[TriLUG] WEP insecure? What else?

Aaron S. Joyner aaron at joyner.ws
Tue Aug 24 16:09:11 EDT 2004


Jim Thompson wrote:

>Hi all,
>
>I've seen several posts to the effect of "never use WEP because it's
>incredibly easy to break". To test this, I've been using Airsnort to
>monitor my own 128-WEP network at home. I've been capturing packets
>for a while now and have only one "interesting" packet.  This link:
>
>http://www.knoppix-std.org/forum/viewtopic.php?t=1714
>
>seems to say similar things: guy captures millions of packets and gets
>only one "interesting" one. Has anyone actually *used* Airsnort or
>some other sniffing tool to successfully crack a 128bit WEP-enabled
>wireless link before (and not just "I've heard it's really easy to
>kr4ck LOL")? How long is a practical window on a home connection
>before enough "interesting" packets get collected (even assuming that
>the network is relatively busy instead of idle most of the time)? Is
>the risk of a neighbor cracking your WEP really practical? Certainly,
>if it takes days or weeks to get enough packets, that sort of rules
>out the casual wardriver, right?

First off, kudos to you for not taking the parrot's word for it, and 
testing the methods yourself.  This is the right way to look at the 
world, in my humble (yet accurate) opinion.  Having done the same thing 
myself in the past, I can say that your initial assertions are correct - 
on your average residential network, with passive methods, it can take a 
long time to crack a WEP key.  On the other hand, on a very busy 
network, or if you consider the possibility of injection, things change 
very quickly.

I have tinkered with this method under KisMac, for OS X, and it requires 
two wireless NICs in the same box.  I haven't tried it under Linux with 
AirSnort, but I'd be really surprised if AirSnort didn't support 
something along the same lines in terms of functionality.  Here's an 
excerpt from the KisMac docs that describes how it works:

> Packet reinjection is a very advanced WEP cracking technique. Be aware 
> that this is the bleeding edge of technology, so it might not be 
> working right away. When you use this attack, KisMAC will try to find 
> packets, that cause another computer to respond. The program will now 
> send these packets over and over again. If KisMAC detects answers, it 
> will go into injection mode. Now the network will generate huge 
> amounts of traffic, and more weak frames will be generated. Wireless 
> networks with WEP can be broken within an hour.
> Please be aware that all detections are of a heuristic nature, 
> therefore it might not always be working.
>
> *Note: Packet re-injection requires a PrismII as well as an Apple 
> Airport card. Make sure that the PrismII card uses the latest 
> firmware. Please select the Viha Driver in the preferences, the 
> MACJack driver will be loaded automatically. Also make sure that you 
> do not use channel hopping.*
>
I have successfully broken a network or two with this method, but it was 
probably a year ago when I was trying it.  Since then I've upgraded OS X 
to 10.3.x, and my second wireless NIC is not supported (yet).  So I lack 
the ability to play with this currently.

>My current project is
>to put a *BSD box in between the wireless router and the internet/LAN
>access, but that's kind of an end-run around getting Linux wireless to
>be more secure.

End-run or not, you should often do what works best.  Linux is a 
powerful tool, but don't neglect to use the right tool for the right job.

Aaron J.
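The reinjection technique quoted from the KisMac docs works by resending one captured frame over and over, and WEP has no replay protection to stop it. Seen from the defender's side, that leaves a fingerprint: the same transmitter, IV and ciphertext showing up many times in a short interval. The following heuristic detector is an added example written for this post, not code from the list, KisMac or AirSnort; the frame records and MAC addresses are constructed sample data, and the window and threshold values are assumptions to be tuned per network.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic): (time_s, transmitter, iv_hex, ciphertext_prefix_hex).
# Station 00:11:... sends 60 frames, each with a fresh IV, as a normal WEP driver does.
# Station aa:bb:... resends one captured frame (same IV, same ciphertext) 40 times in 2 seconds,
# which is the traffic pattern the reinjection technique quoted above produces.
LEGIT = [(0.1 * i, "00:11:22:33:44:55", f"{i:06x}", f"{(i * 7919) & 0xFFFF:04x}") for i in range(60)]
INJECTED = [(2.0 + 0.05 * i, "aa:bb:cc:dd:ee:ff", "3f2a1c", "9d4e") for i in range(40)]
SAMPLE_FRAMES = sorted(LEGIT + INJECTED)


def peak_repeats(frames, window_s=5.0):
    """For each identical (transmitter, iv, ciphertext prefix) tuple, return the largest number
    of copies observed inside any interval of window_s seconds. A sender cycling through IVs
    normally yields a peak of 1 per tuple; a replayed frame yields a peak equal to the burst size."""
    times = defaultdict(list)
    for t, mac, iv, prefix in frames:
        times[(mac, iv, prefix)].append(t)
    peaks = {}
    for key, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            # Slide the window start forward until the span fits inside window_s.
            while ts[end] - ts[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def flag_injection(frames, window_s=5.0, threshold=10):
    """Return the set of transmitter MACs that replayed one identical frame at least
    threshold times within window_s seconds (threshold is an assumed tuning value)."""
    return {mac for (mac, _iv, _prefix), n in peak_repeats(frames, window_s).items() if n >= threshold}


if __name__ == "__main__":
    print(flag_injection(SAMPLE_FRAMES))  # constructed sample flags only the injecting station
```

A station that reboots restarts its IV counter and will briefly reuse IVs legitimately, so keep the threshold above the retransmission rate you actually observe on your own network before treating a hit as an alert.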
