
Thread: Introduction to Securing a Wireless Network.

  1. #21
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Originally posted here by annihilator_god
    Grunt, I literally have no idea what RADIUS servers are. All I know is that my router has multiple security modes for wireless networking. These include WEP, WPA pre shared key, WPA RADIUS, and RADIUS. It looks to be a method of authentication, so that would be a way to log in, right? Obviously I need to do more research since I have no idea. Which is exactly what I'm doing right now.
    RADIUS stands for remote access dial up server. This is actually an authentication protocol, used when remote dial up users authenticate themselves. The reason this was brought up in the discussion of wireless security is for the ability to authenticate users, not just based on MAC cards and WEP keys, but with actual usernames and passwords. This helps draw a clearer line on the network as to what the actual user can do on a network or system. In addition, it adds another layer of security. I've listed below the actual RADIUS definition, because I know my half ass explanation isn't gonna cut it for a lot of you out there.


    RADIUS: A client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics. Created by Livingston (now owned by Lucent), RADIUS is a de facto industry standard used by Ascend and other network product companies and is a proposed IETF standard.


    I hope this answers any of those radius specific questions out there.


    --PuRe www.pureehosting.com
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  2. #22
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    If you need more info on AES, here's the home page of the (Belgian) developers of Rijndael. The page isn't updated anymore, though, and the data dates from back when Rijndael was still a candidate.
    The "pictures and animations" section is particularly interesting, though!

  3. #23
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    Hi,

    excellent post keezel,

    I am still not able to get the SSID part. As far as I know, the SSID is transmitted in plain text:


    What happens is :

    1. The client sends a probe request.
    2. The access point responds with a probe response; these frames are known as beacon frames, and you can also set the timing of these frames in the beacon interval.

    3. The client sends an authentication request. Here comes your WEP: if it is shared, then WEP is enabled.
    4. The AP responds with an authentication response.

    5. Association request.

    6. Association response.

    So if you were using a Cisco Systems AP then you will see these steps; the last, however, will say associated and the corresponding MAC ID.

    Actually, even I am not 100% confident that if you were to use encryption then the SSID will not be seen. Even if you were to disable SSID broadcast, sniffers can still pull the SSID.

    You might want to have a look at the following websites


    http://www.cisco.com/en/US/products/...800b469f.shtml

    http://xianshield.org
    Look in the Wireless security primer; the concept of RADIUS and TKIP is explained well.

    MRG.

  4. #24
    0_o Mastermind keezel
    Join Date
    Jun 2003
    Posts
    1,024
    Thank you very much, mrg81. I did some research and everything I read said that the SSID is encrypted by WEP or some other encryption when it is broadcast (assuming broadcasting of the SSID has not been turned off), but someone with physical access to the network can pull the SSID off a system because it is still stored in plain text. If you were using WEP (wired equivalent protection) then it causes an attacker to have to have physical access to the network - meaning it's done its job in equalizing wired and unwired networks in terms of security. Some experts say that the broadcasting of the SSID doesn't really matter anyway because even if someone has the SSID, they can't associate much with the network without being rejected because they don't have the correct encryption key. If they don't have the tools to crack the encryption, they won't be getting access to your network. The SSID is not so much the "key to your network" as simply the name of your network. Turning off the broadcasting of the SSID keeps random wardrivers from even trying to mess with your network, but the real initial line of defense is the encryption. If someone *does* have the tools to crack encryption, a wardriver will be able to detect the network anyway and eventually break the encryption and get the SSID too. It seems like the only time disabling or encrypting the SSID matters is when a person doesn't have the ability or tools to crack the network anyway. Still can't hurt though. Agree/disagree?

  5. #25
    T3h 1337 N00b kryptonic
    Join Date
    Sep 2003
    Location
    Seattle, Washington.
    Posts
    523
    I'll have to remember this for when I set my wireless up.

  6. #26



    I'm still thinking about publishing a tutorial called "Introduction to unsecure a Wireless Network".


    The only secure password protection I can see is WPA-PSK; the aircrack software also says it supports a cracking module for this protocol's encryption:


    /*
     * 802.11 40/104 bit WEP / WPA-PSK Key Cracker
     *
     * Copyright (C) 2004,2005 Christophe Devine
     */


    Code:
    struct WPA_hdsk
    {
        uchar stmac[6];             /* supplicant MAC               */
        uchar snonce[32];           /* supplicant nonce             */
        uchar anonce[32];           /* authenticator nonce          */
        uchar keymic[16];           /* eapol frame MIC              */
        uchar eapol[256];           /* eapol frame contents         */    
        int eapol_size;             /* eapol frame size             */
        int keyver;                 /* key version (TKIP / AES)     */
        int state;                  /* handshake completion         */
    };


    and the source for cracking:


    Code:
    int crack_wpa_thread( void *arg )
    {
        char  essid[36];
        char  key1[128], key2[128];
        uchar pmk1[128], pmk2[128];
    
    #ifdef __i386__
    
        uchar k_ipad[128], ctx_ipad[40];
        uchar k_opad[128], ctx_opad[40];
        uchar buffer[128], sha1_ctx[40];
        uchar wrkbuf[640];
        uint i, *u, *v, *w;
    
    #endif
    
        int slen, cid = (long) arg;
    
        /* receive the essid */
    
        memset( essid, 0, sizeof( essid ) );
    
        if( safe_read( mc_pipe[cid][0], (void *) essid, 32 ) != 32 )
        {
            perror( "read failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }
    
        slen = strlen( essid ) + 4;
    
        while( 1 )
        {
            /* receive two passphrases */
    
            memset( key1, 0, sizeof( key1 ) );
            memset( key2, 0, sizeof( key2 ) );
    
            if( safe_read( mc_pipe[cid][0], (void *) key1, 128 ) != 128 ||
                safe_read( mc_pipe[cid][0], (void *) key2, 128 ) != 128 )
            {
                perror( "read passphrase failed" );
                kill( 0, SIGTERM );
                _exit( FAILURE );
            }
    
            key1[127] = '\0';
            key2[127] = '\0';
    
    #ifdef __i386__
    
            /* MMX available, so compute two PMKs in a single row */
    
            memset( k_ipad, 0, sizeof( k_ipad ) );
            memset( k_opad, 0, sizeof( k_opad ) );
    
            memcpy( k_ipad, key1, strlen( key1 ) );
            memcpy( k_opad, key1, strlen( key1 ) );
    
            memcpy( k_ipad + 64, key2, strlen( key2 ) );
            memcpy( k_opad + 64, key2, strlen( key2 ) );
    
            u = (uint *) ( k_ipad      );
            v = (uint *) ( k_ipad + 64 );
            w = (uint *) buffer;
    
            for( i = 0; i < 16; i++ )
            {
                /* interleave the data */
    
                *w++ = *u++ ^ 0x36363636;
                *w++ = *v++ ^ 0x36363636;
            }
    
            shammx_init( ctx_ipad );
            shammx_data( ctx_ipad, buffer, wrkbuf );
    
            u = (uint *) ( k_opad      );
            v = (uint *) ( k_opad + 64 );
            w = (uint *) buffer;
    
            for( i = 0; i < 16; i++ )
            {
                *w++ = *u++ ^ 0x5C5C5C5C;
                *w++ = *v++ ^ 0x5C5C5C5C;
            }
    
            shammx_init( ctx_opad );
            shammx_data( ctx_opad, buffer, wrkbuf );
    
            memset( buffer, 0, sizeof( buffer ) );
    
            /* use the buffer, luke */
    
            buffer[ 40] = buffer[ 44] = 0x80;
            buffer[122] = buffer[126] = 0x02;
            buffer[123] = buffer[127] = 0xA0;
    
            essid[slen - 1] = '\1';
    
            hmac_sha1( (uchar *) key1, strlen( key1 ),
                       (uchar *) essid, slen,  pmk1 );
    
            hmac_sha1( (uchar *) key2, strlen( key2 ),
                       (uchar *) essid, slen,  pmk2 );
    
            u = (uint *) pmk1;
            v = (uint *) pmk2;
            w = (uint *) buffer;
    
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
    
            for( i = 1; i < 4096; i++ )
            {
                memcpy( sha1_ctx, ctx_ipad, 40 );
                shammx_data( sha1_ctx, buffer, wrkbuf );
                shammx_ends( sha1_ctx, buffer );
    
                memcpy( sha1_ctx, ctx_opad, 40 );
                shammx_data( sha1_ctx, buffer, wrkbuf );
                shammx_ends( sha1_ctx, buffer );
    
                u = (uint *) pmk1;
                v = (uint *) pmk2;
                w = (uint *) buffer;
    
                /* de-interleave the digests */
    
                *u++ ^= *w++; *v++ ^= *w++;
                *u++ ^= *w++; *v++ ^= *w++;
                *u++ ^= *w++; *v++ ^= *w++;
                *u++ ^= *w++; *v++ ^= *w++;
                *u++ ^= *w++; *v++ ^= *w++;
            }
    
            essid[slen - 1] = '\2';
    
            hmac_sha1( (uchar *) key1, strlen( key1 ),
                       (uchar *) essid, slen,  pmk1 + 20 );
    
            hmac_sha1( (uchar *) key2, strlen( key2 ),
                       (uchar *) essid, slen,  pmk2 + 20 );
    
            u = (uint *) ( pmk1 + 20 );
            v = (uint *) ( pmk2 + 20 );
            w = (uint *) buffer;
    
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
            *w++ = *u++; *w++ = *v++;
    
            for( i = 1; i < 4096; i++ )
            {
                memcpy( sha1_ctx, ctx_ipad, 40 );
                shammx_data( sha1_ctx, buffer, wrkbuf );
                shammx_ends( sha1_ctx, buffer );
    
                memcpy( sha1_ctx, ctx_opad, 40 );
                shammx_data( sha1_ctx, buffer, wrkbuf );
                shammx_ends( sha1_ctx, buffer );
    
                u = (uint *) ( pmk1 + 20 );
                v = (uint *) ( pmk2 + 20 );
                w = (uint *) buffer;
    
                *u++ ^= *w++; *v++ ^= *w++;
                *u++ ^= *w++; *v++ ^= *w++;
                *u++ ^= *w++; *v++ ^= *w++;
            }
    
    #else
    
            /* not x86, use the generic SHA-1 C code */
    
            calc_pmk( key1, essid, pmk1 );
            calc_pmk( key2, essid, pmk2 );
    
    #endif
    
            /* send the passphrase & master keys */
    
            if( safe_write( cm_pipe[cid][1], (void *) key1, 128 ) != 128 ||
                safe_write( cm_pipe[cid][1], (void *) key2, 128 ) != 128 ||
                safe_write( cm_pipe[cid][1], (void *) pmk1,  32 ) !=  32 ||
                safe_write( cm_pipe[cid][1], (void *) pmk2,  32 ) !=  32 )
            {
                perror( "write pmk failed" );
                kill( 0, SIGTERM );
                _exit( FAILURE );
            }
        }
    }



    So, when I tried for myself to crack my PSK protocol encryption using aircrack, for example, it was not able to attack this encryption type.

    :|

    you'll see:

    PSK and WEP components are "redundant" code encryption like RC4 and old RC2 for the Infineon SiCrypt-based smart card, and include polyinterpolation for SHA-1 mounted on 128-bit base chars; the text is OK, but in the source code there exist NO marks for this decrypt phase.


    So I implemented that for myself, and the result is a non-linear base cryptography; how am I able to decrypt that in efficient time?


    Easy: I took the John cracker source and combined aircrack (IVS compatible) with my own development of smart card RC2/RC4 cracking code, and I am able to pretend to decrypt that.


    Good post, I seriously think about writing the anti-post for this.




    greetz



    AzRaEL
    [NuKE] high council
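What the posted calc_pmk / hmac_sha1 loops compute is the WPA-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, truncated to 256 bits. The block below is an added Python example (not aircrack's code) that spells the derivation out the same way and cross-checks it against the standard library; the 4096 rounds are the only work factor, so the length and unpredictability of the passphrase is what actually protects a WPA-PSK network.

```python
import hashlib
import hmac

PMK_LEN = 32          # the Pairwise Master Key is 256 bits
PBKDF2_ROUNDS = 4096  # iteration count fixed by 802.11i for WPA-PSK


def passphrase_problem(passphrase):
    """Return why a passphrase is invalid under 802.11i, or None if it is fine."""
    if not 8 <= len(passphrase) <= 63:
        return "length must be 8-63 characters"
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        return "only printable ASCII is allowed"
    return None


def pmk_manual(passphrase, ssid):
    """PBKDF2-HMAC-SHA1 spelled out the way calc_pmk does it: two 20-byte blocks
    (salt || INT(1) and salt || INT(2)), each HMAC'd 4096 times with the results
    XORed together, then truncated to 32 bytes."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    key, salt = passphrase.encode("ascii"), ssid.encode("utf-8")
    out = b""
    for block_index in (1, 2):
        # INT(i) is a 4-byte big-endian counter, which is why the posted code
        # widens the ESSID buffer by 4 and writes '\1' or '\2' into the last byte
        u = hmac.new(key, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        acc = bytearray(u)
        for _ in range(PBKDF2_ROUNDS - 1):
            u = hmac.new(key, u, hashlib.sha1).digest()
            acc = bytearray(a ^ b for a, b in zip(acc, u))
        out += bytes(acc)
    return out[:PMK_LEN]


def pmk_stdlib(passphrase, ssid):
    """The same derivation through the standard library, for cross-checking."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(pmk_manual("password", "IEEE").hex())
```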

  7. #27
    Junior Member
    Join Date
    Aug 2006
    Posts
    1
    I want to try and offer somewhat of a conclusion on the SSID discussion. By no means am I an expert, but when I paid more attention to the progression of wireless security, this is what I came across.

    Even if SSID broadcast is disabled in the AP, it's still transmitted for legitimate network traffic. When a legitimate user initializes a connection with the AP, they send the SSID in plain text; after all, how else will the AP know someone is talking to it? It gets transmitted in plain text because the request/response takes place before encryption is initialized. If a user sends a probe request that's encrypted, how would the AP know how to decrypt it if they haven't talked before? Sorry, I don't know all the technical details of how it works, but that's my understanding of how disabling SSID broadcast is still not an effective security measure by itself. Security through obscurity has never worked, and it's amazing how many people still think disabling SSID broadcast and using WEP makes them "secure". I'm glad to see that it's very clear in this thread that these are not good solutions.
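The join sequence from post #23 and the point made just above (the SSID travels in the clear before any key exists) in code: an added Python example, not from the thread, that builds and decodes minimal 802.11 management frames. The frames are constructed, not captured; build_mgmt is a hypothetical helper, and the addresses and SSID "HomeNet" are made up. An AP with SSID broadcast disabled blanks only its beacon; the probe request, probe response and association request still carry the name.

```python
import struct

SSID_IE = 0  # element ID of the SSID information element
# Management subtypes that appear in the join sequence described above
MGMT_SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon", 11: "auth"}
# Fixed fields that precede the tagged parameters in each frame body
FIXED_BODY_LEN = {"beacon": 12, "probe-resp": 12, "assoc-req": 4, "auth": 6}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, sa, da, bssid, ies, fixed=b""):
    """Assemble a minimal 802.11 management frame (hypothetical helper)."""
    # Frame control (version 0, type 0 = management, subtype in bits 4-7),
    # duration, addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control
    header = struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + b"\x00\x00"
    tagged = b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return header + fixed + tagged


def parse_mgmt(frame):
    """Decode subtype, sender, BSSID and the SSID element of a management frame."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    name = MGMT_SUBTYPES.get((fc >> 4) & 0xF, "other")
    sa, bssid = frame[10:16], frame[16:22]
    pos = 24 + FIXED_BODY_LEN.get(name, 0)
    ies = {}
    while pos + 2 <= len(frame):  # walk the tagged parameters (ID, length, value)
        tag, length = frame[pos], frame[pos + 1]
        ies[tag] = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
    ssid = ies.get(SSID_IE)
    return {"subtype": name, "sa": mac_str(sa), "bssid": mac_str(bssid),
            "ssid": None if ssid is None else ssid.decode("utf-8", "replace")}


def ssids_on_air(frames):
    """Every non-empty SSID a passive listener would read, with its frame subtype."""
    return [(r["subtype"], r["ssid"]) for r in map(parse_mgmt, frames) if r["ssid"]]


# Constructed sample frames (not captured traffic). The AP has SSID broadcast
# disabled, so its beacon carries a zero-length SSID; the client's probe request,
# the probe response and the association request still carry "HomeNet".
AP, CLIENT, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLE_FRAMES = [
    build_mgmt(8, AP, BCAST, AP, [(SSID_IE, b"")], fixed=b"\x00" * 12),
    build_mgmt(4, CLIENT, BCAST, BCAST, [(SSID_IE, b"HomeNet")]),
    build_mgmt(5, AP, CLIENT, AP, [(SSID_IE, b"HomeNet")], fixed=b"\x00" * 12),
    build_mgmt(0, CLIENT, AP, AP, [(SSID_IE, b"HomeNet")], fixed=b"\x00" * 4),
]
```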

  8. #28
    Member
    Join Date
    Dec 2006
    Posts
    33
    http://www.wardriving.com/

    Has some good information on wireless networking and cracking WEP. Think it hasn't been updated recently though.

  9. #29
    While I understand most of this (I love wifi), I think that hiding the SSID is pointless; in fact I have a great PDF on it that I will be happy to post. It's public domain if I remember correctly and goes into great depth about it. My question though is where does WPA2 fit into all of this? It kind of came out of left field. WPA supports 802.11i as well as AES and TKIP. WPA2 supports 802.11i and AES. So what can WPA2 do that WPA can't? What was the purpose of its creation? My wrt54g has the ability to use it, but with the wrt54g already set up to use WPA AES PSK and some tweaking to its broadcast power, I fail to see how WPA2 would make it any more secure. Here is a link to info on wpa2; if I'm missing something please fill me in. -TheX1le

    Edit: a bit more research turned up the answer to my question.

    "Let's start by looking at what is not different. First, WPA2 and 802.11i are the same. WPA2 is the name used by the Wi-Fi Alliance, whereas 802.11i is the name given to the standard by the IEEE. You may also see the term RSN, Robust Security Network, which is part of WPA2/802.11i but is often used interchangeably.

    Second, WPA and WPA2 can use the same authentication methods, because they are all EAP based. EAP stands for Extensible Authentication Protocol and, as the name suggests, many different protocols can be built on top of EAP. So both EAP/TLS as well as EAP/PEAP-MSCHAPV2 will work both for WPA and for WPA2.

    A key difference between WPA and WPA2 is the underlying encryption method. For WPA this is TKIP/RC4, for WPA2 this is CCMP/AES. AES is the Advanced Encryption Standard and is used by the US Department of Defence as a replacement for older encryption standards. It is very secure. AES can be used in several modes - CCMP is the mode used by WPA2. You will see both terms used interchangeably.

    RC4 is the cypher on which the older WEP standard is based (to be consistent we should call it WEP/RC4 here, WEP being the way the RC4 cypher is used). RC4 has some key vulnerabilities that make it difficult to design secure encryption using that cypher. It is these vulnerabilities that led to the demise of WEP/RC4... so how can a TKIP/RC4 be secure? Because TKIP uses the RC4 cypher in such a way that the vulnerabilities that are in the cypher do not materialize. So even though WEP/RC4 ("WEP") and TKIP/RC4 ("WPA") are based on the same underlying cypher, one is considered secure and the other is not.

    Having said that, the new CCMP/AES is preferable over TKIP/RC4. Also note that you will not normally see the term RC4 being used in access points or wireless software." The text in quotes is not my words. My only problem with this is that, running stock firmware, my wrt54g can use AES. So I don't see much of a difference.
    Last edited by TheX1le; December 12th, 2006 at 02:08 AM.
    ...."Cant stop the signal Mel, Every thing goes some where and i go every where."...... "From here to the eyes and the ears of the verse, thats my motto or might be if i start having a motto" - Mr. Universe "Serenity"
