Saturday, June 16, 2012

Vendor Information & WEP's Weakness

Wired Equivalent Privacy (WEP) is the encryption scheme the original 802.11 standard specified to protect wireless transmissions. The name turned out to be misguided: WEP never delivered privacy equivalent to a wired segment, although it is still better than no encryption at all. Part of the problem is key management. WEP uses a static pre-shared key (PSK) that every station on the network shares, and rotating it means reconfiguring the access point (AP) and every client by hand, so in practice the same key stays in use for months and is exposed to everyone who ever had it. The deeper problem is the cipher construction. Each frame is encrypted with RC4, seeded by a 24-bit initialization vector (IV) concatenated with the secret key (40 bits for so-called 64-bit WEP, 104 bits for 128-bit WEP); the resulting RC4 keystream, not the key itself, is XORed with the frame payload and its CRC-32 integrity check value. The IV is transmitted in the clear, so only 40 (or 104) bits are actually secret, and with only 2^24 possible IVs a busy AP repeats them within hours (many cards also reset the IV to zero on initialization). A repeated IV means a repeated keystream: XORing two frames encrypted under the same IV cancels the keystream and leaves the XOR of the two plaintexts, and a single frame with guessable content (an ARP request, for example) hands the attacker the whole keystream for that IV. Worse, RC4 keyed with a known IV prefix leaks information about the secret key, which is what the FMS attack and the later PTW attack exploit to recover the key itself from tens of thousands of captured frames, in minutes and with little effort.
In practice the attack is run with the aircrack-ng suite on a distribution such as BackTrack. The card is put into monitor mode, airodump-ng records frames from the target BSSID, aireplay-ng fake-authenticates a chosen (spoofed) MAC address to the AP and then replays captured ARP requests so the AP generates a flood of fresh IVs, and the capture is fed to aircrack-ng, which recovers the key statistically once enough IVs have been collected. Note that a "four-way handshake" belongs to WPA/WPA2, not WEP; against WEP there is no handshake to capture, the key falls out of the IV statistics. Once the key is known the attacker joins like any other client. The guidance after these weaknesses were published was to use open rather than shared-key authentication (shared-key authentication hands the attacker a plaintext/ciphertext pair in the challenge exchange) and to treat the wireless link as untrusted by tunnelling traffic over IPsec. Stop-gap variants also appeared: WEP2 (a proposal for longer keys and IVs that was never widely deployed), WEPplus (Agere's filtering of the "weak" IVs used by the FMS attack, which only helps if every station implements it) and Dynamic WEP (per-session keys distributed over 802.1X, which limits how long any one key is exposed). The real replacements are Wi-Fi Protected Access (WPA) and WPA2. WPA kept RC4 but wrapped it in TKIP, which adds per-packet key mixing, a 48-bit sequence counter in place of the 24-bit IV and the Michael message integrity check, and was designed to ship as a firmware upgrade for existing WEP hardware. WPA2 replaced RC4 altogether with AES in CCMP mode and is the one still considered sound. The trade-off is hardware: AES-CCMP needs hardware support, so moving to WPA2 typically meant replacing older adapters and access points.
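The two paragraphs above describe WEP's construction (RC4 seeded with IV || key, keystream XORed over payload plus CRC-32) and the reason captured frames are enough to break it. The following Python is an added example, not code from the original post or from aircrack-ng: it implements WEP encapsulation from scratch, then shows the keystream-reuse attack, where one frame with known content (a constructed ARP request) yields the keystream for its IV and a second frame sent under the same IV is decrypted without ever learning the key. The 40-bit key, the IV and both frame payloads are constructed for the demonstration; the little-endian byte order of the ICV is an assumption made for the example.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling plus PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the payload. Byte order is
    assumed little-endian for this example. CRC-32 is linear, so it is a
    checksum, not a message authentication code."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation of one frame body.

    The 24-bit IV is prepended to the 40-bit (or 104-bit) secret key to seed
    RC4; the keystream is XORed over plaintext || ICV. The IV travels in the
    clear at the front of the frame, so only the key's 40 (or 104) bits are
    secret, not the 64 (or 128) the marketing names suggest.
    """
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 5 or 13 bytes")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: regenerate the keystream from IV || key."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data


def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple:
    """Known-plaintext step: if the attacker knows what one frame contained
    (an ARP request has a fixed, guessable layout), XORing it back out of the
    ciphertext yields the RC4 keystream for that frame's IV. No key needed."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known_plaintext + icv(known_plaintext))


def decrypt_reused_iv(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV used the same keystream, so it
    decrypts with the recovered keystream alone (up to its length)."""
    if frame[:3] != iv:
        raise ValueError("frame uses a different IV")
    body = frame[3:]
    if len(body) > len(keystream):
        raise ValueError("not enough recovered keystream for this frame")
    plain = xor(body, keystream)
    if icv(plain[:-4]) != plain[-4:]:
        raise ValueError("ICV mismatch")
    return plain[:-4]


def demo() -> bytes:
    """Constructed scenario: the AP reuses IV A1B2C3 for two frames."""
    key = bytes.fromhex("0102030405")                    # constructed 40-bit key
    iv = bytes.fromhex("A1B2C3")                         # 24-bit IV, sent in clear
    arp = b"ARP who-has 192.168.1.1 tell 192.168.1.50"   # guessable content
    secret = b"GET /admin HTTP/1.0"                      # what the attacker wants
    f1 = wep_encrypt(key, iv, arp)
    f2 = wep_encrypt(key, iv, secret)                    # same IV -> same keystream
    iv_seen, ks = recover_keystream(f1, arp)             # needs only f1 + its content
    return decrypt_reused_iv(f2, iv_seen, ks)            # reads f2 without the key


if __name__ == "__main__":
    print(demo())
```

The recovered keystream is only as long as the known frame, which is why attackers prefer to learn the plaintext of large frames or to stretch a short keystream by tricking the AP into encrypting chosen data. Recovering the key itself, as aircrack-ng does, goes one step further and uses the statistical bias of RC4 under known IV prefixes, which this example does not implement.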
Part of the lab assignment required the use of a wireless scanner to discover the wireless access points in the vicinity of the scanner. Using NetStumbler, I found that 16 wireless access points surrounded my network. All but one Service Set ID (SSID) had been changed from factory settings, and that lone access point was left unsecured. Eight of the sixteen enabled WPA2-PSK, which is the strongest home encryption on the market to date. Six used WEP for encryption and two remained unencrypted.
A Media Access Control (MAC) address has two main parts: the Organizationally Unique Identifier (OUI), the first 24 bits, which the IEEE assigns to a vendor, and the remaining 24 bits, which the vendor assigns to the individual network interface card. The OUI is the interesting half, because it exposes the vendor. One MAC address on my network began with 4025C2, indicating a laptop or desktop from Intel Corporation. Intel makes processors, most of which end up in systems running Windows. A known-good MAC address is also useful to spoof: if the AP filters clients by MAC address, or an ARP table already lists that address, presenting it would get an attacker through unless other controls are in place. The second MAC address, 00259C, confirmed a Cisco-Linksys device was in use, most likely a router with an embedded OS. The third MAC, 002129, belonged to a Cisco-Linksys device as well. If these Cisco devices were not secured, I could use the default username and password configured by the manufacturer, such as admin:admin, at the web management interface. Knowing the vendor also tells you the likelihood of a specific port being open on a router, since each vendor ships default configurations that a hacker can take advantage of.
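The paragraph above splits a MAC address into its vendor (OUI) and device halves and uses the OUI to identify the hardware. The following Python is an added example, not code from the original post or from NetStumbler: it normalizes the address formats a scanner or switch might print, extracts the OUI, looks it up in a small constructed table, and also checks the two flag bits of the first octet, which the paragraph does not mention but a practitioner relies on. The locally-administered bit tells you the address was set in software rather than burned in, so a vendor lookup on it is meaningless and the address may well be spoofed. The OUI table is constructed for the example and contains only the three prefixes the write-up reports, labelled as the write-up labels them; a real tool would load the IEEE registry.

```python
import re

# Constructed OUI table for this example. The three prefixes are the ones the
# write-up above reports seeing, with the vendors it assigns to them; a real
# tool would load the IEEE MA-L registry instead of a hand-written dict.
OUI_TABLE = {
    "40:25:C2": "Intel Corporation",
    "00:25:9C": "Cisco-Linksys, LLC",
    "00:21:29": "Cisco-Linksys, LLC",
}


def normalize_mac(mac: str) -> str:
    """Accept 40:25:c2:11:22:33, 40-25-C2-11-22-33, 4025.c211.2233 (Cisco
    style) or 4025C2112233 and return the canonical upper-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_mac(mac: str) -> tuple:
    """Return (OUI, NIC-specific part): the first 24 bits identify the
    registered vendor, the last 24 are assigned by that vendor to the card."""
    canon = normalize_mac(mac)
    return canon[:8], canon[9:]


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_multicast(mac: str) -> bool:
    """I/G bit, the least-significant bit of the first octet: 1 = group
    (multicast/broadcast) address, never a real station."""
    return bool(first_octet(mac) & 0x01)


def is_locally_administered(mac: str) -> bool:
    """U/L bit, the second-least-significant bit of the first octet: 1 means
    the address was assigned by software or an administrator, not by the
    vendor, so the OUI half carries no vendor information."""
    return bool(first_octet(mac) & 0x02)


def lookup_vendor(mac: str, table=OUI_TABLE):
    """Vendor for a globally unique address, or None if the OUI is unknown
    or the address is locally administered (and therefore possibly spoofed)."""
    if is_locally_administered(mac):
        return None
    oui, _ = split_mac(mac)
    return table.get(oui)


def describe(mac: str, table=OUI_TABLE) -> dict:
    """Everything a passive scanner can infer from the address alone."""
    oui, nic = split_mac(mac)
    return {
        "mac": normalize_mac(mac),
        "oui": oui,
        "nic": nic,
        "multicast": is_multicast(mac),
        "locally_administered": is_locally_administered(mac),
        "vendor": lookup_vendor(mac, table),
    }


if __name__ == "__main__":
    # Constructed sample addresses: an Intel client, a Linksys router written
    # Cisco-style, and a locally administered address that copies a Linksys OUI.
    for sample in ("40:25:c2:1a:2b:3c", "0025.9c1a.2b3c", "02:25:9C:1A:2B:3C"):
        print(describe(sample))
```

The U/L bit is a hint, not proof: an attacker who wants to pass a MAC filter copies the victim's address bit for bit, so a spoofed address can look perfectly vendor-assigned. It does catch the common case of randomized or hand-set addresses, which is worth flagging when you triage a scan.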
