WLAN Security

FIXME This document is partly outdated; a newer and optimized attack exists.

Cowpatty (WPA)
(Ethereal) new name: wireshark

First the WLAN card has to be put into so-called monitor mode, i.e. the card no longer immediately discards all packets that are not addressed directly to it, but instead allows all packets to be recorded.

iwconfig wlan0 mode monitor
iwconfig wlan0 channel 1

Kismet sniffs out Wi-Fi access

Kismet scans for available networks and gives you some interesting information about them.

#> apt-get -t testing install kismet

You have to adapt /etc/kismet/kismet.conf to the WLAN interface in use. Valid values are listed in the README, which you can display with the following command:

zcat /usr/share/doc/kismet/README.gz | less

Section 12, „capture sources“, lists the valid values.

For example:


where the driver comes first, followed by the interface.

FIXME You need to be root to run kismet. When started, it gathers information about the available networks in a mode called „Autofit“. To actually select an interesting network (e.g. your own), press s to sort the list by a key of your choice, then select the network and press i for more information.

Make sure your network has WEP encryption enabled. It is possible to hide the name of your network (SSID hiding); however, kismet will detect it nonetheless and show it as „cloaked“.

Kismet logs received packets to /var/log/kismet/ which will come in handy later.

Airodump is likewise a WLAN sniffer. Airodump Homepage

airodump-ng --channel 1 --abg --write dumpfile --ivs ath0

--ivs can be specified if you only want to crack the WEP key.

You need about 50,000 to 200,000 IVs for 64-bit WEP and 200,000 to 700,000 IVs for a 128-bit key.

The next tool to use is AirSnort. This is a GTK-based network sniffer similar to kismet, but able to break WEP encryption. Install it and run it as root.

#> apt-get -t testing install airsnort

Some theory first. WEP uses the RC4 algorithm, which isn't the safest in the world. In fact it has some known security flaws, which are described elsewhere. Put simply, there are a few thousand keys which are weak and easy to decrypt. A few years ago you just had to run a tool like AirSnort to crack WEP encryption in a few minutes by fetching these weak keys from the air.

Nowadays all manufacturers have changed their WEP implementations to avoid these weak keys, so AirSnort will need a large amount of packets to get the WEP password. If you get a lot of „interesting“ packets in AirSnort, you know there is some old hardware in your net which needs to be updated.

Even if the manufacturers don't use the weak keys in WEP anymore, there is room for a simple attack: using brute force to guess the WEP password. The interesting thing is that this can be done completely undetected. All that is needed is a single passively sniffed packet.
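The IV handling behind the IV counts quoted above, shown with an added, self-contained Python example (not from this page or from any of the tools it describes): WEP seeds RC4 with the 24-bit IV prepended to the shared key, so two frames that reuse an IV share a keystream and their ciphertexts XOR to the plaintext XOR, and the birthday bound over the 2^24 IV space shows how few frames a repeat takes. The key and IV values are constructed.

```python
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: the 3-byte IV is prepended to the shared key
    and the concatenation seeds RC4; the IV is sent in clear with the frame.
    (The CRC-32 ICV that WEP appends to the plaintext is left out here.)"""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def same_iv_leaks_plaintext_xor(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV share a keystream: ciphertext XOR equals plaintext XOR, the key cancels."""
    c1 = wep_encrypt(wep_key, iv, p1)
    c2 = wep_encrypt(wep_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def frames_until_iv_repeat(p: float = 0.5, iv_bits: int = 24) -> int:
    """Smallest number of frames after which some IV has been reused with
    probability >= p, assuming random IVs (birthday bound over 2**iv_bits)."""
    n = 2 ** iv_bits
    k = 1
    while 1 - math.exp(-k * (k - 1) / (2 * n)) < p:
        k += 1
    return k

if __name__ == "__main__":
    key = bytes.fromhex("0123456789")   # constructed 40-bit ("64-bit") WEP key
    iv = bytes.fromhex("a1b2c3")        # constructed IV, reused for two frames
    print(same_iv_leaks_plaintext_xor(key, iv, b"GET /index.html", b"GET /admin.html"))
    print(frames_until_iv_repeat())     # 4824 frames for a 50% chance of a repeat
```

The repeat count is for random IVs; cards that count IVs sequentially wrap the 24-bit space after 2^24 frames instead, which is still only a few hours of traffic on a busy network.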

Let's install the tool first. Get it from and unpack it. For compiling you need some libraries, too.

#> apt-get -t testing install libssl-dev libpcap-dev
$> tar -xzvf WepAttack-0.1.3.tar.gz
$> cd WepAttack-0.1.3/src/
$> make
#> cp wepattack /usr/local/bin/

To brute-force a WEP-encrypted packet you need a wordlist (available from the above site) and a packet dump from kismet. Then just run the following command.

$> wepattack -f /var/log/kismet/Kismet-<date>-<num>.dump -w wordlist

If this finds your password it is too weak.

If your WLAN passes all these tests it should be reasonably safe from most crackers. At our company all traffic to the internal LAN is additionally encrypted by IPsec, but for a home network this is fine even without anything stronger.

Just as it's important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your wireless network against these tools.

NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

Kismet – There's really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.

Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).

Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. In a corporate scenario, don't use WPA with Pre-Shared Key; use a good EAP type to protect the authentication and limit the number of incorrect guesses that can take place before the account is locked out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.
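As an added example (not part of this page) of the check behind the Cowpatty advice above: the WPA-PSK key derivation that a dictionary attack has to repeat for every guess, plus a small policy check for a candidate passphrase. The wordlist is a constructed stand-in and the 60-bit entropy threshold is an assumption, not a standard.

```python
import hashlib
import math
import string
from typing import List

# Constructed stand-in for the dictionary file the text refers to; a real
# check would load a large wordlist from disk.
WORDLIST = {"password", "letmein", "12345678", "qwertyuiop", "iloveyou"}

def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output.
    A dictionary attack must repeat exactly this work for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def estimate_entropy_bits(passphrase: str) -> float:
    """Rough upper bound: length * log2(size of the character pool in use)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0

def check_psk(passphrase: str, ssid: str) -> List[str]:
    """Policy findings for a candidate pre-shared key; an empty list means
    the passphrase passes. Thresholds are assumptions, not a standard."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8..63 characters WPA allows")
    if passphrase.lower() in WORDLIST:
        findings.append("passphrase appears in the wordlist")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("passphrase contains the SSID")
    if estimate_entropy_bits(passphrase) < 60:
        findings.append("estimated entropy below 60 bits")
    return findings

if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk_to_pmk("password", "IEEE").hex())
    print(check_psk("password", "IEEE"))
    print(check_psk("Tr0ub4dor&3-correct-horse-battery", "homenet"))
```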