Questions re WEP encryption

I have a linksys (model: BEFW 11S4) router. I want to enable WEP encryption. I have a desktop which is 'wired' to the router. I have a laptop that is wireless.

I realise I have to generate an encryption key but will I have to do anything to my desktop machine since it is connected by wire? (Is the wired connection referred to as an 'ethernet' connection?).

Thanks in advance, David

-- David Todtman

No, WEP is just that: wireless encryption. The wired connection, ethernet, is not encrypted.

-- mike vore

"David Todtman" hath wroth:

No. The desktop is unaffected. The WEP encryption is only for the wireless part of the puzzle, not the wired.

If you must use WEP (the BEFW11s4 only supports WEP) be sure to use the generated Hex key, not the ASCII key. There are different algorithms for converting from ASCII to Hex for generating keys. There's no guarantee that the method used on the BEFW11S4 matches the method used on your wireless laptop card.

-- Jeff Liebermann

Thanks Jeff and Mike.

Can you tell me why the router generates a key from a passphrase. I am thinking that if you don't want somebody to determine your key, you'd want to start with an unguessable passphrase. The best unguessable passphrase would be a long random string.

So why can't I just use the random string as a key and bypass the passphrase altogether? (I.e., enter the random string in the "key" field in the WEP setup page.)

TIA, David Todtman

-- David Todtman

"David Todtman" hath wroth:

Sure. The actual key that gets used for encryption is Hex. Well actually it's binary, but I don't want to confuse things even more. The theory was that mortal users and non-geeks don't converse well in Hexadecimal, unless you happen to have 8 fingers on each hand. So, to make things easy for the customers, the vendors added a "key generator" that creates the Hex key from an ASCII text string. The problem was that everyone had the same idea roughly at the same time, but since there were no standards, everyone did it differently.

See [formatting link] for a sample output.

True. However, for WEP it doesn't matter. WEP is so insecure that an attacker can recover your WEP key from over the air packets in about 3-10 minutes. One of several WEP key recovery tools: [formatting link]. WEP is useless for security.

You can and should use random rubbish for keys. I'm not an expert on key generation. See the wireless security section of the FAQ at [formatting link] for details. If you're serious about security, or suspect you may have a problem, then I strongly suggest you abandon WEP and switch to WPA-PSK, which is currently uncrackable with >20 character non-trivial keys.

-- Jeff Liebermann
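To make Jeff's point concrete, here are the two passphrase-to-key conversions that were most widely copied in consumer gear of that era, written up as an added example (this is not code from the thread, and the page does not say which generator the BEFW11S4 or any particular card actually uses, so treating these as "the" Linksys algorithm is an assumption). The 40-bit generator folds the passphrase into a 32-bit seed and runs a linear congruential generator; the 104-bit generator hashes the passphrase with MD5. Same passphrase, two unrelated keys, which is exactly why you type the hex into both ends. The example also shows why the 40-bit generator is weak even with a good passphrase: the top byte of the seed never reaches the key bytes, and ASCII input zeroes one bit of each remaining byte, leaving 21 effective bits. Passphrases and constants below are my choices.

```python
"""Passphrase-to-WEP-key generators (added example; assumptions noted in comments)."""
import hashlib

# LCG constants of the widely copied 40-bit generator (commonly credited to Neesus Datacom).
# Assumption: this is the scheme the router in the thread uses; the page does not say.
LCG_MULT = 0x343FD
LCG_INC = 0x269EC3
MASK32 = 0xFFFFFFFF


def wep40_seed(passphrase):
    """Fold the ASCII passphrase into a 32-bit seed: byte i is XORed into seed byte i % 4."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << (8 * (i & 3))
    return seed


def wep40_keys_from_seed(seed):
    """Step the LCG 20 times; bits 16..23 of each state become one key byte (4 keys x 5 bytes)."""
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * LCG_MULT + LCG_INC) & MASK32
            key.append((seed >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def wep40_keys(passphrase):
    """40-bit ("64-bit WEP") generator: four 5-byte keys from one passphrase."""
    return wep40_keys_from_seed(wep40_seed(passphrase))


def wep104_key(passphrase):
    """104-bit ("128-bit WEP") generator: MD5 of the passphrase repeated to 64 bytes, first 13 bytes."""
    data = passphrase.encode("ascii")
    buf = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(buf).digest()[:13]


def high_seed_byte_is_irrelevant(seed):
    """Keyspace collapse in the 40-bit scheme.

    The LCG is arithmetic mod 2^32, so bit k of each new state depends only on bits 0..k of
    the old state. Key bytes are taken from bits 16..23, so seed bits 24..31 can never
    influence any key byte. ASCII input (< 0x80) also forces bit 7 of seed bytes 0..2 to 0.
    32 - 8 - 3 = 21 effective bits, whatever the passphrase looks like.
    """
    return wep40_keys_from_seed(seed) == wep40_keys_from_seed(seed ^ 0xFF000000)


if __name__ == "__main__":
    for phrase in ("linksys", "correct horse battery"):      # constructed sample passphrases
        print("%r: 40-bit key 1 = %s   104-bit key = %s"
              % (phrase, wep40_keys(phrase)[0].hex(), wep104_key(phrase).hex()))
    print("top seed byte ignored by 40-bit generator:", high_seed_byte_is_irrelevant(wep40_seed("linksys")))
```

Run it with two passphrases and you get four 10-hex-digit keys from one scheme and one 26-hex-digit key from the other; the first five bytes of the 104-bit key bear no relation to the 40-bit key 1, so a card that picks the "other" generator simply will not associate.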

Well thank you for explaining key generation.

And, re WEP: YIKES!

I just went to linksys and had a chat with a tech: my router does not support WPA (and no firmware upgrade that supports it either). Guess it's time for a trip to the store.

-- David Todtman

Another question: my daughter has a DSL connection, a desktop, and no laptop (wireless device). She uses a software firewall but I think a nat router would be better. If she used my old (non WPA) router simply as a hardware firewall would there be a security issue from someone detecting her router signal? I guess an intruder could steal the signal and surf the net from her ip address. That could be bad if their activity was nefarious and authorities attributed it to her. Could the intruder get access to her desktop, assuming no or inadequate encryption?

Best, David

-- David Todtman

"David Todtman" hath wroth:

Each have their place. Some software firewalls (i.e. ZoneAlarm, Kerio, Norton, McAfee, etc) control traffic both going in and going out. If her machine catches a worm or spyware, the software firewall will usually ask if it's OK to send something to some destination. The hardware firewall won't do that.

On the other foot, the hardware firewall has other features that are useful. A DHCP server, NAT (network address translation) for connecting more than one client computah, IP port redirection for remote access, etc.

No. I frequently sell and install wireless routers to users that do not have any wireless devices simply because there's very little price difference between commodity wired and wireless routers. If they ever plan to add a laptop, wireless is quite useful. On installation, I disable the wireless section so there's no signal. I think that's what you're asking. (I also enable remote administration so that I can turn on the wireless easily as the necessity seems to always happen at an inconvenient time).

Once an intruder is on the LAN side of the firewall, the only limit to what they can do is controlled by the software firewall on the client computers. This is why many people run BOTH a hardware firewall and a software firewall. Unfortunately, many people (including me) are rather sloppy with their internal LAN security, and any intrusion via wireless would be fatal or messy. Just disable the wireless.

-- Jeff Liebermann

Jeff Liebermann hath wroth:

(blah-blah-blah)

I forgot to mention one item. The BEFW11S4 really is a piece of junk. I have a BEFW11S4 v4 at home. I inherited it from a customer who wanted something more reliable. It hangs all the time. It also is susceptible to various exploits and attacks from the internet. Go to [formatting link] and run the exploits test. My BEFW11S4 v4 hangs on 2 of the tests. I forgot which ones but I think targa3 is one of them. Methinks it's best to do some testing before you pass on a potential maintenance headache to your daughter.

-- Jeff Liebermann

: Introduction
:
: AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys.
: AirSnort operates by passively monitoring transmissions, computing the
: encryption key when enough packets have been gathered.
:
: [...]
:
: AirSnort requires approximately 5-10 million encrypted packets to be
: gathered. Once enough packets have been gathered, AirSnort can guess the
: encryption password in under a second.

So how will an attacker get 5 - 10 million encrypted packets in 3 - 10 minutes?

-- Axel Hammerschmidt

On Fri, 30 Jun 2006 21:19:18 +0200, "Axel Hammerschmidt" wrote in :

Use deauthentication and packet replay attacks to stimulate the generation of wireless traffic.

-- John Navas

"Axel Hammerschmidt" hath wroth:

Actually, it currently takes far fewer packets. What AirSnort and others look for are unique IV (initialization vector) packets also known as "interesting" packets. The rest are discarded. Under normal traffic conditions, these interesting IV's are fairly sparse. It would take about 1GBloat of captured data to obtain a sufficient number of these to deduce the WEP key.

However, that was last year. This year, someone figured out that if they spray deassociate or deauthenticate frames at the access point, the AP will either assume that a connection is being initialized and send a new IV, or assume that a connection is being disconnected, and send a new IV in the next packet. Either way, this method can generate the necessary number of IV's in a very short time.

As an added bonus, because neither deassociate nor deauthenticate frames are logged or show up on the ethernet side of the wireless bridge, most intrusion detection software never sees it happen.

This is a bit dated but still relevant:
| Wireless Hacking: Breaking Through: [formatting link]
| Shopping list of WEP cracking tools: [formatting link]
| How to Crack WEP, Part 1 (9 pages): [formatting link]
| How to Crack WEP, Part 2 (12 pages): [formatting link]
| How to Crack WEP, Part 3 (7 pages): [formatting link]

-- Jeff Liebermann

Can you give some plausible explanation as to how that would give the attacker 5 - 10 million encrypted packets in 3 - 10 minutes?

And a packet replay attack does expose the attacker.

-- Axel Hammerschmidt

How short time? Can you do the numbers? Do you have a ref for this?

And the routers/APs log...?

I didn't find anything new in the links you provided. Can you be more specific?

-- Axel Hammerschmidt

On Fri, 30 Jun 2006 23:14:51 +0200, "Axel Hammerschmidt" wrote in :

Under 10 minutes.

-- John Navas

"Axel Hammerschmidt" hath wroth:

3-10 minutes. The FBI did a public demo of how easy it was to do:
| [formatting link] (5 pages)
When I've tried it with a random wireless network, it usually takes me 10-15 minutes. The FBI was lucky. Much of what I explained is also in the above article.

The generic bottom of the line wireless router's log output does not show failed associations or deauthentications. Even my Linux wireless routers, with syslog cranked up to maximum logging level, don't show anything. SNMP on some access points does have a counter for failed association and failed authentication attempts, so these can be monitored. There are also some other clues, which I'm not interested in posting.

How new would you like my information? If you want the latest, check the various security specific web sites and mailing lists.

No, I don't want to be more specific. I'm not interested in writing a tutorial on cracking WEP or publicly disclosing any new exploits.

Can you be more specific as to what you're trying to accomplish and why you're apparently pumping me for hacker detection details?

-- Jeff Liebermann

Good old Toms Networking! I find that article a bit vague about where the 3 minutes come from. Seems to me the author is referring to the PP presentation.

Looking at the ref [formatting link], it says there that aircrack needs over 500,000 "encrypted packets with unique IVs, not total packets". That certainly takes more than 3 - 10 minutes.

There's very little explained in the Toms article. Could you be a little more specific about what takes you 10 -15 minutes?

Well, it does state in the Toms Networking article:

: In most cases, however, an active attack or series of attacks are
: needed to jump start the process and produce more packets. Note that
: active attacks generate wireless traffic that can itself be detected
: and possibly alert the target of the attack.

and

: The FBI team used the deauth feature of void11 to repeatedly
: disassociate the laptop from the access point. Desired additional
: traffic was then generated as Windows XP tried to re-associate back to
: the AP. Note that this is not a particularly stealthy attack, as the
: laptop user will notice a series of "Wireless Network unavailable"
: notifications in the taskbar of their desktop screen.

This seems to c
: In part one we examined the latest generation of passive WEP cracking
: tools that use statistical or brute force techniques to recover WEP
: encryption keys from captured wireless network traffic. This time, in
: the second and final article, we take a look at active tools that use
: 802.11 transmissions to attack WEP networks.
:
: All of these active wireless attack techniques discussed in this
: article require the ability to inject arbitrary packets onto a
: wireless network. Although a variety of injection methods are
: available, most require Linux, are unsupported, and use hacked drivers
: that have support and availability problems. All of them require at
: least one wireless PCMCIA card based on the Prism2 chipset (such as
: the Senao 2511-CD-PLUS). Fortunately, the Auditor Security Collection
: [ref 1] live cd-rom can save you a number of headaches as it includes
: ready-to-use drivers for several active attack tools.
:
: Beware of network disruptions that can be caused by active attacks.
: Using these tools may have unpredictable effects in various
: environments. In my testing, I have encountered a few systems that had
: to be rebooted in order to function again after being bombarded with
: injected packets.

And this also seems to contradict what you were claiming.

That's up to you.

Like I say, it's entirely up to you if you want to substantiate your claims.

You have discovered new exploits?

All I'm doing is giving you the opportunity to substantiate your claims.

-- Axel Hammerschmidt

snipped-for-privacy@hotmail.com (Axel Hammerschmidt) hath wroth:

Please read the first page of the article. There were two agents giving the presentation. One was giving a power point presentation explaining what was happening, while the other was running the live demo with a pair of laptops and a Netgear AP. Deauthentication frames were generated by void11. The output was captured by Airodump/AirCrack. Airsnort did the decoding. Aireplay was also used to replay captured ARP packets. Runtime was 3 minutes. It's all in the article.

Keep reading the above URL starting with the "How Long Does It Take" section which notes: I often find that aircrack determines a WEP key within a few seconds, but the execution time is highly variable.

Using 256bit payloads, at 11Mbits/sec, an attacker can generate about 10,000 packets per second. If all the packets were "interesting", the decode would take 5 seconds. However, that's not realistic as only a few packets are sufficiently "interesting" to be useable.

The exact method is explained in the 3 part article I previously posted. As I indicated, I'm not interested in writing a tutorial on WEP cracking for your benefit.

I think that's roughly what I said. If the AP owner was specifically looking for deauth or deassoc attacks, then it is possible to detect the traffic. At this time, I know of no commodity access points that can do that. The ones with SNMP features are a bit better because they can detect and log unusual errors.

I should point out that even if there were a way to detect an attack, there's little that can be done about it. One could shut down the AP if an attack is detected, but that would just turn it into a denial of service exploit. The only effective method would be make it part of an IDS (intrusion detection system) which would drop excessive packets that are part of known exploits.

Well, of course. Sending deassoc and deauth frames will show up as a lost connection. However, many wireless systems are sufficiently flaky that such messages are all too common and will probably be ignored. After 3 minutes of pounding on an AP, service will be magically restored, so chances are high that an unsophisticated user will miss the implications, especially since a microwave oven or cordless phone can cause the same effect.

I also said that nothing shows up in the log files and that's still the case.

Same here. I was able to erratically lockup wireless routers and access points with my testing. For entertainment, you might try running a router exploits test on commodity hardware: [formatting link]. I know of at least 2 common routers that will hang on one or more of these exploits.

Hanging the wireless router or AP is of course a bad idea. If anything, it might prevent the completion of the attack. However, I've found that most home users and coffee shops have simply become used to having the box hang erratically. They usually curse the manufacturer for selling junk hardware, power cycle the router, and continue working. An unusual number of hangs would probably precipitate a repair job or warranty issue, but not a suspicion of an attack.

Nice try. I chose not to be pumped for security related information. When the problems are fixed (in firmware), then I'll discuss how they work, how they're detected, and how to "test" the security.

No. I've discovered a way of detecting some exploits. I'm NOT a security expert and may be either duplicating someone else's work, or am simply wrong. Either way, it's not for general consumption.

That doesn't answer my question. What are you trying to accomplish by having me substantiate my claims? If you find that my time to decrypt is in error, you can always try it yourself and obtain your own numbers.

-- Jeff Liebermann
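Jeff's two points above, that deauth/disassoc frames never reach the ethernet side or the router's syslog (his earlier reply on how the IVs get generated) and that the only real option is an IDS watching the air for them (his reply just above), come down to one thing: somebody has to put a card in monitor mode and count management frames. This is an added example, not code from the thread or from void11/aireplay, of what that counting looks like. It parses bare 802.11 management frames (assumption: radiotap/PRISM headers already stripped, no FCS), picks out deauthentication (subtype 12) and disassociation (subtype 10), and raises one alert when a claimed sender exceeds a sliding-window threshold. The capture it runs over is constructed inline: beacons, one legitimate deauth from a client that is leaving, then a burst of broadcast deauths spoofing the AP's address. MAC addresses, window size and threshold are made up.

```python
"""Deauth/disassoc flood detector over raw 802.11 management frames (added example)."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = b"\xff" * 6
# Management header: frame control, duration, addr1 (dst), addr2 (src), addr3 (BSSID), seq ctl.
MGMT_HDR = struct.Struct("<HH6s6s6sH")


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_mgmt_frame(subtype, dst, src, bssid, seq, body=b""):
    """Assemble a bare management frame (protocol version 0, no flags). Used to construct samples."""
    fc = (subtype << 4) | (MGMT_TYPE << 2)
    return MGMT_HDR.pack(fc, 0, dst, src, bssid, seq << 4) + body


def deauth_frame(dst, src, bssid, seq, reason):
    """Deauthentication frame; the body is a 2-byte little-endian reason code."""
    return build_mgmt_frame(SUBTYPE_DEAUTH, dst, src, bssid, seq, struct.pack("<H", reason))


def parse_deauth_or_disassoc(frame):
    """Return (subtype, dst, src, bssid, reason) for deauth/disassoc frames, None for anything else."""
    if len(frame) < MGMT_HDR.size + 2:
        return None
    fc, _dur, dst, src, bssid, _seq = MGMT_HDR.unpack_from(frame)
    if ((fc >> 2) & 0x3) != MGMT_TYPE:          # type field: 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    (reason,) = struct.unpack_from("<H", frame, MGMT_HDR.size)
    return subtype, dst, src, bssid, reason


class DeauthFloodDetector:
    """Per (claimed src, BSSID) sliding-window count; alerts once per crossing of `threshold`.
    Keyed on the claimed source because the attacker spoofs the AP's address, so the AP is
    the name that shows up, not the attacker's own card."""

    def __init__(self, window_s=10.0, threshold=20):
        self.window_s = window_s
        self.threshold = threshold
        self.windows = defaultdict(deque)
        self.alerted = set()

    def observe(self, ts, frame):
        parsed = parse_deauth_or_disassoc(frame)
        if parsed is None:
            return None
        subtype, dst, src, bssid, reason = parsed
        key = (src, bssid)
        q = self.windows[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:    # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            if key in self.alerted:
                return None                        # already reported this burst
            self.alerted.add(key)
            return {"ts": ts, "src": src, "bssid": bssid, "count": len(q), "subtype": subtype,
                    "broadcast": dst == BROADCAST, "reason": reason}
        self.alerted.discard(key)                  # burst is over; re-arm
        return None


def run_demo():
    """Constructed capture: beacons, one genuine deauth, then a void11-style burst. Returns alerts."""
    ap, client = mac("00:11:22:33:44:55"), mac("66:77:88:99:aa:bb")   # made-up addresses
    frames = []
    for i in range(30):                                               # beacons every 100 ms
        frames.append((i * 0.1, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap, i, b"\x00" * 12)))
    frames.append((1.0, deauth_frame(ap, client, ap, 1, 3)))          # reason 3: station leaving
    for i in range(50):                                               # 50 spoofed deauths in 3 s
        frames.append((5.0 + i * 0.06, deauth_frame(BROADCAST, ap, ap, 100 + i, 7)))
    frames.sort(key=lambda f: f[0])
    detector = DeauthFloodDetector(window_s=10.0, threshold=20)
    alerts = []
    for ts, frame in frames:
        alert = detector.observe(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print("t=%.2fs flood: %d deauth/disassoc from %s (bssid %s) broadcast=%s reason=%d"
              % (a["ts"], a["count"], a["src"].hex(":"), a["bssid"].hex(":"), a["broadcast"], a["reason"]))
```

In a real deployment the frames come from a monitor-mode interface (radiotap header stripped first), and the threshold has to sit above whatever your flaky clients and neighbouring networks produce on a bad day, which is exactly the "it looks like a microwave oven" problem Jeff describes. The demo fires once, at the 20th spoofed frame; the single legitimate deauth from the client never gets near the threshold.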

Jeff hasn't made many claims. He's pointed you at various websites which detail how to do something you seem inordinately interested in, noted that he himself finds it a bit harder than the FBI did, wondered why you seem so keen to get Jeff to detail exactly how to do something potentially illegal, and left you to do your own research.

Seems however you prefer to make disingenuous postings implying that Jeff is fabricating this stuff. Perhaps you need to study your motives?

-- Mark McIntyre

It sounds more like he was too lazy to do his own googling and was trying to goad Jeff into providing links.

Well, he's in luck. I believe that full disclosure is the only way to get lazy admins to get off their fat duffs. I posted a link to a blog earlier today that gives what looks like full instructions. (Although I don't have a second AP to set up with WEP so I can test against.)

-wolfgang

-- Wolfgang S. Rupprecht

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.