Author : Fabrice Bellet <Fabrice.Bellet@creatis.insa-lyon.fr>
Recent changes to this document
The hardware choice
The 3Com PCMCIA card and Linux
The Intersil Prism2.5 card and Linux
The WLAN-ng driver
The Host AP prism2 driver
WEP key cracking
Vendor workarounds to WEP cracking
Recommended Linux tools
Host AP configuration
the wep_tools cracking programs
Updates
Hardware has been chosen with inter-operability requirement in mind. The hardware pool is composed of laptops running various versions of Microsoft Windows, and few laptops running Linux.
Starting from this web page, I looked for material satisfying interoperability and well known vendor criteria. After a quick search, I decided to order 3Com hardware, both for access point (the material being the bridge between the wired and the radio network) and for PCMCIA cards.
The ordered PCMCIA cards were model 3CRWE737A-FR, priced around 260 euros in France, and the access point was the model 3CRWE60092A-FR.
Fortunately, I first received Comet Labs instead of 3Com ones. These cards contain an Intersil Prism2.5 chipset, which proved to be very Linux friendly compared to 3Com model.
The 3Com PCMCIA cards arrived later, and we now have a configuration with : the 3Com AP, 3Com PCMCIA cards (3CRWE62092A-FR, the one with the XJack antenna), and Comet Labs cards.
The first thing that can be a surprise is that the access point is a black box. No serial port for direct configuration, no power switches, just a reset hole, and three LED indicating the AP healthness. The AP looks cheap and weak.
Powering is achieved with a hack using the ethernet cat 5 cable to bring power to the AP. So you can put your AP far for the wired-network element it is plugged to, without to worry about power supply. Good point.
The AP is only configurable via the HTTP protocol only. This means that the AP needs to get a valid IP address in your LAN first, so you have a DHCP server to be running. Once your AP is identified on your local network, you can start talking to it. The first bad point of this AP is its welcome message :
3Com Access Point's Web Configuration Manager is meant to be run on Microsoft Internet Explorer 5.0 or higher. If you do not have a Microsoft Internet Explorer 5.0 or higher, you download it from www.microsoft.com.
So if you expect to administer your AP from your Unix machine, change your mind, this AP is Windows-friendly only. This is quite disturbing for an active network element, which is expected to meet some interoperability criterion. You may think that this warning may be ignored, and other browsers can be used on other operating systems than IE on Windows. Wrong assumption !
Hidden links: This AP uses javascript, which is at least
a questionnable choice. The aim of this choice seems to introduce
configuration GUI interactivity. In the
"encryption" frame accessible
at the URL http://your_access_point/cfgWEP.html?file=cfgWEP
on your AP. Depending on your choice for the type of encryption,
"Enter a string to generate shared keys" or "Specify shared keys and
which key to use", a
new link http://your_access_point/Sh128bKey.html?WEP128b=1
appears in IE if you click on this second choice.
You can see the difference between the
IE version and the
mozilla version of this same page. This new link
is of vital importance if your PCMCIA cards are not 3COM ones,
because it gives the administrator access to the
raw hexadecimal key generated from
the string you entered in the previous web page.
First, why is this raw hexadecimal key important ? Because the algorithm which convert the key string into this hexadecimal key is hidden and proprietary from 3Com. So, you'll be able to use this key string only with 3Com PCMCIA cards, whose driver naturally also knows the conversion algorithm. With other PCMCIA cards, you 'll have to enter yourself this 13 or 5 hexadecimal digits in the configuration of your card, which is less userfriendly than having to remember a passphrase. One trick, among others, to discourage interoperability.
Secondly, the access to this hexadecimal key is carefully hidden to non-IE users. If you don't use IE to configure your AP, you'll never see this link in your browser... Second trick to discourage interoperability.
XSL Stylesheets working with IE5 only: The System status menu, uses XSL stylesheets to display the information in an eye candy way with IE. With mozilla, this same information appears in a less readable mode.
You're strongly encouraged to upgrade the firmware of the AP to the latest version. Firmware version 3.0 have a noticeable enhacement : it supports 128 bits WEP encryption. A few remarks about this new key format :
128 bits key length is not the WEP standard. 40 bits is the standard.
128 bits compared to 40 bits is better I you want to avoid brute force attacks, supposed to work by exploring the whole key space, because the duration of the attack is exponential relatively to the length of the key.
128 bits is not the good way to prevent attacks based on the weak keys selection in the RC4 encryption algorithm described in this article and implemented in AirSnort for example, because the duration of the attack is linear relatively to the length of the key. We'll see that 3Com chose another workaround to prevent the radio network against this attack.
Firmware version 3.0 also correct a very annoying problem of previous shipped firmware version. It was previously impossible to have two concurrent http connection to the AP from two distinct clients. If you tried to connect twice to the AP, it entered a frozen state, and the only way to restart it was to unplug the RJ45 power cable.
This model of card has a XJack antenna, which allows you to have the pcmcia completely inserted and hidden in the PCMCIA slot of your laptop when the antenna is retracted.
Looking for a working PCMCIA driver with Linux could be quite challenging, due to the large variety of available drivers, and due to the fact that a given card could be managed with different level of success by different drivers. The most known PCMCIA driver package is pcmcia-cs, which is integrated in the standard kernel sources, and whose userspace tools (cardmgr) are shipped in many Linux distributions. This package contains a directory contrib where you'll find drivers not compiled by the default config.
