Latest News & Articles On Windows Security
Windows 7, the newest operating system from Microsoft, simplifies computer security, making it easier for you to reduce the risk of damage caused by viruses, spyware and other malware. Windows 7 also features an improved backup solution to help keep your information safe, and its improved parental controls help you protect your family. Read about the new and improved safety, security, and privacy features in Windows 7.
The Action Center: security information at your fingertips
The new Windows 7 Action Center in the Control Panel helps you make sure that your firewall is on, your antivirus software is up to date, and your computer is set to install updates automatically. For more information, see How does Action Center check for problems?
Protect your data from theft, hackers, and accidental loss
BitLocker Drive Encryption encrypts your Windows hard disk to help keep documents, passwords, and other important data safe. Once you turn on BitLocker, any file that you save on that drive is encrypted automatically.
For more information about BitLocker Drive Encryption, see Explore the features: BitLocker or Set up your hard disk for BitLocker Drive Encryption.
Windows Firewall can also help protect your computer from hackers and malicious software. With Windows 7, the built-in firewall is more flexible and easier to use than before.
The Microsoft backup system is also improved for Windows 7. Backup and Restore creates copies of your most important files, so you're always prepared for the worst. For more information, see Backup and restore: frequently asked questions.
Defend your computer against viruses, spyware, and other malware
Microsoft Security Essentials is a free download for Windows 7 that helps protect your computer from viruses, spyware, worms, Trojans, and other malware. For more information, see Help Protect your PC with Microsoft Security Essentials.
Windows 7 also includes Windows Defender, software that helps protect your computer from pop-up ads, slow performance, and security threats caused by spyware and other unwanted software. For more information, see Using Windows Defender.
Reduce risk by enhancing security and control
Windows 7 makes it easier and less intrusive to run your computer as a standard user instead of as an administrator. Windows Vista introduced User Account Control, a feature that warned you when a program wanted to make a change on your computer. Windows 7 improves on this feature, which means you’ll get the same level of protection, but with fewer messages than before.
To learn more, see Windows 7 features: Windows User Account Control.
Help protect your family
Windows Vista included parental controls, but they are new and improved for Windows 7. Now they're more flexible and easier to use. With Windows 7 Parental Controls you can:
With the Parental Controls in Windows Media Center (available in Windows 7 Home Premium and above), you can also block access to objectionable TV shows and movies.
Ref: http://www.microsoft.com/security/pc-security/windows7.aspx
This article discusses how effective various encryption schemes are and some of the tools used to discover WAPs. If you would like to read the next part in this article series please go to The Lack of WiFi Security (Part 2).
Hopefully by now everyone has heard that WiFi (wireless) is subject to a series of attacks that will lead to its compromise. How effective are the various encryption schemes though? What are some of the tools used? Read on to find out.
WiFi security or lack thereof
I think we all agree that having the option of wireless connectivity is great. It certainly helps to have it in a corporate setting as well. The freedom to roam about the office with your laptop helps worker efficiency, and is simply nice to have at home as well. No longer are we constrained by cables and such. Heck, I remember having a 100 foot length of CAT-5 in my home that I used to connect my laptop to my router. That was a pain in the butt, believe me.
Well, with this newfound freedom have come certain risks. Every time you introduce new technologies you can rest assured that exploits for them are soon to follow. So with this in mind it was no great surprise that 64 bit WEP was quickly found to be lacking in terms of its implementation. So the vendors upped the ante and came out with 128 bit WEP, and this in turn was also found to be lacking. It kind of makes you think of the old arms race, doesn’t it? For every new weapon that comes out, there is quickly a counter-measure for it.
WiFi hacking has been around for some time now, and oddly enough has really received little press. Since 2001, 64 bit WEP has been breakable. That was also around the time that well known tools such as Airsnort gave the ability to break into wireless networks to the masses. This tool is only half of the equation though, for you still require something to let you know if there are any wireless access points around you.
