Update: Wireless LAN: sales of equipment used without permission. Regarding reports of managers being arrested for aiding a violation of the Radio Law (opening a wireless station without permission) (Breaking news)

Try the GSKY GS-27USB, a device that is a big hit in China and provides free internet for life


First published November 5, 2009, Ikeriri★Network Service, Megumi Takeshita http://www.ikeriri.ne.jp/
Partially updated September 24, 2010 Ikeriri★Network Service Megumi Takeshita




GSKY GS-27USB packages



G-SKY USB Adapter 70 model

(1) Introduction
Analyzing the WEP key and using a third party's network without permission is prohibited by law. In addition, the AirPcap Classic and AirPcap TX from Riverbed (CACE) Inc. have already obtained TELEC certification in Japan. Other products may violate the Radio Law depending on how they are used.

Updated: June 14, 2011. A Mainichi Shimbun article (→ see also the Sankei Shimbun article and the Slashdot article) is headlined "Wireless LAN: Managers arrested for selling equipment used without permission in Osaka." It says: "We have begun searching several homes, including this electronics store, on suspicion of aiding a violation of the Radio Act (opening a wireless station without permission). We are voluntarily interviewing several store managers and others, and as soon as the suspicions are solidified, we plan to arrest them on the same charges. The purchaser of the equipment will also be prosecuted on suspicion of violating the same law."

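●To customers of Ikeriri★Network Service
First, we have a question from a customer. The AirPcap series that our company sells is equipment used for wireless LAN troubleshooting and problem solving, and it has obtained TELEC (technical conformity) certification. There is no problem whatsoever with using it for investigations, site surveys, design, and construction at telecom companies, integrators, and user companies. Please rest assured. Furthermore, there is no problem at all with equipment that does not transmit radio waves and is used mainly for reception.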

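●To engineers who work with wireless and to amateur radio operators
As someone who works on security and wireless networks with a focus on packet capture technology, I can understand an arrest under the Unauthorized Computer Access Law (Act on Prohibition of Unauthorized Computer Access), not to mention for "computer fraud (Penal Code Article 246-2)" or "obstruction of business by damaging a computer (Penal Code Article 234-2)". However, the fact that an arrest was made for "aiding a violation of the Radio Law (opening a wireless station without permission)", which can be called a separate matter, leaves me greatly surprised and afraid. For example, people who use amateur radio equipment that is still at the preparation stage and has not yet obtained technical conformity certification (home-built transmitters), or who use overseas mobile phones and wireless devices, are now at risk of being prosecuted.
Carriers such as NTT/KDDI/SoftBank and the major network integrators can presumably rely on their legal departments and lawyers. For small businesses and individuals, however, I recommend the following as first steps:
(1) For equipment that has not obtained technical conformity certification, remove the antenna, transmit only inside an anechoic chamber, and otherwise use it for reception only.
(2) Keep proper evidence (with as much evidentiary value as possible) proving that the purpose is not "free-riding on wireless LAN" but customer investigations, site surveys, amateur radio operations, and so on.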

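This is Takeshita of Ikeriri★Network Service. I obtained the much-discussed "LAN adapter with analysis software that makes the Internet free for life", which has been covered not only in an article in PC Watch, the Akihabara-oriented media outlet, but also in an article in Nikkei Trendy. It is the G-SKY WIRELESS USB Adapter, a wireless LAN adapter with a very strong cracker flavor. I evaluated it, including a comparison with the AirPcap series of wireless LAN capture dongles that our company sells.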

(2) What the adapter that makes the Internet free for life really is
This product is introduced as a matter of course on Chinese IT sites and is hugely popular, but the manufacturer is G-Sky Inc. of Taiwan. The device name was given as "G-SKY WIRELESS USB Adapter (GSKY GS-27USB)", but its official product name is probably "High Power 802.11b/g USB Adapter / GS-27USB-50" (top left in the photo). In addition, we also discovered the "High Power 802.11b/g USB Adapter / GS-27USB-70", which is integrated with the antenna (bottom left in the photo).

(3) Features of G-SKY WIRELESS USB Adapter
I think the first major feature of this product is its output. While normal wireless LAN devices only have an output of about 10mW, the G-SKY has an output of 50mW, five times that amount. The chip is the RTL8187, made by Realtek, but it is Prism-based, which makes it easy to recognize on Linux. The antenna connector is a mini-sized terminal (a much smaller version of the M terminal), and the unit comes with a brown antenna that appears to bend 90 degrees to stand vertically. Looking at the same site, there also seems to be a product with an output of 70mW and a flat antenna attached.

(4) A BACKTRACK3 bootable CD is included
The accessories are the main unit, a brown antenna, a USB cable, an 8cm driver CD (Realtek's device driver), and, probably the most important feature of this product, a bootable CD of "BACKTRACK3", a Linux distribution dedicated to hacking and security research that includes a WEP analysis tool. In a way that seems typical of an Asian product, it is a plain blank CD in a transparent sleeve that looks as if it was put into the product box afterwards, and I did not understand what it was at first. This is probably the world's first wireless LAN adapter bundled with a cracking tool.
G-Sky's OUI (Organizationally Unique Identifier) is 00-E-4C

BACKTRACK3 at startup

*Note 1
According to Japan's Radio Law, the output (transmission output) limit for wireless LAN is 10mW in the ISM band (2.4GHz band), which can be used without a license. Reception does not matter.

*Note 2
A professional amateur radio can transmit an output of 1kW (referred to in the amateur industry as kilowatts), which is several hundred times more than this. By the way, the output is comparable to that of a local TV relay station in the countryside of Kagoshima. It's very bad for your health, so the antenna power I use for amateur radio is about 5W at most. Note that it is still 10 times more expensive than G-SKY. The antenna is also important because the gain of radio waves is proportional to the height and attenuated inversely proportional to the square of the output.

*Note 3
Similarly, mobile phones have a smaller output, but carriers such as Docomo, AU, and Softbank pay an annual radio wave usage fee of 500 yen.

Manual written in English: how to use the tool from beginning to end
After startup, select the NIC type and operation mode
Screen while searching for APs (less information compared to Kismet etc.)
Attack method selection screen: select the key length from undefined/64/128

(5) Try it!
Analyzing the WEP key and using a third party's network without permission is prohibited by law. AirPcap Classic and AirPcap TX have obtained TELEC certification in Japan. Other products may violate the Radio Law depending on how they are used. This evaluation was carried out in a test environment.

Well, I immediately booted up Linux and noticed something. What showed up during device detection was a Prism chip, which is regarded in the industry as a lucky find in a wireless LAN card. Wireless LAN adapters that use Prism chips can easily be set to monitor mode (a state in which they can capture other stations' frames) on Linux. The adapter is recognized as WLAN0 and BACKTRACK3 starts up. As written in the manual, after startup, open a terminal and enter spoonwep at the shell. The GUI "SpoonWEP 2 / WEP Finder / SharmanVirtual" then starts up as shown on the screen.


After using it, I found out that this tool launches the old Aircrack (Aircrack-ng) behind a GUI front end written in Java. When you scan, just as with Aircrack or Kismet, you can check the list of access points, their MAC addresses, whether WEP is present (TKIP/WPA is also shown as WEP, so perhaps it only looks at the WEP bit of the control frame?), the output, whether data frames are present, and so on. After searching while changing channels here, click Selection OK. The next tab, "ATTACK PANEL" (which looks like a suspicious tool), then opens. The attack is chosen from a pull-down list.
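For auditing your own access points, the remark above that TKIP/WPA networks are listed as WEP matters: the Privacy bit alone cannot tell them apart, so a survey script has to read the RSN and WPA information elements as well. The following is an added example, not code from the original page or from SpoonWEP; the function names and the sample beacon bodies are constructed for illustration.

```python
import struct

PRIVACY_BIT = 0x0010                           # "Privacy" flag in Capability Information
WPA_VENDOR_PREFIX = bytes.fromhex("0050f201")  # vendor IE: OUI 00:50:F2, type 1 = WPA
RSN_TAG, VENDOR_TAG = 48, 221                  # an RSN element means WPA2

def iter_elements(data):
    """Yield (tag, value) per information element; stop at a truncated one."""
    pos = 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) < length:
            return
        yield tag, value
        pos += 2 + length

def privacy_bit_only(body):
    """Naive view: anything with the Privacy bit set is reported as WEP."""
    capability = struct.unpack_from("<H", body, 10)[0]
    return "WEP" if capability & PRIVACY_BIT else "Open"

def classify_beacon(body):
    """Classify a beacon frame body (the bytes after the 24-byte MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    capability = struct.unpack_from("<H", body, 10)[0]
    tags = {}
    for tag, value in iter_elements(body[12:]):
        tags.setdefault(tag, []).append(value)
    if RSN_TAG in tags:
        return "WPA2"
    if any(v.startswith(WPA_VENDOR_PREFIX) for v in tags.get(VENDOR_TAG, [])):
        return "WPA"
    return "WEP" if capability & PRIVACY_BIT else "Open"

def make_beacon(ssid, capability, extra=b""):
    """Constructed sample: timestamp, interval, capability, SSID element, extras."""
    return struct.pack("<QHH", 0, 100, capability) + bytes([0, len(ssid)]) + ssid + extra

# Constructed information elements (minimal but well-formed)
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
WPA_IE = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")
SAMPLES = {
    "open-cafe": make_beacon(b"open-cafe", 0x0001),
    "legacy-wep": make_beacon(b"legacy-wep", 0x0011),
    "tkip-wpa": make_beacon(b"tkip-wpa", 0x0011, WPA_IE),
    "office-wpa2": make_beacon(b"office-wpa2", 0x0011, RSN_IE),
}

def wep_networks(samples):
    """Return the names whose beacons advertise WEP only (candidates for migration)."""
    return sorted(n for n, b in samples.items() if classify_beacon(b) == "WEP")
```

`wep_networks(SAMPLES)` lists only the network that still needs to be moved to WPA/WPA2, whereas `privacy_bit_only` labels all three protected samples as WEP.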

There are four attack methods: ARP REPLAY ATTACK, P0841 REPLAY ATTACK, CHOPCHOP & FORGE ATTACK, and FRAGMENTATION & FORGE ATTACK. These attacks seem to target only WEP, and they are not the currently popular KoreK or TTY attacks. You can select the key length from 64/128/Auto in the pull-down list below. The software displayed the last discovered WEP key at the bottom of the screen.

Since the newer Aircrack-ng attacks are not included, this tool appears to support only Aircrack's WEP64/128 attacks (dictionary attacks and the like cannot be specified as options). It cannot detect a PSK (pre-shared key), such as the PSK used with TKIP or WPA-PSK (Home) in WPA1/WPA2.
The latest versions of Backtrack and Kali include the latest WPA2-compatible aircrack.

(6) What about packet capture?
Using the interface recognized as WLAN0, I captured packets with the Wireshark included in BACKTRACK3. The lower-layer header is displayed as a "Prism header", followed by the IEEE802.11 header. Since the physical layer is treated as Prism, the Radiotap header is not displayed, but information such as the channel can still be checked. Although I was able to capture the IEEE802.11 frame portion, my impression was that the accuracy and reliability of the physical layer information is questionable for professional and business use. On the other hand, recognition and packet capture in Monitor mode work on Linux without having to configure WLANCONFIG or driver settings in detail.
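When analysing a capture like the one described above, the link-layer type in the pcap file header tells you whether each packet starts with a Prism header, a Radiotap header, or the bare IEEE802.11 frame. The following is an added example, not code from the original page; the function names and sample bytes are constructed, and it assumes the plain fixed-size 144-byte Prism header.

```python
import struct

LINKTYPE_IEEE802_11 = 105            # bare 802.11 frame, no capture header
LINKTYPE_PRISM_HEADER = 119          # Prism monitor-mode header, then 802.11
LINKTYPE_IEEE802_11_RADIOTAP = 127   # Radiotap header, then 802.11
PRISM_HEADER_LEN = 144               # assumption: plain fixed-size Prism header

def pcap_linktype(global_header):
    """Read the link-layer type from a classic 24-byte pcap file header."""
    if len(global_header) < 24:
        raise ValueError("pcap global header is 24 bytes")
    magic = global_header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    return struct.unpack_from(endian + "I", global_header, 20)[0] & 0xFFFF

def dot11_offset(linktype, packet):
    """Return the offset at which the 802.11 MAC header starts in a packet."""
    if linktype == LINKTYPE_IEEE802_11:
        offset = 0
    elif linktype == LINKTYPE_PRISM_HEADER:
        offset = PRISM_HEADER_LEN
    elif linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        if len(packet) < 4:
            raise ValueError("truncated Radiotap header")
        offset = struct.unpack_from("<H", packet, 2)[0]  # it_len is little-endian
    else:
        raise ValueError("not an 802.11 capture: linktype %d" % linktype)
    if offset + 2 > len(packet):
        raise ValueError("packet shorter than its capture header")
    return offset

def frame_kind(linktype, packet):
    """Return (type name, subtype) from the first Frame Control byte."""
    fc = packet[dot11_offset(linktype, packet)]
    names = ("management", "control", "data", "extension")
    return names[(fc >> 2) & 0x3], fc >> 4

# Constructed samples: a beacon (type 0, subtype 8) behind each kind of header
BEACON = b"\x80\x00" + bytes(22)
PRISM_PACKET = bytes(PRISM_HEADER_LEN) + BEACON
RADIOTAP_PACKET = b"\x00\x00\x08\x00\x00\x00\x00\x00" + BEACON
PRISM_PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 119)
```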

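My impression after trying the attack tool is that it is "an old tool from the WEP era". On a real wireless LAN, an attack that exploits the WEP vulnerability does not succeed unless you use a client that answers ARP REPLY to collect a large number of IVs in a short time (basically 10,000, but for detecting a WEP 128-bit key it feels more like 50,000-100,000). Access points that respond to attacks other than ARP REPLAY are already rare in Japan, so my impression is that the threat is low for now.
Furthermore, since the attack targets are realistically limited to WEP64/WEP128, I thought it cannot deal with wireless LAN environments that have migrated to TKIP/WPA. However, it is dangerous that an environment in which WEP can be decrypted straight from the tool is so readily available, simply by booting BACKTRACK3 from a bootable CD, without tinkering with WLANCFG on Linux or working on drivers. Naturally, it is to be expected that BACKTRACK4 and the like will be bundled in the future.
Also, given that this product is openly advertised and hugely popular in China, for WEP64/WEP128 I strongly recommend migrating to a TKIP or WPA1/WPA2 environment rather than changing keys and so on. (Megumi Takeshita @ Ikeriri★Network Service)
For inquiries, contact us here (SSL supported).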

When capturing packets, the Prism header is displayed at the physical layer.
IEEE802.11 management frames (beacons, etc.) were successfully acquired.
Comparison with the AirPcap Classic made by CACE in the US, which we handle

Comparison table between AirPcap and G-SKY USB