OpenBSD Journal

Wireless security awareness and OpenBSD

Contributed by jose on from the demonstrating-WEP's-problems dept.

Angelbracket writes: "I've written a small thing about using OpenBSD in a security awareness setup (wifi related) for some ppl, might be useful? "

This is a short article (PDF) on the author's website. It shows how an OpenBSD laptop can be used to demonstrate to people how weak WEP is, and to encourage stronger WiFi security mechanisms (i.e. IPsec).


  1. By Anonymous Coward () on

    Nice how-to article, but capturing 10,000 packets will bring you nowhere. You'll need anywhere between 500K and 1M packets to get sufficient weak packets to start cracking.

    Nice to see these kinds of articles, but let's not exaggerate this WEP insecurity (you'll be capturing for weeks non-stop on a SOHO wireless network to grab the key).

    1. By Anonymous Coward () on

      Actually, you aren't limited to waiting for packets. There are tools available for re-injecting valid packets, to generate even more traffic.

      1. By Anonymous Coward () on

        Also, there are much more advanced ways of cracking WEP than waiting for weakly scheduled 0xAA LLC frames.

        In fact, modern firmwares don't even generate weak frames anymore, so Airsnort style cracking like this is useless.

        However, WEP can still be easily cracked with much less than 10000 packets. Most of the time one is enough.

  2. By Anonymous Coward () on

    I have actually been looking around at wireless security lately, and it seems that things have actually improved in the last couple of years.

    A lot of wireless gear released recently, or older hardware with updated firmware, has incorporated methods to avoid encrypting data with weak IVs, which will stop WEP-cracking methods that collect large amounts of data and attempt to crack weak IVs (sometimes incorrectly called weak keys).

    The only real problem with WEP in current times should be people using weak passwords.

    If anyone has any evidence to the contrary, I would be very interested in checking that out.

    1. By Anonymous Coward () on

      Well, yes and no. The weak packet attacks are obsolete. Modern firmwares send weak IVs straight to /dev/null.

      The classic way of cracking WEP is pretty much dead, but there are plenty more ways to do it.

      A modified rainbow table attack vs the first four bytes of an LLC frame will still give us a short list of candidate keys, most of which we will toss out because they don't translate to ASCII, and the rest can be used to mini-brute-force another packet encrypted with the same IV.

      The problem is that this is active: you have to accelerate IV consumption in order to get packets matching your rainbow table (rainbow tables for LLC frames will reach 10 GB in size, and you aren't going to keep 16 million of them on hand).

      Of course standard weak-password brute forcing works as well, and bit-entropy is very low in WEP keys.

      Also we could build an IV / keystream dictionary by XORing out a known plaintext.

      And then there are ciphertext/ciphertext XOR attacks.
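As an added example (not from the thread or the linked article), a toy model of the keystream-reuse weaknesses the comment above names: the key, IV and frames are constructed values, the CRC-32 ICV is left out, and the functions after the sample traffic use only what a passive listener on the network would see.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then the PRGA, returning `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP's per-packet RC4 key is the 24-bit IV followed by the shared key.
    Decryption is the same operation (XOR with the same keystream)."""
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))

# Constructed sample traffic: two frames that were sent under the same IV.
# With only 2^24 = 16,777,216 IVs, repeats are inevitable on a busy network.
IV = b"\x01\x02\x03"
KEY = b"secret"                                    # constructed 40-bit WEP key
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # fixed header of IP-over-802.11 frames
FRAME_A = LLC_SNAP_IP + b"hello from laptop"
FRAME_B = LLC_SNAP_IP + b"reply from the ap"
CT_A = wep_encrypt(IV, KEY, FRAME_A)
CT_B = wep_encrypt(IV, KEY, FRAME_B)

def plaintext_xor_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Ciphertext/ciphertext XOR: the shared keystream cancels, leaving P_a XOR P_b."""
    return xor_bytes(ct_a, ct_b)

def recover_keystream_prefix(ct: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext: XOR the predictable LLC/SNAP header out of one ciphertext
    to get this IV's keystream prefix (one entry of an IV / keystream dictionary)."""
    return xor_bytes(ct[: len(known_plaintext)], known_plaintext)

def recover_other_plaintext(ct_a: bytes, ct_b: bytes, known_a: bytes) -> bytes:
    """Once one frame's content is known, the XOR leak yields the other frame whole."""
    return xor_bytes(plaintext_xor_leak(ct_a, ct_b), known_a)
```

The same arithmetic is why any stream cipher that repeats a keystream fails, which is the reason the article's advice is to move encryption to a layer that never does (IPsec) rather than to tune WEP.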

  3. By Anonymous Coward () on

    To control who connects to the access point or listens to traffic, yes encryption is a real concern...

    IF the wireless solution was meant to be open for anyone to connect to the internet ... say for an Internet Cafe ... and since past the access point the Internet is not secure anyway...
    What advantage, if any, is there to make an open node use WEP or other encryption between access point and access client?

    Because one would think for better security perhaps it is best to encrypt all the traffic from end to end rather than worry about the hops that are wireless? Then WEP is redundant for this situation?

    Perhaps if someone was using a laptop with windoze 9x, and someone else connected to the same host access point, they could look for netbios stuff like shared folders/printers ... and attack directly... But many windoze computers get cracked just by email attachments and connecting to a website and their computer opening downloaded email/files without asking, or worse, the user clicking yes without understanding.

    (and yes btw, do live in fear if you find out you were using putty on a windoze box that had a keylogger...:)

    1. By Anonymous Coward () on

      (and yes btw, do live in fear if you find out you were using putty on a windoze box that had a keylogger...:)

      man otp

      1. By Anonymous Coward () on

        I mean, man skey

  4. By Corbets () on

    I only read the journal every few weeks, and by the time I came to it, this pdf file appears to have been removed. Does anyone have it cached, by any chance? Or, if the author removed it deliberately, perhaps he/she/it could explain the reason?

    Thanks - I'm really looking forward to reading it!

    1. By bob () on

      You can find it here.

  5. By Anonymous Coward () on

    That PDF link is dead, unfortunately.
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]