CHAPTER 9
Wireless Network Hacking
In this chapter you will learn about
• Identifying wireless network architecture and terminology
• Identifying wireless network types and forms of authentication
• Describing WEP and WPA wireless encryption
• Identifying wireless hacking methods and tools
• Defining Bluetooth hacking methods
When I was a youngster, I remember one of my favorite places to run to in the local Wal-Mart was the automotive aisles. In addition to all the great stuff I could dream about saddling a car down with, they also had “police” scanners out in the open, for anyone to play with. I would scan the waves listening for police chases and picking up all sorts of great information. One day, I was flipping through the channels and heard someone say “Wal-Mart.” I flipped back and discovered I was on the same channel the Wal-Mart folks were using for in-store communication. I locked it, turned the speakers up loud, and listened from afar as the store clerks wandered around, laughing at all the fun as they tried to figure out what they were hearing.
Maybe it’s not the wireless hack of my life, but it was my first—and I didn’t even realize that’s what it was called. See, back in the early 80’s, that’s all wireless hacking could be—telephone, CB, and other voice items. Today, though, we’ve got worlds of wireless to discover and play with.
Admit it—you’re hooked on wireless. I can say that with some degree of certainty because statistics tell me the chances are better than not that you’re communicating wirelessly right now, as you’re reading this chapter. Maybe you’ve got your laptop right there, tied in to your home network, or you’re sitting at some coffee shop (trying to look really smart). Maybe you’ve even got one of those blinking things stuck in your ear, communicating over Bluetooth with your cell phone. And if you’re doing neither right now, I’d bet your network at home is still chirping away, even though you’re not there to use it, right? Surely you didn’t shut it all down before you left for the day.
Look at virtually any study on wireless usage statistics in the United States and you’ll find we simply can’t live without wireless anymore. We use it at home, with wireless routers and access points becoming just as ubiquitous as refrigerators and toasters. We expect it when we travel, using hotspot access at airports, hotels, and coffee shops. We use wireless keyboards, mice, and virtually anything else we can point at and click (ceiling fan remote controls are all the rage now, don’t you know). We have our vehicles tied to cell phones, our cell phones tied to Bluetooth ear receivers, and satellite beaming television to our homes. Heck, we’re sometimes even beaming GPS information from our dogs.
Wireless is here to stay, and what a benefit it is to the world. The freedom and ease of use with this medium is wonderful and, truly, is changing our society day by day. However, along with that we have to use a little caution. If data is sent over the airwaves, it can be received over the airwaves—by anyone. Maybe not in clear text, and maybe not easily discernable, but it can be received. Therefore, we need to explore the means of securing our data and preventing accidental spillage. And that, dear reader, is what this chapter is all about.
Wireless 101
Although it’s important to remember that any discussion on wireless should include all wireless mediums (phones, keyboards, and so on), this section is going to focus primarily on wireless data networking. I’m not saying you should forget the rest of the wireless world—far from it. In the real world you’ll find as many, if not more, hacking opportunities outside the actual wireless world network. What we do want to spend the vast majority of our time on, however, are those that are testable issues. And, because EC-Council has defined the objectives this way, we will follow suit.
Network Architecture and Standards
A wireless network is built with the same concerns as any other media you decide to use. You have to figure out the physical makeup of the transmitter and receiver (NIC), and how they talk to one another. There has to be some order imposed on how clients communicate, to avoid collisions and useless chatter. There also must be rules for authentication, data transfer, size of packets, and so on. In the wireless data world, these are all defined with standards, known as the 802.11 series. Although you probably won’t get more than a couple of questions on your exam referencing the standards themselves, you still need to know what they are and basic details about them. These standards are summarized in the following table:
| Wireless Standard | Operating Speed (Mbps) | Frequency (GHz) |
| 802.11a | 54 | 5 |
| 802.11b | 11 | 2.4 |
| 802.11g | 54 | 2.4 |
| 802.11n | 100 + | 2.4–5 |
| NOTE A couple of other standards you may see referenced are 802.11i and 802.16. 802.11i is an amendment to the original 802.11 series standard and specifies security mechanisms for use on the WLAN (wireless LAN). 802.16 was written for the global development of broadband wireless metropolitan area networks. Referred to as “WiMax,” it provides speeds up to 40Mbps, and is moving toward gigabit speed. |
Lastly, I have to at least mention the terms 3G, 4G, and Bluetooth. 3G and 4G refer to third- and fourth-generation mobile telecommunications, respectively, and offer broadband-type speeds for data usage on mobile devices (cell phones and such). The actual technology behind these transmission standards is tweaked from mobile carrier to mobile carrier—so unlike a wireless NIC complying with 802.11g working with any manufacturer’s access point with the same standard, one company’s devices may not work with another’s on 3G or 4G. Bluetooth refers to a very open wireless technology for data exchange over a relatively short range (10 meters or less). It was designed originally as a means to reduce cabling, but has become a veritable necessity for cell phones and other mobile devices. We’ll delve more into Bluetooth, and all the standards, as we move through the chapter.
As for a basic wireless network setup, you’re probably already well aware of how it’s done. There are two main modes a wireless network can operate in. The first is “ad hoc,” which is much like the old point-to-point networks in the good old days. In ad hoc mode, your system connects directly to another system, as if a cable were strung between the two. Generally speaking, you shouldn’t see ad hoc networks appearing very often, but park yourself in any open arena (such as an airport or bus station) and see how many pop up.
Infrastructure mode is the one most networks are set up as and the one you’ll most likely be hacking. Whereas ad hoc connects each system one to another, infrastructure makes use of an access point (AP) to funnel all wireless connections through. A wireless access point is set up to connect with a link to the outside world (usually some kind of broadband router). This is an important consideration when you think about it—wireless devices are usually on completely different subnets than their wired cousins. If you remember our discussion on broadcast and collision domains, you’ll see quickly why this is important to know up front.
Clients connect to the access point using wireless NICs—if the access point is within range and the device understands what it takes to connect, it is allowed access to the network. Wireless networks can consist of a single access point or multiple ones, thus creating overlapping “cells” and allowing a user to roam freely without losing connectivity. This is also a very important consideration when we get to generating wireless packets later on in this chapter. The client needs to “associate” with an access point first, then “disassociate” when it moves to the next one. This dropping and reconnecting will prove vital later on, trust me.
We should probably pause here for a brief introduction to a couple of terms. Keep in mind these may not necessarily be testable items as far as EC-Council is concerned, but I think they’re important nonetheless. When you have a single access point, its “footprint” is called a BSA (basic service area). Communications between this single AP and its clients is known as a BSS (basic service set). Suppose, though, you want to extend the range of your network by adding multiple access points. You’ll need to make sure the channels are set right, and after it’s set up, you will have created an ESS (extended service set). As a client moves from one AP in your subnet to another, so long as you’ve configured everything correctly, they’ll disassociate from one AP and (re)associate with another seamlessly. This movement across multiple APs within a single ESS is known as roaming. Okay, enough vocabulary. Time to move on.
Another consideration to bring up here deals with the access points and the antennas they use. It may seem like a weird (and crazy) thing to discuss physical security concerns with wireless networks, because by design they’re accessible from anywhere in the coverage area. However, that’s exactly the point: Many people don’t consider it and it winds up costing them dearly. Most standard APs use an omnidirectional antenna, which means the signal emanates from the antenna in equal strength 360 degrees from the source. If you were to, say, install your AP in the corner of a building, three-quarters of your signal strength is lost to the parking lot. And the guy sitting out in the car hacking your network will be very pleased by this.
