Sniffing on Wireless LANs
Basic concept of wireless LAN
• A type of local area network.
• Uses high-frequency radio waves (RF).
• Speed: 2 Mbps to 54 Mbps.
• Range: 100 feet to several miles.
• Standardized as IEEE 802.11.
• Access Point (AP)
– Serves as a “hub” for wireless clients.
– Bridges the wired and wireless LANs.
– Similar to a base station used for a cellular
• Ad Hoc Mode
– Client to client communication
• Infrastructure mode
– Connect to AP
• BSS (Basic Service Set)
– The set of clients and AP which have
recognized each other and have established
• SSID or BSSID
– SSID: service set identifier (the network name).
– BSSID: basic service set identifier (the MAC address of the AP).
• ESS (extended services set)
– Series of overlapping BSS connected by a
[Figure: 802.11b channel layout in the 2.4 GHz band. Channels 1 to 11 overlap with their neighbours; channels 1, 6 and 11 are drawn on the same row because they do not overlap with each other.]
• Originally, WarDriving meant crackers driving
around in a car equipped with wireless gear,
looking for unsecured wireless networks in order
to gain illicit access.
• Over time, the term has evolved to include
harmless types who simply check on the
• What is needed for war driving
– A device that is
• capable of receiving 802.11b signals, and
• capable of moving around (e.g. a laptop in a car).
– Software that will log data from the device.
• Over time, you can build up a database of
network names, signal strengths, locations, and
the IP address ranges / namespaces in use.
• PISA tried war driving in Hong Kong on
(See: http://www.pisa.org.hk/event/wlan_workshop.ppt )
• Their findings
– Discovered 187 access points with antenna (52
– WEP enabled: 43 (23%)
– WEP disabled: 144 (77%)
• The Wired Equivalent Privacy (WEP) protocol is
used in 802.11 networks to protect link-level data
during wireless transmission.
• WEP relies on a secret key k shared
between the communicating parties.
• It is optional
– which means some users may never turn it on.
– Compute an integrity checksum c(M) on the
– Concatenate the two to obtain the plaintext
P = <M, c(M)>
– Choose an initialization vector (IV) v.
– The RC4 algorithm generates a keystream RC4(v, k):
• a long sequence of pseudorandom bytes,
• a function of v and k.
– Exclusive-OR the plaintext with the keystream
to obtain the ciphertext:
C = P ⊕ RC4(v, k)
– Transmit the IV (in the clear) and the ciphertext over the
Weakness of WEP
• Presented in the paper
– Scott Fluhrer, Itsik Mantin, and Adi Shamir,
“Weaknesses in the Key Scheduling Algorithm
• Invariance weakness
– Existence of a large class of weak keys.
• IV weakness
– Related key vulnerability
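The WEP steps above (P = <M, c(M)>, C = P ⊕ RC4(v, k), IV sent in the clear) and the most basic consequence of the IV being short and reused, carried through in code. This is an added example, not code from the lecture, from the Fluhrer–Mantin–Shamir paper or from AirSnort, and it does not implement their key-recovery attack; it shows the simpler fact that two frames sent under the same IV share one RC4 keystream, so a single guessable frame lets an attacker read the other one without ever learning k. The key, IV and frame contents are constructed sample values, and all function names are this example's own.

```python
"""WEP-style frame encryption with RC4, and what IV reuse leaks.
Added example for the lecture notes; not code from the original page."""
import struct
import zlib

# Constructed sample values: a 40-bit shared key k and one 24-bit IV v.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
# Constructed frames: one whose contents an attacker can guess (a fixed
# protocol header is typical), and one carrying something secret.
M_KNOWN = b"AA AA 03 00 00 00 08 06 ARP"
M_SECRET = b"password=hunter2"


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream: key scheduling (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA: emit pseudorandom bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def icv(m: bytes) -> bytes:
    """c(M): WEP's integrity check value is the CRC-32 of M, little-endian."""
    return struct.pack("<I", zlib.crc32(m) & 0xFFFFFFFF)


def wep_encrypt(k: bytes, v: bytes, m: bytes):
    """P = <M, c(M)>; C = P xor RC4(v || k).  The frame carries (v, C)."""
    if len(v) != 3:
        raise ValueError("WEP IV is 24 bits")
    p = m + icv(m)
    return v, xor_bytes(p, rc4_keystream(v + k, len(p)))


def wep_decrypt(k: bytes, v: bytes, c: bytes):
    """Regenerate the keystream from the cleartext IV and k, strip and check c(M).
    Returns (M, checksum_ok)."""
    p = xor_bytes(c, rc4_keystream(v + k, len(c)))
    m, tag = p[:-4], p[-4:]
    return m, tag == icv(m)


def recover_without_key(v: bytes, c_known: bytes, m_known: bytes, c_target: bytes):
    """IV reuse: every frame sent under the same v is XORed with the same
    RC4(v || k).  Knowing one frame's plaintext gives the keystream
    (C_known xor <M_known, c(M_known)>), which then strips any other frame
    encrypted under that IV.  k is never needed."""
    ks = xor_bytes(c_known, m_known + icv(m_known))
    if len(c_target) > len(ks):
        raise ValueError("target frame longer than the recovered keystream")
    return xor_bytes(c_target, ks[:len(c_target)])[:-4]


if __name__ == "__main__":
    _, c1 = wep_encrypt(KEY, IV, M_KNOWN)
    _, c2 = wep_encrypt(KEY, IV, M_SECRET)          # same IV reused
    print("legit decrypt :", wep_decrypt(KEY, IV, c2))
    print("attacker      :", recover_without_key(IV, c1, M_KNOWN, c2))
```

With a 24-bit IV the sender runs out of fresh values after 2^24 frames, and many early drivers reset the IV to zero on start-up, so same-IV frame pairs are not hard to find in practice; this is why attacks that need many frames (including AirSnort's) are a matter of patience rather than of breaking RC4 itself.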
• Open-source implementations of the attack
are now widely available.
• One of the best-known programs is
AirSnort (http://airsnort.shmoo.com/ ).
• Key recovery with AirSnort takes only a
few seconds once enough weakly-encrypted
frames are gathered.
• Our TAs have tried this package before. It
took about half a day to collect enough packets
to break the key.
[Screenshot of AirSnort running]
• The 802.11 working group is now working on
new encryption schemes. Some possible
methods include:
• Per-port user authentication
• Use VPN for the wireless connection
– Encryption with IPSec or PPTP
[Figure: layered view of a VPN over the wireless link. The wireless client and the hosts on the Local Area Network of your organization both carry the Transport (TCP, UDP) and Network (IP) layers end to end; the client side uses an 802.11b link and physical layer, the LAN side uses Ethernet, and a router joins the two.]