Exploration of Wireless Networks Using the 802.11b protocol


            It seems that the new thing in the underground is breaking into various systems via a wireless connection. This is so because the wired equivalent protocol (WEP) has, especially recently, been shown to be flawed. What WEP attempts to do is deliver an infrastructure that makes it harder to "plug in" to the wireless network. Picture a corporate LAN with ethernet jacks every meter along the walls. This is what WEP actually accomplishes :) Also remember that wireless networks reach beyond the area they are meant to service, so not only are there ethernet jacks every meter along the walls, they go down the street a few blocks as well.


WEP protects a network using a 40/64-bit or 128-bit key. When wireless networking was still in diapers, security was not a priority; walking was. Some of WEP's problems stem from mistakes in the algorithm. WEP has addresses that can be forged. /* Here it's not WEP that's at fault. 802.11 emulates a standard ethernet in a wire-free form, and as part of the 802.foo specs there are MAC addresses that are a part of the level 2 protocol. These are in theory spoofable, but in practice it's not always as easy. There are genuinely few cards that allow you to change the MAC address, and out of those that do, sometimes (this is the case with WaveLAN based cards, such as the AirPort and Lucent cards) at the -hardware- level it gets blocked by the card itself. For the WaveLAN based cards, there exists a firmware patch that Lucent will only release under strict NDA and licensing that will enable the cards to broadcast level-2 packets that contain source addresses -other- than their hard coded address. */ And lastly, the encryption key or keys must be shared by all the users on the same network. This most of all reduces the security level of the network, as the -same- key gets sent out repeatedly, and once you get the key there is nothing in the way except for possible encryption at levels 3 or 4.


When a wireless network is being created, most people either do not test the placement of the base station(s), or do not take into account such things as brick walls that block the signal, large metal plates that may reflect it, or the park bench down the street that, for some reason, the packets fly by.


            Now that you are interested in this subject, you first need to know how to access these magical wireless networks. The first thing you will need is a computer with 802.11 compatibility. Laptops are always preferred, for the obvious reasons, and keep in mind that there are different revisions of the 802.11 specification. The original spec called for 2mb/s and no WEP. The next level, 802.11c, introduced WEP and 11mb/s, and with 802.11b we saw 128 bit keys for WEP. There is a new spec coming online now, 802.11a. This will allow 54mbs sans-fils, although I believe it offers no improvements to the WEP feature. As of this writing (fall 2001) there is just one company producing these new cards, with others promised for the near future.


            Before we get into the fun parts, there are a few things that I think you should know about if you want to have FWNW (Fun With No Wires; watch out, it's addictive), and that is simply a little about the structure of the layer-1 802.11 packets. These packets are remarkably similar to low-level ethernet packets, but with additions for ESSID (Extended Service Session ID), encryption (by WEP), and station names, which differ from MAC addresses in that they are strings, as opposed to a series of hex digits. These can also be duplicated, and quite often base stations (or access points, whatever) have the station name set the same as the ESSID, for simplicity's sake. So, you have to remember that each network broadcasts using the same Session ID, and that each station is assigned a Station ID. Normally ESSIDs are manually assigned, using whatever tool your OS supports. One neat thing, though, is that the 802.11 spec says that if there is no ESSID set and the interface transmits or receives a packet, then the card is to use whichever ESSID it finds first. If the card gets reset (you can force resets via software), then it looks for another ESSID, and failing that, falls back on the old one. At this point light bulbs should be going off in your head, as this is the basis of wireless network scanning.


            There are multiple ways you can go about looking for these networks, either by using one of the pre-made pieces of software such as AP Scanner, which runs on Apple (used and recommended by Magma); I know there are a few of these on freshmeat, graphical and/or console. Or, if you are like me, then you could just write your own in perl. I'll give you some tips and a simple script at the end of the file. Lots of the wardriving (or warbiking, or warwalking) sites stress that you need an external antenna, and I'd like to say that while helpful, they are hardly necessary. Most of the time when I'm scanning, I'll be walking around with my laptop in my backpack and a headphone running to my ear for output from the scanner. I personally own an iBook, and these have an omnidirectional antenna which has some front-back tendencies (the signal goes more forward and backward than side to side), and it works fine. Now, if you are in a car, it's a bit different, as you are traveling at a higher velocity and (in most cases) farther from the buildings. Although I must say that I have used my laptop sans antenna from a moving car, and it does work; it just requires a bit more planning in the placement of the laptop.


            For the most part, getting online via 802.11 is quite easy, for the simple reason that most people either forget or forgo a WEP password, whatever their reason may be. If this is the case you can simply assign the discovered ESSID, or have it automatically set for you, and then your card will begin catching the desired packets.


/* I don't know about this section as much, as I haven't done too much with wep cracking. I'm just rewriting this part for clarity :) */


            If there is WEP in the picture, things change somewhat. Some of the more advanced scanners (I'm not sure if there are any free ones that do this; I know the scripts I've written and seen don't) will report ESSIDs for networks that have WEP enabled. If this is the case, then you can just make a brute force cracker, but this can take a while as passwords can run quite a few characters long. Fortunately, as we know, WEP is insecure. The theories for cracking it have been around for quite some time, and in the past few months people have released software (some commercial, some freeware/GPL, with names like Airsnort and WEPcrack) that does it at the click of a button. The only prerequisite for most of these pieces of software is large amounts of data to fool with. You need to gather packets at the site in question for periods of time ranging from minutes to hours. Also, most of the already-written crackers are dependent on specific wireless chipsets, like the prism2 chipset. Depending on your situation, this may or may not be a problem. If the target network is located at a public library or a coffee shop, then you would have no problem staying there for hours at a time. If the network is located on a busy downtown street, then your options are more restricted, to things such as walking back and forth multiple times a day and compiling the packet logs over a period of weeks or even months, or even just sitting in their stairwell for a few hours. The software will then analyze the packet logs and try to guess which packets have encoding problems, that is, where the sources of randomness (SYN numbers, TCP flags) weren't computed as well as they could have been. I don't have much experience with this personally, because none of the networks I've found so far have had WEP activated :). And never forget, of course, the time honored traditions of brute forcing and guessing. It's easy: just use perl, and apply the same steps as mentioned for collecting data.
The key to these things is that you don't have to be connected all the time; you could, for example, take a detour on the way to work each morning and wander around the building where the target network is located. Or even just walk past it. If it's a busy network, there will be plenty of traffic, even for the few minutes it takes you to walk past. And remember that 802.11 is a level 2 protocol, so all the dns queries, arp queries, WOL (wake on lan), things like that are always floating around out there, just waiting for an antenna.
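The two points made above about WEP, that the same shared key is used repeatedly by everyone on the network, and that crackers need "large amounts of data" gathered over "minutes to hours", both reduce to one number: how much traffic it takes before the network encrypts two frames with the same keystream. The Python below, added here and not part of the original article or its authors' scripts, works that number out for an administrator who wants to know how exposed a WEP network is. It relies on one fact about the protocol the article does not spell out: each frame is encrypted with RC4 keyed by the shared key plus a 24-bit per-frame IV sent in the clear, so two frames with the same IV under the same key share a keystream, and since every user holds the same key the whole network draws from a single pool of 2^24 IVs. The frame rate used at the bottom is an illustrative figure, not a measurement.

```python
"""Birthday-bound estimate of keystream reuse on a WEP network.

Added example, not from the original article. Models each transmitted frame as
drawing a 24-bit IV at random (the protocol fact assumed here); a repeated IV
under the one shared key means a repeated RC4 keystream.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs, shared by every user of the key


def prob_iv_reuse(frames: int, iv_space: int = IV_SPACE) -> float:
    """Exact probability that at least two of `frames` random IVs coincide."""
    if frames > iv_space:
        return 1.0                                   # pigeonhole: reuse is certain
    # P(no collision) = prod_{i<frames} (1 - i/N); summed in log space for accuracy
    log_no_collision = sum(math.log1p(-i / iv_space) for i in range(frames))
    return -math.expm1(log_no_collision)


def frames_for_reuse_probability(target: float, iv_space: int = IV_SPACE) -> int:
    """Smallest number of frames at which P(some IV reused) >= target."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    if target == 1.0:
        return iv_space + 1                          # only certain once the IV space is exhausted
    log_no_collision = 0.0                           # product for n = 1 frame
    n = 1
    while -math.expm1(log_no_collision) < target:
        log_no_collision += math.log1p(-n / iv_space)   # extend the product to n + 1 frames
        n += 1
    return n


def seconds_until_reuse(target: float, frames_per_second: float,
                        iv_space: int = IV_SPACE) -> float:
    """Wall-clock time at a given traffic rate until reuse probability reaches `target`."""
    return frames_for_reuse_probability(target, iv_space) / frames_per_second


if __name__ == "__main__":
    for p in (0.01, 0.10, 0.50, 0.90):
        n = frames_for_reuse_probability(p)
        print(f"P(reuse) >= {p:.2f} after {n:>6} frames")
    # Illustrative rate (constructed, not measured): a busy network pushing 500 frames/s.
    print(f"at 500 frames/s, 50% reuse chance in {seconds_until_reuse(0.5, 500.0):.1f} s")
    print(f"IV space necessarily exhausted after {IV_SPACE} frames")
```

The 50% mark lands at 4823 frames, a few seconds of traffic on a busy network, which is why captures measured in "minutes to hours" should be read by an administrator as guaranteed exposure rather than a risk. A longer shared key does not change this figure at all; only a design that stops handing every user the same key and the same small IV pool does.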


            There are many opinions on the ways you can actually go out and find networks, and I'm going to go over a few just to give you some inspiration. First off, humans have been graced with two feet. They are very useful. Personally, I prefer to do all my packet hunting on foot, as this allows you to get the closest to the networks themselves, or to go inside and hide in a stairwell at a moment's notice. As far as user interface goes, my scripts so far have used audio output, and I wear a headphone in one ear while I'm scanning. Using speech synthesis, the scripts let me know what's going on. There are of course numerous disadvantages to this. It's slow, you can't cover nearly as much ground as with most other methods, and it can be suspicious looking (try walking downtown with one headphone in your ear and holding a directional antenna made from a tomato juice tin and an old nintendo zapper, with its lead running into your backpack, and you'll know what I mean). But if you don't own a car, and you don't always carry around external antennas (*wink*), then this method is pretty much the most anonymous of them all. You're just another monkey with a backpack, one of hundreds out there... The next most popular method (and the one with a catchy media term) is using a car. In your car, you can be warm, and you can interactively use the computer while you comfortably sit down, not exerting your legs at all. One thing I've noticed is that it really, really helps to have an external antenna while doing this, as you are traveling at a higher velocity and the networks are in general farther away. This isn't to say that you won't pick up any networks, you just won't pick up as many.


Sniffing packets as they go by or using software to find base stations is a passive attack, meaning that you don't leave a trail. This also means that the admin on a system cannot see what you are doing. However, once you connect to a network you leave behind the MAC address (same as on a wired LAN) of your wireless card. In theory, if you cause substantial amounts of damage you could be tracked down through it (buy your 802.11 card using cash, kids). You've been warned, but do keep in mind that this scenario is not very likely to happen, as it's quite resource intensive.
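From the administrator's side, the MAC address left behind at association time is the only record of a visitor the base station keeps, so the practical check is to compare association logs against the client cards you actually issued. The Python below is an added example, not from the original article; the log format (timestamp, AP name, event, client MAC) is constructed for the demonstration, and real base stations log association events in their own formats, so the parser is the part to adapt.

```python
"""Audit access-point association logs against an allowlist of known client MACs.

Added example, not from the original article. Log lines below are constructed
samples in a made-up format: "<Mon DD HH:MM:SS> <ap-name> assoc|disassoc <mac>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<ap>\S+) (?P<event>assoc|disassoc) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_assoc_line(line: str):
    """Return (timestamp, ap, event, mac) or None for lines that are not association events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["ap"], m["event"].lower(), m["mac"].lower()


def audit_associations(lines, known_clients):
    """Clients that associated but are not in `known_clients`, keyed by MAC.

    Each entry records when the card was first seen, which APs it touched and how
    many times it associated.  The MAC is all the AP knows about the visitor (the
    article's point), so this is an inventory check, not proof of who was there.
    """
    known = {m.lower() for m in known_clients}
    unknown = defaultdict(lambda: {"first_seen": None, "aps": set(), "count": 0})
    for line in lines:
        parsed = parse_assoc_line(line)
        if parsed is None or parsed[2] != "assoc":
            continue                                 # skip noise and disassociations
        ts, ap, _event, mac = parsed
        if mac in known:
            continue
        entry = unknown[mac]
        entry["first_seen"] = entry["first_seen"] or ts
        entry["aps"].add(ap)
        entry["count"] += 1
    return dict(unknown)


# Constructed sample data: two issued cards, one stranger wandering between two APs.
KNOWN_CLIENTS = {"00:60:1d:aa:bb:01", "00:60:1d:aa:bb:02"}
SAMPLE_LOG = """\
Oct 12 08:14:02 ap-lib1 assoc 00:60:1d:aa:bb:01
Oct 12 08:15:40 ap-lib1 assoc 00:02:2d:55:66:77
Oct 12 08:16:03 ap-lib1 syslog: restarting dhcp relay
Oct 12 08:21:11 ap-lib2 assoc 00:02:2d:55:66:77
Oct 12 08:22:09 ap-lib2 disassoc 00:02:2d:55:66:77
Oct 12 09:02:45 ap-lib1 assoc 00:60:1d:AA:BB:02
""".splitlines()

if __name__ == "__main__":
    for mac, info in audit_associations(SAMPLE_LOG, KNOWN_CLIENTS).items():
        print(f"{mac}: first seen {info['first_seen']}, APs {sorted(info['aps'])}, "
              f"{info['count']} associations")
```

MACs are normalised to lower case before comparison, since different base stations and operating systems print them in different cases; the allowlist is deliberately the only signal used, because the article is right that an unknown MAC on its own tells you nothing about who was behind it.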


/* :( dos is silly.*/


            Just when you thought you had heard the last of Denial of Service attacks. Yes, you can do such a thing to a wireless network. Due to the nature of radio transmission, wireless networks are very prone to denial of service attacks. If you really wanted to crash a network and had a powerful enough transceiver, you could easily create enough interference that the wireless network would be unable to communicate. This kind of attack can be done from a somewhat remote location, for example an apartment on the same block as the network. If you are, or know someone who is, well versed in short-wave radio, you should have no problem creating such a mess, at a reasonable price too. There is a much simpler way to cause the same effect on a somewhat smaller scale. I'll use my iBook as an example. The software that shipped with my iBook allows me to use it, or another computer with a wireless card, as a software base station. What this means is that I can use it as an access point without buying a base station. This is an option for people who have two wireless cards but lack a hardware base station, so now you know why Apple ships this software. The wonderful thing is that when I activate my iBook as a software base station and walk into any area that has a wireless network (I'll use a university for this example), it causes everyone within 150 feet (the distance increases when you add an antenna) to try to connect to me rather than the university's network. This happens because most people will connect to the access point with the strongest signal, and of course my signal will be stronger if I'm right beside you. As you can see, this will cause people to be unable to access the information they are seeking. As soon as I leave the area all will be fine.
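The packet structure described earlier (ESSID, station names and the WEP flag riding on an ethernet-like frame) is also what lets an administrator catch the two situations this article describes: a network running without WEP, and a stray base station, software or otherwise, advertising the campus ESSID from a card nobody installed. The Python below is an added example and not the original article's or its authors' code. It parses the standard 802.11 beacon frame layout (24-byte management header, then timestamp, beacon interval and capability field, then tagged parameters), reports the ESSID, BSSID, channel and whether the privacy bit is set, and checks each beacon against an inventory of the access points you actually run. The frames, MAC addresses and ESSIDs are constructed for the demonstration, and the small builder exists only to produce that sample input.

```python
"""Parse 802.11 beacon frames and audit them against an access-point inventory.

Added example, not from the original article. Frame layout follows the 802.11
management header plus the beacon's fixed and tagged fields; every frame, MAC
and ESSID below is constructed for the demonstration.
"""
import struct

BEACON_FC = 0x80             # frame control byte 0: type = management, subtype = beacon
CAP_PRIVACY = 0x0010         # capability bit 4: "privacy" (WEP) required
TAG_SSID, TAG_DS_PARAMS = 0, 3


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: str, ssid: str, privacy: bool, channel: int) -> bytes:
    """Construct a minimal beacon (sample input only; a real card also sends rates etc.)."""
    header = struct.pack("<BBH", BEACON_FC, 0x00, 0)          # frame control, duration
    header += mac_bytes("ff:ff:ff:ff:ff:ff")                   # DA: broadcast
    header += mac_bytes(bssid) + mac_bytes(bssid)              # SA, BSSID
    header += struct.pack("<H", 0)                             # sequence control
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)             # ESS bit, plus privacy if WEP on
    fixed = struct.pack("<QHH", 0, 100, cap)                   # timestamp, interval (TU), capability
    body = ssid.encode()
    tagged = bytes([TAG_SSID, len(body)]) + body
    tagged += bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + tagged


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, ESSID, channel, beacon interval and the WEP/privacy flag."""
    if len(frame) < 36 or frame[0] != BEACON_FC:
        raise ValueError("not a beacon frame")
    bssid = mac_str(frame[16:22])
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "ssid": "", "channel": None,
            "privacy": bool(cap & CAP_PRIVACY), "beacon_interval": interval}
    pos = 36
    while pos + 2 <= len(frame):                    # walk the tagged parameters: id, len, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tagged parameter")
        if tag == TAG_SSID:
            info["ssid"] = value.decode(errors="replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def audit_beacons(frames, inventory):
    """inventory maps each ESSID you operate to the set of BSSIDs you installed for it.

    Findings are (kind, bssid, ssid):
      rogue-bssid       a BSSID you did not install is advertising one of your ESSIDs
                        (a laptop run as a software base station looks exactly like this)
      wep-off           one of your ESSIDs is being advertised with the privacy bit clear
      not-in-inventory  a network you know nothing about (neighbour, or an unsanctioned AP)
    """
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b["ssid"] in inventory:
            if b["bssid"] not in inventory[b["ssid"]]:
                findings.append(("rogue-bssid", b["bssid"], b["ssid"]))
            if not b["privacy"]:
                findings.append(("wep-off", b["bssid"], b["ssid"]))
        else:
            findings.append(("not-in-inventory", b["bssid"], b["ssid"]))
    return findings


# Constructed sample: one legitimate campus beacon, one copy of the campus ESSID from an
# uninventoried card with WEP off, and an unrelated network from across the street.
INVENTORY = {"campus-net": {"00:40:96:aa:bb:01", "00:40:96:aa:bb:02"}}
SAMPLE_FRAMES = [
    build_beacon("00:40:96:aa:bb:01", "campus-net", privacy=True, channel=6),
    build_beacon("00:03:93:de:ad:01", "campus-net", privacy=False, channel=6),
    build_beacon("00:02:2d:11:22:33", "coffee-shop", privacy=False, channel=11),
]

if __name__ == "__main__":
    for kind, bssid, ssid in audit_beacons(SAMPLE_FRAMES, INVENTORY):
        print(f"{kind:18} {bssid}  {ssid!r}")
```

Run continuously on a card in monitor mode with the real beacons fed to parse_beacon, the rogue-bssid finding fires the moment a second base station starts announcing your ESSID, which is the only warning the clients themselves will give you, since they silently pick the stronger signal just as the paragraph above says.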


            This large gap in security may not be around for too much longer. Under development are new versions of both the WEP and 802.11b protocols that will include stronger security features such as personal passwords. This may mean new hardware for those currently operating wireless networks, or it may come in the form of software patches. However, these features will not be released until mid-2002 at best.


            In the meantime, there are other options out there, ranging from IPsec to other things involving dynamic interactive firewalls, to only using ssh and remote X on your machine :)




-           Magma (www.ghu.ca)

-           The_p0pe