Hide and Seek
One of the greatest benefits to wireless technologies is always a huge problem for incident responders in IT security—mobility. Wireless laptops in an enterprise network are great—you can move from presentation room to presentation room, from building to building, and never lose connectivity. It’s fantastic from a productivity standpoint, and here at Kennedy Space Center, it’s not just a nice convenience, it’s darn-near a requirement for some folks. But imagine the poor incident response staff (me) trying to track down a malware-infected laptop on the move across multiple buildings in a campus.
Thankfully, we have some eyes to help us on this. Much like other enterprise networks, inside and outside of government, our IT security staff watches all sorts of traffic and behaviors on the network. One nice little feature we have is a “heat signature” for our mobile clients. It’s not overly long or technically complicated, and it’s probably done 100 ways on 100 different networks, but the short of it is we can track a machine’s location on the network using its association and IP logs (that is, its “heat” signature). Much like the Predator aliens in Arnold Schwarzenegger’s movie, when I get the word on a malware-infected client, I can watch where he is and where he’s going, thus helping me to zoom in on my target.
A better option may be to use a directional antenna, also sometimes known as a “Yagi” antenna. Directional antennas allow you to focus the signal in a specific direction, which greatly increases signal strength and distance. The benefit is obvious in protecting against the guy out in the parking lot. However, keep in mind this signal is now greatly increased in strength and distance—so you may find that the guy will simply drive from his corner parking spot close to the AP to the other side of the building, where you’re blasting wireless out the windows. The point is, wireless network design needs to take into account not only the type of antenna used, but where it is placed and what is set up to contain or corral the signal. The last thing you want is for some kid with a Pringles can a block away tapping into your network. The so-called “cantenna” is very real, and can boost signals amazingly. Check out Figure 9-1 for some antenna examples.
| NOTE A Yagi antenna is merely one type of directional antenna. However, its name is used as a euphemism for all directional antennas—almost like the brand Coke is used a lot in the South to indicate soda. I’m not sure why that is, but I suspect it’s because people just like saying “Yagi.” |
Figure 9-1 Wireless antennas
Other antennas you can use are dipole and parabolic grid. Dipole antennas have, quite obviously, two signal “towers” and work omnidirectionally. Parabolic grid antennas are one type of directional antenna and work a lot like satellite dishes. They can have phenomenal range (up to 10 miles), but aren’t in use much. Another directional antenna type is the loop antenna, which looks like a circle. And, in case you were wondering, a Pringles can will work as a directional antenna. Google it and you’ll see what I mean.
So you’ve installed a wireless access point and created a network for clients to connect to. To identify this network to clients who may be interested in joining, you’ll need to assign an SSID, or Service Set Identifier. The SSID is not a password, and provides no security at all for your network. It is simply a text word (32 characters or less) that identifies your wireless network. SSIDs are broadcast by default and are easily obtainable even if you try to turn off the broadcast (in an effort dubbed “SSID cloaking”). The SSID is part of the header on every packet, so its discovery by a determined attacker is a given and securing it is virtually a moot point.
| EXAM TIP If you see a question on wireless security, you can ignore any answer with SSID in it. Remember that SSIDs do nothing for security, other than identify which network you’re on. Encryption standards, such as WEP and WPA, and physical concerns (placement of APs and antennas used) are your security features. |
Once the AP is up and a client comes wandering by, it’s time to authenticate so an IP address can be pulled. Wireless authentication can happen in more than a few ways, from the simplistic to the very complicated. A client can simply send an 802.11 authentication frame with the appropriate SSID to an AP, and have it answer with a verification frame. Or, the client might participate in a challenge/request scenario, with the AP verifying a decrypted “key” for authentication. Or, in yet another twist, you may even tie the whole thing together with an authentication server (Radius), forcing the client into an even more complicated authentication scenario. The key here is to remember there is a difference between association and authentication. Association is the action of a client connecting to an AP, whereas authentication actually identifies the client before it can access anything on the network.
Lastly, after everything is set up and engineered appropriately, you’ll want to take some steps toward security. This may seem a laughable concept, because the media is open and accessible to anyone within range of the AP, but there are some alternatives available for security. Some are better than others, but as the old saying goes, some security is better than none at all.
There are a host of wireless encryption topics and definitions to cover. I briefly toyed with an exhaustive romp through all of them, but decided against it after thinking about what you really need to know for the exam. Therefore, I’ll leave some of the “in-the-weeds” stuff for another discussion, and many of the definitions to the glossary, and just stick with the big three here: WEP, WPA, and WPA-2.
WEP stands for Wired Equivalent Privacy and, in effect, doesn’t really encrypt anything. Now I know you purists are jumping up and down screaming about WEP’s 40- to 232-bit keys, yelling that RC4 is an encryption algorithm, and questioning whether a guy from Alabama should even be writing a book at all. But trust me, it’s not what WEP was intended for. Yes, “encryption” is part of the deal, but WEP was never intended to fully protect your data. It was designed to give people using a wireless network the same level of protection someone surfing over an Ethernet wired hub would expect: If I were on a hub, I wouldn’t expect that the guy in the parking lot could read what I send and receive because he wouldn’t have physical access to the wire.
Now think about that for a moment—wired equivalent privacy. Do you consider a hub secure? Granted, it’s harder than sitting out in the hallway with an antenna and picking up signals without even entering the room, but does it really provide anything other than a discouragement to casual browsers? Of course not, and so long as it’s implemented that way, no one can be upset about it.
WEP uses something called an initialization vector (IV) and, per its definition, provides for confidentiality and integrity. It calculates a 32-bit integrity check value (ICV) and appends it to the end of the data payload and then provides a 24-bit IV, which is combined with a key to be input into an RC4 algorithm. The “keystream” created by the algorithm is encrypted by an XOR operation and combined with the ICV to produce “encrypted” data. Although this all sounds well and good, it has one giant glaring flaw: It’s ridiculously easy to crack.
Enough to Do the Job
So let’s get this out of the way first: Per EC-Council and every other organization providing hacking guidelines and information, WEP is not a secure protocol. When it comes to your exam and when you’re advising business clients on the job, WEP is never a good choice. But what about at home—is it good enough for your personal wireless network?
For 99 percent of the populace out there, WEP makes a good choice. Worried about random people driving by and picking up packets? WEP is good enough. Worried about stopping your creepy neighbor next door from using your network? WEP is good enough. In fact, outside of stopping the 15-year-old scriptkiddie hacker who is bored and has nothing better to do, you’re secure. And, if you’re really that worried about it, why not just change the keys out every so often? Combine this with turning off DHCP as well as stopping SSID broadcast and/or MAC filtering, and you’re in good shape. Unless, of course, your neighborhood is filled with elite, state-funded hackers with an active interest in your Facebook login.
Once again, this is written with reality and your home network in mind. Turning off broadcast SSID, using MAC filtering, and implementing WEP are not the best choices by themselves on your exam. For your test, remember WPA-2 is best, SSID is sent in every packet anyway, and MAC filtering can be overcome by spoofing.
