Wireless Security Interview Q&A

Q: If my wireless network doesn’t have a lot of traffic, is it okay to use WEP because the IVs required to crack the WEP key won’t be generated?
A: No. Automated tools are available that allow attackers to capture an ARP packet and reinject it to the access point very rapidly. This generates a significant amount of traffic and allows the attacker to capture enough unique initialization vectors to quickly crack the key.
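The replay attack described in this answer has a visible footprint on the air: a flood of identically sized encrypted frames from one transmitter, and, because WEP IVs are only 24 bits wide, IVs that start repeating. The following Python script is an added example (not from the original Q&A) that applies two detection heuristics to a list of observed WEP data frames. The frame tuples, MAC addresses, thresholds and the 68-byte frame size are all constructed for illustration; in practice the fields would come from a pcap parser.

```python
"""Heuristic detector for WEP IV reuse and replay-style frame bursts.

Added example, not part of the original page. Input is a list of
constructed WEP data frames: (timestamp_seconds, transmitter_mac, frame_len, iv).
Thresholds below are assumptions for illustration, not tool defaults.
"""
from collections import Counter, defaultdict

WEP_IV_SPACE = 2 ** 24           # WEP initialization vectors are 24 bits wide

BURST_WINDOW_SECONDS = 1.0       # assumption: look for bursts inside a 1 s window
BURST_FRAMES_PER_WINDOW = 200    # assumption: same-size frames per window that count as a burst


def find_iv_reuse(frames):
    """Return {(mac, iv): count} for every IV a transmitter used more than once.

    With a static key, a repeated IV means the same RC4 keystream was reused.
    """
    seen = Counter((mac, iv) for _, mac, _, iv in frames)
    return {key: n for key, n in seen.items() if n > 1}


def find_replay_bursts(frames, window=BURST_WINDOW_SECONDS,
                       threshold=BURST_FRAMES_PER_WINDOW):
    """Flag (mac, frame_len) pairs that appear >= threshold times within one window.

    A reinjected frame keeps its original size, so a flood of identically
    sized frames from one station in a short interval is the signature.
    Uses a sliding window over the sorted timestamps of each (mac, size) pair.
    """
    by_key = defaultdict(list)
    for ts, mac, length, _ in frames:
        by_key[(mac, length)].append(ts)
    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def iv_space_consumed(frames):
    """Fraction of the 24-bit IV space each transmitter has already used."""
    per_mac = defaultdict(set)
    for _, mac, _, iv in frames:
        per_mac[mac].add(iv)
    return {mac: len(ivs) / WEP_IV_SPACE for mac, ivs in per_mac.items()}


def build_sample_frames():
    """Constructed sample: one normal client and one station flooding the channel."""
    frames = []
    # Normal station: 50 frames of varying size over 10 s, all IVs unique.
    for i in range(50):
        frames.append((i * 0.2, "00:11:22:33:44:55", 100 + (i % 7) * 50, 0x100000 + i))
    # Suspicious station: 500 frames of one fixed size (68 bytes, chosen for the
    # sample) within half a second, cycling through only 300 distinct IVs.
    for i in range(500):
        frames.append((20.0 + i * 0.001, "66:77:88:99:aa:bb", 68, 0x200000 + (i % 300)))
    return frames


def analyse(frames):
    """Run all three checks and return their findings in one dictionary."""
    return {
        "iv_reuse": find_iv_reuse(frames),
        "bursts": find_replay_bursts(frames),
        "iv_space": iv_space_consumed(frames),
    }


if __name__ == "__main__":
    report = analyse(build_sample_frames())
    for (mac, size), count in report["bursts"].items():
        print(f"burst: {mac} sent {count} frames of {size} bytes within {BURST_WINDOW_SECONDS}s")
    reused = Counter(mac for mac, _ in report["iv_reuse"])
    for mac, n in reused.items():
        print(f"iv reuse: {mac} repeated {n} distinct IVs")
    for mac, frac in report["iv_space"].items():
        print(f"iv space: {mac} has used {frac:.6%} of the 24-bit IV space")
```

The burst heuristic is deliberately coarse: a legitimate bulk transfer also produces many same-size frames, so in a real monitor it would be combined with the IV-reuse check and with the frame type (small, fixed-size frames from a station that is otherwise idle).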

Q: What is the difference between active and passive WLAN detection?
A: Active WLAN detection requires that the SSID be broadcast in the beacon frame. Passive WLAN detection listens to all traffic in range of the device and determines what WLANs are in range.

Q: Briefly describe the process involved in cracking WEP.
A: To efficiently crack a WEP key, you first need to obtain an Address Resolution Protocol (ARP) packet from the access point you want to attack. You can obtain this packet using a tool such as Void11 (www.wlsec.net/void11) to send deauthentication packets to the clients associated with that access point. When the clients reassociate to the access point, ARP packets will be generated and can be captured. After you have captured a valid ARP packet, you can use a tool such as Aireplay, a part of the Aircrack suite (http://freshmeat.net/projects/aircrack/), to inject the ARP packet back into the network. This injection process will cause a large number of initialization vectors to be generated. You can capture this traffic with any pcap format sniffer. Ethereal, Airodump, and Kismet all support pcap format. After you have captured between 500,000 and 1 million unique initialization vectors, you can then crack the WEP key using Aircrack or other, similar tools. Most of these tools are available for free on the Internet.

Q: How many types of Extensible Authentication Protocols (EAPs) are supported by WPA/WPA2 and what are they?
A: There are six fully supported EAP types for WPA/WPA2: EAP-TLS; EAP-TLS/MSCHAPv2; PEAPv0/EAP-MSCHAPv2; PEAPv1/EAP-GTC; EAP-SIM; and EAP-LEAP.

Q: What is the primary difference between 802.11g and 802.11a?
A: 802.11g operates in the 2.4 GHz frequency range, as do 802.11b and 802.11i, whereas 802.11a operates in the 5 GHz frequency range.

Q: What is the difference between the HostAP drivers and the wlan-ng drivers for Linux?
A: Both of these drivers work with a variety of cards; however, only the HostAP drivers allow you to place your card in monitor mode.

Q: Who determines the wireless standards?
A: The IEEE develops and determines the wireless standards (802.11a, b, g, and so on). The WiFi Alliance, the group that owns the WiFi trademark, then certifies the interoperability of these devices.

Q: What tools do you use to WarDrive?
A: Depending on the operating system in use, Kismet for Linux or KisMAC for OS X provide the greatest level of functionality for detecting and identifying WLANs. NetStumbler is available for Windows but supports only active WLAN detection and identification, whereas the Linux and OS X tools both support passive WLAN detection and identification.

Q: What is the minimum passphrase length that should be used for WPA-PSK?
A: Because WPA-PSK with a short passphrase is vulnerable to a dictionary attack, and automated tools are available to facilitate this process, a WPA-PSK passphrase should be at least 21 characters long.
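The reason a short passphrase is weak is that the pairwise master key is derived deterministically from the passphrase and the SSID, so anyone who captures a handshake can test dictionary candidates offline. The Python below is an added example (not from the original Q&A) that implements the 802.11i derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, passphrase of 8 to 63 printable ASCII characters) and a policy check enforcing the 21-character minimum this answer recommends. The `WEAK_PASSPHRASES` blocklist and the character-class rule are assumptions added for illustration; the page itself only states the length requirement.

```python
"""WPA-PSK passphrase policy check plus the PBKDF2 derivation behind it.

Added example, not part of the original page. The derivation parameters
are those of IEEE 802.11i; the policy rules beyond the 21-character
minimum are assumptions for illustration.
"""
import hashlib
import string

MIN_PASSPHRASE_LENGTH = 21     # minimum recommended by the answer above
WPA_MIN_LENGTH, WPA_MAX_LENGTH = 8, 63   # 802.11i passphrase bounds
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32

# Constructed blocklist standing in for a real wordlist (assumption).
WEAK_PASSPHRASES = {"password", "wireless123", "letmeinletmeinletmein"}


def is_printable_ascii(text):
    """802.11i restricts passphrases to printable ASCII (0x20 to 0x7E)."""
    return all(0x20 <= ord(c) <= 0x7E for c in text)


def derive_psk(passphrase, ssid):
    """Return the 256-bit PSK for (passphrase, ssid) as raw bytes.

    PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits).
    The low iteration count and the public SSID salt are why offline
    dictionary attacks against short passphrases are practical.
    """
    if not WPA_MIN_LENGTH <= len(passphrase) <= WPA_MAX_LENGTH or not is_printable_ascii(passphrase):
        raise ValueError("WPA-PSK passphrases must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PSK_LENGTH_BYTES)


def character_classes(passphrase):
    """Count how many of lower/upper/digit/punctuation classes are present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in passphrase) for cls in classes)


def check_passphrase(passphrase):
    """Return a list of policy findings; an empty list means the passphrase is acceptable."""
    findings = []
    if not WPA_MIN_LENGTH <= len(passphrase) <= WPA_MAX_LENGTH:
        findings.append(f"length must be between {WPA_MIN_LENGTH} and {WPA_MAX_LENGTH} characters")
    if not is_printable_ascii(passphrase):
        findings.append("only printable ASCII characters are allowed")
    if len(passphrase) < MIN_PASSPHRASE_LENGTH:
        findings.append(f"shorter than the recommended minimum of {MIN_PASSPHRASE_LENGTH} characters")
    if passphrase.lower() in WEAK_PASSPHRASES:
        findings.append("appears in the weak-passphrase blocklist")
    if character_classes(passphrase) < 3:        # assumption: require three classes
        findings.append("use at least three character classes")
    return findings


if __name__ == "__main__":
    # "password"/"IEEE" is the published 802.11i test vector for this derivation.
    print(derive_psk("password", "IEEE").hex())
    for candidate in ("password", "Correct-Horse-Battery-9x"):
        print(candidate, "->", check_passphrase(candidate) or "OK")
```

The derivation is the same one `wpa_passphrase` performs when it turns a passphrase into a `psk=` line, so the hex output can be compared against that tool as a sanity check.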

Q: Our organization doesn’t have a wireless network, so is it even important for our security engineers to understand wireless security?
A: Yes. Even though wireless networking isn’t allowed at your site, it is important that the security staff understand that laptops with wireless cards (authorized or unauthorized) pose a threat to the network and know how to identify them and react accordingly. Additionally, the staff should be able to identify rogue access points and the potential impact they can have on the security of the network.
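Identifying rogue access points comes down to comparing what a passive scanner sees against an inventory of what is supposed to be there. The Python below is an added example (not from the original Q&A) of that comparison: it parses a constructed CSV of scan results, checks each BSSID against an inventory, and labels the ones that are unknown, that advertise a corporate SSID from an unauthorized BSSID, that have drifted from their expected SSID, or that run open or WEP. The CSV layout, the inventory, the MAC addresses and the verdict names are all assumptions for illustration; a site with no authorized WLAN would simply pass an empty inventory, in which case every AP seen on the premises is reported as unknown.

```python
"""Flag rogue or misconfigured access points from a WLAN scan.

Added example, not part of the original page. The scan format, inventory
and verdict labels are assumptions; real input would come from a passive
scanner's export.
"""
import csv
import io
from dataclasses import dataclass

WEAK_ENCRYPTION = {"OPEN", "WEP"}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    encryption: str   # "OPEN", "WEP", "WPA" or "WPA2" in this sample


# Constructed inventory: BSSID -> (expected SSID, expected channel).
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": ("corp-wifi", 1),
    "00:1a:2b:3c:4d:02": ("corp-wifi", 6),
    "00:1a:2b:3c:4d:03": ("corp-wifi", 11),
}

# Constructed scan export, one AP per line.
SAMPLE_SCAN = """\
bssid,ssid,channel,encryption
00:1a:2b:3c:4d:01,corp-wifi,1,WPA2
00:1a:2b:3c:4d:02,corp-wifi,6,WEP
DE:AD:BE:EF:00:01,corp-wifi,11,OPEN
de:ad:be:ef:00:02,linksys,6,OPEN
00:1a:2b:3c:4d:03,guest,11,WPA2
"""


def parse_scan(text):
    """Parse CSV scan output into ObservedAP records (BSSIDs normalised to lower case)."""
    reader = csv.DictReader(io.StringIO(text))
    return [ObservedAP(row["bssid"].strip().lower(), row["ssid"].strip(),
                       int(row["channel"]), row["encryption"].strip().upper())
            for row in reader]


def classify(ap, inventory):
    """Return one verdict for an observed AP against the inventory."""
    authorized_ssids = {ssid for ssid, _ in inventory.values()}
    if ap.bssid in inventory:
        expected_ssid, _ = inventory[ap.bssid]
        if ap.ssid != expected_ssid:
            return "ssid-mismatch"       # known radio, unexpected network name
        if ap.encryption in WEAK_ENCRYPTION:
            return "weak-encryption"     # known radio running open or WEP
        return "authorized"
    if ap.ssid in authorized_ssids:
        return "ssid-spoof"              # unknown radio advertising a corporate SSID
    return "unknown"                     # could be a neighbour or an employee's own AP


def audit(scan_text, inventory):
    """Map each observed BSSID to its verdict."""
    return {ap.bssid: classify(ap, inventory) for ap in parse_scan(scan_text)}


def needs_response(verdicts):
    """BSSIDs that warrant a walk with a directional antenna or a port lookup."""
    return sorted(b for b, v in verdicts.items() if v != "authorized")


if __name__ == "__main__":
    results = audit(SAMPLE_SCAN, AUTHORIZED_APS)
    for bssid, verdict in results.items():
        print(f"{bssid}  {verdict}")
    print("follow up on:", ", ".join(needs_response(results)))
```

Unknown APs still need triage: a neighbouring business on an adjacent channel is noise, whereas an unknown AP whose wired side answers from an internal switch port is the rogue this answer warns about, so the next step is usually to correlate the BSSID with MAC tables on the wired network.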