Intruder in my wireless network? / intrusion detection programs

No offense, but that's dangerously naive and complacent. WEP can be easily and quickly hacked with tools readily available on the Internet, as I've shown here previously, and anyone hacking into your wireless has bypassed any firewall in your router. Use WPA with a strong passphrase.

Reply to
John Navas

That's somewhat like saying, we're all going to die anyway, and the risk is low, so why not smoke? Or not wear a seatbelt.

Indeed, and it's not terribly hard, so not doing it makes no sense.

That's hard, if not impossible, to say with any real certainty -- experts agree that the great majority of intrusions go undetected. Even though my own security is very robust, I would only say that I don't *think* it's ever happened to me.

Likewise, but only because I have very robust security.

Since WEP is pretty much worthless, I personally think WPA should always be used with a strong passphrase. Since it takes only a small amount of effort to generate and use a truly strong passphrase (e.g., seven or more diceware words), it makes no sense to set the bar lower ("reasonable secure").


Level 1: Home and SOHO WLAN security

Unfortunately, many home users are either using some old equipment, old drivers, or older operating systems that don't natively support WPA so they are still using WEP if anything at all. WEP encryption was thought to be good for a week for most light traffic home wireless networks because the older WEP cracking tools needed 5 to 10 million packets to recover a WEP key, but the newest WEP cracking techniques can break WEP in minutes. Even if there isn't that much traffic, the attacker now has ways to artificially generate traffic and accelerate WEP cracking. Because of this, consumers should avoid any product that doesn't support WPA TKIP mode at a minimum but preferably WPA AES capable or WPA2 certified devices. If they have WEP only devices, check with the vendor to see if there are any firmware and/or driver updates that will upgrade the device to WPA mode. If not, anyone who cares about privacy should throw out those devices. As harsh as that may sound, it is comforting to know that newer Access Points and Client Adapters that do support WPA can be purchased for as little as $30. Client side Wireless LAN software (officially known as Supplicants) also need to be updated to support WPA or WPA2. Windows XP SP1 with the WPA patch can suffice, but Windows XP SP2 is highly recommended.

Reply to
John Navas

Since you can't prove a negative, and since the risk is quite real, it makes no sense to argue that the risk can be safely ignored, as you have.

Different issue that has nothing to do with wireless security.

I've taken a serious look, and know the risk to be very real.

"FBI Teaches Lesson In How To Break Into Wi-Fi Networks"

Millions of wireless access points are spread across the US and the world. About 70% percent of these access points are unprotected -- wide open to access by anyone who happens to drive by. The other 30% are protected by WEP (Wired Equivalent Privacy) and a small handful are protected by the new WPA (Wi-Fi Protected Access) standard.

At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys.

This article will be a general overview of the procedures used by the FBI team. A future article will give step-by-step instructions on how to replicate the attack.

WEP Cracking - The Next Generation

WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.

Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV) is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in the encrypted frame's header, and is transmitted in plain text.

Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets--a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.

Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!" ...

After about three minutes of capturing and cracking, the FBI team found the correct WEP key, and displayed it on a projected notebook screen. Agent Bickers, still speaking to the audience, turned around, looked at the screen and was surprised, "Usually it takes five to ten minutes."

Reply to
John Navas

You assume way too little. These cracking tools and easy-to-follow scripts on how to use them are readily available and heavily downloaded.

Experts agree that the great majority of intrusions go undetected. In other words, you can safely assume from the lack of such stories that there's no risk.

Reply to
John Navas

In fact they are readily available and easy to use. No special knowledge is needed. I know because I've actually checked them out. Have you? If not, how can you justify making such flat statements?

That means nothing, since the great majority of intrusions go undetected, and that certainly isn't enough to rely on in the face of evidence of how easy it is in any event.

I've shown you real world smoke: neatly packaged and documented tools for easily cracking WEP in minutes that are being heavily downloaded. Do you really think this is all just for harmless "education"?

Nothing -- I'm talking about strong encryption of email. For starters, I use SSL when communicating with my email service, and strong encryption on messages when that is warranted.

That's NOT a safe assumption -- the great majority of intrusions go undetected.

Even when intrusions are detected, businesses aren't about to disclose them if they don't have to.

Again, that's not a safe assumption. Experts agree that it's a very real threat. How would you feel if a story appeared (say) tomorrow? Even if it hasn't happened previously, that's no guarantee that it won't happen in the future. Taking unnecessary risks that have been shown to be real when good security is so cheap and easy is just plain dumb.

  • WEP can be cracked in minutes, and thus shouldn't be relied on.
  • WPA is better, but only if a strong passphrase is used, since it's vulnerable to offline attack.
Reply to
John Navas

Doh! You are, of course, right. I know I've been hacked over a wired connection, but I haven't detected such an attempt over the wireless.

Actually, I wasn't thinking WPA vs WEP, I was thinking WPA vs VPN. I'm not sure what I had planned to write there, but any time you see me end a sentence without a period, you can be pretty sure I got distracted. :-) I'm pretty sure I went looking for his exact examples of overkill - I don't think you need to go so far as Diceware, but it doesn't hurt either.

Reply to
Derek Broughton

rico snipped-for-privacy@hotmail.com (Rico) hath wroth:

There's a reason that they're all Linux based. The Windoze drivers disable promiscuous and monitor modes on most wireless cards. This is intentional and designed to prevent passive sniffing. Only a few wireless cards and drivers (and versions) have a useful promiscuous mode under Windoze. However, all Linux drivers support these modes and are therefore more useful for sniffing.

It doesn't matter much for WEP cracking. Once the SSID is identified, the WEP cracker can do its thing without promiscuous mode. It's only needed to do passive sniffing for finding the SSID (as in Kismet).

As for knowledge of known WEP cracking and breakins.... I used to do quite a bit of network "instrumentation" which is basically network monitoring with various SNMP based tools. Many of these networks have expanded into wireless and have applied the same monitoring tools to the wireless network. It's quite easy to spot WEP or WPA cracking attempts by the number of DEAUTH packets. Normal traffic will have a DEAUTH only at the end of a session. More often, there won't even be one as the user just closes their laptop, goes into hibernate, and disappears. WEP and WPA crackers generate thousands of DEAUTH packets which are easy to spot. Note that you only see these type of management packets over the air and therefore require a wireless sniffer AP to do the monitoring.

When I set up monitoring originally, I was getting far too many DEAUTH packets. I thought my scripts were broken. Nope. There were two unoccupied cars in the company parking lot, running scripted tools, looking for SSIDs, and running automated crack sessions. Since the wireless was on its own separate network, I decided to do something stupid, and switched one of the APs from WPA-RADIUS to WEP-128. The DEAUTH packets continued for about 45 minutes and suddenly stopped. OK, they found the key and have moved on to attacking someone else.

About 4 days later, on a Saturday evening, I got a call from IT indicating that security had spotted someone near the parking lot playing with a dish antenna. I identified the car as one of the two that were in the parking lot the previous week doing the cracking[1]. The car took off before anyone could find out what they were doing or expected to find. The security camera photos were lousy as usual.

After getting yelled at by everyone in IT and management, and doing a marginally successful job of trying to convince them that there was no risk in changing the encryption, I promised to not do that again. Despite having the license numbers, they decided not to pursue legal action.

I just ran a very quick and very sloppy check of the last 2 days worth of capture log summaries for this customer. Large numbers of DEAUTH packets lasting as long as an hour, usually during working hours. Multiple probe request packets (Netstumbler, etc) almost continuously during the day tapering off to a few at night. There is some nearby student housing, which is probably the main source.

I have a few more such monitoring stories, but they're less dramatic.

If there are no "known" breakins, why are they trying so hard?

[1] I found them with Wi-Spy and the salad bowl dish antenna. Trying to play direction finder in the middle of a highly reflective parking lot was not easy. I ended up just walking through the lot looking for the strongest signal.
Reply to
Jeff Liebermann
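Added example (not the poster's code): a small detector for the DEAUTH pattern described above, run over a constructed capture summary. The log format, BSSIDs, one-minute window and threshold of 50 are assumptions; a normal session ends with at most one DEAUTH, so a burst of hundreds against one BSSID is the signal worth alerting on.

```python
"""Flag deauthentication floods in an 802.11 management-frame log summary."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real capture data): timestamp, frame subtype,
# BSSID and destination, as a monitor-mode sniffer AP might summarise them.
BASELINE = [
    "2006-03-04T09:15:00 subtype=probereq bssid=ff:ff:ff:ff:ff:ff dst=ff:ff:ff:ff:ff:ff",
    "2006-03-04T17:30:00 subtype=deauth bssid=00:11:22:33:44:55 dst=aa:bb:cc:00:00:09",
]
# A flood: 300 deauth frames against one BSSID in 30 seconds, the kind of
# burst a tool forcing clients to re-associate produces (constructed).
FLOOD = [
    f"2006-03-04T10:00:{i // 10:02d} subtype=deauth bssid=00:11:22:33:44:55 dst=aa:bb:cc:00:00:01"
    for i in range(300)
]
SAMPLE_LOG = "\n".join(BASELINE[:1] + FLOOD + BASELINE[1:])


def parse_line(line):
    """Turn 'TS key=val key=val ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def deauth_floods(log_text, window=timedelta(minutes=1), threshold=50):
    """Return {bssid: peak deauth count inside any `window`} for BSSIDs at or over threshold."""
    per_bssid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["subtype"] == "deauth":
                per_bssid[rec["bssid"]].append(rec["ts"])
    alerts = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


if __name__ == "__main__":
    for bssid, n in deauth_floods(SAMPLE_LOG).items():
        print(f"ALERT: {n} deauth frames within one minute against {bssid}")
```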

It's worth pointing out that, say, Fedora Core is as easy to install as Windows, and requires no knowledge of vi, let alone sed, awk or perl. Heck, you can even install samba and configure it through a GUI these days.

Reply to
Mark McIntyre

Well, to be fair, you first have to be bothered to download a CD ISO. Then you have to be bothered to burn it to a bootable CD (and you have to own s/w to do this), and then you have to learn how to use Linux enough to get it working.

Reply to
Mark McIntyre

Please feel free to quote where I have said ignore the risk and do nothing. (Use google if needed)

fundamentalism, fundamentally wrong.

Reply to
Rico

What college campus do you live near?

fundamentalism, fundamentally wrong.

Reply to
Rico

Bet if you actually look you can find criminal cases where people have 'broken' into unprotected wireless networks. Key here being unprotected.

fundamentalism, fundamentally wrong.

Reply to
Rico

Then how do you account for the cases where people have been caught in unprotected networks:

fundamentalism, fundamentally wrong.

Reply to
Rico

Ask your mom to do this

fundamentalism, fundamentally wrong.

Reply to
Rico

If it is so trivial, Windows sales to the home user should be about zero.

fundamentalism, fundamentally wrong.

Reply to
Rico

Hmm, aren't you in the computer biz, are you suggesting that makes you typical? Really?

fundamentalism, fundamentally wrong.

Reply to
Rico

Tada

I don't think they are; most of this stuff is just 'proof of concept'. Someone did it in a lab, so let me write some code...

I'm not suggesting you can't do this, but the typical guy in Best Buy on any given Saturday?

fundamentalism, fundamentally wrong.

Reply to
Rico

The sun could easily explode, but it hasn't and is unlikely to anytime soon. Where is that news story?

fundamentalism, fundamentally wrong.

Reply to
Rico

What do you want to bet that had you been able to find one, John or not, you would have shared the link?

Relieved to hear that, hope it stays that way (unless YOU decide to open your router)

My point, just basic security, but even here, I just don't see the neighbors going after your AP with some sort of brute force attack. What's to gain from the effort?

It has, from within the network or someone penetrated the firewall on your internet connection (the other side of the WAP)? Also please quote where I suggest doing nothing. (use google groups if needed)

Probably would work and would just act as a target for vandalism, but set a (cheap) trash can out for them to use. As I said likely won't work, but maybe...

fundamentalism, fundamentally wrong.

Reply to
Rico

And yet, we can easily find links showing where smoking or not wearing seatbelts leads to early demise, but not a breached home network with just a modicum of security enabled (WAP).

fundamentalism, fundamentally wrong.

Reply to
Rico
