"Mind if I come in?"

A Small Introduction to Wireless LAN Penetration


Wireless LANs (WLANs) are becoming increasingly popular. They're extremely convenient for laptop users and for home networks: no need for cables all over the place, just sniff the air waves and connect. Obviously, this poses something of a risk: anyone with a WLAN-enabled computer can look around, see which WLANs are there to be found, and come in to have a look. While IT professionals (hopefully) understand these risks, the average home user or DIY adept might just unpack his new toys, set them up, and leave the wireless network unprotected. It happens all the time. After all, buyers expect things to work "out of the box", so vendors sell their stuff so that it will.

WLANs used to be secured through WEP (Wired Equivalent Privacy): without the right key, it would be impossible to decrypt the data flying around on the air waves. Unfortunately, WEP encryption proved quite weak and can easily be broken. What follows is a 5-step intrusion guideline: it shows how easy it can be to get access to a wireless network. It is based on a commercial from a company that sells security ... (used to be at http://www.lucidlink.com/wireless_hackers.asp -- link is now dead), and a small tutorial made by someone at www.governmentsecurity.org (link gone stale, but cached here).

The Tools

Kismet (Linux)
Tool to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. Alternatives: MacStumbler (Macintosh), NetStumbler (Windows).
Aireplay (Linux)
Data capturing: collects the (encrypted) data in transit on the WLAN. Alternatives: Airodump (Linux).
Aircrack (Linux)
Analyses the encrypted data and calculates a valid key for decryption. It can recover a 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA1/2 networks with some advanced methods or simply by brute force.
802ether (Linux, part of the aircrack package)
Decrypts the captured data with the key found with Aircrack.
AirSnort (Linux)
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.
Ethereal
Ethereal is a network protocol analyzer for Unix and Windows. It has an extensive list of features, including the ability to show captured data in human-readable form.

The Tricks

step 1: Find a wireless network

Here's a screenshot of NetStumbler:
[screenshot: NetStumbler]

step 2: Capture Data

In order to calculate the WEP key (in step 3), you'll need to capture data. The stronger the encryption (longer keys), the more data you'll need to be able to calculate the key. E.g. you will need between 200000 and 700000 IVs to be able to crack a 128-bit WEP key.
[screenshot: Aireplay]
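
To see why the packet counts above are reachable in practice, here is an added Python example (not from the original article, nor from the aircrack project): WEP prepends a 24-bit IV to the RC4 key, and the birthday bound shows that this IV space starts repeating after only a few thousand frames, long before the 200000 IVs quoted above. The same block scans a constructed IV sequence for reuse, the kind of check a wireless IDS can run to flag a network that is leaking repeated keystreams.

```python
IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible WEP IVs

def iv_collision_probability(frames: int) -> float:
    """Probability that at least two of `frames` uniformly random 24-bit IVs
    collide. Exact birthday-problem product, no approximation."""
    if frames < 2:
        return 0.0
    p_no_collision = 1.0
    for i in range(1, frames):
        p_no_collision *= 1.0 - i / IV_SPACE
    return 1.0 - p_no_collision

def frames_until_collision_likely(threshold: float = 0.5) -> int:
    """Smallest number of frames at which the collision probability reaches
    `threshold` (about 4823 frames for a 50% chance with 24-bit IVs)."""
    p_no_collision = 1.0  # probability of no collision among `frames` frames
    frames = 1
    while 1.0 - p_no_collision < threshold:
        p_no_collision *= 1.0 - frames / IV_SPACE
        frames += 1
    return frames

def find_iv_reuse(ivs):
    """Defender-side check: return (frame_index, iv) for every frame whose IV
    has already been seen on this network. Any hit means two frames were
    encrypted with the same RC4 keystream."""
    seen = set()
    reused = []
    for idx, iv in enumerate(ivs):
        if iv in seen:
            reused.append((idx, iv))
        seen.add(iv)
    return reused

# Constructed sample: six IVs as a monitoring tool might extract them from
# captured WEP frames; frame 2 repeats the IV of frame 0.
SAMPLE_IVS = [0x0A1B2C, 0x0A1B2D, 0x0A1B2C, 0x3F0001, 0x3F0002, 0x3F0003]

if __name__ == "__main__":
    print("50% IV collision after", frames_until_collision_likely(), "frames")
    print("P(collision) at 200000 frames:", iv_collision_probability(200000))
    print("IV reuse in sample:", find_iv_reuse(SAMPLE_IVS))
```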

step 3: Find the key

With enough data to analyse, it's quite simple to find a valid decryption key:
[screenshot: aircrack]

step 4: Decrypt

Once you have a key, decrypting is a piece of cake.
[screenshot: 802ether]

step 5: Read the data

With Ethereal, captured data is presented in human-readable form, allowing you to look for usernames and passwords being transmitted (so you can use these to log on), or to read mail and chat while it's being transferred ...
[screenshot: Ethereal]

[image: Bart Simpson - It's just that easy]

The Disclaimer

The purpose of this article is to illustrate how cracking and intrusion can be done, so that people can check if any of the above methods could be applied against their systems. This article should not, in any way, be seen as a manual for or encouragement to criminal activity of any kind.

Some of my opinions about cracking can be found here.


More ...

Updated April 2008:


Koen Noens
September 2005
Updated April 2008