WEP’s initialization vectors are relatively small and, for the most part, get reused pretty frequently. Additionally, they’re sent in clear text as part of the header. When you add this to the fact that we all know the cipher used (RC4) and that it wasn’t ever really designed for more than one-time usage, cracking becomes a matter of time and patience. An attacker simply needs to generate enough packets in order to analyze the IVs and come up with the key used. This allows him to decrypt the WEP shared key on the fly, in real time, and renders the encryption useless.
| EXAM TIP Attackers can get APs to generate bunches of packets by sending disassociate messages. These aren’t authenticated by any means, so the resulting barrage of “Please associate with me” packets are more than enough for the attack. Another option would be to use ARP to generate packets. |
A better choice in encryption technology is WPA (Wi-Fi Protected Access) or WPA-2. WPA makes use of something called TKIP (Temporal Key Integrity Protocol), a 128-bit key, and the client’s MAC address to accomplish much stronger encryption. The short of it is, WPA changes the key out (hence the “temporal” part of the name) every 10,000 packets or so, instead of sticking with one and reusing it, as WEP does. Additionally, the keys are transferred back and forth during an EAP (Extensible Authentication Protocol) authentication session, which makes use of a four-step handshake process to prove the client belongs to the AP, and vice versa.
Weird Science
I’m sure you’ve seen your share of mathematical tomfoolery that appears to be “magic” or some Jedi mind trick. These usually start out with something like “Pick a number between 1 and 10. Add 13. Divide by 2,” and so on, until the number you picked is arrived at. Magic, right? Well, I’ve got one here for you that is actually relevant to our discussion on WEP cracking.
In the world of probability, there is a principle known as the “birthday problem.” The idea is that if you have a group of at least 23 random people, the odds are that two of them will share the same birthday. There’s a lot of math here, but the short of it is if you have 366 people, the probability is 100 percent. However, drop the number of people down to just 57 and the probability only drops one percentage point. Therefore, next time you’re in a big group of people, you can probably win a bet that at least two of them share the same day as a birthday.
So just how is this relevant to hacking? Well, the mathematics for this little anomaly led to a cryptographic attack called the birthday attack. The same principles of probability that’ll win you a drink at the bar applies to cracking hash functions. Or, in this case, WEP keys.
WPA-2 is much the same process; however, it was designed with the government and the enterprise in mind. You can tie EAP or a Radius server into the authentication side of WPA-2, allowing you to make use of Kerberos tickets and all sorts of additional goodies. Additionally, WPA-2 uses AES for encryption, ensuring FIPS 140-2 compliance—not to mention AES is just plain better.
Finding and Identifying Wireless Networks
Now that we’ve covered some of the more mundane, definition-style high-level things you’ll need to know, we need to spend a little time discussing how you might actually find a wireless network to hack. I realize, given the sheer numbers of wireless networks out there, that telling you we’re going to discuss how to find them sounds about as ridiculous as me saying we’re going to spend the rest of this chapter talking about how to find air, but trust me—I’m going somewhere with this.
We’re not talking about finding any wireless network—that’s too easy. If you don’t believe me, purchase a wireless router from your local store and plug it in next to a window in your upstairs room—I’d bet solid cash you’re going to see at least one of your neighbors’ networks broadcasting an SSID, and probably a bunch more. If that’s not enough for you, go buy a cup of coffee, take a flight somewhere, go to the mall, or buy a burger at the local fast-food joint. Chances are better than not they’re going to have a wireless network set up for your use.
| NOTE Another easy way of finding wireless networks is to make use of a service such as WIGLE (http://wigle.net). WIGLE users register with the site and use NetStumbler in their cars, with an antenna and a GPS device, to drive around and mark where wireless networks can be found. |
So, we’re obviously not talking about finding a wireless network for you to use. What we are hoping to cover here is how you can find the wireless network you’re looking for—the one that’s going to get your team inside the target and provide you access to all the goodies. Some of the methods and techniques we cover here may seem to be a waste of your time and, in a couple of cases, a bit on the silly side. Just keep in mind we’re talking about them because you’ll be tested on them, but also because you may need to employ them to find the one you’re looking for.
First up in our discussion of wireless network discovery are the “war” options. No matter which technique we’re talking about, the overall action is the same: An attacker travels around with a Wi-Fi–enabled laptop looking for open wireless access points/ networks. In war driving, the attacker is in a car. War walking has the attacker on foot. War flying? I’m betting you could guess it involves airplanes.
One other “war” definition of note you’ll definitely see hit on in the exam is “war chalking.” A war chalk is a symbol drawn somewhere in a public place indicating the presence of a wireless network. These can indicate free networks, hidden SSIDs, pay-for-use hotspots, and which encryption technique is in use. The basic war chalk involves two parentheses back to back. Added to this can be a key through the middle (indicating restricted Wi-Fi), a lock (indicating MAC filtering), and all sorts of extra entries. Some examples are shown in Figure 9-2.
Generally speaking, these aren’t much use to you in the real world; however, there are some things about them you might be very interested in. Usually the double parentheses will also have a word written above or below, which indicates the SSID or even the administrative password for the access point. Various other information (such as bandwidth) can be found written down as well—this depends totally on the chalk “artist” and what he feels like leaving. Additionally, as you can tell from our examples here, you may also find workarounds for pay sites, MAC addresses to clone, and all sorts of stuff you can use in hacking.
| EXAM TIP You will definitely need to know war chalking and its symbols for the exam. |
Figure 9-2 War chalking symbols
The Coolness Factor
Sometimes things catch on and sometimes they don’t, but every once in a while a fad finds its way into even the nerdiest of circles. War chalking as a fad amongst people who really needed or used it didn’t really last all that long, and probably hit its heyday sometime back when wireless hotspots were hard to come by. In 2002, it might have taken some driving around to find a wireless network to connect to and, if memory serves, everyone was trying to jack into the Internet for free.
War chalking, in a sort of weird ironic twist, actually turned into something more suited for marketers than a true hacking breakthrough. Sure, it was fun to think about secret messages, encoded “hobo-language” style that only the true nerds understood. But, alas, it didn’t continue in the same rush and fashion in which it started. That said, Mr. Paul Boutin, in an article on the subject some years ago, probably put it best: “War chalking, it seems, is so cool it doesn’t even matter if anyone is really doing it or not.”
Give me some big Crayola chalk. I’m headed out front right now.
(If you’re interested, the referenced article dealt with a store in San Francisco that actually benefitted from displaying their war chalk right in the front window: “Wi-Fi Users: Chalk This Way,” Paul Boutin, www.wired.com/gadgets/wireless/news/2002/07/53638.)
Another option in wireless network discovery is the use of a wide array of tools created for that very purpose. However, before we explore the tools you’ll see mentioned on your exam, it’s relevant at this point to talk about the wireless adapter itself. No matter how great the tool is, if the wireless adapter can’t pull the frames out of the air in the correct manner, all is lost. Some tools are built this way, and only work with certain chipset adapters—which can be very frustrating at times.
The answer for many in wireless hacking is to invest in an AirPcap dongle (www.cacetech.com)—a USB wireless adapter that offers all sorts of advantages and software support (see Figure 9-3). Sure it’s expensive, but it’s worth it. Barring this, you may need to research and download new and different drivers for your particular card. The mad-wifi project may be an answer for you (http://madwifi-project.org). At any rate, just keep in mind that, much like the ability of our wired adapters to use promiscuous mode for our sniffing efforts, discussed earlier in this book, not all wireless adapters are created equal, and not all will work with your favorite tool. Be sure to check the user guides and man pages for lists and tips on correctly configuring your adapters for use.
