Hacking Wireless Networks For Dummies

by Kevin Beaver and Peter T. Davis

Foreword by Devin K. Akin, Chief Technology Officer, The Certified Wireless Network Professional (CWNP) Program

At a Glance

Part I: Building the Foundation for Testing Wireless Networks
  Chapter 1: Introduction to Wireless Hacking
  Chapter 2: The Wireless Hacking Process
  Chapter 3: Implementing a Testing Methodology
  Chapter 4: Amassing Your War Chest
Part II: Getting Rolling with Common Wi-Fi Hacks
  Chapter 5: Human (In)Security
  Chapter 6: Containing the Airwaves
  Chapter 7: Hacking Wireless Clients
  Chapter 8: Discovering Default Settings
  Chapter 9: Wardriving
Part III: Advanced Wi-Fi Hacks
  Chapter 10: Still at War
  Chapter 11: Unauthorized Wireless Devices
  Chapter 12: Network Attacks
  Chapter 13: Denial-of-Service Attacks
  Chapter 14: Cracking Encryption
  Chapter 15: Authenticating Users
Part IV: The Part of Tens
  Chapter 16: Ten Essential Tools for Hacking Wireless Networks
  Ten Wireless Security-Testing Mistakes
  Ten Tips for Following Up after Your Testing
Part V: Appendixes
  Appendix A: Wireless Hacking Resources
  Appendix B: Glossary of Acronyms




Book Details
Price: 2.00 USD
Pages: 387
File Size: 11,233 KB
File Type: PDF
ISBN-13: 978-0-7645-9730-5
ISBN-10: 0-7645-9730-2
Copyright: 2005 by Wiley Publishing, Inc.

About the Author
Kevin Beaver is founder and information security advisor with Principle
Logic, LLC, an Atlanta-based information-security services firm. He has over
17 years of experience in the IT industry and specializes in information
security assessments for those who take security seriously — and incident
response for those who don’t. Before starting his own information-security
services business, Kevin served in various information-technology and security
roles for several healthcare, e-commerce, financial, and educational institutions.

Kevin is author of Hacking For Dummies as well as the e-book The Definitive
Guide to Email Management and Security (Realtimepublishers.com). In addition,
Kevin co-authored The Practical Guide to HIPAA Privacy and Security
Compliance (Auerbach Publications). He was also a contributing author and
editor of Healthcare Information Systems, 2nd ed., (Auerbach Publications),
and technical editor of Network Security For Dummies.

Kevin is a regular columnist and information-security expert for SearchSecurity.com,
SearchWindowsSecurity.com, SearchNetworking.com, SearchExchange.com,
and SearchSmallBizIT.com. He also serves as a contributing editor
for HCPro’s Briefings on HIPAA newsletter and is a Security Clinic Expert
for ITsecurity.com. In addition, Kevin’s information-security work has
been published in Information Security Magazine, SecurityFocus.com,
and Computerworld.com. Kevin is an information-security instructor for
the Southeast Cybercrime Institute, and frequently speaks on information
security at various conferences for CSI, TechTarget, IIA, SecureWorld Expo,
and the Cybercrime Summit.

Kevin earned his bachelor’s degree in Computer Engineering Technology from
Southern Polytechnic State University and his master’s degree in Management
of Technology from Georgia Tech. He also holds MCSE, Master CNE, and IT
Project+ certifications. Kevin can be reached at kbeaver@principlelogic.com.

