The Current State of Wireless Security

This post is a small survey of existing Wi-Fi security protocols pertaining to home and small offices as of Oct. 25th, 2010

WEP – Wired Equivalent Privacy – WEAK

Anyone with the slightest knowledge of wireless security protocols knows that WEP is very insecure. A very inexperienced individual can get the tools and watch a tutorial on how to crack a WEP key in a few hours. WEP seriously has so many problems from a cryptographic point of view.

  • The master key is used within the encryption instead of deriving a key from the master key.
  • Keys can be derived from datagrams.
  • The hashing algorithm it uses for integrity is weak (CRC32)

Do not secure your network with WEP. WEP will be completely out of production by 2014.

WPA – Wi-Fi Protected Access – MODERATE-STRONG

WPA was the interm solution to WEP’s serious weaknesses while WPA2 was developed. One of the important points of WPA is that it derives encryption keys from the master key instead of utilizing the master key in the encryption.

WPA has held it’s ground for some time but it still vulnerable to brute-forcing weak passwords by capturing an authentication handshake.Weaknesses in WPA implementations have been discovered as early as 2008 and are continuing to be discovered into early 2010.

The current vulnerabilities exist in the Temporal Key Integrity Protocol (TKIP) (the enhanced protocol to address WEP vulnerabilities). They allow an attacker to inject a small amount of valid encrypted packets of their choice. When the original vulnerability was discovered, Quality of Service (QoS) needed to be enabled on the access point in order to successfully take advantage of the vulnerabilities. Specifically, having QoS enabled,
allowed one to bypass WPAs replay protection. However, as of early 2010, the QoS requirement for the attack is not required. Because this vulnerability doesn’t expose the key, people are not as concerned about it and it hasn’t warranted much concern. Although the attacks aren’t much of a concerned, I’d suggest if you’re going to use WPA, use WPA-AES, NOT WPA-TKIP. TKIP was officially deprecated from the 802.11 spec as of early 2009. The take home message of WPA as quoted from the Wi-Fi alliance:

Q: Is WPA still secure?
Yes, WPA remains secure. WPA is the major upgrade to Wi-Fi security, applicable to
enterprise and home users. WPA was independently verified to address all of WEP’s
known weaknesses. WPA2 is not being released to address any flaws in WPA.

WPA2 – Wi-Fi Protected Access 2 – STRONG

WPA2 was the final spec that the Wi-Fi Alliance had been working on when WEP vulnerabilities were discovered. Instead of utilizing TKIP for encryption, WPA2 utilizes AES. WPA2 is very similar to WPA-AES with a few minor differences that are negligible to security protection.

Like WPA, WPA2 passwords can also be brute-forced, thus strong and random passwords should be used. Other weaknesses in WPA2 do exist but they can generally be avoid by implementing basic security practices. Due to the deprecation of TKIP and the inherently stronger AES encryption, WPA2 is the recommended wireless security protocol. 

Cracking WEP with the Intel 3945abg

Since I’ve been reading a lot about security in networking, I figured I’d give the well known WEP cracking a try.

Common Misconceptions With Wep Cracking
  1. You need a special card to crack WEP keys.
    • This is not true, with some caveats. Any card that can be switched to “monitor mode” can be used to crack WEP keys. The vast majority of cards can do this or someone has written a custom driver (e.g. Airport Extreme Cards on Macs) to enable it. HOWEVER, and this is a big however; if you want to crack WEP without waiting for days or even weeks, you need a card to supports “packet injection.” This list is much smaller but growing as the hardcore driver writers write custom drivers for them.
    • (more…)

Simple HTTP Server Detector

The preamble to this post is that you can do this in a few lines with CURL, telnet, wget etc. I’m also sure someone has already written one of these but coming from a Java background, it was useful for me (and may be to others) to write a simple application that uses sockets in C.

very Simple HTTP Server Detector 1.0

(I was laughing when I wrote that title)

nobody@nobody:~/$ ./detect
Usage: ./detect < domainname >

Output looks like this

nobody@nobody:~/$ ./detect
Server: Microsoft-IIS/7.5

nobody@nobody:~/$ ./detect
Server: Apache

nobody@nobody:~/$ ./detect
Server: gws

nobody@nobody:~/$ ./detect
Server: unknown

nobody@nobody:~/$ ./detect
Server: AkamaiGHost

nobody@nobody:~/$ ./detect
Server: hi <=== LOL!!

