Hacking Wireless Networks
Wireless Technology
Wireless technology describes equipment and technologies operating in the radio frequency (RF) spectrum between 3 Hz and 300 GHz. Examples of wireless equipment include cell phones, AM/FM radios, wireless networking devices, and radar systems. Most wireless networking equipment operates in a smaller portion of the RF spectrum, between 2.4 GHz and 66 GHz.
Components of a Wireless Network
Wireless network interface cards (WNICs), which transmit and receive wireless signals, and access points (APs), which are the bridge between wired and wireless networks
Wireless networking protocols, such as Wi-Fi Protected Access (WPA)
A portion of the RF spectrum, which replaces wire as the connection medium
Access Points
An access point (AP) is a radio transceiver that connects to a network via an Ethernet cable and bridges a wireless LAN (WLAN) with a wired network. An AP is where RF channels are configured. APs are what hackers look for when they drive around with an antenna and a laptop computer scanning for access.
NetStumbler
Service Set Identifiers
A service set identifier (SSID) is the name used to identify a WLAN, much the same way a workgroup is used on a Windows network. An SSID is configured on the AP as a unique, 1- to 32-character, case-sensitive alphanumeric name. The AP usually beacons (broadcasts) the SSID several times a second so that users who have WNICs can see a display of all WLANs within range of the AP’s signal.
DD-WRT
DD-WRT is a Linux-based embedded OS that replaces the embedded OS shipped on hundreds of routers from Linksys, D-Link, Netgear, Belkin, Microsoft, U.S. Robotics, Dell, Buffalo, and many others.
Disabling SSID Broadcasting
Disabling the beacon does not hide the SSID from a passive wireless sniffer such as Kismet. Unlike NetStumbler, which can pick up only broadcast SSIDs, Kismet can detect SSIDs in WLAN client traffic.
Understanding Wireless Network Standards
Signal Modulation
For data to be moved over radio waves, it must be modulated onto a carrier signal or channel. Modulation defines how data is placed on a carrier signal. Spread spectrum modulation means data is spread across a large frequency bandwidth instead of traveling across just one frequency band. In other words, a group of radio frequencies is selected, and the data is “spread” across this group.
Spread spectrum, the most widely used WLAN technology, uses the following methods:
Frequency-hopping spread spectrum (FHSS): Data hops to other frequencies to avoid interference that might occur over a frequency band. This hopping from one frequency to another occurs at split-second intervals and makes it difficult for an intruder or attacker to jam the communication channel.
Direct sequence spread spectrum (DSSS): DSSS differs from FHSS in that it spreads data packets simultaneously over multiple frequencies instead of hopping to other frequencies.
Orthogonal frequency division multiplexing (OFDM): The bandwidth is divided into a series of frequencies called tones, which allows a higher throughput (data transfer rate) than FHSS and DSSS do.
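The DSSS method above is easiest to see with the 11-chip Barker sequence that 802.11 DSSS uses: every data bit is multiplied by the whole chip sequence, and the receiver recovers the bit by correlating each chip-length block with the same code. The following is an added illustration written for these slides, not code from the original; the interference model (inverting a fixed number of chips per bit) is a deliberate simplification chosen to show why spreading tolerates partial corruption of a bit.

```python
"""DSSS spreading and despreading with the 11-chip Barker sequence.
Added illustration for the spread-spectrum slide; not from the original."""

# 11-chip Barker sequence, the spreading code 802.11 DSSS uses at 1 and 2 Mbps.
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, chips=BARKER_11):
    """Map each data bit to +1/-1 and multiply it by the whole chip sequence.
    One bit now occupies len(chips) chip periods, so the occupied bandwidth
    widens by that factor: the "spreading" the slide describes."""
    return [(1 if b else -1) * c for b in bits for c in chips]


def despread(samples, chips=BARKER_11):
    """Correlate each chip-length block with the known code; the sign of the
    correlation recovers the bit. The receiver must use the same code."""
    n = len(chips)
    bits = []
    for i in range(0, len(samples), n):
        corr = sum(s * c for s, c in zip(samples[i:i + n], chips))
        bits.append(1 if corr > 0 else 0)
    return bits


def corrupt_chips(samples, per_bit, chips_per_bit=len(BARKER_11)):
    """Simplified interference model (an assumption of this example): a burst
    that inverts the first `per_bit` chips of every bit."""
    if not 0 <= per_bit <= chips_per_bit:
        raise ValueError("per_bit must be between 0 and the chips per bit")
    out = list(samples)
    for start in range(0, len(out), chips_per_bit):
        for j in range(start, start + per_bit):
            out[j] = -out[j]
    return out


def demo(bits=(1, 0, 1, 1, 0)):
    """Return (clean decode, decode with 5 of 11 chips bad, decode with 6 of 11 bad).
    Each inverted chip moves the correlation by 2, so 5 bad chips leave it at +/-1
    (still the right sign) while 6 push it past zero and every bit flips."""
    tx = spread(bits)
    return despread(tx), despread(corrupt_chips(tx, 5)), despread(corrupt_chips(tx, 6))


if __name__ == "__main__":
    clean, five_bad, six_bad = demo()
    print("clean    :", clean)
    print("5/11 bad :", five_bad)
    print("6/11 bad :", six_bad)
```

With the default bits the clean and 5-bad decodes both return [1, 0, 1, 1, 0]; the 6-bad decode returns the inverse, which is the point at which the spreading gain of an 11-chip code is exhausted.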
Understanding Wardriving
Wardriving is used to detect access points that haven’t been secured. Most APs have no passwords or security measures, so wardriving can be quite rewarding for hackers. As of this writing, wardriving isn’t illegal; using the resources of networks discovered with wardriving is, of course, a different story. Wardriving has now been expanded to include warflying, which is done by using an airplane wired with an antenna and the same software used in wardriving. In one test conducted by warflyers, more than 3000 APs were discovered, and two-thirds of them used no encryption. The testers used Kismet, covered later in this section, which identifies APs that attempt to “cloak” or hide their SSIDs.
How It Works
To conduct wardriving, an attacker or a security tester simply drives around with a laptop computer containing a WNIC, an antenna, and software that scans the area for SSIDs. Not all WNICs are compatible with scanning software, so check the software requirements before purchasing the hardware. Antenna prices vary, depending on their quality and the range they can cover. Some are as small as a cell phone’s antenna, and some are as large as a bazooka, which you might have seen in old war films. The larger ones can sometimes return results on networks miles away from the attacker; the smaller ones might require being in close proximity to the AP. Most scanning software detects the company’s SSID, the type of security enabled, and the signal strength, indicating how close the AP is to the attacker. Because attacks against WEP are simple and attacks against WPA are possible, any 802.11 connection not using WPA2 should be considered inadequately secured. The following sections introduce some tools that many wireless hackers and security professionals use.
NetStumbler
NetStumbler is a Windows tool that enables:
Detecting WLANs
Verifying the WLAN configuration
Detecting other wireless networks that might be interfering with a WLAN
Detecting unauthorized APs that might have been placed on a WLAN
Another feature of NetStumbler is its capability to interface with a GPS, enabling a security tester or hacker to map out the locations of all WLANs the software detects.
NetStumbler
When the program identifies an AP’s signal, it logs the SSID, MAC address of the AP, manufacturer of the AP, channel on which the signal was heard, strength of the signal, and whether encryption is enabled (but not a specific encryption type). For those with mechanical ability, numerous Web sites have instructions on building your own antenna with empty bean cans, potato chip cans, and the like. You can also purchase a decent antenna for about $50.
Kismet
Kismet is free and runs on Linux, BSD UNIX, Mac OS X, and even Linux PDAs. The software is advertised as being more than just a wireless network detector. Kismet is also a sniffer and an intrusion detection system, with these features:
Wireshark- and Tcpdump-compatible data logging
Compatibility with AirSnort and AirCrack
Network IP range detection
Detection of hidden network SSIDs
Graphical mapping of networks
Manufacturer and model identification of APs and clients
Detection of known default AP configurations
Kismet
Kismet can be used to conduct wardriving, but it can also be used to detect rogue APs on a company’s network. If you need GPS support, the BackTrack supporting files include several tools that work with Kismet, such as the GPS daemon (GPSD), GISKismet, and Kisgearth, that can come in handy for accurate AP geopositioning. When Kismet is configured to use GPSD, the output displays coordinates pinpointing the location of the AP being scanned. This coordinate data can then be fed into Google Earth to create maps.
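The fields a scanner logs (SSID, AP MAC address, channel, and an encryption on/off flag, as described for NetStumbler above), the “cloaked” SSIDs that Kismet recovers from other traffic (the SSID broadcasting slides), and the rogue AP check just mentioned all come out of the same 802.11 management frames. The following is an added example written for these slides, not code from NetStumbler, Kismet or the original text: it builds a small constructed capture of beacon, probe request and probe response frames, parses them, reports the same fields a scanner would, flags beacons whose BSSID is not on a defender’s allowlist, and pairs cloaked beacons with probe responses from the same BSSID to recover the real name. The BSSIDs, SSIDs and the RSN element body are all constructed sample values.

```python
"""Parse constructed 802.11 beacon / probe frames the way a wireless scanner logs them.
Added example for these slides; the frames are built inline, not captured."""
import struct

# Frame-control byte 0: protocol version 0, type 0 (management), subtype in bits 4-7.
FC_BEACON, FC_PROBE_REQ, FC_PROBE_RESP = 0x80, 0x40, 0x50
CAP_PRIVACY = 0x0010            # capability bit: encryption on (type not stated)
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Minimal RSN element body (constructed): version 1, CCMP group/pairwise cipher, PSK AKM.
RSN_BODY = bytes.fromhex("0100000fac040100000fac040100000fac020000")


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ie(eid, data):
    """One tagged parameter: 1-byte element ID, 1-byte length, value."""
    return bytes([eid, len(data)]) + data


def _mgmt(fc0, addr1, addr2, addr3, body):
    """24-byte management header (FC, duration, addr1-3, sequence) followed by the body."""
    return struct.pack("<BBH6s6s6sH", fc0, 0, 0, _mac(addr1), _mac(addr2), _mac(addr3), 0) + body


def _ap_body(ssid, channel, privacy, rsn):
    """Fixed fields (timestamp, beacon interval, capabilities) plus IEs; shared by
    beacons and probe responses. An SSID of b"" is what a 'cloaked' AP sends."""
    body = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    body += _ie(IE_SSID, ssid) + _ie(IE_DS_PARAM, bytes([channel]))
    return body + (_ie(IE_RSN, RSN_BODY) if rsn else b"")


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False):
    return _mgmt(FC_BEACON, BROADCAST, bssid, bssid, _ap_body(ssid, channel, privacy, rsn))


def build_probe_response(bssid, client, ssid, channel, privacy=False, rsn=False):
    return _mgmt(FC_PROBE_RESP, client, bssid, bssid, _ap_body(ssid, channel, privacy, rsn))


def build_probe_request(client, ssid):
    return _mgmt(FC_PROBE_REQ, BROADCAST, client, BROADCAST, _ie(IE_SSID, ssid))


def _parse_ies(data):
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_frame(frame):
    """Return the scanner-style record: source MAC, kind, and for AP frames the
    BSSID, SSID (empty if cloaked), channel, privacy flag and RSN presence."""
    fc0, _, _, addr1, addr2, addr3, _ = struct.unpack("<BBH6s6s6sH", frame[:24])
    subtype, ftype = fc0 >> 4, (fc0 >> 2) & 0x3
    info = {"src": _fmt_mac(addr2), "kind": "other"}
    if ftype != 0:                               # not a management frame
        return info
    if subtype in (8, 5):                        # beacon or probe response
        _, _, cap = struct.unpack("<QHH", frame[24:36])
        ies = _parse_ies(frame[36:])
        raw = ies.get(IE_SSID, b"")
        hidden = raw.strip(b"\x00") == b""       # empty or null-filled SSID = cloaked
        info.update(kind="beacon" if subtype == 8 else "probe_resp",
                    bssid=_fmt_mac(addr3),
                    ssid="" if hidden else raw.decode("utf-8", "replace"),
                    hidden=hidden,
                    channel=ies[IE_DS_PARAM][0] if IE_DS_PARAM in ies else None,
                    privacy=bool(cap & CAP_PRIVACY),
                    rsn=IE_RSN in ies)
    elif subtype == 4:                           # probe request from a client
        ies = _parse_ies(frame[24:])
        info.update(kind="probe_req", ssid=ies.get(IE_SSID, b"").decode("utf-8", "replace"))
    return info


def classify_security(info):
    """Beacons expose only the privacy bit and the RSN element, so three buckets are
    all a scanner can honestly report (WPA1 is signalled by a vendor IE not parsed here)."""
    if not info["privacy"]:
        return "open"
    return "WPA2 (RSN IE)" if info["rsn"] else "WEP or WPA (no RSN IE)"


def find_rogue_aps(frames, authorized_bssids):
    """Beacons whose BSSID is not on the defender's allowlist: the rogue AP check."""
    return {p["bssid"]: p for p in map(parse_frame, frames)
            if p["kind"] == "beacon" and p["bssid"] not in authorized_bssids}


def reveal_hidden_ssids(frames):
    """Pair cloaked beacons with probe responses from the same BSSID, which carry the
    real SSID; this is why disabling the beacon SSID does not hide it from a sniffer."""
    parsed = list(map(parse_frame, frames))
    cloaked = {p["bssid"] for p in parsed if p["kind"] == "beacon" and p["hidden"]}
    return {p["bssid"]: p["ssid"] for p in parsed
            if p["kind"] == "probe_resp" and p["bssid"] in cloaked and p["ssid"]}


# Constructed capture: a corporate WPA2 AP with cloaked SSID, one client exchange with it,
# an open unauthorized AP, and a legacy AP with encryption on but no RSN element.
AUTHORIZED = {"00:11:22:33:44:55"}
CAPTURE = [
    build_beacon("00:11:22:33:44:55", b"", 6, privacy=True, rsn=True),
    build_probe_request("aa:bb:cc:dd:ee:01", b"corp-wlan"),
    build_probe_response("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", b"corp-wlan", 6, privacy=True, rsn=True),
    build_beacon("66:77:88:99:aa:bb", b"free-wifi", 11),
    build_beacon("de:ad:be:ef:00:01", b"legacy-ap", 1, privacy=True),
]

if __name__ == "__main__":
    for f in CAPTURE:
        p = parse_frame(f)
        if p["kind"] == "beacon":
            print(p["bssid"], repr(p["ssid"]), "ch", p["channel"], classify_security(p))
    print("rogue APs:", sorted(find_rogue_aps(CAPTURE, AUTHORIZED)))
    print("cloaked SSIDs revealed:", reveal_hidden_ssids(CAPTURE))
```

Run stand-alone it prints one line per beacon with the same fields a scanner logs, then the two BSSIDs missing from the allowlist and the cloaked AP’s recovered name. Swapping CAPTURE for frames read from a real capture is the only change needed to use the same logic on live data.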
Understanding Wireless Hacking
Hacking a wireless network isn’t much different from hacking a wired LAN. Many of the port-scanning and enumeration tools you’ve learned about can be applied to wireless networks.
Tools of the Trade
A wireless hacker usually has a laptop computer, a WNIC, an antenna, sniffers (Tcpdump or Wireshark, for example), tools such as NetStumbler or Kismet, and lots of patience. After using NetStumbler or Kismet to determine the network name, SSID, MAC address of the AP, channel used, signal strength, and which type of encryption is enabled, a security tester is ready to continue testing.
Tools of the Trade
Wireless routers that perform DHCP functions can pose a big security risk. If a wireless computer is issued an IP address, a subnet mask, and DNS information automatically, attackers can use all the skills they learned in hacking wired networks on the wireless network. If DHCP isn’t used, attackers simply rely on Wireshark or Tcpdump to sniff packets passing through the wireless network to gather this IP configuration information. (As a security professional, you should recommend disabling DHCP on wireless networks and assigning IP addresses to wireless stations manually.) They can then configure the WNIC with the correct IP information. What do attackers or security testers do if WEP or WPA is enabled on the AP? Several tools address this issue. AirCrack NG and WEPCrack, covered in the following sections, are what prompted organizations to replace WEP with the more secure WPA as their authentication method.
AirCrack NG
As a security professional, your job is to protect a network and make it difficult for attackers to break in. You might like to believe you can completely prevent attackers from breaking in, but unfortunately, this goal is impossible. AirCrack NG (included on the BackTrack files or available free at www.aircrack-ng.org) is the tool most hackers use to access WEP-enabled WLANs. AirCrack NG replaced AirSnort, a product created by wireless security researchers Jeremy Bruestle and Blake Hegerle, who set out to prove that WEP encryption was faulty and easy to crack. AirSnort was the first widely used WEP-cracking program and woke up nonbelievers who thought WEP was enough protection for a WLAN. AirCrack NG took up where AirSnort (and the slightly older WEPCrack) left off.
Countermeasures for Wireless Attacks
Many countermeasures, such as using certificates on all wireless devices, are time consuming and costly. If you approach securing a wireless LAN as you would a wired LAN, you’ll have a better chance of protecting corporate data and network resources. Would you allow users to have access to network resources simply because they plugged their NICs into the company’s switch or hub? Of course not. Then why would you allow users to have access to a wireless LAN simply because they have WNICs and know the company’s SSID? If a company must use wireless technology, your job is to make it as secure as possible. Be sure wireless users are authenticated before being able to access any network resources. Here are some additional guidelines to help secure a wireless network:
Countermeasures for Wireless Attacks
Use honeypots, which are hosts or networks available to the public that entice hackers to attack them instead of a company’s real network. To make it more difficult for wardrivers to discover your WLAN, you can use Black Alchemy Fake AP (available free at ww.blackalchemy.to/project/fakeap/). As its name implies, this program creates fake APs, which keeps wardrivers so busy trying to connect to nonexistent wireless networks that they don’t have time to discover your legitimate AP.
There are measures for preventing radio waves from leaving or entering a building so that wireless technology can be used only by people in the facility. One is using a certain type of paint on the walls, but this method isn’t foolproof because some radio waves can leak out if the paint isn’t applied correctly.
Use a router to filter unauthorized MAC and IP addresses and prevent them from having network access (keeping in mind that MAC and IP addresses can be spoofed, so this is not a complete control on its own).