Figure 9-3 AirPcap USB
| NOTE Although people often expect any wireless card to do the trick, it simply won’t, and frustration begins before you ever get to sniffing traffic, much less hacking. I have it on very good authority that, in addition to those mentioned, Ubiquiti cards (www.ubnt.com/) may be the top-tier card in this realm. |
I’ve already made mention of WIGLE (http://wigle.net), and how teams of miscreant hackers have mapped out wireless network locations using GPS and a tool called NetStumbler (see Figure 9-4). NetStumbler (www.netstumbler.com), the tool employed in this endeavor, can be used for identifying poor coverage locations within an ESS, detecting interference causes, and finding any rogue access points in the network (we’ll talk about these later). It’s Windows-based, easy to use, and compatible with 802.11a, b, and g.
Figure 9-4 NetStumbler
Although it’s usually more of a wireless packet analyzer/sniffer, Kismet is another wireless discovery option. It works on Linux-based systems and, unlike NetStumbler, works passively, meaning it detects access points and clients without actually sending any packets. It can detect access points that have not been configured (and would then be susceptible to the default out-of-the-box admin password) and will determine which type of encryption you might be up against. You might also see two other interesting notables about Kismet on your exam: First, it works by “channel hopping,” to discover as many networks as possible and, second, it has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.
Another great network discovery tool is NetSurveyor (see Figure 9-5). This free, Windows-based tool provides many of the same features as NetStumbler and Kismet. Additionally, it supports almost all wireless adapters without any significant additional configuration—which is of great benefit to hackers who can’t afford, or don’t have, an AirPcap card. NetSurveyor acts as a great tool for troubleshooting and verifying proper installation of wireless networks. To try it out, simply download and install the tool, then run it. It will automatically find your wireless adapter and begin scanning. Click through the different menu options and check out all the information it finds without you needing to configure a thing!
Figure 9-5 NetSurveyor
Wireless Sniffing
Finally, although it technically has nothing to do with actually locating a network, we do need to cover some basics on wireless sniffing—and what better place to do it than right here, just after we’ve discovered a network or two to watch. Much about sniffing a wireless network is exactly the same as sniffing its wired counterpart. The same protocols and authentication standard weaknesses you looked for with Wireshark off that switch port are just as weak and vulnerable on wireless. Authentication information, passwords, and all sorts of information can be gleaned just from watching the air and, although you are certainly welcome to use Wireshark, a couple of tools can help you get the job done.
Just a few of the tools specifically made for wireless sniffing include some we’ve already talked about—NetStumbler and Kismet—and some that we haven’t seen yet, including OmniPeek, AirMagnet WiFi Analyzer Pro, and WiFi Pilot. Assuming you have a wireless adapter that is compatible and can watch things in promiscuous mode, OmniPeek is a fairly well-known and respected wireless sniffer. In addition to the same type of traffic analysis you would see in Wireshark, OmniPeek provides network activity status and monitoring in a nice dashboard for up-to-the-minute viewing.
AirMagnet WiFi Analyzer, from Fluke Networks, is an incredibly powerful sniffer, traffic analyzer, and all-around wireless network-auditing software suite. It can be used to resolve performance problems and automatically detect security threats and vulnerabilities. Per the company website (www.airmagnet.com/products/wifi_analyzer/), Air-Magnet includes the “only suite of active WLAN diagnostic tools, enabling network managers to easily test and diagnose dozens of common wireless network performance issues including throughput issues, connectivity issues, device conflicts and signal multipath problems.” And for you compliance paperwork junkies out there, AirMagnet also includes a compliance reporting engine that maps network information to requirements for compliance with policy and industry regulations.
| NOTE Although it’s not just a packet capture suite, don’t discount Cain and Abel. In addition to WEP cracking and other hacks, Cain can pull clear text passwords out of packet captures in real time, on wired or wireless networks. Just a thought. |
The point here isn’t to rehash everything we’ve already talked about regarding sniffing. What you need to get out of this is the knowledge that sniffing is beneficial to wired and wireless network attacks, and the ability to recognize the tools we’ve mentioned here. I toyed with the idea of including exercises for you to run through, but they would be totally dependent on your wireless adapter (and its compatibility with the tools), as well as the network(s) available for you to watch. Instead, I’m going to recommend you go out and download these tools. Most, if not all, are either free or have a great trial version for your use. Read the usage guides and determine your adapter compatibility, then fire them up and see what you can capture. You won’t necessarily gain much, exam-wise, by running them, but you will gain valuable experience for your “real” work.
Wireless Hacking
When it comes to hacking wireless networks, the truly great news is you probably won’t have much of it to do. The majority of networks have no security configured at all, and even those that do have security enabled don’t have it configured correctly. According to studies recently published by the likes of the International Telecommunications Union (ITU) and other equally impressive organizations, over half of all wireless networks don’t have any security configured at all, and of the remainder, nearly half could be hacked within a matter of seconds. If you think that’s good news for hackers, the follow-up news is even more exciting: Wireless communication is expected to grow tenfold within the next few years. Gentlemen, and ladies, start your engines.
Wireless Attacks
First things first: Wireless hacking does not need to be a complicated matter. Some very easy and simple attacks can be carried out with a minimum of technical knowledge and ability. Sure, there are some really groovy and, dare I say, elegant wireless hacks to be had, but don’t discount the easy ones. They will probably pay as many dividends as the ones that take hours to set up.
For example, take the concept of a rogue access point. The idea here is to place an access point of your own somewhere—heck, you can even put it outside in the bushes—and have legitimate users connect to your network instead of the original. Just consider the possibilities! If someone were to look at his wireless networks and connect to yours, because the signal strength is better or yours is free whereas the others are not, they basically sign over control to you. You could configure completely new DNS servers and have your AP configure them with the DHCP address offering. That would then route users to fake websites you create, providing opportunities to steal authentication information. Not to mention you could funnel everything through a packet capture.
Sometimes referred to as “evil twin,” an attack like this is incredibly easy to pull off. The only drawback is they’re sometime really easy to see, and you run a pretty substantial risk of discovery. You’ll just have to watch out for true security-minded professionals, because they’ll be on the lookout for rogue APs on a continual basis and (should) have plenty of tools available to help them do the job.
| NOTE Cisco is among the leaders in rogue access point detection technologies. Many of their access points can be configured to look for other access points in the same area. If they find one, they send SNMP or other messages back to administrators for action, if needed. The link here provides more information, in case you’re interested: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml. (Credit goes to our tech editor, Mr. Brad Horton, for this addition.) |
Don’t Try This at Home
Before I start this example, I must caution you, dear reader, not to attempt a setup like this unless a client has hired you explicitly to do so. This episode is here simply to demonstrate how it can be done, not as a blueprint for you to become a criminal. If you try something like this and wind up in court, which you will, don’t come crying to me saying this book was your reason for doing it. I’ve warned you. Okay, on with the show.
I saw, firsthand, how easy rogue access point attacks can be on a trip long, long ago. The team I was traveling with was composed of seasoned professionals who, if they weren’t the good guys, would be a scary group to have arrayed against you in the virtual world. We were staying in a well-known hotel chain that offered wireless, at a cost, to guests in the room. If you went downstairs, though, their business network was free. The SSIDs for the networks serving the guests were “hotel,” whereas the business network downstairs—the free one—was named “hotel_conf.” (I, of course, have changed the SSIDs here to protect the innocent, although if you’ve stayed in this particular chain, you’ll recognize them.)
