Just for fun (since I’m a dork), I was looking for a wireless stumbler for Macintosh that supported a GPS unit because I thought it would be interesting to map how many wireless networks there are in my neighborhood (I usually can see 15-30 unique wireless networks from any given point). In my search, I ran across one called kismac that does exactly what I wanted (it even generates the maps for you, so I didn’t need to code something to plot the GPS coordinates on a map):
I download it and start playing around with it. It turns out it also has security testing functions within it (although I would guess that most of the people using the cracking functions are just trying to gain access to "secured” networks… which is beside the point I suppose).
Anyway, so I start monkeying around with those functions to see if I could learn something about WEP encryption on my own 2 wireless networks (I have a Linksys WRT54G and an Apple Airport Express which I use for beaming iTunes music to the living room stereo), both are currently secured with 128-bit wireless security and I did not change anything in them for the purpose of this video. My "word list” is just the standard dictionary word list that comes with most any UNIX distribution (like Mac OS X) and resides in/usr/share/dict/.
So here’s the scary part, from the time it started scanning for wireless networks to the time I was able to crack both wireless network keys (which is all you need to gain access to the wireless network), it took right around 60 seconds. Check out this video…
Okay, so what just happened here? I just cracked my two 128-bit wireless networks in roughly 60 seconds from start to finish.
Even as a relatively knowledgeable tech guy, this seems like utter insanity to me. Okay, obviously I didn’t have some crazy, ultra-secure password for my networks, but I would guess 90% of all the wireless network passwords out there are based on simple (easy to remember) word(s). After doing some reading, an "ultra-secure” password/MD5 seed would be relatively useless anyway… all it would do is force the attacker to spend 10 minutes on it instead of 10 seconds (see this FAQ and this FAQ), all of which is easily done from the kismac Network menu. It doesn’t even matter if you setup your wireless network to be public or not, because kismac can see it even if the base station isn’t showing the SSID publicly.
I’m going to poke around and see how secure RADIUS authentication is for a wireless network, but even if RADIUS is more secure, what normal person is going to have the technical knowledge and an extra few thousand dollars to setup and run a RADIUS server for their wireless network? I’m not even sure if I want to run a wireless network anymore to be honest… or maybe shut them down except for the times I’m actually using them (talk about annoying though).