Peter T. Davis (CISA, CMA, CISSP, CWNA, CCNA, CMC, CISM) founded Peter
Davis+Associates (a very original name) as a firm specializing in the security,
audit, and control of information. A 30-year information-systems veteran,
Mr. Davis’s career includes positions as programmer, systems analyst, security
administrator, security planner, information-systems auditor, and consultant.
Peter is also the founder (and past President) of the Toronto ISSA chapter,
past Recording Secretary of the ISSA’s International Board, and past Computer
Security Institute Advisory Committee member. Mr. Davis has written or
co-written numerous articles and 10 books, including Wireless Networks For
Dummies and Securing and Controlling Cisco Routers. In addition, Peter was
the technical editor for Hacking For Dummies and Norton Internet Security
For Dummies. Peter is listed in the International Who’s Who of Professionals.
In addition, he was only the third editor in the three-decade history of
EDPACS, a publication in the field of security, audit, and control. He finds
time to be a part-time lecturer in data communications at Seneca College
(http://cs.senecac.on.ca). He lives with his wife Janet, daughter Kelly,
two cats, and a dog in Toronto, Ontario.

About This Book
Hacking Wireless Networks For Dummies is inspired by the original Hacking
For Dummies book, which Kevin authored and for which Peter performed the
technical editing. Hacking For Dummies covered a broad range of security-testing
topics, but this book focuses specifically on 802.11-based wireless networks.
The techniques we outline are based on information-security best practices,
as well as various unwritten rules of engagement. This book covers the entire
ethical-hacking process, from establishing your plan to carrying out the tests
to following up and implementing countermeasures to ensure your wireless
systems are secure.

There are literally hundreds, if not thousands, of ways to hack wireless network
systems such as (for openers) laptops and access points (APs). Rather
than cover every possible vulnerability that may rear its head in your wireless
network, we’re going to cover just the ones you should be most concerned
about. The tools and techniques we describe in this book can help
you secure wireless networks at home, in small-to-medium sized businesses
(SMBs) including coffee shops, and even across large enterprise networks.

Introduction
Welcome to Hacking Wireless Networks For Dummies. This book outlines
plain-English, wireless-network hacker tricks and techniques you can
use to ethically hack 802.11-based wireless networks (yours or someone else’s
if you’ve been given permission) and discover security vulnerabilities. By
turning the tables and using ethical hacking techniques, you then have a leg
up on the malicious hackers — you’ll be aware of any vulnerabilities that
exist and be able to plug the holes before the bad guys have a chance to exploit them.

When we refer to ethical hacking, we mean the professional, aboveboard, and
legal type of security testing that you — as an IT professional — can perform
as part of your job. Villains need not apply.

Wireless networks are popping up everywhere. They provide a lot of freedom
but not without cost: All too many wireless networks are left wide open for
attack. As with any other computer or network, you must be up on the latest
security concepts to properly secure 802.11-based wireless networks. But
locking them down involves more than just port scanning and patching
vulnerabilities. You must also have the right security tools, use the
proper testing techniques, and possess a watchful eye. And know your enemy:
It’s critical to think like a hacker to get a true sense of how secure your information really is.

Ethical hacking is a means of using the bad-guy (black-hat) techniques for
good-guy (white-hat) purposes. It’s testing your information systems with the
goal of making them more secure — and keeping them that way. This type of
security testing is sometimes called penetration testing, white-hat hacking, or
vulnerability testing, but it goes further than that as you’ll see when we outline
the methodology in this book.

If you use the resources provided in this book, maintain a security-focused
mindset, and dedicate some time for testing, we believe you’ll be well on your
way to finding the weaknesses in your wireless systems and implementing
countermeasures to keep the bad guys off your airwaves and out of your business.

The ethical hacking tests and system-hardening tips outlined in this book can
help you test and protect your wireless networks at places like warehouses,
coffee shops, your office building, your customer sites, and even at your house.

