CS423523 - PowerPoint PPT Presentation

About This Presentation
Title:

CS423523

Description:

Last time talked about attacker reconnaissance. Low tech methods ... ORiNOCO antenna, Laptop, taxi cab in NY City. One hour found 455 access points. War Driving Stats ... – PowerPoint PPT presentation

Number of Views:62
Avg rating:3.0/5.0
Slides: 40
Provided by: CarolT155
Category:
Tags: cs423523 | taxicab

Transcript and Presenter's Notes


1
CSCD 434/547
Lecture 7, Spring 2009: Reconnaissance, Scanning
2
Introduction
  • Last time talked about attacker reconnaissance
      • Low tech methods
          • Dumpster diving, social engineering, physical methods
      • Higher tech methods
          • Whois DBs, reconnaissance tools .. can read about these in the slides
  • This time
      • Google DB - overview
      • Scanning activities
          • War driving, port scanning

3
Google Basics
  • Several components to Google
      • Google Bots
          • Crawl web sites and search for information
      • Google Index
          • Massive index of web pages; the index is what gets searched. Relates pages to each other
      • Google Cache
          • Copy of 101K of text for each page
          • Even deleted pages still have copies in the Google cache
      • Google API
          • Programs perform searches and retrieve results using XML
          • Uses SOAP (Simple Object Access Protocol)
          • Need your own Google API key to use the Google API

4
Google Basics
  • Can use directives to focus a search and limit the amount of information returned
      • site:counterhack.net
          • Says to search only in counterhack.net
      • filetype:ppt site:counterhack.net
          • Limits file type to PowerPoint for the counterhack.net site
      • cache:www.counterhack.net
          • Good for removed pages
  • Combining terms gives powerful searches
      • site:wellsfargo.com filetype:xls ssn
          • Says to search only the Wells Fargo site for spreadsheets containing "ssn" (social security number)

5
Google Basics
  • If a Web page is removed
      • May still be in Google Cache
  • Another place for removed web pages
      • Wayback Machine
      • http://www.archive.org
      • Archives old web pages
  • Can search for active scripts
      • site:wellsfargo.com filetype:asp
      • site:wellsfargo.com filetype:cgi
      • site:wellsfargo.com filetype:php

7
Google Hacking
  • Something called The Google Hacking Database (GHDB)
      • Database of saved queries that identify sensitive data
      • Google blocks some of the better-known Google hacking queries, but nothing stops a hacker from crawling your site and launching Google Hacking Database queries against it directly

8
Google Hacking
  • The Google Hacking Database is located at
      • http://johnny.ihackstuff.com
      • Created by Johnny Long, a security expert
  • More information about Google hacking can be found at
      • http://www.informit.com/articles/article.asp?p=170880&rl=1

9
Scanning - Phase 2
10
Scanning Introduction
  • Scanning
      • Phase after reconnaissance, prior to attack
      • Still gathering information for the attack
  • Goal: Attackers
      • Find out which machines might be more vulnerable to attack by discovering which services are running
  • Goal: Defenders
      • To ensure that attackers gain little information during this phase

11
Scanning Introduction
  • Techniques
      • Attackers use lots of different tools and techniques for gathering information
      • War driving for WLANs, war dialing for modems, network scanning, and vulnerability scanning
  • Note from Skoudis
      • Defenders need to defend all paths into the network
      • Attackers need to find just one open path
      • Attackers have all the time in the world

12
War Driving
  • Goal
      • Locate WLANs and determine their SSIDs
  • Definition
      • Service Set ID. The SSID is the identifying name of a wireless network - strictly, it is the identifying name of a wireless access point. It allows one wireless network to be clearly distinguished from another
      • SSID transmitted in clear text by access points and all wireless cards using the access points

13
War Driving
  • War Driving
      • Invented by Peter Shipley in 2001 when he drove around Silicon Valley and found hundreds of access points
  • Why does it work?
      • 802.11 signals are only valid for a short distance, so aren't we safe from war drivers?

14
War Driving
  • Distances in 802.11
      • Signal travels 100 meters or less
      • War driving: don't need to send traffic, just detect the LAN
      • If using a high-gain antenna, researchers have shown signals can travel > 2 km
          • km to miles: 1 km = 0.62 miles
      • When both ends have a high-gain antenna, signals can travel > 100 km, or 62 miles
  • High-gain antenna (HGA): an antenna with a focused, narrow radio-wave beam
      • Narrow beam allows more precise targeting of where the radio signal goes - also known as a directional antenna
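
Why the reach of a war driver is set by the war driver's antenna rather than by the access point: free-space path loss grows 20 dB per decade of distance, so every extra 20 dB of antenna gain multiplies the usable range by 10. The code below is an added worked example, not part of the lecture slides; the 2437 MHz centre frequency (802.11b/g channel 6) and the 100 m baseline range are assumptions chosen to match the slide's figures.

```python
import math

# Free-space path loss in dB for a distance in metres and a frequency in MHz.
# The constant 32.44 belongs to the form with d in km and f in MHz
# (assumed frequency: 2437 MHz, 802.11b/g channel 6).
def path_loss_db(distance_m, freq_mhz=2437.0):
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44

# Extra antenna gain in dB (summed over both ends of the link) that exactly
# offsets the additional path loss of reaching `to_m` instead of `from_m`.
def gain_needed_db(from_m, to_m):
    return 20 * math.log10(to_m / from_m)

# Range reachable with the same radios once `extra_gain_db` of antenna gain is
# added; this is the inverse of gain_needed_db.
def range_with_extra_gain(base_range_m, extra_gain_db):
    return base_range_m * 10 ** (extra_gain_db / 20.0)

if __name__ == "__main__":
    # The slide's data points: ~100 m stock range, > 2 km with one high-gain
    # antenna, > 100 km with a high-gain antenna at each end.
    print(f"FSPL at 100 m: {path_loss_db(100):.1f} dB")
    print(f"100 m -> 2 km needs {gain_needed_db(100, 2000):.1f} dB more gain")
    print(f"2 km -> 100 km needs another {gain_needed_db(2000, 100000):.1f} dB")
    print(f"doubling the distance costs {gain_needed_db(100, 200):.1f} dB")
    print(f"100 m with +20 dB of gain: {range_with_extra_gain(100, 20):.0f} m")
```

The two slide figures are consistent with each other: going from 100 m to 2 km needs about 26 dB, which a single commercial 24 dBi grid antenna plus the stock 2 dBi card antenna supplies, and going on to 100 km needs roughly another 34 dB, which is what adding a second high-gain antenna at the far end buys. For a defender the point is that the "perimeter" of a WLAN is a link-budget question decided by the other party's equipment, not a property of the building.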

15
War Driving
  • Techniques
      • Active Scanning
      • Passive Scanning
      • Forcing de-authentication

16
War Driving
  • Active Scanning
      • Broadcast 802.11 probe packets with ESSID of "any", check for access points in range
      • Like going outside and shouting, "Who's there?"
      • Netstumbler is a free tool for doing active scanning
          • www.netstumbler.com
          • Most popular tool for actively scanning WLANs
          • Runs in Windows

17
War Driving
  • Statistics (Ed Skoudis)
      • Netstumbler
      • ORiNOCO antenna, laptop, taxi cab in NY City
      • One hour found 455 access points

18
War Driving Stats
  • http://www.theinquirer.net/inquirer/news/654/1045654/london-leads-wifi-access-points
  • From a 2008 survey by RSA, a security firm
      • London still has more wireless network access points (12,276) than
      • New York City (9,227) or
      • Paris (4,481)
  • War-driving for unsecured WiFi access points has replaced war-dialing for unprotected dial-in modems as the preferred attack mode of network intruders

19
War Driving Stats
  • Looked at Access Point Security
      • New York: 97% of corporate access points used encryption
          • Was 76% in 2007
      • Paris: 94% of corporate access points were encrypted
          • 72% had WPA or more
      • London: 20% of corporate APs unsecured
          • 48% beyond WEP

20
Netstumbler
  • What does Netstumbler do?
      • Gathers MAC address, ESSIDs, wireless channels and relative signal strength of each access point
      • Tells if security (WEP) is turned on
      • Coordinates with a GPS system
          • Locates access points on a map

21
Netstumbler
22
San Francisco Wi-Fis
23
War Driving
  • Defense Against Active Scanning
      • Configure access points to ignore probes with SSID set to "any"
      • Becomes invisible to Netstumbler
  • Active scanning alerts security people to the attacker's presence, if they are monitoring
  • Improved method is Passive Scanning

24
War Driving
  • Passive Scanning
  • Stealthier way of discovering WLANs
  • Puts wireless card into rfmon mode
  • Monitor Mode
  • Like Ethernet, promiscuous mode
  • Sniffs all wireless traffic from the air
  • Allows a machine to see all traffic on the LAN
  • Not just traffic destined for that machine

25
War Driving
  • Passive Scanning
  • Kismet by Mike Kershaw
  • Does Detailed packet capture and analysis
  • Linux but can run it in cygwin for Windows
  • www.kismetwireless.net
  • Wellenreiter - by Max Moser
  • Optimized for war-driving
  • www.remote-exploit.org
  • Runs on Linux and supports, prism2, lucent, and
    cisco wireless card types

26
War Driving
  • Passive Scanning
  • Wireless interface also supports promiscuous mode
  • Only see packets for WLAN machine is on
  • Rfmon allows a machine to view all packets within
    range from multiple WLANs
  • Doesnt associate with any of them
  • Intercepts beacons and extracts ESSIDs from them
    ESSIDs sent in clear text!

27
War Driving
  • Passive Scanning
  • After discovering wireless AP or client, gains
    ESSID
  • Listens then for ARP or DHCP traffic to determine
    MAC and IP of each discovered wireless device

28
War Driving
  • Drawback of Wellenreiter
  • If access point is configured to omit its SSID
    from its beacons and no other users are sending
    traffic to access point, wont be able to
    determine SSID
  • Will know access point is there, not its name
  • Thus, another way to get SSIDs from WLAN is to
    force clients to send traffic

29
War Driving
  • De-authentication
  • ESSID-Jack is a tool that is part of Airjack
    toolkit
  • If WLAN ignores probes with SSID of any and
    omits SSID information from beacons, and no
    active traffic is going to it,
  • What do you do?
  • Use De-authentication!
  • Assume there are clients who have previously been
    authenticated to an access point

30
War Driving
  • Steps to de-authenticate and get SSID
  • 1. Attacker first sends wireless
    de-authentication message to broadcast address of
    the LAN
  • Spoofing MAC address of access point (AP)?
  • MAC address was previously grabbed from
    management frames using Kismet or Wellenreiter
  • 2. Client accepts de-authentication message as
    coming from access point
  • Result is that client will disconnect from WLAN
  • 3. Client then tries to re-associate with WLAN by
    sending an association message with SSID in clear
    text
  • 4. Attacker sniffs for association frame and gets
    SSID

31
Disassociation and Rogue AP
Sniffs association frame packet for SSID
32
War Driving
  • De-authentication Why it works
  • Wireless clients accept wireless control messages
    without authentication!!!
  • Believes attacker is AP
  • Attacker can force client off WLAN by merely
    spoofing APs MAC address
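
Both the passive-scanning slides (beacons carry the ESSID in the clear, or a zero-length SSID element when the AP hides it, plus the privacy bit that tells tools like Netstumbler whether WEP is on) and the de-authentication slides can be seen from the defender's side with one small parser over raw 802.11 management frames. The code below is an added example; it is not from the lecture and not the code of Kismet, Wellenreiter or Airjack. The frames are constructed inline with made-up MAC addresses and SSIDs, and the `detect_deauth_flood` threshold is an assumed tuning value. It pulls BSSID, SSID, channel and privacy flag out of beacons, flags hidden SSIDs, and counts broadcast de-authentication frames claiming to come from one of our own APs, which is the condition a wireless IDS alerts on.

```python
import struct
from collections import Counter

# 802.11 frame control (little-endian 16-bit): bits 2-3 type, bits 4-7 subtype.
MGMT_TYPE = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
HDR_LEN = 24          # frame control, duration, addr1-3, sequence control
CAP_PRIVACY = 0x0010  # beacon capability bit: WEP/WPA required to associate

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(p, 16) for p in s.split(":"))

def parse_header(frame):
    """Split a management frame into (type, subtype, DA, SA, BSSID, body)."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    da, sa, bssid = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    return ftype, subtype, da, sa, bssid, frame[HDR_LEN:]

def parse_beacon(body):
    """What a passive scanner learns from one beacon without transmitting."""
    if len(body) < 12:
        raise ValueError("beacon body truncated")
    cap, = struct.unpack_from("<H", body, 10)  # after timestamp(8) + interval(2)
    info = {"ssid": None, "hidden": False, "channel": None,
            "privacy": bool(cap & CAP_PRIVACY)}
    pos = 12
    while pos + 2 <= len(body):                # walk the information elements
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            break                              # truncated IE: stop, don't overrun
        if tag == 0:                           # SSID element
            if not data.strip(b"\x00"):        # empty or all-NUL = hidden SSID
                info["hidden"] = True
            else:
                info["ssid"] = data.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:         # DS Parameter Set = channel
            info["channel"] = data[0]
        pos += 2 + length
    return info

def scan_beacons(frames):
    """Passive scan over captured frames: BSSID -> beacon details."""
    seen = {}
    for frame in frames:
        ftype, subtype, _da, _sa, bssid, body = parse_header(frame)
        if ftype == MGMT_TYPE and subtype == SUBTYPE_BEACON:
            seen[bssid] = parse_beacon(body)
    return seen

def detect_deauth_flood(frames, our_aps, threshold=10):
    """Defender check: broadcast de-auths that claim to come from our own APs.
    A real AP seldom kicks every client at once, so a burst at or above
    `threshold` (assumed tuning value) is reported as a spoofed flood."""
    counts = Counter()
    for frame in frames:
        ftype, subtype, da, sa, _bssid, _body = parse_header(frame)
        if (ftype == MGMT_TYPE and subtype == SUBTYPE_DEAUTH
                and da == BROADCAST and sa in our_aps):
            counts[sa] += 1
    return {ap: n for ap, n in counts.items() if n >= threshold}

# --- constructed sample capture (made-up addresses and SSIDs) -----------------
def build_mgmt_frame(subtype, da, sa, bssid, body):
    fc = (MGMT_TYPE << 2) | (subtype << 4)           # protocol version 0, no flags
    return (struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa)
            + mac_bytes(bssid) + struct.pack("<H", 0) + body)

def build_beacon_body(ssid, channel, privacy):
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit (+ privacy bit)
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return struct.pack("<QHH", 0, 100, cap) + ies    # timestamp, interval, capability

AP_OPEN, AP_CORP, AP_HIDDEN = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_OPEN, AP_OPEN, build_beacon_body(b"coffeeshop", 6, False)),
    build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_CORP, AP_CORP, build_beacon_body(b"corp-wlan", 11, True)),
    build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_HIDDEN, AP_HIDDEN, build_beacon_body(b"", 1, True)),
] + [  # twelve broadcast de-auths "from" the corporate AP, reason code 7
    build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP_CORP, AP_CORP, struct.pack("<H", 7))
    for _ in range(12)
]

if __name__ == "__main__":
    for bssid, info in scan_beacons(SAMPLE_FRAMES).items():
        print(bssid, info)
    print("deauth flood:", detect_deauth_flood(SAMPLE_FRAMES, {AP_CORP}))
```

Hiding the SSID only removes the name from the beacon; the BSSID, channel and privacy bit stay visible, which is exactly the "will know the access point is there, not its name" point from the Wellenreiter slide. The de-authentication check works because the attack described above depends on management frames that carry no authentication; IEEE 802.11w (Protected Management Frames) closes that gap by authenticating de-authentication frames, and where 802.11w is not available a monitoring sensor running a check like this one is the detective control.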

33
Defenses to War Driving
  • Can set AP to omit SSID from Beacon packet
  • Not broadcasting name to the world!
  • Set up stronger authentication to APs
  • MAC address is not a great form of authentication
  • MAC addresses can be easily reset to anything in
    Linux or Unix
  • ifconfig eth0 hw ether mymacaddress
  • Windows a bit harder
  • Use strong authentication with 802.11i not WEP

34
Defenses to War Driving
  • Recommend use of Virtual Private Networks
  • VPNs use encryption
  • Help prevent sniffing of traffic
  • VPNs typically deployed across the Internet to
    connect clients securely to corporate networks
  • Yet, can serve similar purpose for wireless
    networks in home corporate environment

35
War Driving
  • http//www.wardrive.net/wardriving/faq
  • Is it illegal to War drive?
  • legality of wardriving hasn't been tested, but
    few people think that wardriving itself is
    illegal.
  • What is illegal is connecting to and using
    networks without the network owner's permission
  • Which is what most people call "breaking into a
    network"?
  • Wardriving has taken some hits by press because
    network crackers will sometimes use wardriving
    tools to locate networks to break into.

36
War Driving
  • Staying within legal bounds
  • Adhere to a relatively strict code of ethics
  • Don't look.
  • Don't touch.
  • Don't play through.
  • In other words,
  • 1) don't examine the contents of a network
  • 2) don't add, delete, or change anything on the
    network, and
  • 3) don't even use the network's Internet
    connection for Web surfing, email, chat, FTP, or
    anything else.
  • Somebody else paid for the bandwidth, and if you
    don't have permission to use it, you're stealing
    it

37
Summary
  • Reconnaissance
  • Google Hacking
  • Looked at one method of Scanning
  • War-driving
  • Great way to locate wireless machines and
    networks
  • Potential entry into the network of targets

38
Resources
  • URL's Wireless
  • www.wardrive.com
  • wardrive.net
  • www.netstumbler.net
  • www.remote-exploit.org
  • www.kismetwireless.net
  • http//sourceforge.net/projects/airjack
  • Books
  • http//www.amazon.com/gp/product/0764597302

39
The End
  • Next Time
  • Network Scanning
  • CounterHack Reloaded Ch. 6
