|
|
CASE STUDY: RIDING THE INSECURE AIRWAVES
Dax had recently acquired a nice Atheros-based wireless card, as well as a directional antenna and the pigtail required to hook it up. After plugging it into her Linux laptop in preparation for a war drive, she realized that she didn't even have to leave her home to find a new network. Dozens of new networks were already in range. Rather than try to hack and drive at the same time, she set her sights on a target within range of her own house.
Dax had already been stealing (or borrowing, depending on how you look at it) Internet access from a neighbor running a wide-open AP. The next thing on her to-do list was to break into a WEP-protected network. Fortunately, one of her neighbors was smart enough to encrypt their network (but not smart enough to enable WPA).
Dax put her card in monitor mode, fired up tcpdump, and captured a few packets from the network. She then ssh'ed into her school's idle cluster and started jc-wepcrack (a distributed WEP brute-forcer) on the captured data. Because Dax had access to 12 or so athlon 2200s, she would be able to break a 40-bit WEP key in, worse case, less than 24 hours.
Once jc-wepcrack was running, Dax logged out and decided to attack the network from a different angle. At this point, she had no idea if the network was protected by a 40-bit or 104-bit key. She wouldn't know for sure unless the brute-force attack against the packet capture failed, indicating a 104-bit key.
Instead of waiting for this to finish, Dax decided to get started cracking the network using statistical attacks instead of brute-forcing. To do this, she started logging all of the relevant data to a file using airodump (included in aircrack or as part of Airbase). Once she was writing data to disk, she went to get a coffee and then started up aircrack. After telling aircrack the path to the data and that she thought the key was 104-bit (since she already had the 40-bit case covered), she fired up aircrack.
aircrack popped up its matrix-like display of numbers dancing around as it computed the most statistically likely key and then tried it. Dax knew that the statistical techniques used worked better when they have more data to analyze and that the low scores on the screen indicated that it was really just flailing in the dark at this point.
To speed things up, Dax opened another terminal and launched aireplay. aireplay started retransmitting all the encrypted ARP packets it saw in an effort to generate traffic. At this point, Dax decided she had her bases covered. If it was a 40-bit key, she would definitely have it inside 24 hours. If it was a 104-bit key, aircrack would recover it given enough data. At any rate, she would probably have the key by morning. If she was lucky (and the neighbor's network was actually being used) she might discover the key even faster than that.
|
|