Table of Contents
Foreword ..................................................................xvii
Introduction .................................................................1
Who Should Read This Book? ........................................................................2
About This Book ..............................................................................................2
How to Use This Book ....................................................................................2
Foolish Assumptions ......................................................................................3
How This Book Is Organized ..........................................................................3
Part I: Building the Foundation for Testing Wireless Networks ......4
Part II: Getting Rolling with Common Wi-Fi Hacks ............................4
Part III: Advanced Wi-Fi Hacks .............................................................4
Part IV: The Part of Tens .......................................................................5
Part V: Appendixes ................................................................................5
Icons Used in This Book .................................................................................5
Where to Go from Here ...................................................................................6
Part I: Building the Foundation
for Testing Wireless Networks .......................................7
Chapter 1: Introduction to Wireless Hacking . . . . . . . . . . . . . . . . . . . . .9
Why You Need to Test Your Wireless Systems ..........................................10
Knowing the dangers your systems face ..........................................11
Understanding the enemy ..................................................................12
Wireless-network complexities ..........................................................14
Getting Your Ducks in a Row .......................................................................15
Gathering the Right Tools ............................................................................16
To Protect, You Must Inspect ......................................................................17
Non-technical attacks .........................................................................17
Network attacks ...................................................................................18
Software attacks ..................................................................................18
Chapter 2: The Wireless Hacking Process . . . . . . . . . . . . . . . . . . . . . .19
Obeying the Ten Commandments of Ethical Hacking ..............................19
Thou shalt set thy goals .....................................................................20
Thou shalt plan thy work, lest thou go off course ..........................21
Thou shalt obtain permission ............................................................21
Thou shalt work ethically ...................................................................22
Thou shalt keep records .....................................................................22
Thou shalt respect the privacy of others .........................................23
Thou shalt do no harm .......................................................................23
Thou shalt use a “scientific” process ...............................................24
Thou shalt not covet thy neighbor’s tools .......................................24
Thou shalt report all thy findings .....................................................25
Understanding Standards ............................................................................26
Using ISO 17799 ...................................................................................26
Using CobiT ..........................................................................................27
Using SSE-CMM ....................................................................................27
Using ISSAF ...........................................................................................27
Using OSSTMM ....................................................................................28
Chapter 3: Implementing a Testing Methodology . . . . . . . . . . . . . . . . .31
Determining What Others Know .................................................................32
What you should look for ...................................................................32
Footprinting: Gathering what’s in the public eye ............................33
Mapping Your Network .................................................................................35
Scanning Your Systems ................................................................................37
Determining More about What’s Running ..................................................39
Performing a Vulnerability Assessment .....................................................39
Manual assessment .............................................................................40
Automatic assessment ........................................................................40
Finding more information ...................................................................41
Penetrating the System ................................................................................41
Chapter 4: Amassing Your War Chest . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Choosing Your Hardware .............................................................................44
The personal digital assistant ............................................................44
The portable or laptop .......................................................................44
Hacking Software ...........................................................................................45
Using software emulators ...................................................................45
Linux distributions on CD ..................................................................55
Stumbling tools ....................................................................................56
You got the sniffers? ............................................................................56
Picking Your Transceiver .............................................................................57
Determining your chipset ...................................................................57
Buying a wireless NIC ..........................................................................59
Extending Your Range ...................................................................................59
Using GPS .......................................................................................................62
Signal Jamming ..............................................................................................63
Part II: Getting Rolling with Common Wi-Fi Hacks .......65
Chapter 5: Human (In)Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
What Can Happen .........................................................................................68
Ignoring the Issues ........................................................................................69
Social Engineering .........................................................................................70
Passive tests .........................................................................................71
Active tests ...........................................................................................73
Unauthorized Equipment .............................................................................74
Default Settings ..............................................................................................76
Weak Passwords ............................................................................................77
Human (In)Security Countermeasures .......................................................78
Enforce a wireless security policy .....................................................78
Train and educate ...............................................................................79
Keep people in the know ....................................................................79
Scan for unauthorized equipment .....................................................80
Secure your systems from the start ..................................................80
Chapter 6: Containing the Airwaves . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Signal Strength ...............................................................................................81
Using Linux Wireless Extension and Wireless Tools .......................81
Using Wavemon ...................................................................................87
Using Wscan .........................................................................................88
Using Wmap .........................................................................................88
Using XNetworkStrength ....................................................................88
Using Wimon ........................................................................................88
Other link monitors .............................................................................88
Network Physical Security Countermeasures ...........................................90
Checking for unauthorized users ......................................................90
Antenna type ........................................................................................91
Adjusting your signal strength ..........................................................94
Chapter 7: Hacking Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .97
What Can Happen .........................................................................................98
Probing for Pleasure .....................................................................................99
Port scanning .......................................................................................99
Using VPNMonitor .............................................................................102
Looking for General Client Vulnerabilities ...............................................103
Common AP weaknesses ..................................................................104