We shall now go on to look at various tools which will allow you to do some WEP cracking. Some of the tools shown are Linux based, but some have since been ported to Win32. On that note let’s get to the business of profiling some of the tools used to pull off a WiFi hack.
What tools do you use to crack WEP?
There is a fairly decent variety of tools out there to help you crack WEP keys. One of them, which I mentioned already, is Airsnort as coded by Snax of Shmoo group fame. Much like any hack, there is typically a logical series of events that need to take place first. What do you think the first step would be? Well, seeing as we want to crack WEP keys, our first step should be to find ourselves a wireless access point (WAP). To that end some tools which will help you detect WAPs are as follows. Please bear in mind that not all of them are available in Win32. I will indicate as such where one of them is not.
This tool does a combination of things for you and is native to *nix. Kismet will not only detect WiFi networks, it is also capable of sniffing packets from them, and can act as an intrusion detection system as well. All in all, it is a very functional tool and is also one that is still actively maintained. Please note that you can run Kismet on your favorite Win32 operating system, but you will need to do so with cygwin. Though this tool is indeed very functional, some people find it a little confusing to work with. That said, should you wish to install it on your Win32 laptop then please click here for a good explanation of how to do it.
Now is a good time to point out that you will need an external wireless card to do WEP cracking, as the onboard wireless card you have is simply not up to the task of detecting all WiFi networks that may be around you. Some of the cards that I suggest you get are the Cisco Aironet a/b/g (this is the one I have), the 3Com 3CRPAG175 wireless card, and lastly the Linksys Dual Band wireless card.
Please bear in mind that this is not an exhaustive list. All said and done I would go for the Cisco Aironet card as it will support both a/b/g modes.
Netstumbler is a tool which will allow you to detect WAPs around you. It is fully functional on Win32, specifically W2K Pro and Win XP. You are once again limited by having to have a wifi card that is supported by Netstumbler. However, this software tool will not detect WAPs that are configured to not broadcast their SSID. This is a rather limiting factor, and is the main reason why you would be better off using another tool during your discovery phase.
The tools shown above are both free tools available to you at no cost other than your time to configure them. This tool is commercial in nature, but does a far better job at finding WAP points, and a whole lot more. AirMagnet is also native to Win32 and can be used with ease, as opposed to some of the problems you may have trying to get the two tools noted above working. Though some tools can do a good job of both detecting and then collecting WAP point traffic, you are likely best off splitting your tool kit into two. With that in mind I would use either Netstumbler or Airmagnet for WAP detection if you are trying to do so with only free tools.
We can see from the above screenshot that there are four wireless networks detected. These are all within range of my wifi card to detect, and in all likelihood these networks belong to my neighbors. The topmost network with no SSID is mine as I have it set to not broadcast my SSID. Also of note is the fact that only three out of four networks have some form of WEP (64 or 128 bit) enabled.
With the above noted screenshot in mind we see how easy it would be to use this tool to associate yourself to a wireless network whose WEP you have broken. Once you have the key, it would be trivial then to insert yourself into the network. Anyhow I don’t wish to dwell on this tool as it is indeed a commercial one, and I prefer to show you tools that are free in nature. That said, this tool is extremely powerful and easy to use. If your company can afford to buy it then I for one would certainly counsel you to do so.
Wrapup
Well, over the course of this article we have seen that there are a fair number of tools out there for the discovery phase of wireless networks. All you really need is a decent wifi card and you are good to go. Netstumbler is really a rather nice tool for Win32, while Kismet can be made to work as well on your Windows O/S. These tools are just for the discovery of WAPs, and not really for the collection and subsequent breaking of WEP. What we shall look at in part two of this article series are tools to collect, and in turn, break WEP. Remember, while discovering WAPs around you may be fun to do, it is still illegal for you to connect to them. Please bear that in mind. On that note I shall see you in part two!
Tools that collect packets and then break the WEP keys. If you missed the first part in this series please read The Lack of WiFi security (Part 1).
