The intent of this paper is to document the background
behind the current IP address assignments which I have offered to
coordinate. The proposed scheme has been reviewed by Phil Karn,
Bdale Garbee and (verbally with) Mike Chepponis, all of whom have
encouraged that it be used.
Phil's code does NOT currently support the subnetwork
aspects of the scheme but will do so in the future. There is no
real reason for any national coordination of these addresses
until actual networks or at least geographically coordinated
groups of experimenters are formed.
I have offered to issue and keep track of SUBNET addresses
and their "owners" who are presumably responsible *NETWORK*
implementors and managers.
The basic premise behind the proposed plan is that amateur
radio networks will be politically defined. The plan is based
upon the presumption that current voice networks serve as a
proper analog by which to predict general characteristics of the
as yet unconstructed digital networks. Political entities will
build networks funded, controlled, maintained and used primarily
by their own members and guests.
Each of these separately managed networks should be viewed
as a subnetwork of AMPRNET (with the idea being to somehow
rationally partition the 044.xxx.xxx.xxx AMPRNET address space).
Each subnetwork within AMPRNET will maintain routing tables for
its own constituents. Each will provide its own hosts (TACs,
Gateways, i.e. the mechanism by which users with simple terminals
and AX25 level 2 boxes will access network resources), switches,
rules (network administration), security measures and quite
possibly its own link level protocols.
The natural limitations on span of control will probably
limit the service area of each of these networks. This is
another factor leading to the partitioning of the AMPRNET address
space with respect to separate subnetworks.
This partitioning of the address space will allow for
much simplified routing tables in each host. Internetworking
gateways will connect these independently controlled subnetworks.
Each gateway will maintain routing tables only for local hosts
and for gateways to other networks. Hosts and relay switches on
a given subnet will need to maintain routing information
regarding only members of that subnet and gateways to other
networks. The required routing tables should prove to be very
manageable and make any kind of geographically based heuristic
addressing schemes such as ZIP codes, area codes etc. moot.
I would also like to propose that we coordinate logical
network names and their corresponding addresses based on these
political network subdivisions. The concept of a naming
convention which maps directly into an IP address is purely for
the convenience of network developers and is not considered
necessary. There is, however, some good reasoning behind making
network and host names hierarchical and meaningful to end users.
It will considerably aid in bootstrapping the initial networks
and in being comprehensible to the non-network folks who will be
the primary users of these networks. The naming convention
proposed is of the form USERID@HOST.SUBNET[.AMPRNET.RES].
WESTNET, SBARCnet (Santa Barbara ARC) and GFRN-net represent
three hypothetical networks with which this writer could be
involved, perhaps as a provider of gateway and/or host services.
Each of these subnetwork entities could have a distinct
address and perhaps several internally administered host/user
addresses.
[NOTE: Throughout this paper, Host or Host/User represents
any host or any user running IP protocols that has direct
network access. Also, for the purposes of the following
example, WA6JPR is not a network address, rather it
represents a user-id on a local host. It is the writer's
opinion that the majority of packet users for the foreseeable
future will be using simple TNCs connected to hosts via
AX.25 level 2 protocols.]
WA6JPR may be "a user" on hosts on more than one network
such that a station in Washington D.C., logged onto an AMPRNET
host, may send internet traffic successfully to
WA6JPR@JPRHOST.WESTNET (this traffic would be routed to Westnet
via various AMPRNET gateways and subnetwork level relays and then
to a Santa Barbara host known internally by Westnet to be
reachable via the W6AMT-2 switch). Traffic could also be
directed to Wally@SBARC (presuming that the Santa Barbara
Amateur Radio Club maintains a message server host gatewayed to
the AMPRNET catenet).
Based upon the presumption of the AMPRNET/SUBNET/HOST
hierarchy, it would seem that we could easily decide how to
allocate the 044.xxx.xxx.xxx 24 bit IP address field such that
there are bits allocated for a sufficient number of individually
managed subnetworks while leaving a correspondingly adequate
number of assignable bits for the internal addressing needs of
each individual subnetwork.
Accordingly, the following is proposed as an initial
addressing scheme and methodology for address assignment. [Bit
numbering is per RFC-960 Pg.2]
Bit 8 to be 0 for USA stations and 1 for non-USA stations.
[Note. This is not meant to imply a geographic basis for
assignments. It is meant to provide a very quick means for
segregating FCC controlled participants from non-FCC stations.]
Bits 9 - 18 to represent politically separate subnetworks within
AMPRNET. These bits are to be assigned in an inverse binary
sequence (see example below) beginning with the *MOST
SIGNIFICANT* bit first.
Bits 19 - 23 to be unassigned and reserved for future allocation
as network addresses, to network administrations for internally
assigned host and/or user addresses, to a combination of the
above or to a completely new intermediate class of addresses.
Bits 24 - 31 to be used within politically separate AMPRNET
subnetworks for individual hosts, switches, workstations etc. as
determined by local network administration. It would be
recommended that these bits be assigned in binary sequence with
the *LEAST SIGNIFICANT* bits being assigned first.
The resulting network addresses would be as follows:
AMPRNET
||
|| SUBNET----+
|| |         |
|| |         | HOST--+
|| |         | |     |
44:0...127:000:0...255------- 32,768 addresses assignable
44:0...127:001:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:031:0...255--+
44:0...127:032:0...255------- 32,768 addresses assignable
44:0...127:033:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:063:0...255--+
44:0...127:064:0...255------- 32,768 addresses assignable
44:0...127:065:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:095:0...255--+
44:0...127:096:0...255------- 32,768 addresses assignable
44:0...127:097:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:127:0...255--+
44:0...127:128:0...255------- 32,768 addresses assignable
44:0...127:129:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:159:0...255--+
44:0...127:160:0...255------- 32,768 addresses assignable
44:0...127:161:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:191:0...255--+
44:0...127:192:0...255------- 32,768 addresses assignable
44:0...127:193:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:223:0...255--+
44:0...127:224:0...255------- 32,768 addresses assignable
44:0...127:225:0...255--+
                        +-- 1,015,808 addresses reserved
44:0...127:255:0...255--+
44:128:xxx:xxx----------+
                        +-- 8,388,608 addresses assignable (non-USA)
44:255:xxx:xxx----------+
The above allocation and assignment scheme allows network
(subnet) and intranet (host/user) addresses to begin to be
immediately assigned to experimenters while retaining the largest
possible contiguous block of unassigned bits whose assignments
can be defined in the future with little or no impact on
previously allocated addresses. The USER@HOSTNAME.SUBNET/ADMINISTRATION
naming scheme represents a human-friendly
network naming convention which maps easily into numerical
network addresses. I believe that the above approach is in
general conformance with the requirements of RFC-950, "Internet
Standard Subnetting Procedure."
The numbering scheme as initially proposed allows for up to
1024 AMPRNET subnetworks of up to 256 hosts in the USA while
retaining five bits for future expansion. That's 262,144
individual AMPRNET addressable entities. If the proposed method
of address assignment is followed and we run out of Host/User
addresses before we run out of network addresses, we can simply
pick up the least significant reserved bit and assign more
Host/User addresses. Conversely, if network addresses are more
popular we could easily expand by taking the most significant
reserved bit and allocating it for network addressing.
If it should become clear that every user on a network needs his
or her own IP address, each network could allocate user blocks in
256 user increments from the least significant reserved bits.
Possible combinations are 1024 networks each with up to 8192
individually addressable units or 2048 networks each with 4096
hosts/users (8,388,608 individually addressable entities).
The writer presumes that 8 million plus addresses ought to
last the US amateur population for some time to come. All we need
to do to avoid painting ourselves in a corner is to assign them
in a logical sequence rather than randomly.
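The following Python model is an added example and is not part of the paper: it implements the bit layout proposed above (USA flag, subnetwork field, reserved field, host field), generates the "high bit first" subnetwork sequence that the assignment table below illustrates, and applies the paper's rule for moving a reserved bit into the host or subnet field. The Layout class and all function names are my own constructs, not anything the paper defines.

```python
"""Added example, not part of the original paper: a model of the proposed
AMPRNET 44.x.x.x layout.  Bit numbering follows the paper (bit 0 is the most
significant bit of the 32-bit address):
    bits 0-7    44 (AMPRNET)
    bit  8      0 = USA station, 1 = non-USA station
    bits 9-18   subnetwork field, assigned MOST significant bit first
    bits 19-23  reserved, kept zero under the initial scheme
    bits 24-31  host within the subnetwork, assigned LEAST significant bit first
The Layout class is my own device for modelling the paper's expansion rule.
"""
from dataclasses import dataclass

AMPRNET = 44
USA_FLAG_BIT = 23   # bit 8 of the address is bit 23 of the low 24 bits


@dataclass(frozen=True)
class Layout:
    subnet_bits: int = 10
    reserved_bits: int = 5
    host_bits: int = 8

    def __post_init__(self):
        if self.subnet_bits + self.reserved_bits + self.host_bits != 23:
            raise ValueError("subnet + reserved + host fields must fill 23 bits")

    def expand_hosts(self):
        """Hosts run out first: pick up the least significant reserved bit."""
        return Layout(self.subnet_bits, self.reserved_bits - 1, self.host_bits + 1)

    def expand_subnets(self):
        """Subnets run out first: pick up the most significant reserved bit."""
        return Layout(self.subnet_bits + 1, self.reserved_bits - 1, self.host_bits)


INITIAL = Layout()


def _mask(bits):
    return (1 << bits) - 1


def reverse_bits(value, width):
    """Mirror the low `width` bits of `value` (bit 0 <-> bit width-1)."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def encode(subnet_index, host, layout=INITIAL, non_usa=False):
    """Dotted address of the `subnet_index`-th network in the paper's "high
    bit first" sequence (index 0 is the special "this" network) and `host`.
    Reserved bits are left at zero."""
    if not 0 <= subnet_index <= _mask(layout.subnet_bits):
        raise ValueError("subnetwork index does not fit the subnet field")
    if not 0 <= host <= _mask(layout.host_bits):
        raise ValueError("host number does not fit the host field")
    # Handing out the most significant subnet bit first is a bit reversal of
    # the running index: 1 -> 1000000000, 2 -> 0100000000, 3 -> 1100000000 ...
    field = reverse_bits(subnet_index, layout.subnet_bits)
    low24 = ((int(non_usa) << USA_FLAG_BIT)
             | (field << (layout.reserved_bits + layout.host_bits))
             | host)
    return "%d.%d.%d.%d" % (AMPRNET, low24 >> 16, (low24 >> 8) & 0xFF, low24 & 0xFF)


def decode(address, layout=INITIAL):
    """Split a dotted 44.x.x.x address into its fields under `layout`."""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or octets[0] != AMPRNET or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not an AMPRNET address: %r" % address)
    low24 = (octets[1] << 16) | (octets[2] << 8) | octets[3]
    field = (low24 >> (layout.reserved_bits + layout.host_bits)) & _mask(layout.subnet_bits)
    return {
        "non_usa": bool(low24 >> USA_FLAG_BIT),
        "subnet_index": reverse_bits(field, layout.subnet_bits),
        "reserved": (low24 >> layout.host_bits) & _mask(layout.reserved_bits),
        "host": low24 & _mask(layout.host_bits),
    }


def conforms(address, layout=INITIAL):
    """True when the reserved field is zero: the address was assigned under
    the scheme and survives a later reallocation of the reserved bits."""
    return decode(address, layout)["reserved"] == 0


def assignment_table(count, layout=INITIAL):
    """The first `count` network addresses in assignment order, as in the
    paper's table: 44.064, 44.032, 44.096, 44.016, 44.080, ..."""
    return [encode(n, 0, layout) for n in range(1, count + 1)]


if __name__ == "__main__":
    for n, addr in enumerate(assignment_table(9), start=1):
        print("network %3d -> %s" % (n, addr))
    print(decode("44.64.0.5"))                            # KARNnet, host 5
    print(decode("44.64.0.5", INITIAL.expand_subnets()))  # same index after expansion
```

Because the subnet index is recovered by bit reversal rather than read as a plain number, an address assigned under the initial layout decodes to the same network index and host after either expansion rule is applied.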
The following table serves as an example of the "high bit
first" network address assignment table and some actual and
requested initial networking assignments.
"this"     44.000.000.xxx  ;special case
KARNnet    44.064.000.xxx  ;network admin: KA9Q
BDALEnet   44.032.000.xxx  ;network admin: N3EUA
DCnet1     44.096.000.xxx  ;network admin: WB6RQN
SOCALnet1  44.016.000.xxx  ;network admin: WB5EKU
DCnet2     44.080.000.xxx  ;network admin: WB6RQN
SOCALnet2  44.048.000.xxx  ;network admin: WA6JPR
PITTNET    44.112.000.xxx  ;network admin: N3CVL
next       44.008.000.xxx
next       44.072.000.xxx
   .
   .
   .
last       44.063.000.xxx
"all"      44.127.000.xxx  ;special case
21.8.09
Wifi Hack!!
Wireless networks are everywhere; they are widely available, cheap, and easy to set up. To avoid the hassle of setting up a wired network in my own home, I chose to go wireless. After a day of enjoying this wireless freedom, I began thinking about security. How secure is my wireless network?
I searched the Internet for many days, reading articles, gathering information, and participating on message boards and forums. I soon came to the realization that the best way for me to understand the security of my wireless network would be to test it myself. Many sources said it was easy, few said it was hard.
How a wireless network works
A wireless local area network (WLAN) is the linking of 2 or more computers with Network Interface Cards (NICs) through a technology based on radio waves. All devices that can connect to a wireless network are known as stations. Stations can be access points (APs), or clients.
Access points are base stations for the wireless network. They receive and transmit information for the clients to communicate with.
The set of all stations that communicate with each other is referred to as the Basic Service Set (BSS). Every BSS has an identifier known as the BSSID, also known as the MAC address, a unique identifier associated with every NIC.
For any client to join a WLAN, it must know the SSID of the WLAN; therefore, access points typically broadcast their SSID to let clients know that an AP is in range.
Data streams, known as packets, are sent between the access point and its clients. You need no physical access to the network or its wires to pick up these packets, just the right tools. It is the transmission of these packets that poses the largest security threat to any wireless network.
Wireless Encryption
The majority of home and small business networks are encrypted using the two most popular methods:
1. WEP
2. WPA
WEP – Wired Equivalent Privacy – comes in 3 different key lengths: 64, 128, and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively. WEP provides a casual level of security but is more compatible with older devices; therefore, it is still used quite extensively. Each WEP key contains a 24-bit Initialization Vector (IV) and a user-defined or automatically generated key; for instance, WEP 128 is a combination of the 24-bit IV and a user-entered 26-digit hex key ((26*4)+24=128).
WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.
WPA – WiFi Protected Access – comes in WPA and WPA2, and was created to resolve several issues found in WEP. Both provide you with good security; however, they are not compatible with older devices and therefore not used as widely. WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.
To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users simply cannot afford. WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP, which combined with other WEP fixes, allows substantially greater security over WEP.
Packets and IVs
It’s all in the packets. The bottom line is – while you may be able to employ several security features on your WLAN – anything you broadcast over the air can be intercepted, and could be used to compromise the security on your network. If that frightens you, start stringing wires throughout your home.
Every encrypted packet contains a 24 or 48 bit IV, depending on the type of encryption used. Since the pre-shared key is static and could be easily obtained, the purpose of the IV is to encrypt each packet with a different key. For example, to avoid a duplicate encryption key in every packet sent, the IV is constantly changing. The IV must be known to the client that received the encrypted packet in order to decrypt it; therefore, it is sent in plaintext.
The problem with this method is that the Initialization Vectors are not always different. In theory, if every IV was different, it would be nearly impossible to obtain the network key; this is not the case. WEP comes with a 24-bit IV, which gives the encryption 16 million unique values that can be used. This may sound like a large number, but when it comes to busy network traffic, it's not.
Not every IV is different, and this is where the issues arise. Network hackers know that all the keys used to encrypt packets are related by a known IV (since the user-entered WEP part of the key is rarely changed); therefore, the only change in the key is 24 bits. Since the IV is randomly chosen, there is a 50% probability that the same IV will repeat after just 5,000 packets; this is known as a collision.
If a hacker knows the content of one packet, he can use the collision to view the contents of the other packet. If enough packets are collected with IV matches, your network’s security can be compromised.
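As an added example (not from the original post), here is the arithmetic behind the "50% after about 5,000 packets" figure: a per-packet IV chosen at random from 2^24 values follows the birthday problem, and the same formulas show how far the 48-bit IV the post attributes to WPA moves that point. The function names are my own; the simulation helper is only practical for the 24-bit case.

```python
"""Added example, not part of the original post: how quickly a randomly chosen
per-packet IV is expected to repeat.  With N = 2**b possible IVs, a repeat
(collision) becomes likely after roughly sqrt(N) packets, not N packets,
which is why a 24-bit WEP IV space is exhausted on a busy network in minutes.
"""
import math
import random

WEP_IV_BITS = 24   # WEP: 24-bit IV, 2**24 = 16,777,216 values
WPA_IV_BITS = 48   # WPA/TKIP: 48-bit IV, as compared in the post


def collision_probability(packets, iv_bits):
    """Probability that at least two of `packets` random IVs are equal.
    Birthday approximation 1 - exp(-n(n-1) / (2N)), accurate for n << N."""
    space = 2 ** iv_bits
    if packets < 2:
        return 0.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_probability(p, iv_bits):
    """Smallest number of packets after which a repeat is at least p likely
    (inverse of the approximation above): n ~ sqrt(2N ln(1/(1-p)))."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def expected_packets_to_first_reuse(iv_bits):
    """Mean number of packets until the first repeated IV: sqrt(pi N / 2)."""
    return math.sqrt(math.pi * 2 ** iv_bits / 2.0)


def simulate_first_reuse(iv_bits, rng):
    """Draw IVs uniformly until one repeats and return how many packets that
    took.  Fine for 24-bit IVs (a few thousand draws); a 48-bit IV would need
    on the order of 2**24 draws and as many set entries."""
    seen = set()
    space = 2 ** iv_bits
    while True:
        iv = rng.randrange(space)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


def mean_simulated_first_reuse(iv_bits, trials, seed=0):
    """Average of `trials` simulations, seeded so the result is repeatable."""
    rng = random.Random(seed)
    return sum(simulate_first_reuse(iv_bits, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for bits in (WEP_IV_BITS, WPA_IV_BITS):
        print("%2d-bit IV: 50%% chance of a repeat after %d packets, "
              "first repeat expected near packet %d"
              % (bits, packets_for_probability(0.5, bits),
                 expected_packets_to_first_reuse(bits)))
    print("simulated mean first repeat, 24-bit IV, 20 trials: %.0f"
          % mean_simulated_first_reuse(WEP_IV_BITS, 20))
```

Widening the IV from 24 to 48 bits multiplies the packet count needed for a 50% collision chance by 2^12 = 4096, which is the quantitative content of the post's "substantially greater security" remark.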
The Setup
My wireless network was powered by a Linksys WRT54G v6 wireless router; it is well known that this model is the most widely used wireless router. Out of the box, the Linksys router came with one CD, which was nothing more than a visual step-by-step guide to connecting it.
A few things concern me with this router. There was no part in the setup that allowed me, or even told me, to change my router's default password. To change the password, I had to go into the router's web-based setup utility; this was accessible via the IP address 192.168.1.1 in my Internet browser. The default username and password were both admin. If someone were able to compromise the security on my network, they could easily have done this for me and locked me out of my own network. Sure, I could have performed a hard reset on the router, but I'd have little luck without the Internet or any documentation to help.
If you're looking to find your default username and password, there is quite a comprehensive list located at www.phenoelit.de. My advice is to change this immediately, for it may save you some trouble down the road.
Being my first time, I decided to go easy; I set my router up with a basic WEP 64 encryption; it required a 10 digit hex key. I entered the key into the 2 other computers in my home, and I was ready to start.
Hardware
Out of everything I’ve experienced over the last couple weeks, this was the hardest obstacle, by far. I started with a Dell Latitude C610 notebook with a Linksys WPC54GS Wireless-G notebook adapter (Broadcom chipset) running Windows XP Pro; looking back, it was a bad choice.
When selecting hardware, be warned: not all network cards are equal. It turns out that nearly 99% of the software used to crack network keys is not compatible with notebook cards that have a Broadcom chipset; the ones that were just didn't work.
9 out of every 10 articles I read boasted that the Orinoco Gold PCMCIA network card by Lucent was the absolute best pick and most compatible with all the good software. A trip to eBay and $30 later, I was ready.
The software we will be using is strictly dependent on the chipset of the WNIC, and unfortunately, the operating system. Your best approach would be to research what software you will be using, and then find a card based on the chipset the software is compatible with.
There are many types of chipsets; too many, in fact, to mention. Linux-wlan.org has an unbelievably comprehensive list of WNICs and their corresponding chipset.
All the best programs are made for Linux; Windows is certainly a drag when it comes to WLAN penetration software, but if you don't have Linux, don't be too concerned.
It may be in your best interest to invest in a wireless card that has an external antenna jack. The Orinoco Gold WNIC I purchased has one, but since I’m compromising my own network in a short range, it won’t be necessary.
The Software
There are hundreds of applications you can use to do a variety of things with wireless networks. The largest list of software, that I came across, can be found at Wardrive.net. The term “wardriving” is more commonly used for this practice, and involves driving around neighborhoods to look for wireless networks. I refuse to use this term because that is not what I am doing; I am sitting in my home testing the vulnerabilities of my own network.
Let it be known, that it is not illegal to use software to detect the presence of wireless networks; however, if you crack the network and start “stealing” bandwidth, you could be in a world of trouble. Especially if you’re in Singapore.
Once I received my Orinoco card, I began re-installing software which had not previously worked with my Linksys card. It was a nightmare: Windows XP kept getting in the way, software that had been modded to run on Windows required daunting installation tasks, some programs simply didn't work, and some required special run-time modules to be installed.
After nearly 48 hours of time-wasting, aggravating disappointment, I came across the answer. A small penguin shone a beam of light upon my browser and blessed me; I found Auditor.
(2/6/07 - The link is currently not working, but you can obtain Auditor through any Torrent service.)
Auditor Security Collection is a self booting Linux-based CD that comes pre-loaded with all the best security software for auditing a system. It comes in a .ISO file that can be downloaded from remote-exploit.org; the ISO image file is roughly 649 Mb, and can be burned to a CD or DVD using most CD/DVD writing utilities.
It was truly amazing; a simple check in the BIOS of the laptop to set the boot order to CD/DVD first, a slip of the Auditor CD, and a press of the power button was all it took. I was ready. Be not afraid of this Linux-based CD; everything is laid out in a GUI and all commands have "shortcuts" linking to them on a desktop similar to a Windows environment.
Auditor Security Collection does not touch a single file on your hard drive. All files used and saved in the ASC are stored in your notebook’s RAM; once you remove the CD and reboot, everything is exactly as it was.
Detecting my wireless network
If you’ve come this far, believe me, you’re doing well. The first step is to find the network you want to penetrate. As there are a variety of apps that allow you to do this, we will be focusing in on the 2 most popular: Netstumbler, and Kismet.
Netstumbler is a widely popular tool used for detecting 802.11a/b/g wireless networks. The latest version is Netstumbler 0.4.0, and it will run in Windows XP. For compatible hardware and requirements, you can check the readme on the Netstumbler forums; or you could just try it. I'd like to point out that many sources have said the Linksys WPC54G/S WNIC does not work with Netstumbler; however, I have been able to make it work by launching the program, then removing and re-inserting the WNIC. The Orinoco Gold works fine with Netstumbler.
Kismet does a little more than just detect networks. Aside from providing every detail about a network except the encryption key, Kismet is a packet sniffer and intrusion detection system; we'll get into sniffing packets a little later.
For this demonstration, we’ll be using the pre-loaded Kismet on the Auditor Security Collection. After inserting and booting the Auditor CD, I was ready to make sure everything was working properly.
From this point, the first thing that needed to be done was to ensure the wireless card was recognized by Auditor; to do this, you will have to venture into the dark world of the command prompt. In Auditor, the command prompt can be reached by clicking on the little black monitor icon located at the bottom of your screen.
Simply typing in iwconfig will allow you to see all the wireless extensions configured on the machine. If you see a screen full of data next to wlan0 or eth0, you're ready to continue to the next step; otherwise, you will see a list of "no wireless extensions" messages.
Next, you will need to start the Kismet program. You'll initially be prompted to enter a destination to save data to; you can just select the 'desktop' and continue. When Kismet loads, you will see a black screen with green text showing all the wireless networks within your signal range.
Kismet will give you all the information you need to start cracking. Pressing ’s’ on your keyboard will bring up a ”Sort Network” dialogue box. From there you can press any of the desired sorting methods. This step is important as it allows you to select a particular wireless network on a list to view more details. Select your network with the arrow keys and press enter.
You will then be looking at nearly all your network details such as name, ssid, server IP, bssid, etc… Most are not relevant in this case, but you should write down a few things:
1. BSSID
2. Channel #
3. Encryption method
Pressing 'x' in Kismet will return you to the previous screen. Re-select your target WLAN, then press 'SHFT+C' to bring up a list of clients associated with the access point. Write down the MAC address of all clients, as it will prove useful.
Capturing packets
While you may not have been aware of it, at this point Kismet has also been capturing packets. This is the bread and butter of cracking any wireless encryption; without data to process you have nothing.
Capturing packets, also known as packet sniffing, is the process of intercepting and logging traffic passing over a network. As information is sent and received over your wireless network, the software captures every packet to allow you to analyze and decode it.
Capturing network traffic can be a time-consuming process, especially if it is a slow network. With no one on any computers in my home, I generally capture around 3,000 packets within 5 minutes; with users on the other 2 computers, this number is substantially greater. Don't get confused: it's not the packet itself that we want, but rather the IVs in the packets.
The programs we will be using to sniff packets are Kismet and Airodump (part of the Aircrack suite). We've already touched on Kismet, so let's take a look at Airodump.
Before running Airodump, you must configure your wireless interface to go into ’monitor’ mode; the methods to achieve this require you to go back to the command prompt (konsole).
For most WNICs, you would use the command:
iwconfig <interface> mode monitor
And in some instances you would have to set the channel number on your WNIC to match that of the target access point:
iwconfig <interface> channel #
Note that you will have to replace <interface> with the network interface specific to your machine. Using an Orinoco Gold card, my network interface was eth0; but on most machines it is wlan0 or ath0, so you may have to adjust those commands accordingly. You can find out for sure by simply typing iwconfig.
I should also point out that putting the Orinoco Gold card in ‘monitor’ mode had a different command altogether:
iwpriv eth0 monitor 2 1
Once you're in monitor mode, you're ready to run Airodump. The command used to start Airodump is:
airodump
I searched the Internet for many days, reading articles, gathering information, and participating on message boards and forums. I soon came to the realization that the best way for me to understand the security of my wireless network would be to test it myself. Many sources said it was easy, few said it was hard.
How a wireless network works
A wireless local area network (WLAN) is the linking of 2 or more computers with Network Interface Cards (NICs) through a technology based on radio waves. All devices that can connect to a wireless network are known as stations. Stations can be access points (APs), or clients.
Access points are base stations for the wireless network. They receive and transmit information for the clients to communicate with.
The set of all stations that communicate with each other is referred to as the Basic Service Set (BSS). Every BSS has an Identification known as a BSSID, also known as the MAC address, which is a unique identifier that is associated with every NIC.
For any client to join a WLAN, it should know the SSID of the WLAN; therefore, the access points typically broadcast their SSID to let the clients know that an AP is in range.
Data streams, known as packets, are sent between the Access Point, and it’s clients. You need no physical access to the network or its wires to pick up these packets, just the right tools. It is with the transmission of these packets that pose the largest security threat to any wireless network.
Wireless Encryption
The majority of home and small business networks are encrypted using the two most popular methods:
1. WEP
2. WPA
WEP – Wired Equivalent Privacy – comes in 3 different key lengths: 64, 128, and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively. WEP provides a casual level of security but is more compatible with older devices; therefore, it is still used quite extensively. Each WEP key contains a 24 bit Initialization Vector (IV), and a user-defined or automatically generated key; for instance, WEP 128 is a combination of the 24 bit IV and a user entered 26 digit hex key. ((26*4)+24=128)
WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.
WPA – WiFi Protected Access – comes in WPA and WPA2, and was created to resolve several issues found in WEP. Both provide you with good security; however, they are not compatible with older devices and therefore not used as widely. WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.
To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users simply cannot afford. WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP, which combined with other WEP fixes, allows substantially greater security over WEP.
Packets and IVs
It’s all in the packets. The bottom line is – while you may be able to employ several security features on your WLAN – anything you broadcast over the air can be intercepted, and could be used to compromise the security on your network. If that frightens you, start stringing wires throughout your home.
Every encrypted packet contains a 24 or 48 bit IV, depending on the type of encryption used. Since the pre-shared key is static and could be easily obtained, the purpose of the IV is to encrypt each packet with a different key. For example, to avoid a duplicate encryption key in every packet sent, the IV is constantly changing. The IV must be known to the client that received the encrypted packet in order to decrypt it; therefore, it is sent in plaintext.
The problem with this method is that the Initialization Vectors are not always the same. In theory, if every IV was different, it would be nearly impossible to obtain the network key; this is not the case. WEP comes with a 24 bit IV; therefore, giving the encryption 16 million unique values that can be used. This may sound like a large number, but when it comes to busy network traffic, it’s not.
Every IV is not different; and this is where the issues arise. Network hackers know that all the keys used to encrypt packets are related by a known IV (since the user entered WEP part of the key is rarely changed); therefore, the only change in the key is 24 bits. Since the IV is randomly chosen, there is a 50% probability that the same IV will repeat after just 5,000 packets; this is known as a collision.
If a hacker knows the content of one packet, he can use the collision to view the contents of the other packet. If enough packets are collected with IV matches, your network’s security can be compromised.
The Setup
My wireless network was powered by a Linksys WRT54G v6 wireless router; It is well known that this model is the most widely used wireless router. Out of the box, the Linksys router came with 1 CD which was nothing more than a visual step by step, what you should do to connect it.
A few things concern me with this router. There was no part in the setup that allowed me, or even told me to change my router’s default password. To change the password, I had to go into the router’s web-based setup utility; this was accessible via the IP address 192.168.1.1 in my Internet browser. The default username and password was admin. If someone was able to compromise the security on my network, they could have easily done this for me; and locked me out of my own network. Sure, I could have performed a hard reset on the router, but I’d have little luck without the Internet or any documentation to help.
If you’re looking to find your default username and password, there is quite a comprehensive list located at www.phenoelit.de My advice is to change this immediately, for it may save you some trouble down the road.
Being my first time, I decided to go easy; I set my router up with a basic WEP 64 encryption; it required a 10 digit hex key. I entered the key into the 2 other computers in my home, and I was ready to start.
Hardware
Out of everything I’ve experienced over the last couple weeks, this was the hardest obstacle, by far. I started with a Dell Latitude C610 notebook with a Linksys WPC54GS Wireless-G notebook adapter (Broadcom chipset) running Windows XP Pro; looking back, it was a bad choice.
When selecting hardware, be warned, not all network cards are the equal. It turns out that nearly 99% of the software used to crack network keys are not compatible with notebook cards that have a Broadcom chipset; the ones that were just didn’t work.
9 out of every 10 articles I read boasted the Orinoco Gold PCMCIA network card by Lucent was the absolute best pick and most compatible will all the good software. A trip to E-Bay, $30 later, and I was ready.
The software we will be using is strictly dependent on the chipset of the WNIC, and unfortunately, the operating system. Your best approach would be to research what software you will be using, and then find a card based on the chipset the software is compatible with.
There are many types of chipsets; too many, in fact, to mention. Linux-wlan.org has an unbelievably comprehensive list of WNICs and their corresponding chipset.
All the best programs are made for Linux; Windows is certainly a drag when it comes to WLAN penetration software, but if you don’t have Linux, don’t be too concerned.
It may be in your best interest to invest in a wireless card that has an external antenna jack. The Orinoco Gold WNIC I purchased has one, but since I’m compromising my own network in a short range, it won’t be necessary.
The Software
There are hundreds of applications you can use to do a variety of things with wireless networks. The largest list of software that I came across can be found at Wardrive.net. The term “wardriving” is more commonly used for this practice, and involves driving around neighborhoods to look for wireless networks. I refuse to use this term because that is not what I am doing; I am sitting in my home testing the vulnerabilities of my own network.
Let it be known that it is not illegal to use software to detect the presence of wireless networks; however, if you crack the network and start “stealing” bandwidth, you could be in a world of trouble. Especially if you’re in Singapore.
Once I received my Orinoco card, I began re-installing software which did not previously work with my Linksys card. It was a nightmare; Windows XP kept getting in the way, software that had been modded to run on Windows required daunting installation tasks, some programs simply didn’t work, and some required special run-time modules to be installed.
After nearly 48 hours of time-wasting, aggravating disappointment, I came across the answer. A small penguin shone a beam of light upon my browser and blessed me; I found Auditor.
(2/6/07 - The link is currently not working, but you can obtain Auditor through any Torrent service.)
Auditor Security Collection is a self-booting Linux-based CD that comes pre-loaded with all the best security software for auditing a system. It comes as a .ISO file that can be downloaded from remote-exploit.org; the ISO image file is roughly 649 MB, and can be burned to a CD or DVD using most CD/DVD writing utilities.
It was truly amazing; a simple check in the BIOS of the laptop to set the boot order to CD/DVD first, slipping in the Auditor CD, and a press of the power button was all it took. I was ready. Be not afraid of this Linux-based CD; everything is laid out in a GUI and all commands have “shortcuts” linking to them on a desktop similar to a Windows environment.
Auditor Security Collection does not touch a single file on your hard drive. All files used and saved in the ASC are stored in your notebook’s RAM; once you remove the CD and reboot, everything is exactly as it was.
Detecting my wireless network
If you’ve come this far, believe me, you’re doing well. The first step is to find the network you want to penetrate. As there are a variety of apps that allow you to do this, we will be focusing on the 2 most popular: Netstumbler and Kismet.
Netstumbler - is a widely popular tool used for detecting 802.11a/b/g wireless networks. The latest version is Netstumbler 0.4.0, and it will run in Windows XP. For compatible hardware and requirements, you can check the readme on the Netstumbler forums; or you could just try it. I’d like to point out that many sources have said the Linksys WPC54G/S WNIC does not work with Netstumbler; however, I have been able to make it work by launching the program, then removing and re-inserting the WNIC. The Orinoco Gold works fine with Netstumbler.
Kismet – does a little more than just detecting networks. Aside from providing every detail about a network except the encryption key, Kismet is a packet sniffer and intrusion detection system; we’ll get into sniffing packets a little later.
For this demonstration, we’ll be using the pre-loaded Kismet on the Auditor Security Collection. After inserting and booting the Auditor CD, I was ready to make sure everything was working properly.
From this point, the first thing that needed to be done was to ensure the wireless card was recognized by Auditor; to do this, you will have to venture into the dark world of the command prompt. In Auditor, the command prompt can be reached by clicking on the little black monitor icon located at the bottom of your screen.
Simply typing in iwconfig will allow you to see all the wireless extensions configured on the machine. If you see a screen full of data next to wlan0 or eth0, you’re ready to continue to the next step; otherwise, you will see a list of “no wireless extensions” messages.
Next, you will need to start the Kismet program. You’ll initially be prompted to enter a destination to save data to; you can just select the ‘desktop’ and continue. When Kismet loads, you will see a black screen with green text showing all the wireless networks within your signal range.
Kismet will give you all the information you need to start cracking. Pressing ‘s’ on your keyboard will bring up a “Sort Network” dialogue box. From there you can press any of the desired sorting methods. This step is important as it allows you to select a particular wireless network on the list to view more details. Select your network with the arrow keys and press Enter.
You will then be looking at nearly all your network details such as name, SSID, server IP, BSSID, etc. Most are not relevant in this case, but you should write down a few things:
1. BSSID
2. Channel number
3. Encryption method
Pressing ‘x’ in Kismet will return you to the previous screen. Re-select your target WLAN, then press ‘Shift+C’ to bring up a list of clients associated with the access point. Write down the MAC address of all clients, as it will prove useful.
Capturing packets
While you may not have been aware of it, at this point Kismet has also been capturing packets. This is the bread and butter of cracking any wireless encryption; without data to process you have nothing.
Capturing packets, also known as packet sniffing, is the process of intercepting and logging traffic passing over a network. As information is sent and received over your wireless network, the software captures every packet to allow you to analyze and decode it.
Capturing network traffic can be a time-consuming process, especially if it is a slow network. With no one on any computers in my home, I generally capture around 3,000 packets within 5 minutes; with users on the other 2 computers, this number is substantially greater. Don’t get confused: it’s not the packet itself that we want, but rather the IVs in the packets.
The programs we will be using to sniff packets are Kismet and Airodump (part of the Aircrack Suite). We’ve already touched on Kismet, so let’s take a look at Airodump.
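The reason the IVs, not the packets, are what matters is that WEP sends its 24-bit initialisation vector in the clear, and any two frames that reuse an IV under the same key were encrypted with the same RC4 keystream. The following added example (my own code, not from the original post or from Auditor/Kismet/Aircrack) estimates with the birthday bound how quickly IV repeats appear in a capture of the size quoted above, and audits a constructed list of IVs for reuse; the IV list and the WEP-64 figures are assumptions for illustration.

```python
import math
from collections import Counter

IV_BITS = 24             # WEP initialisation vectors are 24 bits wide
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs, regardless of key length


def iv_collision_probability(packets, iv_bits=IV_BITS):
    """Probability that at least two of `packets` random IVs are equal.

    Standard birthday approximation: 1 - exp(-n(n-1) / (2N)).
    """
    space = 1 << iv_bits
    exponent = -(packets * (packets - 1)) / (2 * space)
    return 1.0 - math.exp(exponent)


def packets_for_collision_probability(prob, iv_bits=IV_BITS):
    """Smallest packet count at which the birthday estimate reaches `prob`."""
    space = 1 << iv_bits
    n = math.sqrt(2 * space * math.log(1.0 / (1.0 - prob)))
    return math.ceil(n)


def find_iv_reuse(ivs):
    """Return {iv: count} for every IV seen more than once in a capture.

    A repeated IV under one key means one RC4 keystream protected two frames,
    which is the weakness an auditor looks for when checking a WEP network.
    """
    return {iv: c for iv, c in Counter(ivs).items() if c > 1}


# Constructed sample capture (not from a real network): IVs as a card that
# counts up from zero would emit them, with two IVs repeated after a reset.
SAMPLE_IVS = [0x000001, 0x000002, 0x000003, 0x000004,
              0x000001, 0x000002, 0x100000, 0x1FFFFF]


def audit_capture(ivs):
    """Summarise IV reuse in a capture and the odds of reuse at this size."""
    return {
        "packets": len(ivs),
        "reused_ivs": sorted(find_iv_reuse(ivs)),
        "birthday_probability": round(iv_collision_probability(len(ivs)), 6),
    }


if __name__ == "__main__":
    # The post reports roughly 3,000 packets in five minutes on an idle network.
    print(f"P(IV repeat after 3000 packets) = {iv_collision_probability(3000):.3f}")
    print(f"Packets for a 50% chance of an IV repeat: "
          f"{packets_for_collision_probability(0.5)}")
    print(audit_capture(SAMPLE_IVS))
```

Note that the estimate is independent of whether the key is 40 or 104 bits; only the IV width matters, which is why a busy network can be audited far faster than an idle one.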
Before running Airodump, you must configure your wireless interface to go into ’monitor’ mode; the methods to achieve this require you to go back to the command prompt (konsole).
For most WNICs, you would use the command:
iwconfig
And in some instances would have to set the channel number on your WNIC to match that of the target access point:
iwconfig
Note that you will have to replace
I should also point out that putting the Orinoco Gold card in ‘monitor’ mode had a different command altogether:
iwpriv eth0 monitor 2 1
Once you’re in monitor mode, you’re ready to run Airodump. The command used to start Airodump is:
airodump