Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Hacker-Built PC Scans 300 Wifi Networks At Once 121

An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.
This discussion has been archived. No new comments can be posted.

Hacker-Built PC Scans 300 Wifi Networks At Once

Comments Filter:
  • by Anonymous Coward on Friday September 01, 2006 @11:20PM (#16028517)
    Bush would be proud.
    • Re: (Score:2, Informative)

      The poster isn't wrong, from the thg article

      After the Instant Off switch is hit, a USB key with a 2000-bit passkey and a manually entered password are needed to access the computer. Williams said that even if someone managed to grab the USB key, they would still have to "torture or bribe me" to get the password.

      In the UK, the RIP act allows you to be thrown in jail for 3 years for not supplying the encryption keys, in America I can quite easily picture this guy wearing his leather hat and some fetching oran
      • I could imagine that too.....when did withholding information (passwords, etc) become illegal? wasn't there some law aginst forcing someone into self incrimination in the US?...I kinda remember something like that...no couldn't be...
        • Re: (Score:3, Interesting)

          by hazem ( 472289 )
          If you are not under arrest, and if they are simply investigating, you don't have as many protections and you can be charged with interfering with a federal investigation. There's some kind of legal "trilemna" that is considered unethical - but is often used by the government to get around the "self-incrimination" issue:

          Your three choices are:
          1) answer the questions/comply with information requests - which ends up incriminating you
          2) refuse to answer the questions - now you can be charged with interfering
      • It's much better to simply keep a second key in a secure location and introduce the key you have in your posession when you're caught to the business end of your boot. It's not destroying evidence, just the means to get to the evidence.

        Of course, be ready to face the full force of the authorities' revenge for daring to stand up to them when they do something wrong.
      • Law-enforcement isn't your only adversary. It's just a good one to model because it's an adversary with lots of resources at its disposal, and not necessarily completely trustworthy.

        No information technology is going to give you significant protection from the courts except in very limited circumstances.

  • Time to enable encryption on your wireless network. It's not foolproof, but it'll make you a smaller target.
    • Encrypted networks ARE the target when it comes to wireless "hacking"
      • I hate to be needlessly cruel, but did you even read the fing summary? It's about SCANNING, not necessarily hacking; if you have 250 users worth of unencrypted data, and 50 users with strong encryption, you'll probably find that the encrypted ones aren't worth your time.

        I don't think that this machine can scan, decrypt, and record 300 WiFi Networks in real-time.
        • Re:Just about time (Score:5, Interesting)

          by Kadin2048 ( 468275 ) <slashdot.kadin@[ ]y.net ['xox' in gap]> on Friday September 01, 2006 @11:35PM (#16028567) Homepage Journal
          Did you even read the article?
          In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like airreplay, airdump and aircrack, Willams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic.
          ...
          Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

          No, it can't decrypt traffic from 300 networks at once, but it can certainly crack one that's encrypted with some of the most common algorithms rather quickly. It's more than just a recording device. Although, if it really can crack networks that quickly, then concievably you could crack all the WEP-enabled networks in range, and then start logging all the traffic on all the networks that you could hear, encrypted and not, for later analysis.
          • by Leto-II ( 1509 )
            He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

            Oh come on... That just makes him sound like a nutcase.
            • by Leto-II ( 1509 )
              And that's what happens when you forget to add a slash and use the preview button. :(
          • He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.
            "Breaking SHA-1," as in a preimage attack? Has anyone even managed to do this "quickly"?
        • Re: (Score:2, Informative)

          It is pretty good at cracking WEP

          In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like airreplay, airdump and aircrack, Willams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic

          • Oh, nifty! I guess it replays recorded (encrypted) frames, hoping to capture the replies (even if they're just NAKs) in order to use them to get the IVs needed to crack the WEP key.

            Yet another reason why encryption without authentication (or doing something with messages that have failed authentication besides dropping them to the floor) is a bad idea.

