on the internal network Local users of the network are susceptible to having their entire traffic decoded and analyzed A proper site survey is an important step in securing a wireless network to avoid sending critical data beyond company walls Recurring site surveys are important because wireless technology is cheap and typically comes unsecured in its default configuration If anyone attaches a wireless AP to your network, you want to know about it immediately If unauthorized wireless is set up, it is known as a rogue access point These can be set up by well-meaning employees or hidden by an attacker with physical access 80211b has two tools used primarily for security: one is designed solely for authentication, and the other is designed for authentication and confidentiality The authentication function is known as the service set identifier (SSID) This unique 32-character identifier is attached to the header of the packet The SSID is broadcast by default as a network name, but broadcasting this beacon frame can be disabled Many APs also use a default SSID, for Cisco APs this default is tsunami, which can indicate an AP that has not been configured for any security Renaming the SSID and disabling SSID broadcast are both good ideas; however, because the SSID is part of every frame, these measures should not be considered securing the network As the SSID is, hopefully, a unique

identifier, only people who know the identifier will be able to complete association to the AP While the SSID is a good idea in theory, it is sent in plaintext in the packets, so in practice SSID offers little security significance any sniffer can determine the SSID, and some operating systems Windows XP, for instance will display a list of SSIDs active in the area and prompt the user to choose which one to connect to This weakness is magnified by most APs default settings to transmit beacon frames The beacon frame s purpose is to announce the wireless network s presence and capabilities so that WLAN cards can attempt to associate to it This can be disabled in software for many APs, especially the more sophisticated ones From a security perspective, the beacon frame is damaging because it contains the SSID, and this beacon frame is transmitted at a set interval (ten times per second by default) Since a default AP without any other traffic is sending out its SSID in plaintext ten times a second, you can see why the SSID does not provide true authentication Scanning programs such as NetStumbler work by capturing the beacon frames and thereby the SSIDs of all APs WEP encrypts the data traveling across the network with an RC4 stream cipher, attempting to ensure confidentiality This synchronous method of encryption ensures some method of authentication The system depends on the client and the AP having a shared secret key, ensuring that only authorized people with the proper key have access to the wireless network WEP supports two key lengths, 40 and 104 bits, though these are more typically referred to as 64 and 128 bits In 80211a and 80211g, manufacturers have extended this to 152-bit WEP keys This is because in all cases, 24 bits of the overall key length are used for the initialization vector The IV is the primary reason for the weaknesses in WEP The IV is sent in the plaintext part of the message, and because the total keyspace is approximately 16 million keys, the same key will be reused Once the key has been repeated, an attacker has two ciphertexts encrypted with the same key stream This allows the attacker to examine the ciphertext and retrieve the key This attack can be improved by examining only packets that have weak IVs, reducing the amount of packets needed to crack the key Using only weak IV packets, the number of required captured packets is reduced to around four or five million, which can take only a few hours on a fairly busy AP For a point of reference, this means that equipment with an advertised WEP key of 128 bits can be cracked in less than a day, whereas to crack a normal 128-bit key would take roughly 2,000,000,000,000,000,000 years on a computer able to attempt one trillion keys a second As mentioned, AirSnort is a modified sniffing program that takes advantage of this weakness to retrieve the WEP keys The biggest weakness of WEP is that the IV problem exists regardless of key length, because the IV always remains at 24 bits Most APs also have the ability to lock access in only to known MAC addresses, providing a limited authentication capability Given sniffers capacity to grab all active MAC addresses on the network, this capability is not very effective An attacker simply configures his wireless cards to a known good MAC address