
WEP - Dump it NOW

Radar

Well-Known Member
OK, just been doing a bit of messing with Gentoo, madwifi-ng and aircrack and it's all a bit scary for anyone still using WEP to protect, well, anything really :(

I use WPA2 on my home network, but have a spare BT Homehub not currently in use. As it supports both 40 and 104 bit WEP it was a prime candidate for this test. This was an active attack using spoofed ARPs to generate traffic and speed the process of data collection up. However the rate of ARPs was throttled so that the legit client wasn't noticeably affected. If I'd gone at it full tilt, data collection would have been even quicker.

Bottom line was that 40 bit WEP was cracked in 20 mins, after taking about an hour to collect sufficient unique IVs (crypto stuff from the raw data). 104 bit took approx 4 times longer, taking about 4 hours to collect 1.2M IVs and about 90mins to crack. I used the same PC to crack as was used to collect/spoof data, and for comparison it's a P4 2.4 with 512M RAM. The ARP flooding was left running while the crack itself ran, so the actual number of IVs analysed was higher by the time the crack completed than quoted above.

These were pseudo-random hex keys (actually random chunks out of various md5 checksums in my DVD collection).

MAC filtering is NOT a protection; a properly set-up cracking PC can spoof source MAC addresses no problem. All a cracker would need to do is wait until a legit client appears, note their MAC address and use it to pretend to be them once they've logged out.

[Most of the post up to here is detailed for the curious & IT-savvy reader and may sound like techno-babble to many non-IT bods :D The important bit to remember is that the strongest possible WEP security was cracked within 5 hours using consumer-grade equipment]

Now these attacks (and the vulnerabilities with WEP that enable them to work) have been known for a while and what I'm saying won't come as a surprise to anyone with an interest in IT security. When I had a sniff around where I live I was gob-smacked to notice the high proportion of WiFi LANs running WEP (at least they weren't open, even though they might as well have been). This suggests the message regarding WEP either hasn't got through to the general public, or where it has, it's being ignored :(

AFAIK WPA & WPA2 are both currently only susceptible to dictionary attacks. If you don't use English dictionary words modified in any systemic way to create your pre-shared key you should be fine.

You can use a site like this one to assist with generating random binary keys, just remember not to use them with WEP :p
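As an added illustration of the two points above (random keys for WPA/WPA2, and not building the pre-shared key from a dictionary word with a systematic tweak), here is a small Python script that is not part of the original post. It generates a full 256-bit hex PSK or a random passphrase with the `secrets` module, checks that a candidate fits what WPA/WPA2-Personal accepts (8-63 printable ASCII characters, or 64 hex digits), and flags passphrases that collapse back to a dictionary word once case, appended digits and "leet" substitutions are undone. The `WORDLIST` is a constructed five-word stand-in for a real dictionary file, and all function names are my own.

```python
import re
import secrets
import string

# Constructed stand-in for an English wordlist; a real check would load a
# full dictionary file (attack tooling works from exactly such lists).
WORDLIST = {"password", "letmein", "sunshine", "dragon", "football"}

# Common "leet" substitutions, reversed here so that a systematic tweak of a
# dictionary word is recognised for what it is.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def is_valid_wpa_psk(psk: str) -> bool:
    """WPA/WPA2-Personal accepts either an 8-63 character printable-ASCII
    passphrase or a raw 256-bit key written as 64 hex digits."""
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return True
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def normalise(candidate: str) -> str:
    """Undo the modifications a dictionary attack's rule set also undoes:
    case, appended digits/punctuation, and leet substitutions."""
    base = candidate.lower()
    base = re.sub(r"[0-9!?.,*#_-]+$", "", base)  # "dragon2017!" -> "dragon"
    base = base.translate(LEET)                   # "p@ssw0rd"   -> "password"
    return base


def looks_dictionary_based(passphrase: str, wordlist=WORDLIST) -> bool:
    """True when the passphrase is a wordlist entry after normalisation,
    i.e. the 'dictionary word modified in a systematic way' case."""
    return normalise(passphrase) in wordlist


def random_hex_psk() -> str:
    """Full-strength 256-bit PSK as 64 hex digits; no passphrase involved."""
    return secrets.token_hex(32)


def random_passphrase(length: int = 20) -> str:
    """Random printable-ASCII passphrase for kit that only takes a passphrase."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for p in ["P@ssw0rd", "Sunsh1ne2009!", "correct horse battery staple"]:
        print(f"{p!r}: dictionary-based={looks_dictionary_based(p)}")
    print("hex PSK:", random_hex_psk())
    print("passphrase:", random_passphrase())
```

The hex form is the strongest option because the access point uses it directly as the pairwise master key, whereas a passphrase is first run through a key-derivation step that an offline guessing attack can replay; the normalisation step is deliberately crude, since its job is only to show how little a trailing year or an `@` for an `a` buys you.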
 
I'm only using WEP because my card in one of the machines is WEP only.

What is the biggest danger with this?

P.S. - I'm not transmitting anything sensitive, and would notice if anyone was using my bandwidth
 
exosculate said:
I'm only using WEP because my card in one of the machines is WEP only.

What is the biggest danger with this?
Effectively you're running an open network :(

Have you looked for WPA driver updates for the NIC in question?
 
With a good aerial, a guy with a laptop and a car and the inclination could cruise around breaking your encryption ... like wardriving but with added breaking.
 
I don't know much about crime to be fair, but five hours spent nicking a few Fall albums probably ain't too great a haul.
 
mauvais said:
I don't know much about crime to be fair, but five hours spent nicking a few Fall albums probably ain't too great a haul.
:D :D

Probably not, but if you're operating under the impression that your LAN is secure you might be in for a rude awakening. Remember a WiFi client is coming in behind any firewall running on your router, which means they theoretically have full IP access to attack any PC on your LAN, either to compromise it or just to down it. If you're running a M$ OS that should be cause enough to worry; Microsoft's record on patching 0 day exploits in a timely manner is pretty bad!!

Making your LAN secure is another step in the never-ending process of trying to secure your PC; there's no point in looking for trouble by running WEP if you can possibly avoid it by using WPA. Driver and/or AP firmware upgrades are pretty simple to do, and asking in here or on the vendor's support site should get you any extra help you might need with the upgrade process.

If you're stuck using WEP, one possibility is to only enable WiFi on your router when you're actively using it. The main hassle with this approach is that you need a wired PC to do this!

I'm not trying to piss on anyone's parade with this thread or scare the crap out of anyone, I just want to draw people's attention to the fact that WEP is no longer capable of securing WiFi networks in the face of someone seriously trying to crack them. There are ways to remedy this and most posters on here should be able to manage it!
 
Given the number of completely unprotected wireless access points around, you have to wonder whether anyone would choose to spend several hours breaking the WEP key to snoop on traffic when they could just do the same instantly on an open network. Or at a wireless hotspot.

It's like home security, you don't have to have a burglar-proof home, you just have to have one more secure than your neighbour.

So use WPA if you can, but WEP's still better than nothing.

And if you send or store your bank details un-encrypted, you really have more to worry about than your WEP key.
 
Lazy Llama said:
It's like home security, you don't have to have a burglar-proof home, you just have to have one more secure than your neighbour.
Great thread, and a good point.

It reminds me of the advice to always go walking in dangerous woods wearing good trainers. And with companions who wear heavy walking boots. The trainers will not help you outrun a bear, should you meet one. But you don't need to -- you only need to outrun the other people! :eek: :D
 
It's interesting how the OpenBSD project considers WPA/2 over-complicated and recommends using AuthPF + IPsec instead.
 
lobster said:
It's interesting how the OpenBSD project considers WPA/2 over-complicated and recommends using AuthPF + IPsec instead.
Nice one, that's an interesting approach to take. authpf looks useful, and I know many corporates mandate an IPsec VPN connection across the WiFi network terminating at a border firewall; I implemented one myself but we parted company before deploying it live. I like this approach myself as your WiFi can be compromised (thus alerting you via an IDS that something is up), but there's still another layer for ne'er-do-wells to get through. Pinching a phrase from the aviation industry, you don't want the holes in your cheese lining up.

Another approach is to use 802.1X/EAP authentication & tunnelling. Also popular with corporates as it can use the same AD as the Windows networks, making administration of the WiFi network easier.

I don't see the hassle with WPA/2 myself, unless they're looking at it from a vendor/development point of view. Sure it's more complex to code than WEP, but that shouldn't be a serious barrier to implementation as shitloads of companies have already managed it. For the user, providing your kit supports a stable WPA/2 setup, using WPA/2 is as easy as using WEP.
 
Radar said:
Bottom line was that 40 bit WEP was cracked in 20 mins, after taking about an hour to collect sufficient unique IVs (crypto stuff from the raw data). 104 bit took approx 4 times longer, taking about 4 hours to collect 1.2M IVs and about 90mins to crack. I used the same PC to crack as was used to collect/spoof data, and for comparison it's a P4 2.4 with 512M RAM. The ARP flooding was left running while the crack itself ran, so the actual number of IVs analysed was higher by the time the crack completed than quoted above.

Did you try 128 bit...? And how long did it take...? :confused:
 
jæd said:
Did you try 128 bit...? And how long did it take...? :confused:
I did them both; in the OP I'm listing the key lengths without including the IV, so add another 24 bytes to 40 and 104 :)

104/128 bit took about 4 hours to gather the data and was cracked in approx an hour and a half. This was using the inbuilt KoreK attacks with aircrack-ng.

There's a good article here explaining the whole process including the many tweaks you can use with aircrack-ng, and with alternative times to crack a lot quicker than the one I did.
 
I use WPA, but for some reason the Nintendo DS only supports WEP. Which means I need to change my router's encryption if I want to play my DS online. Which is both a ball ache and less secure.

:mad:
 
Radar said:
104/128 bit took about 4 hours to gather the data and was cracked in approx an hour and a half. This was using the inbuilt KoreK attacks with aircrack-ng.

Interesting... I will look into possibly using WPA now, though at the moment there's at least one device that doesn't support it...
 
All my stuff is WPA, including the Wii. Odd that it supports WPA and the DS doesn't.

Interesting stuff, though. :o :D
 
Everything I do and store on my PC is Top Secret and very valuable information. That's why using an open network worries me.

Think my Professional Indemnity insurance covers me up to £5M. I'm sure they would pay up despite my ignorance.

Joking aside:

I do actually have stuff on my PC that I've signed confidentiality agreements for. Can't for the life of me think why it would be of any value to anyone mind :confused: However, I do wonder if any insurer would pay up.
 
The problem I have is that I would have to buy my housemates new cards as they don't support WPA-PSK, which is what I would have chosen, so have to go back to standard WEP.

I don't use the wireless as the router is in my room so I cabled them all in. I wonder if I can disconnect the route from the wifi to the hub?
 
While I agree with the OP's point, and anyone who can go for the more secure option should do so, I suspect serious criminals are more likely to work on mass, malware-based attacks across the internet than by attacking via your wireless LAN, which is far more labour intensive.
 
And zombie like it rises from the dead :D

Now it's even worse!! A couple of researchers at Darmstadt in Germany have busted 104/128 bit WEP wide open.

Their attack on an 802.11g network with approx 40K packets per minute traffic took merely 60 seconds to crack 50% of keys. Extending the sampling period to 2 minutes brought the success rate to over 95%.
 
mauvais said:
Thing is, only your neighbours are going to break in. :confused:

I did this to my neighbour's network a few months ago when I was bored one Sunday afternoon; two hours on Google and you're all set. To be honest, if you're really worried about this you can always plug your PC into a physical cable if you're doing home banking etc.
 
WEP is easy to crack. You'd prolly need something like 500,000 "interesting" packets. Takes anything from 5 mins to 4-5 hours to get enough data for wep cracking, depending on the nature of the network that one is investigating.

String dumping is much more interesting ;)
 
Our wireless router is currently WEP.

When I tried to change the key in the router to WPA, it then had the result that the laptop couldn't access the router (presumably as it was set for the WEP).

Can anyone assist with reasonably simple instructions on how to make the change from WEP to WPA without going through the headaches that I endured sorting out this mess the last time please?
 
Pingu's recommendation:

if you are using your internal network for anything you don't want to risk someone else finding out.. use wires (shielded if poss)*

if you are using your internal network for anything that is actually really sensitive use a wire and encryption*

if it's really really sensitive use fibre, as it's even possible to remotely sniff packets from wired networks with the right (expensive) equipment.*

* and disable wireless

I would say that the vast majority of home users would be safe enough with WEP and MAC filtering provided they used SSL and/or other encryption for any financial type stuff. Even if someone can sniff your network, if the packet is encrypted properly it will look like crap to them... unless they can also break the encryption used.

Personally I treat even my WPA protected wireless network as suspect and have a firewall between it and my main network, with a VPN tunnel used to access the WAP from the main network.

A great, and often unused, way of helping to protect any network is by clever use of subnetting. If you know how many machines are on a network you want to secure then using the right netmask can easily help flag intruders or threats.

But as an exercise in breaking WEP, nice work. WPA is more secure and if it's an option use it, but WEP is still better than nowt for the average home user.
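The subnetting point above is easy to miss, so here is a worked example in Python that I have added; it is not code from the thread. It sizes the netmask to the known number of machines (three hosts fit in a /29, leaving only three spare usable addresses), then walks a list of (sender IP, sender MAC) pairs as they might be seen in ARP traffic on the segment and flags anything that does not match the inventory: a known address answering from a different MAC, a spare address that nobody was allocated, or a sender outside the subnet altogether. Both the inventory and the observed pairs are constructed sample data, and the function names are my own.

```python
import ipaddress

# Constructed inventory: every machine that is supposed to be on the LAN,
# keyed by address, with the MAC each one is expected to use.
KNOWN_HOSTS = {
    "192.168.1.1": "00:11:22:33:44:01",  # router
    "192.168.1.2": "00:11:22:33:44:02",  # desktop
    "192.168.1.3": "00:11:22:33:44:03",  # laptop
}

# Constructed (sender IP, sender MAC) pairs as seen in ARP traffic on the
# segment; the last three are the kinds of thing a tight subnet exposes.
ARP_OBSERVED = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.2", "00:11:22:33:44:02"),
    ("192.168.1.3", "de:ad:be:ef:00:03"),   # known address, different MAC
    ("192.168.1.5", "aa:bb:cc:dd:ee:05"),   # spare address nobody was given
    ("192.168.1.40", "aa:bb:cc:dd:ee:40"),  # outside the subnet altogether
]


def smallest_prefix_for(n_hosts: int) -> int:
    """Longest IPv4 prefix whose usable host count (2^(32-p) - 2) still
    fits n_hosts, i.e. the tightest netmask for a known population."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= n_hosts:
            return prefix
    raise ValueError("too many hosts for an IPv4 subnet")


def tight_network(known_hosts, base="192.168.1.0") -> ipaddress.IPv4Network:
    """Subnet sized to the inventory (3 hosts -> /29, 6 usable addresses)."""
    prefix = smallest_prefix_for(len(known_hosts))
    return ipaddress.ip_network(f"{base}/{prefix}", strict=False)


def spare_addresses(network, known_hosts) -> int:
    """Usable addresses left over after the inventory; with a tight mask
    this is small, so a newcomer has few places to sit unnoticed."""
    return network.num_addresses - 2 - len(known_hosts)


def flag_unexpected(observed, known_hosts, network):
    """Return (ip, mac, reason) for every observed sender that does not
    match the inventory. Only known addresses with known MACs pass."""
    findings = []
    for ip, mac in observed:
        if ipaddress.ip_address(ip) not in network:
            findings.append((ip, mac, "outside subnet"))
        elif ip not in known_hosts:
            findings.append((ip, mac, "unassigned address in use"))
        elif known_hosts[ip].lower() != mac.lower():
            findings.append((ip, mac, "MAC changed for known address"))
    return findings


if __name__ == "__main__":
    net = tight_network(KNOWN_HOSTS)
    print(f"subnet {net}, spare usable addresses: "
          f"{spare_addresses(net, KNOWN_HOSTS)}")
    for ip, mac, reason in flag_unexpected(ARP_OBSERVED, KNOWN_HOSTS, net):
        print(f"  {ip:<14} {mac}  {reason}")
```

In practice the observed pairs would come from a packet capture or the router's ARP table rather than a hard-coded list; the value of the tight mask is that a joiner has to take one of very few addresses, so the "unassigned address in use" case fires almost immediately and a collision with a legit host shows up as a MAC change.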
 
Paulie Tandoori said:
Our wireless router is currently WEP.

When I tried to change the key in the router to WPA, it then had the result that the laptop couldn't access the router (presumably as it was set for the WEP).

Can anyone assist with reasonably simple instructions on how to make the change from WEP to WPA without going through the headaches that I endured sorting out this mess the last time please?
Can anyone guess what's going to be asked next?

Here's a hint, Fridgie did a nice post about it and even made it a sticky up top.

Post up specifics :mad: There's absolutely no point whatsofuckingever saying my kit doesn't work but not bothering to say what the bloody kit is!

What router, what laptop, what WiFi card for the laptop? Give as many details as possible, including model numbers, and if it's at all possible given the kit's capabilities we should be able to help you out.
 
Oops, soz old bean.

Router is a Netgear WGT 624 I think, with a Vaio laptop running Vista; network card I'm not sure (at work so can't check either :o )
 
Pingu said:
if it's really really sensitive use fibre, as it's even possible to remotely sniff packets from wired networks with the right (expensive) equipment.*

Christ, mate, it'd have to be fucking super top secret for someone to try and steal data from your ethernet cable! And there are fibre tappers these days too, you know.
 