    • Too true. Secure wireless is an oxymoron. If it's wireless, it's insecure depending only upon on how determined the snooper is so if your data is sensitive, don't broadcast it. The only way to fully guarantee the integrity of your wireless network is to disconnect your WAP and bury it in the backyard.
      • by deragon ( 112986 )
        What if you use a strong VPN between your wireless computer and your access-point? Granted, there is no proof that encryption cannot be cracked, but up to this day, strong encryption is considered pretty secured.
  • by Kagura ( 843695 ) on Friday September 01, 2006 @11:24PM (#16028533)
    "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access.

    I use a hammer, you use an instant-off switch that you'll never be able to turn back on. At the end of the day, at least one of us will have released some pent-up frustration and anger. :)
  • by w9ofa ( 68126 ) on Friday September 01, 2006 @11:32PM (#16028555) Homepage
    The one watt amplifiers mentioned in the article almost guarantees that this device is operating outside the FCC part 15 rules.

    I know everyone on /. hates the FCC, but consider how many nearby wireless networks might be effectively DoS'ed while he is trying
    to hack some schmuck's WEP key.

    • by TooMuchToDo ( 882796 ) on Friday September 01, 2006 @11:51PM (#16028608)
      If you're using this device, you most likely don't care about Part 15.

      -b
    • by RyuuzakiTetsuya ( 195424 ) <<taiki> <at> <cox.net>> on Saturday September 02, 2006 @12:16AM (#16028651)
      On the contrary, the FCC regulating my microwave not to interfere with my WiFi or my wireless phone I like.

      The FCC regulating whether or not i can say FUCK on the radio, I don't.
      • yeah? well?.....I hope that your microwave can accept any interference received, including interference that may cause undesired operation.
      • by argStyopa ( 232550 ) on Saturday September 02, 2006 @08:32AM (#16029398) Journal
        Of course on /., this is "insightful". To me, it's just juvenile egoism shining brightly.

        "I like the way the rules help me in one way, I don't like the way the rules constrain me in another way."

        At some point, the organism understands that society - the collective "we" that live together - cannot exist without compromise, and the essence of compromise is empathy.

        Perhaps you might consider that some of us would prefer that you pollute your own yard, not the collective commons that is the public airwaves.
        • by espo812 ( 261758 )

          To me, it's just juvenile egoism shining brightly.

          Maybe his particular statement, but I will come to his defense.

          "I like the way the rules help me in one way, I don't like the way the rules constrain me in another way."

          Well in one instance the rules are forcing devices to not interfere with eachother, a fairly useful form of government regulation. In the other case the regulation puts a constraint on the First Amendment ("Congress shall make now law [...] abridging the freedom of speech"), an illegal

        • The FCC as a technical regulatory body is great. Those are the set of rules I agree with. However, the decency on the airwaves set of rules, I don't.
        • I'm pretty sure most of us are strongly in the Bill of Rights camp. And that means freedom of speech, which I believe FUCK is a part of.

          Go back to church and don't hurt yourself by attempting to think. Leave that to us science and nerd types, please.

          rhY
          • While I understand it's intellectually easier for you to simply dismiss my comments as those of some religious nutjob, I'm afraid I don't fit your view. Haven't gone to church in years, not even sure I believe in the idea of God. So where does that leave you?

            Let's go back to the topic, perhaps?

            So you claim that the right to say "FUCK" is established in the Bill of Rights. So by your logic, I can say FUCK wherever I want? Oh wait, no, I can't. Dozens of court cases (many going all the way to the Supreme
    • The one watt amplifiers mentioned in the article almost guarantees that this device is operating outside the FCC part 15 rules.

      False.

      802.11 is considered to be direct sequence spread-spectrum. According to 47 CFR 15.247(b)(3), the limit is 1W for this purpose.

      • by w9ofa ( 68126 )
        I'm not denying that 1 Watt amplifiers are totally leagal, but doesn't that imply that the antenna is going to be low-gain in order to meet the field strength limits?
        • I'm not denying that 1 Watt amplifiers are totally leagal, but doesn't that imply that the antenna is going to be low-gain in order to meet the field strength limits?

          As a DSSS system, 802.11 is regulated on a power/gain rather than field strength basis. You can have up to a 6dB antenna gain before you have to start peeling back you transmitter power to comply.