I was chatting about wireless with one of our team members and he mentioned how easy rogue access points were. I, a novice to the game, asked for more knowledge and he showed me a setup that blew my mind. He had a wireless router you could purchase from any electronics store, and configured an SSID on it to read “hotel_conf.” Within a matter of a minute or so, literally, a dozen guests tried to connect to it, thinking they had somehow tapped into the free network downstairs and hoping to save a few bucks on Internet access. The DHCP service running on the AP not only gave out Internet access via the NAT working behind the scenes, but gave us—the attackers—a leg up: We knew the IP addresses and MACs already, and could’ve attacked them with anything in the arsenal. Anything. If this had been anything other than a five-minute lesson to a newbie in the field, those people may have had all sorts of information stolen from them.
| EXAM TIP Rogue APs (evil twins) may also be referenced as a “mis-association” attack. |
Another truly ridiculous attack is called the “ad hoc connection attack.” To be honest, it shouldn’t ever be successful, but after years in the security management business, I’ve seen users do some pretty wild things, so almost nothing surprises me anymore. An ad hoc connection attack occurs when an attacker simply sits down with a laptop somewhere in your building and advertises an ad hoc network from his laptop. Believe it or not, people will, eventually, connect to it. Yes, I know it’s tantamount to walking up to a user with a crossover cable in hand and asking, “Excuse me, would you please plug this in to your system’s NIC? The other end is in my computer and I’d like easy access to you.” But what can you do?
Another attack on the relatively easy side of the spectrum is the denial-of-service effort. This can be done in a couple of ways, neither of which is particularly difficult. First, you can use any number of tools to craft and send de-authenticate (disassociate) packets to clients of an AP, which will force them to drop their connections. Granted, they may try to immediately climb back aboard, but there’s nothing stopping you from performing the same action again.
The other easy DoS wireless attack is to jam the wireless signal altogether, using some type of jamming device and, usually, a high-gain antenna/amplifier. All wireless devices are susceptible to some form of jamming and/or interference—it’s simply a matter of placing enough signal out in the airwaves that the NICs can’t keep up. Tons of jammer options are available (a quick Google search on wireless jammers will show you around 450,000 pages on the subject), ranging from 802.11 networks to Bluetooth and other wireless networking technologies. No, the giant jar of jam used in the movie Spaceballs won’t work, but anything generating enough signals in a 2.4GHz range would definitely put a crimp in an 802.11b network.
| NOTE A cautionary note here: According to FCC rules and the Communication Act of 1934, marketing, selling, and/or using a jammer is a federal offense and can result in seriously nasty punishment. Want further proof? Check almost any electronic device in your house right now: There will be an FCC warning saying that it will not create interference and that it will accept all interference. |
MAC Spoofing
One defense wireless network administrators attempt to use is to enforce a MAC filter. Basically it’s a list of MAC addresses that are allowed to associate to the AP—if your wireless NIC’s address isn’t on the list, you’re denied access. The easy way around this is to monitor the network to figure out which MAC addresses are in use on the AP and simply spoof one of them. On a Unix/Linux machine, all you need do is log in as root, disable the interface, enter a new MAC, and re-enable the device:
ifconfig wlan0 down ifconfig wlan0 hw ether 0A:15:BD:1A:1B:1C ifconfig wlan0 up
Tons of tools are also available for MAC spoofing. A couple of the more easy-to-use ones are SMAC and TMAC. Both allow you to change the MAC address with just a couple of clicks and, once you’re done, to return things to normal with a click of the mouse. Check out both of these tools in Exercise 9-1.
Exercise 9-1: MAC Spoofing
MAC spoofing is a skill that’s relatively easy to learn and is applicable in several hacking applications across the spectrum. In this exercise, we’ll just stick with two tools—TMAC and SMAC. Here are the steps to follow:
1. Download and install SMAC (www.klcconsulting.net/smac/) and TMAC (www.technitium.com/tmac/index.html).
2. Open SMAC (see Figure 9-6). You may need to click Proceed if you have a trial or free version.
3. Click the Ipconfig button and scroll through to find your current MAC address. You could also open a command prompt and enter the ipconfig /all command to do the same thing.
4. Select an adapter from the list, then click the Random button just to the right of the New Spoofed MAC Address boxes. Note the new MAC generated here. You could also have typed in a MAC you know would work in a given network.
5. Click the Update MAC button. Note your adapter MAC address change in the window.
Figure 9-6 SMAC open screen
Figure 9-7 SMAC Screenshot
| NOTE Your adapter normally must be stopped and started again to make these types of changes. If you go to the Options menu in SMAC, you can set this to run automatically for you (see Figure 9-7). |
6. Click the Remove MAC button and close SMAC.
7. Open the TMAC tool (see Figure 9-8).
8. Click the Change MAC button at the bottom and type in a MAC address of your choosing (see Figure 9-9). Alternatively, you can use the Random MAC Address button.
Figure 9-8 TMAC open screen
Figure 9-9 TMAC screenshot
9. Ensure the Automatically Restart Network Connections check box is marked, and click the Change Now! button. Once again, verify the MAC address change with an ipconfig /all command.
10. Click the Original MAC button, then close the tool.
WEP Attacks
Cracking WEP is ridiculously easy and can be done with any number of tools. The idea revolves around generating enough packets to effectively guess the encryption key. The weak initialization vectors we discussed already are the key—specifically, the fact that they’re reused and sent in clear text. Regardless of the tool, the standard WEP attack follows the same basic series of steps:
1. Start a compatible wireless adapter on your attack machine and ensure it can both inject and sniff packets.
2. Start a sniffer to capture packets.
3. Use some method to force the creation of thousands and thousands of packets (generally by using “de-auth” packets).
4. Analyze these captured packets (either in real time or on the side) with a cracking tool.
We’ll go through a couple of different WEP attacks to give you an idea how this works. Obviously these will be different for your network and situation, so I’ll have to keep these examples generalized. If you get lost along the way, or something doesn’t seem to make sense, just check out any of the online videos you can find on WEP cracking.
Our first example uses Cain and Abel. In this example, we take a very easy pathway using a tool that makes the process almost too easy. One note of caution: Cain and Abel will not crack the codes as quickly as some other methods, and is somewhat picky about the adapter you use. I highly recommend using an AirPcap dongle if you want to try this out for yourself. Here are the steps to follow:
1. Fire up a compatible wireless adapter. For example, you could use an AirPcap card (which will also give you options in its configuration to set specifically for WEP cracking).
2. Open Cain and Abel, click on the wireless menu option, and select the AirPcap card.
3. Select the Hopping on BG Channel option from the Lock on Channel section, ensure the Capture WEP IVs box is checked (see Figure 9-10,), and then click the Passive Scan button.
4. Wait until the tool has collected at least one million packets, then click Stop (you can speed this up using a variety of tools or simply another adapter injecting anything you can think of).
5. Click on the Analyze button on the left.
6. Select the SSID you wish to crack and then click on the Korek’s Attack button. It will take some time—in most cases, a seriously long time—but eventually Cain will display the WEP key.
Figure 9-10 Cain and Abel
Our second example uses Aircrack-ng. In this case, we’re using a BackTrack installation, where wlan0 is your adapter. Your adapter may show up with a completely different name—simply replace it in the commands shown in the following steps.
1. Open the Konsole and change the MAC address of your adapter before starting:
airmon-ng stop wlan0 //Disable Airmon monitoring mode.
ifconfig wlan0 down //Disable the wireless interface.
macchanger --mac 00:11:22:33:44:55 wlan0 //Changes the MAC address. Not
completely necessary, but makes
things easier later.
ifconfig wlan0 up //Enable the adapter again.
airmon-ng start wlan0 //Enable Airmon monitoring again.
