Frequently Asked Questions About AirSnort

Can I run AirSnort on cardFoo? Why or why not?

Maybe. AirSnort needs cards which can gather raw, unencrypted packets. Currently, this means PrismII cards. There are a number of cards based on this chipset available; see our homepage for a list. Tentative Orinoco support is now available.

Can I compile AirSnort on my Windows/MacOS X/Handspring machine?

Yes and no. MacOS, with its AirPort cards, probably won't be able to support the low-level packet capture. Windows, since it supports the PrismII cards, should in theory be able to do the necessary tricks. However, not being a Windows Guy, I can neither write this driver, nor speculate on its difficulty.

Basically, we would be interested in having AirSnort ported to just about any platform, but we have neither the experience nor time currently to do it ourselves. Anyone who is interested in helping with a port is welcome to contact us, and we will help out in any way we can. Also, I really doubt the Handspring will have AirSnort ported to it for a long time, but you never know.

My card only works in 40 bit mode, but it is PrismII based. Will AirSnort still work?

As neither of us has a 40 bit card, we aren't sure. We've had a few reports of this working, but we haven't been able to verify it for ourselves. Snax says: I don't see why not; all you are doing is sniffing, not trying to associate.

About how long would it take to get the password for a network with AirSnort?

To crack a WEP password, AirSnort needs a certain number of packets with weak keys. Out of the sixteen million keys which can be generated by WEP cards, about nine thousand are weak (for 128 bit encryption). Call these packets with weak keys "interesting." Most passwords can be guessed after about two thousand interesting packets. Some need as few as 1200-1500, others as many as 3500-4000.

To get an idea, assume that your business (it's not very big yet) has four employees, all using the same password. These employees surf the net pretty continuously throughout the day (they're not very good employees). Together they will generate about a million packets a day, of which approximately a hundred and twenty will be interesting, so after sixteen days, the network will almost certainly be cracked.

However, this network is nowhere near being saturated. As networks approach saturation, the capture time approaches a single day. In some situations, different physical networks may use the same passwords. If this could be determined, it would usually reduce the cracking time linearly as well.

We realize that some of our early numbers were much lower than this. The reason for this is simply that we were lucky in our initial tests, and we didn't actually calculate the average amount of time it would take. This can happen in the real world too; the best case and worst case are significantly different from the average case. All of the informal calculations performed here assume the average case. You should too.

What kinds of wireless networks are vulnerable to this attack? Are mis-configured networks alone susceptible?

No, all 802.11b networks with 40/128 bit WEP encryption are vulnerable. As this is a passive attack, nothing can be done to detect that this is being done, either. Some NICs no longer generate IVs that result in a resolved condition. This renders current versions of AirSnort ineffective.

What can I do to secure my networks?

We suggest that you assume that every packet will be readable by the world. Protocols like SSL and SSH are trusted for a good reason; they've both withstood numerous attacks over the years, and emerged (mostly) unscathed. The latest versions of each allow users to protect data, even on totally public channels. This is what's referred to as end-to-end encryption. End-to-end protection measures are fundamentally more resistant to attacks like AirSnort's. Also, make use of RADIUS (or some such) authentication to keep users off your network should they crack your key.

Your code crashes/doesn't work. What's the deal?

A number of bugs have been reported since our initial release. Most of these are fixed in version 0.1.0. If you find any more let us know. If you fix it yourself, send us the patch.

AirSnort is clearly a cracking tool. Why would you release such a thing?

We both have our reasons, but we did agree that it be made public. We felt that the only proper thing to do was to release the project. It is not obvious to the layman or the average administrator how vulnerable 802.11b is to attack. With huge corporations pushing it, it's easy to trust WEP; conversely, it's hard to digest a mathematical paper describing intimate details of encryption algorithms.

Yes, AirSnort can be used as a cracking tool, but it can also be used to settle arguments over the safety of WEP. People with neither the inclination nor the ability to digest the papers about WEP's security can easily wrap their minds around a tool like WEP.

If it took us so little time to write AirSnort, it would take a determined adversary a similarly short amount of time to develop an attacking tool. The only sane assumption to make is that a malicious hacker would have developed a tool like this. The only thing AirSnort does is give the tool to system administrators and script kiddies.

While we are troubled by the fact that script kiddies can get their hands on this tool, we still figure that the benefits of full disclosure outweigh the risks. If you disagree, it's just an academic debate, since we cannot withdraw this program.

Can AirSnort crack 803.2/Bluetooth/Etc. networks?

No.

Can AirSnort be used with X technology to increase its range?

Once I've broken a password, what kind of software can I use to do something evil?

D00d, how could you release this to the public, and not the HaX0R Underground?

No comment.