          From there, if you have a point-to-multipoint system (which is what this box would be), you need to drop back dB-for-dB for every dB over 6. F

  • Sell? (Score:3, Interesting)

    by SocialEngineer ( 673690 ) <{moc.liamg} {ta} {adnapdetrevni}> on Friday September 01, 2006 @11:34PM (#16028563) Homepage

    I'm sorry, but I don't see much in the way of commercial application for this thing - we know standard wireless networking encryption isn't secure. We know it can be cracked, and it can be cracked with just 2 cheap laptops to capture the data. There isn't much more of a need for proof-of-concept anymore.

    • by jpardey ( 569633 )
      Ever heard of industrial espionage? Park your car in front of your client's specified target, and let the packets flow. Also good for stock traders. Amateurs would be interested. The military probably already has similar cheaper devices.

      And I would pay for his hat.
      • The military probably already has similar cheaper devices

        Oh, not so sure about the military, but you know the FBI / NSA / CIA have them - BUT I bet they are not cheaper. EVERYTHING the government does costs more. After all, it's not like they guys buying shit are using their own money now... Network General has been making network sniffers for years, but their $20K boxes really don't do much more than a cheap laptop running ethereal(wireshark) and other misc open source tools.
    • I believe they make no such claim as being the first of its kind with this capability; think of it more as need to waterproof-said-concept.

      *ducks
  • ..history sooner or later.

    Why? Because of WEP 's broadcasting nature smart people make things like Janus Project and capture your data and may break WEP security.

    This is known to cyptanalysts long before so it is superseeded by WPA(Wi-Fi Protected Access) and WPA2 standards.

    But yes WEP is stil used to avoid casual snooping :).

  • :o\ (Score:5, Insightful)

    by TubeSteak ( 669689 ) on Friday September 01, 2006 @11:37PM (#16028575) Journal
    From his Riviera hotel room and using a 1W amplified antenna, Williams said his Janus computer was able to capture data from 300 access points simultaneously. He said over 2000 access points were scanned and 3.5 GB of traffic was captured during the entire convention.
    ...
    Williams told us that he has spent a few thousand dollars building the Janus computer and hopes to make his money back by selling commercial versions to big companies and government organizations. "Maybe one day I could get the military to be a customer," said Williams.
    Forget the military, how about corporate espionage?

    I imagine that'd be a bit more productive.
  • by Browzer ( 17971 ) on Friday September 01, 2006 @11:42PM (#16028591)

    Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.


    • Re: (Score:2, Funny)

      by keeboo ( 724305 )
      He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

      move.l <key>,d0

      That was easy.
      I'm not sure it's possible in x86 processors though.
    • Yea, I couldn't even grasp what it truly meant here. Is Williams looking for an algorithm to break SHA1 and RSA? Did he prove P = NP yet?
      • If we account for reporter incompetence, it seems he is claiming that he is looking for a way to determine that the hash doesn't match, in constant time. Probably working under some assumptions about the length, etc.

        But considering how mangled that sentence is, theoretically, I'd wait for a claim directly from the source before claiming crackpot.
    • In other news, he has also announced that the next version of the Janus project will be powered by the Easter Bunny running on a very small, internally mounted gerbil wheel.

    • I'm sure this is a misquote.

      He can already crack WEP in under five minutes, I could see where he could possibly crack WEP in a single "for" loop or something using recursion (in which case why would it need to loop? Maybe if something goes wrong, the router doesn't respond or something).

      And then SHA1 and RSA encryption would be his next target, and eventually he'd get it to where he can crack that in a single "for" loop.
    • Re: (Score:3, Informative)

      Actually, if you read the documentation for the VIA Padlock [via.com.tw] hardware encryption/decryption engine, you would realise that they talk about realtime encryption/decryption, its not a software operation, its a set of on-die commands.
    • He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

      RISC is so passe nowadays.
  • So use VPNs. (Score:5, Interesting)

    by Randseed ( 132501 ) on Friday September 01, 2006 @11:45PM (#16028597)
    You'd think by now that people would go ahead and use WEP or WPA, but tunnel traffic over a VPN even to internal sites. That's what I do. While someone may be able to crack my WEP or WPA keys, all that gets them is the ability to access the VPN port on the router. Everything else, including traffic to internal machines, is dropped unless it comes from the VPN. And since the VPN address is on a seperate subnet, the WAP won't route the traffic if you force your IP address to be open, but appear as the VPN IP address.