Another good source of information about PCMCIA wireless hardware and available linux drivers is maintained by Jean Tourrilhes.
I found a working driver for the 3Com card at this location. The support for the 3Com 3CRWE62902A in integrated in the poldhu_cs driver. I tried version 0.2.9 of this driver. This was the most recent version available at the time of my testing. The support for 128bits WEP encryption was missing in this version. So I stopped here my investigations with this card. Recent versions of this driver ( 0.2.11) now includes a support for 128 WEP encryption. I didn't tested this support yet.
Altough this card is a very cheap one, it appeared to be exceptionnaly well suited to work with Linux : promiscuous mode is possible, 40/128 bits encryptions is supported, PF_PACKET mode is available (this allows to use directly tcpdump or ethereal on the wlan interface), airsnort is designated to work with this chipset (it work with Lucent orinoco_cs too), and finally, this chipset can run in host AP mode too, which allows you to turn a laptop into an access point, without the burden to use black boxed hardware. You can use the WLAN-ng driver to operate your card in Managed mode, or the Prism2 driver developper by SSH.COM guys tp operate your card in Host-AP mode. Other pcmcia drivers are supposed to work with this chipset, with various degrees of success. This is one of the power of the linux wireless software development : not a single driver can recognize your card, and for a given driver, the manfid (the numerical reference of your card) can be absent of the /etc/pcmcia/*.conf configuration files.
The prism2 driver is maintained by Absolute Value Systems. You can find useful additionnal patches at pizza's site.
You can switch to promiscuous mode :
wlanctl-ng wlan0 lnxreq_wlansniff channel=10 enable=true
Then you can listen the radio frames, with a tool like prismdump, and work with ethereal or tcpdump.
This other prism2 driver allows you to use the PCMCIA like an access point, without to deal with firmware flashing and other gory details. This driver installs a kernel module called prism2.o. You may have to adapt the configuration file /etc/pcmcia/prism2.conf in case the manfid of your card is not already there. You'll need to indicate to the driver your ESSID, and the frequency you're using at the end of this config file.
You'll have to configure your laptop to act as an ethernet bridge between your wired network and your wavelan. All the bridge configuration stuff is explained in the package's homepage.
I experienced stability problems when WEP encryption is enabled. The connection often freezes after transferring few MB of data. The solution is to use an opensystem connection, with SSL encryption at the application level.
I tried unsuccessfully to crack WEP with the two available programs on the net : airsnort and WepCrack. The first one is more userfriendly, but the second one is more didactic. The later one also can generate a list of weaks IV according to a given WEP key, for run with the WEPcracker then. The WEPcracker can work on those computer-generated weak IV, or on a list generated by scanning a real wavelan traffic.
Both programs rely on the fact that you can put your wireless card in promiscuous mode, without beging connected to any network. This is a bit different of the promiscuous mode on a wired network, where your network card is on the network. In this wireless promiscuous mode, you'll see a 802.11b header, and encrypted data containing ethernet frames if WEP is enabled. You'll see ethernet frames in clear-text if WEP is disabled.
The encrypted data is generated with a shared hexadecimal key, known by all hosts on the wireless network, and a 24bits initialization vector (IV), randomized, and supposed to be different for each frame.
The problem is that for a certain class of IVs (first byte between 2 and 14, second byte to 255), the shared key can be reverse engineered, according you have collected enough weak IVs, and their associated first byte of the encrypted stream.
If IVs are randomly assignated, and if the traffic is important on the wireless network, you just have to listen to the traffic for a small amount of time to collect enough weak IVs. Relying on statistics, 15 minutes, or around 1GB data examined (wireless 802.11b operates at 11Mbits) is sufficient to find enough weak IVs. Yor mileage may very according to frame length (MTU).
The two card I tested have different workaround to the WEP cracking algorithms.
The 3Com cards and access point only work with a small pool is IV (around 260 values), which are always reused. So cracking algorithms can never collect enough different IVs to run the cracker on.
The Intersil cards choose to distribute IVs incrementaly, but avoid values having 255 as second value : The card directly jumps from 255:254:x to 0:0:x+1.
These workarounds work efficiently on these PCMCIA cards, BUT you often cannot control what kind of wireless card is used on your wireless network. You have to remember that traffic is bi-directionnal. The policy of your access point doesn't extand to the policy of your network. So, even if your AP doesn't generate weak IV, the wireless cards can, depending on their chipset. WEP is intrinsequely broken, and the initiative of some vendors will not make the protocol secure for a while, because as long as one vendor card generate weak IV, your wireless network is vulnerable.
In this section, I'll briefly present some tools I find useful, interesting, powerful, for use with wireless equipments.
[root@bonobo bellet]# more /proc/net/wireless Inter-| sta-| Quality | Discarded packets | Missed face | tus | link level noise | nwid crypt frag retry misc | beacon wlan0: 0000 26. 40. 0. 0 0 0 0 0 0
[root@bonobo bellet]# iwconfig wlan0
wlan0 IEEE 802.11-b ESSID:"CreatisLab"
Mode:Managed Frequency:2.462GHz Access Point: 00:04:76:A5:E0:AC
Link Quality:22/100 Signal level:35/100 Noise level:0/100
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
Wireless support in Linux is definitely a moving target. New features have been included in the linux-wlan-ng driver, as well in the poldhu_cs driver for 3Com latest cards with XJack antenna
$Id: wireless.html,v 1.5 2003/10/19 20:28:27 bellet Exp $