If you’re new to C, see if you can come up with an implementation on your own and then check out the reference below (heavily commented for understanding):

 * Simple HTTP Server Detector
 * Copyleft 2010.
 * All rights have been wronged.
 *  Created on: Oct 5, 2010
 *      Author: xploit
#include <stdio.h> /* Printf, perror, etc */
#include <stdlib.h> /* exit */
#include <sys/socket.h> /* sockets */
#include <netinet/in.h>
#include <netdb.h> /* Host lookup */
#include <string.h> /* bzero */

/* HTTP port */
#define WEB_PORT 80
/* Receive buffer size */
#define RECV_BUF 1024
/* Server buffer size */
#define SRVR_BUF 256

void fatal(char *error);

int main(int argc, char **argv) {

	int socket_fd, i;
	struct sockaddr_in remote_addr;
	struct hostent *remote_host;
	char recv_buf[RECV_BUF], srvr[SRVR_BUF];

	if (argc < 2) {
		printf("Usage: %s <domainname>n", argv[0]);

	/* Create a socket */
	if ((socket_fd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
		fatal("Failed to create socketn");

	/* Resolve the domain name */
	if ((remote_host = gethostbyname(argv[1])) == NULL) {
		fatal("Failed to resolve domain namen");

	/* Set address and port of remote host */
	memcpy(&(remote_addr.sin_addr), remote_host->h_addr_list[0],
	remote_addr.sin_family = AF_INET;
	remote_addr.sin_port = htons(WEB_PORT);

	/* Zero out the rest of the struct */
	memset(&(remote_addr.sin_zero), 0, 8);

	/* Connect to the domain */
	if ((connect(socket_fd, (struct sockaddr *) &remote_addr,
			sizeof(struct sockaddr))) == -1) {
		fatal("Unable to connect to domainn");

	/* Send a HTTP head req */
	if ((send(socket_fd, "HEAD / HTTP/1.0rnrn", 19, 0)) == -1) {
		fatal("Error sending HEAD requestn");

	/* Receive the response */
	if ((recv(socket_fd, &recv_buf, 1024, 0)) == -1) {
		fatal("Error reading HEAD responsen");

	/* Find the server substring */
	char *srvr_ptr = strstr(recv_buf, "Server:");

	/* Fail if it wasn't found */
	if (srvr_ptr == NULL) {
		fatal("Server: unknownn");

	/* Read server line*/
	i = 0;
	while (srvr_ptr[i] != 'n' && i < SRVR_BUF) {
		srvr[i] = srvr_ptr[i];
	/* Terminate String */
	srvr[i] = '\0';

	/* Clear string */
	srvr_ptr = NULL;

	/* Print the results */
	printf("%sn", srvr);

	/* Stop both reception and transmission */
	shutdown(socket_fd, 2);

	return 0;

// Prints an error and exits
void fatal(char *error) {

One Time Password Protocol Using Your Email

Do you ever have a login that needs to be secure but you don’t want to create and remember a new random and cryptic password? I do all the time, especially for things that I don’t log in to frequently but still need to be secure. Remembering tons of 12+ random password, even with key store is a pain.

So I created a one time password protocol that I use all the time with popular sites like Twitter

The Protocol
  1. On computer @ site to login, click the “Forgot Password” link – enter the email you registered with the site
  2. Generate a random 12+ (100+ if you wanted!) alphanumeric/special char password using a random password generator (they’re all over online)
  3. Highlight and copy the password (CTRL-C/CMD-C)
  4. Log in to the email address, click the “Reset Your Password” link in the email you received from the site.
  5. Paste and submit the new password @ the reset screen
  6. Return to site login, enter username, paste password
  7. Copy something random back into the clipboard — like a space
  8. Forget
Go to Top