In part one of this article series on wifi security we took a look at some tools that will help you discover WAP points in your immediate vicinity. What we shall do in this part is look at tools that will actually collect packets and then break the WEP keys.
WiFi security or lack thereof Part II
In the first part of this article series we looked at some of the tools that exist today which will allow you to discover wireless access points (WAP). Wireless networks have become very popular over the past few years for not only business, but also the home market. In all likelihood your neighbors are probably running a wireless router for their home computer network even though it is not using a wireless card. People are often talked into getting wireless routers, even though they don’t need them, by salespeople at electronics stores. These very same people are sadly the ones who are also running an unprotected WAP.
Having a WAP is not in and of itself inherently insecure, but you do need to take measures to properly harden it. That includes having encryption enabled, and making sure that you have the latest firmware available as well. Some other common sense measures should also be implemented. For one, there is no need to broadcast your SSID. You already know what it is, so why make a potential hacker's job that much easier?
Another simple measure to take is to enable MAC filtering on your WiFi network. What this does is restrict access to your WAP by virtue of specifying a list of MAC addresses that have permission. All other computers or laptops whose MAC addresses are not on that list will be refused permission. This security measure can be bypassed by an attacker changing their MAC address; however, every layer of security helps. Remember “defense in depth”.
On with the show
Well, as noted above, I hope your WAP is properly secured. On that note we will now look at some tools which will allow an attacker to compromise that very same WAP. First up on the list is Airsnort. You may recall that I touched on it very briefly in part one of this series. Well, we shall now take a look at it. Airsnort will run on either win32 or *nix as mentioned on its homepage. It will take you a bit of extra effort to run it on Windows but rest assured it is entirely possible to do so.
Using Airsnort is fairly simple as seen from the above screenshot. You will need to ensure that you are using a supported wifi card for one. Once done you simply ensure that Airsnort is working off of the proper network device and is using the right driver type as well. Once that is done, along with any other minor tweaks you may want to make, you are ready to start it. You will note the values for “crack breadth” on the upper right hand side of Airsnort. I would advise you to leave these at their defaults unless you read up on what they mean and how they will impact cracking WEP.
Airsnort does have one limitation, and that is it requires a large number of packets to be collected from the WAP in question. I don’t mean a couple of hundred either, but rather a couple of hundred thousand or several million. As you may have guessed, there are not too many WAPs out there that will generate that type of traffic quickly. So you can imagine that cracking WEP could be a time consuming affair. Well, there are tools that have come out since Airsnort was first written which will dramatically reduce the time it takes to crack 64 bit WEP.
WEP crackers
There are several tools that will take wifi packet captures as their input and then work on cracking the key for you. One of the first ones to be aware of is WepAttack, and please bear in mind that this is a linux based tool. Though the operating system of choice for many is Windows, it also should be remembered that not all tools written to attack Windows or other devices are native to win32. You should try to gain at least a rudimentary knowledge of other operating systems and the tools available to them. WepAttack, as seen on its homepage, is a command line utility which accepts .pcap data. You would use a tool such as the earlier discussed Kismet to capture wireless frames and then use WepAttack afterwards to crack the WEP key. It is a pretty simple tool to use.
WEPCrack is another tool to use for cracking WEP keys via a .pcap file for input. The tool is also written in PERL so that means you can use it on your win32 box so long as you have a PERL interpreter installed. Should you not have an interpreter installed then simply go here and get one.
WepLab is the last tool that we shall look at in this article. This tool is available for win32, linux, BSD and Mac. So pick your poison as it were. Once again this tool will work like WEPCrack in that it will accept .pcap data as its input and then try to crack the WEP key.
