Essentials First: Wireless Hacking Tools

This section examines some of the tools that can help eliminate the threats discussed in the preceding sections. In theory, these tools were all designed to help network administrators take care of their networks, and they are still touted as such on each website. In reality, these are some of the same tools that attackers can and will use; thus, network administrators should also use them to ensure that their wireless networks are secure.

NetStumbler

Wireless networking is everywhere! That is not meant as hyperbole—it really is everywhere. Wireless technology uses radio waves to transmit data, so wireless packets are probably flowing in the air in front of you as you read this.

As everyone knows by now, where wireless packets flow, wireless APs are pumping them out. (Where there is smoke, there is fire.) If only there were a way to find out whether any WAPs were nearby. Fortunately (and unfortunately), there is a way to discover just that.

A little piece of freeware called NetStumbler is available on the Internet (www.netstumbler.com/) that provides you with such secret pieces of information as the following:

• WAP’s Service Set Identification (SSID), the unique name you can assign to your WAP

• Signal strength of the discovered WAPs and whether the WAP uses WEP

• What channel the WAP transmits on, and some other sneaky bits of information

You might have even seen NetStumbler make an appearance on the local evening news under the headline, “Wireless Security Threats: You Could Be Next!” or some other scary tagline. Figure 10-9 shows the NetStumbler interface.

Figure 10-9 NetStumbler Scanning

NetStumbler sends out a broadcast on all channels looking for a response. If your WAP is configured to respond to the broadcast (SSID broadcast “enabled” setting), NetStumbler logs that WAP and furnishes you with a “bing-bing” tone designating a target. The trick is that NetStumbler tells you all the information you need about someone else’s wireless network.

Most wireless NIC configuration programs enable you to perform a site survey, which sniffs around for other wireless access points configured to broadcast on the same channel as your NIC. If you happen to find a WAP with the default SSID (in this case, the default SSID of a Linksys WAP is linksys) displayed, you can assume that you can connect to that WAP with little or no trouble.

One of the best features about NetStumbler is its capability to integrate laptop-based GPS units into its WAP discovery adventure. Imagine driving along with your trusty laptop on the passenger seat of your privately owned vehicle (POV) and hearing the pleasant “bing-bing” tones generated by NetStumbler as it happily sniffs out WAPs within transmitting distance. Every time your laptop makes that sound, NetStumbler queries the attached GPS unit and records the coordinates of the WAP it found. Later, you can download the coordinates into mapping software and have a nice, little map printed out to show you where the WAPs were found. And who says technology doesn’t make our lives just a wee bit more interesting?

The whole GPS issue aside, NetStumbler is not actually a hacking tool because the information it reveals is just a step above what your NIC can already help you find out. Tools such as NetStumbler are more along the lines of “reconnaissance” tools because they help you discover things that might not have been immediately obvious. NetStumbler is a chatty tool, however, and recon is often done instead with passive recon tools such as KisMET.
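Because NetStumbler-style discovery is active, it leaves a trace a defender can look for: a station sending wildcard (empty-SSID) probe requests across many channels. The following is an added example, not code from the book, that parses constructed 802.11 probe requests and flags stations probing on three or more channels; the channel of each frame is assumed to come from the capture's radio metadata, and all MAC addresses are made up.

```python
from collections import defaultdict

BROADCAST = b"\xff" * 6

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_probe_request(src_mac, ssid=b""):
    """Constructed 802.11 probe request: frame control 0x0040 (management frame,
    subtype 4), broadcast DA and BSSID, then a single SSID tagged parameter.
    An empty SSID is the wildcard that asks any AP in range to answer."""
    header = (bytes([0x40, 0x00]) + b"\x00\x00" + BROADCAST + src_mac
              + BROADCAST + b"\x00\x00")
    return header + bytes([0, len(ssid)]) + ssid

def parse_probe_request(frame):
    """Return (source MAC, SSID bytes) for a probe request, else None."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or fc0 >> 4 != 4:   # type 0 = management, subtype 4
        return None
    src, body, i = frame[10:16], frame[24:], 0
    while i + 2 <= len(body):                     # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        if tag == 0:                              # tag 0 = SSID
            return src, body[i + 2:i + 2 + length]
        i += 2 + length
    return src, None

def find_active_scanners(capture, min_channels=3):
    """capture: iterable of (channel, frame). Returns {mac: [channels]} for
    stations that sent wildcard probe requests on at least min_channels channels."""
    seen = defaultdict(set)
    for channel, frame in capture:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] == b"":
            seen[parsed[0]].add(channel)
    return {mac_str(m): sorted(c) for m, c in seen.items() if len(c) >= min_channels}

def sample_capture():
    """Constructed capture: one station sweeping channels 1-11 with wildcard probes,
    one client probing for its known SSID, one client sending a single wildcard
    probe on its home channel (ordinary clients do that too)."""
    scanner = bytes.fromhex("020000000001")
    client_a, client_b = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
    capture = [(ch, build_probe_request(scanner)) for ch in range(1, 12)]
    capture.append((6, build_probe_request(client_a, b"corp-wifi")))
    capture.append((6, build_probe_request(client_b)))
    return capture

if __name__ == "__main__":
    print(find_active_scanners(sample_capture()))
```

Only the channel-sweeping station is reported; the two ordinary clients stay below the threshold.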

Wireless Packet Sniffers

Sniffing packets can be both fun and profitable if you know how and what to sniff. Any network administrator can lay his hands on a packet sniffer in a matter of seconds and snag a couple hundred packets before you can even read this paragraph. The contents of these packets can reveal network secrets that have been closely guarded. Sniffing, or snarffing in the hacker world, is the process of intercepting and recording traffic that was never supposed to be seen by anyone other than the sender or receiver.

To the layman, the idea of sniffing, capturing, or snagging packets is an often misunderstood concept; therefore, the basics of the operation deserve some brief discussion:

1. Packets travel over an Ethernet connection from source to destination.

2. A NIC set to promiscuous mode can listen in on all local traffic.

3. A packet sniffer can see and record all this traffic.

4. A packet sniffer can also decode the packet and display neat things such as the source MAC address, the destination MAC address, and the data payload contained in the packet.

5. Packets contain things such as unencrypted Windows passwords, logins or password combinations sent in clear text, account numbers, and other tasty things relished by hackers.
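As an added example that is not from the book, here is the decoding of steps 3 to 5 done in Python on a constructed Ethernet II frame: it pulls out the source and destination MAC addresses, the IPv4 endpoints, the TCP ports and the payload, and flags the clear-text FTP login that anyone sniffing the segment would see. All addresses and the payload are made up, and checksums are left at zero.

```python
import struct

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_sample_frame():
    """Constructed Ethernet II / IPv4 / TCP frame carrying an FTP PASS command."""
    payload = b"PASS example-password\r\n"
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH+ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 21, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto 6 = TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

def looks_like_cleartext_login(dst_port, payload):
    """FTP (21) and POP3 (110) send USER/PASS as plain text: exactly what step 5 warns about."""
    return dst_port in (21, 110) and payload[:5] in (b"USER ", b"PASS ")

def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP the way a sniffer's dissector does (steps 3 to 5)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:            # only IPv4 is decoded in this example
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    info["proto"] = ip[9]
    info["src_ip"] = ".".join(str(b) for b in ip[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if info["proto"] != 6:             # only TCP is decoded in this example
        return info
    tcp = ip[ihl:]
    info["src_port"], info["dst_port"] = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4   # TCP header length in bytes
    info["payload"] = tcp[data_offset:]
    info["cleartext_credential"] = looks_like_cleartext_login(info["dst_port"], info["payload"])
    return info

if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print(f"{key:>20}: {value}")
```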

Now that you know about wired packet sniffers, you also need to meet their wireless cousins. How is this possible, you ask? Can I actually capture wireless packet traffic? Could it be that easy? Do hackers know about this? The answers are, yes, yes, and yes. Capturing packets in a wireless network is actually much easier than in a wired network because wireless packets are all around in the air, and you don’t need to be physically sitting on a wired segment.

Yes, hackers know about sniffing wireless connections, and they have made the most of it. Have you turned on a MAC filter on your WAP? Packet captures rat you out by revealing the source MAC address of every frame. It is easy to spoof a MAC address on your wireless NIC, especially with a program called SMAC, lovingly created by a group of guys at KLC Consulting. If hackers “sniff” your wireless packets, they can decode the packets, read the MAC address of a machine listed in the WAP’s MAC filter, plug that number into SMAC, and impersonate a machine authorized to use the WAP. They can do all this in less than 1 minute. That is correct—60 seconds. In the time it takes to dip a chip in salsa and eat it, a hacker can intrude on your network.

Aircrack-ng

Aircrack-ng is an 802.11 WEP and WPA-PSK key-cracking program that can recover keys after enough data packets have been captured. It implements the standard FMS attack along with optimizations such as the KoreK attacks and the newer PTW attack, which makes it much faster than other WEP-cracking tools. Aircrack-ng is a suite of tools for auditing wireless networks.

You can learn more about this product and company online at www.aircrack-ng.org and in the BackTrack 5 distribution.

OmniPeek

Wireless networks require the same kinds of analytical and diagnostic tools as any other LAN to maintain, optimize, and secure network functions, with one notable exception. In a LAN environment, all signals are conducted over a fixed, well-defined, and “electrically stable” network of cables. This is in stark contrast to wireless networks, where signals are transmitted using radio frequency (RF) technology. Radio frequency waves propagate outward in all directions from their source and are sensitive to disruption or interference. The quality of the transmitted signal varies over time and space, even if the source and destination remain fixed. The path between the source and destination also has a significant impact on the quality of the resulting communication. Open propagation of data means that anyone can receive the data, even those not “connected” to the network, making security a far bigger issue for WLANs. The use of unlicensed spectrum by 802.11 also increases its vulnerability to interference because it must share its available bandwidth with non-802.11 devices, including Bluetooth, cordless telephones, and microwave ovens.

Fortunately, the 802.11 WLAN standard offers even more data for packet analysis than any other member of the 802 family of protocols. WildPackets products enable the creation of highly flexible, cost-effective wireless network analysis solutions. OmniPeek is a comprehensive wired and wireless network analyzer with complete support for IEEE 802.11 wireless LAN protocols. Real-time expert analysis provides an advanced set of expert troubleshooting and diagnostic capabilities.

Features include the following:

• Full 802.11 WLAN protocol decodes

• Multi-NIC support

• Distributed operation with wireless probes or AP capture adapters

• Display of data rate, channel, and signal strength for each packet

• SSID tree of nodes

• Expert analysis of network performance in real time, including VoIP expert diagnoses and wireless problem events

• Designation of nodes as Trusted, Known, and Unknown identifies rogue APs easily

• Expert ProblemFinder settings that include description, possible causes, and possible remedies

• Peer Map, which is a continuously updated graphical view of traffic between pairs of network nodes, showing volume, protocol, node address, and node type

• Alarms, triggers, and notifications, all user-definable

• Security audit template with predefined security audit filters

• Scan/surf by channels, ESSID or BSSID

• VoIP analysis tools

• Application performance tools

• Forensics analysis

You can learn more about this product and company online at www.wildpackets.com/products/network_analysis_and_monitoring/omnipeek_network_analyzer.

Wireshark

Wireshark is the world’s foremost network protocol analyzer. It enables you to capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives because of the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set that includes the following:

• Deep inspection of hundreds of protocols, with more being added all the time

• Live capture and offline analysis

• Standard three-pane packet browser

• Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others

• Captured network data can be browsed via a GUI or via the TTY-mode TShark utility

• The most powerful display filters in the industry

• Rich VoIP analysis

• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

• Coloring rules can be applied to the packet list for quick, intuitive analysis

You can learn more about this product and company online at www.wireshark.org/.


Note

You can use other wireless tools, such as KisMET and KisMAC, which are wireless AP locators and include support for GPS location and positioning, to create maps of all known, open wireless APs in a city, building, or your neighborhood.
