I managed to get myself some spare time last night to test out some wireless network cracking. I’ve got a spare AP at home which I black-holed and configured with 64-bit (40-bit actual encryption, 24-bit key) WEP. Then, using the Aircrack suite (airodump, aireplay, and aircrack), I sniffed some MAC addresses, found my target AP and associated test client, then caught an ARP request for re-injection into the network. Let me just explain why the ARP request is important.
If I was just passively sniffing traffic from a wireless network, I could be there for days, accumulating enough legitimate data (derived from one key) to brute force the key, and the key isn’t that hard to brute force when you do have the data, due to weaknesses in the key scheduling algorithm of RC4. So, ARP is a predictable packet: a few bytes of the header are usually the same, and the size of the packet is recognisable. So we have known plaintext, and the ability to sniff known ciphertext. Great, if we re-inject this ARP packet into the network, something’s going to respond. We’ll receive more ciphertext, to compare against known plaintext.
Even on a low-traffic network, we can encourage traffic using this re-injection technique, and then sit back and accumulate the data (Initialisation Vectors, or IVs) we need to brute force the WEP key.
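From the defender’s side, the same two properties that make this work are also what give it away: the 24-bit IV space is tiny, and a replayed ARP request shows up as the same encrypted frame (same source, same IV, same ciphertext) repeated many times in a short window. The script below is an added example, not code from this post or from the Aircrack project; it works over a constructed capture (the MAC addresses, IVs and payloads are made up) and flags IV reuse and frame replay, and also computes how few frames a single station needs before an IV collision becomes likely.

```python
import math
from collections import defaultdict

IV_SPACE = 2 ** 24  # WEP uses a 24-bit IV per frame

# Constructed sample capture: (timestamp_s, src_mac, iv_hex, frame_len, payload_hex).
# LEGIT sends ordinary frames with a fresh IV each time; REPLAY (hypothetical
# station) repeats one 68-byte ARP-sized frame, IV and ciphertext unchanged.
LEGIT = "02:00:00:00:00:01"
REPLAY = "02:00:00:00:00:02"
SAMPLE_FRAMES = (
    [(i * 0.5, LEGIT, f"{0x10a000 + i:06x}", 120 + i, f"c0ffee{i:02x}") for i in range(6)]
    + [(1.0 + i * 0.1, REPLAY, "3f2a11", 68, "deadbeef0102") for i in range(5)]
)


def frames_until_iv_collision():
    """Birthday bound: frames after which a repeated IV is more likely than not."""
    return int(math.sqrt(2 * IV_SPACE * math.log(2)))


def find_iv_reuse(frames):
    """Return (src, iv) for every frame whose IV that station already used."""
    seen = defaultdict(set)
    reuse = []
    for _ts, src, iv, _length, _payload in frames:
        if iv in seen[src]:
            reuse.append((src, iv))
        seen[src].add(iv)
    return reuse


def find_replay(frames, window_s=5.0, threshold=3):
    """Alert when an identical (src, iv, ciphertext) frame recurs >= threshold
    times inside window_s seconds; honest WEP traffic never repeats a frame."""
    by_key = defaultdict(list)
    for ts, src, iv, _length, payload in frames:
        by_key[(src, iv, payload)].append(ts)
    alerts = []
    for (src, iv, _payload), times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                alerts.append((src, iv, len(times)))
                break
    return alerts


if __name__ == "__main__":
    print("IV collision likely after ~%d frames" % frames_until_iv_collision())
    print("IV reuse:", find_iv_reuse(SAMPLE_FRAMES))
    print("replay alerts:", find_replay(SAMPLE_FRAMES))
```

On a busy AP the bound of a few thousand frames is reached in seconds, which is why WEP traffic, injected or not, inevitably leaks repeated keystreams.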
Simple, eh? Well, that’s what I was doing last night. Hopefully, I’ll get to test out some exploits against WPA-PSK tonight, or soon, at least.
Oh, and maybe I’ll play with polluting the airwaves, with this little number:
If one access point is good, 53,000 must be better.
Black Alchemy’s Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP’s cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
technorati tags: wlan, wireless, hacking, information security, wep, wpa
Trackback link
http://blog.yibble.org/2005/11/30/wireless-networking-fun/trackback/