Linux application mapping ...............................................................105
Windows null sessions ......................................................................106
Ferreting Out WEP Keys .............................................................................109
Wireless Client Countermeasures .............................................................111
Chapter 8: Discovering Default Settings . . . . . . . . . . . . . . . . . . . . . . .113
Collecting Information ................................................................................113
Are you for Ethereal? ........................................................................113
This is AirTraf control, you are cleared to sniff ............................114
Let me AiroPeek at your data ..........................................................114
Another CommView of your data ....................................................115
Gulpit ...................................................................................................117
That’s Mognet not magnet ...............................................................119
Other analyzers .................................................................................119
Cracking Passwords ....................................................................................120
Using Cain & Abel ..............................................................................120
Using dsniff .........................................................................................124
Gathering IP Addresses ..............................................................................125
Gathering SSIDs ...........................................................................................126
Using essid_jack ................................................................................127
Using SSIDsniff ...................................................................................128
Default-Setting Countermeasures .............................................................128
Change SSIDs ......................................................................................128
Don’t broadcast SSIDs .......................................................................129
Using pong ..........................................................................................129
Detecting sniffers ...............................................................................129
Chapter 9: Wardriving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Introducing Wardriving ..............................................................................131
Installing and Running NetStumbler .........................................................133
Setting Up NetStumbler ..............................................................................134
Interpreting the Results ..............................................................................141
Mapping Your Stumbling ............................................................................148
Using StumbVerter and MapPoint ...................................................149
Using Microsoft Streets & Trips .......................................................150
Using DiGLE ........................................................................................151
Part III: Advanced Wi-Fi Hacks .................................153
Chapter 10: Still at War . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Using Advanced Wardriving Software ......................................................155
Installing and using Kismet ..............................................................156
Installing and using Wellenreiter .....................................................167
Using WarLinux ..................................................................................168
Installing and using MiniStumbler ...................................................170
Using other wardriving software .....................................................173
Organization Wardriving Countermeasures ............................................174
Using Kismet ......................................................................................174
Disabling probe responses ...............................................................175
Increasing beacon broadcast intervals ..........................................175
Fake ’em out with a honeypot ..........................................................175
Chapter 11: Unauthorized Wireless Devices . . . . . . . . . . . . . . . . . . . .177
What Can Happen .......................................................................................178
Wireless System Configurations ................................................................179
Characteristics of Unauthorized Systems ................................................181
Wireless Client Software .............................................................................184
Stumbling Software .....................................................................................186
Network-Analysis Software ........................................................................188
Browsing the network .......................................................................188
Probing further ..................................................................................191
Additional Software Options ......................................................................193
Online Databases ........................................................................................193
Unauthorized System Countermeasures ..................................................193
Chapter 12: Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
What Can Happen .......................................................................................196
MAC-Address Spoofing ...............................................................................197
Changing your MAC in Linux ...........................................................198
Tweaking your Windows settings ....................................................199
SMAC’ing your address .....................................................................203
A walk down MAC-Spoofing Lane ....................................................204
Who’s that Man in the Middle? ..................................................................208
Management-frame attacks ..............................................................209
ARP-poisoning attacks ......................................................................211
SNMP: That’s Why They Call It Simple .....................................................213
All Hail the Queensland Attack ..................................................................217
Sniffing for Network Problems ...................................................................218
Network-analysis programs .............................................................218
Network analyzer tips .......................................................................219
Weird stuff to look for .......................................................................220
Network Attack Countermeasures ............................................................222
Chapter 13: Denial-of-Service Attacks . . . . . . . . . . . . . . . . . . . . . . . . .225
What Can Happen .......................................................................................227
Types of DoS attacks .........................................................................227
It’s so easy ..........................................................................................228
We Be Jamming ............................................................................................229
Common signal interrupters ............................................................230
What jamming looks like ..................................................................230
Fight the power generators ..............................................................232
AP Overloading ............................................................................................234
Guilty by association ........................................................................234
Too much traffic ................................................................................240
Are You Dis’ing Me? ....................................................................................241
Disassociations ..................................................................................242
Deauthentications .............................................................................242
Invalid authentications via fata_jack ..............................................249
Physical Insecurities ...................................................................................250
DoS Countermeasures ................................................................................251
Know what’s normal .........................................................................251
Contain your radio waves ................................................................251
Limit bandwidth ................................................................................253
Use a Network Monitoring System ..................................................253
Use a WIDS .........................................................................................253
Attack back .........................................................................................254
Demand fixes ......................................................................................254
Chapter 14: Cracking Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
What Can Happen .......................................................................................255
Protecting Message Privacy .......................................................................256
Protecting Message Integrity .....................................................................256
Using Encryption .........................................................................................257
WEP Weaknesses .........................................................................................259
Other WEP Problems to Look For .............................................................261
