Frequently Asked Questions About AirSnort
Can I run AirSnort on cardFoo? Why or why not?
Maybe. AirSnort needs cards which can gather raw, unencrypted packets.
Currently, this means PrismII cards. A number of cards based
on this chipset are available; see our homepage for a list. Tentative Orinoco
support is now available.
Can I compile AirSnort on my Windows/MacOS X/Handspring machine?
Yes and no. MacOS, with its AirPort cards, probably won't be able to support
the low-level packet capture. Windows, since it supports the PrismII cards,
should in theory be able to do the necessary tricks. However, not being
a Windows Guy, I can neither write this driver, nor speculate on its difficulty.
Basically, we would be interested in having AirSnort ported to just
about any platform, but we have neither the experience nor time currently
to do it ourselves. Anyone who is interested in helping with a port is
welcome to contact us, and we will help out in any way we can. Also, I
really doubt the Handspring will have AirSnort ported to it for a long
time, but you never know.
My card only works in 40 bit mode, but it is PrismII based. Will AirSnort
still work?
As neither of us has a 40 bit card, we aren't sure. We've had a few reports
of this working, but we haven't been able to verify it for ourselves. Snax
says: I don't see why not, all you are doing is sniffing, not trying to
associate.
About how long would it take to get the password for a network with AirSnort?
To crack a WEP password, AirSnort needs a certain number of packets with
weak keys. Out of the sixteen million keys which can be generated by WEP
cards, about nine thousand are weak (for 128 bit encryption). Call these
packets with weak keys "interesting." Most passwords can be guessed
after about two thousand interesting packets. Some take as few as 1200-1500,
others as many as 3500-4000.
To get an idea, assume that your business (it's not very big yet) has
four employees, all using the same password. These employees surf the net
pretty continuously throughout the day (they're not very good employees.)
Together they will generate about a million packets a day, of which
approximately a hundred and twenty are interesting, so after sixteen
days the network will almost certainly be cracked.
However, this network is nowhere near being saturated. As networks approach
saturation, the capture time approaches a single day. In some situations,
different physical networks may use the same passwords. If this could be
determined, this would usually linearly diminish the cracking time also.
We realize that some of our early numbers were much lower than this.
The reason for this is simply that we were lucky in our initial tests,
and we didn't actually calculate the average amount of time it would take.
This can happen in the real world too; the best case and worst case are
significantly different from the average case. All of the informal calculations
performed here assume the average case. You should too.
What kinds of wireless networks are vulnerable to this attack? Are mis-configured
networks alone susceptible?
No, all 802.11b networks with 40/128 bit WEP encryption are vulnerable.
As this is a passive attack, nothing can be done to detect that
this is being done, either. Some NICs no longer generate IVs that
result in a resolved condition. This renders current versions of
AirSnort ineffective.
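An added example (not AirSnort's code): a C check a network owner can run over IVs captured from their own access point to see whether the card's firmware still emits IVs that reach a resolved condition. It uses an IV-only approximation of the resolved-condition test from the Fluhrer, Mantin and Shamir analysis of RC4, assuming the later key-dependent scheduling steps leave the first three state bytes untouched; the function names and the sample IVs are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: IVs as they might be exported from a capture of
 * your own access point (3 bytes each, in transmission order). */
static const unsigned char SAMPLE_IVS[4][3] = {
    {3, 255, 7}, {15, 255, 0}, {1, 2, 3}, {0, 0, 0}
};

/* Run the three RC4 key-scheduling steps that depend only on the IV and
 * apply the resolved-condition test. Returns the 0-based index of the
 * secret key byte the IV would expose, or -1 if the IV is not weak.
 * keylen is the secret length in bytes: 5 for 40 bit WEP, 13 for 128 bit. */
int weak_iv_index(const unsigned char iv[3], int keylen)
{
    unsigned char s[256], tmp;
    int i, j = 0, x, b;

    for (i = 0; i < 256; i++)
        s[i] = (unsigned char)i;
    for (i = 0; i < 3; i++) {
        j = (j + s[i] + iv[i]) & 0xff;
        tmp = s[i]; s[i] = s[j]; s[j] = tmp;
    }
    x = s[1];
    if (x >= 3)                 /* S[1] must point into the IV-fixed prefix */
        return -1;
    b = x + s[x] - 3;           /* S[1] + S[S[1]] == 3 + b */
    return (b >= 0 && b < keylen) ? b : -1;
}

/* Count the weak IVs in a sample; a card that filters them scores 0. */
size_t count_weak(const unsigned char (*ivs)[3], size_t n, int keylen)
{
    size_t i, hits = 0;

    for (i = 0; i < n; i++)
        if (weak_iv_index(ivs[i], keylen) >= 0)
            hits++;
    return hits;
}

int main(void)
{
    printf("128 bit: %zu of 4 sample IVs weak\n", count_weak(SAMPLE_IVS, 4, 13));
    printf("40 bit:  %zu of 4 sample IVs weak\n", count_weak(SAMPLE_IVS, 4, 5));
    return 0;
}
```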
What can I do to secure my networks?
We suggest that you assume that every packet will be readable by the world.
Protocols like SSL and SSH are trusted for a good reason; they've both
withstood numerous attacks over the years, and emerged (mostly) unscathed.
The latest versions of each allow users to protect data, even on totally
public channels. This is what's referred to as end-to-end encryption. End-to-end
protection measures are fundamentally more resistant to attacks like AirSnort's.
Also make use of RADIUS (or some such) authentication to keep users off
your network should they crack your key.
Your code crashes/doesn't work. What's the deal?
A number of bugs have been reported since our initial release. Most of
these are fixed in version 0.1.0. If you find any more let us know. If
you fix it yourself, send us the patch.
AirSnort is clearly a cracking tool. Why would you release such a thing?
We both have our reasons, but we did agree that it be made public. We felt
that the only proper thing to do was to release the project. It is not
obvious to the layman or the average administrator how vulnerable 802.11b
is to attack. With huge corporations pushing it, it's easy to trust WEP;
conversely, it's hard to digest a mathematical paper describing intimate
details of encryption algorithms.
Yes, AirSnort can be used as a cracking tool, but it can also be used
to settle arguments over the safety of WEP. People with neither the inclination
nor the ability to digest the papers about WEP's security can easily wrap
their minds around a tool like WEP.
If it took us so little time to write AirSnort, it would take a determined
adversary a similarly short amount of time to develop an attacking tool.
The only sane assumption to make is that a malicious hacker would have
developed a tool like this. The only thing AirSnort does is give the tool
to system administrators and script kiddies.
While we are troubled by the fact that script kiddies can get their
hands on this tool, we still figure that the benefits of full disclosure
outweigh the risks. If you disagree, it's just an academic debate, since
we cannot withdraw this program.
Can AirSnort crack 803.2/Bluetooth/Etc. networks?
No.
Can AirSnort be used with X technology to increase its range?
Once I've broken a password, what kind of software can I use to do something
evil?
D00d, how could you release this to the public, and not the HaX0R Underground?
No comment.