Re: V/Scan for Wireless LANs

From: Chris Harrington (cmh@nmi.net)
Date: Fri Jul 18 2003 - 14:13:13 EDT


Ian Chilvers wrote:

> Hi all
>
> We've been asked to perform a vulnerability assessment for a company that
> has a Wireless LAN. The W/LAN is running WEP with a random key generated,
> rather than a dictionary word.
>
> Are there any tools out there that can brute force WEP?
>
> Take this example. A person parks the car in the car park and sniffs the
> air waves with a product like NetStumbler. He discovers the W/LAN but with
> WEP.
>
> Is there a tool he can use to discover the WEP key (possibly by brute force)?
>
> If there isn't such a tool, how does this sound for an idea?
>
> Run an app that starts at binary 0s and counts up to 128 bits of 1s.
> For each sequence, listen to see if there are any sensible packets, or even
> send out a DHCP discover request to see if you get a reply. This would then
> possibly give you the WEP key.
>
> Any comments
>
> Ian....
>
Ian,

Don't know of any brute force tools to find a WEP key. I have used WEP
Crack (Linux) to recover WEP keys, but both times it took a lot more than
500mb of traffic (6 gig and 9.25 gig). Some vendors have fixed their
implementations of WEP so they do not produce as many IVs
(initialization vectors). So if you try WEP Crack on a Cisco or other
high end AP you will probably come up with no interesting packets.

IMHO the bigger problem is the lack of authentication on the client
part. When a client connects to an AP, the client does not verify that
he is talking to the proper AP. I can use Netstumbler / Kismet /
Wellenreiter to find an AP with WEP. I will also see their BSSID
(usually the AP's MAC address) and SSID and channel. There is a tool
called AirJack that is very useful in demonstrating the problem.

I start AirJack on my laptop using my target's BSSID, SSID, channel, etc.
AirJack sends out a reassociation beacon that causes the client to
reassociate to the AP. When the client tries to reassociate it will see
2 APs with the same BSSID and SSID on the same channel. It has a 50/50 shot
of connecting to my laptop running AirJack. If it does not connect, I'll
just re-run AirJack. Some client cards will "step down" from encrypted
to clear text if the AP they associate with does not have WEP,
regardless of whether the client is set for WEP or not.

So now the client is connected to my laptop via AirJack. Now fire up
ethereal or some other sniffer on that interface and watch as he/she
tries to reconnect to their network shares / email / domain controller
etc. You can imagine what you can grab from there.

--Chris

-- 
Christopher Harrington, CISSP
NMI InfoSecurity Solutions
145 Newbury Street, Second Floor
Portland, ME 04101
207-780-6381, x236
207-780-6301, FAX
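The scenario Chris describes leaves three observable traces on the air that a wireless IDS can key on: the real AP's BSSID being advertised a second time without the Privacy (WEP) capability bit, two radios sharing one BSSID and therefore producing two interleaved 802.11 sequence counters, and a burst of the management frames (deauthentication/disassociation) that push clients off the real AP so they re-associate. The following is an added defender-side example written for this post; it is not code from the thread or from any tool named in it. It assumes the frames have already been parsed into dicts (`type`, `bssid`, `ssid`, `channel`, `privacy`, `seq`), and the AP inventory, thresholds and sample capture are all constructed.

```python
"""Wireless-IDS style checks for the rogue-AP / WEP step-down scenario.

Added example, not code from the thread or from any tool it names. It assumes
802.11 management frames have already been parsed into dicts with the keys
type, bssid, ssid, channel, privacy (the Privacy capability bit) and seq
(the 12-bit sequence number); the inventory and all frames below are constructed.
"""
from collections import defaultdict

# Constructed inventory of the APs the defender owns.
AUTHORIZED_APS = {
    "00:11:22:33:44:55": {"ssid": "corp-wlan", "channel": 6, "privacy": True},
}

# Tuning thresholds (assumed values, not from the thread).
SEQ_BACKSTEP_TOLERANCE = 8   # small backward jitter in seq numbers is normal
DUPLICATE_BACKSTEPS = 3      # this many large backward jumps => a second radio
DEAUTH_BURST = 5             # deauth/disassoc frames from one BSSID per batch


def check_frames(frames):
    """Return [(finding, bssid, detail), ...] for one batch of parsed frames.

    Each (finding, bssid) pair is reported once per batch.
    """
    findings, reported = [], set()
    last_seq, backsteps, deauths = {}, defaultdict(int), defaultdict(int)

    def report(kind, bssid, detail):
        if (kind, bssid) not in reported:
            reported.add((kind, bssid))
            findings.append((kind, bssid, detail))

    for f in frames:
        bssid, known = f["bssid"], AUTHORIZED_APS.get(f["bssid"])

        if f["type"] == "beacon":
            # (a) Our BSSID advertised without WEP/privacy, or with a different
            #     SSID/channel: a client that "steps down" to clear text would
            #     attach to this twin and expose its traffic.
            if known and known["privacy"] and not f["privacy"]:
                report("privacy_bit_cleared", bssid,
                       f"beacon seq {f['seq']} on ch {f['channel']}")
            if known and (f["ssid"], f["channel"]) != (known["ssid"], known["channel"]):
                report("ap_attributes_changed", bssid,
                       f"{f['ssid']} on ch {f['channel']}")

            # (b) Two radios sharing one BSSID each keep their own sequence
            #     counter, so the merged stream keeps jumping backwards.
            prev = last_seq.get(bssid)
            if prev is not None:
                backward = (prev - f["seq"]) % 4096   # distance moved backwards, wrap-safe
                if SEQ_BACKSTEP_TOLERANCE < backward < 2048:
                    backsteps[bssid] += 1
                    if backsteps[bssid] == DUPLICATE_BACKSTEPS:
                        report("duplicate_bssid", bssid,
                               f"{backsteps[bssid]} backward seq jumps")
            last_seq[bssid] = f["seq"]

        elif f["type"] in ("deauth", "disassoc"):
            # (c) Frames that knock clients off the real AP so they re-associate;
            #     a burst from one BSSID within a short window is the telltale.
            deauths[bssid] += 1
            if deauths[bssid] == DEAUTH_BURST:
                report("deauth_burst", bssid, f"{deauths[bssid]} frames in batch")

    return findings


def sample_frames(include_rogue=True):
    """Constructed capture: the real AP's beacons, optionally interleaved with a
    twin using the same BSSID but no privacy bit, followed by a deauth burst."""
    bssid = "00:11:22:33:44:55"

    def beacon(privacy, seq):
        return {"type": "beacon", "bssid": bssid, "ssid": "corp-wlan",
                "channel": 6, "privacy": privacy, "seq": seq}

    frames = []
    for i in range(4):
        frames.append(beacon(True, 100 + i))        # genuine AP, counter near 100
        if include_rogue:
            frames.append(beacon(False, 5 + i))     # twin radio, counter near 5
    if include_rogue:
        for i in range(DEAUTH_BURST):
            frames.append({"type": "deauth", "bssid": bssid, "ssid": None,
                           "channel": 6, "privacy": None, "seq": 20 + i})
    return frames


if __name__ == "__main__":
    for finding in check_frames(sample_frames()):
        print(*finding)
```

On the constructed capture this reports `privacy_bit_cleared`, `duplicate_bssid` and `deauth_burst` for the owned BSSID and nothing for a clean capture. In a real deployment the frames would come from a monitor-mode capture and the thresholds would be tuned per site; the sequence-number check is the one that survives an attacker who copies the SSID, channel and capability bits exactly, because the second radio's counter cannot be merged with the real AP's.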




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:37 EDT