Wireless Security
decrypting WEP/WPA on the fly while sniffing Apr 04 2010 08:55PM
Robin Wood (dninja gmail com) (3 replies)
Re: decrypting WEP/WPA on the fly while sniffing Apr 05 2010 05:53AM
Jose Selvi (jselvi pentester es) (2 replies)
Re: decrypting WEP/WPA on the fly while sniffing Apr 06 2010 09:26AM
Robin Wood (dninja gmail com)
RE: decrypting WEP/WPA on the fly while sniffing Apr 05 2010 07:40PM
Harris, Michael C. (HarrisMC health missouri edu) (1 replies)
Do you have to limit yourself to off the rack Wifi gear?

Has anyone done any sampling and decryption of 802.11 WEP/WPA/WPA2 with software defined radio (SDR) at that 2.4 GHz frequency? I realize the wide bandwidth and high sampling rate are problematic but not insurmountable. SDR chips seem to be on the precipice of being able to span multiple channels today, and in the foreseeable future be able to capture and process the whole allocation at 2.4 GHz.

This gear (http://zone.ni.com/devzone/cda/tut/p/id/6361) comes dangerously close, and a good programmer, better than I am anyway, may be able to pull several adjacent channels or, using multiple boards in a fast enough host, be able to cumulatively "beat the HOP".

Notice that, per http://www.eetindia.co.in/ART_8800553252_1800001_NT_050e574b.HTM, "IMEC's researchers demonstrated SDR base band and analogue front-end chips running video over two simultaneous 2.4-GHz channels at rates approaching 100Mbps."

Is it worth $10,000 or $50,000 to be able to sample all the allocated 802.11 channels from a radio perspective, then sort it out and have a large sample size of data to crack, then decrypt it as a pure software-based process?

Mike

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Jose Selvi
Sent: Monday, April 05, 2010 12:53 AM
To: wifisec (at) securityfocus (dot) com
Subject: Re: decrypting WEP/WPA on the fly while sniffing

Hi,

> Hi
> Are there any wifi sniffing tools that will decrypt different
> encrypted networks on the fly, giving a pcap stream of unencrypted
> data?
>
> For example, there are 2 WEP and 1 WPA APs in the area which I have
> the keys for and there are also a couple of unencrypted APs. I want to
> sniff all the traffic, channel hopping between them, and get an
> unencrypted stream of data out onto an interface which I can then run
> tools like dsniff on.

You can't sniff on several different channels at the same time; this is
the reason for channel hopping when discovering APs. It's just how
wireless card hardware works.

> If it were a single AP then I would just associate with the correct
> key and get the data that way but with multiple and a single card I
> can't do that.

You can try sniffing while channel hopping, but you are going to lose
some data:
http://wiki.wireshark.org/CaptureSetup/WLAN#head-9e776cf879f1ce8a896395cf3df2f5d122e3113f

The more channels you hop between, the more data you are going to lose.

> Is there anything out there to do this? If not, I was thinking it
> could be done either directly in the sniffer or, to enable it to run
> with any current sniffers there could be an app that would take the
> data from the monitor mode interface and for each network decrypt it
> creating a new virtual interface for each network or maybe just
> re-merge the streams back into a new single interface.

Since it's a hardware problem, you can't solve it by software; probably
you could get a USB hub and some USB wireless cards ($10?). If you
configure each USB wireless card to sniff on a different channel,
you're going to be able to sniff all this traffic at the same time.

How many wireless cards? A maximum of 11-14 (depending on where you are:
US, Europe or Japan), but probably 4 will be more than enough, because
APs are usually configured by default for a small set of channels (6 and
11 are the usual channels), and people don't really change it. Maybe you
can buy all the needed hardware for less than $100.

> Where this could be useful is if you are auditing a company with a
> warehouse where the offices are on WPA, the warehouse is on old
> handheld devices so stuck with WEP and they are also running an open
> network for guests. This would let you get an idea of all traffic
> through a single card.
>
> Robin

Good Luck!
Regards.

--
Jose Selvi.
Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN

http://www.pentester.es
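Jose's multi-card setup and Robin's "decrypt with the keys I hold" requirement, as an added example that is not code from anyone in this thread: one Linux monitor-mode capture per USB card, each parked on its own channel, merged afterwards and decrypted by tshark. Interface names, channels, SSIDs and keys are assumed placeholders, and it assumes iw, tcpdump, mergecap and tshark are installed.

```shell
#!/bin/sh
# Added example, not code from the thread: one USB card per channel in monitor
# mode, concurrent captures, merged and decrypted with keys you hold. Interface
# names, channels, SSIDs and keys are assumed placeholders.
set -eu
# Assumed plan, "iface:channel": the common 1/6/11 plus one spare card.
CAPTURE_PLAN="wlan1:1 wlan2:6 wlan3:11 wlan4:3"
# Wireshark 802.11 key rows: "wep","<hex>" or "wpa-pwd","<passphrase>:<ssid>".
KEY_ROWS='"wpa-pwd","OfficePass:CorpOffice"
"wep","0102030405"
"wep","aabbccddee"'
# Reject a plan with a channel outside 1-14 or two cards parked on one channel.
plan_ok() {  # $1=plan
    seen=" "
    for entry in $1; do
        ch=${entry##*:}
        case $ch in [1-9]|1[0-4]) ;; *) return 1 ;; esac
        case $seen in *" $ch "*) return 1 ;; esac
        seen="$seen$ch "
    done
}
# Monitor mode on a fixed channel (Linux iw/ip); one tcpdump per card, pids
# kept in $2/pids so the captures can be stopped together later.
start_captures() {  # $1=plan $2=outdir
    plan_ok "$1" || { echo "bad capture plan: $1" >&2; return 1; }
    for entry in $1; do
        ifc=${entry%%:*}; ch=${entry##*:}
        ip link set "$ifc" down
        iw dev "$ifc" set type monitor
        ip link set "$ifc" up
        iw dev "$ifc" set channel "$ch"
        tcpdump -i "$ifc" -U -w "$2/ch$ch-$ifc.pcap" &
        echo $! >> "$2/pids"
    done
}
# tshark options loading every key row: "-o" and "uat:80211_keys:<row>" on
# separate lines so a newline IFS turns them into separate arguments.
key_opts() {
    printf '%s\n' "$KEY_ROWS" | awk '{print "-o"; print "uat:80211_keys:" $0}'
}
# Merge the per-channel files by timestamp and list IP conversations from the
# decrypted frames. tshark decrypts at dissection time only: -w would write the
# encrypted frames back out, so analyse with tshark rather than expect plaintext.
merge_and_decrypt() {  # $1=outdir $2=merged pcap
    mergecap -w "$2" "$1"/ch*.pcap
    old_ifs=$IFS; IFS='
'
    set -- -r "$2" -o wlan.enable_decryption:TRUE $(key_opts)
    IFS=$old_ifs
    tshark "$@" -q -z conv,ip
}
```

As root, run start_captures "$CAPTURE_PLAN" captures, stop the tcpdumps with kill $(cat captures/pids) when done, then merge_and_decrypt captures merged.pcap; frames from networks whose keys are not in KEY_ROWS stay encrypted in the output.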

Copyright 2010, SecurityFocus