发信人: notebookboy(阿清)
整理人: ranfish(2002-11-18 09:46:27), 站内信件
|
★原文转载自itman版notebookboy的《[转载]:TECHNOLOGY; ONCE YOU CRACK; YOU CAN'T STOP.》★
★原文转载自Network版notebookboy的《TECHNOLOGY; ONCE YOU CRACK; YOU CAN'T STOP.》★
关于破解WIFI的文章,大家可以参考一下。
Wednesday April 3 12:00am
Network News
Copyright 2002 VNU
In the first of a two-part series looking at security issues facing wireless Lan technology, David Ludlow looks into the lengths that crackers will go to when they are trying to infiltrate your network.
We've all seen the reports and news stories proclaiming how insecure WLans are. The same comments can go for most technologies; it's just a matter of how you implement and deal with them.
WLans provide a cheap and reliable network that can even be used to link buildings together without the need for a leased line.
WLans have become the latest security bandwagon to jump on without the majority of sources taking the time to examine the threat and it's resolution.
Network News has got together with i-sec (www.i-sec.biz), an independent security company, to bring you a two-part RTFM looking at WLan security.
In this first part we'll examine the technology behind 802.11b WLans and examine how crackers can break into a network. In part two, next week, we'll look at how WLans can be secured.
The technology
802.11b is a radio-based system that broadcasts in the 2.4GHz spectrum.
It uses direct sequence spread spectrum (DSS) encoding to give a theoretical maximum throughput of 11Mbps. The technology is commonly referred to as Wireless Fidelity or Wi-Fi.
The standard is capable of working in three modes: peer, infrastructure, and point-to-point. Peer networking lets devices talk to each other directly.
The infrastructure uses access-points to connect the wireless world to the wired network. Point-to-point joins two access points together to create a single wireless pipe.
Crackers will mainly try and get into a wireless network running in infrastructure mode. For this to work the attacking party needs access to the following information:
ESSID
The Extended Service Set ID (ESSID) can be thought of as the name of the network. All wireless clients and access points on the same network need to have the same ESSID. Without this machines cannot talk to each other.
Channel
WLan channels run from 1 to 13 and dictate which part of the 2.4GHz spectrum is being used for transmission. Cards can only listen to one channel at a time, and all clients on a WLan have to have the same channel set.
WEP
Wired equivalent privacy (WEP) is used to encrypt data traffic. It's a symmetric algorithm, which means that same key is used to encrypt and decrypt data.
Clients on a WLan need the same key in order to talk to each other. A client can join the network without this key, but it won't be able to understand any packets.
How do they crack in?
So far the system looks quite rugged, but in its default state WLans are not very secure. We'll talk you through how a cracker can retrieve each component that we've mentioned. The information is based on tools and equipment that i-sec demonstrated in our labs.
Range
WLans have a maximum range of 100 metres in perfect conditions. For crackers looking to break into a network they want to get the clearest signal possible.
This can easily be achieved using an external aerial - and they can be built with household components for around GBP 30.
Perhaps the best known example is one made from an empty Pringles can.
Inside is a metal rod the exact length of a 2.4GHz wavelength. Along the rod are five washers spaced a quarter of a wavelength apart. A cable enters the tube just under this and plugs into the wireless device that you want to amplify. We found that the Orinocco cards from Agere the best as they have an aerial jack built into the card.
When a transmission comes into the can it resonates off the washers and is amplified and directed into the cable and wireless device, giving around a 12db boost.
Better aerials can be built from empty coffee cans, which give around a 14db signal boost.
I-sec made one and mounted it to a satellite dish, which gave a range of just over half-a-mile.
In both cases the most expensive bit is the cable. We recommend keeping it's length to a minimum, as longer cables cause signal degradation. Have a look at the web links on how to build your own aerial.
NetStumbler
With the aerial in place, all the cracker needs to do is discover your network, which isn't that difficult a task.
The 802.11b protocol comes with a feature making it easy for clients to join a network. A wireless client sends out a broadcast probe asking for access points.
An access point in range responds giving out its name, channel, ESSID, and MAC address. If you set the ESSID to 'any' on a client machine then it will automatically take the broadcast information and join a wireless network.
However, for reconnaissance crackers will use a program such as NetStumbler.
This is a free package that works under Windows. It transmits a broadcast probe every second and stores information on all of the WLans discovered.
The graphing facility in it gives an indication of how far away the access point is located. More worrying is the fact a GPS compass can be plugged in. This lets NetStumbler pinpoint the exact co-ordinates of the access point.
For example, i f this information is typed into a web site such as www.streetmap.co.uk, the cracker can see the address of the company that owns the WLan.
NetStumbler is easy to use, but there are some restrictions based on the chipset of the WLan card. There are two manufacturers: Hermes and Prism. NetStumbler currently only supports the Hermes chipset, which the Ornicco kit is built on.
Joining the WLan
With all of the information gathered from NetStumbler, the cracker can choose the WLan he wants to join. At the easiest he can set his computer to DHCP.
If you have a server running then the cracker is automatically dished out a valid IP address. He is now able to browse your network with all of the permissions of the other users.
If this fails, then it just takes longer. Fortunately, this will require some technical knowledge on their behalf. A typical method involves downloading Ethereal for Linux.
This is a packet sniffer that's only compatible with WLan cards based on the Prism chipset. Available cards include Cisco and SMC. This means the cracker must have two laptops and a few WLan cards.
With Ethereal the cracker captures packets. By examining them the IP address range becomes clear. When enough traffic is captured it's obvious which addresses aren't in use. By manually setting his card to one of these addresses the cracker can seamlessly join the network.
