DFWUUG SECURITY SIG
INTRODUCTION TO 802.11 TECHNOLOGIES
At present there are three wireless LAN technologies in common use: 802.11b, 802.11a, and 802.11g. 802.11b provides 11 Mb/sec of bandwidth and operates in the 2.4 GHz band. Its successor, 802.11g, is designed to be faster, 54 Mb/sec, and operates at the same frequency; 802.11g is backwards compatible with 802.11b. 802.11a operates at a higher frequency, 5 GHz, and uses a different bandwidth management scheme from 802.11b and 802.11g, which makes it an incompatible technology. In addition to being incompatible with the established 802.11b networks, 802.11a uses a part of the radio frequency spectrum that is already allocated in Europe. These factors, coupled with decreased range compared to 802.11b and 802.11g, have all but killed 802.11a.
Wireless LAN devices consist of wireless cards that fit into computers, and access points. An AP (access point) is the wireless server that connects clients to the internal network. APs typically act as a bridge for the clients. The AP has an IP address for management configuration. APs typically have a web interface and an SNMP agent for remote
802.11 client cards for PDAs, laptops, and desktops cost approximately under US$19. Because the equipment needed to get into wireless is so inexpensive, attackers can easily obtain the tools necessary to carry out an attack. For the same reason, employees within many companies can purchase wireless equipment without approval and deploy it in a rogue fashion, creating additional risk.
The same security issues apply to home networks, corporate networks, and telecommuters using wireless. As corporate networks allow in remote users, those remote users may be using wireless at their end-point to connect in. In this case, even if no wireless capability has been installed on the corporate network, the company may still be affected by the risk of its remote employees using wireless at home or on the road.
Airports, hotels, coffee shops like Starbucks, and even McDonald’s are deploying 802.11 networks so people can browse the Internet wirelessly with their laptops. As these types of networks increase, they will create additional security risk for the remote user if not properly protected.
WAR DRIVING ETC.
The term comes from the movie "WarGames", in which dialing many phone numbers looking for computers to access was called "War-Dialing". The same idea has been applied to wireless: war-walking, war-driving, and war-flying refer to the modes of transportation used for going around and identifying access points. Most reports of war-walking, war-driving, and war-flying have resulted in identifying large numbers of wide open, unsecured access points in most cities.
Dallas/Fort Worth Unix Users Group – Security SIG Page 1
War-chalking is the act of marking an area with a symbol to indicate that an AP is within range. WiFi war-chalking symbols are at http://www.warchalking.org.
The main known security risks with 802.11 are:
• Denial of Service
• Insertion Attacks
• Interception and monitoring wireless traffic
DENIAL OF SERVICE
802.11b and 802.11g wireless LANs are allocated spectrum in the 2.4 GHz region. This part of the radio frequency spectrum is set aside as unlicensed, i.e., a license is not required to transmit at that frequency. Other electronic devices operating at the same frequency include digital cordless phones and microwave ovens. An attacker could perform a simple denial of service just by turning on a digital cordless phone in the area of a wireless LAN. Similarly, a microwave oven with a leaky door seal will spew enough energy to take down a wireless LAN. A more insidious attack is the disassociate denial of service attack. An AP can send a special command to all associated client stations forcing them to disassociate, thus dropping the network connection; the client stations have no recourse but to drop the association. To accomplish this, an attacker uses an AP that has had its output power boosted and can be programmatically controlled to send out the disassociate command.
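The disassociation flood described above is at least visible to a defender: a legitimate AP sends a handful of disassociate frames when a client roams or the AP restarts, whereas a scripted, power-boosted AP sends them continuously. The following is an added example, not code from the original article: a sliding-window counter run over constructed 802.11 management-frame records that raises an alert when the disassociate/deauthenticate count from one source address reaches a threshold. The record layout, the addresses, the window and the threshold are this example's own assumptions.

```python
"""Added example (not part of the DFWUUG article): detect a disassociate /
deauthenticate flood from a stream of 802.11 management-frame records.

Each record is (timestamp_seconds, subtype, source_address, destination_address).
This tuple layout is this example's own convention, not any capture tool's
format. The sample capture below is constructed.
"""
from collections import deque

# Subtype labels used by this example for the two frames that drop a client.
DISASSOC = "disassoc"
DEAUTH = "deauth"

# Constructed capture: a normal beacon/roam, then a burst of 30 broadcast
# disassociate frames within 1.5 seconds, all carrying the real AP's address
# (a rogue sender would spoof it, so the source address alone is not a signal).
SAMPLE_FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
    (0.2, DISASSOC, "00:11:22:33:44:55", "aa:bb:cc:00:00:01"),  # one client leaving: benign
    (5.0, "beacon", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
] + [
    (10.0 + i * 0.05, DISASSOC, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff")
    for i in range(30)
]


def detect_disassoc_floods(frames, window_seconds=2.0, threshold=10):
    """Return one alert per source address whose disassociate/deauthenticate
    frames reach `threshold` within any `window_seconds` interval.

    `frames` must be ordered by timestamp. Window and threshold are assumed
    tuning values; a busy production AP may need a higher threshold.
    """
    recent = {}     # source address -> deque of timestamps inside the window
    alerted = set()  # alert once per source address per run
    alerts = []
    for ts, subtype, src, _dst in frames:
        if subtype not in (DISASSOC, DEAUTH):
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "bssid": src,
                "first_ts": q[0],
                "last_ts": ts,
                "count": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_disassoc_floods(SAMPLE_FRAMES):
        print("disassociate flood from %(bssid)s: %(count)d frames between "
              "t=%(first_ts).2f and t=%(last_ts).2f" % alert)
```

Because the attacking AP transmits with the legitimate AP's address, comparing the source against an inventory of known APs would not catch it; the detector therefore counts per source address regardless of whether that address is trusted. The article notes that clients have no recourse but to drop the association, so detection, followed by physically locating the transmitter, is what remains to the defender.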
Insertion attacks are based on placing unauthorized devices on the wireless network without going through a security process and review.
• Plugging in unauthorized clients
An attacker tries to connect their wireless client, typically a laptop or PDA, to an AP without authorization. APs can be configured to require a password before clients can gain access. If there is no password, an intruder can connect to the internal network simply by connecting a client to the AP.
• Plugging in unauthorized rogue access points
Many companies may not be aware that internal employees have deployed wireless capabilities on their network. An internal employee wanting to add their own wireless capability to the network plugs their own AP into the wired intranet. This is a risk if the AP has not been properly secured. It could lead to the previously described attack: unauthorized clients gaining access through the unauthorized AP, allowing intruders into the internal network. Typically, companies need a policy against employees adding wireless APs to the corporate network without requesting permission and going through a security process. A sophisticated intruder may physically place an AP on the victim’s network to give themselves remote access via wireless.
INTERCEPTION AND MONITORING WIRELESS TRAFFIC
Interception and monitoring attacks are popular on broadcast wired networks like Ethernet. The same principles apply to wireless.
An attacker can sniff and capture legitimate traffic. Many of the sniffer tools for Ethernet are based on capturing the first part of a connection session, where the data typically includes the username and password. An intruder can then masquerade as that user using the captured information. An intruder who monitors the wireless network can apply the same attack principle there.
One of the big differences between wireless and wired sniffer attacks is that a wired sniffer attack is achieved by remotely placing a sniffer program on a compromised server and monitoring the local network segment; such an attack can be launched from anywhere in the world. Wireless sniffing typically requires the attacker to be within range of the wireless traffic. This range is usually around 300 feet, but wireless equipment keeps strengthening the signal and pushing the range further out.
Many people are building cheap antennas from cans bought at the grocery store, including Pringles cans and beef stew cans. The waveguide cans appear to be significantly stronger. Here is a good guide to building Pringles and waveguide antennas:
• 802.11b Homebrew Antenna Shootout
• Hijacking the Session
If an attacker can sniff the wireless traffic, it is possible to inject false traffic into a connection. An attacker may be able to issue commands on behalf of a legitimate user by injecting traffic and hijacking the victim’s session.
If an AP is connected to a hub rather than a switch, any network traffic across that hub can potentially be broadcast out over the wireless network. Because an Ethernet hub repeats all data packets to all connected devices, including the wireless AP, an attacker can monitor sensitive data going out over the wireless that was never intended for any wireless client.
An attacker can trick legitimate wireless clients into connecting to the attacker’s network by placing, in close proximity to the clients, an unauthorized AP with a stronger signal that mimics a legitimate AP. This may cause unaware users to attempt to log into the attacker’s servers. With false login prompts, the user can unknowingly give away sensitive data like passwords.
By default, all APs out of the box from the factory are configured in the least secure mode possible. Adding the proper security configuration is left as an exercise for the administrator. Unless the administrator of the AP understands the security risks, most APs remain at a high risk level.
The SSID (Server Set ID) is a configurable identifier that allows clients to communicate with the appropriate AP. With proper configuration, only clients configured with the same SSID can communicate with APs having that SSID. From a security point of view, the SSID acts as a simple single shared password between APs and clients.
Some default SSIDs:
• “tsunami” - Cisco
• “101” - 3Com
• “RoamAbout Default Network Name” - Lucent/Cabletron
• “Default SSID”
• “Compaq” - Compaq
• “WLAN” - Addtron, a popular AP
• “intel” - Intel
• “linksys” - Linksys
Most APs today are configured with a server set id (SSID) that acts as a single key or password shared with all connecting wireless clients.
An attacker can try to guess the AP’s SSID with a brute force dictionary attack. Most companies and people configure most passwords to be simple to remember and therefore easy to guess. Once the intruder guesses the SSID, they can gain access through the AP.
If the SSID is obtained through a wireless client being compromised, or an employee resigns knowing the key, there is a risk that anyone with the SSID can still connect to the AP until the SSID is changed. If there are many wireless users and clients, this security solution becomes problematic to scale when the SSID needs to be changed frequently, since all clients and APs must be reconfigured with the updated shared SSID each time.
Unfortunately, the SSID cannot be encrypted. WEP (Wired Equivalent Privacy), the encryption standard for 802.11, only encrypts the data packets, not the 802.11 management packets, and the SSID is carried in the beacon and probe management messages. The SSID is therefore not encrypted even if WEP is turned on: it goes over the air in clear text, which makes obtaining it easy by sniffing 802.11 wireless traffic.
Many APs have SSID broadcasting turned on by default, and sniffers will typically find the SSID in the broadcast beacon packets. Turning off the SSID broadcast in the beacon message (a common practice) does not prevent an attacker from getting the SSID: since the SSID is sent in the clear in the probe message when a client associates to an AP, a sniffer just has to wait for a valid user to associate to the network to see it.
• Wired Equivalent Privacy
WEP can typically be configured in 3 possible modes:
• No encryption mode
• 40 bit encryption
• 128 bit encryption
WEP is turned off by default out of the box. 64-bit (40-bit key) encryption versus 128-bit encryption provides no added protection against the known flaw in WEP.
Most public wireless LAN access points (e.g., airports, hotels) do not enable WEP. Based on statistical analysis in regions like New York, San Francisco, London, and Atlanta, most companies do not turn on WEP security on their APs. If the AP does not enable WEP, the wireless clients cannot use WEP encryption.
In some APs, it is optional whether encryption is enforced. WEP encryption may be turned on, but if it is not enforced, a client without encryption but with the proper SSID can still access that AP.
• Attacks against WEP
The 802.11a/b/g standards use WEP (Wired Equivalent Privacy). It has some known weaknesses in how the encryption is implemented.
Papers on WEP insecurities:
• Researchers at Berkeley have documented these findings at:
• Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
Using WEP is better than not using it; it at least stops casual sniffers. Today, however, there are readily available tools for most attackers to crack WEP keys. AirSnort and other tools need a lot of packets (several million) to get the WEP key; on most networks this takes longer than most people are willing to wait. If the network is very busy, the WEP key can be cracked and obtained within 15 minutes. A reasonable amount of data to crack the WEP key is 3 GB; a collection run of 5 GB will certainly yield the WEP key.
Because of the WEP weakness, wireless sniffing and hijacking techniques can work despite WEP encryption being turned on.
The IEEE 802.11i standard allows network access to be authenticated and keys to be distributed: access to APs can be authenticated, and WEP keys can be distributed and updated. On the road to 802.11i, the Wi-Fi Alliance has created WPA (Wi-Fi Protected Access). It is forward compatible with 802.11i and was supposed to fix the problems of WEP and lead us down the garden path to robust wireless security. WPA has a dirty little secret: poorly chosen short human-readable passphrases can be cracked with a robust dictionary attack offline and without access to the network. Short, text-based WPA keys can be broken through no fault in the WPA protocol. This is not a flaw in WPA; it is a configuration problem, which is ultimately a people problem.
The NetGear access point uses the following 4 WEP sequences as default keys:
• 10 11 12 13 14
• 21 22 23 24 25
• 31 32 33 34 35
• 41 42 43 44 45
It is highly recommended not to use the default WEP keys.
Many wireless APs have SNMP (Simple Network Management Protocol) agents running. If the community word is not properly configured, an intruder can read and potentially write sensitive information and data on the AP. If SNMP agents are enabled on the wireless clients, the same risk applies to them as well.
By default, all APs with SNMP are read accessible using the community word “public”. Since most APs default to the community word “public”, potentially sensitive information can be obtained from the AP.
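The weak defaults listed in the preceding sections (a factory SSID, SSID broadcast left on, WEP off or not enforced, a vendor default WEP key, a short dictionary WPA passphrase, the SNMP community “public”, and a default management password) are the kind of thing an administrator can check mechanically before an AP goes live. The following is an added example, not code from the original article or from any vendor: an audit function over a constructed configuration dictionary. The dictionary keys, the severity labels, the 20-character passphrase minimum and the tiny word list are this example's own assumptions; the default SSIDs and the NetGear default WEP keys are the ones the article lists.

```python
"""Added example (not part of the DFWUUG article): audit an access point's
configuration against the weak defaults the article describes.

The configuration is a plain dict whose keys are this example's own
convention (constructed), not any vendor's export format.
"""

# Default SSIDs as listed in the article.
DEFAULT_SSIDS = {
    "tsunami", "101", "RoamAbout Default Network Name", "Default SSID",
    "Compaq", "WLAN", "intel", "linksys",
}

# NetGear default WEP key sequences as listed in the article, as hex strings.
NETGEAR_DEFAULT_WEP_KEYS = {"1011121314", "2122232425", "3132333435", "4142434445"}

# Tiny constructed word list standing in for the dictionary an offline
# attack would use; a real check would consult a full word list.
COMMON_WORDS = {"password", "wireless", "default", "admin", "secret", "letmein"}

# Assumed minimum passphrase length for the WPA check.
MIN_WPA_PASSPHRASE_LEN = 20


def _normalise_hex_key(key):
    """Strip spaces and colons so '10 11 12 13 14' compares as '1011121314'."""
    return key.replace(" ", "").replace(":", "").lower()


def audit_ap(cfg):
    """Return a list of (severity, finding) tuples for the configuration `cfg`."""
    findings = []
    ssid = cfg.get("ssid", "")
    if ssid in DEFAULT_SSIDS:
        findings.append(("medium", "SSID %r is a factory default" % ssid))
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", "SSID broadcast in beacons is enabled"))

    enc = cfg.get("encryption", "none")
    if enc == "none":
        findings.append(("high", "no link-layer encryption enabled"))
    elif enc == "wep":
        if not cfg.get("encryption_enforced", True):
            findings.append(("high", "WEP is on but not enforced: unencrypted "
                                     "clients with the SSID can still associate"))
        for key in cfg.get("wep_keys", []):
            if _normalise_hex_key(key) in NETGEAR_DEFAULT_WEP_KEYS:
                findings.append(("high", "WEP key %r is a vendor default" % key))
        findings.append(("medium", "WEP in use: the key is recoverable from "
                                   "enough captured traffic"))
    elif enc == "wpa":
        passphrase = cfg.get("wpa_passphrase", "")
        if len(passphrase) < MIN_WPA_PASSPHRASE_LEN or passphrase.lower() in COMMON_WORDS:
            findings.append(("high", "short or dictionary WPA passphrase can be "
                                     "cracked offline"))

    if cfg.get("snmp_enabled", False) and cfg.get("snmp_community") == "public":
        findings.append(("high", "SNMP community is the default 'public'"))
    if cfg.get("admin_password_is_default", False):
        findings.append(("high", "management password is the vendor default"))
    if cfg.get("wireless_admin", True):
        findings.append(("medium", "management interface is reachable over the wireless side"))
    return findings


# Constructed configurations: an out-of-the-box AP and a hardened one.
FACTORY_DEFAULT_AP = {
    "ssid": "linksys", "ssid_broadcast": True, "encryption": "none",
    "snmp_enabled": True, "snmp_community": "public",
    "admin_password_is_default": True, "wireless_admin": True,
}
HARDENED_AP = {
    "ssid": "b7-west-floor3", "ssid_broadcast": False, "encryption": "wpa",
    "wpa_passphrase": "plum-radius-47-meadow-kite",
    "snmp_enabled": False, "admin_password_is_default": False, "wireless_admin": False,
}

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT_AP), ("hardened", HARDENED_AP)):
        print("%s AP: %d findings" % (name, len(audit_ap(cfg))))
        for severity, text in audit_ap(cfg):
            print("  [%s] %s" % (severity, text))
```

The WEP branch always reports a medium finding even when the key is not a default, which matches the article's position that WEP is a weak lock rather than no lock: worth enabling, but never a reason to skip the other controls.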
WAR DRIVING, WAR WALKING
As people “war drive”, locating APs and recording the GPS coordinates of each AP’s location, these AP maps are shared with any attacker on the Internet. If a company’s AP location and information are shared on the Internet, that AP becomes a potential target and the company’s risk increases. The map sites usually include a visual map and a database query tool for locating various APs. Here are some popular places to upload war driving AP maps:
802.11 SECURITY TOOLS
• AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. AirSnort works for both 40- and 128-bit encryption.
• WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered
weakness of RC4 key scheduling.
• Network Stumbler scans for networks roughly every second and logs all the networks it runs into, including the real SSIDs, the AP’s MAC address, the best signal-to-noise ratio encountered, and the time you crossed into the network’s space. If you add a GPS receiver to the notebook, it logs the exact latitude and longitude of the AP. Network Stumbler does not use promiscuous mode, so simply turning off broadcast pings hides the access point from NetStumbler. The NetStumbler website now also includes MiniStumbler for PocketPC:
o http://www.netstumbler.com/download.php?op=getit&lid=21 PocketPC
• Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It works with any wireless card that supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
WHAT CAN YOU DO ABOUT WIRELESS SECURITY?
Actually, you can do a lot.
• Follow secure file-sharing practices. This means:
o Share only what you need to share (think folders, not entire hard drives).
o Password-protect anything that is shared, with a strong password.
• Enable WEP Encryption
802.11’s WEP encryption has had a lot of deservedly bad press about its weaknesses. But a weak lock is better than no lock at all, so enable WEP encryption and use a non-obvious encryption key. Look for and use products that support 128-bit WEP. Prices have come down on 802.11 equipment, so there’s no need to buy something that doesn’t support 128-bit WEP.
• Use non-obvious WEP keys and periodically change them
While the limitations of some wireless client utilities don’t help (hexadecimal-only support, single keys, forgetting keys, etc.), don’t make it easy for potential snoops to get onto your LAN by using simple keys like 123456, all ones, etc. Changing the keys periodically is more difficult, because it requires sending out information about the new keys to users, and that can be a security problem in itself. But changing keys periodically can help keep your LAN secure, so consider putting a procedure in place to do it.
• Secure your wireless router / Access Point (AP)
Your router or access point should require a password to access its admin features. If it doesn’t, get one that does! Also, change the password from the default and use a strong one!
• Disallow router/ AP administration via wireless
Unfortunately, this feature is usually only present in "Enterprise-grade" APs. Allowing administration over the wireless side is perhaps more dangerous than SNMP community strings named “public”.
• Use MAC address based Access and Association control
Previously available only on "Enterprise-grade" products, many routers and access points are being upgraded with the ability to control which clients can use them. MAC addresses are tied to physical network adapters, so using this method requires a little coordination and maybe a little inconvenience for LAN users. And MAC addresses can be "spoofed" (imitated or copied), so it’s not a guarantee of security, but it adds another hurdle for potential intruders to jump. If you already have a product that doesn’t include this feature, check your manufacturer’s Web site for a firmware upgrade.
• Don’t broadcast the SSID.
You wouldn’t put a note card with the combination of a lock next to the lock. Similarly,
don’t broadcast the SSID to the world and make it easier to get in.
• Don’t put AP’s next to exterior walls.
As you do your site survey for access point deployment, think about locating the access points toward the center of your building rather than near the windows. Plan your coverage to radiate out to the windows, but not beyond. If the access points are located near the windows, a stronger signal will be radiated outside your building, making it easier for people to
• Add the extra security of RADIUS
Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it’s not part of the 802.11b standard, a number of companies optionally include some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses against an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128
• If you can get away with it, don’t use DHCP.
If you’re deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turning off DHCP. It’s true that it’s more administrative overhead to manage, but we found a number of wireless networks that passed out IP addresses to us once we associated with the AP. Although a wireless sniffer could easily pick out IP addresses, not passing them out just adds another barrier. It makes it tougher for the casual "drive-by" to use your network.
• While you’re at it, change the subnet.
If you're using a wireless router and have decided to turn off DHCP, also consider changing
the IP subnet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1
as the default router.
• Avoid 64 bit WEP!
Don’t buy access points or NICs that only support 64-bit WEP. Some low-end products only support 64-bit (40-bit key) WEP, and as you know by now, even 128-bit WEP is universally considered not very secure. Note that some NICs may only require a driver upgrade to attain 128-bit WEP capability.
• Avoid equipment that can’t be upgraded.
Only purchase access points that have flashable firmware. There are a number of security enhancements being developed, and you want to be sure that you can upgrade your access points.
• Hunt down rogue access points.
Periodically survey your site using a tool like NetStumbler to see if any "rogue" access points pop up. With the declining price of access points, it’s not hard to imagine that a department might run out to Best Buy, buy a couple of NICs and an AP, and plug it into your corporate network. All of your hard work to "harden" your wireless network could be wasted if a rogue AP were plugged into your network behind your firewall.
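A rogue hunt is only as good as the comparison between what the survey sees and what is supposed to be there. The following is an added example, not code from the original article or from NetStumbler or Kismet: it takes a constructed survey (BSSID, SSID, channel, signal) and an inventory of authorised APs, and flags unknown BSSIDs (the department's unapproved AP from the rogue-AP sections), an unknown BSSID advertising one of your own SSIDs (the impersonating AP from the interception section), and a known BSSID whose SSID or channel has drifted from the inventory. The record layout, addresses, SSIDs, and the signal threshold used to guess "inside the building" are this example's own assumptions.

```python
"""Added example (not part of the DFWUUG article): classify a wireless site
survey against an inventory of authorised access points.

Survey records are dicts with bssid/ssid/channel/signal; that layout is this
example's own convention, not NetStumbler's or Kismet's log format. All
addresses, SSIDs and readings below are constructed.
"""

# Authorised APs: bssid -> (expected ssid, expected channel). Constructed.
AUTHORIZED_APS = {
    "00:40:96:a1:b2:c3": ("corpnet", 1),
    "00:40:96:a1:b2:c4": ("corpnet", 6),
    "00:40:96:a1:b2:c5": ("corpnet", 11),
}

# Constructed survey, as it might be recorded on a walk around the building.
SURVEY = [
    {"bssid": "00:40:96:a1:b2:c3", "ssid": "corpnet", "channel": 1, "signal": -55},
    {"bssid": "00:40:96:a1:b2:c4", "ssid": "corpnet", "channel": 6, "signal": -61},
    {"bssid": "00:06:25:11:22:33", "ssid": "linksys", "channel": 6, "signal": -48},        # default SSID, strong: the department's AP?
    {"bssid": "00:0c:41:de:ad:01", "ssid": "corpnet", "channel": 11, "signal": -40},       # our SSID from an address we do not own
    {"bssid": "00:40:96:a1:b2:c5", "ssid": "corpnet", "channel": 3, "signal": -70},        # known AP, not on its assigned channel
    {"bssid": "00:02:2d:77:88:99", "ssid": "neighbor-cafe", "channel": 1, "signal": -85},  # weak: probably next door
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify_survey(survey, inventory, strong_signal_dbm=-60):
    """Return findings as (severity, bssid, reason) tuples, highest severity first.

    strong_signal_dbm is an assumed cut-off: an unknown AP heard louder than
    this is treated as likely to be inside the building rather than a neighbour.
    """
    our_ssids = {ssid for ssid, _ in inventory.values()}
    findings = []
    for ap in survey:
        bssid, ssid = ap["bssid"].lower(), ap["ssid"]
        if bssid in inventory:
            exp_ssid, exp_ch = inventory[bssid]
            if ssid != exp_ssid or ap["channel"] != exp_ch:
                findings.append(("medium", bssid,
                                 "authorised AP drifted from inventory: saw ssid=%r ch=%d, "
                                 "expected ssid=%r ch=%d" % (ssid, ap["channel"], exp_ssid, exp_ch)))
            continue
        if ssid in our_ssids:
            findings.append(("high", bssid,
                             "unknown BSSID advertising our SSID %r (possible impersonating AP)" % ssid))
        elif ap["signal"] >= strong_signal_dbm:
            findings.append(("high", bssid,
                             "unknown AP %r with strong signal (%d dBm): likely inside the building"
                             % (ssid, ap["signal"])))
        else:
            findings.append(("low", bssid,
                             "unknown AP %r with weak signal: probably a neighbour" % ssid))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, bssid, reason in classify_survey(SURVEY, AUTHORIZED_APS):
        print("[%s] %s: %s" % (severity, bssid, reason))
```

The drift check on known BSSIDs exists because, as the article notes under MAC filtering, addresses can be copied: an AP that clones an authorised BSSID passes the inventory lookup, so the SSID and channel it is seen on are the remaining clues. A survey taken from the parking lot with an external antenna, as the perimeter recommendation suggests, can be fed through the same function to see which of your own APs are audible outside.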
• Determine where the broadcast perimeter of the wireless network ends.
Take a notebook equipped with NetStumbler and an external antenna outside your office building and survey what someone parked in your parking lot might "see". You’ll be surprised how far the signal radiates. You might only associate at 1-2 Mbps, but it’s still a security risk.
• Use a VPN
The most effective strategy would be to put your wireless access points into a DMZ, and
have your wireless users tunnel into your network using a VPN (Virtual Private Network).
In closing, you can implement as much or as little security as you want on your wireless network. There is no one single thing you can do to make your wireless LAN secure. Fortunately, there are a lot of things that can be done to turn an essentially insecure medium into a more secure medium suitable for many uses beyond mere hobbyist tinkering.