Introduction to Securing a Wireless Network.


keezel
July 2nd, 2004, 07:28 PM
I tried to gear this towards someone that has absolutely zero computer knowledge, so bear with me… I have no idea what audience this would be most useful to (if any).



---How to Secure a Wireless Network



It’s amazing how many people assume that their network devices are totally secure right out of the box. In households especially, people hear that wireless routers work “just like firewalls” or “have a firewall built in”…but that’s not nearly enough security. Here's (http://www.antionline.com/showthread.php?s=&threadid=247281&highlight=wardriving) a great tutorial to explain the flip side of the coin.

First things first

I would still say that a number one priority is to lock down each individual computer on any given network with the works (updated firewall and routine scans with updated AntiVirus, Anti-Trojan, and Anti-spyware/malware). Wireless networks are especially known for being vulnerable so just in case yours is penetrated – give ‘em a whole ‘nother layer to fight through.

SSID – Service Set Identifier

The SSID (http://www.webopedia.com/TERM/S/SSID.html) has been referred to as a password – which I believe to be somewhat inaccurate because the SSID’s primary purpose is to differentiate between WLANs (Wireless Local Area Networks). This is more like simply naming the networks than password protecting them. In fact, the SSID is sometimes called the “network name”. However! The SSID does have a part to play when it comes to the security of a wireless network. Without the SSID, no device (like the laptop in the hands of John Doe standing outside your building…) can connect to the network. The SSID is required to connect to any Access Point (AP). The problem is that this SSID is usually incredibly easy to get a hold of because simple devices (like netstumbler (http://www.netstumbler.com/)) can “sniff” or read the SSID from data packets in transit…the SSID is in plain text. Also, even if the network has been secured to the point where the SSID is not being transmitted or is encrypted, it is still easy to guess the SSID because all devices come with a default factory setting SSID and these factory default settings are known to people that wish to have access to your network… So what do you do with the SSID to make it work for you instead of against you? First – change it to anything other than the settings it came with. Next – keeping your network from broadcasting the SSID may be a good idea. The problem is that this will apparently cause the network to be less efficient and a dedicated attacker that has their sights set on your network will probably not be thwarted by this precaution. Last (and probably best) – use a reliable form of encryption to encrypt the SSID (for God’s sake don’t leave it in plain text), thus making it difficult to even interface with any AP on your wireless network. Also - anything that encrypts everything that is sent over the network should also encrypt the SSID. More on encryption in the next paragraph.
Taking these simple steps will deter upwards of 90% of people trying to gain unauthorized access to your network because there are many networks out there that are easier to access and yours is not worth the trouble. ;D.

WEP- Wired Equivalent Privacy

Wireless networks are inherently less private than their wired counterparts, thus we have WEP (http://www.webopedia.com/TERM/W/WEP.html). WEP is a security protocol designed specifically for wireless networks. It is designed to be a very effective deterrent against any attackers and it does so by encrypting all information that is sent from one place to another through the network. WEP is an excellent deterrent against the casual attacker and can keep a dedicated attacker busy for the better part of the day. (During this time, you have an opportunity to notice any vehicles with antennas sticking out of them like a porcupine sitting outside your building - or any people on the street with laptops that have been there for a long time). The problem with WEP is that it’s not the uncrackable protocol that it’s commonly advertised to be. Studies have proven that WEP in actuality is relatively easy to crack and any dedicated attack can break through the encryption. Also, the newer version with the so-called 128-bit encryption key does not quite live up to its claims (though the 128-bit is at least stronger than the 40-bit).

TKIP – Temporal Key Integrity Protocol

The problem with WEP is that since the same key was reused over and over again, an attacker had ample time to crack the encryption. TKIP (http://www.webopedia.com/TERM/T/TKIP.html) is a temporary solution (like a patch) until something stronger and better is available. The TKIP process begins with a 128-bit "temporal key" shared among clients and access points. TKIP combines the temporal key with the client's MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data. This procedure ensures that each station uses different key streams to encrypt the data. (Source (http://www.wi-fiplanet.com/tutorials/print.php/1377171)). The actual key used in this process is also changed automatically after every 10,000 packets sent. This makes the encryption substantially more difficult to crack and provides a smaller window of opportunity. This protocol is a direct upgrade to WEP and a WEP network with hardware that’s meant to only function with WEP will work with TKIP after some simple patches.

WPA

WPA (http://www.pcwebopedia.com/TERM/W/WPA.html) is the next step in security over WEP. WEP can be upgraded directly to incorporate WPA with "firmware patches". TKIP is actually a part of WPA so refer back to that to see how it affects network encryption. WPA combines two protocols to provide dynamic key encryption (with TKIP) and mutual authentication (as opposed to one way) - something not found in WEP. For authentication, WPA uses a combination of open system and 802.1x authentication. Initially, the wireless client authenticates with the access point, which authorizes the client to send frames to the access point. Next, WPA performs user-level authentication with 802.1x. WPA interfaces to an authentication server, such as RADIUS or LDAP, in an enterprise environment. WPA is also capable of operating in what's known as "pre-shared key mode" if no external authentication server is available, such as in homes and small offices.
WPA also checks the integrity of all information sent over the network. WPA implements the message integrity code (MIC), often referred to as "Michael," to guard against forgery attacks. WEP appends a 4-byte integrity check value (ICV) to the 802.11 payload. The receiver will calculate the ICV upon reception of the frame to determine whether it matches the one in the frame. If they match, then there is some assurance that there was no tampering. Although WEP encrypts the ICV, a hacker can change bits in the encrypted payload and update the encrypted ICV without being detected by the receiver. WPA solves this problem by calculating an 8-byte MIC that resides just before the ICV.
The biggest weakness with WPA is that it does nothing to defend against DoS attacks. An issue that WPA does not fix yet is potential denial of service (DoS) attacks. If someone, such as a hacker or disgruntled employee, sends at least two packets each second using an incorrect encryption key, then the access point will kill all user connections for one minute. This is a defense mechanism meant to thwart unauthorized access to the protected side of the network. A firewall can be used as a separate defense to work against DoS attacks.

Much was quoted in this section b/c it was added spur-of-the-moment. Still my fault for not putting it in originally...but here's the source (http://www.wi-fiplanet.com/tutorials/article.php/2148721). He worded stuff better than I would have anyway. :p

AES – Advanced Encryption Standard

The name explains a lot of what this is supposed to be. It was developed fairly recently by the government to replace “DES” which used only a 56-bit key…not secure at all by today’s standards. AES (http://www.pcwebopedia.com/TERM/A/AES.html) was proclaimed the standard for government encryption in May 2002. AES is made to be flexible so it can be used for almost anything and will be useful for the business world. The problem is that it’s expensive...it’s especially costly to implement because all access points and NICs must be “upgraded” (probably replaced) just to be able to use it. It's also known to be a serious "resource hog". AES is designed to be an extremely efficient encryption system though. It’s designed to be able to handle more information faster – it can encrypt and decrypt quickly as well as change encryption keys without slowing the process. This baby uses true 128-bit encryption keys and is capable of using 192-bit or even 256-bit keys if needed – as of right now darned near impossible to crack (in theory). Then there's Moore's law... This is the new standard in encryption. The only foreseeable problem is that it is relatively new…and has yet to be tested against real world attacks. Of course it’s been tested with brute forcing tools of all kinds and some laboratory attempts at hacking it…but little is known about its real-world effectiveness. Anyway, if you can afford it, this is supposed to be the strongest data encryption system available for practical use.

Source (http://www.networkmagazine.com/article/NMG20010226S0010)


802.1X

This is an extremely effective protocol. It uses digital certificates to make authentication very effective and also dynamically assigns encryption keys to LAN devices to completely eliminate the problem with WEP reusing encryption keys. 802.11 Protocols (http://www.webopedia.com/TERM/8/802_11.html)
More (http://www.antionline.com/showthread.php?s=&threadid=254387) on 802.11 (scroll halfway down page).


Make People Log In

Set up the network so that everyone has to log in with a valid username and password before they are allowed to do anything. This is probably the most ancient method of security on the web and continues to be effective. Everyone that is allowed access to the network will have their own username and password (preferably one that’s not easy to crack – no dictionary words; lowercase and capital letters and a few numbers somewhere is not unreasonable. For an admin account – also throw in both regular symbols and special symbols). You can protect against brute force attacks by configuring any login prompt to lock a user out after 5 unsuccessful attempts in a row. The problem with this will be when somebody forgets their password: they’ll have to come running to you and that’s one more thing to take care of.

Limit the Range of the Network

You’re just asking for an attack if someone can pick up your network signal from half a mile away, so try and confine the broadcast radius to just barely meet your needs. If someone has to sit up against the wall of your building just to get any kind of reading on your network, it becomes much less attractive and makes people trying to get into your network easier for anyone (you, security, or police) to spot.

Network Wide (outer) Firewall

A network’s firewall is capable of defending against attacks by limiting access (of anything) to only those ports and functions that are needed – eliminating vulnerabilities and thus making the network more secure. A good firewall should also be able to defend against those annoying DoS attacks. Another benefit is that any AP behind the firewall won’t announce itself to the world, making you even less likely to get hacked.

MAC – Media Access Control

A MAC (http://www.pcwebopedia.com/TERM/M/MAC_address.html) address uniquely identifies each piece of hardware that is connected to the network. It’s possible to disallow access to any piece of hardware with an unknown MAC address, thus making the network a little more secure. These are spoofable (though not easily, I’m told) but having this certainly can’t hurt.

Ditch DHCP

DHCP (http://www.pcwebopedia.com/TERM/D/DHCP.html) (Dynamic Host Configuration Protocol) is what automatically assigns IP addresses to users that need one. A common “method of defense” is to configure your router to only allow certain IP addresses and use a static set of IP addresses (i.e. all nodes on the network already have a specifically assigned IP address); when all devices are on and all allowable IP addresses are being used, the router will not allow access to anything else. This is actually easy to get around (i.e. a single inactive device frees up an IP for an attacker to use and all IP info is easily sniffed) but it’s an option. MAC is actually much more effective.



If anyone has links to other related and specifically more in-depth tutorials on any specific subject I touched on, plz post them. I did not copy and paste this and the people I've been bugging for the past two days can vouch for me. ;) You can probably tell anyway cuz I'm sure I said something in there somewhere that's kinda off... I did however get ideas for things in this tutorial from several other sources.

Sources:
DeadAddict's (http://www.antionline.com/showthread.php?s=&threadid=249393)
Same by SicyourIT (http://www.antionline.com/showthread.php?s=&threadid=245853&highlight=secure+wireless+network)
http://slashdot.org/articles/01/02/15/1745204.shtml
http://www.wi-fiplanet.com/tutorials/article.php/1457211

Here's a link to Wi-Fi terminology (http://www.intermec.com/eprise/main/Intermec/Content/Technology/wireless/Wireless?section=terminology).

Please correct me if I'm wrong about anything and feel free to add stuff.
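
The ICV-versus-MIC point from the WPA section of the tutorial above, worked through in code. This is an added example, not part of keezel's post and not a real WEP or WPA implementation: the keystream is a constructed SHA-256 counter stand-in for RC4, the keyed MIC is HMAC-SHA256 truncated to 8 bytes standing in for Michael, and the key, IV and message are made-up sample values. It shows why a receiver that checks only an unkeyed CRC-32 ICV under a stream cipher cannot tell a modified frame from a genuine one, and why a receiver that also checks a keyed MIC can.

```python
import hashlib
import hmac
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_icv(data: bytes) -> bytes:
    """WEP-style 4-byte integrity check value: an unkeyed CRC-32."""
    return zlib.crc32(data).to_bytes(4, "big")


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream (constructed: SHA-256 in counter mode) standing in for RC4.
    The ICV weakness shown below does not depend on which stream cipher is used."""
    blocks = [hashlib.sha256(key + iv + n.to_bytes(4, "big")).digest()
              for n in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wep_style_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP layout: payload || CRC-32(payload), the whole thing XORed with the keystream."""
    plain = payload + crc32_icv(payload)
    return xor(plain, keystream(key, iv, len(plain)))


def wep_style_decrypt(key: bytes, iv: bytes, frame: bytes):
    """Receiver side: returns the payload if the ICV matches, else None."""
    plain = xor(frame, keystream(key, iv, len(frame)))
    payload, icv = plain[:-4], plain[-4:]
    return payload if crc32_icv(payload) == icv else None


def modify_keeping_icv_valid(frame: bytes, offset: int, delta: bytes) -> bytes:
    """The situation the tutorial describes: bits in the encrypted payload are changed and the
    encrypted ICV is patched to match, with no knowledge of the key. It works because CRC-32
    is affine, crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros of the same length), and XOR commutes
    with the keystream. A receiver that checks only the ICV has no way to notice."""
    plen = len(frame) - 4
    d = bytearray(plen)
    d[offset:offset + len(delta)] = delta
    icv_delta = xor(crc32_icv(bytes(d)), crc32_icv(bytes(plen)))
    return xor(frame, bytes(d) + icv_delta)


def wpa_style_protect(key: bytes, mic_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WPA layout from the tutorial: an 8-byte keyed MIC sits just before the ICV.
    HMAC-SHA256 truncated to 8 bytes stands in for Michael (constructed substitute)."""
    mic = hmac.new(mic_key, iv + payload, hashlib.sha256).digest()[:8]
    body = payload + mic
    plain = body + crc32_icv(body)
    return xor(plain, keystream(key, iv, len(plain)))


def wpa_style_verify(key: bytes, mic_key: bytes, iv: bytes, frame: bytes):
    """Receiver side: the ICV is checked first, then the keyed MIC. Returns payload or None."""
    plain = xor(frame, keystream(key, iv, len(frame)))
    body, icv = plain[:-4], plain[-4:]
    if crc32_icv(body) != icv:
        return None
    payload, mic = body[:-8], body[-8:]
    expected = hmac.new(mic_key, iv + payload, hashlib.sha256).digest()[:8]
    return payload if hmac.compare_digest(mic, expected) else None


def demo() -> dict:
    """Sample values (constructed): the same modification applied to both frame layouts."""
    key, mic_key, iv = b"shared-link-key", b"separate-mic-key", b"\x01\x02\x03"
    payload = b"transfer 0010 to account 42"
    offset = payload.index(b"0010")
    delta = xor(b"0010", b"9999")          # flips the amount field to 9999
    wep_frame = wep_style_encrypt(key, iv, payload)
    wpa_frame = wpa_style_protect(key, mic_key, iv, payload)
    return {
        "wep_accepts_modified": wep_style_decrypt(
            key, iv, modify_keeping_icv_valid(wep_frame, offset, delta)),
        "wpa_accepts_modified": wpa_style_verify(
            key, mic_key, iv, modify_keeping_icv_valid(wpa_frame, offset, delta)),
        "wpa_accepts_genuine": wpa_style_verify(key, mic_key, iv, wpa_frame),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the WEP-style receiver handing back the altered payload as if it were genuine, while the WPA-style receiver passes the ICV check but rejects the frame on the MIC. The design lesson for anyone building or evaluating a link-layer protocol is the one the tutorial quotes: a checksum is not an integrity check unless it is keyed.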

Negative
July 2nd, 2004, 10:01 PM
Just some questions/remarks:

- I've never heard of SSID encryption.... just making sure it's not a typo or anything... if not, teach me :D

- TKIP is not only a temporary solution to the WEP-insecurity; TKIP is the certified WPA-algorithm.

And I missed WPA altogether :)

AngelicKnight
July 2nd, 2004, 10:07 PM
Perhaps he means disabling SSID broadcasting?

Negative
July 2nd, 2004, 10:09 PM
That's what I was hoping, but this got me wondering:

use a reliable form of encryption to encrypt the SSID (for God’s sake don’t leave it in plain text)

:)

Tiger Shark
July 2nd, 2004, 10:28 PM
The way I understand it is that if you use any encryption then the SSID will be encrypted anyway when the connections take place.... and SSID broadcast is off.... I think....

Guidance.....

Negative
July 2nd, 2004, 10:35 PM
That sounds logical, thanks :)

PuReExcTacy
July 2nd, 2004, 10:38 PM
Nice article, btw, very well put together. In addition, I'd like to add that you can also secure wireless networks with the implementation of a VPN. Using a VPN, for one, will encrypt all of the data passing through it, even if you don't use WEP, which is weak anyways. The VPN could be used as a gateway, forcing users to authenticate before being allowed access to network resources. VPN over Wi-Fi is a great way to secure a not-so-secure wireless network.


--PuRe

Spyder32
July 2nd, 2004, 10:54 PM
Nice tutorial keezel. I've been iffy about wireless networking (I went into it, then fell back and now I'm on the see-saw with it again) and how secure it really is. Obviously, more countermeasures to attacks would need to be in place and this tutorial clears up a lot of that for me. Kudos to you ;)

Tiger Shark
July 2nd, 2004, 10:55 PM
Pure: Doesn't that require a server or some software internally when we talk about "consumer grade" firewalls. I know that the Linksys and D-Link don't seem to have any way of creating the tunnel.... but maybe they changed some things.....

Comments?

AngelicKnight
July 2nd, 2004, 11:02 PM
We use a USR one here...

Ok, so question: given that WEP is a wee bit weak, how much of a difference does it make to use more than one key? Our USR can use up to four WEP keys, but I'm thinking, is it pointless, since you'd just have four weak keys, or does it make a significant difference?

Negative
July 2nd, 2004, 11:04 PM
From the Linksys WRT54G

Virtual Private Networking (VPN) is typically used for work-related networking. For VPN tunnels, the Router supports IPSec Pass-Through and PPTP Pass-Through.

* IPSec - Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. To allow IPSec tunnels to pass through the Router, IPSec Pass-Through is enabled by default. To disable IPSec Pass-Through, uncheck the box next to IPSec.
* PPTP - Point-to-Point Tunneling Protocol is the method used to enable VPN sessions to a Windows NT 4.0 or 2000 server. To allow PPTP tunnels to pass through the Router, PPTP Pass-Through is enabled by default. To disable PPTP Pass-Through, uncheck the box next to PPTP.

Tiger Shark
July 2nd, 2004, 11:13 PM
Neg:

To me that means that it allows the protocols through to an internal server as opposed to managing the tunnel themselves.

OTOH, I never played with trying to create a tunnel to the router but looking at them they don't seem to be anywhere near sophisticated enough to manage it. When I create the tunnel from inside I think I had to allow the "pass through" to allow it to connect to the outside "provider"..... I could be wrong.... But I don't think so..... Love to be shown how.... It would be nice.....

Negative
July 2nd, 2004, 11:32 PM
I know, Tiger... I was just proving your point - the WRT54G is probably one of the most "sophisticated" wireless routers for home use, and all it supports is IPSec pass-through.
Linksys' solution that provides actual VPN starts at like $160:
WRV54G (http://www.ozcableguy.com/linksys1.html#wrv54g).

That site also has a nice reference card (http://www.ozcableguy.com/quickref.html), btw.

annihilator_god
July 2nd, 2004, 11:38 PM
Good tutorial. Unfortunately, you didn't cover RADIUS servers at all (which is what I hoped to learn about; guess I need to hit Google). Also, my router allows for a few different encryption methods: the two you talked about (WEP and TKIP), and it also allows AES encryption. Obviously TKIP is better than WEP, but what about a comparison between TKIP and AES? I'm not that well versed in different encryption methods. I guess that would be a topic in the cryptography forum.

The Grunt
July 3rd, 2004, 12:10 AM
I might be a complete retard, but what does a RADIUS server have to do with anything? Are RADIUS servers not what ISPs use to give out their internet connections? How exactly does it all tie in?

http://webopedia.com/TERM/R/RADIUS.html

It's only for dial-up too; PPPoE is what broadband uses.

keezel
July 3rd, 2004, 12:20 AM
Wow - just got back from supper and I didn't expect anywhere near this much discussion, thx!

The way I understand it is that if you use any encryption then the SSID will be encrypted anyway when the connections take place.... and SSID broadcast is off.... I think.... - Tiger Shark
Yeah, I couldn't find anything to specifically encrypt the SSID but I *think* anything that encrypts everything transmitted over the network would also encrypt the SSID along with everything else. Also, I've heard that when someone does happen to get bits of info through screwups in the encryption (yeah, not a very technical explanation but hey...I'm learning right along with you guys on this one...) - it's not likely to be the SSID that they get (which is what they need). About turning the SSID broadcast off - I read something somewhere that said it would cause some kind of conflicts but I can't find it again. I recall that it's just a small drop in efficiency though so preventing the SSID from being broadcast can be a very effective preventative measure although there may be some slight cost to it.

Nice article, btw, very well put together. In addition, I'd like to add that you can also secure wireless networks with the implementation of a VPN. Using a VPN, for one, will encrypt all of the data passing through it, even if you don't use WEP, which is weak anyways. The VPN could be used as a gateway, forcing users to authenticate before being allowed access to network resources. VPN over Wi-Fi is a great way to secure a not-so-secure wireless network. - PuReExcTacy
I did some research on VPNs but didn't include them in this tutorial because I never gained a good understanding of exactly what it is that they do. There will be a part 2 to this though to cover things more in-depth - this was meant to be an introduction. Oh, and thx for the compliment!

Kudos to you - Spyder32
Lol, I like kudos....

Ok, so question: given that WEP is a wee bit weak, how much of a difference does it make to use more than one key? Our USR can use up to four WEP keys, but I'm thinking, is it pointless, since you'd just have four weak keys, or does it make a significant difference? - AngelicKnight
I think you're actually asking 2 different questions. Any key can be weak if it can be guessed or maybe brute forced somehow? Having four different ones is better than just one only in that once you have one of them, you can only access a fourth of things transmitted...unless it's configured somehow so someone would need *all four* keys to read anything...there's a thought. Haven't heard of anything like that though. Of course - with any information you get from cracking one it becomes easier to crack the others... The problem isn't not having enough keys - it's the fact that the key(s) stay the same for an indefinite period of time and it only takes about a day (or less) to crack one. TKIP fixes this problem by automatically changing the keys after every 10,000 packets of information sent over the network. How long that takes of course depends on the volume of traffic flowing across the network... Somebody said something like 40 minutes? No clue if that's accurate. Also the newer protocol 802.1X is supposed to dynamically assign encryption keys to all LAN devices. More on 802.1X and related protocols will be in the next tutorial.

Good tutorial. Unfortunately, you didn't cover RADIUS servers at all (which is what I hoped to learn about; guess I need to hit Google). Also, my router allows for a few different encryption methods: the two you talked about (WEP and TKIP), and it also allows AES encryption. Obviously TKIP is better than WEP, but what about a comparison between TKIP and AES? I'm not that well versed in different encryption methods. I guess that would be a topic in the cryptography forum. - annihilator_god
Crap, t'would seem I completely missed something that should have gone in this tutorial....I'm really sorry. I promise to put a decent section on AES (and comparisons) in the next tutorial. That may not be for another month tho... I'll be researching the latest developments in WLAN and WAN security and I'll probably go into detail about the difference between the two networks next time too. Thx a lot to PhishPhr33k for giving me ideas about what to research next! Also thx to everyone for your responses!

annihilator_god
July 3rd, 2004, 12:39 AM
Grunt, I literally have no idea what RADIUS servers are. All I know is that my router has multiple security modes for wireless networking. These include WEP, WPA pre-shared key, WPA RADIUS, and RADIUS. It looks to be a method of authentication, so that would be a way to log in, right? Obviously I need to do more research since I have no idea. Which is exactly what I'm doing right now.

keezel
July 3rd, 2004, 12:53 AM
WPA (http://www.pcwebopedia.com/TERM/W/WPA.html) is short for Wi-Fi Protected Access. Here (http://www.tomsnetworking.com/Sections-article50-page1.php) is an exhaustive tutorial on WPA. Works with TKIP and uses authentication. I can't believe I missed this - it fits perfectly into this tutorial. It uses EAP (http://www.pcwebopedia.com/TERM/E/EAP.html) which is short for Extensible Authentication Protocol... Unfortunately I'm short on time right now but I'll try and edit the tutorial to include a section on WPA as it certainly seems to fit. *slaps self in forehead*

*edit*
It should be noted that WPA is an interim standard that will be replaced with the IEEE’s 802.11i standard upon its completion.

*re-edit*
Added a part about WPA. Next will be on AES (http://www.pcwebopedia.com/TERM/A/AES.html).

Mark_Anderson
July 3rd, 2004, 02:53 AM
Last I checked using IPSec encryption for Wi-Fi networks only allowed the ip header to be encrypted.

Addressing WEP, yeah, it's weak even @ 128-Bit. It uses the RC4 stream and isn't implemented very well in WEP. WEP keys are static.

TKIP is the new WPA default standard. It also uses the RC4 stream, only, as was mentioned earlier, it uses a long IV (initialization vector) and the keys are changed much sooner, on a xxx packet basis. Thanks to a nice implementation, weak RC4 or not, this type isn't easily crackable.

AES is the strongest WPA type of encryption for Wi-Fi LANs currently available. It uses the Rijndael encryption algorithm. Yes, this is "better" than TKIP but also adds much more CPU overhead to the equation. Using 256-bit AES here hits performance noticeably on my machine but it's very strong encryption.

Disabling SSID broadcasting and applying MAC filtering are good ideas... even though they still can be worked around. This has already been mentioned in detail. I won't bother.

If you don't need to access your internal LAN from the outside WAN (internet) then disable remote administration. There's no need for it. By default all of the routers I've played with have this off with their factory settings.

If you don't need DHCP disable it.

Port forwarding - don't use it unless you need it (running services to be accessed from the WAN).

WPA (RADIUS server) is only needed if you have a server that's dedicated to distributing keys to all of the hosts on your network. Since many SOHO environments don't have a dedicated server for this they use WPA-PSK (Pre-Shared Key). RADIUS servers are normally found in corporate environments and larger networks with many hosts. This is not saying you couldn't have a small SOHO network utilize this.

keezel
July 3rd, 2004, 03:26 AM
Thx Mark_Anderson. I also heard that AES is primarily used by the military....it's supposed to be incredibly strong and I also read that it is a resource hog (like you said) and is expensive. I've been afk for a few hours but I intend to add something on AES to this tutorial too...I think that's it for this one though after that...unless I've missed something else that needs to be in this one too. Any suggestions? Seriously though, thanks Mark, you really seem to know your stuff.

*edit*
Done. I believe everything is accurate but I'd very much like to get a second opinion. I tried to check everything with sources but sources aren't always accurate... Anyway, I think that this is now a well-rounded introduction to Wi-Fi security. More to come later! Stay tuned! ;)

PuReExcTacy
July 4th, 2004, 02:32 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=259394#post765672) by annihilator_god
Grunt, I literally have no idea what RADIUS servers are. All I know is that my router has multiple security modes for wireless networking. These include WEP, WPA pre-shared key, WPA RADIUS, and RADIUS. It looks to be a method of authentication, so that would be a way to log in, right? Obviously I need to do more research since I have no idea. Which is exactly what I'm doing right now.

RADIUS stands for remote access dial up server. This is actually an authentication protocol, used when remote dial-up users authenticate themselves. The reason this was brought up in the discussion of wireless security is for the ability to authenticate users, not just based on MAC cards and WEP keys, but with actual usernames and passwords. This helps draw a clearer line on the network as to what the actual user can do on a network or system. In addition, it adds another layer of security. I've listed below the actual RADIUS definition, because I know my half-ass explanation isn't gonna cut it for a lot of you out there.


RADIUS: A client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics. Created by Livingston (now owned by Lucent), RADIUS is a de facto industry standard used by Ascend and other network product companies and is a proposed IETF standard.


I hope this answers any of those radius specific questions out there.


--PuRe www.pureehosting.com

Negative
July 4th, 2004, 02:38 PM
If you need more info on AES, here's (http://www.esat.kuleuven.ac.be/~rijmen/rijndael/) the home page of the (Belgian :D) developers of Rijndael. The page isn't updated anymore, though, and the data dates from back when Rijndael was still a candidate.
The "pictures and animations" section is particularly interesting, though!

mrg81
July 4th, 2004, 08:30 PM
Hi,

excellent post keezel,

I am still not able to get the SSID part. As far as I know, the SSID is transmitted in plain text:

What happens is:

1. The client sends a probe request.
2. The access point responds with a probe response; these frames are known as beacon frames, and you can also set the timing of these frames in the beacon interval.
3. The client sends an authentication request; here comes your WEP - if it is shared, then WEP is enabled.
4. The AP responds with an authentication response.
5. Association request.
6. Association response.

So if you were using a Cisco Systems AP then you will see these steps; the last, however, will say associated and the corresponding MAC ID.

Actually even I am not 100% confident that if you were to use encryption then the SSID will not be seen. Even if you were to disable SSID broadcast, sniffers can still pull the SSID.

You might want to have a look at the following websites:

http://www.cisco.com/en/US/products/hw/wireless/ps458/products_white_paper09186a00800b469f.shtml

http://xianshield.org
Look in the Wireless Security Primer; the concept of RADIUS and TKIP is explained well.

MRG.
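
The six-step join described above, as an added example that is not mrg81's code or any real driver: a small Python model of the frames exchanged between a station and an access point, plus a passive-listener function that reports which frames carried a readable SSID. The MAC addresses and the SSID "Corp" are constructed sample values; authentication is modelled as open-system only, and the data frame body is a placeholder rather than real encryption. What the model reflects from 802.11 itself is that the SSID element lives in management frames (beacon, probe request/response, association request), which neither WEP nor WPA encrypt, and that an AP with broadcasting disabled still answers a probe request that names it, so the client has to say the name on the air.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    kind: str                    # beacon, probe_req, probe_resp, auth, assoc_req, assoc_resp, data
    src: str
    dst: str
    ssid: Optional[str] = None   # cleartext SSID element, present only in management frames
    protected: bool = False      # True only for data frames carried under the link key
    body: bytes = b""


class AccessPoint:
    def __init__(self, ssid: str, mac: str, broadcast_ssid: bool = True) -> None:
        self.ssid, self.mac, self.broadcast_ssid = ssid, mac, broadcast_ssid
        self.associated: Set[str] = set()

    def beacon(self) -> Frame:
        # A "hidden" AP still beacons; only the SSID element is emptied.
        return Frame("beacon", self.mac, BROADCAST, ssid=self.ssid if self.broadcast_ssid else "")

    def handle(self, f: Frame) -> Optional[Frame]:
        if f.kind == "probe_req":
            # A directed probe naming this SSID is answered even with broadcasting off;
            # a wildcard probe (empty SSID) is answered only when broadcasting is on.
            if f.ssid == self.ssid or (f.ssid == "" and self.broadcast_ssid):
                return Frame("probe_resp", self.mac, f.src, ssid=self.ssid)
            return None
        if f.kind == "auth":
            # Open-system authentication always succeeds (shared-key is left out of this model).
            return Frame("auth", self.mac, f.src, body=b"success")
        if f.kind == "assoc_req":
            ok = f.ssid == self.ssid
            if ok:
                self.associated.add(f.src)
            return Frame("assoc_resp", self.mac, f.src, body=b"success" if ok else b"refused")
        if f.kind == "data" and f.protected and f.src in self.associated:
            return Frame("data", self.mac, f.src, protected=True, body=f.body)
        return None


class Station:
    def __init__(self, mac: str, target_ssid: str, has_link_key: bool = False) -> None:
        self.mac, self.target_ssid, self.has_link_key = mac, target_ssid, has_link_key

    def join(self, ap: AccessPoint) -> List[Frame]:
        """Runs the six-step join from the post and returns every frame that went over the air."""
        beacon = ap.beacon()
        air = [beacon]
        # Steps 1-2: if the beacon carried no name, the station must say which network it wants.
        probe = Frame("probe_req", self.mac, BROADCAST, ssid="" if beacon.ssid else self.target_ssid)
        air.append(probe)
        resp = ap.handle(probe)
        if resp is not None:
            air.append(resp)
        # Steps 3-4: authentication request / response.
        auth = Frame("auth", self.mac, ap.mac)
        air.extend([auth, ap.handle(auth)])
        # Steps 5-6: the association request always carries the SSID in the clear.
        assoc = Frame("assoc_req", self.mac, ap.mac, ssid=self.target_ssid)
        assoc_resp = ap.handle(assoc)
        air.extend([assoc, assoc_resp])
        # Only now, and only for data frames, does WEP/WPA encryption apply.
        if assoc_resp.body == b"success" and self.has_link_key:
            data = Frame("data", self.mac, ap.mac, protected=True, body=b"<ciphertext>")
            air.extend([data, ap.handle(data)])
        return air


def ssids_visible_in_clear(air: List[Frame]) -> Dict[str, Set[str]]:
    """What a passive listener on the channel can read: non-empty SSID elements, grouped by
    frame kind. Protected data bodies are opaque, but they carry no SSID element anyway."""
    seen: Dict[str, Set[str]] = {}
    for f in air:
        if f.ssid and not f.protected:
            seen.setdefault(f.kind, set()).add(f.ssid)
    return seen


if __name__ == "__main__":
    # Constructed sample values.
    hidden_ap = AccessPoint("Corp", "00:11:22:33:44:55", broadcast_ssid=False)
    air = Station("66:77:88:99:aa:bb", "Corp", has_link_key=True).join(hidden_ap)
    print(ssids_visible_in_clear(air))   # name appears in probe_req, probe_resp, assoc_req
```

Compare `broadcast_ssid=True` and `False`: disabling the broadcast only removes the name from the beacon; it reappears in the station's probe request and in every association request. Encryption protects data frames, not the network name, which is why the useful mental model for a defender is that the SSID is a label and the key is the gate.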

keezel
July 5th, 2004, 08:26 PM
Thank you very much, mrg81. I did some research and everything I read said that the SSID is encrypted by WEP or some other encryption when it is broadcast (assuming broadcasting of the SSID has not been turned off), but someone with physical access to the network can pull the SSID off a system because it is still stored in plain text. If you were using WEP (wired equivalent protection) then it causes an attacker to have to have physical access to the network - meaning it's done its job in equalizing wired and unwired networks in terms of security. Some experts say that the broadcasting of the SSID doesn't really matter anyway because even if someone has the SSID, they can't associate much with the network without being rejected because they don't have the correct encryption key. If they don't have the tools to crack the encryption, they won't be getting access to your network. The SSID is not so much the "key to your network" as simply the name of your network. Turning off the broadcasting of the SSID keeps random wardrivers from even trying to mess with your network but the real initial line of defense is the encryption. If someone *does* have the tools to crack encryption, a wardriver will be able to detect the network anyway and eventually break the encryption and get the SSID too. It seems like the only time disabling or encrypting the SSID matters is when a person doesn't have the ability or tools to crack the network anyway. Still can't hurt though. Agree/disagree?

kryptonic
July 24th, 2004, 01:48 AM
I'll have to remember this for when I set my wireless up.

codelogman
August 31st, 2006, 06:51 AM
http://img244.imageshack.us/img244/155/epsn10499dq9.jpg


I'm still thinking about publishing a tutorial called "Introduction to unsecure a Wireless Network".


The only secure password protection I can see is WPA-PSK; the aircrack software also says it supports a cracking module for this protocol's encryption:

/*
 * 802.11 40/104 bit WEP / WPA-PSK Key Cracker
 *
 * Copyright (C) 2004,2005 Christophe Devine

struct WPA_hdsk
{
    uchar stmac[6];     /* supplicant MAC */
    uchar snonce[32];   /* supplicant nonce */
    uchar anonce[32];   /* authenticator nonce */
    uchar keymic[16];   /* eapol frame MIC */
    uchar eapol[256];   /* eapol frame contents */
    int eapol_size;     /* eapol frame size */
    int keyver;         /* key version (TKIP / AES) */
    int state;          /* handshake completion */
};

and the source for the cracking routine:

int crack_wpa_thread( void *arg )
{
    char essid[36];
    char key1[128], key2[128];
    uchar pmk1[128], pmk2[128];

#ifdef __i386__

    uchar k_ipad[128], ctx_ipad[40];
    uchar k_opad[128], ctx_opad[40];
    uchar buffer[128], sha1_ctx[40];
    uchar wrkbuf[640];
    uint i, *u, *v, *w;

#endif

    int slen, cid = (long) arg;

    /* receive the essid */

    memset( essid, 0, sizeof( essid ) );

    if( safe_read( mc_pipe[cid][0], (void *) essid, 32 ) != 32 )
    {
        perror( "read failed" );
        kill( 0, SIGTERM );
        _exit( FAILURE );
    }

    slen = strlen( essid ) + 4;

    while( 1 )
    {
        /* receive two passphrases */

        memset( key1, 0, sizeof( key1 ) );
        memset( key2, 0, sizeof( key2 ) );

        if( safe_read( mc_pipe[cid][0], (void *) key1, 128 ) != 128 ||
            safe_read( mc_pipe[cid][0], (void *) key2, 128 ) != 128 )
        {
            perror( "read passphrase failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }

        key1[127] = '\0';
        key2[127] = '\0';

#ifdef __i386__

        /* MMX available, so compute two PMKs in a single row */

        memset( k_ipad, 0, sizeof( k_ipad ) );
        memset( k_opad, 0, sizeof( k_opad ) );

        memcpy( k_ipad, key1, strlen( key1 ) );
        memcpy( k_opad, key1, strlen( key1 ) );

        memcpy( k_ipad + 64, key2, strlen( key2 ) );
        memcpy( k_opad + 64, key2, strlen( key2 ) );

        u = (uint *) ( k_ipad );
        v = (uint *) ( k_ipad + 64 );
        w = (uint *) buffer;

        for( i = 0; i < 16; i++ )
        {
            /* interleave the data */

            *w++ = *u++ ^ 0x36363636;
            *w++ = *v++ ^ 0x36363636;
        }

        shammx_init( ctx_ipad );
        shammx_data( ctx_ipad, buffer, wrkbuf );

        u = (uint *) ( k_opad );
        v = (uint *) ( k_opad + 64 );
        w = (uint *) buffer;

        for( i = 0; i < 16; i++ )
        {
            *w++ = *u++ ^ 0x5C5C5C5C;
            *w++ = *v++ ^ 0x5C5C5C5C;
        }

        shammx_init( ctx_opad );
        shammx_data( ctx_opad, buffer, wrkbuf );

        memset( buffer, 0, sizeof( buffer ) );

        /* use the buffer, luke */

        buffer[ 40] = buffer[ 44] = 0x80;
        buffer[122] = buffer[126] = 0x02;
        buffer[123] = buffer[127] = 0xA0;

        essid[slen - 1] = '\1';

        hmac_sha1( (uchar *) key1, strlen( key1 ),
                   (uchar *) essid, slen, pmk1 );

        hmac_sha1( (uchar *) key2, strlen( key2 ),
                   (uchar *) essid, slen, pmk2 );

        u = (uint *) pmk1;
        v = (uint *) pmk2;
        w = (uint *) buffer;

        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;

        for( i = 1; i < 4096; i++ )
        {
            memcpy( sha1_ctx, ctx_ipad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            memcpy( sha1_ctx, ctx_opad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            u = (uint *) pmk1;
            v = (uint *) pmk2;
            w = (uint *) buffer;

            /* de-interleave the digests */

            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
        }

        essid[slen - 1] = '\2';

        hmac_sha1( (uchar *) key1, strlen( key1 ),
                   (uchar *) essid, slen, pmk1 + 20 );

        hmac_sha1( (uchar *) key2, strlen( key2 ),
                   (uchar *) essid, slen, pmk2 + 20 );

        u = (uint *) ( pmk1 + 20 );
        v = (uint *) ( pmk2 + 20 );
        w = (uint *) buffer;

        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;

        for( i = 1; i < 4096; i++ )
        {
            memcpy( sha1_ctx, ctx_ipad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            memcpy( sha1_ctx, ctx_opad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            u = (uint *) ( pmk1 + 20 );
            v = (uint *) ( pmk2 + 20 );
            w = (uint *) buffer;

            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
        }

#else

        /* not x86, use the generic SHA-1 C code */

        calc_pmk( key1, essid, pmk1 );
        calc_pmk( key2, essid, pmk2 );

#endif

        /* send the passphrase & master keys */

        if( safe_write( cm_pipe[cid][1], (void *) key1, 128 ) != 128 ||
            safe_write( cm_pipe[cid][1], (void *) key2, 128 ) != 128 ||
            safe_write( cm_pipe[cid][1], (void *) pmk1, 32 ) != 32 ||
            safe_write( cm_pipe[cid][1], (void *) pmk2, 32 ) != 32 )
        {
            perror( "write pmk failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }
    }
}


So, when I tried for myself to crack my PSK protocol encryption using aircrack, for example, it was not able to attack this encryption type.

:|

you'll see:

The PSK and WEP components are "redundant" code encryption like RC4 and the old RC2 for Infineon SICRYPT-based smart cards, and include polyinterpolation for SHA-1 mounted on a 128-bit base char. The text is OK, but in the source code there are NO marks for this decrypt phase.

So I implemented that for myself, and the result is a non-linear based cryptography; how am I able to decrypt that in efficient time?

Easy: I took the John cracker source and combined aircrack (IVS compatible) with my own smart card RC2/RC4 cracking code, and I am able to pretend to decrypt that.


Good post. I am seriously thinking of writing the anti-post for this.

greetz

AzRaEL
[NuKE] high council
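What the posted aircrack excerpt computes per candidate passphrase (the two hmac_sha1 calls followed by 4095 XOR-accumulated rounds, or calc_pmk on non-x86) is the standard 802.11i PSK derivation, PBKDF2-HMAC-SHA1 with the SSID as salt. Here it is as an added example in Python, not aircrack's or the poster's code: once via hashlib, once written out block by block the way the C does it, checked against the IEEE 802.11i test vector, plus a rough entropy estimate a network owner can use to reject weak passphrases; the function names are my own.

```python
import hashlib
import hmac
import math

# 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
# Added example (not aircrack's code); same value the posted C derives.
def calc_pmk(passphrase: str, ssid: str) -> bytes:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)

# The same derivation spelled out: for each block the salt is the SSID
# followed by a big-endian 32-bit block index (the C code's essid[slen-1]
# = '\1' / '\2'), then 4095 further HMAC rounds XORed into the result.
# Block 1 gives 20 bytes, block 2 supplies the remaining 12.
def calc_pmk_manual(passphrase: str, ssid: str) -> bytes:
    key = passphrase.encode("ascii")
    out = b""
    for block in (1, 2):
        u = hmac.new(key, ssid.encode() + block.to_bytes(4, "big"),
                     hashlib.sha1).digest()
        acc = bytearray(u)
        for _ in range(4095):
            u = hmac.new(key, u, hashlib.sha1).digest()
            acc = bytearray(a ^ b for a, b in zip(acc, u))
        out += bytes(acc)
    return out[:32]

# Defender's view: the SSID salt is public and the iteration count is fixed,
# so the PMK is exactly as strong as the passphrase. Crude character-pool
# entropy estimate, enough to reject dictionary-sized passphrases.
def passphrase_bits(passphrase: str) -> float:
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0
```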

noir
September 1st, 2006, 05:32 AM
I want to try and offer somewhat of a conclusion on the SSID discussion. By no means am I an expert, but when I paid more attention to the progression of wireless security, this is what I came across.

Even if SSID broadcast is disabled in the AP, it's still transmitted for legitimate network traffic. When a legitimate user initializes a connection with the AP, they send the SSID in plain text; after all, how else will the AP know someone is talking to it? It gets transmitted in plain text because the request/response takes place before encryption is initialized. If a user sends a probe request that's encrypted, how would the AP know how to decrypt it if they haven't talked before? Sorry, I don't know all the technical details of how it works, but that's my understanding of how disabling SSID broadcast is still not an effective security measure by itself. Security through obscurity has never worked and it's amazing how many people still think disabling SSID broadcast and using WEP makes them "secure". I'm glad to see that it's very clear in this thread that these are not good solutions :D

NukEvil2
December 11th, 2006, 03:57 AM
http://www.wardriving.com/

Has some good information on wireless networking and cracking WEP. I think it hasn't been updated recently though.

TheX1le
December 11th, 2006, 10:02 PM
While I understand most of this (I love wifi), I think that hiding the SSID is pointless. In fact I have a great PDF on it that I will be happy to post; it's public domain if I remember correctly, and it goes into great depth about it. My question though is where does WPA2 fit into all of this? It kind of came out of left field. WPA supports 802.11i as well as AES and TKIP. WPA2 supports 802.11i and AES. So what can WPA2 do that WPA can't? What was the purpose of its creation? My wrt54g has the ability to use it, but with the wrt54g already set up to use WPA AES PSK and some tweaking to its broadcast power, I fail to see how WPA2 would make it any more secure. Here is a link to info on WPA2; if I'm missing something please fill me in. -TheX1le

Edit: a bit more research turned up the answer to my question.

"Let's start by looking at what is not different. First, WPA2 and 802.11i are the same. WPA2 is the name used by the Wi-Fi Alliance, whereas 802.11i is the name given to the standard by the IEEE. You may also see the term RSN, Robust Security Network, which is part of WPA2/802.11i but is often used interchangeably.

Second, WPA and WPA2 can use the same authentication methods, because they are all EAP based. EAP stands for Extensible Authentication Protocol and, as the name suggests, many different protocols can be built on top of EAP. So both EAP/TLS as well as EAP/PEAP-MSCHAPV2 will work both for WPA and for WPA2.

A key difference between WPA and WPA2 is the underlying encryption method. For WPA this is TKIP/RC4, for WPA2 this is CCMP/AES. AES is the Advanced Encryption Standard and is used by the US Department of Defence as a replacement for older encryption standards. It is very secure. AES can be used in several modes - CCMP is the mode used by WPA2. You will see both terms used interchangeably.

RC4 is the cypher on which the older WEP standard is based (to be consistent we should call it WEP/RC4 here, WEP being the way the RC4 cypher is used). RC4 has some key vulnerabilities that make it difficult to design secure encryption using that cypher. It is these vulnerabilities that led to the demise of WEP/RC4... so how can a TKIP/RC4 be secure? Because TKIP uses the RC4 cypher in such a way that the vulnerabilities that are in the cypher do not materialize. So even though WEP/RC4 ("WEP") and TKIP/RC4 ("WPA") are based on the same underlying cypher, one is considered secure and the other is not.

Having said that, the new CCMP/AES is preferable over TKIP/RC4. Also note that you will not normally see the term RC4 being used in access points or wireless software." The text in quotes is not my words. My only problem with this is that, running stock firmware, my wrt54g can use AES. So I don't see much of a difference.