2. Capture wireless network information by typing airodump –ng wlan0. Save the information (BSSID and so on) for later. For use in this example, we’ll say your target network is named WNET, on channel 3, with a BSSID of 00:22:29:BC:75:4C.
3. Type airodump-ng –c 3 –w WNET - - bssid 00:22:29:BC:75:4C. This begins the capture of WEP cracking packets from the target network. Don’t close this shell—it must stay up and running (all packets are being captured to a “.cap” file).
4. Inject fake authentication packets to generate the packets you’ll need to crack WEP. To do this, type aireplay –ng -1 0 –a 00:22:29:BC:75:4C –h 00:11:22:33:44:55 wlan0. You can also accomplish this by sending ARP replays (by typing aireplay-ng -3 0 –b 00:22:29:BC:75:4C –h 00:11:22:33:44:55 wlan0). In either case, or if you want go ahead and use both, wait until you’ve captured at least 35,000 packets to continue (50,000 is better; 100,000 is best).
5. Launch another Konsole window. Navigate to your home directory and find the name of the packet capture file there (it will end in .cap). For this example, we’ll use filename.cap.
6. Type aircrack-ng –b 00:22:29:BC:75:4C filename.cap. The WEP key, once cracked, will display next to the “KEY FOUND!” line (see Figure 9-11).
Figure 9-11 WEP key cracked using aircrack
| EXAM TIP Both Cain and Aircrack both make use of the Korek implementation. However, Aircrack is much faster at cracking WEP. |
We could go on, but you can see the point I’m making here. WEP is easy to crack, and more than a few tools are available for doing so. KisMAC, WEPCrack, chopchop, and Elcomsoft’s Wireless Security Auditor tool are just a few of the other options available.
Bluetooth Attacks
Lastly, we can’t finish any wireless attack section without visiting, at least on a cursory level, our friendly little Bluetooth devices. After all, think about what Bluetooth is for: connecting devices, usually mobile (phones), wirelessly over a short distance. And what do we keep on mobile devices nowadays? The answer is everything. E-mail, calendar appointments, documents, and just about everything else you might find on a business computer is now held in the palm of your hand. It should seem fairly obvious, then, that hacking that signal could pay huge dividends.
Bluetooth definitely falls into the wireless category and has just a few things you’ll need to consider for your exam and for your career. Although hundreds of tools and options are available for Bluetooth hacking, the good news is their coverage on the exam is fairly light, and most of it comes in the form of identifying terms and definitions. With that in mind, we’ll cover some basics on Bluetooth and the four major Bluetooth attacks, and then follow up with a very brief discussion on some tools to help you pull them off.
Part of what makes Bluetooth so susceptible to hacking is the very thing that makes it so ubiquitous—its ease of use. Bluetooth devices are easy to connect one to another and can even be set to look for other devices for you automatically. Bluetooth devices have two modes: a discovery mode and a pairing mode. Discovery mode determines how the device reacts to inquiries from other devices looking to connect, and it has three actions. The discoverable action obviously has the device answer to all inquiries, limited discoverable restricts that action, and non-discoverable tells the device to ignore all inquiries.
Whereas discovery mode details how the device lets others know it’s available, pairing mode details how the device will react when another Bluetooth system asks to pair with it. There are basically only two versions: Yes, I will pair with you, or no, I will not. Non-pairable rejects every connection request, whereas pairable accepts all of them. Between discovery and pairing modes, you can see how Bluetooth was designed to make connection easy.
Bluetooth attacks, taking advantage of this ease of use, fall into four general categories. Bluesmacking is simply a denial-of-service attack against a device. Bluejacking consists of sending unsolicited messages to, and from, mobile devices. Bluesniffing is exactly what it sounds like, and, finally, Bluescarfing is the actual theft of data from a mobile device.
| EXAM TIP Know the “blue” attacks and definitions in Bluetooth. You won’t be asked in-depth technical questions on them, but you will need to determine which attack is being used in a given scenario. |
Although they’re not covered in depth on your exam, you should know some of the more common Bluetooth tools available. Of course, your first action should be to find the Bluetooth devices. BlueScanner (from SourceForge) does a great job of finding devices around you, but it will also try to extract and display as much information as possible. BT Browser is another great, and well-known, tool for finding and enumerating nearby devices. Bluesniff and btCrawler are other options, providing nice GUI formats for your use.
In a step up from that, you can start taking advantage of and hacking the devices nearby. Super Bluetooth Hack is an all-in-one software package that allows you to do almost anything you want to a device you’re lucky enough to connect to. If the device is a smartphone, you could read all messages and contacts, change profiles, restart the device, and even make calls as if they’re coming from the phone itself. Other attack options include bluebugger and Bluediving (a full penetration suite for Bluetooth). Check Appendix A in the back of the book for more Bluetooth hacking tools.
Chapter Review
A wireless network is built with the same concerns as any other media you decide to use, and these are all defined with standards, known as the 802.11 series. 802.11a can attain speeds up to 54Mbps and uses the 5GHz range. 802.11b has speeds of 11Mbps at 2.4GHz, and 802.11g is 54Mbps at 2.4GHz. 802.11n has speeds over 100Mbps and uses a variety of ranges in a MIMO format between 2.4GHz and 5GHz.
Two other standards of note are 802.11i and 802.16. 802.11i is an amendment to the original 802.11 series standard and specifies security mechanisms for use on the WLAN (wireless LAN). 802.16 was written for the global development of broadband wireless metropolitan area networks. Referred to as “WiMax,” it provides speeds up to 40Mbps and is moving toward gigabit speed.
There are two main modes a wireless network can operate in. The first is “ad hoc,” where your system connects directly to another system, as if a cable were strung between the two. Infrastructure mode makes use of an access point (AP) to funnel all wireless connections through. A wireless access point is set up to connect with a link to the outside world (usually some kind of broadband router) and clients associate and authenticate to it. Clients connect to the access point using wireless NICs—if the access point is within range and the device understands what it takes to connect, it is allowed access to the network. Wireless networks can consist of a single access point or multiple ones, thus creating overlapping “cells” and allowing a user to roam freely without losing connectivity. The client needs to “associate” with an access point first, then “disassociate” when it moves to the next one.
When there is a single access point, its “footprint” is called a BSA (basic service area). Communication between this single AP and its clients is known as a BSS (basic service set). If you extend the range of your network by adding multiple access points, the setup is known as an ESS (extended service set). As a client moves from one AP in your subnet to another, so long as everything is configured correctly, it’ll disassociate from one AP and (re)associate with another seamlessly. This movement across multiple APs within a single ESS is known as roaming.
Wireless network design needs to take into account not only the type of antenna used, but where it is placed and what is set up to contain or corral the signal. Physical installation of access points is a major concern, because you will want to avoid spillage of the signal and loss of power. Most standard APs use an omni-directional antenna, which means the signal emanates from the antenna in equal strength 360 degrees from the source. Directional antennas allow you to focus the signal in a specific direction, which greatly increases signal strength and distance. Other antennas you can use are dipole and parabolic grid. Dipole antennas have, quite obviously, two signal “towers” and work omnidirectionally. Parabolic grid antennas work a lot like satellite dishes and can have phenomenal range (up to 10 miles), but aren’t in use much.
