
How To Crack WEP

This document provides instructions for setting up a wireless network to crack the WEP encryption key. It recommends using two laptops, one to actively generate traffic on the target network and the other to capture packets. The first part describes configuring a target access point with a WEP key and wireless client. It lists the information needed like the AP's MAC address, SSID, channel and WEP key. Setting up the target network prepares the controlled environment needed to practice cracking the WEP key through capturing packets in the following parts.

Uploaded by

Hari Cahyadi
Copyright
© Attribution Non-Commercial (BY-NC)

How To Crack WEP - Part 1: Setup & Network Recon

Humphrey Cheung
May 10, 2005

Introduction

This article has been superseded by How to Crack WEP...Reloaded.

Hundreds, perhaps thousands of articles have been written about the vulnerability of WEP
(Wired Equivalent Privacy), but how many people can actually break WEP encryption?
Beginners to WEP cracking have often been frustrated by the many wireless cards
available and their distribution-specific commands. And things are further complicated
when the beginner is not familiar with Linux.

In this three part series, we will give you a step by step approach to breaking a WEP key.
The approach taken will be to standardize as many variables as possible so that you can
concentrate on the mechanics of WEP cracking without being hindered by hardware and
software bugs. The entire attack is done with publicly available software and doesn't
require special hardware - just a few laptops and wireless cards.

Figure 1: Gotcha!

This first article will help you set up your wireless lab and guide you through the scanning
portion of WEP cracking. After all, you will need to find and document the wireless
networks before you can crack them. The second article will describe the stimulation of
the target WLAN to generate traffic and the actual process of capturing data and cracking
the WEP key. After reading these two articles, you should be able to break WEP keys in a
matter of minutes. A third article will turn things around and describe how to defend
against multiple skill levels of wireless intruders.

NOTES:

• A description of the basic approach and techniques used in this How To can be
found in The Feds can own your WLAN too.

• You don't need to be a networking expert to successfully follow this How To, but
you need basic familiarity with networking terminology and principles. You
should know how to ping, open a Windows Command Prompt, enter command
lines and know your way around the Windows networking properties screens.

What you Need

Although WEP cracking can be done from a single laptop, ideally you should have two.
One laptop performs an active attack to stimulate data flow so that a sufficient number of
packets can be captured in a relatively short amount of time, while the other laptop
"sniffs" or captures the traffic produced by the attacking laptop. Figure 2 shows the basic
idea.

You can actually run a WEP crack using one notebook equipped with a single wireless
LAN card, but we don't recommend this configuration as a starting point. With only one
notebook, it's easy to get confused about what you're doing, and we've found that the
Auditor programs can get a bit unstable when used in this way.

Figure 2: Two Notebook WEP cracking setup

Note that using an active attack vs. passively capturing traffic increases your chances of
detection. But it can significantly speed a WEP key crack by forcing the generation of
more packets than you would normally capture in a short time from a lightly-used
WLAN.

Tip: Although we refer to laptops / notebooks throughout this series, you can also use
desktop computers or a mixture of laptops and desktops. However, you may find using
notebooks easier due to their portability and the wider range of compatible PC Card
wireless adapters available.

Here is a list of required hardware:

• Wireless Access Point - This will be the "target" access point and can be any
brand. We used a Netgear WGT624 v2
• A laptop or computer with wireless capability - This will be the "target"
computer and it doesn't matter which wireless chipset or card the computer uses.
Our lab had a surplus Dell laptop with built-in wireless that worked just fine
• Two 802.11b PC Cards based on the PRISM 2 chipset - Some of the programs
(such as Kismet) we use in this series can support a wide variety of wireless cards.
But we suggest you stick to using cards based on the PRISM 2 chipset, which are
supported by all the programs we will use.

Tip: We used two 2511CD PLUS EXT2 cards. The 2511-CD PLUS EXT2 has
two MMCX connectors for external antennas and does not have an internal
antenna. These cards are typically found under the Senao, Engenius or Wireless
LAN brand names (Figure 3).

You can also search this list compiled by Absolute Value Systems to find other
PRISM 2-based cards.

Figure 3: Senao 2511 802.11 PC Card

If you purchase a wireless card that has an external antenna connector, you may want to
buy an antenna and appropriate "pigtail". (The pigtail is a short cable that connects the
end of the antenna cable to your Wi-Fi card.) This isn't always necessary, since some
cards with external antenna connectors also have internal antennas. But note that the
2511CD PLUS EXT2 series of cards do not have an internal antenna, so you must
purchase an antenna if you're using that card.

What you Need - more

You are welcome to use any type of external antenna you want (or none at all), but we
purchased the Mobile Patch antenna pictured in Figure 4. The suction cup bottom of the
patch antenna makes it wonderful for wardriving, as you can temporarily attach it to your
car windows.

Figure 4: Mobile Patch Antenna

This antenna has 8dBi of gain and, like many antennas, has a short cable that terminates
in an N-Female connector. For the Senao / Engenius cards, you will need to buy a pigtail
with MMCX connector on one end. The connector is about 1 mm in diameter, with a
very small pin in the middle (Figure 5).

Figure 5: MMCX connector on pigtail cable

As a side note, pigtail connectors are disliked by many people. It's an extra cable to carry
around, and sometimes the connector breaks off. In addition, it is a pain to disconnect the
pigtail from the Wi-Fi card, as it takes a decent amount of force to pull the connector off.

The Software

While cracking WEP requires several open source tools, all of these tools are thankfully
pre-installed on the free Auditor Security Collection LIVE CD. The CD boots a
modified Kanotix Linux distribution into RAM (it doesn't touch your hard drive) and
auto-detects and configures many wireless cards.

Updated 6/1/2007: The Auditor Security Collection is no longer available. Use
Backtrack instead.

Lab Setup - Preparing the Target WLAN

Proper set up of your lab is important, because you want a controlled environment to
practice in. You will also want to prevent collateral damage to neighboring APs that are
not yours because some of the attacks described in Part 2 will forcibly knock clients off
an AP. This could possibly wreak havoc with other wireless users in the area. So if you
are in an office complex, apartment building or any other area with many wireless
networks, it may be prudent to wait until night hours when the networks are less busy.
Please practice safely and responsibly!

The first step is to connect and configure a "target" wireless LAN comprised of an Access
Point or wireless router and a single wireless client. This WLAN will be secured with the
WEP key that you will be cracking. Give your AP an SSID of your choosing - we called
ours "starbucks". Configure a 64 bit WEP key on the WAP to start - after you successfully
break a 64 bit key, you can try a 128 bit key.

You'll need to record the following information for later use:

• MAC Address of the AP - This is usually displayed in the web configuration
menu. It also may be found on a label on the bottom or side of the AP
• SSID of the AP
• Wireless channel of the AP - by default will probably be Channel 6, but make
sure
• WEP key - If your AP displays the key as 0xFFFFFFFFFF (replace the F's with
whatever your key is), write down only everything past the 0x

With the AP configured, we now need to get a client associated with it. (The following
example uses Windows XP.) Right-click on the My Network Places icon on your
desktop, or in your Start Menu. Then left-click Properties.

Double-click the entry called Wireless Network Connection and a window similar to
Figure 6 will open. Figure 6 shows that multiple WLANs are available, but your window
may show only the "starbucks" AP that you just configured. Connect to your AP by
double-clicking the corresponding SSID.

Figure 6: Connecting to your WAP

Because the AP has WEP enabled, Windows will ask for the network key in order to
connect (Figure 7). Type in your WEP key (or cut and paste it from a Notepad or
Wordpad document) and after a short wait Windows should report that you are connected
to the network. Make sure that you are really connected by pinging a known computer on
your wired LAN or opening your browser and checking your favorite website if your
WLAN is connected to the Internet.

Figure 7: Entering WEP Key

If you can't get a successful ping or browse the web, open your wireless adapter's
Network properties, click on the Support tab and check that you have valid IP address
information. If you don't, check that your LAN's DHCP server is enabled and also check
that the wireless adapter's TCP/IP properties are set to "Obtain an IP address
automatically". You may also need to run a Repair on the connection.

Lab Setup - AP

Once you are successfully connected, record the MAC Address of the target computer. You
can do this by opening a command prompt window and entering the ipconfig /all
command. You should get a screen similar to Figure 8, in which I've highlighted the
wireless network adapter MAC address information.

Figure 8: Type in ipconfig /all to find the MAC Address

Since your client machine is running Windows XP, you can also get the MAC address
from the Wireless Connection Status window. Click on the Support tab, then the
Details button and the MAC address is right at the top (Figure 9), but of course called
something different, i.e. "Physical Address".

Figure 9: MAC address in Network Connection Details


You will notice that in Windows, the MAC address numbers and letters are separated by
dashes. The dashes make the characters more readable, but the actual MAC address
doesn't have dashes.

At this point, our target WLAN is configured and working, so shut down the target client.

Lab Setup - Preparing the Notebooks

Now that the target computer has been set up, it's time to set up the notebooks that will
scan for target WLANs and sniff traffic and run attacks to stimulate network traffic. First
set your notebook to boot from its CD drive. It may be set this way by default, or you
may have to change the boot order by changing BIOS settings.

Next, shut down the notebook, insert a wireless card and Auditor Security Collection CD
into the notebook and turn it on. After you pick the appropriate screen resolution from the
Auditor boot menu, it will install to RAM and you will be presented with the Auditor
start screen (Figure 10).

Figure 10: Auditor start screen

The two most important icons will be the Programs and Command Line icons, which
are located at the bottom left side of the screen (Figure 11).

Figure 11: Programs and Command Line locations

Before you do anything else, you must make sure that your wireless network card has
been recognized and configured by Auditor. Click on the command line icon to open a
command line window, then type iwconfig. Among the other information that Auditor
spews out, you should see wlan0, which is the designation that Auditor gives to PRISM-
based cards. If your screen looks similar to Figure 12, then Auditor has correctly detected
your wireless card. You can now close out of the command line screen.

Figure 12: iwconfig to verify that the wireless card works

Repeat these same steps for your second notebook, then shut it down. You won't be
needing it until Part 2, where you'll learn how to use it to stimulate WLAN traffic that
will be captured by your first notebook.

Network Recon with Kismet

You're now ready to start Kismet, which is a Linux-based wireless scanner. It's a handy
tool for surveying the wireless airwaves around you to find target wireless LANs to
crack. Kismet also captures traffic, but there are other tools such as airodump (part of
Aircrack) that do a better job in the context of cracking WEP. So we'll be using it to
make sure our wireless card is working and for scanning for wireless networks. Then we
will switch to different tools in Part 2 to actually sniff and capture traffic.

You get to Kismet by clicking on the Programs icon, then Auditor, then Wireless, then
Scanner/Analyzer, and finally Kismet (Figure 13).

Figure 13: Getting to Kismet

In addition to scanning wireless networks, Kismet captures packets into a file for later
analysis. So Kismet will ask for the directory to save the captured files in. Click Desktop
and then OK (Figure 14).

Figure 14: Specifying the Save Location

Kismet will then ask for a prefix for the captured files (Figure 15). Change the default
name to capture and then click OK.

Figure 15: Specifying the file prefix

As Kismet starts, it will display all the wireless networks in range (Figure 16), which
should hopefully include the target WLAN you set up. The channel number, under the Ch
column, should match what you have written down. If Kismet has found many nearby
access points, you may want to move the lab farther away from the Access Points, or
disconnect any high-gain antennas you have connected.

Figure 16: Kismet at work

While Kismet is jumping through all the channels and SSIDs looking for interesting
information, you will see the number of packets changing for all the access points. In the
column at the right side of the screen, Kismet displays the total number of networks
found, the number of packets captured and the number of encrypted packets seen.

Even with the target computer off, Kismet is detecting packets from our AP. This is
because APs send out "beacons", which tell wireless computers that an AP is in range.
You can think of it as the AP announcing, "My name is XXXXX, please connect to me."

Network Recon with Kismet - more

Kismet starts in "autofit" mode, which doesn't list APs in any meaningful order. Press "s"
to get to the Sort menu (Figure 17). Here you can specify sort orders, which will
organize the APs better.

Figure 17: Sort options in Kismet

Press "c" and the access points will be ordered by channel. (Figure 18)

Figure 18: Sorting WAPs by channel

Kismet will by default hop through channels 1 to 11. Use the cursor keys to move the
highlight bar to your SSID and press "L" (note capital "L") and Kismet will lock on the
SSID's channel (Figure 19). You will notice that the packet numbers of other APs may
still continue to increase. This is because many channels overlap each other in frequency.

Figure 19: Locking the channel scanning in Kismet

Now that we are reasonably sure that Kismet is working, let's see what happens when the
target computer on the network starts transmitting information. In most cases, this will be
receiving / sending of email or web surfing. Start the target computer, while keeping the
scanning laptop in Kismet.

As the target computer boots into Windows and connects to the target AP, you will notice
a surge in regular and encrypted packets being captured by Kismet. You'll be using these
packets in the attacks described in Part 2 of this series.

Conclusion

At this point, you know the basic approach to WEP cracking, have a target WLAN
configured and have both sniffing and attack computers configured and working. You
also have gained a basic familiarity with Auditor and used Kismet to find in-range
wireless LANs.

In Part 2, we will use the second notebook to stimulate the target LAN to generate
wireless traffic that we will capture and perform the actual WEP key crack. Until then,
you can familiarize yourself with Kismet, go WLAN hunting and explore some of the
other tools on the Auditor CD.

In Part 1 of How to Crack WEP, we showed the basic approach to WEP cracking,
configured a practice target WLAN and configured both sniffing and attack computers.
We also introduced the Auditor Security Collection and used Kismet to find in-range
wireless LANs.

In this article, we will describe how to use additional tools found on the Auditor CD to
capture traffic and use it to crack a WEP key. We'll also describe how to use
deauthentication and packet replay attacks to stimulate the generation of wireless traffic
that is a key element of reducing the time it takes to perform a WEP key crack.

Before we get started, however, let us make a few points that may save some readers the
time and effort of trying these techniques:

• To successfully follow this How To, you need basic familiarity with networking
terminology and principles. You should know how to ping, open a Windows
Command Prompt, enter command lines and know your way around the Windows
networking properties screens. Basic familiarity with Linux will be helpful too.
• These procedures assume the use of specific wireless hardware described in Part
1. They will not work with other hardware types without modification.
• These procedures assume that the target WLAN has at least one client associated
with an AP or wireless router. They will not work with an AP that has no
associated clients.
• This tutorial is based on the Auditor version released April 2005. Future versions
could make this attack easier or harder. In addition, some of the commands shown
are Auditor-specific scripts that don't exist (but can easily be made) in other Linux
distributions.
• Accessing anyone else's network other than your own without the network
owner's consent is illegal. SmallNetBuilder, Pudai, LLC and the author do not
condone or approve of illegal use of this tutorial in any way.

Also note that it is possible to perform WEP cracking using only one computer. But we
have chosen to use two to more clearly illustrate the process and avoid some of the
complications caused by using a single computer.

The four main tools used in this article are airodump, void11, aireplay and aircrack,
which are included on the Auditor Security Collection CD:

• Airodump scans the wireless network for packets and captures these packets into
files
• Void11 will deauthenticate computers from a wireless access point, which will
force them to reassociate to the AP, creating an ARP request
• Aireplay takes this ARP request and resends it to the AP, spoofing the ARP
request from the valid wireless client
• Finally, aircrack will take the capture files generated by airodump and extract the
WEP key

From your scanning with Kismet as described in Part 1, you should have written down
the following four pieces of information:

• MAC Address of the wireless Access Point (AP)
• MAC Address of the "Target" computer
• WEP key used
• Wi-Fi channel used

In the following procedures, we will call our laptops, Auditor-A and Auditor-B and call
the target computer Target. Let's get started.

Starting from scratch

In real life, someone trying to break into a wireless network usually would have to obtain
the information needed (MAC address of the AP and Target PC and wireless channel).
Professionals who do penetration testing of networks describe this attack as a "Zero
Knowledge" attack, for obvious reasons. If the attacker already has all the information
needed, that's called a "Full Knowledge" attack, which is nowhere near as challenging!
We'll assume that we know nothing and describe how to get the information we need.

Finding the MAC Address of the AP with Kismet


Figure 1: Navigating Kismet

Finding the MAC Address of the AP is extremely easy with either Kismet or
Netstumbler. Start Auditor-A with its Wi-Fi card and Auditor CD inserted. Once
Auditor is up, start Kismet, just like you did in Part 1, and you will see a list of APs.
Type s and then c to sort the APs by channel and using the arrow keys, move the
highlight bar to your target AP's SSID. Then hit the Enter key. This will bring up a
detailed screen (Figure 2) that will show the selected AP's SSID, MAC address and
channel. Voila! "Zero knowledge" has been transformed into almost all the information
needed to run a WEP crack.

Figure 2: Kismet easily finds the SSID, Channel and MAC address

Tip: Some "security professionals" suggest cloaking your SSID / disabling SSID
broadcasts. While this will defeat a Netstumbler scan, Kismet will easily detect "cloaked"
SSIDs. Kismet captures more network information than Netstumbler and can find AP
SSIDs by following conversations between associated clients and the AP.

Finding the MAC Address of the Client

We need one last piece of information to begin our cracking - the MAC address of a
wireless client associated to the AP of our Target WLAN. Go back to Kismet and type q
to quit out of the details menu. The highlight bar should still be on your AP, if it isn't, then
use the arrow keys again. Typing shift-C will bring up a list of clients. The MAC
addresses are listed on the left side (Figure 3).

Figure 3: Client MAC address found by Kismet

If you don't see the MAC address of the TARGET computer, check to make sure it's on
and associated with the Target AP (boot the TARGET into Windows, have it connect to
the AP and start browsing the web). In about 10-30 seconds, you should see the MAC
address of the TARGET computer pop up in Kismet. A prudent cracker would probably
record all the client MAC addresses found so as not to be thwarted if a client isn't present
when the time comes to start the cracking process.

Packet capture with Airodump


Figure 4: Airodump usage

As amazingly fast as aircrack is, it still needs a sufficient number of "interesting" packets
to work on in order to crack a WEP key. As we noted earlier, packet capture is done by
airodump, which creates a file of captured data for aircrack. Let's see how it's done.

You can use either computer, but we'll stick with Auditor-A. Open the shell and type in
the following commands:

Commands for setting up airodump:

iwconfig wlan0 mode monitor
iwconfig wlan0 channel THECHANNELNUM
cd /ramdisk
airodump wlan0 cap

NOTES:
- Replace THECHANNELNUM with the channel number of your Target WLAN
- The /ramdisk directory is where the capture data will be stored

If there are many wireless access points close by, you may want to attach the MAC
address of your target AP to the end of the airodump command like so:

airodump wlan0 cap1 MACADDRESSOFAP

This will instruct airodump to write only the packets of the target AP to the capture file.

You can exit out of Airodump by typing Control-C. Typing ls -l will list the contents of
the directory. Notice the size of the capture file, which has the extension .cap. If
packets were successfully captured, the file size should be a few kB or so after a few
seconds of capture. Note that if Airodump is stopped and restarted with the same
parameters, the new capture data will be appended to the previous file. You may want to
make separate files by naming the first file cap1, the next cap2, and so on.

Collecting IVs with Airodump

Figure 5: Watch the IV count go up

While airodump is running, you should see the MAC address of your AP listed under
BSSID on the left side of the window. You should also see the Packet count and IV
count (Initialization Vector) going up. This is due to normal Windows network traffic that
is generated even if you aren't surfing the web or checking your email. So you will see
the IV count rise by a few IVs after a while. If you start surfing the web on the TARGET
computer, you should see that each new webpage raises the IV count in airodump.

We aren't interested in the Packet count, because it doesn't help us with WEP cracking and
many of the packets will be beacons coming from the AP. (Most APs send out ten
beacons a second by default and you will see that reflected in the packet count in
airodump.) The IV count is the important number to watch, since you will need to
capture around 50,000 to 200,000 IVs in order to crack a 64 bit WEP key, and for a
128 bit key you will need around 200,000 to 700,000 IVs!
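The IV figures above are empirical numbers from the capture tooling; what makes the IV count matter at all is that WEP's per-frame initialization vector is only 24 bits wide, a fixed property of the WEP standard. The following is an added example, not from the article: it applies the birthday bound to that 24-bit IV space to show how quickly a WLAN starts repeating IVs (and therefore RC4 keystreams), which is the structural reason a few hundred thousand captured frames are enough to work with. The 500 frames/s traffic rate in the demo is an assumed figure.

```python
import math

# WEP prepends a 24-bit initialization vector to the shared key for every frame (a property of
# the WEP standard), so only 2**24 distinct per-frame RC4 keys exist for one shared key.
WEP_IV_BITS = 24
IV_SPACE = 1 << WEP_IV_BITS  # 16,777,216 possible IVs


def iv_collision_probability(frames, space=IV_SPACE):
    """Birthday bound: probability that at least two of `frames` randomly chosen IVs coincide.

    Uses the standard approximation 1 - exp(-n(n-1)/(2N)), accurate when n is far below N.
    A repeated IV under the same key means a repeated RC4 keystream, the two-time-pad
    condition that makes the captured frames useful to aircrack-style tools.
    """
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_until_probability(p, space=IV_SPACE):
    """Smallest frame count n at which the approximation above reaches collision probability p."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))


def seconds_to_wrap_ivs(frames_per_second, space=IV_SPACE):
    """A sender that simply increments its IV reuses its first IV after this many seconds."""
    return space / frames_per_second


if __name__ == "__main__":
    # Assumed busy-WLAN rate of 500 data frames per second (not a figure from the article).
    print(f"P(at least one IV repeat) after 5000 random IVs: {iv_collision_probability(5000):.3f}")
    print(f"Frames for a 50% chance of one repeat: {frames_until_probability(0.5)}")
    print(f"Sequential IVs wrap after {seconds_to_wrap_ivs(500) / 3600:.1f} hours at 500 frames/s")
```

The point of the three functions is to give the defender a feel for scale: with random IVs a repeat is more likely than not after only a few thousand frames, and even a well-behaved sequential sender exhausts the whole space in a working day on a busy network. No key length changes that; it is the IV width, not the 64-bit versus 128-bit key, that bounds how long WEP keystreams stay unique.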

Deauthentication via void11

You probably noticed that the IV count doesn't rise very quickly under normal traffic
conditions. In fact, it could take several hours or even days, to capture enough data from
most wireless LANs for a successful WEP key crack under normal conditions. But
fortunately, there are a few tools at our disposal to speed things along.

The easiest way to speed up packet generation is for the Target WLAN to be a busy one.
We can simulate this by running a continuous ping or starting a large file download on
the Target. Keep airodump running on Auditor-A and notice the rate that the IV count is
rising. Then start your file download via bittorrent or just download an .ISO file of your
favorite Linux distribution or movie trailer.

Alternatively, a continuous ping can be done in Windows by entering the following into a
command window:

ping -t -l 50000 ADDRESS_OF_ANOTHER_LAN_CLIENT

where ADDRESS_OF_ANOTHER_LAN_CLIENT is replaced by the IP address of the
AP, router or any other pingable client on the LAN.

Either of these methods will cause the IV count to rise a bit faster. But since they require
access to the very WLAN that you are trying to obtain the WEP key for, they're useful
only to illustrate that more traffic = more IVs. What is needed is a traffic-generation
method that requires only the information that we've obtained via Kismet.

This is where void11 comes in. Void11 is used to force a de-authentication of wireless
clients from their associated AP, i.e. the clients are "kicked off" the AP. After being kicked
off the wireless network, a wireless client will automatically try to reassociate with the
AP. In the process of re-association, data traffic will be generated. This process is
commonly referred to as a de-authentication or deauth attack. Here's how it's done.

Figure 6: void11 usage

Start Auditor-B with its Wi-Fi card and Auditor CD inserted. Once Auditor is up, open a
shell and type in the following commands:

Commands for setting up a void11 deauth attack:

switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0

NOTE: Replace THECHANNELNUM with the channel number of your Target
WLAN, and MACOFSTATION and MACOFAP with the MAC addresses of the Target
WLAN client and AP respectively, i.e.

void11_penetration -D -s 00:90:4b:c0:c4:7f -B 00:c0:49:bf:14:29 wlan0

Tip: You may see an invalid argument error while running void11 on the Auditor
Security Collection. Don't worry about this error, as void11 is working, which we'll verify
next.

Verifying the deauth

While void11 is running on Auditor-B, let's look at what's happening on the Target client.
Normally, anyone using a Target client will happily be surfing websites or checking
email, when suddenly the network will get very slow and eventually come to a halt. A
few seconds later, the Target will be completely disconnected from the network.

You can check this out for yourself by running a continuous ping from TARGET to the
wireless access point. Figures 7 and 8 show a ping before and during a void11 deauth
attack.

Figure 7: Successful pings before void11

Figure 8 shows that the pings will time out while void11 is running. If you do a Control-C
on Auditor-B to stop the void11 attack, the pings will come back to life after a few
seconds.

Figure 8: Pings die after void11 is started

You can see if you are being deauthenticated from an AP by looking at your wireless
client's utility program, which usually indicates the connection status. Figures 9 and 10
show the wireless client utility built into Windows XP. Before the void11 attack starts,
everything will seem normal, and Windows will show that you are connected to the AP
(Figure 9).

Figure 9: Now you are connected

After void11 starts, the network status will change from connected to disconnected
(Figure 10). After void11 is stopped on Auditor-B, the Target will reconnect back to the
AP in a few seconds or so.

Figure 10: Now you aren't!

If you look back at Auditor-A - which we last left running airodump - while void11 is
running, the IV count in airodump should increase to around 100-200 within a few seconds.
This is due to the traffic generated by the Target client as it repeatedly tries to reassociate
with its AP.

Packet replay via Aireplay

While a deauth attack generates traffic, it generally doesn't generate enough to effectively
speed up our IV gathering process. It's also a pretty blunt instrument and severely
interferes with normal WLAN operations. For more efficient traffic generation, we'll need
to employ a different technique called a replay attack.

A replay attack simply captures a valid packet generated by a Target client, then spoofs
the client that it captured the packet from and replays the packet over and over again
more frequently than normal. Since the traffic looks like it is coming from a valid client,
it doesn't interfere with normal network operations and goes about its IV-generating
duties quietly.

So what we need is to capture a packet that is sure to be generated by the void11 deauth
attack, stop the deauth attack, then start a replay attack using the captured packet. A
perfect candidate for capture is an Address Resolution Protocol (ARP) packet, since ARP
packets are small (68 Bytes long), have a fixed and easily recognizable format, and are part
of every reassociation attempt.

Figure 11: aireplay setup

Let's start with a clean slate and reboot both Auditor-A and Auditor-B. Figure 12 shows
the roles that Auditor-A and Auditor-B are playing. Notice that Auditor-A is running only
aireplay and is just serving to stimulate traffic (and IVs) to shorten the time it takes to
crack a WEP key. Also notice that Auditor-B is used for either running the deauth attack
(via void11) or capturing traffic (via airodump) and running the actual crack against the
captured data via aircrack which we'll get to shortly.

Figure 12: The full WEP-cracking monty

We'll first start aireplay. Go to Auditor-A, open a shell and type in these commands:

Commands to set up aireplay to listen for an ARP packet

switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

NOTES:
- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the
Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN

At first, nothing too exciting will happen. You should see aireplay reporting it has seen a
certain number of packets, but little else since the packets haven't matched the filter we've
set (68 Byte packet with a destination MAC address of FF:FF:FF:FF:FF:FF).

Packet replay via Aireplay - more

Now go to the Target client computer and open its wireless utility so that you can monitor
its connection status. Then go to Auditor-B and start a void11 deauth attack by following
the previous instructions. Once you've started void11, you should see the Target client
lose contact with the Target AP. You should also see the packet rate reported by
aireplay increase at a faster rate.

At some point, aireplay will display a captured packet and ask if you want to replay it
(Figure 13).

Figure 13: aireplay bags a packet

You want a packet that matches the following criteria (also illustrated in Figure 13):

• FromDS - 0
• ToDS - 1
• BSSID - MAC Address of the Target AP
• Source MAC - MAC Address of the Target computer
• Destination MAC - FF:FF:FF:FF:FF:FF

Type n (for no) if the packet does not match these criteria and aireplay will resume
capture. When aireplay successfully finds a packet matching the above criteria, answer y
(for yes) to the replay question and aireplay will switch from capture to replay mode and
start the replay attack. Immediately go back to Auditor-B and stop the void11 deauth
attack.

Tips:
- The capture of a packet via a deauth attack can be the trickiest part of the WEP cracking
process. While the deauth attack generates traffic, it generally doesn't generate very much
because of the time it takes for a client to realize that it has lost connection with its AP
and then more time for the re-association process to complete.

- Capture can be further complicated by the fact that the timing of these processes is
different among client drivers (and operating systems). void11 can easily overwhelm a
client with deauth packets so that it doesn't even have time to complete a re-association
and generate the packets we'll be looking to capture.

- Sometimes you may luck out with the first packet captured. But other times you may
have to wait for multiple captures.

- If aireplay doesn't produce a captured packet within a few thousand packets, void11
could be overwhelming the AP and client and not giving them any time to
complete a reassociation. Try stopping void11 manually (control-C) and then restarting
it. You can also try adding the -d parameter to the void11 command line (the delay value
is in microseconds) and experimenting with different values to allow time for a successful
reassociation. Be aware that some wireless clients lock up when subjected to a deauth
attack and may need to be rebooted to recover!

- You may have difficulty capturing ARP packets via a deauth attack if the Target client
is idle. This is unlikely to happen with a real Target WLAN, but could be a problem with
your practice Target WLAN. If aireplay is not flagging packets for you to approve, you
may need to go to your Target client and run a continuous ping or start a download before
you start the deauth attack.

- As a final tip, if you absolutely cannot get void11 to work, you can test if aireplay is
really working by cheating a little bit. Keep aireplay running on AUDITOR-A and turn
off void11 on AUDITOR-B. Go to the TARGET computer and manually disconnect from
the wireless network. You can do this through either the wireless connection properties or
by simply turning the computer off. Now reconnect the computer or turn the computer
back on. Within thirty seconds, aireplay on AUDITOR-A should see an ARP packet sent
by the TARGET computer as it reconnects to the WLAN and requests an IP address.
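The two traffic patterns this section depends on, a burst of deauthentication frames aimed at one client and a single captured frame being resent verbatim, are also exactly what a WLAN intrusion detector looks for. The following is an added example, not code from the article or from the Auditor tools, that flags both in a constructed capture; the MAC addresses and the simplified frame records (assumed to be already decoded from 802.11 headers) are assumptions.

```python
"""Detect a deauth flood against one client and a replayed WEP frame.
Added example, not part of the original article.  Frames are simplified
records assumed to be decoded from 802.11 headers; MACs are constructed.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"       # constructed placeholder for the Target AP
CLIENT = "66:77:88:99:aa:bb"   # constructed placeholder for the Target client


@dataclass(frozen=True)
class Frame:
    ts: float                  # capture time, seconds
    kind: str                  # "deauth" or "data"
    bssid: str
    src: str
    dst: str
    length: int = 0            # total frame length in bytes (data frames)
    to_ds: int = 0
    from_ds: int = 0
    iv: Optional[int] = None   # 24-bit WEP IV carried in the data frame


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Flag any (bssid, client) pair that receives more than `threshold`
    deauthentication frames inside a sliding `window` of seconds.  A real
    session ends with one deauth, not dozens per second.
    Returns {(bssid, client): peak count in the window}."""
    recent = defaultdict(deque)
    peak = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.kind != "deauth":
            continue
        key = (f.bssid, f.dst)
        q = recent[key]
        q.append(f.ts)
        while f.ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return peak


def detect_wep_replay(frames, min_repeats=5):
    """A genuine WEP sender changes the IV on every frame; a replay tool
    resends one captured frame byte for byte, so the same
    (source, IV, length) tuple keeps reappearing.
    Returns {(src, iv, length): count} for tuples seen >= min_repeats times."""
    seen = Counter()
    for f in frames:
        if f.kind == "data" and f.iv is not None:
            seen[(f.src, f.iv, f.length)] += 1
    return {k: n for k, n in seen.items() if n >= min_repeats}


def sample_capture():
    """Constructed capture: 20 normal client frames with fresh IVs, then a
    burst of 50 deauths spoofed from the AP, then the client's 68-byte
    broadcast ARP frame (IV 0x1005) replayed 200 times."""
    frames = []
    for i in range(20):
        arp = i % 5 == 0
        frames.append(Frame(ts=0.05 * i, kind="data", bssid=AP, src=CLIENT,
                            dst=BROADCAST if arp else AP,
                            length=68 if arp else 120, to_ds=1,
                            iv=0x1000 + i))
    for i in range(50):
        frames.append(Frame(ts=2.0 + 0.01 * i, kind="deauth", bssid=AP,
                            src=AP, dst=CLIENT))
    for i in range(200):
        frames.append(Frame(ts=3.0 + 0.005 * i, kind="data", bssid=AP,
                            src=CLIENT, dst=BROADCAST, length=68, to_ds=1,
                            iv=0x1005))
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    for (bssid, client), n in detect_deauth_flood(cap).items():
        print(f"deauth flood: {n} deauths to {client} on {bssid} within 1 s")
    for (src, iv, ln), n in detect_wep_replay(cap).items():
        print(f"replay: {src} sent IV {iv:06x} ({ln} bytes) {n} times")
```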

Packet capture and cracking

At this point Auditor-A is running a replay attack and producing plenty of IVs. Now it's
finally time to do the actual WEP cracking. Stop void11 on AUDITOR-B, if you haven't
done so already. Type in the following commands to set up airodump to capture packets
for cracking.

Starting up airodump after stopping void11

switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1

NOTES:
- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the
Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN
- If there are many wireless access points in range, append the MAC address of your
target AP to the end of the airodump command, i.e.
airodump wlan0 cap1 MACADDRESSOFAP

After airodump starts, you should now see the IV count rise to about 200 per second,
thanks to the aireplay replay attack running on Auditor-A.

Figure 14: After ten minutes of aireplay

With airodump writing IVs into a capture file, we can run aircrack at the same time to
find the WEP key. Keep airodump running and open another shell window. Type the
following commands into the new window to start aircrack:

Starting aircrack

cd /ramdisk
aircrack -f FUDGEFACTOR -m MACADDRESSOFAP -n WEPKEYLENGTH -q 3 cap*.cap

NOTES:
- FUDGEFACTOR is an integer (default is 2)
- MACADDRESSOFAP is the MAC address of the Target AP
- WEPKEYLENGTH is the length of the WEP key you are trying to crack (64, 128, 256
or 512)

Figure 15 shows an example of a complete command.

Figure 15: aircrack usage

Aircrack will read in unique IVs from all the capture files and then perform a statistical
attack on those IVs. A lower "fudge factor" (-f parameter) has less chance of succeeding,
but is very fast. A high fudge factor is slower, but has a higher chance of finding the WEP
key. A fudge factor of 2 is the default starting point.

You can stop aircrack by typing control-C or just let it run to completion (it will give up
after a while if it doesn't find the WEP key, at least for 64 bit WEP keys). If you followed
our syntax above, you can then restart aircrack by simply hitting the up arrow and then
enter, and aircrack will automatically include the updated contents of the airodump
capture file. At some point, you should be rewarded with the screen shown in Figure 16.

Figure 16: Gotcha, Key Found!

Helpful hints

We broke a 64 bit WEP key in less than five minutes, which is the combined time for
scanning with airodump and cracking with aircrack and stimulating traffic with aireplay
running a simultaneous replay attack. There is a lot of luck involved and sometimes you
may break the WEP encryption after gathering just 25,000 IVs, but most times it takes
more than 100,000.

You would expect a 128 bit key to take eons longer, but this is not the case. A 128 bit key
can be broken with around 150,000 to 700,000 IVs, but capturing more IVs will definitely
speed up the cracking process. When we reconfigured our target AP with a 128 bit key,
we were able to recover the WEP key with 200,000 IVs, but it took the laptop we used
more than an hour. Having more captured IVs would have sped up the process
dramatically.

It's important to note that you must input the length of the WEP key that you are trying
to recover into aircrack and that none of these tools provide that information. While
you know this information in your practice target WLAN, you wouldn't know it in a zero
knowledge exploit. So you may need to try both 64 and 128 bit WEP key lengths in aircrack
in order to be successful.

Figure 17: 128 bit WEP key found

Using a notebook with a fast processor and lots of memory for "Auditor-B" can help
speed things along. You can also offload the capture files to other computers to speed up
the cracking, while continuing to capture packets. We tested out this technique at the
2005 Interop Convention in Las Vegas. While one laptop was running airodump, we
copied the capture files over to a very speedy server for cracking. The server (running
aircrack) doesn't need wireless access since it just crunches away on the captured files.
It goes without saying that you should use the fastest computer you can find to run
aircrack. The new dual core processors from AMD and Intel may provide a speedup in
WEP cracking since aircrack can spawn multiple processes with the -p option.

You may find it convenient to save your capture files to a USB flash drive to "sneakernet"
them to other computers. Simply open the shell and type the following:

Saving capture files to USB flash drive

mkdir /mnt/usb
mount -t vfat /dev/uba1 /mnt/usb
cp /ramdisk/cap*.cap /mnt/usb
umount /mnt/usb

Note that you must perform a umount to actually write the files to the flash drive.

Conclusion

WEP was never meant to secure a network, but was designed only to provide a WLAN
with the level of security and privacy comparable to that expected of a wired LAN. This
is clearly indicated by its full name, "Wired Equivalent Privacy". Recovering a WEP key
is the equivalent of gaining physical access to a wired network. What happens next
depends on the steps that have been taken to secure resources of the network itself.

Enterprise networks almost always require a user login, i.e. authentication, before allowing
access to their networks. Servers are physically secured in locked server rooms and
network wiring panels secured in locked closets. Networks are frequently segmented so
that users are kept from accessing shares and servers that they have no need to access.

Unfortunately, trained in bad security habits by both Microsoft and Apple, most home PC
users avoid logins and password-protected network shares like the plague. And while
home networks may have made Internet and printer sharing possible, the combination of
networked computers and poor security practices has turned more than one home network
into an unholy mess of worm-infested zombies before people even know what hit them.

WEP was shown to have failed in its function shortly after 802.11 networks came into
widespread use and the industry has been playing catch-up ever since. Key rotation,
stronger IVs and other proprietary schemes were tried first. But businesses quickly
realized that these measures were ineffective and either closed down their wireless LANs
entirely or segregated them into limited-access separate networks, required the use of
VPNs or took additional security measures.

Fortunately, the wireless equipment makers quickly realized that stronger measures were
needed if they were to be able to continue to sell wireless products to businesses and
more security-conscious home networkers. The answer came in the late fall of 2002 in the
preliminary form of Wi-Fi Protected Access or WPA and followed a year or so later by
the current improved version - WPA2.

Despite the industry's foot-dragging in getting both technologies out to its users (and
providing updates for existing products), either technology - even in its simplified
"Personal" (or "PSK") form that uses password-based protection - will provide the level
of security originally envisioned for WEP as long as a sufficiently random and long
password is used.

In Part 3 of this series, we will demonstrate some good and not so good ways to protect
your network. But in the meantime, our basic recommendation is to secure your wireless
LAN by using WPA or WPA2 (with a strong password), or turn off wireless access
until you can. We hope that these articles have shown that WEP is simply not an option
for real "wired equivalent" security.

We would like to thank the following people and sites in helping us produce this article:

• Devine and KoRek for making the next generation of WEP cracking tools
• Brett Thorson and the staff at Interop iLabs for letting us finetune the attacks
• Max Moser for making the awesome Auditor Security Collection CD.
• The dedicated people on the Auditor and Netstumbler forums
• FBI Special Agent Geoff Bickers for breaking a 128 bit WEP key in front of 40+
computer security professionals at ISSA

Command Summary

Commands for setting up airodump


iwconfig wlan0 mode monitor
iwconfig wlan0 channel THECHANNELNUM
cd /ramdisk
airodump wlan0 cap

Commands for setting up a void11 deauth attack


switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0

Commands to set up aireplay to listen for an ARP packet


switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk

aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

Starting up airodump after stopping void11


switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1

Starting aircrack
cd /ramdisk
aircrack -f FUDGEFACTOR -m MACADDRESSOFAP -n WEPKEYLENGTH -q 3 cap*.cap

How To Crack WEP - Part 3: Securing your WLAN
Humphrey Cheung
June 07, 2005
Introduction

Please see How to Crack WEP...Reloaded for the most up-to-date WEP cracking how
to.

After demonstrating in How To Crack WEP - Part 1 and Part 2 that WEP cracking is
easier than you may have thought, I will now switch gears. In this last part of the WEP
Crack How To, I will show you how to take a common sense approach to protecting your
wireless network.

As any security professional knows, there is no such thing as perfect security. A good
security plan takes into account the value of what needs to be protected, the cost of
implementing the protection and the nature and skillset of the potential intruder in order to
formulate an effective security plan. In other words, rather than implementing every
defensive measure known to man, a more prudent (and cost-effective) approach may be to
tailor your defense to the threats that you most likely face.

For example, wireless networks located in cities generally face more possible intrusions
than those located in sparsely-populated areas. During the course of a day in a city,
dozens, maybe hundreds of people may pass by your wireless LAN. And a car could also
be parked outside your home for hours, without attracting notice. But a wireless AP
located in a home on a ten-acre farm would be unlikely to see any client but its owner's
and any unfamiliar vehicles would be noticed and investigated in short order.

Why Bother?

For some people, setting up a secure wireless network is so daunting, they give up and run
it wide open, i.e. unsecured. I also hear people say, "I just surf the web and have nothing
valuable on my computer. Why should I bother with security?" Good question, but here
are some equally good answers.

Running your WLAN wide open entails three major risks:

1) Your network resources are exposed to unknown users

Once someone wirelessly connects to your LAN, they have the same access as users
directly connected into your LAN's Ethernet switch. Unless you have taken precautions to
limit access to network resources and shares, intruders can do anything trusted, known
users can do.
Files, directories, or entire hard drives can be copied, changed or entirely deleted. Or
worse, keystroke loggers, Trojans, zombie clients or other programs can be installed and
left to work for their unknown masters.

2) All of your network traffic can be captured and examined

With the right tools, web pages can be reconstructed in real-time, URLs of websites you
are visiting captured, and most importantly passwords you enter stolen and logged for
future mis-use, most notably identity theft.

3) Your Internet connection can be used for illegal, immoral or objectionable activities

If your open WLAN is used to transfer bootleg movies or music, you could possibly be
the recipient of a lawsuit notice from the RIAA. In a more extreme case, if your Internet
connection were used to upload child pornography to an FTP site, or used to host the
server itself, you could face more serious trouble. Your Internet connection could also be
used by spammers, DoS extortionists and purveyors of malware, viruses and their like.

It may be a noble sentiment to give free Internet access to anyone within range of your
wireless LAN. But unless you put some serious protection between your "open" LAN and
the one you use, you are exposing your data, and perhaps more, to serious risk.

The approach I'll take in formulating WLAN security recommendations is based on the
expected skill level of potential wireless intruders. I'll then provide recommended security
countermeasures for each skill level.

NOTE: I will generally use "AP" (Access Point) throughout this article, but this
should be read as meaning "Access Point or wireless router".

Skill Level 0: Anyone with a wireless computer

It doesn't take special skills to "hack" an unprotected wireless LAN - anyone with a
wireless-enabled computer and the ability to turn it on is a potential intruder. Ease of use
is often touted as a selling point of wireless networking products, but this often is a
double-edged sword. In many cases, people innocently turning on their wireless
computers will either automatically connect to your access point or see it in a list of
"available" access points.

The following countermeasures should help in securing your network against casual
access, but offer no real protection against more skilled intruders. These are listed in
relative order of importance. But most of them are so easy to do that I recommend doing
them all if your equipment allows.

Countermeasure 1: Change Your Default Settings

At minimum, change the administration password (and username if your equipment
allows), and default SSID on your AP or wireless router. Admin passwords for most
consumer wireless gear are widely available. So if you don't change yours, you could
find yourself locked out of being able to control your own WLAN (until you regain
control via a factory reset)!

Changing the default SSID is especially necessary when you are operating in proximity
of other APs. If multiple APs from the same manufacturer are in the area, they will have
the same SSID and client PCs will have a good chance of "accidentally" connecting to
APs other than their own. When you change the SSID, don't use personal information
in your SSID! During my Netstumbler sessions, I have seen the following as SSIDs:

• First and Last names
• Street Addresses with apartment numbers
• Social Security Numbers
• Phone Numbers

Changing the default channel of your AP might help you avoid interference from nearby
wireless LANs, but it has little value as a security precaution since wireless clients
generally automatically scan all available channels for potential connections.

Countermeasure 2: Upgrade Your Firmware, and maybe Hardware

Having the most current firmware installed on your AP can sometimes help improve
security. Updated firmware often includes security bug fixes and sometimes adds new
security features. With some newer consumer APs, a single click will check for and
install new firmware. This is in contrast to older APs which required the user to look up,
download and install the latest firmware from a sometimes difficult-to-navigate support
site.

APs that are more than a few years old have often reached their end of support lifecycle,
meaning that no new firmware upgrades will be made available. If you find that your
AP's latest firmware doesn't support at least the improved security of WPA (Wi-Fi
Protected Access), and preferably the latest version called WPA2, you should seriously
consider upgrading to new gear. The same goes for your wireless clients!

Virtually all currently-available 802.11g gear supports at least WPA and is technically
capable of being upgraded to WPA2. But manufacturers are not always diligent in their
support of older products, so if you want to be sure that your gear supports WPA2, either
check the Wi-Fi Alliance's certification database, or do some Googling in both the Web
and Groups.

Countermeasure 3: Disable SSID broadcast

Most APs allow users to disable SSID broadcasting, which will thwart a Netstumbler
scan. This will also stop Windows XP users using XP's built-in Wireless Zero
Configuration utility and other client applications from initially seeing the wireless
network. Figure 1 shows the control labeled "Hide ESSID" that will do the trick on a
ParkerVision access point. ("SSID" and "ESSID" both refer to the same thing.)

Figure 1: Disabling SSID Broadcast on a Parkervision AP

NOTE: Disabling SSID broadcast will not prevent a potential intruder using Kismet
or other wireless survey tools such as AirMagnet from seeing your wireless network.
These tools don't rely on SSID broadcast for available network detection.

Skill Level 0 Countermeasures - more

Countermeasure 4: Turn it off!

People commonly overlook the simplest way of securing their wireless network - turning
off the AP! A simple lamp timer can be used to turn off your AP during the overnight
hours when you're not using it. If you have a wireless router, this will mean that your
Internet connection will also be disabled, which also isn't such a bad thing.

If you can't or don't want to periodically shut down your Internet connection, you'll have
to remember to disable your wireless router's radio manually - if it has this feature.
Figure 2 shows a typical wireless disable control. This manual method is more prone to
error, however, since it's just one more thing to forget. Perhaps at some point
manufacturers will add radio disable to the features that can be scheduled on wireless
routers.

Figure 2: Shutting off the radio

Countermeasure 5: MAC Address Filtering

MAC Address filtering is used to control access to your AP by allowing (or denying)
access to a list of wireless client MAC addresses you enter. It will prevent an unskilled
intruder from connecting to your WLAN, but MAC addresses are easily captured by
more skilled attackers and wireless adapter MAC addresses easily changed to match a
captured address.

Figure 3: MAC Address filtering on an older USR 8011 AP

Countermeasure 6: Lower the transmit power

While only a few consumer APs have this feature, lowering your transmit power can help
limit intentional and accidental unauthorized connections. But with the increased
sensitivity of wireless cards that even unskilled users can purchase, it may not be worth
the bother - especially if you're trying to prevent unwanted connections in an apartment
building or dorm.

Most skilled attackers typically use high-gain antennas, which allow them to detect very
low signal levels and effectively offset this countermeasure.

Skill Level 1: Anyone with commonly available wardriving tools

Now let's move up a notch on skill level to that of your common "wardriver", who
actively cruises around looking for wireless LANs. Some people wardrive for kicks to see
how many wireless networks they can detect and never attempt to use the vulnerable
networks they find. But others are not so benign in their intent and do connect, use and
sometimes abuse unsuspecting wireless LAN owners.

At Skill Level 1, I'll assume that all the countermeasures suggested for Skill Level 0 do
not work and the potential intruder can see your wireless network. The only effective
countermeasures at this point involve encryption and authentication. I'll save
authentication for later and focus on encryption.

NOTE: While forcing all wireless traffic to use a VPN (Virtual Private Network) is
one solution, VPNs are notoriously difficult to set up and beyond the scope of this article.

Countermeasure 7: Encryption

Wireless LAN owners should run the strongest type of encryption available to them. Your
choices will be dictated by the capabilities of your WLAN hardware and your options are
WEP, WPA and WPA2.

WEP (Wired Equivalent Privacy) is the weakest wireless security technology, but
currently the most widely deployed due to its availability on virtually all 802.11 wireless
products. You may have to use it because many consumer wireless product manufacturers
have opted to not provide upgrades from WEP to WPA for 802.11b products. And others
are still creating new products such as some VoIP wireless phones that support only WEP,
forcing some WLAN owners to downgrade their security to accommodate the lowest
common level of security.

Either WPA (Wi-Fi Protected Access) or WPA2 provides adequate wireless security, due
to their stronger encryption technology and improved key management. The main
difference between the two is that WPA2 supports stronger AES (Advanced Encryption
Standard) encryption. But to further confuse users, there are some WPA-labeled products
that allow the selection of AES vs. the WPA-standard TKIP encryption.

Most 802.11g products support WPA (but there are exceptions), but upgrades to WPA2
for older products are still in the process of being rolled out - even though the 802.11i
standard that WPA2 is based on was ratified in June 2004.

I recommend that you use WPA as a minimum. It is as effective as WPA2 and, at least
as I write this, more widely supported. Implementing this recommendation, however,
may require purchasing new equipment, especially if you currently are using 802.11b in
your WLAN. But standard 11g gear is relatively inexpensive and could be the best
security investment you make.

Most consumer APs support only the "Personal" version of WPA or WPA2, which is
also referred to as WPA-PSK (Pre-Shared Key) (see Figure 4). WPA2 or WPA
"Enterprise" (also known as WPA "RADIUS") is also supported by some consumer
wireless gear, but is of little use without the additional RADIUS server required to
implement it.

Figure 4: Encrypting traffic on a Netgear AP

For most personal WLANs, using WPA-PSK will provide adequate protection, but it is
essential to use a key that is sufficiently long and random. Do not use a number, or a
word from the dictionary, since programs such as cowpatty are already available to
perform dictionary-based attacks against WPA-PSK.

Robert Moskowitz, Senior Technical Director ICSA Labs, recommended in this article
using a 128 bit PSK. Fortunately, all WPA implementations accept alphanumeric PSKs,
which would require only 16 characters to implement Mr. Moskowitz' recommendation.

There are many password generators available on the Internet that can be found by a
quick search. This one has lots of bells and whistles and even provides an estimation of
how long it would take to crack the password it generates.
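A way to put "sufficiently long and random" into numbers, as an added example that is not the article's own code: it computes the passphrase length a uniformly random string needs for a target entropy (128 bits here, following the recommendation above), generates one from the OS random source, and bounds the entropy of an existing passphrase by the smallest alphabet that contains all of its characters. The only assumption is that every character is chosen uniformly at random; a dictionary word or a phone number is far weaker than the bound suggests.

```python
"""WPA-PSK passphrase strength helper.  Added example, not the article's
own code.  Assumes characters are drawn uniformly at random from the
alphabet; the 8..63 limits are the ASCII passphrase bounds in 802.11i."""
import math
import secrets
import string

DIGITS = string.digits                                  # 10 symbols
LOWER = string.ascii_lowercase                          # 26 symbols
ALPHANUMERIC = string.ascii_letters + string.digits     # 62 symbols
PRINTABLE = ALPHANUMERIC + string.punctuation           # 94 symbols
MIN_LEN, MAX_LEN = 8, 63
TARGET_BITS = 128


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols each chosen uniformly from an alphabet
    of `alphabet_size`: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest length at which a uniformly random string reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_psk(target_bits=TARGET_BITS, alphabet=ALPHANUMERIC):
    """Random passphrase with at least target_bits of entropy, drawn with the
    `secrets` module (OS CSPRNG, never `random`).  Refuses targets whose
    required length does not fit a WPA-PSK passphrase."""
    n = length_for_bits(target_bits, len(alphabet))
    if not MIN_LEN <= n <= MAX_LEN:
        raise ValueError(f"need {n} characters, outside {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(alphabet) for _ in range(n))


def check_psk(passphrase, target_bits=TARGET_BITS):
    """Upper-bound the entropy of a passphrase by the smallest listed alphabet
    that contains all of its characters.  Returns (bits, meets_target); a
    passphrase of illegal length or with non-printable characters scores 0."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return 0.0, False
    for alphabet in (DIGITS, LOWER, ALPHANUMERIC, PRINTABLE):
        if all(c in alphabet for c in passphrase):
            bits = entropy_bits(len(passphrase), len(alphabet))
            return bits, bits >= target_bits
    return 0.0, False


if __name__ == "__main__":
    for name, alphabet in (("digits", DIGITS), ("alphanumeric", ALPHANUMERIC),
                           ("printable", PRINTABLE)):
        print(f"{TARGET_BITS} bits needs {length_for_bits(TARGET_BITS, len(alphabet))} "
              f"{name} characters")
    psk = generate_psk()
    print("generated:", psk, "->", check_psk(psk))
```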

As a final note, some manufacturers have started selling APs and wireless cards that
promise "one touch" easy setup of secured wireless connections. Buffalo Technology had
the first products based on their AOSS (AirStation One-Touch Secure Station)
technology. Linksys has recently started selling products based on similar technology
from Broadcom dubbed SecureEasySetup. You can read a comparative review of these
two technologies here.

Skill Level 2: Anyone with WEP / WPA-PSK Cracking Skills

While WPA and WPA2 eliminate many of the problems associated with WEP, they are
still vulnerable to attack, particularly in their PSK form. Many people have already
cracked WEP and Parts 1 and 2 of this series provided a step-by-step procedure.

Breaking the pre-shared key of WPA and WPA2 "Personal" is much harder and time
consuming - especially if you are using AES encryption - but it is possible.

Countermeasure 8: Add Authentication

To address this emerging threat, users should implement authentication. Authentication
adds another layer of security by requiring a client computer to "sign-in" to the network.
Traditionally this has been done with a mix of certificates, tokens, or hand-typed
passwords (also called Pre-Shared-Keys) that are negotiated with an authentication
server.

802.1X provides the access control framework used by WEP, WPA and WPA2 and
supports several EAP (Extensible Authentication Protocol) types that do the actual
authentication. George Ou's excellent article on Authentication Protocols contains
probably more than you'd ever want to know about EAP, WPA and WPA2!

Configuring authentication can be a daunting and expensive task for networking
professionals, let alone home networkers. At this year's RSA conference in San Francisco,
for example, many attendees didn't bother to set up their wireless connection because of
the full page of instructions they had to follow to do it!

Thankfully, things are getting better, and you don't need to buy a full-blown RADIUS
server, as there are a number of easier-to-implement alternatives. McAfee's Wireless
Security Suite is a subscription-based product starting at $4.95 per user per month with
discounts for volume purchases. A free 30 day trial download is available here.
Another free option worth investigating for more experienced networkers is TinyPEAP,
which adds a small RADIUS server supporting PEAP-based authentication into Linksys
WRT54G and GS wireless routers. Note that since this firmware isn't officially
supported by Linksys, you're on your own if you mess up your router while installing
TinyPEAP.

Skill Level 3: Expert Cracker

Up until this point, we have blocked an intruder from wirelessly doing the equivalent of
plugging their laptop into an Ethernet port on your LAN. But despite your best efforts,
someone with expert cracking skills may penetrate all of your wireless defenses. What do
you do now?

There are wired and wireless LAN intrusion detection and prevention products available,
but they are targeted at enterprise applications and come priced accordingly. There are
also open source solutions that are unfortunately not user-friendly for networking
novices. The most widely-used of these is Snort, which I hope to explore in a future
article.

But general network security practices have long dealt with traditional wired LAN
intrusions, and can be used to combat an expert wireless intruder.

Countermeasure 9: Implement general LAN security

Implement the following countermeasures to improve general LAN security:

1) Require authentication to access any network resource

Any server, network share, router, etc. should preferably require user-level authentication
for access. Although you won't be able to implement real user-level authentication
without some sort of authentication server, you can at least password-protect all shared
folders and disable Guest logins if you're running Windows XP. And never share the
contents of entire hard drives!

2) Segment your network

In the extreme case, a computer not attached to a network is safe from network-based
intrusion. But there are other ways to keep network users away from where they shouldn't
be. A few properly-connected inexpensive NAT-based routers can be used to establish
firewalled LAN segments while still allowing Internet access. See this How To for the
details.

Switches or routers with VLAN capabilities can also be used to separate LAN users.
VLAN features can be found on most any "smart" or managed switch, but are harder to
come by in consumer-priced routers and unmanaged switches.

3) Bulk up your software-based protection

At minimum, you need to run current versions of good anti-virus applications that
automatically update their virus definition files. Personal firewalls such as ZoneAlarm,
BlackICE, etc. can alert you to suspicious use of your network. And, unfortunately, the
latest generation of malware and spyware threats make adding an anti-spyware application
also necessary. Webroot Software's Spy Sweeper seems to be getting good marks lately,
along with Sunbelt Software's CounterSpy.

Note that you must install protection on every machine on your LAN in order to have
effective protection!

4) Encrypt your files

Encrypting your files with strong encryption should provide effective protection in the
event unauthorized users do gain access to them. Windows XP users can use Windows
Encrypted File System (EFS). Mac OS X Tiger users can use FileVault. The downside
to encryption is that it takes time and computing power to encrypt and decrypt files,
which could slow things down more than you'd like.
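An added audit script, not part of the original article, that checks a Windows host for the two share problems countermeasure 1 warns about: shares that expose an entire drive, and an enabled Guest account. It assumes WMI access from an elevated PowerShell prompt; the net commands it prints as fixes are standard Windows commands.

```powershell
# Added example (not from the original article): audit local shares and the Guest account.
# Assumes WMI is available and the script runs in an elevated PowerShell prompt.

function Get-DriveRootShares {
    # Win32_Share.Type 0 = ordinary disk share. Administrative shares such as C$ use
    # Type 2147483648 and are excluded because they already require admin credentials.
    # A Path of the form "C:\" (drive letter, colon, optional backslash) is a whole drive.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Path -match '^[A-Za-z]:\\?$' }
}

function Test-GuestEnabled {
    # Win32_UserAccount.Disabled is $true when the account is disabled.
    $guest = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='Guest'"
    if ($null -eq $guest) { return $false }   # no local Guest account at all
    return (-not $guest.Disabled)
}

$problems = 0

foreach ($share in Get-DriveRootShares) {
    Write-Warning "Share '$($share.Name)' exposes the entire drive $($share.Path)."
    Write-Host    "  Fix: share a specific folder instead, or remove it: net share $($share.Name) /delete"
    $problems++
}

if (Test-GuestEnabled) {
    Write-Warning "The local Guest account is enabled."
    Write-Host    "  Fix: net user Guest /active:no"
    $problems++
}

if ($problems -eq 0) {
    Write-Host "No drive-root shares found and the Guest account is disabled."
}
```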

Conclusion

Wireless networking provides us with convenience, but we must take a common sense
approach in securing it. There is no single thing that will shield you from attack and
complete protection is very difficult to achieve against a determined intruder.

But if you take the time to understand the possible risks your wireless LAN is likely to
encounter, you can implement effective protection.

NEEDS

You can download Auditor from this site's direct download link:
http://ftp.dkuug.dk/pub/security/auditor/

Nowadays Auditor is known as BackTrack. You can download BackTrack from its mirror sites.
Current Version - BackTrack 2 Stable release Mar 06 2007

You will need a WLAN adapter with a Prism 1 or 2 based chipset, so this can guide you
on which one to buy.
