5 posts tagged 'WiFi'

  1. 2012.01.04 WiFi Protected Setup PIN brute force vulnerability
  2. 2011.04.19 RawCap, a Windows command-line packet sniffer
  3. 2010.11.11 Android Packet Sniffer Android-Arts
2012.01.04 20:21

WiFi Protected Setup PIN brute force vulnerability

Overview

The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

I. Description

WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called "external registrar" that only requires the router's PIN. By design this method is susceptible to brute force attacks against the PIN.

When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3, which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.
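
The arithmetic above and the effect of a lock-out policy can be checked with a short model. This is an added example, not part of the original advisory; the checksum routine is the publicly documented WPS PIN checksum, and the per-attempt time and lock-out settings are assumed values chosen only to compare policies.

```python
# Added example: sizes the PIN search space and the effect of a lock-out policy.
# Timing and lock-out parameters are assumptions, not measurements from the advisory.

def wps_checksum(first7: int) -> int:
    """Checksum digit that the WPS PIN scheme derives from the first 7 digits."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])

def worst_case_attempts(model: str) -> int:
    """Guesses needed to cover the whole space under each model."""
    if model == "naive":          # 8 independent digits
        return 10**8
    if model == "checksum":       # digit 8 is derived, 7 digits remain
        return 10**7
    if model == "split":          # first half confirmed separately: 4 digits, then 3
        return 10**4 + 10**3
    raise ValueError(model)

def worst_case_seconds(attempts, secs_per_attempt, lock_after=None, lock_seconds=0):
    """Time to exhaust `attempts` guesses when the AP locks WPS for
    lock_seconds after every lock_after failures (None = no lock-out)."""
    total = attempts * secs_per_attempt
    if lock_after:
        total += ((attempts - 1) // lock_after) * lock_seconds
    return total

if __name__ == "__main__":
    n = worst_case_attempts("split")
    for label, policy in [("no lock-out", {}),
                          ("60 s after 3 failures", {"lock_after": 3, "lock_seconds": 60}),
                          ("1 h after 3 failures", {"lock_after": 3, "lock_seconds": 3600})]:
        days = worst_case_seconds(n, 2.0, **policy) / 86400
        print(f"{label:24s} {n} attempts, about {days:.1f} days")
```

With the assumed 2 seconds per attempt, the full 11,000-attempt space takes hours without a lock-out and months with a one-hour lock after every three failures, which is why the missing lock-out policy matters.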

II. Impact

An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

III. Solution

We are currently unaware of a practical solution to this problem.

Workarounds
Disable WPS. 

Although the following will not mitigate this specific vulnerability, best practices also recommend only using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network.

Vendor Information

Vendor    Status    Date Notified    Date Updated
Belkin, Inc. Affected 2011-12-27
Buffalo Inc Affected 2011-12-27
D-Link Systems, Inc. Affected 2011-12-05 2011-12-27
Linksys (A division of Cisco Systems) Affected 2011-12-05 2011-12-27
Netgear, Inc. Affected 2011-12-05 2011-12-27
Technicolor Affected 2011-12-27
TP-Link Affected 2011-12-27
ZyXEL Affected 2011-12-27

References

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
http://www.wi-fi.org/wifi-protected-setup/
http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/

Credit

Thanks to Stefan Viehböck for reporting this vulnerability.

This document was written by Jared Allar.


2011.04.19 11:01

RawCap, a Windows command-line packet sniffer

RawCap is a free command line network sniffer for Windows that uses raw sockets.


Properties of RawCap:

  • Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
  • RawCap.exe is just 17 kB
  • No external libraries or DLLs needed other than .NET Framework 2.0
  • No installation required, just download RawCap.exe and sniff
  • Can sniff most interface types, including WiFi and PPP interfaces
  • Minimal memory and CPU load
  • Reliable and simple to use 


Usage

You will need to have administrator privileges to run RawCap.

F:\Tools>RawCap.exe --help
NETRESEC RawCap version 0.1.2.0
http://www.netresec.com

Usage: RawCap.exe <interface_nr> <target_pcap_file>

 0.     IP        : 192.168.0.17
        NIC Name  : Local Area Connection
        NIC Type  : Ethernet

 1.     IP        : 192.168.0.47
        NIC Name  : Wireless Network Connection
        NIC Type  : Wireless80211

 2.     IP        : 90.130.211.54
        NIC Name  : 3G UMTS Internet
        NIC Type  : Ppp

 3.     IP        : 192.168.111.1
        NIC Name  : VMware Network Adapter VMnet1
        NIC Type  : Ethernet

 4.     IP        : 192.168.222.1
        NIC Name  : VMware Network Adapter VMnet2
        NIC Type  : Ethernet

 5.     IP        : 127.0.0.1
        NIC Name  : Loopback Pseudo-Interface
        NIC Type  : Loopback

Example: RawCap.exe 0 dumpfile.pcap

An alternative to supplying the interface number is to supply the IP address of the preferred interface instead, like this:

RawCap.exe 192.168.0.17 dumpfile.pcap

Interactive Console Dialog

You can also start RawCap without any arguments, which leaves you with an interactive dialog:

F:\Tools>RawCap.exe
Network interfaces:
0.     192.168.0.17    Local Area Connection
1.     192.168.0.47    Wireless Network Connection
2.     90.130.211.54   3G UMTS Internet
3.     192.168.111.1   VMware Network Adapter VMnet1
4.     192.168.222.1   VMware Network Adapter VMnet2
5.     127.0.0.1       Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP : 192.168.0.47
File        : dumpfile.pcap
Packets     : 1337

Raw sockets limitations in Vista and Win7

Due to current limitations in the raw sockets implementations for Windows Vista and Windows 7 we suggest running RawCap on Windows XP. The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista).

Download RawCap

You can download RawCap.exe here.


2010.11.11 19:32

Android Packet Sniffer Android-Arts

Android packet sniffer is an app that lets you capture and display WiFi and Bluetooth traffic
on the Android phone.
 
This APP is for ROOTED PHONES ONLY.
You have to be root on your phone, and have the "su" command installed.
 
App install process:

This app is based on the tcpdump package, which therefore has to be installed manually.

1. Download and install the PacketSniffer app from the market or from the following direct link.
2. Copy the precompiled tcpdump file to the "/data" directory on your phone:
            -    First make sure your "/data" directory has READ and WRITE privileges. If not, use: "chmod 777 /data"
            -    To copy with ADB, use the following command: "adb push c:\locationOfTheTcpdumpFile /data"
            -    If you don't have ADB, you can copy the tcpdump file to the SD card and run: "cat /sdcard/tcpdump > /data/tcpdump"
3. Give the tcpdump file read, write and exec privileges: "chmod 777 /data/tcpdump"

That's it, you are ready to go.



The main layout of the app allows you to start a WiFi or Bluetooth traffic capture service.
This means that you can close the app and the capture will continue until you deactivate it.
Before you start capturing, you can pick whether to save the captured data to a local SQL DB on the device
or to a file on the SD card.

When you have captured enough data, you can use the Statistic Analysis or the Statistic Advanced layouts
to analyse the data you have captured by performing various searches on the packets.


Here are a few examples of packets captured by the application:



 
If you have any suggestions or remarks regarding the application
feel free to contact me via mail:   vadimnetworks@gmail.com
or leave a remark on the android market.

If you appreciate our work and want to support future developments, you are welcome to place a donation.

Source: http://sites.google.com/site/androidarts