Wrapup
Well, so far we have seen that there is a fairly wide variety of tools out there which will help you crack WEP keys, be they 64 or 128 bit in length. While some of the older tools such as Airsnort do work quite well, they do require a fair amount of data before becoming effective. Since Airsnort was released new attacks have been formulated. No longer do you really need to sit outside an office space, as it were, to collect a myriad of encrypted data. Such simple things as stimulating the WAP by sending data to it in order to increase packet transmission will help to cut down the time it takes to crack the WEP key. For that type of scenario you would need two separate laptops. One would be used to actively attack the WAP itself while the other one served as a collection point in order to harvest the packets at a much higher rate than the WAP would normally transmit at.
We also saw that once the WEP key has been recovered, it is rather simple to use it to then associate yourself to that WAP. If the WAP has MAC filtering enabled then your task will be a tad more difficult, but far from impossible. Using a tool such as SMAC will allow you to change your MAC address quite easily. Just as I mentioned above in this article, enabling MAC filtering is by no means a definitive block. It will simply slow someone down if they are a determined attacker.
What you will hopefully try to now do is use some of these tools in your home lab to actually break 64 and 128 bit WEP. It is only by doing something that you will truly understand it. Much like “doubting Thomas”, seeing is believing. On that note I will end the article series, and hopefully this series has shown you just how weak 64 and 128 bit WEP is. As always I welcome your feedback. Till next time!
Ref: http://www.windowsecurity.com/articles/WiFi-security-lack
The Metro GUI is the most visible representation of Microsoft's coming operating system. While the release of the tentatively named Windows 8 is still a year away, the company has not been shy about putting the multicolor tiled interface front and center. Windows 8's security improvements will be much less visible, and that's just the way Microsoft wants it.
The company has added a number of protection features to Windows 8 to better protect the system, all the while making the security less intrusive by limiting the number of notifications a user may receive. For example, the company's SmartScreen technology for detecting potentially malicious sites -- introduced with Internet Explorer 8 -- will be built right into the OS to allow any file downloaded to a Windows 8 computer to be checked out by the system, yet the protection should not alert the average user more than twice a year, Microsoft says.
The higher signal-to-noise ratio will likely make users pay more attention to the truly dangerous incidents, Steven Sinofsky, president of Microsoft's Windows and Windows Live division, writes in a blog post on Microsoft's Developer Network. "When they do see (a notice), it will signify a higher risk scenario," he says in a description of the feature.
Using its telemetry data, Microsoft has found that 95 percent of Internet Explorer 9 users do not run malicious software when they receive a SmartScreen warning. Once a user receives a SmartScreen warning, their chance of getting malware if they run the suspect program varies from 25 to 70 percent, according to Microsoft. Some 92 percent of applications downloaded by users already have an established reputation, so SmartScreen does not issue a notification.
Allowing SmartScreen to check applications downloaded by other browsers and applications is not the only feature Microsoft has added. Here are the ones currently announced.
Improving Windows Defender
The company plans to make Windows Defender a baseline security solution, which will block all commonly used malware, worms, Trojan horses, and other attacks. Microsoft plans to use a file system filter to better protect critical files.
Making Windows 8 harder to exploit
Microsoft will bring a lot of security improvements to the kernel and a dynamically assigned area of memory known as the heap. Finally, the company plans to add defenses to Internet Explorer to eliminate "use-after-free" vulnerabilities, which make up three-quarters of the flaws reported in IE in the past two years. Basically, we can expect Internet Explorer to do a better job of cleaning up after itself and flushing away sensitive data after it has been used.
Supporting UEFI Secure Boot
Secure Boot uses the Trusted Platform Module, a piece of hardware that has shipped in millions of systems, but largely remains unused. Microsoft had planned a similar feature, dubbed Secure Startup, in Windows Vista in 2005, but faced industry concerns that the company could block the installation of other operating systems on PC hardware. Hardware OEMs will be required to support the architecture, but otherwise, Microsoft claims it will be vendor neutral. While the company's aim is quiet security, expect this feature to create a fairly loud debate.
Ref: http://www.infoworld.com/t/windows-security/windows-8-security-stronger-gentler-174404