CHAPTER 9

WLAN Auditing Tools

WI-FI NETWORKS REQUIRE AUDITING on an ongoing basis. Indeed, auditing is essential. It conveys to the network administrator the network’s precise status at any time. This is especially true for Wi-Fi because of its inherent vulnerability as a broadcast medium—that is, it transmits to anyone who is interested.

In recent years, Wi-Fi has become pervasive both in the workplace and in the home. This is due in large part to its affordability and its ease of installation. This is great for installers and administrators, but there is a downside. Because they are cheap and easy to install, Wi-Fi networks are constantly under threat of unauthorized access. This unauthorized access can occur as a result of misconfiguration, due to a lack of basic security controls, or because of the addition of rogue access points or ad hoc networks to the wireless local area network (WLAN). To counter these vulnerabilities, it is essential to audit and monitor the WLAN on a continuous basis.

Performing network audits is not an easy task because there are many potential attack vectors. There are, however, many tools available to assist in this sometimes difficult task. WLAN auditing requires a wide variety of both general-purpose and highly specialized tools. These range from basic WLAN discovery tools to wireless protocol analyzers and network management applications.

Unfortunately, attackers can use these same tools to find security weaknesses and gain access to the network. Therefore, understanding these tools—how they both help network administrators and can be used against them—is a critical aspect of WLAN security. This chapter focuses on these tools, providing a primer on both how to use them and how to protect the network from them.

Chapter 9 Topics

This chapter covers the following concepts and topics:

  What WLAN discovery tools are available

  What penetration testing tools are available

  What password-capture and decryption tools are available

  What network management and control tools are available

  What WLAN hardware audit tools and antennas are available

  What common attack tools exist and what the techniques for using them are

  What the most commonly used network utilities are

Chapter 9 Goals

When you complete this chapter, you will be able to:

  Discuss WLAN discovery tools such as NetStumbler, InSSIDer, Kismet, and HeatMapper

  Describe how penetration testing tools are used by both administrators and attackers

  Understand the Metasploit framework, including password-capture and decryption techniques

  Describe how network management and control tools are used

  Describe how wireless protocol analyzers are used

  Describe how antennas and WLAN hardware audit tools are used

  Describe attack tools and techniques such as frequency jamming, DoS, and hijacking

  Understand how network utilities are used by both administrators and attackers

WLAN Discovery Tools

Many WLAN discovery tools are available to the network auditor. These range from the built-in discovery software that comes with network adapters—or within Windows or Linux—to more sophisticated tools such as NetStumbler and Kismet, which do far more than simply recognize and display available WLANs.

NetStumbler and InSSIDer

NetStumbler was a free Windows-based software utility designed to locate and interrogate WLANs that use 802.11a, 802.11b, and 802.11g. But NetStumbler didn’t just capture the information from beacons, such as the service set identifier (SSID), the signal strength, and the access point name. It also captured Global Positioning System (GPS) settings and media access control (MAC) addresses. In addition, it was useful for detecting rogue access points or other networks in the vicinity that might be causing interference.

NetStumbler was the preferred tool for network administrators, who used it to conduct wireless audits. It was also among the favorite tools for hackers who engaged in wardriving (driving around and searching for unsecured wireless networks). Although it has not been updated for several years, it is still used in some places.

The effective replacement for NetStumbler, which does not work well with modern 64-bit systems, is InSSIDer. Much like NetStumbler, InSSIDer is a Wi-Fi network-scanning application, albeit with more features and the ability to support both Windows and the Mac OS. InSSIDer began as a free, open source tool, but has since become a commercial application with variants that not only scan but also help with network visualization, optimization, and troubleshooting.

Kismet

Kismet is a Wi-Fi scanner that runs on Linux. It is capable of detecting and interrogating 802.11a, 802.11b, 802.11g, and 802.11n networks. Kismet also works as a network sniffer and detector and as an intrusion detection system (IDS).

Kismet works on any network interface that can support raw monitoring mode (the ability to capture packets without first associating with an access point). It’s compatible with network analyzers and file loggers such as Airshark and tcpdump. Kismet can also determine network IP ranges and supports built-in channel hopping. That means it can detect networks active on all channels by hopping through the spectrum.

Kismet can also “decloak” SSIDs hidden from the network by listening rather than broadcasting. In listening mode, it can identify cloaked SSIDs by intercepting authentication and association requests from clients (who already know the SSID) wishing to join the networks. Furthermore, Kismet listens for clients’ responses to beacon frames, which enables it to then associate clients with access points.

Kismet is useful for wardriving, site surveys, and detecting rogue APs, and as a distributed low-cost IDS. Performing as an IDS, Kismet can be distributed throughout the workplace and monitored by a single server running a Layer 3 IDS application such as Snort. A large enterprise will likely have a much more sophisticated IDS, but this is a good option for smaller networks with lower-risk profiles.

Network discovery tools such as NetStumbler, InSSIDer, and Kismet are good at finding networks, but locating access points can be a tedious business. For that type of task, tools such as HeatMapper are useful.

HeatMapper

HeatMapper enables you to locate and map out the radio frequency (RF) footprint for each discovered access point against either a default grid or an imported floor plan. After you have conducted your site survey (simply by walking around), HeatMapper presents the coverage overlaid on the floor plan, showing you where gaps and overlaps exist. The enterprise version, called Ekahau, offers additional features.

These network discovery tools can be and are used by administrators for authorized auditing purposes and by attackers for mapping out and identifying potential targets. As noted, Kismet can even discover cloaked SSIDs, so an attacker can easily find hidden networks. To mitigate the risk of an attacker discovering and interrogating the network, an administrator can use a number of techniques to reduce the effectiveness of discovery tools. These involve applying advanced security measures such as 802.1X, Extensible Authentication Protocol (EAP), or virtual private networks (VPNs) to securely encrypt and tunnel the packets. Other methods include using fake access points to generate counterfeit beacons. These mask the presence of genuine access points by confusing tools such as NetStumbler and Kismet. Administrators must also conduct regular surveys to ensure that well-meaning employees have not installed their own rogue access points, which are often exploited by wardrivers.
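The two discovery behaviours described above, learning SSIDs from beacons and filling in cloaked SSIDs from the association requests of clients that already know them, come down to parsing 802.11 management frames. The following is an added example, not code from the chapter or from Kismet: it parses constructed beacon and association-request frames, then checks every access point heard against an authorized inventory so that a rogue AP, or a hidden one that a client has just revealed, shows up in the audit report. The MAC addresses, SSIDs and inventory are constructed for illustration.

```python
"""Parse 802.11 beacon and association-request frames and check the
access points they reveal against an authorized inventory.

Added example, not code from the chapter or from Kismet: the frames, MAC
addresses and inventory below are constructed for illustration."""
import struct

SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_BEACON = 0x8
BROADCAST = b"\xff" * 6


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _parse_ies(data):
    """Walk the tagged parameters (tag, length, value) that end a frame."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Return a dict for a beacon or association request, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0:                      # only management frames carry SSIDs
        return None
    sa, bssid = _mac(frame[10:16]), _mac(frame[16:22])   # addr2, addr3
    if subtype == SUBTYPE_BEACON:
        ies = _parse_ies(frame[24 + 12:])   # skip timestamp, interval, capability
        ssid = ies.get(0, b"").decode("utf-8", "replace")
        return {"kind": "beacon", "bssid": bssid, "ssid": ssid,
                "hidden": ssid.strip("\x00") == "",   # empty or NUL-filled SSID
                "channel": ies.get(3, b"\x00")[0]}
    if subtype == SUBTYPE_ASSOC_REQ:
        ies = _parse_ies(frame[24 + 4:])    # skip capability, listen interval
        return {"kind": "assoc_req", "bssid": bssid, "client": sa,
                "ssid": ies.get(0, b"").decode("utf-8", "replace")}
    return None


def audit(frames, authorized):
    """authorized maps BSSID -> expected SSID.  Beacons establish which APs
    are on the air; association requests from clients (which already know
    the SSID) fill in SSIDs that beacons withhold."""
    beacons, learned = {}, {}
    for frame in frames:
        p = parse_mgmt_frame(frame)
        if p is None:
            continue
        if p["kind"] == "beacon":
            beacons[p["bssid"]] = p
        elif p["ssid"]:
            learned[p["bssid"]] = p["ssid"]
    report = []
    for bssid in sorted(beacons):
        b = beacons[bssid]
        ssid = learned.get(bssid) if b["hidden"] else b["ssid"]
        status = "authorized" if authorized.get(bssid) == ssid else "rogue"
        report.append({"bssid": bssid, "ssid": ssid, "channel": b["channel"],
                       "hidden": b["hidden"], "status": status})
    return report


# --- constructed frames ---------------------------------------------------
def _header(subtype, da, sa, bssid):
    return bytes([subtype << 4, 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"


def make_beacon(bssid, ssid, channel):
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return _header(SUBTYPE_BEACON, BROADCAST, bssid, bssid) + fixed + ies


def make_assoc_req(client, bssid, ssid):
    fixed = struct.pack("<HH", 0x0411, 10)         # capability, listen interval
    return (_header(SUBTYPE_ASSOC_REQ, bssid, client, bssid) + fixed
            + bytes([0, len(ssid)]) + ssid)


def run_audit():
    corp = bytes.fromhex("001122334401")
    cloaked = bytes.fromhex("02aabbccdd01")
    freewifi = bytes.fromhex("001122334402")
    client = bytes.fromhex("0cdeadbeef01")
    frames = [
        make_beacon(corp, b"CorpNet", 6),
        make_beacon(cloaked, b"", 11),                  # SSID withheld from beacons
        make_assoc_req(client, cloaked, b"HiddenAP"),   # a joining client reveals it
        make_beacon(freewifi, b"Free-WiFi", 1),
    ]
    authorized = {"00:11:22:33:44:01": "CorpNet"}
    return audit(frames, authorized)


if __name__ == "__main__":
    for row in run_audit():
        print(row)
```

Run as written, the report lists CorpNet as authorized and two rogues: Free-WiFi, and the cloaked AP whose name becomes known the moment a client associates. The lesson for the administrator is the one the chapter draws: hiding an SSID does not hide the network, and the only reliable defence is a regular survey against a known inventory plus strong link-layer security.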

Penetration Testing Tools

Like any other protected network environment that is subject to attack, the Wi-Fi network infrastructure requires security hardening, such as the use of demilitarized zone (DMZ) Web servers. There are many tools and techniques available, but simply installing them and assuming they work has proven disastrous for many organizations. A better practice is for companies to test their own defenses using penetration testing (pentesting). Pentesting is the practice of searching for vulnerabilities on a network that an attacker could exploit and then attempting to exploit them yourself. In essence, pentesting is attacking the network with permission. Pentesting works on the theory that you are better off looking for weaknesses yourself than having an attacker find them for you (or worse, having a weakness that goes unnoticed by you for years and is exploited without your knowledge).

NOTE

Pentesting without express permission is hacking and is considered illegal, even if well intended. It’s always best (for professional and legal considerations) to get pentest agreements in writing.

You can perform manual pentests, but there are automated tools and specialized software frameworks available as well. One of the most popular frameworks for pentesting is Metasploit.

Metasploit

Pentesting tools such as Metasploit are used on mature networks to assess their state of defense. Pentesting is typically goal oriented, and this is where it differs from vulnerability assessments. Metasploit does both. It can be used as a pentesting tool to look for specific weaknesses and as a general vulnerability scanner.

With vulnerability scans or assessments, the administrator looks to find all known common vulnerabilities and to remove them. Once the administrator is satisfied that most, if not all, high-risk vulnerabilities have been mitigated, he or she will rerun the vulnerability assessment until a high score is achieved. (A low score indicates several problems.) When satisfied that the network is secure, the administrator may test that assumption by carrying out a pentest for specific targets and attack vectors.

The Metasploit framework is open source software built to assist administrators in “attacking” their own networks. It’s a great tool, but it represents a classic double-edged sword in that attackers, too, can and do use it. If nothing else, tools such as Metasploit force administrators to adopt pentesting to prevent attackers from gaining asymmetric information about the network (in other words, to prevent attackers from knowing more about aspects of your network than you do).

Security Auditor’s Research Assistant

Another pentest tool that also works as a vulnerability scanner is Security Auditor’s Research Assistant (SARA). SARA integrates with the National Vulnerabilities Database (NVD) and can perform many pentests, including SQL injection and cross-site scripting (XSS) tests. (XSS is a popular hacking technique that takes advantage of vulnerabilities in Web-based application code. The exploit enables a hacker to get clients to transmit end-user information and data, which can be sold or otherwise used by the hacker.) One particularly good feature of SARA is its ability to integrate with Nmap, a Transmission Control Protocol/Internet Protocol (TCP/IP) network utility that allows for operating system (OS) fingerprinting and remote network port scanning for open TCP/User Datagram Protocol (UDP) ports and applications.

NOTE

An important distinction between vulnerability scanning and pentesting is that vulnerability scans are non-intrusive and do not cause damage, whereas pentesting can cause an outage.

Password-Capture and Decryption Tools

When conducting any Wi-Fi network audit, it is wise to check for weak passwords. Aside from unencrypted sessions, weak passwords are often the most common and serious security threat to a network. Passwords that are easy to crack enable an eavesdropper to exploit them, perhaps gaining deep access into a network (depending on the level of the person whose password was cracked). This is especially true when dealing with default administrator passwords on network devices.

There are several tools for auditing and recovering passwords; Nessus and Aircrack-ng are two of the most popular. Nessus is particularly good at spotting default administrator passwords for Web applications. Aircrack-ng is also able to crack Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access 2–preshared key (WPA2-PSK) passwords as well as perform packet capture and forced deauthentication and reauthentication. Being able to force a reauthentication handshake is an essential step in capturing the authentication and association process between clients and access points.

WEP and WPA are not secure. To mitigate the risk of an attacker eavesdropping and recovering network passwords, it is important to establish strong security such as WPA2-PSK or WPA2 Enterprise, which uses Advanced Encryption Standard (AES) encryption and Remote Authentication Dial-In User Service (RADIUS) authentication. Aircrack-ng can still break WPA2-PSK if given a large enough packet sample and enough time, but it is not a trivial task.

More important perhaps is that attackers are not always looking for access point or client authentication keys or passwords. In fact, in most cases, attackers are looking for operating system passwords for applications. Tools such as Win Sniffer and Ettercap can promiscuously capture all packets on a network segment. They can then decode File Transfer Protocol (FTP), Post Office Protocol 3 (POP3), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Telnet passwords. Both Win Sniffer and Ettercap can run for days, collecting packets and recovering passwords. This underscores the advantage that the bad guys have: the ability to automate tasks to collect information and probe for weaknesses.

Another favorite target is open shares on client devices. These enable attackers to gain a foothold in the network. Open share is a method of sharing files directly between clients over an air interface. L0phtCrack is one tool that is commonly used on Windows-based clients to crack network password hashes on file shares and network logons. (A hash is a number generated from a string of text via a formula used in encryption.)

Password crackers often use dictionary-style attacks. In this type of attack, attackers use freely available online password dictionaries to try out a vast array of words. Some of these dictionaries contain millions of possible passwords using both real words and combinations accumulated from password databases stolen from Web sites. These password crackers are called dictionary password crackers. In a dictionary attack, each item in the dictionary or word list is encrypted in sequence using the same encryption method as the password. The resulting hash code is then compared to the original password’s hash code. If they differ, the software tries the next entry. If they match, the password is revealed.

The advantage attackers have here is that many passwords are actually very simple. (Humans have a hard time remembering complex passwords.) As a result, passwords can usually be cracked very quickly using a large dictionary. When used against a captured password database, password crackers can run thousands—even millions—of permutations against the database per second.

Related to a dictionary list is a rainbow table. A rainbow table is a list of password combinations within a certain range and their matching hashes. A rainbow table may contain hundreds of thousands of known or previously discovered passwords and their hash equivalents, making the cracking of passwords much more efficient. These tables, which are collated by hackers and distributed online, are usually used to crack a plaintext password up to a certain length consisting of a limited set of characters. Having captured the hash, the attacker can then compare the hashed password against the table. When a match is found, the attacker can determine the password.

Dictionary password crackers like Aircrack-ng, Cain & Abel, and John the Ripper also use brute-force attacks to try to recover passwords. The difference between a dictionary attack and brute-force methods is that a dictionary attack decrypts passwords, whereas a brute-force attack cracks the password by comparing all possible combinations of characters for a given password length.

Brute-force attacks are generally inefficient against strong, complex passwords because they churn through all the possible combinations of characters. For example, if a password uses both uppercase and lowercase letters A to Z, numbers 0 to 9, and 10 special characters, there are 72 possible entries for every character in a password. That means a five-character password would have 1.934 billion possible combinations (72 × 72 × 72 × 72 × 72). This seems like a really large number of combinations, but it would not take that long for a high-end computer to process them all. On the other hand, an eight-character password has a mind-boggling 722,200 billion combinations, which is why most secure Web sites require passwords of at least eight characters.

Complicating matters is the fact that the attacker does not know how long a password is. This, along with the sheer math involved in working out all the possible permutations, is usually enough to thwart most brute-force password attacks unless the password is less than five characters long.

To be effective, both dictionary and brute-force attacks require a captured hashed sample password for comparison purposes. This is easily achieved using tools like Airodump-ng, which is part of the Aircrack-ng suite of tools, to capture packets in monitor mode over the wireless network. If this is not possible, the tools can be scripted to try candidate passwords against live sites. Now, however, most sites do not permit more than a few unsuccessful login attempts before logging the user out or challenging the user with a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA). This makes it very inefficient to use these tools in live mode. Attackers must resort to slow attack mode, whereby they attempt only two or three permutations an hour to avoid triggering the lockout or CAPTCHA.
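The dictionary and brute-force mechanics described in the preceding paragraphs, hash each candidate with the same function as the stored hash and compare, then fall back to every combination of a character set for a given length, are short enough to show end to end. The following is an added example, not code from the chapter or from Aircrack-ng, Cain & Abel or John the Ripper: it runs an offline audit of constructed password hashes against a small word list with the common mutations (capitalisation, appended digits), computes the chapter's 72-symbol keyspace figures, and brute-forces a short string to show how the attempt count grows with length. Unsalted SHA-256 is an assumption standing in for whatever scheme a real system uses; an audit must hash candidates exactly the way the target system does.

```python
"""Offline password audit in the style the chapter describes: hash each
word-list candidate with the same function as the stored hashes and look
for matches, plus the brute-force keyspace arithmetic for the 72-symbol
alphabet used in the chapter's example.

Added example, not code from the chapter or from any of the crackers it
names.  The stored hashes and word list are constructed; unsalted SHA-256
stands in for whatever scheme a real system uses."""
import hashlib
import itertools
import string

# 26 upper + 26 lower + 10 digits + 10 specials = 72 symbols per position
CHARSET_72 = string.ascii_letters + string.digits + "!@#$%^&*()"
CHARSET_36 = string.ascii_lowercase + string.digits


def keyspace(charset_size, length):
    """Number of candidates a brute-force attack must try for one length."""
    return charset_size ** length


def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_audit(stored, wordlist):
    """stored: {user: hex digest}.  Returns {user: password} for every
    account whose password is a word-list entry or a simple mutation of one."""
    candidates = set()
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in ("", "1", "123", "!", "2024"):
                candidates.add(base + suffix)
    # hash every candidate once, then compare against all stored hashes
    lookup = {digest(c): c for c in candidates}
    return {user: lookup[d] for user, d in stored.items() if d in lookup}


def brute_force(target_digest, charset, max_len):
    """Try every string of length 1..max_len in order; return the password
    and the number of hashes computed, or (None, attempts) if not found.
    The attacker does not know the length, so every shorter length is
    exhausted before the next one starts."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if digest(candidate) == target_digest:
                return candidate, attempts
    return None, attempts


# --- constructed data -----------------------------------------------------
WORDLIST = ["password", "summer", "welcome", "letmein"]
STORED = {
    "alice": digest("password"),    # word-list entry verbatim
    "bob": digest("Summer123"),     # capitalised word plus a common suffix
    "carol": digest("Mod$wb!02"),   # the chapter's mnemonic-style password
}


def run_audit():
    return dictionary_audit(STORED, WORDLIST)


if __name__ == "__main__":
    print("weak accounts:", run_audit())
    print("72^5 =", keyspace(72, 5), " 72^8 =", keyspace(72, 8))
    pw, n = brute_force(digest("z9"), CHARSET_36, 3)
    print(f"brute force recovered {pw!r} after {n} hashes")
```

The audit flags alice and bob but not carol, whose mnemonic-derived password is in no word list and, at nine characters from a 72-symbol alphabet, sits in a keyspace far beyond the 722,200 billion combinations the chapter gives for eight. Salted, slow hashing (bcrypt, scrypt, Argon2) on the server side removes the "hash once, compare against all users" shortcut the lookup table exploits here.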

TECHNICAL TIP

A good way to create a strong but easy-to-remember password is to compose a sentence that is meaningful to you, write down the first letter of each word in the sentence, and convert it to “code” by using symbols instead of letters where possible. For example, take the sentence “My oldest daughter Samantha was born in 02.” By using a dollar sign ($) in lieu of the letter S and an exclamation point (!) instead of the letter I, you get Mod$wb!02, a nine-character password that is seemingly random, strong, and rather easy to remember.

The only way to mitigate the threat of password cracking by an attacker is to ensure that users create strong passwords, and that they use different passwords for different applications. This is usually not the case, however. Many users employ the same password for everything. This obviously is not a secure method; however, it is a very human one. Passwords are difficult to remember, especially if you have chosen a strong one. Using the same password over and over again is especially dangerous because of breaches such as those revealed at Target, Home Depot, and others, where entire databases of usernames and passwords were stolen. A routine practice by hackers is to set up an automated scheme to check credit card, bank, and other retail sites for the same combinations.

The problem for users comes down to being able to remember the passwords for each application when required. One answer to this is to use a password management system (PMS). A PMS will securely store encrypted passwords for all the Web sites you visit and will automatically log you in using the appropriate encrypted password. This means you can create very difficult-to-remember—but very secure—passwords and store them in the PMS. You need not remember them, as you will be logged in by the PMS. Access to the PMS password database and repository requires a master password, which should be both strong and easy to remember in the event other passwords need to be modified for any reason.

Remember that passwords are gold to hackers. They allow them to log on and gain access to all of someone’s data and services.

Network Enumerators

Network enumerators are software programs that scan a network for active hosts. They often list the IP addresses in a subnet and then go a step further to fingerprint each IP. Popular network enumerators include Nessus and Nmap, which provide information on the network infrastructure such as open ports and supported services. For detecting Windows shares, a program like Legion from Rhino9 will quickly scan an entire subnet and return a list of devices with their open file shares.

Typically, attackers will try to determine the operating system and the availability of open ports on any client devices they see on the network, a technique called OS fingerprinting, or port scanning. A popular tool for this used by administrators and attackers alike is LanGuard. LanGuard can quickly fingerprint an entire network and return in its payload information such as the service packs installed, the security patches installed, services in use, open ports, users and groups, and known vulnerabilities and exploits.

To protect against devices running LanGuard, Nessus, or Legion (or at least to detect their presence), a wireless intrusion prevention system (WIPS) can be used. These programs are easy to detect because they are quite noisy on the network, meaning they request a great deal of information from other devices while scanning and probing ports and services. Because of this, periodic scans with a network protocol analyzer—even brief ones—will reveal the presence of a rogue scanning device on the network.

NOTE

Similar to a network enumerator is a share enumerator. Share enumerators scan a Windows subnet for open file shares. They look for usernames and for information on groups, shares, and available services.

Network Management and Control Tools

Network administrators and IT security professionals can bring to bear a broad array of tools and solutions to help monitor, troubleshoot, and manage the network. The most common of these are protocol analyzers and network management tools. These not only help optimize the network, but also send alerts when suspicious or unusual activity occurs.

As noted before, however, many of the same tools can be—and are—used by hackers to gain insight into the network or to find holes in security that can then be breached. Generally speaking, tools are neither good nor bad (although there are some that are purpose-built for hacking). It depends on the motives of the person using them. This section covers some of the more common tools and notes where they can be used against you.

Wireless Protocol Analyzers

Network administrators who need to identify and correct deep-seated network faults often use network protocol analyzers to help them. Protocol analyzers are also used for security purposes to reveal and locate devices that are behaving contrary to the rules and protocols of the network. For example, using a protocol analyzer, client devices that are scanning ports and addresses on a subnet can be quickly identified and, if proven to be a problem, can be remediated.

Excessive probing and scanning behavior is often an indication of a virus infection, as that is how a worm replicates throughout the network. However, that is not always the case. It can also be the result of an attacker running Nmap, Nessus, or some other network discovery tool.

Because they provide a good indication of what’s going on, network protocol scans should be a normal part of a network administrator’s weekly task list. In most cases, anomalous traffic is found to be legitimate, but there are times when “odd” traffic is indicative of an attack or threat. Listening and investigating is a sound practice.
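Enumerators such as Nmap, Nessus and LanGuard are "noisy", as the Network Enumerators section puts it, and the paragraphs above say a protocol analyzer reveals that noise as one client touching many ports or many hosts. The following is an added example, not code from the chapter or from any of those tools, of the check an administrator runs over a capture: it parses constructed connection records (the five-field format, timestamp, source, destination, destination port, protocol, is an assumption of this example) and flags any source that, within a sliding window, probes many ports on one host (a port scan) or one port across many hosts (a sweep), while leaving ordinary traffic alone.

```python
"""Scan detection over connection records, the check an administrator runs
after a protocol-analyzer capture: a source that touches many ports on one
host (port scan) or one port on many hosts (sweep) inside a short window.

Added example, not code from the chapter or from Nmap, Nessus or LanGuard;
the records below are constructed and their format is an assumption."""
from collections import defaultdict
from datetime import datetime


def parse_records(text):
    """One record per line: ISO timestamp, src, dst, dst port, protocol."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def detect_scanners(records, window_s=60, port_threshold=10, host_threshold=10):
    """Return {source: [alert, ...]} for sources whose activity inside any
    window_s-second window crosses either threshold."""
    by_src = defaultdict(list)
    for rec in sorted(records):
        by_src[rec[1]].append(rec)
    alerts = defaultdict(set)
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most window_s
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, _, dst, dport, _ in recs[start:end + 1]:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    alerts[src].add(f"port scan of {dst}")
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    alerts[src].add(f"sweep on port {dport}")
    return {src: sorted(a) for src, a in alerts.items()}


# --- constructed capture --------------------------------------------------
def constructed_log():
    lines = [
        "2024-05-01T10:00:00 10.0.0.5 10.0.0.20 445 tcp",   # ordinary client
        "2024-05-01T10:00:05 10.0.0.5 10.0.0.21 80 tcp",
        "2024-05-01T10:00:09 10.0.0.5 10.0.0.1 53 udp",
    ]
    # one source probing twelve ports on a single host in twelve seconds
    probe_ports = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
    lines += [f"2024-05-01T10:01:{i:02d} 10.0.0.66 10.0.0.20 {p} tcp"
              for i, p in enumerate(probe_ports)]
    # one source trying port 445 against eleven different hosts
    lines += [f"2024-05-01T10:02:{i:02d} 10.0.0.77 10.0.0.{30 + i} 445 tcp"
              for i in range(11)]
    return "\n".join(lines)


def run_detection():
    return detect_scanners(parse_records(constructed_log()))


if __name__ == "__main__":
    for src, found in run_detection().items():
        print(src, "->", ", ".join(found))
```

The thresholds and window are the administrator's tuning knobs, exactly as the chapter says for SNMP alerting later on: too low and a busy file server's legitimate clients raise alerts, too high and a slow scan spread over hours slips under the window, which is the "slow attack mode" problem in reverse.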

Aircrack-ng

Some wireless network tools have built-in protocol analyzers. One such tool is Aircrack-ng, which runs on both Windows and Linux. It’s a suite of software tools consisting of a network detector, a packet sniffer/collector/injector, and a dictionary-based password cracker. The suite of programs includes the following:

  Aircrack-ng—This is a dictionary-attack tool used against passwords on WEP- and WPA-protected networks.

  Airmon-ng—This is a tool for configuring a network card in monitor mode, a prerequisite to network discovery.

  Airdeauth-ng—This is a tool to force deauthentication that kicks off an attempt by the client to re-authenticate, which is then hijacked. (This is discussed further later in the chapter.)

  Aireplay-ng—This is a tool for packet injection.

  Airodump-ng—This is a packet sniffer that captures packets and places them into files for analysis. It can be used as a protocol analyzer. It also shows detailed network information, so it is useful as a discovery tool.

  Packetforge-ng—This is a tool for creating encrypted packets for injection into the network.

  Airbase-ng—This is a tool for attacking clients rather than access points.

Airshark

Another popular and effective protocol analyzer is Airshark, a wireless variant of the hugely popular Wireshark protocol analyzer for wired Ethernet networks. Airshark, which is free, is very capable, making it a good tool for discovering rogue access points, other rogue devices, viruses, and anomalous activity on a wireless network.

NOTE

Although the names are similar, Airshark and Wireshark are not affiliated.

Airshark works by running the network interface in promiscuous mode to capture all traffic on the network (in this case, over the WLAN). In doing so, Airshark can pinpoint TCP conversations and threads, presenting them in a color-coded display. This makes it easy to follow the interactions between devices within any given conversation. Additionally, the software looks inside the packets to reveal much more than just headers and ports, but also in-depth drilldowns into the payload of each packet within the TCP stream. This can be a very quick way to check for encryption, as it is readily clear whether the payload data has been encrypted. Furthermore, by checking the conversation streams, it will soon become clear if one host in particular is scanning the network or probing for gateways, DNS servers, or open shares.

Like all other tools, wireless protocol analyzers can be used for both good and evil. It’s important to recognize that unlike discovery tools, protocol analyzers are passive in their mode of operation. As such, they do not create noise on the network. An administrator will use them to determine the status of the network and to detect and reveal rogue devices or unencrypted wireless traffic. Protocol analyzers are also useful for determining whether an RF cell is oversized or if devices are incorrectly configured—for example, by logging and reporting failed authentication and associations.

Because protocol analyzers reveal critical insights in unencrypted systems, such as Layer 2 and Layer 3 information and packet payloads, they are widely used by eavesdroppers and attackers. With Airshark, packets can be captured, manipulated, and reinjected in a man-in-the-middle–style attack. This makes Airshark a very useful attack tool—one that can be used by both novices (in a limited capacity) and experts (with great effect).

Tools such as Airshark do not have a network signature that would give away their presence on the network. This makes them hard to detect. However, you can detect Airshark and tools like it by checking for network clients running in promiscuous mode. Security measures to reduce the impact of an attacker using a wireless protocol analyzer include applying Layer 2 and Layer 3 encryption using Internet Protocol Security (IPSec), Generic Routing Encapsulation (GRE) tunnels, or Secure Shell (SSH)/Secure Sockets Layer (SSL).

Network Management System

The foundation of network security is the network management system (NMS). An NMS is a requirement for even the smallest of business networks. It provides the single viewpoint from which an administrator can view, plan, and configure the network. NMS applications such as wireless protocol analyzers come in a vast array of sizes, prices, and functional capabilities. There are open source and freely available NMS applications such as OpenNMS, Nagios, and Zenoss, as well as commercial applications such as WhatsUp Gold and SolarWinds, which are well within the price range of most small businesses. Enterprise-class NMS applications such as IBM Tivoli, on the other hand, can cost hundreds of thousands of dollars and take years to fully implement.

Apart from providing a network view and a single point of configuration, NMS also enables the use of Simple Network Management Protocol (SNMP), which is the network protocol used to raise alerts and alarms by network devices. NMS will typically provide a map of the network layout with each device and its interfaces and connections highlighted. Should any device fail, the device icon on the map will change color and/or the system will emit an audible alarm. When used in conjunction with a wallboard monitor in a network operation center, it can be an effective means of flagging a network issue and raising an alarm.

Alerts in SNMP systems are triggered by SNMP traps. These traps are generated when some predefined condition has been met on an SNMP agent in a device or software program. Manufacturers code in possible conditions, and system administrators set the thresholds for the alerts. If the prescribed threshold or condition is met, the trap triggers an alert, which is sent to the SNMP dashboard. This system allows for customized monitoring of the network. Depending on the network’s activity and risk profile, different alerts trigger investigations by the security team. Even in simple networks, NMS is important; in large and complex networks, it’s a critical security tool.

WLAN Hardware Audit Tools and Antennas

Much as for network management, there are purpose-built tools for auditing networks and, in the case of wireless networks, over-the-air signals. This section looks at hardware-based auditing tools and antennas, which allow the monitoring and auditing of over-the-air signals.

Hardware Audit Tools

For most wireless audits, a network administrator needs only a laptop with a wireless network adapter. Specialist wireless hardware and antennas are not required. This is true even in larger enterprises. Although these organizations may have specialized equipment, a simple laptop with a wireless adapter may be used for less-complicated tasks.

Some tasks, however, require more specialized equipment—that is, equipment that is designed and configured specifically for wireless network auditing and pentesting. One such device is the popular Pineapple. A pentesting and network auditing toolbox, Pineapple is a microcomputer that runs application scripts on a fast processor with sufficient random access memory (RAM) for data storage. Pineapple comes loaded with preconfigured attack software such as the Aircrack-ng suite, dsniff, Kismet, Karma, Nmap, and tcpdump, among others.

NOTE

Remember that all audit tools and techniques allow a would-be attacker to audit a network in the same way.

The advantage of using a special tool rather than a laptop becomes evident when conducting audits in a remote location with limited access to AC power. Because audits are processor intensive, performing one can quickly drain a laptop’s battery power. Devices like Pineapple are battery powered but can run over an extended period of time—much longer than a basic laptop—in an isolated and remote location. Additionally, these tools come configured for pentesting and have many preconfigured attacks ready for launch.

Most of these tools do not come preconfigured with an antenna because the type and power of the antenna used will vary with the method and goals of the audit. These tools will typically come with high quality, low loss interfaces for attaching a suitable antenna.

Antennas

When pentesting, the type of antenna you use can have an impact. Wireless access points and network cards feature one of several types of wireless antennas, including the following:

  Omnidirectional antennas—Omnidirectional antennas broadcast RF equally in all directions and have 360-degree coverage. This type of antenna is installed by default on access points and network cards. In most cases, omnidirectional antennas are the correct choice for general office or home use.

  Directional or semi-directional antennas—These antennas have a narrower broadcast beam—typically around 180 degrees for both indoors and outdoors. Often, narrower broadcast beams of 45 to 90 degrees are aggregated and mounted on the same mast to create high-capacity segments covering a 360-degree area. This is a common topology in mobile telecom networks. Directional antennas with tight focus are also used to create short, medium, and long-haul point-to-point wireless links. These, too, are popular in mobile telecom backhaul networks, where microwave radio links are used.

The antenna’s power, or gain, is another important consideration. This will determine the coverage area, or RF footprint. The higher the gain, the further the RF footprint will spread. Normally, this is something you would curtail to prevent the RF footprint from spreading beyond the borders of the home or workplace. When pentesting, however, you might wish to test the network security from outside the business. Therefore, a high-gain directional antenna would be required to receive and eavesdrop from a distance. In addition, to measure RF, an RF meter is required. This could simply be a visual guide on a laptop’s network interface. Or, it could be a specialized tool integrated into a hardware device, such as the Pineapple pentester tool.

Antennas are a very important part of RF transmission. They determine the RF coverage area and the distance signals travel. Choosing the correct antenna type is crucial to good wireless network design and security. It’s also critical for network auditing. When choosing an antenna for use in network auditing, you’ll typically want to use two types:

  A 16 decibel (dB) Yagi-style directional antenna for eavesdropping over long distances

  A general-purpose upright 10 dB omnidirectional car-aerial–style antenna for indoor use

With both antennas, the auditing program will be able to detect and receive RF signals in the majority of pentesting and network auditing scenarios.

The quality of a radio network is determined by how far the received RF signal sits above the noise floor, which is expressed as the signal-to-noise ratio (SNR). If an antenna cannot receive a signal with a sufficient SNR, the receiver cannot separate the signal from the noise and will therefore be unable to make sense of the transmission. This is how interference and background noise can prove detrimental to a wireless network. It also provides a simple, albeit crude, way to attack one.

Attack Tools and Techniques

Attackers use a wide variety of means and techniques to attack a network. The nature of these attacks is largely determined by the goal of the hackers (such as disruption of service, theft of data, or control of a client) and the opportunities (security vulnerabilities) of the target. This section explores some of the more common attack methods.

Radio Frequency Jamming

While both interference and jamming cause a decrease in the SNR and disrupt communications between transmitters and receivers, there is a difference between the two. Interference is unintentional. Common sources of interference are neighboring 802.11 networks that share the same frequency and channels. Because both are entitled to use the unlicensed spectrum, this is an unintentional disruption of transmission. In contrast, jamming is a deliberate disruption of the transmission. Jamming can be used to block or censor radio broadcasts, usually at a border region.

Wireless 802.11 networks are very vulnerable to both interference and jamming, making it very easy to launch a denial of service (DoS) attack on a radio network. In its simplest form, all that’s required is a device that transmits continuously on a particular channel. Because Wi-Fi is a half-duplex technology—meaning each device on the network can transmit only when no one else is transmitting—this prevents anyone else from transmitting. In a half-duplex system, each device must listen to make sure it is clear to transmit. If one station floods the transmission channel, then no other station can transmit, causing a denial of service.

Jamming of the unlicensed radio spectrum’s 2.4 GHz and 5 GHz bands represents a major vulnerability. As enterprises shift toward a wireless infrastructure, it has been a cause for concern. After all, interference is a big enough problem without having to contend with the malicious hijacking of the airwaves. To counter this, network card vendors must ensure that their products cannot be configured to transmit continuously. This prevents radio transmitters from being the source of interference through failure or through deliberate misconfiguration to cause RF jamming.

However, specialized products are available that do allow you to flood a frequency channel. Although these tools are marketed specifically for wireless audits and testing, an attacker can easily use one as a frequency jammer if he or she wishes. Furthermore, a crude but effective RF jammer for the unlicensed 2.4 GHz band can easily be constructed from old cordless phone circuit boards, which can be set to transmit continuously. Making a frequency jammer that can block the four main channels is a trivial task—one that can be achieved simply by following instructions available on the Internet.

Denial of Service

Flooding the RF spectrum is not the only way to jam a wireless 802.11 network. A more elegant way is to send deauthentication (deauth) packets to force access points to deauthenticate and drop connections. Sending a constant stream of these deauth packets with spoofed MAC addresses to access points will cause them to constantly deauthenticate the client connections.

NOTE

The only caveat for the deauth technique is that the chipset and software must support packet injection.

Aircrack-ng supports packet injection. It also features the Airdeauth-ng tool, which causes the network card to hop between channels, finding all the access points on each frequency. It then constructs a stream of deauth packets aimed at each access point on each channel to force them to drop authentication sessions with their existing clients. Thankfully, deauth attacks on enterprise networks can now be easily recognized and blocked via WIPS. However, on networks that do not have the budget to install WIPS, they are a very real threat. A network protocol analyzer will quickly identify the attack, as it can easily recognize the constant stream of deauth packets. There will be little or no other legitimate network traffic.

Strictly speaking, this is not a denial of service, because each injected frame merely requests that the access point deauthenticate a session with a client. Because the script keeps injecting a stream of these deauthenticate requests, however, the access point is in practice constantly authenticating clients and then dropping their connections, which in effect is a denial of service.
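The analyzer check described above, written out as an added example (not the book's code): it scans a list of captured 802.11 frame records and raises an alert for a BSSID whenever a short window contains a large number of deauthentication or disassociation frames and almost nothing else. The frame records, MAC addresses and timestamps are constructed sample data, not a real capture.

```python
"""Detect a deauthentication flood in a stream of captured 802.11 frame records.

Added example, not the book's code: it reproduces the check a protocol
analyzer applies when it sees a constant stream of deauth frames with little
or no other traffic. The frame records are constructed sample data, not a
real capture; MAC addresses and timestamps are invented.
"""
from collections import defaultdict
from dataclasses import dataclass

MGMT_TYPE = 0          # 802.11 frame type 0 = management
DATA_TYPE = 2          # 802.11 frame type 2 = data
DISASSOC_SUBTYPE = 10  # management subtype 10 = disassociation
DEAUTH_SUBTYPE = 12    # management subtype 12 = deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ts: float       # capture timestamp in seconds
    ftype: int      # frame type
    subtype: int    # frame subtype
    src: str        # transmitter address
    dst: str        # receiver address
    bssid: str      # access point the frame belongs to


@dataclass
class Alert:
    bssid: str
    window_start: float
    deauth_count: int
    ratio: float
    broadcast: bool  # deauths addressed to ff:ff:ff:ff:ff:ff hit every client at once


def is_deauth(f: Frame) -> bool:
    return f.ftype == MGMT_TYPE and f.subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE)


def detect_deauth_flood(frames, window_s=1.0, min_deauth=20, min_ratio=0.8):
    """Return one Alert per BSSID whose traffic, within any window_s-second
    window, contains at least min_deauth deauth/disassoc frames that make up
    at least min_ratio of all frames seen for that BSSID in the window."""
    by_bssid = defaultdict(list)
    for fr in sorted(frames, key=lambda x: x.ts):
        by_bssid[fr.bssid].append(fr)

    alerts = []
    for bssid, fl in by_bssid.items():
        start = 0
        for end in range(len(fl)):
            # Slide the window so it spans at most window_s seconds.
            while fl[end].ts - fl[start].ts > window_s:
                start += 1
            window = fl[start:end + 1]
            deauths = [f for f in window if is_deauth(f)]
            ratio = len(deauths) / len(window)
            if len(deauths) >= min_deauth and ratio >= min_ratio:
                alerts.append(Alert(bssid, fl[start].ts, len(deauths), ratio,
                                    any(f.dst == BROADCAST for f in deauths)))
                break  # one alert per BSSID is enough to raise the flag
    return alerts


def build_sample_capture():
    """Constructed capture: 2 s of normal traffic with one legitimate deauth
    (a client leaving), then a 2 s burst of 60 spoofed deauths per second."""
    ap, client = "02:00:00:00:aa:01", "02:00:00:00:cc:02"
    frames, t = [], 0.0
    for i in range(40):
        src, dst = (client, ap) if i % 2 else (ap, client)
        frames.append(Frame(t, DATA_TYPE, 0, src, dst, ap))
        t += 0.05
    frames.append(Frame(t, MGMT_TYPE, DEAUTH_SUBTYPE, client, ap, ap))
    t = 5.0
    for _ in range(120):
        frames.append(Frame(t, MGMT_TYPE, DEAUTH_SUBTYPE, ap, BROADCAST, ap))
        t += 1 / 60
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(build_sample_capture()):
        print(f"deauth flood against {a.bssid}: {a.deauth_count} frames "
              f"({a.ratio:.0%} of traffic) from t={a.window_start:.2f}s, "
              f"broadcast={a.broadcast}")
```

The thresholds are deliberately conservative so that a handful of genuine deauths from clients roaming or leaving does not trigger an alert.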

Hijacking Devices

As you have seen, it is a trivial task to introduce interference or deliberately jam the RF frequencies wireless networks use. This is due to the half-duplex nature of radio communications. This weakness is difficult to mitigate. You have also looked at how you can manipulate the behavior of wireless access points by using deauthentication (deauth) management frames to drop connections. However, these are not the only weaknesses.

Another attack first uses deauth packets and then takes advantage of how client devices attempt to reconnect. In most Windows clients, a device will automatically attempt to attach to any network to which it has previously been attached. What’s more, it will favor the access point with the highest transmit signal. Hackers take advantage of this by creating a rogue access point (known as an evil twin) set with a high signal strength. They then force a deauthentication. In response, the client connects to the hacker’s evil twin, which appears to be a known access point with a strong signal.

Aircrack-ng features a tool called Airbase-ng that attackers can use to convert a standard wireless network card into an access point. Airbase-ng is very useful for performing a client-side hack that will enable a man-in-the-middle attack or compromise the client’s privacy and confidentiality. The goal is to mimic an access point by faking the SSID and MAC address of one of the client’s known (trusted) wireless networks. A client device will poll for these when attempting to associate with a network at connection time. The object is then to send a deauthenticate packet to the real access point, which instructs the access point to deauthenticate every client. When a client is deauthenticated—that is, when the connection is dropped—the client is forced into the authentication and association handshake process. When this happens, the client will by default attempt to attach to the access point with the highest power.

This same feature can easily be used when the client has attached to a network that has a cloaked SSID. When an access point with a disabled broadcast (SSID cloaked) has been used, the client will continuously poll for it regardless of where the client is—even if it’s already connected to another access point. A hacker can listen for these polling attempts and then quickly configure his or her own high-power access point using that same SSID. This is to lure the client to automatically switch over to what it determines is a known access point but is in fact an evil twin.

The crucial step is to ensure that the evil twin has a more attractive signal. The attacker does this by boosting the network card’s power output to the largest permissible setting. This is typically capped in software, though not physically limited, at 27 dBm or 500 mW in the U.S. and Europe. Some countries allow much higher rates, however. For example, if, when you configure the card, you specify the region as Bolivia, then the card will allow transmission at 30 dBm, a full 1,000 mW of power. This should be enough to overpower most access points in the vicinity and prove to be the most attractive to any client device wishing to join the network.

After the client has authenticated/associated with the evil twin, it may find itself victim of a man-in-the-middle attack, with the Ettercap tool used to intercept and analyze all the data. Alternatively, it could simply be left in limbo with no Internet or corporate network connection and no way of passing data through the evil twin.

Hijacking a Session

Another form of man-in-the-middle attack is referred to as session hijacking or session sidejacking. It does just what the names suggest. The requirement for this form of user hijacking is that the attacker have visibility at the Transport Layer (Layer 4). Data encryption at Layer 2 or Layer 3 will mitigate this attack, making it unlikely to be effective on corporate networks. Encryption is rarely used in guest areas and hotspots, however, so this can be an effective attack in corporate visitor areas. It is certainly something to be wary of in cafés and hotels.

The vulnerability exploited with this attack is an inherent weakness in HTTP and the way Web applications handle HTTP requests. Specifically, HTTP is not session-oriented. It does not remember a user from one command to the next. Therefore, each request or command is treated in isolation, as HTTP has no concept of a user session. While the lack of session continuity may seem like a flaw, it is actually a design consideration to improve throughput. After all, if user credentials were required to be sent with every transaction, it would waste bandwidth and hurt performance.

The way around this is to send a session ID instead of user credentials with every transaction. The session ID is created when the user logs on to the application. To secure the transaction, the Web server requires encryption through HTTPS or SSL to ensure confidentiality of the user credentials. This prevents anyone eavesdropping on the wireless network from acquiring the username and password. When the logon process is complete and the user is authenticated by the Web server or application, a session ID is created. This is used in all subsequent HTTP transactions as a user/session identifier to enable the application to track the user’s activities and ensure that the user is who he or she claims to be.

The problem is that although HTTPS or SSL is used to perform the login procedure, the application often reverts back to HTTP for efficient loading of page content and other non-confidential data. An eavesdropper on a wireless network can then see the session ID. It is then a trivial task to spoof the captured session ID and substitute it for the attacker’s session ID in his or her HTTP requests to the same server. An easy-to-use tool for just this purpose is Tamper Data. This free Firefox extension enables the attacker to halt and modify HTTP requests (GET/POST) without the need to inject data using JavaScript or to repost Web pages. By spoofing the session ID in his or her own HTTP requests, the attacker tricks the application into treating him or her as the user who is logged on. In other words, the attacker has hijacked the session, and will have the same rights and access as the session’s rightful owner.

Using Transport Layer Security (TLS), a cryptographic protocol, helps mitigate this attack. It ensures authentication, confidentiality, and integrity of the data. The attack remains possible, however, when TLS or other encryption is used only at login and not across the entire site.
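An audit check for the sidejacking weakness just described, as an added example that is not the book's code: it takes recorded HTTP responses (URL, status, header list) and flags a page served over cleartext HTTP, a session cookie set without the Secure flag (so the browser will also send it over HTTP), a cookie readable by page scripts, and an HTTPS site that never sends Strict-Transport-Security. The hostnames, cookie names and values are constructed sample data, and the session-cookie name hints are a heuristic.

```python
"""Audit recorded HTTP responses for conditions that enable session sidejacking.

Added example, not the book's code. Sample hosts, cookie names and values are
constructed; SESSION_NAME_HINTS is a heuristic, not a standard.
"""
from urllib.parse import urlsplit

# Cookie names that usually carry a session identifier (heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")
REDIRECTS = (301, 302, 307, 308)


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, status, headers):
    """Return a list of findings for one recorded response."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    hdrs = [(n.lower(), v) for n, v in headers]
    location = next((v for n, v in hdrs if n == "location"), "")

    if scheme == "http":
        # Only an immediate redirect to https:// is acceptable on a cleartext URL.
        if not (status in REDIRECTS and location.lower().startswith("https://")):
            findings.append("served over cleartext HTTP without redirecting to HTTPS")
    elif not any(n == "strict-transport-security" for n, _ in hdrs):
        findings.append("HTTPS response lacks Strict-Transport-Security")

    for n, v in hdrs:
        if n != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if scheme == "http":
            findings.append(f"cookie {name} set over cleartext HTTP (visible to an eavesdropper)")
        if any(h in name.lower() for h in SESSION_NAME_HINTS):
            if "secure" not in attrs:
                findings.append(f"session cookie {name} lacks Secure; the browser will also send it over HTTP")
            if "httponly" not in attrs:
                findings.append(f"session cookie {name} lacks HttpOnly; page scripts can read or rewrite it")
    return findings


def audit_site(responses):
    """Map each URL to its findings; an empty list means the response passed."""
    return {url: audit_response(url, status, headers) for url, status, headers in responses}


# Constructed responses: a shop that falls back to HTTP after login, and an
# intranet that enforces HTTPS everywhere.
SAMPLE_RESPONSES = [
    ("https://shop.example/login", 200,
     [("Content-Type", "text/html"), ("Set-Cookie", "PHPSESSID=c0nstructed1; Path=/; HttpOnly")]),
    ("http://shop.example/catalog", 200,
     [("Content-Type", "text/html"), ("Set-Cookie", "PHPSESSID=c0nstructed1; Path=/")]),
    ("http://intranet.example/", 301,
     [("Location", "https://intranet.example/")]),
    ("https://intranet.example/login", 200,
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "sessionid=c0nstructed2; Path=/; Secure; HttpOnly; SameSite=Lax")]),
]

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_RESPONSES).items():
        print(url, "->", "OK" if not findings else "; ".join(findings))
```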

While performing an audit, an administrator should check that company Web sites and servers consistently enforce HTTPS across the entire site. They should also check that other common Web site vulnerabilities such as the following have been removed or mitigated:

  Carriage return line feed (CRLF)—In this common HTTP vulnerability, an HTTP packet may be split using a carriage return followed by a line feed (hence the name). By splitting a packet in two, with one packet containing legitimate header and protocol information, the attacker can pack a malicious payload into the second packet. HTTP response splitting, as it is also known, can lead to the hijacking of the client’s sessions, Web browser, and Web server, and to proxy cache poisoning.

  SQL injection—These types of attacks are very common on dynamic Web sites that front a database. SQL injection attacks can occur when input is not validated.

  Cross site scripting (XSS)—Dynamic Web sites are prone to XSS vulnerabilities. Attackers embed malicious code that executes when a user performs a specific action. For example, in June 2014, attackers embedded malicious XSS code into a tweet from TweetDeck. When TweetDeck users logged onto Twitter, it automatically retweeted the malicious code from the user’s Twitter account. A similar attack on Twitter in 2010 opened up a pop-up window displaying a Japanese porn site when users hovered over the tweet. While these attacks weren’t damaging, other XSS attacks steal user cookies, allowing attackers to impersonate users on some sites with weak security. The best protection against XSS attacks is input validation.

NOTE

Input validation means that a blank field will only accept certain types of information or characters. If the site asks for a phone number, for example, it should only accept the correct number of characters for a phone number, and these should be numerals and possibly dashes.

  JavaScript injection—Using JavaScript enables an attacker to modify existing information in Web forms and input tags, as well as to rewrite cookies that are currently set in the browser. With JavaScript, the attacker can change any parameter within the cookie—for example, changing the authenticated setting from false to true. This would allow an attacker to bypass any authentication test and gain access without needing to authenticate. JavaScript is also an effective way to launch XSS attacks and inject malicious payloads.
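The CRLF item and the input-validation note above, as an added example that is not the book's code: a redirect builder that copies a user-supplied value straight into a header is shown beside its validated version, with a small check an auditor can run against the site's own code to confirm that a CRLF-bearing value can no longer produce a second response; the phone-number allow-list from the note is included as the simpler case. The injected value and phone numbers are constructed test data.

```python
"""Input validation checks an auditor can run against a site's own code.

Added example, not the book's code. Two vulnerable-versus-hardened pairs:
a redirect builder that copies a user-supplied value into a header (the CRLF
/ response-splitting weakness) and the phone-number field from the note.
The injected value and phone numbers are constructed test data.
"""
import re

CRLF = "\r\n"


class InvalidInput(ValueError):
    """Raised when a value fails validation."""


def build_redirect_unsafe(target: str) -> str:
    """Vulnerable: the target goes into the Location header unchecked."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {target}{CRLF}{CRLF}"


def validate_header_value(value: str) -> str:
    """Reject anything that could terminate a header line or the header block."""
    if "\r" in value or "\n" in value:
        raise InvalidInput("CR or LF characters are not allowed in header values")
    return value


def build_redirect_safe(target: str) -> str:
    """Hardened: the same builder, with the value validated first."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {validate_header_value(target)}{CRLF}{CRLF}"


def count_responses(raw: str) -> int:
    """Count status lines, i.e. how many responses a client or proxy would parse from the bytes."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


def splitting_check(builder, value) -> bool:
    """Audit helper: True if builder rejects the value or still emits exactly one response."""
    try:
        return count_responses(builder(value)) == 1
    except InvalidInput:
        return True


# Constructed test value: a legitimate path followed by CRLF sequences that
# would smuggle a second, attacker-controlled response into the stream.
SPLIT_VALUE = ("/home" + CRLF + CRLF + "HTTP/1.1 200 OK" + CRLF
               + "Content-Type: text/html" + CRLF + CRLF + "<p>injected</p>")

# Phone field from the note: ten digits, optional dashes in the usual places.
PHONE_RE = re.compile(r"^\d{3}-?\d{3}-?\d{4}$")


def validate_phone(value: str) -> str:
    """Allow-list check: correct length, digits and dashes only."""
    value = value.strip()
    if len(value) > 12 or not PHONE_RE.fullmatch(value):
        raise InvalidInput(f"not a valid phone number: {value!r}")
    return value


def phone_is_valid(value: str) -> bool:
    try:
        validate_phone(value)
        return True
    except InvalidInput:
        return False


if __name__ == "__main__":
    print("unsafe builder passes splitting check:", splitting_check(build_redirect_unsafe, SPLIT_VALUE))
    print("safe builder passes splitting check:", splitting_check(build_redirect_safe, SPLIT_VALUE))
    for p in ("555-867-5309", "5558675309", "555-867-530", "555-867-5309<script>"):
        print(p, "->", phone_is_valid(p))
```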

These are just some of the most common Web site vulnerabilities that a site audit should test for. There are many more. The relevant point here is that attacks are always easier on wireless networks because it is easier to sniff the network with a protocol analyzer. At the same time, however, there are also many network tools available for both wired and wireless networks that can be used to troubleshoot events and issues.

Network Utilities

Network utilities are software programs and scripts designed to analyze or configure various aspects of computer networks. Many of these programs are Unix-based and are run through command line interface (CLI) screens, but there are many commercial programs that package one or more for popular operating systems. The most commonly used network utilities are as follows:

  Ping—Ping is used to check for network connectivity and to determine whether a host can be reached over the network. Ping can also be used to measure the round-trip delay between hosts on a wired or wireless network.

  Traceroute and tracert—These Unix/Linux and Windows utilities, respectively, are used to trace the path taken between hosts on different subnets or networks. They list every router in the path between the sender and the recipient, along with the round-trip delay between stages and for the entire path.

  Netstat—This command-line utility is used to display network connections, routing tables, and network interface information—such as protocol performance—on a host computer.

  Ifconfig and ipconfig—These are Linux and Windows command-line utilities, respectively, for configuring and viewing network interface configurations.

  InSSIDer—Discussed earlier in this chapter, InSSIDer finds Wi-Fi networks that are in range and provides details about each one. It provides the SSID, the vendor make and model, the channel, the signal strength at the present time and over time, and the public name of the network, as well as what security is in place. InSSIDer is useful in an audit capacity for detecting interference from other neighboring networks as well as discovering dead spots in RF coverage.

  Hotspot Shield—Hotspot Shield provides a lightweight but secure VPN connection. It uses HTTPS to encrypt all data passing through the secure tunnel. This tool is essential if you have no installed VPN client and you regularly use public hotspots.

IT professionals will likely use all these tools throughout their career. Many great resources are available that describe how they can be used. Of all those listed, the one most relevant to this text is Hotspot Shield. In most cases, enterprises do a capable job of protecting the corporate network. With the advent of ubiquitous Wi-Fi, IP mobility, and bring your own device (BYOD), the mobile user is often the weakest link in the chain. Users today have an expectation of connectivity, and far too many are far too trusting. The best defense against this is ongoing training and the use of tools such as Hotspot Shield. These are inexpensive but effective measures against ongoing threats. The old saying holds true: An ounce of prevention is worth a pound of cure.

CHAPTER SUMMARY

There are numerous open source and commercial tools to help administrators perform wireless audits. Discovery tools such as NetStumbler, InSSIDer, and Kismet help verify what is actually in place (as opposed to what’s on a diagram), showing the network’s true status. The next stage is to check the network for known vulnerabilities using vulnerability scanners such as Nessus. This software checks network clients against a national database of thousands of contemporary known OS and application vulnerabilities.

After vulnerabilities have been identified and removed, it’s time to bring out the big guns: pentesters. Pentesters are fully developed frameworks of tools that enable auditors not only to verify vulnerabilities, but also to ensure that clients are hardened against known exploits. Pentest tools such as Aircrack-ng and Metasploit provide the means to launch fully developed attacks on the network to prove its robustness. Remember to always get written permission from the network owner before conducting pentesting.

Auditing is not just about vulnerabilities and exploits—it also helps ensure that the network is well managed and controlled. The tools available for this function are varied according to network size and budget, with options to match all. Part of the management function is using the available tools to view and analyze protocols and traffic traversing the network. Tools such as Airshark provide visibility, data capture, and data manipulation, along with deep packet inspection. This allows auditors to visualize conversations on the network at the packet level. At the radio level, specialized hardware devices and antennas can monitor RF spectrum and signal levels. You can see how interference and jamming can disrupt a network and cause a denial of service.

Network analyzers enable administrators to discover more-advanced attacks such as network-deauthentication attacks against access points. Similarly, network analyzers can be used to discover and track rogue access points, or evil twins. It is not just wireless vulnerabilities that require auditing, however. All general vulnerabilities must be discovered and removed, including common Web server and application vulnerabilities such as XSS and JavaScript injection. Network utilities and freeware tools can aid administrators in testing general network connectivity and performance. For example, tools such as ping and traceroute can reveal and help resolve problems at the network-packet level. These are good indicators of connectivity and performance, especially when you’re verifying the network key performance indicators (KPIs) of latency, packet loss, and jitter.

The downside of this is that in the hands of a skilled attacker, many of these same tools can be used to break into a network, steal data, or even hijack sessions. As is often the case, the tools are not inherently good or bad—that is left to the user’s intention.

KEY CONCEPTS AND TERMS

Brute-force attacks

Carriage return line feed (CRLF)

Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)

Dictionary password crackers

Hash

OS fingerprinting

Open share

Password management system (PMS)

Penetration testing (pentesting)

Port scanning

Rainbow table

SNMP traps

CHAPTER 9 ASSESSMENT

1. Network discovery tools are a set of tools made specifically for hackers.

A. True

B. False

2. Programs such as Kismet can perform which of the following functions?

A. Wardriving WLAN discovery

B. Rogue AP detection

C. Low-cost intrusion detection system (IDS)

D. SSID decloaking

E. All of the above

3. Which of the following most accurately describes penetration testing, or pentesting?

A. To truly gauge security capabilities, pentesting should be done without notifying network administrators.

B. Pentesting is illegal and immoral.

C. Pentesting is an important aspect of identifying vulnerabilities and hardening defenses.

D. Pentesting helps you discover Wi-Fi coverage gaps.

4. Which of the following describes brute-force attacks?

A. They use torture to make people tell you what their passwords are.

B. They are efficient ways to crack passwords, given the power of modern computers.

C. They are fairly inefficient.

D. They work well on most online portals.

E. All of the above

5. Which of the following describes dictionary attacks?

A. They take advantage of people’s tendency to use actual words for passwords.

B. They can be done offline and used against captured packets to test without detection.

C. They can check millions of passwords per second.

D. All of the above.

6. Password management systems are a great way to implement many strong passwords without having to remember them all.

A. True

B. False

7. Regular audits with a protocol analyzer can do which of the following?

A. Prevent rogue APs from being established

B. Eliminate potential viruses

C. Help find and isolate misconfigured clients and rogue access points

D. All of the above

8. SNMP traps are a common attack used by hackers to fool users.

A. True

B. False

9. Session hijacking works because client devices tend to connect to a known SSID with the highest signal strength.

A. True

B. False

10. Which of the following is not a vulnerability of HTTP carriage return line feed (CRLF) or HTTP response splitting?

A. It allows attackers to put a malicious payload into the second packet.

B. It allows attackers to break encryption in the second packet.

C. It can lead to the hijacking of the client’s sessions.

D. It can lead to proxy cache poisoning.