Attacking WEP .............................................................................................263
Active traffic injection ......................................................................263
Active attack from both sides ..........................................................263
Table-based attack ............................................................................264
Passive attack decryption ................................................................264
Cracking Keys ..............................................................................................264
Using WEPcrack .................................................................................265
Using AirSnort ....................................................................................267
Using aircrack ....................................................................................269
Using WepLab ....................................................................................273
Finding other tools ............................................................................274
Countermeasures Against Home Network-Encryption Attacks ............274
Rotating keys .....................................................................................275
Using WPA ..........................................................................................275
Organization Encryption Attack Countermeasures ................................277
Using WPA2 ........................................................................................278
Using a VPN ........................................................................................278
Chapter 15: Authenticating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Three States of Authentication ..................................................................281
Authentication according to IEEE 802.11 .......................................282
I Know Your Secret ......................................................................................283
Have We Got EAP? .......................................................................................284
This method seems easy to digest ..................................................285
Not another PEAP out of you ...........................................................286
Another big LEAP for mankind ........................................................286
That was EAP-FAST ............................................................................287
Beam me up, EAP-TLS .......................................................................287
EAP-TTLS: That’s funky software ....................................................288
Implementing 802.1X ..................................................................................288
Cracking LEAP .............................................................................................290
Using asleap .......................................................................................291
Using THC-LEAPcracker ...................................................................292
Using anwrap .....................................................................................293
Network Authentication Countermeasures .............................................293
WPA improves the 8021.1 picture ....................................................293
Using WPA2 ........................................................................................294
Using a VPN ........................................................................................295
WIDS ....................................................................................................296
Use the right EAP ...............................................................................297
Setting up a WDMZ ............................................................................297
Using the Auditor Collection ............................................................297
Part IV: The Part of Tens ...........................................301
Chapter 16: Ten Essential Tools for Hacking Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Laptop Computer ........................................................................................303
Wireless Network Card ...............................................................................304
Antennas and Connecting Cables .............................................................304
GPS Receiver ................................................................................................304
Stumbling Software .....................................................................................304
Wireless Network Analyzer ........................................................................305
Port Scanner ................................................................................................305
Vulnerability Assessment Tool ..................................................................305
Google ...........................................................................................................305
An 802.11 Reference Guide .........................................................................305
Chapter 17: Ten Wireless Security-Testing Mistakes . . . . . . . . . . . .307
Skipping the Planning Process ..................................................................307
Not Involving Others in Testing ................................................................308
Not Using a Methodology ...........................................................................308
Forgetting to Unbind the NIC When Wardriving ......................................309
Failing to Get Written Permission to Test ................................................312
Failing to Equip Yourself with the Proper Tools .....................................313
Over-Penetrating Live Networks ...............................................................314
Using Data Improperly ................................................................................314
Failing to Report Results or Follow Up .....................................................314
Breaking the Law .........................................................................................316
Chapter 18: Ten Tips for Following Up after Your Testing . . . . . . . . .321
Organize and Prioritize Your Results ........................................................321
Prepare a Professional Report ...................................................................322
Retest If Necessary .....................................................................................322
Obtain Sign-Off .............................................................................................322
Plug the Holes You Find ..............................................................................323
Document the Lessons Learned ................................................................323
Repeat Your Tests .......................................................................................323
Monitor Your Airwaves ..............................................................................324
Practice Using Your Wireless Tools ..........................................................324
Keep Up with Wireless Security Issues ....................................................324
Part V: Appendixes ...................................................325
Appendix A: Wireless Hacking Resources . . . . . . . . . . . . . . . . . . . . .327
Certifications ...............................................................................................327
General Resources ......................................................................................327
Hacker Stuff ..................................................................................................328
Wireless Organizations ...............................................................................328
Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org ...................................328
Wi-Fi Alliance (formerly WECA): www.wifialliance.com ...............329
Local Wireless Groups ................................................................................329
Security Awareness and Training ..............................................................331
Wireless Tools ..............................................................................................331
General tools ......................................................................................331
Vulnerability databases ....................................................................332
Linux distributions ............................................................................332
Software emulators ...........................................................................333
RF prediction software ......................................................................333
RF monitoring ....................................................................................333
Antennae .............................................................................................335
Wardriving ..........................................................................................335
Wireless IDS/IPS vendors ..................................................................336
Wireless sniffers ................................................................................337
WEP/WPA cracking ............................................................................338
Cracking passwords ..........................................................................338
Dictionary files and word lists .........................................................339
Gathering IP addresses and SSIDs ...................................................339
LEAP crackers ....................................................................................340
Network mapping ..............................................................................340
Network scanners ..............................................................................340
Appendix B: Glossary of Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Index........................................................................347


