The Wi-Fi protected setup with which a large majority of new routers ship with enabled by default has a serious flaw opening it up to a brute force attack against the WPS pin. Additional flaws allow for a successful brute force attack in 11,000 attempts. This means the network key of a protected network can be retrieved within hours.
The best course of action right now is to disable WPS if possible. This is not a option on all routers, but the possibility may exist of re-flashing the router’s firmware to a different one such as Open-WRT, DD-WRT, Tomato, etc. to disable it.
CERT’s Release: www.kb.cert.org/vuls/id/723755
Vulnerability Technical Details: sviehb.files.wordpress.com/2011/12/viehb…
Reaver — Functional exploit: code.google.com/p/reaver-wps/
So using the netsh wlan command allows us to manipulate the various properties of a wireless connection. Other potentially cool stuff:
- netsh wlan set tra yes – Enables wireless debug traces in %WINDIR%\tracing\wireless
- netsh wlan
- Creating/moving wireless profiles quickly
There is more, but this is prolly what I need to use when I write a app for a client to view wireless connection status.
The other day, I decided to bring my old “Skynet” device back online. The master came right online, but the drone was having some problems. I worked it out, and it’s all working correctly now. w00t. Just waiting on my N-Female to RP-TNC connector and I will be read to rock with the Yagi.
Also, I noticed that Kismet-Newcore is out which has a lot of nice features. There is also a plugin available called “Lorcon” that allows kismet to inject and sniff 802.11 frames. Sweet! I will compile both on the rother when I get time…
DIY Spectrum Analyzer using the XBee. Pretty simple project if you have the XBee laying around which I do…
Connectify exploits a unfinished feature in Win7 that allows you to create WiFi hotspot via your wireless card and share the traffic thru a LAN connection. COOL!
I finished configuring the routers yesterday. I exported the config for future use. The multi-location setup is as follows:
-Three Physical Sites.
-Intra-site VPN links
-Site 1 — Three Wireless Base Stations (Each with 4 radios conected)
-Site 2 — Two Wireless Base Stations (Each with 4 radios conected)
-Site 3 — Two Wireless Base Stations (Each with 4 radios conected)
-WPA2 Enterprise Authentication
It works well… During a continuous pingtest as I walked through the facility, I found the latency will jump up from ~3ms to ~100ms for one ping packet (I assume as the wireless card transitions to the next radio). The only place any packets were dropped was by the front nurses station, and it was just one or two packets and it began transmitting again.
I need a pigtail so I can connect my Yagi antenna to SkyNet
The Yagi has a N (F) connector and the WRT54GS has a RP-TNC connector. Heres what I ve found so far:
And finally SkyCraft Surplus — a local company here in orlando that is similar to Astro Too
Well the time has come and I have been looking for a new project. I think implementing WPA2 Enterprise complete with a RADIUS backend would be fun not to mention help secure the home network further (currently using WPA2/TKIP).
I’m not sure if I am going to ditch my Tomato firmware on the WRT54G v3 for openWRT or what. I need to see what kind of requirements the freeradius server has.
Some links Ive found so far:
Using RADIUS for WLAN Authentication
I got my powered USB hub in the mail today. Hopefully I can make it power the NSLU2.
After working pretty late last night I finally got all the pieces working for my wardriving setup. I posted about my original idea here, and this is the results of my labor. The premise of this is to avoid having to use a laptop to scan for AP’s.
Now on to the hardware setup…
- Linksys NSLU2 – Reflashed to Openwrt/jffs. This unit has two USB ports; one is used for storage to a memory stick and the other is used for my BU-353 GPS reciever.
- Linksys WRT54GS – Reflashed to OpenWrt/jffs.
The WRT54GS runs the kismet drone and a little script to enable the AP to continuously hop channels searching for AP traffic. All the data is passed to the kismet server on the NSLU2 for processing and/or display.
The NSLU2 is the central piece of the system. It runs the kismet server which receives data from the WRT drone, generates GPS positioning data for the APs, and logs it all to the memory stick.This allows me to easily retrieve the memory stick, read the logs in on a PC, analyze the TCP dumps, and feed the data into GPSDrive for AP waypoint mapping.
Now I just need to find my power invertor and my rig will be complete!
I just got a Globalsat BU-353 GPS Reciever in the mail. Pretty sweet so far, and the plan is to use kismet to create waypoints for gpsdrive to read in later to map out APs My brainstorm:
- WRT54GS Running OpenWRT
This will handle the scanning, sending its results via ethernet
- Linksys USB NAS (has a ethernet port and 2 USB ports). Running OpenWRT
This will handle writing the kismet data to a external HD as well as providing GPS data
I believe I should be able to attach a ext3 USB drive to the nas so it can write directly to the disk from the nas. Then, the wrt router running as a kismet drone sends the scan data back to the NAS and written to the external drive. The NAS would also be running GPSd with my Globalsat GPS attached. Both devices connect directly together via ethernet. The kismet drone will be configured to read the GPS data coming from the NAS on the GPSd port. As long as I can natively write to the attached USB drive on the NAS then I don’t see any thing that should be an issue pulling this off.
I was researching installing a USB port or a SD slot and came up with these interesting link that I will include just for the heck of it.
Whew I almost forgot how much cool stuff is in Sparkfun’s website.