    Obvoiusly not foolproof. I need to get all the machines to drop the traffic unless it's routed through the router. In other words, it doesn't matter where it comes from, but the machines will only listen to traffic coming in off the VPN subnet, and then only listen to that if it's being routed by the internal router. That keeps someone from being cute somehow and confusing the network by plugging something in with an IP address that's on the VPN subnet; since it wouldn't come via the internal router (VPN server), the machines would go "Uh, WTF?"

    • You'd think by now that people would go ahead and use WEP or WPA, but tunnel traffic over a VPN even to internal sites. That's what I do. While someone may be able to crack my WEP or WPA keys, all that gets them is the ability to access the VPN port on the router.

      That is because you truly take wireless security seriously where as 97% of the people do not. This is the ONLY proven way to secure wireless short of unpluging it. In such cases like this, all a hacker could do is DoS you, which is minor.

      • This is the ONLY proven way to secure wireless short of unpluging it.

        Silly me! I thought one-time pads were the only proven way to secure a wireless network. :P

    • Re: (Score:3, Informative)

      by walt-sjc ( 145127 )
      I don't bother with wep at all. My AP is wide open, and connects to a dedicated interface on my gateway server. Similar to your setup, the only ports open on that interface are for VPN - other than that it's stealth. No point in the additional encryption that just slows things down without proividing any real security.

    • I don't even bother with WEP or WPA - I figure it'll just slow things down. My home wireless router is running OpenWRT, so setting up WPA is an ass-ache anyway. I MAC-locked the wireless to keep the drooling masses from connecting (clueless neighbors, etc.) If the client has a correct MAC, they can get an address from DHCP and talk to my OpenVPN port. That's all. If someone were determined to DoS me, they certainly could do so in this arrangement, but then you can DoS wifi even if it's running WEP or WPA, t
  • Some corrections (Score:5, Informative)

    by Anonymous Coward on Friday September 01, 2006 @11:48PM (#16028602)
    The "2000 bit passkey" is really the disk encryption keys for loop-aes. See http://loop-aes.sourceforge.net/loop-AES.README [sourceforge.net] . They are longer than 2000 bits.

    The disk encryption keys are stored on USB and decrypted via passphrase (key encryption key) using a custom init process that mounts the encrypted loop-aes disk(s) and does the pivot_root / exec init into the target. This gives you full disk encryption booting from a trusted read-only kernel+initrd iso image. (or hdd bootloader)

    The "instant off" is the key zeroisation mechanism where loop-aes keys (rotated in memory) are flushed and the disks are now inaccesible. A reboot and passphrase auth with USB key device present is then required to get back to a working state.

    The use of 8 radios means most of them are in monitor mode attached to different antennas. There are two amplified cards (1W teletronics in line) which can be used for injection / active attacks, but 2 transmitting radios is about the limit practically speaking due to 802.11MAC / CSCA.

    The WPA/WPA2 cracking references WPA-PSK dictionary attacks / cowpatty speedup via the Padlock hash engine SHA1 instruction. This gives you about a 10-20x increase in dictionary attack throughput but is still slow compared to most attacks. Many other kernel functions (loop-aes, IPsec, entropy in /dev/random) and user space applications (openssl, openvpn) are also tweaked to utilize the padlock core described here: http://www.via.com.tw/en/initiatives/padlock/hardw are.jsp [via.com.tw] . Montgomery multiplication offload is still in the works...

    [The "breaking SHA1 and RSA encryption in a single processor instruction cycle" line appears to confuse the implementation of these primitives (SHA1/MontMult) in a single instruction. These are not cracked by a single instruction.]

    The comment about government sales is likely due to the fact that this system is well over FCC EIRP limits, thus restricting commercial sales to military or emergency services.

