Encrypt Your Wireless Traffic to Avoid Getting Hacked
Wireless traffic can be captured directly out of the airwaves, making this communications medium susceptible to eavesdropping and hacking. Unless the traffic is encrypted, it’s sent and received in cleartext just as on a standard wired network.
On top of that, the 802.11 encryption protocols, Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), have their own weaknesses that allow attackers to recover the encryption keys and decrypt the captured traffic. This vulnerability has really helped put WLANs on the map — so to speak.
WEP, in a certain sense, actually lives up to its name: It provides privacy equivalent to that of a wired network, and then some. However, it wasn’t intended to be cracked so easily. WEP uses a symmetric stream cipher called RC4, which is reasonably strong on its own; the trouble is in how WEP uses it.
Hackers can observe encrypted wireless traffic and recover the WEP key because of a flaw in how the RC4 initialization vector (IV) is handled by the protocol. The IV is only 24 bits long, so there are only about 16.7 million possible values, and after that many packets the IV is forced to repeat. In practice it repeats even sooner, depending on how many wireless clients join and leave the network.
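To put numbers on the IV weakness described above, here is an added example (not code from the original article) that computes the size of the 24-bit IV space, the birthday bound for how soon a repeat is expected even if IVs were chosen at random, and the effect of clients restarting their IV counter at zero when they join. The counter-reset behaviour is an assumption used to model the article's "even sooner" remark; the 24-bit IV length is from the article.

```python
import math

IV_BITS = 24                      # WEP prepends a 24-bit IV to every frame
IV_SPACE = 2 ** IV_BITS           # 16,777,216 distinct IV values

def iv_space_size(bits: int = IV_BITS) -> int:
    """Number of distinct IVs. With a plain counter this is also the number of
    packets a single client can send before it is forced to reuse a value."""
    return 2 ** bits

def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of `packets` uniformly random IVs coincide.
    Uses the standard birthday-bound approximation 1 - exp(-n(n-1) / 2N)."""
    if packets > space:
        return 1.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * space))

def packets_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Approximate number of random IVs after which a repeat has probability >= p."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))

def first_repeat_with_counter_reset(sessions: int, packets_per_session: int,
                                    space: int = IV_SPACE):
    """1-based index of the first packet whose IV repeats an earlier one, or None.
    Assumed model: each client session starts its IV counter at zero, so the first
    packet of any second session reuses IV 0 no matter how few packets were sent."""
    if sessions >= 2:
        return min(packets_per_session, space) + 1
    # A lone session only repeats once its counter wraps around the whole space.
    return space + 1 if packets_per_session > space else None

if __name__ == "__main__":
    print(f"IV space: {iv_space_size():,} values")
    n = packets_for_probability(0.5)
    print(f"Random IVs: 50% chance of a repeat after ~{n:,} packets "
          f"(p={collision_probability(n):.3f})")
    print(f"Counter reset, 2 clients x 1,000 packets: first repeat at packet "
          f"{first_repeat_with_counter_reset(2, 1000)}")
```

The birthday figure is the point worth remembering: even a perfectly random 24-bit IV is expected to repeat within a few thousand packets, so the 16.7 million figure is an absolute ceiling, not what a busy network delivers.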
Airodump and aircrack are very simple to run in Windows. You simply download and extract the aircrack programs, the Cygwin POSIX compatibility environment, and the supporting Peek driver files from http://aircrack-ng.org, and you’re ready to crack away!
The wireless industry came up with a solution to the WEP problem called Wi-Fi Protected Access. WPA uses the Temporal Key Integrity Protocol encryption system, which fixes all the known WEP issues. WPA2, which replaced the original WPA, uses an even stronger encryption method called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, or CCMP for short, based on the Advanced Encryption Standard.
WPA and WPA2 running in “enterprise mode” require an 802.1X authentication server, such as a RADIUS server, to manage user accounts for the WLAN. Check with your vendor for WPA updates.
You can also use aircrack to crack WPA and WPA2 pre-shared keys. To crack WPA-PSK encryption, you have to wait for a wireless client to authenticate with its access point. A quick way to force the re-authentication process is to send a de-authenticate packet to the broadcast address.
You can use airodump to capture packets and then start aircrack to initiate cracking the pre-shared key by using the following command-line options:
#aircrack-ng -a2 -w path_to_wordlist <capture file(s)>
CommView for WiFi is a great tool for WEP/WPA cracking. It’s simple to use and works well. Cracking WEP or WPA is simply a matter of 1) loading CommView for WiFi, 2) starting a packet capture on the wireless channel you want to test, and 3) clicking the Tools menu and selecting either the WEP or WPA Key Recovery option.
WPA key recovery is dependent on a good dictionary. The dictionary files available at www.outpost9.com/files/WordLists.html are a good starting point.
Another commercial alternative for cracking WPA and WPA2 keys is Elcomsoft Wireless Security Auditor. To use EWSA, you simply capture wireless packets in tcpdump (pcap) format, load the capture file into the program, and shortly thereafter you have the PSK. EWSA is a little different because it can crack WPA and WPA2 PSKs in a fraction of the time it would normally take, but there’s a caveat.
You must have a computer with a supported NVIDIA or ATI video card. Yep, EWSA doesn’t just use the processing power of your CPU — it also harnesses the power and mammoth acceleration capabilities of the video card’s graphics processing unit. Now that’s innovation!
Using EWSA, you can try to crack your WPA/WPA2 PSKs at a rate of up to 50,000 WPA/WPA2 pre-shared keys per second. Compare that to the lowly few hundred keys per second using just the CPU and you can see the value in a tool like this.
The simplest solution to the WEP problem is to migrate to WPA, or ideally, WPA2, for all wireless communications. You can also use a VPN in a Windows environment — free — by enabling Point-to-Point Tunneling Protocol (PPTP) for client communications.
You can also use the IPSec support built into Windows, as well as Secure Shell, Secure Sockets Layer/Transport Layer Security, and other proprietary vendor solutions, to keep your traffic secure. Just keep in mind that there are cracking programs for PPTP, IPSec, and other VPN protocols as well, but overall, you’re pretty safe.
Newer 802.11-based solutions exist as well. If you can configure your wireless hosts to generate a new key dynamically after a certain number of packets have been sent, the WEP key-recovery attack is defeated, because an attacker never collects enough traffic under any one key to exploit the IV weakness.
Many AP vendors have already implemented this fix as a separate configuration option, so check for the latest firmware with features to manage key rotation. For instance, the proprietary Cisco LEAP protocol uses per-user WEP keys that offer a layer of protection if you’re running Cisco hardware. Again, be careful because cracking programs exist for LEAP, such as asleap.
The 802.11i standard from the IEEE integrates the WPA fixes and more. This standard is an improvement over WPA but is not compatible with older 802.11b hardware because of its implementation of the Advanced Encryption Standard (AES) for encryption.
If you’re using WPA with a pre-shared key, ensure that the key contains at least 20 random characters so it isn’t susceptible to the offline dictionary attacks available in such tools as Aircrack-ng and Elcomsoft Wireless Security Auditor.
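The guess rates quoted earlier (up to 50,000 keys per second with GPU acceleration, a few hundred with a CPU) and the 20-random-character guidance above are easy to connect with a little arithmetic. The following is an added example, not code from the article or from any of the tools it names. It derives the WPA/WPA2-PSK Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, which is why each guess is expensive), estimates the entropy of a passphrase, and works out how long an exhaustive search would take at the article's rates. The CPU rate of 300 per second, the character-pool sizes and the policy check's "three character classes" proxy for "random" are assumptions; the sample passphrases are constructed, except "password"/"IEEE", which is the standard's published test vector.

```python
import hashlib
import math

# Guess rates (keys per second) quoted in the article: GPU-accelerated EWSA vs. CPU-only.
GPU_RATE = 50_000
CPU_RATE = 300                     # "a few hundred"; 300 is an assumed midpoint
SECONDS_PER_YEAR = 365 * 24 * 3600

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-PSK per IEEE 802.11i:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.
    Every candidate passphrase costs 4096 HMAC rounds, which is what holds
    CPU-only guess rates to a few hundred per second."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)

def charset_size(passphrase: str) -> int:
    """Size of the smallest standard character pool covering every character used
    (assumed pools: 26 lower, 26 upper, 10 digits, 33 printable ASCII symbols)."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33
    return size

def entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming each character was picked uniformly from its pool.
    A dictionary word scores far lower in reality; this is the best case for the defender."""
    pool = charset_size(passphrase)
    return len(passphrase) * math.log2(pool) if pool else 0.0

def years_to_exhaust(passphrase: str, rate: float) -> float:
    """Time to try every passphrase of this length and pool at `rate` guesses per second."""
    return 2 ** entropy_bits(passphrase) / rate / SECONDS_PER_YEAR

def meets_policy(passphrase: str, min_length: int = 20, min_classes: int = 3) -> bool:
    """The article's guidance (at least 20 random characters), approximated as a
    length floor plus a mix of character classes; the class count is an assumed
    proxy for randomness, since true randomness cannot be checked after the fact."""
    classes = sum([
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ])
    return len(passphrase) >= min_length and classes >= min_classes

if __name__ == "__main__":
    # Constructed samples; ("IEEE", "password") is the IEEE 802.11i Annex H test vector.
    for ssid, psk in [("IEEE", "password"), ("HomeNet", "Tr7#kQ9!mZ2@pL4$wX6%")]:
        print(f"{psk!r} on {ssid!r}: PMK={wpa_pmk(psk, ssid).hex()[:16]}... "
              f"entropy={entropy_bits(psk):.1f} bits, "
              f"GPU exhaustive search={years_to_exhaust(psk, GPU_RATE):.3g} years, "
              f"CPU={years_to_exhaust(psk, CPU_RATE):.3g} years, "
              f"policy ok={meets_policy(psk)}")
```

An eight-character lowercase passphrase falls to an exhaustive search in well under a year at the GPU rate, whereas a 20-character passphrase drawn from the full printable set is out of reach by dozens of orders of magnitude at any rate the article mentions. The policy check is the piece to wire into an audit script; the PMK derivation is there to show where the cost per guess comes from.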
Keep in mind that although WEP and weak WPA pre-shared keys are crackable, they’re still much better than no encryption at all. Similar to the effect that home security system signs have on would-be home intruders, a wireless LAN running WEP or weak WPA pre-shared keys is not nearly as attractive to a criminal hacker as one without any encryption.