Who Should Read This Book?
If you want to find out how to maliciously break into wireless networks this
book is not for you. In fact, we feel so strongly about this, we provide the following disclaimer.
If you choose to use the information in this book to maliciously hack or
break into wireless systems in an unauthorized fashion — you’re on your
own. Neither Kevin nor Peter as the co-authors nor anyone else associated
with this book shall be liable or responsible for any unethical or criminal
choices you may make using the methodologies and tools we describe. This
book and its contents are intended solely for IT professionals who wish to
test the security of wireless networks in an authorized fashion.

So, anyway, this book is for you if you’re a network administrator, information-security
manager, security consultant, wireless-network installer, or anyone
interested in finding out more about testing 802.11-based wireless networks
in order to make them more secure — whether it’s your own wireless network
or that of a client that you’ve been given permission to test.

How to Use This Book
This book bases its approach on three standard ingredients of ethical-hacking
wisdom:
• Descriptions of various non-technical and technical hack attacks — and
their detailed methodologies
• Access information to help you get hold of common freeware, open-source,
and commercial security-testing tools
• Countermeasures to protect wireless networks against attacks
Each chapter is an individual reference on a specific ethical-hacking subject.
You can refer to individual chapters that pertain to the type of testing
you wish to perform, or you can read the book straight through.

Before you start testing your wireless systems, it’s important to familiarize
yourself with the information in Part I so you’re prepared for the tasks at
hand. You’ve undoubtedly heard the saying, “If you fail to plan, you plan to
fail.” Well, it applies especially to what we’re covering here.