Quick Q about WEP/MAC

Boro · 15-03-2005 2:40pm #1

I know WEP is pretty insecure compared to WPA, but when WEP has to be used (and specifically 64bit WEP) and it is combined with MAC filtering - is that secure? Once the MAC filtering is in place, does that rule out anyone even getting to sniff at the WEP? Is MAC filtering secure or can it be spoofed somehow from outside the network?

seamus · 15-03-2005 2:46pm

I'd say "secure enough" if a) You're not overly concerned about your data security (i.e. a home network) and b) you keep an eye on what's going on every so often.

As you know WEP can be cracked, and MAC addresses can be spoofed.

It's unlikely that any wardriver would be so bothered as to spend the effort sniffing your packets and trying to make their way in, particularly when one of your neighbours probably has a wide open network 50 metres away.

It may be possible to set up MAC filtering and DHCP limiting so that if you have say 3 machines always on, on the network, then your router only gives out three IP addresses. If a MAC address is cloned, you should see an IP conflict appearing, and/or a machine being booted off the network.

If you're trying to secure a business AP or your data needs to be extremely secure, then I'd say no, it's not enough.

Boro · 15-03-2005 2:50pm

NAh, its just a home network. I would like to use something more secure than 64bit WEP but one machine can only use WEP.

Thanks Seamus, that was what i wanted to know. And as it happens, theres two unsecured wireless networks on either side of the house

JoyPad · 15-03-2005 5:03pm

seamus wrote:

If a MAC address is cloned, you should see an IP conflict appearing, and/or a machine being booted off the network.

A wardriver that is able to spoof the MAC will most probably be smart enough to not rely on DHCP, and will use a statically assigned IP, avoiding any conflict.
The security conscious (read "paranoid") will change the WEP key every hour or so

Cheers,
JP

seamus · 15-03-2005 5:06pm

JoyPad wrote:

A wardriver that is able to spoof the MAC will most probably be smart enough to not rely on DHCP, and will use a statically assigned IP, avoiding any conflict.

D'oh! Missed that. Though you could in theory refuse to also relay/route/accept any packets from any machine but the three IPs. If you're gonna got that far though, you might as well go the WPA route.

Boro · 15-03-2005 5:42pm

How easy is it to sniff out the MAC from a WEP'ed wireless network?

JoyPad · 15-03-2005 6:10pm

Boro wrote:

How easy is it to sniff out the MAC from a WEP'ed wireless network?

First you need to use brute force on WEP, and of course, 64bit would be easier to crack than 128bit. I never did it myself, but I read on tomsnetworking.com that it takes a few hours for 128bit.
Then MAC is easy, first unencrypted packet will reveal source and destination MACs and IPs.

Boro · 15-03-2005 6:13pm

Ah. Thanks for the info.
Still, once its moderately secure its fine. Nothing to hide and id probably notice someone parked outside the house for a few hours

Rew · 15-03-2005 6:23pm

As far as I know but id have to double check all 802.11 WEP encrypted trafic at layer 2 has the MAC adress in plain text and its the the data part of the packet thats encrypted.

EDIT:

Yeah I just checked and its only the body of of the 802.11 frame thats encrypted and the header containing all the MAC addresses is in the clear.

Capt'n Midnight · 15-03-2005 7:18pm

you could use a subnet like 255.255.255.248 to limit the range to 6 valid IP's, won't really help much unless all 6 are in use, or add fake routes to the unused IP's so they don't go to the internet but you need a very configuable internet router for that.

Rew · 15-03-2005 7:38pm

None of the network options are particularly secure though. Mucking about with DHCP to give out false routes etc will just make the true route and IP range obvious in sniffed trafic. Locking down the network to just a few IPs still means you can jump in when the other device isn't there or just mussle in and ignore the conflict. I know people who have done this is hotspots to get access.

JoyPad · 15-03-2005 9:46pm

None of the network options are particularly secure though.

If the keys change quicker than they can be cracked, the system is secure.
This can be achieved even with 128bit WEP.

Boro · 15-03-2005 9:51pm

So theres not much you can do at all to halt a semi-determined hacker?
So does WPA(-PSK?) slow them down?

Rew · 15-03-2005 10:06pm

Boro wrote:

So theres not much you can do at all to halt a semi-determined hacker?
So does WPA(-PSK?) slow them down?

You can def stop hackers/crackers but its not any one thing that does it. If sombody does break in to your network and your machine is patched and you use SSL websites etc. the wost they can do is use your bandwith.

Yes WPA is secure but with the PSK you have to use a fairly obsceure key (ie: alpha numeric, non dictionary). WPA2/802.11i standard which will have hardware accelerated AES + a few fixes.

JoyPad wrote:

If the keys change quicker than they can be cracked, the system is secure. This can be achieved even with 128bit WEP.

I was refering to the Layer 3 messing (DHCP, routing etc).

Sure but you refering to 802.11x/EAP and AFAIK it has a few weaknesses as well, mainly due to the fact that it was designed for a wired enviorment but I havn't read that much in to it, TBH sombody determined enough to get in at that stage will probabaly attack a softer part of the network or one of the authorised/privlaged clients.

Boro · 15-03-2005 10:36pm

Well, its not as if i have anything important to hide, maybe just my bandwidth. Ive benefitted from more than a few unprotected APs lately and i just was wondering whether my own was as easy to leech off, despite WEP/MAC filtering. Thanks for the education

Quick Q about WEP/MAC

Comments