To identify a wireless network to clients who may be interested in joining, an SSID (service set identifier) must be assigned. The SSID is not a password, and provides no security at all for your network. It is a text word (32 characters or less) that only distinguishes your wireless network from others. SSIDs are broadcast by default and are easily obtainable even if you try to turn off the broadcast (in an effort dubbed SSID cloaking). The SSID is part of the header on every packet, so its discovery by a determined attacker is a given and securing it is virtually a moot point.
Wireless authentication can happen in more than a few ways, from the simplistic to the very complicated. A client can simply send an 802.11 authentication frame with the appropriate SSID to an AP, and have it answer with a verification frame. Or, the client might participate in a challenge/request scenario, with the AP verifying a decrypted “key” for authentication. Or, in yet another twist, you may even tie the whole thing together with an authentication server (Radius), forcing the client into an even more complicated authentication scenario. The key here is to remember there is a difference between association and authentication. Association is the action of a client connecting to an AP, whereas authentication actually identifies the client before it can access anything on the network.
WEP stands for Wired Equivalent Privacy and provides very weak security for the wireless network. Using 40-bit to 232-bit keys in an RC4 encryption algorithm, WEP’s primary weakness lies in its reuse of initialization vectors (IVs)—an attacker can simply collect enough packets to decode the WEP shared key. WEP was never intended to fully protect your data—it was designed to give people using a wireless network the same level of protection someone surfing over an Ethernet wired hub would expect.
WEP’s initialization vectors are relatively small and, for the most part, get reused pretty frequently. Additionally, they’re sent in clear text as part of the header. An attacker simply needs to generate enough packets in order to analyze the IVs and come up with the key used. This allows the attacker to decrypt the WEP shared key on the fly, in real time, and renders the encryption useless. Attackers can get APs to generate packets by sending disassociate messages. These aren’t authenticated by any means, so the resulting barrage of “Please associate with me” packets is more than enough for the attack.
A better choice in encryption technology is WPA (Wi-Fi Protected Access) or WPA-2. WPA makes use of TKIP (Temporal Key Integrity Protocol), a 128-bit key, and the client’s MAC address to accomplish much stronger encryption. The short of it is, WPA changes the key out (hence the “temporal” part of the name) every 10,000 packets or so, instead of sticking with one and reusing it. Additionally, the keys are transferred back and forth during an EAP (Extensible Authentication Protocol) authentication session, which makes use of a four-step handshake process in proving the client belongs to the AP, and vice versa.
WPA-2 is much the same process; however, it was designed with the government and the enterprise in mind. You can tie EAP or a Radius server into the authentication side of WPA-2, allowing you to make use of Kerberos tickets and all sorts of additional goodies. Additionally, WPA-2 uses AES for encryption, ensuring FIPS 140-2 compliance.
The “war” options are discussed in reference to wireless network discovery. No matter which technique is being discussed, the overall action is the same: An attacker travels around with a Wi-Fi–enabled laptop looking for open wireless access points/ networks. In war driving, the attacker is in a car. War walking has the attacker on foot. War flying has the attacker in an airplane.
Another “war” definition of note is war chalking. A war chalk is a symbol drawn somewhere in a public place indicating the presence of a wireless network. These can indicate free networks, hidden SSIDs, pay-for-use hotspots, and which encryption technique is in use. The basic war chalk involves two parentheses back to back. Added to this can be a key through the middle (indicating restricted Wi-Fi), a lock (indicating MAC filtering), and all sorts of extra entries. Usually the double parentheses will also have a word written above or below, which indicates the SSID or the administrative password for the access point.
Another option in wireless network discovery is the use of a wide array of tools created for that very purpose. However, no matter how great the tools are, if the wireless adapter can’t pull the frames out of the air in the correct manner, all is lost. Some tools are built this way, and only work with certain chipset adapters—which can be very frustrating at times.
An AirPcap dongle is a USB wireless adapter that offers all sorts of advantages and software support. If you don’t have one, you may need to research and download new and different drivers for your particular card. The Madwifi project may be an answer. Just keep in mind that, much like the ability of our wired adapters to use promiscuous mode for our sniffing efforts (discussed earlier in this book), not all wireless adapters are created equal, and not all will work with your favorite tool. Be sure to check the user guides and man pages for lists and tips on correctly configuring your adapters for use.
WIGLE (http://wigle.net) helps in identifying geographic locations of wireless networks; teams of hackers have mapped out wireless network locations using GPS and a tool called NetStumbler. NetStumbler (http://www.netstumbler.com) can be used for identifying poor coverage locations within an ESS, detecting interference causes, and finding any rogue access points in the network. It’s Windows-based, easy to use, and compatible with 802.11a, b, and g.
Kismet is another wireless discovery option. It works on Linux-based systems and, unlike NetStumbler, works passively, meaning it detects access points and clients without actually sending any packets. It can detect access points that have not been configured (and would then be susceptible to the default out-of-the-box admin password) and will determine which type of encryption you might be up against. It works by “channel hopping” to discover as many networks as possible and has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.
Another great network discovery tool is NetSurveyor. This free, Windows-based tool provides many of the same features as NetStumbler and Kismet. Additionally, it supports almost all wireless adapters without any significant additional configuration—which is of great benefit to hackers who can’t afford, or don’t have, an AirPcap card. NetSurveyor acts as a great tool for troubleshooting and verifying optimal installation of wireless networks.
Wireless sniffing is the next important step in hacking wireless networks. Much about sniffing a wireless network is exactly the same as sniffing its wired counterpart. The same protocols and authentication standard weaknesses you looked for with Wireshark off that switch port are just as weak and vulnerable on wireless. Authentication information, passwords, and all sorts of information can be gleaned just from watching the air.
Just a few of the tools specifically made for wireless sniffing—in addition to NetStumbler and Kismet—include OmniPeek, AirMagnet WiFi Analyzer Pro, and WiFi Pilot. Assuming you have a wireless adapter that is compatible and can watch things in promiscuous mode, OmniPeek is a fairly well-known and respected wireless sniffer. In addition to the same type of traffic analysis you would see in Wireshark, OmniPeek provides network activity status and monitoring in a nice dashboard for up-to-the-minute viewing. AirMagnet WiFi Analyzer, from Fluke Networks, is an incredibly powerful sniffer, traffic analyzer, and all-around wireless network auditing software suite. It can be used to resolve performance problems and automatically detect security threats and vulnerabilities.
The rogue access point is an easy attack on a wireless network whereby an attacker sets up an access point near legitimate APs and tricks users into associating and authenticating with it. Sometimes referred to as an “evil twin,” an attack like this is easy to attempt. The only drawback is this attack is sometime really easy to see, and you run a pretty substantial risk of discovery. You’ll just have to watch out for true security-minded professionals, because they’ll be on the lookout for rogue APs on a continual basis and (should) have plenty of tools available to help them out.
An ad hoc connection attack takes advantage of the ad hoc mode of wireless networking. An ad hoc connection attack occurs when an attacker simply sits down with a laptop somewhere in your building and advertises an ad hoc network from his laptop, and people eventually begin connecting to it.
