Chapter 15. Intrusion Process

The scope of this chapter is to understand the technical capabilities and limitations of a potential unauthorized intruder in order to make sure that your own security measures can withstand a hacker’s attempt to breach them. It is important to know not only your own tools and techniques, but also those of the potential adversary, in order to better protect against them. This is the first part of an age-old strategy used by the famous Chinese strategist, Sun Tzu, who said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” [1]

15.1. Profiling To Select a Target or Gather Information

Target profiling is a term that describes the process of choosing a target for hacking and doing subsequent research on that specific target. Because the Internet has made public (and sometimes private) information very easy to access, once a target has been identified, it is usually a trivial matter to search for and uncover great amounts of information related to that target. Professional hackers normally carry out target profiling; it is not something done by the casual browser. These professional hackers usually choose their targets because the target has or is perceived to have some value to the hacker.

Conducting such high-level acts of intrusion generally means the profiler has a unique and specific set of tools, adequate time to carry out the task, and a strong desire to acquire whatever the target possesses. Hackers use many types of networking tools to gather sensitive information from unsecured wireless networks. These specialized tools include discovery tools, packet analyzers, application layer analyzers, network utility applications, and share enumerators. As IT security professionals become more attuned to these types of attacks and deploy better security architectures for their networks, many of these tools will become obsolete. Social engineering is typically the hacker’s next-best approach.

15.2. Social Engineering

Social engineering is a term used to describe the act of convincing someone to give you something that they should not. Successful social engineering attacks occur because the target might be ignorant of the organization’s information security policies or intimidated by an intruder’s knowledge, expertise, or attitude. Social engineering is reported to be one of the most dangerous yet successful methods of hacking into any IT infrastructure. Social engineering has the potential of rendering even the most sophisticated security solution useless. Some favorite targets for social engineering attacks are the help desk, on-site contractors, and employees.

The help desk should be trained to know exactly which pieces of information related to the wireless network should not be given out without proper authorization or without following specific processes put in place by security policy. Items that should be marked for exclusion include the Service Set Identifier (SSID) of access points, WEP key(s), physical locations of Access Points (APs) and bridges, usernames and passwords for network access and services, and passwords and SNMP strings for infrastructure equipment. For example, if the process of defeating WEP has stumped the hacker, he or she may try to trick an employee into providing this information. Once the correct WEP key has been obtained by the hacker, he or she will plug that key into his or her computer and use the various tools described previously to capture sensitive data in real time, just as if there was no security.

Two common tactics are often used when attempts at social engineering against help desk personnel are implemented: (1) forceful, yet professional language and (2) playing dumb. Both approaches have the same effect—obtaining the requested information. Social engineers understand that help desk employees do not wish to have their supervisors and managers brought into a discussion when their assigned customers are not happy with the service they are receiving. Social engineers also know that some people are just inept at handling conflict, and some people are easily intimidated by anyone with an authoritative voice. Playing dumb is also a favorite tactic of social engineers. The help desk personnel are often distracted and disarmed by the “dumb caller,” which causes them to stop paying attention to rigid security protocols when they assume the person they are speaking with knows very little to begin with.

IT contractors can be especially good targets for social engineers. They are brought onto a job with very little training in security and may not realize the value of information they are helpfully providing the authoritative caller on the other end of the phone. How could they know the authoritative voice on the other end of the phone is a hacker anyway? Remember, most contractors are knowledgeable of the inner workings and details of just about all network resources on a site because they are often on that site to design and/or repair the very network they built. In wanting to be helpful to their customer, contractors often give out too much information to people who are not authorized to have such information.

Wireless technology is still very new to many organizations. Employees who have not been properly educated about wireless security may not realize the dangers a wireless network can pose to the organization. Nontechnical employees who use a wireless network should be trained to know that their computers can be attacked at work, at home, or on any public wireless network. Social engineers take advantage of all of these weaknesses, and they even fabricate elaborate stories to fool almost anyone who is not specifically trained to recognize these types of attacks.

15.3. Searching Publicly Available Resources

Today, it is possible to find out information on almost any conceivable topic simply by searching the Internet. This new information tool can be used to find out about almost anything, including personal information about individuals, proprietary information about corporations, and even network security information that is not intended to be made public. If public information exists, it can most likely be found on the Internet with little effort. Nefarious individuals can find out who you are, the names of your family members, where you live and work, if your residence or workplace has a WLAN, and what wireless security solutions are used by your employer. As an example, many people now post their resumes on the Internet. From an individual’s resume, you may be able to determine if someone has WLAN proficiency. It is logical to therefore assume that this individual may have a WLAN set up at his or her home. This individual is also more likely than not to be connected to his or her employer’s corporate network. It is also likely that sensitive corporate data is exposed on the user’s laptop or desktop computer. Because this individual connects to a laptop using the WLAN at home, he or she is susceptible to hacking attacks. All of this is probable because a small amount of personal information found on the Internet exposed critical data that led to a security breach on a corporate network. What is even worse is the fact that this data could be pilfered and the victim is likely never going to know it happened!

Many Web sites provide maps of public wireless Internet access. If someone is easily able to use a corporation’s WLAN as a public access point, that WLAN may even be one of the sites listed on these maps. For instance, http://www.NetStumbler.com offers a unique mapping [2] of all reported WLANs NetStumbler has found.

15.4. War-Driving, -Walking, -Flying, and -Chalking

War-driving is the common term for unauthorized or covert wireless network reconnaissance. Users of WLAN utilities (sniffers) have also taken to the air, detecting hundreds of WLAN access points from private planes cruising at altitudes between 1,500 and 2,500 feet. Recently, a Perth, Australia–based “war flier” reportedly managed to pick up e-mails and Internet Relay Chat (IRC) conversations from an altitude of 1,500 feet [3].

WLAN war drivers routinely cruise target areas in cars that are equipped with laptops. The laptops are commonly equipped with a Wireless Network Interface Card (WNIC), an external high-gain antenna, and often even with a global positioning system (GPS) receiver. The wireless LAN card and GPS receiver feed data into freely available software such as NetStumbler or Kismet, both of which detect access points and SSIDs, which are correlated to their GPS-reported locations. War-driving gets a hacker even one step closer to the actual network through a practice known as war-walking. This has been made possible through a software variant of NetStumbler made especially for the PocketPC called MiniStumbler.

The term war-driving is a derivation of the term war-dialing, which was originally used to describe the exploits of a teenage hacker portrayed in the movie War Games (1983), where the teenager has his computer set up to randomly dial hundreds of phone numbers seeking those that connect to modems. In the movie, the teenager eventually taps into a nuclear command and control system. Since 1983, when the movie was released, there have been several well-publicized instances of hackers breaking into government facilities. None of these break-ins have, however, resulted in the compromise of nuclear codes—that is where Hollywood ends and reality begins.

Recently, a hobbyist WLAN sniffer, alias Delta Farce, who claimed to be a member of the San Diego Wireless Users Group, purportedly conducted a war-flying tour of much of San Diego County in a private plane at altitudes ranging between 1,500 and 2,500 feet. According to his or her claims, Delta Farce detected 437 access points during the flight. These exploits were posted on the Ars Technica Web site [4]. Delta Farce reported that NetStumbler software had indicated that only 23 percent of the access points detected during the trip had even the simplest form of security, Wired Equivalent Privacy (WEP), enabled. The trip also showed that the range of 802.11b WLAN signals, which radiate in the 2.4-GHz unlicensed frequency band, is far greater than what manufacturers report. Delta Farce said he was able to detect wireless access points at an altitude of 2,500 feet, or about five to eight times the 300- to 500-foot range of WLANs used in a warehouse or office.

The legality of such exploits depends on where and what is done. There are federal and state laws against network intrusion and also against intercepting communications between two or more parties. Through the use of NetStumbler, Kismet, Airopeek (a spectrum analyzer), or a variety of other tools, virtually anyone can drive through a city or neighborhood and easily locate wireless networks. Once a WLAN is located, these tools will show the SSID, whether WEP is being used, the manufacturer of the equipment, IP subnet information, and the channel the network is using. Once this information is obtained, an adversary can either associate and use DHCP or make an educated guess of the actual static IP network address. At the very least, the unauthorized access will result in free Internet access. By using simple auditing tools, an adversary can now scan the network for other devices or use a VPN connection from the gateway into a corporate network. Using the trace route utility on any Windows computer can quickly give more information on a particular network connection. A trace route displays and resolves the name of all the hops between your computer and that of another host (e.g., a Web server). Trace routing provides the attacker a way to find out where he is logically located on the Internet once connected to a WLAN.

Sometimes an adversary will have a little help from war-chalkers who have already mapped out the potential target. War-chalking refers to the practice and development of a language of signs used to mark sidewalks or buildings located near an accessible wireless network with chalk, notifying other war-drivers that a wireless network is nearby and providing specialized clues about the structure of the network. Such clues include knowing if the network is open or closed, whether WEP is enabled or not, the speed of the Internet connection, the azimuth and distance of the access point from the mark, and so on. Most of the symbols can be found on the Web at http://www.warchalking.org. The term war-chalking originated from the practice of war-driving and is essentially a way for hackers to help other hackers. If your network has been war-chalked, you can bet it has been hacked or, at the very least, simply borrowed for free wireless Internet access.

15.4.1. WLAN Audit and Discovery Tools

Hackers exploit vulnerabilities discovered when using various auditing tools. WLAN auditing tools are the weapon of choice for exploiting WLAN networks. Multipurpose tools that can be used for auditing and hacking into a WLAN are described in the following sections. Many protocol analysis and site survey tools are focused on finding WiFi compliant Direct Sequence Spread Spectrum (DSSS) networks. It should not be assumed that an unauthorized user is only going to use WiFi equipment to conduct reconnaissance and penetrate a network.

15.4.1.1. NetStumbler

One of the most popular discovery tools is a free Windows-based software utility called NetStumbler. This tool is usually installed on a laptop computer. War-drivers, war-walkers, war-flyers, and war-chalkers commonly use NetStumbler to locate and interrogate WLANs. NetStumbler’s popularity stems from its ease of use and wide support of a variety of network interface cards (NICs). Other networking tools can be used to gain unauthorized access to a WLAN. Once NetStumbler finds an access point, it displays the MAC Address, SSID, access point name, channel, vendor, security (WEP on or off), signal strength, and GPS coordinates if a GPS device is attached to the laptop. Adversaries use NetStumbler output to find access points lacking security or configured with manufacturer’s default settings. Although WEP has exploitable vulnerabilities, a time investment is required to break WEP, and unless the adversary has specifically targeted your facility, he or she will normally take the path of least resistance and go after the more easily accessible open networks that are found everywhere.

15.4.1.2. MiniStumbler

MiniStumbler has the same functionality as NetStumbler but is designed to run on the PocketPC platform. It can operate from a very small platform, which makes it popular for use in war-walking. The ability to war-drive a wireless network with a handheld device placed in one’s pocket makes MiniStumbler a valuable addition to any adversary’s war chest.

15.4.1.3. Kismet

Kismet is an 802.11 wireless network sniffer. As described on the Kismet Web site [5], it differs from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area. Kismet works with any 802.11b wireless card capable of reporting raw packets (rfmon support), which includes any prism2-based card (e.g., Linksys, D-Link, RangeLAN), Cisco Aironet cards, and Orinoco-based cards. Kismet supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards that use the ar5k chipset. Kismet runs on the Linux operating system and has similar functionality to NetStumbler, but with a few additional features. Kismet’s basic feature set includes the following:

  • Airsnort-compatible logging
  • Channel hopping
  • Cisco product detection via CDP
  • Cross-platform support (handheld Linux and BSD)
  • Detection of default access point configurations
  • Detection of NetStumbler clients
  • Ethereal/tcpdump compatible file logging
  • Graphical mapping of data (gpsmap)
  • Grouping and custom naming of SSIDs
  • Hidden SSID decloaking
  • IP blocking protection
  • Manufacturer identification
  • Multiple packet source
  • Multiplexing of multiple capture sources
  • Runtime decoding of WEP packets
  • Support for multiple clients viewing a single capture stream

15.4.1.4. AiroPeek NX

AiroPeek NX is a Windows-based wireless sniffer from WildPackets. It has the capability to capture and decode packets simultaneously. Although AiroPeek can do on-the-fly decryption of WEP keys, it doesn’t actually crack WEP; you must supply the valid keys [6].

15.4.1.5. Sniffer Wireless

Sniffer Wireless [7] is a Windows sniffer from Network Associates. It doesn’t decode packets on the fly. You must stop sniffing before you can decode in this mode. It can decode a very large number of protocols at near-wire speeds. It also has the ability to spot rogue APs.

15.4.2. Network Discovery Tools

Management software packages such as What’s Up Gold (http://www.ipswitch.com), SNMPc (http://www.castlerock.com), and Solarwinds (http://www.solarwinds.net) each contain specialized discovery tools that use the Simple Network Management Protocol (SNMP) to map their way through an enterprise. If an adversary gains access to a WLAN and steals certain SNMP strings, the attacker can then begin creating a map of the entire extended network. An insecure wireless segment that exists within an enterprise environment that has distributed WLANs can cause an otherwise secure wired network to become insecure. This is another example of the huge security risks posed by implementation and use of WLANs.

15.4.3. Networking Utilities

In order to find out what resources are available on a network, most intrusion attempts begin with a scan of the network. To gather information, the client needs to obtain a valid IP address, either through DHCP assignment or by statically assigning a valid IP address. The next logical step for the hacker is to use a network utility such as WS-Ping ProPack (http://www.ipswitch.com) or NetScan Tools professional (http://www.netscantools.com) that can perform functions such as ping sweeps (pinging every IP address in a subnet looking for active nodes), port scans for defined ports (FTP, POP3, SMTP, NETBIOS), and computer name resolution (Accounting, Human Resources, Sales, Marketing). Once these tasks are performed, more detailed probes can be accomplished with tools such as LANGuard.

Once access point scans are accomplished using NetStumbler, and ping sweeps are accomplished with networking utilities, the IP addresses of the access points can be determined by comparing the laptop’s ARP cache against NetStumbler results. The ARP cache on the laptop is viewed by opening a command prompt window and typing “arp -a.” This command will return the IP addresses and MAC addresses of every node detected on the network.
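As an added example (not from the book), the following script turns the comparison just described into a defender's audit: it parses Windows `arp -a` output, joins it against NetStumbler-style discovery records by MAC address, and flags any AP that has an address on the wired segment but is not in the organization's inventory (the rogue AP case of section 15.6.4), has WEP off, or still carries a factory SSID. The ARP listing, the discovery records, the inventory set and the default-SSID list are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of Windows "arp -a" output (not captured from a real network).
ARP_OUTPUT = """
Interface: 192.168.1.37 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-41-aa-bb-01     dynamic
  192.168.1.2           00-40-96-12-34-56     dynamic
  192.168.1.50          00-0c-41-de-ad-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed NetStumbler-style discovery records: (BSSID, SSID, channel, WEP on?).
DISCOVERED_APS = [
    ("00:0C:41:AA:BB:01", "corp-wlan", 6, True),
    ("00:0C:41:DE:AD:02", "linksys", 6, False),   # factory SSID, WEP off
    ("00:40:96:12:34:56", "corp-wlan", 11, True),
    ("00:02:2D:77:88:99", "neighbor", 1, True),   # heard over the air, not on our LAN
]

# Hypothetical inventory of the BSSIDs the organization actually deployed.
AUTHORIZED_BSSIDS = {"00:0c:41:aa:bb:01", "00:40:96:12:34:56"}

# Small illustrative sample of factory-default SSIDs (not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless"}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so arp output and stumbler output compare equal."""
    return mac.replace("-", ":").lower()


def parse_arp(text: str) -> Dict[str, str]:
    """Map MAC -> IP from 'arp -a' output, skipping broadcast and multicast entries."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface banner, column header or blank line
        ip, mac, _entry_type = m.groups()
        mac = normalize_mac(mac)
        if int(mac[:2], 16) & 1:  # I/G bit set: group address, not a host
            continue
        table[mac] = ip
    return table


@dataclass
class Finding:
    bssid: str
    ssid: str
    ip: Optional[str]          # None when the AP was heard but has no wired ARP entry
    issues: List[str] = field(default_factory=list)


def audit_access_points(arp_text: str, discovered, authorized) -> List[Finding]:
    """Join discovered BSSIDs against the ARP cache and flag what an auditor cares about."""
    arp = parse_arp(arp_text)
    findings = []
    for bssid, ssid, _channel, wep_enabled in discovered:
        mac = normalize_mac(bssid)
        f = Finding(mac, ssid, arp.get(mac))
        if f.ip is not None and mac not in authorized:
            f.issues.append("unauthorized AP bridged onto wired segment")
        if not wep_enabled:
            f.issues.append("WEP disabled")
        if ssid.lower() in DEFAULT_SSIDS:
            f.issues.append("factory default SSID")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_access_points(ARP_OUTPUT, DISCOVERED_APS, AUTHORIZED_BSSIDS):
        print(f.bssid, f.ip or "-", f.ssid, "; ".join(f.issues) or "ok")
```

Many APs use a wired MAC that differs from the radio BSSID by a small offset, so an exact join like the book's comparison assumes will miss some units; treat an unmatched BSSID as "unknown", not "absent".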

15.5. Exploitable WLAN Configurations

It is important that network administrators learn to properly configure administrative passwords, encryption settings, automatic network connection functions, reset functions, Ethernet Medium Access Control (MAC) Access Control Lists (ACLs), shared keys, and Simple Network Management Protocol (SNMP) agents. Doing so will help eliminate many of the vulnerabilities inherent in a vendor’s out-of-the-box default configuration settings. Network administrators should configure APs in accordance with established security policies and requirements. The following is a list of vulnerabilities that can result from one of these configuration problems:

  • Default passwords not updated
  • WLAN encryption not set for the strongest encryption available
  • No controls over the reset function
  • MAC ACL functionality not in use
  • Not changing the SSID from its factory default
  • Not changing default cryptographic keys
  • Not changing the default SNMP parameter
  • Not changing the default channel
  • Not using DHCP

Now, let’s look at how intruders use these WLAN weaknesses to exploit an organization.

15.6. How Intruders Obtain Network Access to a WLAN

Security attacks are typically divided into two classes: passive attacks and active attacks. These two broad classes are then subdivided into other types of attacks. A passive attack is an attack in which an unauthorized party simply gains access to an asset and does not modify its content (i.e., eavesdropping). Passive attacks can be done by either simple eavesdropping or by conducting a traffic analysis (which is sometimes called traffic flow analysis). While an attacker is eavesdropping, he or she simply monitors network transmissions, evaluating packets for (sometimes) specific message content. As an example of this type of attack, suppose a person is listening to the transmissions between two workstations broadcast on a LAN or that he or she is tuning into transmissions that take place between a wireless handset and a base station. When conducting traffic analysis of this type, the attacker subtly gains intelligence by looking for patterns of traffic that occur during the communication broadcasts. A considerable amount of information is contained in message flow traffic between communicating parties.

Active attacks are attacks in which an unauthorized party makes deliberate modifications to messages, data streams, or files. It is possible to detect this type of attack, but it is often not preventable. Active attacks usually take one of four forms (or some combination of such):

  1. Masquerading
  2. Replay
  3. Message modification
  4. Denial-of-Service (DoS)

When masquerading, the attacker will successfully impersonate an authorized network user and gain that user’s level of privileges. During a replay attack, the attacker monitors transmissions (passive attack) and retransmits messages as if they were sent by a legitimate user. Message modification occurs when an attacker alters legitimate messages by deleting, adding, changing, or reordering the content of the message. DoS is a condition that occurs when the attacker prevents normal use of a network.

15.6.1. WLAN Attacks

All risks known to exist with 802.11 standards–based equipment are the result of one or more of the aforementioned active or passive attack methods. These attacks generally cause a loss of proprietary information, with companies suffering legal and recovery costs and sometimes even a tarnished image as a result of publicity about an attack (known in the security field as an event) that resulted in a total loss of network service. With the rapid rate of growth and adoption of 802.11b WLAN technology in many organizations attempting to capitalize on the benefits of “going wireless,” there are many chances for hackers to take advantage of these known vulnerabilities when they discover that lax security practices are used by an adopter. Numerous published reports and papers have described attacks on 802.11 wireless networks and exposed risks to any organization deploying the technology. It is wise for those planning to adopt WLAN technology to find these papers and educate themselves and their staff on the risks and, moreover, to weigh these risks against the benefits of using the WLAN.

15.6.2. WEP Decryption Tools

In order to recover WEP encryption keys, WEP decryption software is used to passively monitor data transmission on a WLAN segment. When enough data has been collected, these decryption tools can compute the cryptographic key used to encrypt the data. Once this occurs, the network is totally insecure. For this to work, the decryption software must collect enough packets formed with “weak” initialization vectors. Wireless packet analyzers, such as AirSnort and WEPcrack, are common tools that are readily available on the Internet and are very popular WEP crackers. Both of these applications run in Unix-based environments.

AirSnort was one of the first tools created to automate the process of analyzing network traffic. Unfortunately, hackers quickly discovered that it is also great for breaking into wireless networks. AirSnort leverages known vulnerabilities found in the key-scheduling algorithm of RC4, which is used to form the basis of the WEP standard. The software monitors the WLAN data in a passive mode and computes encryption keys after about 100 MB of network packets have been sniffed. On a busy network, collecting this amount of data may take only three or four hours, but if traffic volume is slow, it could easily stretch out to a few days. After all of these network packets have been collected and analyzed, the cryptographic key can be determined in a matter of milliseconds. This gives the attacker access to the root key, and he or she can now read cleartext of any packet traversing the WLAN.

15.6.3. MAC Address Spoofing and Circumventing Filters

Numerous 802.11 product vendors provide capabilities for restricting access to the WLAN based on device MAC ACLs, which are stored and distributed across many APs. MAC address exploitation can be accomplished by an adversary capturing a series of wireless frame packets obtained during normal business hours at the target location. The captured frames contain all information needed to circumvent MAC filters. Using this data, the hacker is able to derive valuable information from the packet trace log, which is generated via a wireless protocol packet analyzer such as WildPackets Airopeek or Network Associates Sniffer Pro Wireless. By reviewing the BSS IDs (the MAC address of an access point) found in the packet trace, the hacker can figure out which units are access points and which are clients. Once this is known, it is a rather simple matter to deduce which SSIDs and MAC addresses are used by the connecting clients. Additionally, IP subnet information can be recorded in order to establish subsequent network connections once the hacker device is associated to the target access point. Once these data have been recorded, the hacker is in a position to gain unauthorized access to the target network.

15.6.4. Rogue AP Exploitation

Rogue APs pose huge security risks. Malicious users have been known to surreptitiously insert rogue APs into closets, under conference room tables, and in other hidden areas in buildings to gain unauthorized access to targeted networks. As long as the rogue AP location is close to WLAN users, the rogue AP can intercept wireless traffic between an authorized AP and its wireless clients without being detected. The rogue AP needs to be configured with a stronger signal than the existing AP in order to intercept client traffic. Malicious users can also gain access to a wireless network by using APs configured to allow blanket access without authorization.

15.6.5. Exploiting Confidentiality Weaknesses

Confidentiality means that specific information is not to be made available or disclosed to unauthorized individuals, entities, or processes. Confidentiality is a fundamental security requirement for most organizations. Because of the very nature of wireless communications, confidentiality is a difficult security requirement to implement. Often, it is not possible to control the distance over which a WLAN transmission occurs. This makes traditional physical security countermeasures ineffective for WLANs. Passive eavesdropping of wireless communications is a significant risk to any organization. Because 802.11b signals can travel outside the building perimeter, hackers are often able to listen in and obtain sensitive data such as corporate proprietary information, network IDs, passwords, and network and systems configuration data. Sometimes, the hacker is even an insider who may be disgruntled. The extended range of 802.11 broadcasts enables hackers to detect transmissions from company parking lots or from positions curbside on nearby roads. This kind of attack, which is performed with a wireless network analyzer tool, or sniffer, is particularly easy for two reasons:

  1. Confidentiality features of WLAN technology are often not even enabled.
  2. Numerous vulnerabilities in the 802.11b security mechanisms can be exploited.

When an AP is connected to a network through a hub, it poses yet another risk to loss of confidentiality. Hubs generally broadcast all network traffic to all connected devices, which leaves hub-relayed traffic vulnerable to unauthorized monitoring. An adversary can monitor such traffic by using a laptop and wireless NIC (set to promiscuous mode) when an access point is connected to a hub instead of a switch. If the wireless AP is connected to an Ethernet hub, the hacker device monitoring broadcast traffic is able to easily pick up data that was intended for wireless clients. Consequently, organizations should consider using switches instead of hubs for connections to wireless access points.

15.6.6. Exploiting Data Integrity Weaknesses

Wireless networks face the same data integrity issues that are found in wired networks. Organizations frequently implement wireless and wired communications without adequate data encryption. As a result, data integrity can be very difficult to achieve. A determined hacker can compromise data integrity simply by deleting or modifying data in an e-mail from an account found on the wireless system. The impact of such message modification could be quite detrimental to an organization depending on the importance of the e-mail and how widespread its distribution is across the company. Existing security features of 802.11 do not provide strong message integrity. This can lead to vulnerability from other kinds of active attacks. The WEP-based integrity mechanism used in wireless networking is simply a linear Cyclic Redundancy Check (CRC). Message modification attacks are possible without implementation and use of some cryptographic checking mechanisms, such as message authentication codes and hash codes (message digests).
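The linearity the paragraph refers to can be checked directly. This added example (not from the book) computes WEP's CRC-32 integrity check value (ICV) with Python's `zlib`, shows that CRC-32 is affine over XOR, so the ICV of a body XORed with a chosen difference follows from the old ICV and the difference alone, and contrasts that with an HMAC-SHA256 tag, for which no such identity holds. Since WEP encrypts body and ICV under the same RC4 keystream and XOR commutes with that keystream, the same property carries over to the encrypted frame. The message bytes and key are constructed.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_icv(body: bytes) -> int:
    """WEP's integrity check value: an unkeyed CRC-32 over the frame body."""
    return zlib.crc32(body) & 0xFFFFFFFF


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros of same length).
    The constant term comes from CRC-32's initial value and final XOR."""
    zeros = bytes(len(a))
    return wep_icv(xor_bytes(a, b)) == wep_icv(a) ^ wep_icv(b) ^ wep_icv(zeros)


def icv_after_xor(icv_of_unknown_body: int, delta: bytes) -> int:
    """Because of that affinity, the ICV of (body ^ delta) is computable from the old ICV
    and delta alone; the body itself never has to be known. This is why a CRC cannot
    serve as an integrity check once bit flips on the (RC4-encrypted) frame are possible."""
    return icv_of_unknown_body ^ wep_icv(delta) ^ wep_icv(bytes(len(delta)))


def hmac_tag(key: bytes, body: bytes) -> bytes:
    """A keyed message authentication code, the mechanism the paragraph says WEP lacks."""
    return hmac.new(key, body, hashlib.sha256).digest()


def hmac_verify(key: bytes, body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, body), tag)


def hmac_is_affine(key: bytes, a: bytes, b: bytes) -> bool:
    """The analogous identity fails for a keyed MAC, so there is no key-free way to
    patch the tag to match a modified body."""
    zeros = bytes(len(a))
    lhs = hmac_tag(key, xor_bytes(a, b))
    rhs = xor_bytes(xor_bytes(hmac_tag(key, a), hmac_tag(key, b)), hmac_tag(key, zeros))
    return lhs == rhs


if __name__ == "__main__":
    body = b"Meter 7: 21.5 C"                       # constructed frame body
    delta = bytes(len(body))
    delta = delta[:9] + bytes([ord("2") ^ ord("9")]) + delta[10:]   # flips "21.5" to "91.5"
    print("CRC-32 affine:", crc32_is_affine(body, delta))
    print("predicted ICV matches:", icv_after_xor(wep_icv(body), delta) == wep_icv(xor_bytes(body, delta)))
    key = b"constructed-demo-key"
    tag = hmac_tag(key, body)
    print("HMAC still verifies after modification:", hmac_verify(key, xor_bytes(body, delta), tag))
```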

15.6.7. Exploiting Authentication Weaknesses of the Service Set Identifier

Two methods are defined in the 802.11b specification for validating wireless users as they attempt to gain access to a network. One method depends on cryptography. The other method consists of two types of non-cryptographic checks used to identify a wireless client attempting to join a network; both are considered identity-based verification mechanisms. When establishing a connection, the wireless station requesting access will reply to a challenge with the SSID of the wireless network—there is no true “authentication.” This method is known as closed system authentication. With closed system authentication, wireless clients must respond with the actual SSID of the wireless network. That is, a client is allowed access if it responds with the correct 0- to 32-byte string identifying the BSS of the wireless network. Conversely, when using open system authentication, a client is considered authenticated if it simply responds with an empty string for the SSID—hence, the name “NULL authentication.” Both of these primitive types of authentication are only identification schemes, not true authentication methods. Neither of these two schemes offers very strong security against unauthorized access. Both open and closed authentication schemes are highly vulnerable to attacks, and steps should always be taken to mitigate such risk.

It is possible for a WLAN to hide the SSID from potential intruders. Currently, a few APs have software settings used to exclude sending the SSID in order to obscure the WLAN’s identity. Even with this feature, it is fairly easy for a hacker to learn the SSID of an active but hidden WLAN. The hacker will do this by sending a spoofed “disassociate” message to the AP. This message will force the wireless station to disconnect and reconnect to the WLAN. This method of forcing a hidden WLAN to reveal its SSID typically takes a hacker less than a second to execute against a station actively transmitting data.

15.6.8. Exploiting Cryptographic Weaknesses

A common cryptographic technique used for authentication is shared key authentication, a simple challenge-and-response scheme whose premise is that only a legitimate client knows a shared secret. The access point generates a random challenge and sends it to the wireless client. The client encrypts the challenge with a cryptographic key (the WEP key) that it shares with the AP and returns the encrypted result to the AP. The AP decrypts the client's response and grants access only if the decrypted value matches the challenge it issued. The RC4 stream cipher is used to compute the encrypted and decrypted values. This method is a rudimentary cryptographic technique: it does not provide mutual authentication, because the client never authenticates the AP, so there is no assurance that the client is communicating with a legitimate AP rather than a rogue one. Challenge-response schemes of this kind are considered a very weak form of security and, because of this weakness, are vulnerable to many types of attack, such as the man-in-the-middle attack.
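The four-frame exchange described above, simulated in Python as an added example (not code from the book). RC4 is implemented directly; the 3-byte IV prepended to the WEP key, the 128-byte challenge and the 802.11 status codes follow the 802.11 shared key procedure, and the key values are constructed samples.

```python
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA), the cipher WEP shared key authentication uses."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation, XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# 802.11 authentication status codes relevant to this exchange
STATUS_SUCCESS = 0
STATUS_CHALLENGE_FAILURE = 15

def ap_challenge(bssid: str) -> dict:
    """Frame 2 (AP -> STA): the AP issues a fresh 128-byte random challenge."""
    return {"seq": 2, "bssid": bssid, "challenge": os.urandom(128)}

def sta_response(sta_key: bytes, frame2: dict) -> dict:
    """Frame 3 (STA -> AP): the station encrypts the challenge under RC4(IV || WEP key).

    Note what is absent: the station has nothing with which to verify who sent
    frame 2. Whatever BSSID issued the challenge, it gets an encrypted response.
    """
    iv = os.urandom(3)                        # WEP prepends a 24-bit IV to the key
    return {"seq": 3, "iv": iv, "body": rc4(iv + sta_key, frame2["challenge"])}

def ap_verify(ap_key: bytes, frame2: dict, frame3: dict) -> dict:
    """Frame 4 (AP -> STA): decrypt the response and compare it with the issued challenge."""
    recovered = rc4(frame3["iv"] + ap_key, frame3["body"])
    ok = recovered == frame2["challenge"]
    return {"seq": 4, "status": STATUS_SUCCESS if ok else STATUS_CHALLENGE_FAILURE}

def shared_key_auth(ap_key: bytes, sta_key: bytes) -> int:
    """Run the exchange between an AP holding ap_key and a station holding sta_key."""
    frame2 = ap_challenge("00:11:22:aa:bb:01")        # constructed BSSID
    frame3 = sta_response(sta_key, frame2)
    return ap_verify(ap_key, frame2, frame3)["status"]

def rogue_ap_collects_response(sta_key: bytes) -> bool:
    """A challenger holding no key at all still receives a well-formed encrypted
    response: the one-way scheme gives the station no proof of the AP's identity."""
    frame3 = sta_response(sta_key, ap_challenge("02:de:ad:be:ef:02"))   # constructed rogue BSSID
    return len(frame3["body"]) == 128 and len(frame3["iv"]) == 3

# constructed 40-bit WEP keys (sample values, not real keys)
WEP_KEY = bytes.fromhex("0102030405")
WRONG_KEY = bytes.fromhex("0a0b0c0d0e")

if __name__ == "__main__":
    print("legitimate client:", shared_key_auth(WEP_KEY, WEP_KEY))          # 0
    print("client with wrong key:", shared_key_auth(WEP_KEY, WRONG_KEY))    # 15
    print("rogue AP got a response:", rogue_ap_collects_response(WEP_KEY))  # True
```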

15.7. Password Gathering and Cracking Software

Weak passwords are among the most serious security threats in a networking environment. Security administrators have long suffered the effects of poor password administration, but they have learned over the last few years that a strong password policy can save an organization many hours of work in the long run. With the advent of WLANs, it was quickly discovered that passwords travel across unsecured networks from client to server all the time. LANs were once thought to be very secure, but now both network administrators and hackers have discovered that networking systems that pass passwords in cleartext across wired or wireless media are absolutely insecure. As a result, password encryption has become a must, and security mechanisms such as Kerberos implement such strong encryption. Two well-known security auditing tools, WinSniffer and Ettercap, are used by both administrators and hackers to view cleartext passwords; they are discussed below.

15.7.1. WinSniffer

WinSniffer is a Windows-based utility capable of capturing SMTP, POP3, IMAP, FTP, HTTP, ICQ, Telnet, and NNTP usernames and passwords in a blended wired/wireless networking environment. It is usually installed on a laptop dedicated to auditing wireless networks. In a switched network environment, WinSniffer captures passwords from clients or servers, and it can also recover passwords saved in applications when users have forgotten them. An adversary can use WinSniffer to monitor users checking e-mail over an unencrypted WLAN segment; with this tool, the attacker can easily pick up a user's e-mail login information and determine which domain the user accesses when checking mail. Information obtained in this manner gives the attacker full and unrestricted access to the unwitting user's e-mail account.

Hotspots (public access wireless networks) are commonly found in airports and in metropolitan areas, and they are among the most vulnerable places for user or peer-to-peer attacks. Victims who are unfamiliar with the security vulnerabilities of these hotspots are easy prey. Mobile users should be trained on just how easy it is to obtain login information through a peer-to-peer attack. Such users often check their e-mail or access a corporate network from a hotspot and in the process can unwittingly hand access to their accounts to hackers. Once a hacker has obtained a valid login to the victim's corporate account, he or she will often try to gain further access into the corporate network using the victim's credentials in order to locate more sensitive corporate information.

15.7.2. Ettercap

Ettercap is a multipurpose sniffer/interceptor/logger for use on a switched LAN. It supports almost every major operating system platform and can be downloaded from Sourceforge [8]. Ettercap can gather data in a switched network environment, a capability that exceeds the abilities of most audit tools and makes it a valuable addition to the hacker's toolbox. Ettercap uses the Unix-style ncurses library to create a menu-driven user interface that beginners find very user friendly. Some of its better known features are character injection into an established connection, SSH1 support, HTTPS support, remote traffic via GRE tunnels, PPTP brokering, plug-in support, a password collector, packet filtering and packet rejection, OS fingerprinting, a connection killer, passive LAN scanning, poison checking, and binding of sniffed data to a local port.

15.7.3. L0phtCrack

Operating systems commonly implement password authentication and encryption at the application layer; Microsoft Windows file sharing and NetLogon processes are examples of this. The challenge and response mechanism used by Microsoft has changed over the years from LM (weak security) to NTLM (medium-level security) to NTLMv2 (strong security). Before the release of NTLMv2, tools such as L0phtCrack could easily crack these hashes in a matter of minutes, so it is important to configure your Windows operating system to use NTLMv2 and not the weaker versions. Proper administration of patches and service packs is not enough; to secure a network so that it uses NTLMv2, much of the process must be accomplished manually [9]. LC4 is the latest version of the password auditing and recovery application L0phtCrack. According to the L0phtCrack Web site [10], LC4 provides two critical capabilities to Windows network administrators:

  1. It helps systems administrators secure Windows-authenticated networks through comprehensive auditing of Windows NT and Windows 2000 user account passwords.
  2. It recovers Windows user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.

LC4 supports a wide variety of audit approaches. It can retrieve encrypted passwords from stand-alone Windows NT, 2000, and XP workstations, networked servers, primary domain controllers, or Active Directories, with or without Syskey installed. The software is capable of sniffing encrypted passwords from the challenge-response exchanged when one machine authenticates to another over the network. This software allows administrators to match the rigor of their password audit to their particular needs by choosing from three different types of cracking methods: dictionary, hybrid, and brute force analysis. Finally, using a distributed processing approach, LC4 provides administrators the ability to perform time-consuming audits by breaking them into parts that can be run simultaneously on multiple machines.

Once the intruder has captured the targeted password hashes, the hashes are imported into LC4's engine and the dictionary attack begins automatically. If the dictionary attack is unsuccessful, a brute force attack is automatically initiated. The processor power of the computer doing the audit determines how fast a hash can be broken. L0phtCrack has many modes for capturing password hashes and dumping password repositories: one mode allows for "sniffing" on a shared medium (such as wireless), while another goes directly after the Windows Security Access Manager (SAM).

Windows 2000 service pack 3 introduced support for a feature called "SysKey" (short for System Key). This feature, first seen in Windows NT, is invoked using the syskey.exe executable. It encrypts the SAM so well that even L0phtCrack cannot extract passwords from it. L0phtCrack can notify an auditor that a SAM has been encrypted, so the auditor need not waste time attempting to extract an uncrackable password. L0phtCrack is one of the preferred tools in a hacker's arsenal, and a hacker is most likely to use it in an attempt to gain access to a network. Once a hacker obtains administrator-level account information, many of the other tools already discussed become quite useful to him or her.

15.7.4. Lucent Registry Crack

Proxim Orinoco PC cards store an encrypted hash of the WEP key in the Windows registry. The Lucent Registry Crack (LRC) utility is a simple command-line tool that decrypts these values. The problem hackers face is obtaining these values from another computer, particularly one that holds the proper WEP key for the AP the hacker wants to attack. This is accomplished using a remote registry connection, which the attacker can make with the Windows Registry Editor on his or her own computer. Once connected remotely, the hacker must know where the key is located in the remote registry in order to copy and paste it into a text document on his or her computer. The hacker can then use LRC to analyze the encrypted string and produce the WEP key, a process that takes only a few seconds at most. With the WEP key derived, the attacker can simply configure it on a computer to gain access to the target network. This process can be defeated when wireless end users are properly trained to implement safeguards against peer-to-peer attacks, such as installing personal firewall software or enabling IPSec policies.

15.7.5. Wireless Protocol Analyzers

Wireless protocol analyzers are used to capture, decode, and filter wireless packets in real time. Many products also support multiple frequency bands used in 802.11b and 802.11a networks. Protocol analyzers operate in RF monitor mode capturing packets as they are transmitted across the medium. Protocol analyzers make no attempt to connect or communicate with APs or other wireless peers while in this mode. There are many vendors in the protocol analyzer space, whose products include the following:

  • AirMagnet
  • Ethereal
  • Fluke WaveRunner Wireless Tester
  • Network Associates Sniffer Pro Wireless
  • Network Instruments Observer
  • Wildpackets Airopeek

Not all wireless packet analysis tools have identical functionality. For example, some do not offer real-time packet decoding. Some force the user to capture packets and export them to a reader utility. Some analyzers decode OSI Layer 2 through 7 protocols, whereas others decode only Layer 2 frame headers.

15.8. Share Enumerators

File sharing is a major benefit of client/server networking. A major risk in file sharing arises when a node or server is improperly configured and data are exposed to unauthorized access. Share enumerators are software programs that can scan a Windows subnet for open file shares. Open file shares are directories on a Windows network that are made available to users for public browsing. Exploiting open file shares is a method used by some Internet Trojans and viruses to spread and infect users. Other users on the Internet may be able to view or use files on the host computer, and the computer could be used for distributing files (e.g., music and video) through peer-to-peer file-sharing programs. Windows open file shares give anyone with public or domain-level access the ability to see the share, access it, and obtain data from it.

Legion 2.1 is a popular freeware program that quickly scans a Windows subnet and lists all open file shares. An auditor or hacker can use Legion to quickly determine what file shares are available for access on a network. A common open file share attack methodology is to access another computer's Windows registry remotely and redefine the properties of a file share to allow root-level access. After a system reboot, the file share still appears the same to the unsuspecting victim, but when a hacker browses the share, it allows him or her to view the entire contents of the root drive. If a node on the wireless segment has open file shares, those shares are exposed to any intruder who has gained access to the wireless network. Once file shares are located on the network, even shares whose settings are not public can be cracked or have their properties changed to allow further access.

15.9. Using Antennas and WLAN Equipment

Tools used for auditing WLANs include antennas, wireless cards, a portable computer, and specialized software. These tools are legal, readily available, and quite affordable. In most cases, the total cost for a wireless NIC, an antenna, and a pigtail cable is less than $100. The auditing software can be obtained freely from the Internet. This means anyone who has the desire can usually afford the equipment necessary to eavesdrop on an organization’s WLAN.

15.9.1. Antennas

Antennas come in many forms; some are magnetically mounted to the roof of a car, and some are made from Pringles potato chip cans. War drivers often use Orinoco or Cisco pigtail cables and various connectors to locate WLANs, and omnidirectional, high-gain Yagi, and patch antennas are all readily available for such uses. The war driver is able to easily determine network names, WEP usage, and even the GPS coordinates of the wireless devices located. Once a wireless network is found, a directional antenna such as a Yagi can be used to focus the radio beam and listen in from a great distance, which allows a hacker to operate without trespassing on a victim's property. A directional antenna is also capable of detecting much fainter signals than an omnidirectional antenna and allows the intruder to establish a better-quality link at greater distances.

15.9.2. Wireless Cards

Three very popular NICs are used by hackers to attempt intrusions into WLANs: the Lucent Gold PC Card, the Cisco 350 PC Card, and the Symbol LA-4121 PC Card. They are inexpensive, can be easily obtained, and allow external antennas to be connected using pigtail cables/connectors. Most auditing software supports the chipsets used in these NICs, and each NIC provides site-surveying software that is useful for more than just intrusions and intrusion audits.

15.10. Denial-of-Service Attacks and Tools

A denial in network availability involves some form of DoS attack, such as jamming. Jamming occurs when a malicious user deliberately sends a signal from a wireless device in order to overwhelm legitimate wireless signals. Jamming results in a breakdown in communications because legitimate wireless signals are unable to communicate on the network. Nonmalicious users can also cause a DoS. A user, for instance, may unintentionally monopolize a wireless signal by downloading large files, effectively denying other users access to the network. There are three main types of wireless DoS attacks: RF jamming, data flooding, and hijacking. The tools required to conduct any of these attacks are inexpensive and easy to acquire, but the damage to production, service, or end-user productivity can be immense if these types of attacks are not prevented.

15.10.1. RF Jamming

Jamming a Direct Sequence Spread Spectrum (DSSS) WLAN is fairly easy to do with inexpensive tools, and it can be conducted from relatively long range. Most WLANs operate at power outputs below 100 mW, and DSSS WLANs generally use only 22 MHz of the RF spectrum to transmit data. An RF generator producing very little power (less than 1 W), fed into either a directional or an omnidirectional antenna, can transmit a broadcast signal over very long distances. Because such devices run from a very small power source, they give anyone the ability to jam a WLAN easily.

Even though DSSS WLANs are resilient to noise interference, few can function properly when competing with an RF source jamming at a signal up to 40 times more powerful (4 W). This amount of generated RF signal can jam nearly any WLAN and cause a complete disruption (or denial) of service to client devices using the target access point. Another consideration is that users connecting to the jammed access point are allowed to connect to a rogue access point set up by an intruder and configured to display the same SSID as the (hijacked) authorized access point; that is why this type of attack is called hijacking. No WLAN manufacturer makes a device called an "RF jamming device," because of the legal implications involved, so a hacker must instead find equipment commonly used for testing WLAN antennas, cables, connectors, and accessories. One such piece of equipment is YDI's Power Signal Generator-1 (PSG-1), which can be seen at http://www.ydi.com. It is important to know that microwave ovens, Bluetooth devices, and even certain WLAN devices can inadvertently cause a jamming situation on a WLAN.

15.10.2. Data Flooding

Data flooding is the act of overwhelming an infrastructure device or computer with more data than it can process. There are three primary methods of performing a data flooding attack:

  1. Pull a very large file from the Internet.
  2. Pull or push a very large file from or to an internal server on the LAN.
  3. Use a packet generator software package.

Packet generator software is easy for even a novice to use, and it can push enough traffic to saturate any WLAN. A packet generation attack is more likely to get through effective network controls than the first two methods described above. This type of attack is very similar to RF jamming, except that it uses DSSS transmissions to accomplish the same result.

One might think it would require significant amounts of data to flood a WLAN, but that is not the case. A data flooding attack does not require very much data at all. An 802.11b-compliant access point will typically saturate at about 5.5 Mbps of throughput, and sometimes saturation occurs at even less than 5.5 Mbps because APs are half-duplex devices. A WLAN client can produce the same amount of throughput, so each client device also has the ability to saturate an AP. Such saturation effectively disables the AP, creating a DoS condition by denying a reasonable Quality of Service (QoS) to other users. Because WLAN devices use a protocol known as Carrier Sense Multiple Access/Collision Detection (CSMA/CD), all nodes attached to an AP are allocated a fractional slice of time in which to transmit (usually calculated by a method known as round-robin scheduling). When a single node transmits a huge chunk of data, however, the other nodes are essentially blocked from passing even very small amounts of data, because the time-slicing algorithm is in effect paused until the largest allowed data frame has been processed before a small slice of time is allocated to the other connections.

For example, a time-slicing algorithm allocates a 100 millisecond block of time to each of 10 connected devices. Device 8 sends a huge chunk of data that is broken down into the largest allowable frame size and transmitted, using 900 milliseconds to do so. Once the frame is transmitted, Device 9 gets 100 milliseconds, Device 10 gets its turn, then back to Devices 1 through 7, using up a total of one second of computer clock time before getting back to Device 8 again. Device 8 sends the next chunk, using 900 milliseconds again, and the process continues until the entire amount of data sent by Device 8 has been transmitted. In this simplistic example, it is easy to figure out that Device 8 is using 90 percent of the available time and denying equal service in 10 percent increments to the remaining nine devices.

15.10.3. Client Hijacking

Hijacking occurs when an unauthorized user takes control of an authorized user's WLAN connection. In wireless environments, hijacking is done at OSI Layer 2 when the intent is to create a DoS condition; when hijacking occurs at OSI Layer 3, the intruder is most likely attempting to initiate an attack surreptitiously. The unsuspecting victim who attempts to connect to a jammed access point is allowed to connect to a rogue access point set up by an intruder and configured to display the same SSID as the (now hijacked) authorized access point. To accomplish the hijack, hackers must set up the rogue AP to replicate the authorized access point; a WLAN PC card can be configured to operate as a rogue AP. When configuring a rogue software AP, it is important for the hacker to choose a channel that does not conflict with one in use by the victim. When the jamming device is used to force users to roam for a better connection, the client devices roam off the authorized hardware AP and onto the rogue software access point. After the Layer 2 connection has been hijacked, the next logical step in the attack is to allow the hijacked user to establish a Layer 3 connection with the hijacker, which can be done by running a DHCP server on the laptop serving as the AP. Windows-based products automatically renew DHCP leases whenever a Layer 2 connection is broken, and this autorenew function works to the hijacker's benefit.
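The two management-frame symptoms this chapter describes, a burst of spoofed disassociate frames (Section 15.6.7) and a second BSSID advertising the authorized SSID on another channel (the hijacking and rogue AP scenario above), are what a monitor-mode capture would show an administrator. The detector below is an added example, not the book's or any vendor's code: it runs over a constructed capture in a simplified text form, the authorized BSSID/channel inventory is assumed, and deauthentication frames are counted alongside disassociates because the same check applies to them.

```python
import re
from collections import defaultdict

# authorized SSID -> set of (BSSID, channel); constructed inventory, not real equipment
KNOWN_APS = {"CorpNet": {("00:11:22:aa:bb:01", 6)}}

# simplified capture line: "<seconds> <FRAME_TYPE> key=value ..."
LINE_RE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<type>\w+)\s+(?P<kv>.*)$")

def parse_frame(line: str):
    """Parse one capture line into a dict, or None if the line is not a frame record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"t": float(m["t"]), "type": m["type"], **fields}

def detect(lines, window: float = 1.0, burst: int = 5):
    """Return alert strings for disassociate/deauth bursts and unknown BSSIDs using a known SSID."""
    alerts = []
    recent = defaultdict(list)      # bssid -> timestamps of disassoc/deauth inside the window
    reported = set()                # (bssid, channel) pairs already flagged as rogue
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        if f["type"] in ("DISASSOC", "DEAUTH"):
            ts = recent[f["bssid"]]
            ts.append(f["t"])
            while ts and ts[0] < f["t"] - window:   # slide the window forward
                ts.pop(0)
            if len(ts) == burst:                     # fire once as the threshold is crossed
                alerts.append(
                    f"disassociate burst from {f['bssid']} ({burst} in {window:.1f}s): "
                    "possible spoofed disassociation (hidden-SSID discovery or hijack precursor)")
        elif f["type"] == "BEACON":
            ident = (f["bssid"], int(f["ch"]))
            if ident not in KNOWN_APS.get(f["ssid"], set()) and ident not in reported:
                reported.add(ident)
                alerts.append(
                    f"unknown BSSID {f['bssid']} advertising SSID {f['ssid']} "
                    f"on channel {f['ch']}: possible rogue AP")
    return alerts

# constructed sample capture (not a real trace): normal beacons, then a burst of
# broadcast disassociates "from" the authorized AP 5 ms apart, then beacons from a
# second BSSID using the same SSID on a different channel
SAMPLE = [
    "0.000 BEACON bssid=00:11:22:aa:bb:01 ssid=CorpNet ch=6",
    "0.102 BEACON bssid=00:11:22:aa:bb:01 ssid=CorpNet ch=6",
    "0.205 BEACON bssid=00:11:22:aa:bb:01 ssid=CorpNet ch=6",
] + [
    f"{0.300 + 0.005 * i:.3f} DISASSOC bssid=00:11:22:aa:bb:01 dst=ff:ff:ff:ff:ff:ff"
    for i in range(8)
] + [
    "0.400 BEACON bssid=02:de:ad:be:ef:02 ssid=CorpNet ch=11",
    "0.502 BEACON bssid=02:de:ad:be:ef:02 ssid=CorpNet ch=11",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```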

15.11. Rogue Devices as Exploitation Tools

Ideally, rogue APs are placed to allow an intruder to gain the highest degree of access possible into a network and establish and maintain unauthorized control over the hacked network. What follows is a discussion on AP placement in order to prevent and discover rogue devices on your network.

15.11.1. Access Points

Rogue devices are usually placed in an area where they appear to belong there in the first place. A rogue AP should not cause any disruption in service to the existing network; because it is intended to be used surreptitiously, adversaries are generally very cautious when placing rogue APs so that they will not be noticed. If an administrator happens to be scanning an area where a rogue device is suspected, he or she will look for unencrypted data packets as the first sign that a rogue device exists, since there is virtually no way to tell the difference between data packets encrypted with an intruder's WEP key and data packets encrypted with an authorized WEP key.

Rogue devices are often placed near building perimeter points, especially near a window, to optimize coverage. The intruder will attempt to place the rogue device in a part of the building that has a physically insecure perimeter so he or she can be within range of the access point and not arouse suspicion.

Intruders may use 900 MHz units instead of 2.4-GHz (802.11b) or 5 GHz (802.11a) WiFi-compliant units. Virtually no WLAN discovery tool can use the 900 MHz range. Intruders may also use FHSS technology such as Bluetooth, OpenAir, or HomeRF instead of DSSS. Few WLAN discovery tools are even able to use FHSS equipment. Additionally, intruders often use horizontally polarized antennas in order to give the rogue device a very small RF signature when scanning devices are used to find rogue devices. Such rogues are unlikely to be detected in a scan unless the administrator is physically close to the rogue device.

15.11.2. Wireless Bridges

A rogue bridge placed within the Fresnel Zone of an existing bridge link poses a great security risk. A Fresnel Zone is the area around the visual line-of-sight that radio waves spread out into after they leave the antenna. This area must be clear or signal strength will weaken. Fresnel Zones are an area of concern for wireless transmissions using the 2.4-GHz range. The 2.4-GHz signals can pass through walls easily, but they have a tough time passing through trees because of the water content; 2.4-GHz signals are absorbed in water, so any barrier with a high water content becomes a problem. The Fresnel Zone of a wireless bridge link may span several miles and can be extremely broad. This fact makes placement of a rogue bridge much easier for an intruder. Conversely, rogue detection becomes much tougher for an administrator. A rogue bridge must be set up with a very low priority; otherwise, it will become the root bridge and be detected. Intruders tend to use high-gain directional antennas in order to ensure a consistent, high-quality connection. Locating a rogue bridge in a three-mile point-to-point bridge link lessens the chances of being discovered significantly when compared to setting up the rogue device inside a corporate office. Administrators are rarely able to detect the presence of rogue bridges.

References

Material in this section is excerpted from the Cybersecurity Operations Handbook, by John W. Rittinghouse and William M. Hancock, New York: Digital Press, 2003. Reprinted with permission.
