
Wednesday, October 19, 2011

How To Crack WEP – Part 2: Performing the Crack

Conclusion

WEP was never meant to secure a network, but was designed only to provide a WLAN with the level of security and privacy comparable to that expected of a wired LAN. This is clearly indicated by its full name, "Wired Equivalent Privacy". Recovering a WEP key is the equivalent of gaining physical access to a wired network. What happens next depends on the steps that have been taken to secure resources of the network itself.

Enterprise networks almost always require a user login, i.e. authentication, before allowing access to their networks. Servers are physically secured in locked server rooms and network wiring panels are secured in locked closets. Networks are frequently segmented so that users are kept from accessing shares and servers that they have no need to access.

Unfortunately, trained in bad security habits by both Microsoft and Apple, most home PC users avoid logins and password-protected network shares like the plague. And while home networks may have made Internet and printer sharing possible, the combination of networked computers and poor security practices has turned more than one home network into an unholy mess of worm-infested zombies before people even know what hit them.

WEP was shown to have failed in its function shortly after 802.11 networks came into widespread use and the industry has been playing catch-up ever since. Key rotation, stronger IVs and other proprietary schemes were tried first. But businesses quickly realized that these measures were ineffective and either closed down their wireless LANs entirely or segregated them into limited-access separate networks, required the use of VPNs or took additional security measures.

Fortunately, the wireless equipment makers quickly realized that stronger measures were needed if they were to be able to continue to sell wireless products to businesses and more security-conscious home networkers. The answer came in the late fall of 2002 in the preliminary form of Wi-Fi Protected Access or WPA and followed a year or so later by the current improved version – WPA2.

Despite the industry’s foot-dragging in getting both technologies out to its users (and providing updates for existing products), either technology – even in its simplified "Personal" (or "PSK") form that uses password-based protection – will provide the level of security originally envisioned for WEP as long as a sufficiently random and long password is used.

In Part 3 of this series, we will demonstrate some good and not so good ways to protect your network. But in the meantime, our basic recommendation is to secure your wireless LAN by using WPA or WPA2 (with a strong password), or turn off wireless access until you can. We hope that these articles have shown that WEP is simply not an option for real "wired equivalent" security.

We would like to thank the following people and sites in helping us produce this article:

  • Devine and KoRek for making the next generation of WEP cracking tools
  • Brett Thorson and the staff at Interop iLabs for letting us fine-tune the attacks
  • Max Moser for making the awesome Auditor Security Collection CD
  • The dedicated people on the Auditor and Netstumbler forums
  • FBI Special Agent Geoff Bickers for breaking a 128 bit WEP key in front of 40+ computer security professionals at ISSA
