Tilted Forum Project Discussion Community - View Single Post

Limey2 · 01-22-2006, 02:17 PM

Hi, I'm a new user - I found this thread on google and decided I would join as I like the gist of the forum as a whole.

I think I have something to contribute to this old thread so I figure I;d resurrect it.

I do wireless Network Penetration testing for a major tech company and there are a few caveats missing from the numbered security lock down parts of this discussion.

#1 Client Hijack.
No matter how good the encryption, be it WPA/RADIUS 802.1x, PEAP, LEAP, Kerberos5 or even WPA-PSK or lowly WEP they all share a fundamental flaw - client hijack.
Inevitably, laptop users will be local admins at any company or agency you choose. They will also inevitably play with their client so that they can use their home wireless, possibly to VPN in. These probes can be sniffed and it is easy to provide the named access point they are searching for. On corporate networks, they can even be "poached" with a same name louder signal (ap with directional antennae pointed at the window)
At this point it all comes down to how well the client is patched, for which the answer is usually, not completely up to date - especially if the laptop is not a member of the xyz domain - then it can be accessed and the WPA Pairwise Master Key or WEP key can be extrapolated from the windows registry.

Sometimes, and with some drivers, like linksys WPC11, the card will default to Ad-hoc mode and windows will helpfully assign a default 169.254.x.x IP address, using kismet, ethereal or airodump, this IP can be sniffed in monitor mode and the connection can then be established by granting yourself an IP in the same subnet.

#2 WEP, WPA, WPA-PSK
not all WPA is equal, the WPA standard has been muddied with newer Access Points and people have the habit of stating that WPA is secure. It's not that simple.
Many new APs will default to WPA-PSK with WEP, this is no better than plain WEP - it can still be broken! WPA is only secure when using TKIP or AES - the broken WEP key can be used to decipher traffic, though not for association, even if rekeying (MIC) takes place on some APs, it is too late, internal traffic capture has been made and the key breaks in 300-1M packets.

Even with WPA-PSK with TKIP, users are still using their pass-phrase like a key and using a single word or very simple phrase, such as a bible passage (after calling the AP something like johnx:x)
forged de-authentication of a client will result in the replay of the four way EAPOL handshake which can be cracked offline with around 5-10K guesses per second, obviously dictionary words will fall.

Also, use of the AP built in Passphrase generator for WEP was mentioned, the Linux utility "wepattack" has broken this algorithm for most APs and the seed "pass-phrase" is the same as the WEP key itself when performing a dictionary attack - in laymans terms, it is possible to break 64-256bit WEP with a single data packet in less than a second if someone were silly enough to choose a pass-phrase like, "cat" by piping john the ripper into wepattack or using a dictionary of people's names. (two of my neighbors have such simple keygen constructed WEP keys - broken with their permission)

Hope this helps some of you more informed people to further strengthen your home networks - your companies are only as secure as your homes, and you could have me as a neighbor.

01-22-2006, 02:17 PM	#45 (permalink)
Limey2 Upright	Wireless info Hi, I'm a new user - I found this thread on google and decided I would join as I like the gist of the forum as a whole. I think I have something to contribute to this old thread so I figure I;d resurrect it. I do wireless Network Penetration testing for a major tech company and there are a few caveats missing from the numbered security lock down parts of this discussion. #1 Client Hijack. No matter how good the encryption, be it WPA/RADIUS 802.1x, PEAP, LEAP, Kerberos5 or even WPA-PSK or lowly WEP they all share a fundamental flaw - client hijack. Inevitably, laptop users will be local admins at any company or agency you choose. They will also inevitably play with their client so that they can use their home wireless, possibly to VPN in. These probes can be sniffed and it is easy to provide the named access point they are searching for. On corporate networks, they can even be "poached" with a same name louder signal (ap with directional antennae pointed at the window) At this point it all comes down to how well the client is patched, for which the answer is usually, not completely up to date - especially if the laptop is not a member of the xyz domain - then it can be accessed and the WPA Pairwise Master Key or WEP key can be extrapolated from the windows registry. Sometimes, and with some drivers, like linksys WPC11, the card will default to Ad-hoc mode and windows will helpfully assign a default 169.254.x.x IP address, using kismet, ethereal or airodump, this IP can be sniffed in monitor mode and the connection can then be established by granting yourself an IP in the same subnet. #2 WEP, WPA, WPA-PSK not all WPA is equal, the WPA standard has been muddied with newer Access Points and people have the habit of stating that WPA is secure. It's not that simple. Many new APs will default to WPA-PSK with WEP, this is no better than plain WEP - it can still be broken! WPA is only secure when using TKIP or AES - the broken WEP key can be used to decipher traffic, though not for association, even if rekeying (MIC) takes place on some APs, it is too late, internal traffic capture has been made and the key breaks in 300-1M packets. Even with WPA-PSK with TKIP, users are still using their pass-phrase like a key and using a single word or very simple phrase, such as a bible passage (after calling the AP something like johnx:x) forged de-authentication of a client will result in the replay of the four way EAPOL handshake which can be cracked offline with around 5-10K guesses per second, obviously dictionary words will fall. Also, use of the AP built in Passphrase generator for WEP was mentioned, the Linux utility "wepattack" has broken this algorithm for most APs and the seed "pass-phrase" is the same as the WEP key itself when performing a dictionary attack - in laymans terms, it is possible to break 64-256bit WEP with a single data packet in less than a second if someone were silly enough to choose a pass-phrase like, "cat" by piping john the ripper into wepattack or using a dictionary of people's names. (two of my neighbors have such simple keygen constructed WEP keys - broken with their permission) Hope this helps some of you more informed people to further strengthen your home networks - your companies are only as secure as your homes, and you could have me as a neighbor.