Hacking Wireless Networks - PowerPoint PPT Presentation

Provided by: Ap687
Slides: 27

1
Hacking Wireless Networks
2
Technology - wireless
  • Wireless technology describes equipment and
    technologies operating in the radio frequency
    (RF) spectrum between 3 Hz and 300 GHz.
  • Examples of wireless equipment include cell
    phones, AM/FM radios, wireless networking
    devices, and radar systems.
  • Most wireless networking equipment operates in a
    smaller portion of the RF spectrum, between 2.4
    GHz and 66 GHz.

3
Components of a Wireless Network
  • Wireless network interface cards (WNICs), which
    transmit and receive wireless signals
  • Access points (APs), which are the bridge between
    wired and wireless networks
  • Wireless networking protocols, such as Wi-Fi
    Protected Access (WPA)
  • A portion of the RF spectrum, which replaces wire
    as the connection medium

4
Access Points
  • An access point (AP) is a radio transceiver that
    connects to a network via an Ethernet cable and
    bridges a wireless LAN (WLAN) with a wired
    network.
  • An AP is where RF channels are configured.
  • APs are what hackers look for when they drive
    around with an antenna and a laptop computer
    scanning for access.

5
NetStumbler
6
Service Set Identifiers
  • A service set identifier (SSID) is the name used
    to identify a WLAN, much the same way a workgroup
    is used on a Windows network.
  • An SSID is configured on the AP as a unique, 1-to
    32-character, case-sensitive alphanumeric name.
  • The AP usually beacons (broadcasts) the SSID
    several times a second so that users who have
    WNICs can see a display of all WLANs within range
    of the AP's signal.

7
Service Set Identifiers
  • Many vendors have SSIDs set to a default value
    that companies never change.
  • For example, Cisco APs use the default SSID
    tsunami. The referenced table shows some default
    SSIDs as of this writing, but this list changes
    often, sometimes daily.

8
(No Transcript)
9
dd-wrt
  • dd-wrt is a Linux-based embedded OS that replaces
    the embedded OS used on hundreds of routers from
    Linksys, D-Link, Netgear, Belkin, Microsoft, U.S.
    Robotics, Dell, Buffalo, and many others.

10
(No Transcript)
11
(No Transcript)
12
Disable SSID Broadcasting
  • Disabling SSID broadcasting does not hide a WLAN
    from a passive wireless sniffer, such as Kismet.
  • Unlike NetStumbler, which can pick up only
    broadcasted SSIDs, Kismet can detect SSIDs in
    WLAN client traffic.

13
Understanding Wireless Network Standards
14
Signal Modulation
  • For data to be moved over radio waves, it must be
    modulated on the carrier signal or channel.
  • Modulation defines how data is placed on a
    carrier signal.
  • Spread spectrum modulation means data is spread
    across a large-frequency bandwidth instead of
    traveling across just one frequency band.
  • In other words, a group of radio frequencies is
    selected, and the data is spread across this
    group.

15
Spread spectrum, the most widely used WLAN
technology, uses the following methods:
  • Frequency-hopping spread spectrum (FHSS): Data
    hops to other frequencies to avoid interference
    that might occur over a frequency band. This
    hopping from one frequency to another occurs at
    split-second intervals and makes it difficult for
    an intruder or attacker to jam the communication
    channel.
  • Direct sequence spread spectrum (DSSS): DSSS
    differs from FHSS in that it spreads data
    packets simultaneously over multiple frequencies
    instead of hopping to other frequencies.
  • Orthogonal frequency division multiplexing
    (OFDM): The bandwidth is divided into a series of
    frequencies called tones, which allows a higher
    throughput (data transfer rate) than FHSS and
    DSSS do.

16
Understanding Wardriving
  • Wardriving is the practice of detecting access
    points that haven't been secured.
  • Most APs have no passwords or security measures,
    so wardriving can be quite rewarding for hackers.
  • As of this writing, wardriving isn't illegal;
    using the resources of networks discovered with
    wardriving is, of course, a different story.
  • Wardriving has now been expanded to include
    warflying, which is done by using an airplane
    wired with an antenna and the same software used
    in wardriving.

17
How It Works
  • To conduct wardriving, an attacker or a security
    tester simply drives around with a laptop
    computer containing a WNIC, an antenna, and
    software that scans the area for SSIDs. Not all
    WNICs are compatible with scanning software, so
    you might want to look at the software
    requirements first before purchasing the
    hardware.
  • Antenna prices vary, depending on their quality
    and the range they can cover. Some are as small
    as a cell phone's antenna, and some are as large
    as a bazooka, which you might have seen in old
    war films. The larger ones can sometimes return
    results on networks miles away from the attacker.
    The smaller ones might require being in close
    proximity to the AP.
  • Most scanning software detects the company's
    SSID, the type of security enabled, and the
    signal strength, indicating how close the AP is
    to the attacker. Because attacks against WEP are
    simple and attacks against WPA are possible, any
    802.11 connection not using WPA2 should be
    considered inadequately secured. The following
    sections introduce some tools that many wireless
    hackers and security professionals use.

18
NetStumbler
  • A Windows tool that enables detecting WLANs
  • Verifying the WLAN configuration
  • Detecting other wireless networks that might be
    interfering with a WLAN
  • Detecting unauthorized APs that might have been
    placed on a WLAN
  • Another feature of NetStumbler is its capability
    to interface with a GPS, enabling a security
    tester or hacker to map out locations of all
    WLANs the software detects.

19
NetStumbler
  • When the program identifies an AP's signal, it
    logs the SSID, MAC address of the AP,
    manufacturer of the AP, channel on which the
    signal was heard, strength of the signal, and
    whether encryption is enabled (but not a specific
    encryption type).
  • For those with mechanical ability, numerous Web
    sites have instructions on building your own
    antenna with empty bean cans, potato chip cans,
    and the like. You can also purchase a decent
    antenna for about $50.

20
Kismet
  • Kismet is free and runs on Linux, BSD UNIX, Mac
    OS X, and even Linux PDAs. The software is
    advertised as being more than just a wireless
    network detector.
  • Kismet is also a sniffer and an intrusion
    detection system. Its features include:
  • Wireshark- and Tcpdump-compatible data logging
  • Compatibility with AirSnort and AirCrack
  • Network IP range detection
  • Detection of hidden network SSIDs
  • Graphical mapping of networks
  • Manufacturer and model identification of APs and
    clients
  • Detection of known default AP configurations

21
Kismet
  • Unlike NetStumbler and iwScanner, which rely on
    an AP to send out a beacon, Kismet is a passive
    scanner, so it can detect even hidden network
    SSIDs.

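The following Python, added here as an example and not part of the slides, shows why disabling SSID broadcasting (slide 12) does not defeat a passive scanner (slide 21): it parses constructed 802.11 management frames, treats a beacon with an empty SSID element as a hidden network, and recovers the name from a probe response, as Kismet does. The frames, BSSID and SSID are constructed sample data; the frame builder uses a simplified header (broadcast addr1, no FCS).

```python
# Constructed 802.11 management frames, not captured traffic: shows why a
# beacon with the SSID suppressed does not hide the network from a sniffer.
BEACON, PROBE_REQ, PROBE_RESP = 0x8, 0x4, 0x5
# Bytes of fixed fields (timestamp, interval, capability) before the IEs.
FIXED = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0}
HDR = 24  # frame control, duration, addr1, addr2, addr3, sequence control

def parse_mgmt(frame: bytes):
    """Return (subtype, bssid, ssid) for a management frame, else None."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED:
        return None
    bssid = frame[16:22].hex(":")  # addr3 carries the BSSID
    body, i, ssid = frame[HDR + FIXED[subtype]:], 0, None
    while i + 2 <= len(body):  # walk the tagged information elements
        tag, length = body[i], body[i + 1]
        if tag == 0:  # element ID 0 is the SSID
            ssid = body[i + 2:i + 2 + length].decode("utf-8", "replace")
            break
        i += 2 + length
    return subtype, bssid, ssid

def reveal_hidden_ssids(frames):
    """Map BSSID -> {'hidden': bool, 'ssid': str}, Kismet-style: a beacon
    with an empty SSID marks the network hidden; probe traffic names it."""
    nets = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid, ssid = parsed
        entry = nets.setdefault(bssid, {"hidden": False, "ssid": ""})
        if subtype == BEACON and not ssid:
            entry["hidden"] = True
        elif ssid:
            entry["ssid"] = ssid
    return nets

def build_frame(subtype: int, bssid: bytes, ssid: bytes) -> bytes:
    """Minimal management frame for the constructed sample (addr1=broadcast)."""
    header = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\0\0"
    return header + b"\0" * FIXED[subtype] + bytes([0, len(ssid)]) + ssid

AP = bytes.fromhex("001122334455")  # constructed BSSID
SAMPLE = [build_frame(BEACON, AP, b""),             # SSID broadcast disabled
          build_frame(PROBE_RESP, AP, b"CorpNet")]  # reply to a client probe
```

Running `reveal_hidden_ssids(SAMPLE)` reports the AP as hidden and still names it CorpNet, which is the detection a wireless IDS should log rather than a reason to rely on hidden SSIDs.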
22
Kismet
  • Kismet can be used to conduct wardriving, but it
    can also be used to detect rogue APs on a
    company's network.
  • If you need GPS support, the BackTrack supporting
    files include several tools that work with
    Kismet, such as the GPS daemon (GPSD), GISKismet,
    and Kisgearth, that can come in handy for
    accurate AP geopositioning.
  • When Kismet is configured to use GPSD, the output
    displays coordinates pinpointing the location of
    the AP being scanned. This coordinate data can
    then be fed into Google Earth to create maps.

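As an added example (not from the slides), this Python audits a scan log of the kind NetStumbler or Kismet produces (slides 17, 19 and 22: SSID, AP MAC address, channel, signal strength, encryption) against an authorized-AP inventory, flagging rogue or impersonating APs, default SSIDs such as tsunami, and anything weaker than WPA2. The log lines, inventory, default-SSID list and the signal-strength threshold for "on premises" are constructed assumptions for the example.

```python
# Defender-side audit of a wardriving-style scan log. The log, the
# authorized-AP inventory and the thresholds below are constructed samples.
from collections import namedtuple

SCAN_LOG = """\
# bssid,ssid,channel,signal_dbm,encryption
00:11:22:33:44:55,CorpNet,6,-48,WPA2
00:11:22:33:44:66,CorpNet,11,-61,WPA2
aa:bb:cc:dd:ee:01,CorpNet,1,-70,WPA2
aa:bb:cc:dd:ee:02,tsunami,6,-55,None
aa:bb:cc:dd:ee:03,Guest,9,-80,WEP
"""
AUTHORIZED = {"00:11:22:33:44:55": "CorpNet", "00:11:22:33:44:66": "CorpNet"}
DEFAULT_SSIDS = {"tsunami", "linksys", "default"}  # constructed sample list
WEAK = {"None": "open network", "WEP": "WEP is trivially broken",
        "WPA": "WPA (pre-WPA2) is attackable"}
STRONG_DBM = -60  # assumed: stronger than this means the AP is likely on site

Record = namedtuple("Record", "bssid ssid channel signal encryption")

def parse_log(text: str):
    """Parse comma-separated scan lines, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        bssid, ssid, ch, sig, enc = line.split(",")
        records.append(Record(bssid.lower(), ssid, int(ch), int(sig), enc))
    return records

def audit(records, authorized=AUTHORIZED, default_ssids=DEFAULT_SSIDS):
    """Return (bssid, finding) pairs a security tester would report."""
    findings, ours = [], set(authorized.values())
    for r in records:
        if r.bssid not in authorized:
            if r.ssid in ours:  # our SSID from a BSSID we do not own
                findings.append((r.bssid, f"unknown AP impersonating '{r.ssid}'"))
            elif r.signal >= STRONG_DBM:  # signal strength hints at distance
                findings.append((r.bssid, "likely rogue AP (strong signal)"))
            else:
                findings.append((r.bssid, "unknown AP (weak signal, possibly a neighbour)"))
        if r.ssid.lower() in default_ssids:
            findings.append((r.bssid, f"default SSID '{r.ssid}'"))
        if r.encryption in WEAK:
            findings.append((r.bssid, WEAK[r.encryption]))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(parse_log(SCAN_LOG)):
        print(bssid, "-", finding)
```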
23
Understanding Wireless Hacking
  • Hacking a wireless network isn't much different
    from hacking a wired LAN.
  • Many of the port-scanning and enumeration tools
    you've learned about can be applied to wireless
    networks.

24
Tools of the Trade
  • A wireless hacker usually has a laptop computer,
    a WNIC, an antenna, sniffers (Tcpdump or
    Wireshark, for example), tools such as
    NetStumbler or Kismet, and lots of patience.
  • After using NetStumbler or Kismet to determine
    the network name, SSID, MAC address of the AP,
    channel used, signal strength, and which type of
    encryption is enabled, a security tester is ready
    to continue testing.

25
Tools of the Trade
  • Wireless routers that perform DHCP functions can
    pose a big security risk. If a wireless computer
    is issued an IP address, a subnet mask, and DNS
    information automatically, attackers can use all
    the skills they learned in hacking wired networks
    on the wireless network.
  • If DHCP isn't used, attackers simply rely on
    Wireshark or Tcpdump to sniff packets passing
    through the wireless network to gather this IP
    configuration information. (As a security
    professional, you should recommend disabling DHCP
    on wireless networks and assigning IP addresses
    to wireless stations manually.)
  • They can then configure the WNIC with the correct
    IP information. What do attackers or security
    testers do if WEP or WPA is enabled on the AP?
    Several tools address this issue. AirCrack NG and
    WEPCrack, covered in the following sections, are
    what prompted organizations to replace WEP with
    the more secure WPA as their authentication
    method.

26
AirCrack NG
  • As a security professional, your job is to
    protect a network and make it difficult for
    attackers to break in. You might like to believe
    you can completely prevent attackers from
    breaking in, but unfortunately, this goal is
    impossible.
  • AirCrack NG (included on the BackTrack files or
    available free at www.aircrack-ng.org) is the
    tool most hackers use to access WEP-enabled
    WLANs.
  • AirCrack NG replaced AirSnort, a product created
    by wireless security researchers Jeremy Bruestle
    and Blake Hegerle, who set out to prove that WEP
    encryption was faulty and easy to crack.
  • AirSnort was the first widely used WEP-cracking
    program and woke up nonbelievers who thought WEP
    was enough protection for a WLAN.
  • AirCrack NG took up where AirSnort (and the
    slightly older WEPCrack) left off.

27
Countermeasures for Wireless Attacks
  • Many countermeasures, such as using certificates
    on all wireless devices, are time consuming and
    costly.
  • If you approach securing a wireless LAN as you
    would a wired LAN, you'll have a better chance of
    protecting corporate data and network resources.
    Would you allow users to have access to network
    resources simply because they plugged their NICs
    into the company's switch or hub? Of course not.
    Then why would you allow users to have access to
    a wireless LAN simply because they have WNICs and
    know the company's SSID?
  • If a company must use wireless technology, your
    job is to make it as secure as possible. Be sure
    wireless users are authenticated before being
    able to access any network resources. Here are
    some additional guidelines to help secure a
    wireless network:

28
Countermeasures for Wireless Attacks
  • Consider honeypots, which are hosts or networks
    available to the public that entice hackers to
    attack them instead of a company's real network.
  • To make it more difficult for wardrivers to
    discover your WLAN, you can use Black Alchemy
    Fake AP (available free at
    ww.blackalchemy.to/project/fakeap/). As its name
    implies, this program creates fake APs, which
    keeps war-drivers so busy trying to connect to
    nonexistent wireless networks that they don't
    have time to discover your legitimate AP.
  • There are measures for preventing radio waves
    from leaving or entering a building so that
    wireless technology can be used only by people in
    the facility. One is using a certain type of
    paint on the walls, but this method isn't
    foolproof because some radio waves can leak out
    if the paint isn't applied correctly.
  • Use a router to filter unauthorized MAC and IP
    addresses and prevent them from having network
    access. (Be aware that MAC and IP addresses can
    be spoofed, so this is not sufficient on its own.)