    Additional images here:
    http://s103.photobucket.com/albums/m127/coderman42 /?action=view&current=janusbox.jpg&refPage=&imgAnc h=imgAnch3 [photobucket.com]
    http://s103.photobucket.com/albums/m127/coderman42 /?action=view&current=janusbox-dev.jpg&refPage=&im gAnch=imgAnch2 [photobucket.com]
    • by tritox ( 902804 )
      Anonymous Coward AKA Kyle Williams
    • by dch24 ( 904899 )
      Okay, this is one of the most informative posts ever. People are thinking this is Williams, the original guy who built the box (even though the thread [slashdot.org] credits someone else).

      I don't see how that post could be modded overrated. If I get modded troll and otherwise ignored...
      • i don't know who suggested/queued the original article intro posted by Zonk. i am involved on the software side and posted the anonymous corrections (prior to recovering this long idle acct) since neither Kyle nor myself were contacted prior to publication to verify technical details in content as evidenced by the couple of mis-quoted or mis-interpreted points above.

        or perhaps this is all an elaborate rouse designed to make you think in that direction... ;)
  • Article Summary (Score:1, Insightful)

    by Anonymous Coward
    Basically: Don't use "pencil" as WEP password.
  • first I code named it Preparation H. V2 is called the Allen Parson's Project.
  • by Ec|ipse ( 52 ) on Saturday September 02, 2006 @12:09AM (#16028636)
    FYI, it's a Pelican box, I have several that I use for SCUBA diving.
    • by kop ( 122772 )
      Well I wish you lots of succes traveling with your equipment now.
      You must be some kind of terrorist with all these snazzy little yellow boxes.
  • SSID="linksys" (or SSID="default")
    • by t1n0m3n ( 966914 )
      I use "linksys" as my SSID for my honeypot network. It confuses the security accessment teams that scan our networks. Quite funny at assessment reporting time.
  • 283 * 0 = 0 (Score:4, Interesting)

    by Doc Ruby ( 173196 ) on Saturday September 02, 2006 @12:33AM (#16028691) Homepage Journal
    The WiFi bandwidth has 17 data channels, each of which can be controlled by only one network at one time. How can a single node sniff more than 17 networks simultaneously.
    • by misleb ( 129952 )
      17 theoretical channels, but only 11 are used in the US. As for sniffing multiple networks on the same channel, it is possible if they are far enough apart and you are between them. You could pick up both as long as they didn't happen to send a packet at the same time. But 300 distinct networks at a single location? Seems far fetched to me.
      • Re: (Score:3, Informative)

        by anethema ( 99553 )
        Actually, while 11 channels are claimed, there really are only 3.

        1, 6, 11.

        Any other channels are just varying degrees of overlap with these 3.
  • Original Post (Score:1, Redundant)

    by Columcille ( 88542 ) *
    The link above is to a blog which links to a blog which links to... It seems the original info came from http://www.tgdaily.com/2006/08/30/defcon2006_janus _project/ [tgdaily.com] more info is available there than at the site linked at parent.
    • Re: (Score:1, Redundant)

      by Columcille ( 88542 ) *
      okay I am an idiot, I overlooked that parent does indeed include the tgdaily link at the end. Moderators... hit me hard.
  • I'm skeptical. If all you had to do to recieve faint signals was to amplify the antenna, then everyone would do it and you'd have awesome range without needing to increase the signal strength. But it doesn't work like that. The higher the gain, the more noise you get. And with all those people broadcasting on overlapping channels along with normal interferrence, noise is exactly what you're going to get.
  • The K9 version of this project will lack the J in the beginning for sniffing.
  • Let the wardriving games commence.
  • So what exactly does he do with all those purloined keys?

    I employ two of three possible methods to secure my network, MAC filters and WPA keys. So I was thinking, how does this deal with MAC filters. Then it came to me that the first two octets of the MAC are easy - Intel has a pretty big lock on wireless, as does Broadcom. So that's 65,535 fewer combinations to look for. But where it gets interesting is in the last four octets. That leaves 4,294,967,296 possible combinations. Not that you couldn't brute
    • Presumably they just wait until someone else joins the network, listen to their MAC address, and use that. Since it's a bus network, it isn't even always obvious when you have two conflicting MACs.
  • Drop the leading letter off the name of your project then it would be funny.

Veni, Vidi, VISA: I came, I saw, I did a little shopping.

Working...