Wireless Security
From ChekMate Security Group
- Calgary WarDrive Map
- Presentation: ChekMate Wireless WEP Cracking Presentation
- HandsOn Training Session - Cracking Wireless WEP - March 7, 2006
- Wireless Quiz 802.11 a/b/g Wireless Quiz
- Tutorial test: Identifying WLAN threats - http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci894995,00.html
- Google Secure Access (Beta): Frequently Asked Questions - Would like to dig into this deeper.
- VirtualWifi Connecting to multiple IEEE 802.11 networks with one WiFi card
- Wireless Security Checklist Version 4, Release 1.1 Just added (posted Jul 25, 2006)
- Wireless Security FAQ's DISA Wireless Security Frequently Asked Questions
Wireless Tools
- Microsoft Windows Wireless Zero Configuration Utility can be enabled when running NetStumbler. (Chronicles Of A Wardriver)
- PISA Workshop - Wireless LAN Security Demo Presentation by PISA from Hong Kong on July 27, 2002
- WLAN Adapter Chipset Directory - See what chipset your network card is. PRISM2 is recommended for best results.
- How To Crack WEP - Part 1: Setup & Network Recon Detailed tutorial
- How To Crack WEP - Part 2: Performing the Crack Detailed tutorial
- How To Crack WEP - Part 3: Securing your WLAN Detailed tutorial
- Kismet is an 802.11 wireless network sniffer - this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area. Kismet works with any 802.11b wireless card which is capable of reporting raw packets (rfmon support), which include any prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards which use the ar5k chipset.
- Home: http://www.kismetwireless.net/
- Kismet on Windows: http://www.renderlab.net/projects/wrt54g/kismetonwindows.html
- Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
- Home: http://www.ethereal.com/
- AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.
- Home: http://airsnort.shmoo.com/
- AirSnort on Windows: http://airsnort.shmoo.com/windows.html
- bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a bsd-based wep cracking application, called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based ap detection application similar to netstumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned ap's and view statistics for each. It also includes a couple other tools to provide a complete toolset for making use of all 14 of the prism2 debug modes as well as do basic analysis of the hardware-based link-layer protocols provided by prism2's monitor debug mode.
- WiStumbler2 is a fork of the original wistumbler, created because the original author could not be reached and development appeared to have stopped.
- Home: http://www.nopcode.org/
- Wireless Access Point Utilities for Unix - a set of utilities to configure and monitor wireless access points under Unix using the SNMP protocol. The utilities are known to compile with GCC and the IBM C compiler and to run under Linux, FreeBSD, NetBSD, MacOS-X, AIX, QNX, OpenBSD.
- WifiScanner is a tool designed to discover wireless nodes (i.e., access points and wireless clients). It is distributed under the GPL License. It works with CISCO® cards and prism cards with the hostap driver or wlan-ng driver. An IDS is integrated to detect anomalies such as MAC usurpation.
- WepLab is a tool designed to teach how WEP works, what vulnerabilities it has, and how they can be used in practice to break a WEP-protected wireless network. So far, WepLab is more a WEP security analyzer designed from an educational point of view than a WEP key cracker. The author has tried to leave the source code as clear as possible, avoiding optimizations that would obfuscate it.
- Wepdecrypt is a wireless LAN tool written in C that guesses WEP keys based on an active dictionary attack, key generator, distributed network attack and some other methods. It is based on wepattack and is GPL licensed.
- Home: http://wepdecrypt.sourceforge.net/
- WEPCrack is an open source tool for breaking 802.11 WEP secret keys. This tool is an implementation of the attack described by Fluhrer, Mantin, and Shamir in the paper "Weaknesses in the Key Scheduling Algorithm of RC4".
- Wellenreiter is a GTK/Perl program that makes the discovery and auditing of 802.11b wireless networks much easier. All three major wireless cards (Prism2, Lucent, and Cisco) are supported. It has an embedded statistics engine for the common parameters provided by wireless drivers. Its scanner window can be used to discover access points, networks, and ad-hoc cards. It detects ESSID-broadcasting or non-broadcasting networks on every channel. Non-broadcasting networks can be uncovered automatically. The manufacturer and WEP are detected automatically.
- Prismstumbler is a wireless LAN (WLAN) discovery tool which scans for beacon frames from access points. Prismstumbler operates by constantly switching channels and monitoring any frames received on the currently selected channel.
- Mognet is a free, open source wireless ethernet sniffer/analyzer written in Java. It is licensed under the GNU General Public License. It was designed with handheld devices like the iPaq in mind, but will run just as well on a desktop or laptop.