WEP
If you have WEP enabled then the cracker can still join the network, but he needs to crack the key in order to start decoding them and transmitting.
In the easiest scenario he just tries the default keys which ship with hardware.
For Symbol these are:
10:11:12:13:14
20:21:22:23:24
30:31:32:33:34
40:41:42:43:44
If you're using a different key, they will have to physically break it.
This isn't hard as WEP is a poor implementation of the RC4 algorithm, which is also used for SSL.
We'll explain how it works, and how it can be cracked. First, it is important to understand what the bit-encryption means. Some manufacturers refer to WEP encryption as 64- and 128-bit.
This is inaccurate. WEP uses either a 40- or 104-bit key. A 24-bit random initialisation vector (IV) is prefixed to the key to give the full key-stream. This ensures that no two packets are ever encrypted using the same key.
Before being encrypted the data has a checksum calculated and appended to the packet. This ensures that the data has been correctly decoded after transmission.
Once the checksum has been calculated the RC4 algorithm performs an eXclusive Or (XOR) between the full key-stream and data/checksum combination. XOR works in the following way:
0 XOR 0 = 0
1 XOR 0 = 1
0 XOR 1 = 1
1 XOR 1 = 0
The encrypted data is then sent across the network with the IV transmitted in plain text. At the other end the receiver takes the IV and prefixes it to the WEP key and performs another XOR.
This reverses the encryption process. Now the receiver recalculates the checksum and compares it to the one in the packet. If they match the data has been decrypted.
Problems
There are several problems with the way that WEP is implemented that allow an attacker to calculate the key. First, the cracker is provided with 24-bits of the key in plain text (the IV).
All that needs to be broken is the remainder of the key. If this is 40-bits then attacking it is trivial using brute-force. Forty-bit encryption is not secure.
If a higher level of encryption is used, it takes longer and requires capturing several packets encrypted with the same IV. As the IV is only 24-bits long there is only a certain amount of time before an IV gets reused. The busier the network, the quicker this happens.
However, it can be even quicker. For example, some Lucent cards start the IV at zero and increment by one every time they are initialised.
As IP traffic is often predictable and sends out lots of redundant information, it is possible to compare several packets using the same IV. Using statistical attacks the WEP key can be retrieved. In practice this involves sniffing the WLan in order to capture enough data to perform this attack. Initial statistics claimed that this would take around five-hours but actual use has shown this to be around ten-days.
How do they do it?
Performing the attack is not as easy as has been made out. First, a tool such as AirSnort or WEPCrack needs to be downloaded. These tools only support cards based on the Prism-chipset, although AirSnort 2 will support Hermes chipsets as well. Both tools work under Linux and require some skill to get running.
The cracker has to sit on the WLan and capture enough packets. AirSnort gives no indication of when this is, so the cracker has to guess.
When the capture buffer is big enough the key retrieve application is run on it, which literally takes a few seconds. Once retrieved the cracker has a couple of options: put the WEP key into his WLan setup and join the network, or decrypt the capture buffer looking for interesting data.
What can they do?
Once on a WLan the cracker has an IP address that matches the local subnet.
All actions they take originate on your own internal network.
It's akin to allowing a stranger to bring a laptop to your offices and plugging into the wired network.
Even if you spot the rogue client, the best you will get is his IP address and MAC address. It's tricky on a wired network to track down where the traffic is originating from, but it's virtually impossible on a WLan.
They could be anywhere, maybe even in the office next door.
Once on your network there are several options open to them. Most obvious is to hack local machines and steal corporate data, but they can also use your internet connection for downloading and launching attacks against other companies while remaining masked.
Your mail servers are at risk, as the cracker can use them for launching spam while you foot the bill. It is important to understand the risk that WLans present to a company.
What's next?
Now we know the threats and how the technology works all is not lost.
In next week's RTFM we'll talk through the security steps to take.
We can show that if implemented properly WLans are of great benefit to a company and not merely the security hole that we have to keep reading about.
- See www.networknews.co.uk/Features/1130346
LEGAL ISSUES
The activity described in this RTFM can be used for illegal activity.
If you decide to try any of the procedures described then please make sure you are not breaking the law.
In this country two laws protect WLans: RIP and the Computer Misuse act.
RIP governs the use of intercepting radio transmissions. It is illegal to intercept radio communications that are not meant for you.
Sniffing other peoples WLans falls into this category. The ESSID is there to make sure that only authorised users pick up transmissions.
The Computer Misuse act deals with the unauthorised use of computers.
If you send a broadcast probe to an external WLan access point then you are soliciting an unauthorised response. This is in breach of the Computer Misuse act.
To ensure you stay within the law if you try these tools, we'd recommend you only run them on your own network.
If you find another company's access point using a tool like NetStumbler, then don't do anything to it or try and join the network. As long as your intentions were for the security of your network there shouldn't be any legal implications.
WEB LINKS
EAerials http:www.oreillynet.com/cs/weblog/view/wlg/448
EComponents and cables www.acalelec.co.uk
EWEP encryption www.counterpane.com/crypto-gram-0103.html
www.securityfocus.com/cgi-bin/library.pl?cat=154&offset=10
ETools www.netstumbler.com
http:airsnort.shmoo.com
https:sourceforge.net/projects/etherealmud
https://sourceforge.net/projects/wepcrack.
----
CCNA:东风吹,战鼓擂,
偶是知青,谁怕谁?
MCSE:怎么现在还有人怎么傻?
欢迎来网易广州社区笔记本电脑版
|
|