Denial-of-service efforts are also easy attacks to attempt. This can be done in a couple ways, neither of which is particularly difficult. First, you can use any number of tools to craft and send de-authenticate (disassociate) packets to clients of an AP, which will force them to drop their connections. Granted, they may try to immediately climb back aboard, but there’s nothing stopping you from performing the same action again. The other easy DoS wireless attack is to jam the wireless signal altogether, using some type of jamming device and, usually, a high-gain antenna/amplifier. All wireless devices are susceptible to some form of jamming and/or interference—it’s simply a matter of placing enough signal out in the airwaves that the NICs can’t keep up. Tons of jammer options are available (a quick Google search on wireless jammers will show you around 450,000 pages on the subject), ranging from 802.11 networks to Bluetooth and other wireless networking technologies.
One defense wireless network administrators attempt to use is to enforce a MAC filter. Basically it’s a list of MAC addresses that are allowed to associate to the AP—if your wireless NIC’s address isn’t on the list, you’re denied access. The easy way around this is to monitor the network to figure out which MAC addresses are in use on the AP and simply spoof one of them.
Cracking WEP is ridiculously easy and can be done with any number of tools. The idea revolves around generating enough packets to effectively guess the encryption key. The weak initialization vectors we discussed already are the key—that is, they’re reused and sent in clear text. Regardless of the tool, the standard WEP attack follows the same basic series of steps:
1. Start a compatible wireless adapter on your attack machine and ensure it can both inject and sniff packets.
2. Start a sniffer to capture packets.
3. Use some method to force the creation of thousands and thousands of packets (generally by using “de-auth” packets).
4. Analyze these captured packets (either in real time or on the side) with a cracking tool.
Tools for cracking WEP include Cain and Able and Aircrack (both use Korek, but Aircrack is faster) as well as KisMAC, WEPCrack, chopchop, and Elcomsoft’s Wireless Security Auditor tool.
Bluetooth refers to a very open wireless technology for data exchange over relatively short range (10 meters or less). It was designed originally as a means to reduce cabling, but has become a veritable necessity for cell phones and other mobile devices. Although hundreds of tools and options are available for Bluetooth hacking, the good news is their coverage on the exam is fairly light, and most of it comes in the form of identifying terms and definitions.
Bluetooth devices have two modes—a discovery mode and a pairing mode. Discovery mode determines how the device reacts to inquiries from other devices looking to connect, and has three actions. The discoverable action obviously has the device answer to all inquiries, limited discoverable restricts that action, and non-discoverable tells the device to ignore all inquiries.
Pairing mode details how the device will react when another Bluetooth system asks to pair with it. There are basically only two versions: Yes, I will pair with you, or no, I will not. Non-pairable rejects every connection request, whereas pairable accepts all of them.
Bluetooth attacks, taking advantage of this ease of use, fall into four general categories. Bluesmacking is simply a denial-of-service attack against a device. Bluejacking consists of sending unsolicited messages to, and from, mobile devices. Bluesniffing is exactly what it sounds like, and, finally, Bluescarfing is the actual theft of data from a mobile device.
Some of the more common Bluetooth tools available for hacking include BlueScanner (from SourceForge), BT Browser, Bluesniff, and btCrawler. After identifying nearby devices, Super Bluetooth Hack is an all-in-one software package that allows you to do almost anything you want to a device you’re lucky enough to connect to. Other attack options include bluebugger and Bluediving (a full penetration suite for Bluetooth).
Questions
1. An access point is discovered using WEP. The ciphertext sent by the AP is encrypted with the same key and cipher used by its stations. What authentication method is being used?
A. Shared key
B. Asynchronous
C. Open
D. None
2. You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security?
A. Unauthorized users will not be able to associate because they must know the SSID in order to connect.
B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast.
C. Unauthorized users will still be able to connect because non-broadcast SSID puts the AP in ad hoc mode.
D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.
3. You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable?
A. WEP keys are easier to crack when MAC filtering is in place.
B. MAC addresses are dynamic and can be sent via DHCP.
C. An attacker could sniff an existing MAC address and spoof it.
D. An attacker could send a MAC flood, effectively turning the AP into a hub.
4. A new member of the pen test team has discovered a WAP that is using WEP for encryption. He wants a fast tool that can crack the encryption. Which of the following is his best choice?
A. AirSnort
B. Aircrack, using Korek implementation
C. NetStumbler
D. Kismet
5. You are advising a client on wireless security. The NetSurveyor tool can be valuable in locating which potential threat to the network’s security?
A. Identifying clients who are MAC spoofing
B. Identifying clients who haven’t yet associated
C. Identifying access points using SSIDs with less than eight characters
D. Identifying rogue access points
6. A pen test team member is attempting to crack WEP. He needs to generate packets for use in Aircrack later. Which of the following is the best choice?
A. Use aireplay to send fake authentication packets to the AP.
B. Use Kismet to sniff traffic, which forces more packet transmittal.
C. Use NetStumbler to discover more packets.
D. There is no means to generate additional wireless packets—he must simply wait long enough to capture the packets he needs.
7. You set up an access point near your target’s wireless network. It is configured with an exact copy of the network’s SSID. After some time, clients associate and authenticate to the AP you’ve set up, allowing you to steal information. What kind of attack is this?
A. Social engineering
B. WEP attack
C. MAC spoofing
D. Rogue access point
8. Your client is confident in her wireless network security. In addition to turning off SSID broadcast and encrypting with WEP, she has also opted for the use of directional antennas instead of omnidirectional. These are set up along the east side of the building, pointing west, to provide coverage. In this case, does the placement provide adequate security for the network?
A. Yes, directional antennas do a better job than omnidirectional.
B. Yes, directional antennas force mutual authentication for clients.
C. No, attackers can simply place themselves on the west side of the building, and the signals may travel for miles.
D. No, the placement of antennas in a wireless network is irrelevant.
9. Which of the following is a true statement?
A. Configuring a strong SSID is a vital step in securing your network.
B. An SSID should always be more than eight characters in length.
C. An SSID should never be a dictionary word or anything easily guessed.
D. SSIDs are important for identifying networks, but do little to nothing for security.
10. Which wireless encryption technology makes use of temporal keys?
A. WAP
B. WPA
C. WEP
D. EAP
11. You are walking through your target’s campus and notice a symbol on the bottom corner of a building. The symbol shows two backwards parentheses with the word tsunami across the top. What does this mean?
A. Nothing. The symbol is most likely graffiti.
B. The war chalking symbol indicates the direction of the Yagi antenna inside the building.
C. The war chalking symbol indicates a wireless flood area.
D. The war chalking symbol indicates a wireless hotspot with a default password of tsunami.
Answers
1. A. WEP uses shared key encryption, which is part of the reason it is so susceptible to cracking.
2. D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it’s broadcast from the AP.
3. C. MAC filtering is easily hacked by sniffing the network for a valid MAC, then spoofing it, using any number of options available.
4. B. Aircrack, using the Korek implementation, is a very fast tool for cracking WEP, assuming you’ve collected at least 50,000 packets.
5. D. NetSurveyor, and a lot of other tools, can display all sorts of information about the network. Of the choices listed, a rogue access point is the only true security threat to the wireless network.
6. A. Aireplay can send fake authentication packets into the network, causing storms of packets for use in WEP cracking. It can also be used to generate ARP messages for the same purpose.
7. D. Setting up a rogue access point is one of the easiest methods to attack a wireless network. If the network administrator is careless, it can pay huge dividends.
8. C. Wireless signals can travel for miles—especially when the signal strength and power is focused in one direction, instead of being beaconed out 360 degrees.
9. D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.
10. B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.
11. D. Any time there is a word written above or beside a war chalk symbol (two backward parentheses), it indicates either the SSID or, more commonly, the administrative password to the AP itself.