- Home: http://node99.org/
- MacStumbler is a small utility I wrote to emulate the functionality of projects like netstumbler, bsd-airtools, and kismet. It's meant purely for educational or auditing purposes, although many people enjoy using these types of programs to check out how many networks are in their area, usually known as war driving.
- KisMAC is a free stumbler application for MacOS X, that puts your card into the monitor mode. Unlike most other applications for OS X we are completely invisible and send no probe requests. KisMAC supports third party PCMCIA cards with Orinoco and PrismII chipsets, as well as Cisco Aironet cards.
- Garuda is an intrusion detection system against wireless threats. It is a progressive proof of concept project to ward off wireless threats such as war-drivers, rogue AP, wifi DoS and MAC spoofing attacks.
- Fake AP Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
- WPA Cracking Proof of Concept Available
- We warned you: short WPA passphrases could be cracked—and now the software exists: The folks who wrote tinyPEAP, a firmware replacement for two Linksys router models that has on-board RADIUS authentication using 802.1X plus PEAP, released a WPA cracking tool.
- WEP Packet Fragmentation Attack
- Research Paper: http://www.cs.ucl.ac.uk/staff/M.Handley/papers/fragmentation.pdf
- Tool (FreeBSD/Atheros dependent): http://www.cs.ucl.ac.uk/staff/a.bittau/frag-0.1.tgz
Tutorials
- Securing WLAN Technologies Secure Configuration Advice on Wireless Network Setup by Gunter Ollmann
- A War Driving Experience - Part I: The Results - Several hours driving around and some analysis provide some interesting data that show how we’re doing when it comes to Wi-Fi security. (Wi-Fi Planet)
- Explaining Wi-Fi Authentication and Encryption - A curious reader — eager to understand how wireless encryption and security works — runs two scenarios by our columnist. Read on to find out if logical assumptions pan out in the world of Wi-Fi. (Wi-Fi Planet)
- Your SSID Isn’t Hidden Forever - Don’t let the disabling of SSID broadcasting give you a false sense of security. Learn what really happens. (Wi-Fi Planet)
- Windows Wireless Zero Configuration: Five Steps to Sanity - Windows wants to help you get on a Wi-Fi network, but many times, it just gets in the way. Here's how to work around, if not bypass, XP's WLAN connection software. (Wi-Fi Planet)
- Just Filtering Your MAC Won't Do Jack - In addition to running MAC filtering, you need to add multiple security layers to protect your wireless network. (Wi-Fi Planet)
- Make Your Wi-Fi Network Cover Your Larger Digs - Can a router that has been providing wireless Internet access to every room in a one-floor apartment adjust to life in a three-floor townhouse? We offer some pointers to make it work. Plus, why won't your boss's notebook connect to a wireless network? (Wi-Fi Planet)
- Wireless Hackers 101 - What they do, how they do it, and what you can do about it. (Wi-Fi Planet)
- Troubleshooting Poor WLAN Performance - Sooner or later, you'll need to check on performance issues in your Wi-Fi network. Learn how to pinpoint root causes, and what solutions to implement. (Wi-Fi Planet)
- So You Want to Be a Hotspot - Making your small business a Wi-Fi hotspot can be a great boost to customer satisfaction and profits. (Wi-Fi Planet)
- Making a Case for Wireless Networks - Some small businesses — especially those concerned with compliance, confidentiality and liability issues — are still reluctant to trust wireless networks. In this week's column, we help a network manager at a small law firm go extreme with wireless security. (Wi-Fi Planet)
- Hotrod Your Linksys WAP with Linux (Part 3) - Those little, blue consumer-grade WAPS make nice experimental Linux boxes. This week we cover setting up DNS and DHCP services. (Wi-Fi Planet)
- Setting Up WEP data encryption with OTC Wireless products
- Magoo's Wise Words - Guide to Wireless Networking This article is intended for the home or small office user. Magoo's focus is making things easy to set up and educating readers on wireless security. Business users requiring higher security should consider setting up wireless authentication through a RADIUS server and using a VPN to further encrypt wireless connections.
- WPA Cracking (Author: Digi) Cracking The WPA using Auditor Security Collection (auditor-150405-04) Flash (14.81 Megs)
- Void11 Mass De-Authentication - (Author: Digi) Mass De-Authentication using void11 and Auditor Security Collection (auditor -06-05-rc3) Flash (16.5 Megs)
- 128 Bit Wep cracking - (Author: Digi) Cracking a 128 bit WEP key using Auditor Security Collection (auditor-150405-04) Flash (51 Megs)
- Wireless Security - Protocols & Cryptography




