Hacking Wireless Networks - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

Hacking Wireless Networks

Description:

Hacking Wireless Networks – PowerPoint PPT presentation

Number of Views:175
Avg rating:3.0/5.0
Slides: 27
Provided by: Ap687
Category:

less

Transcript and Presenter's Notes

Title: Hacking Wireless Networks


1
Hacking Wireless Networks
2
Technology - wireless
  • Describe equipment and technologies operating in
    the radio frequency (RF) spectrum between 3 Hz
    and 300 GHz.
  • Examples of wireless equipment include cell
    phones, AM/FM radios, wireless networking
    devices, and radar systems.
  • Most wireless networking equipment operates in a
    smaller portion of the RF spectrum, between 2.4
    GHz and 66 GHz.

3
Components of a Wireless Network
  • Wireless network interface cards (WNICs), which
    transmit and receive wireless signals, and
  • access points (APs), which are the bridge between
    wired and wireless networks
  • Wireless networking protocols, such as Wi-Fi
    Protected Access (WPA)
  • A portion of the RF spectrum, which replaces wire
    as the connection medium

4
Access Points
  • An access point (AP) is a radio transceiver that
    connects to a network via an Ethernet cable and
    bridges a wireless LAN (WLAN) with a wired
    network.
  • An AP is where RF channels are configured.
  • APs are what hackers look for when they drive
    around with an antenna and a laptop computer
    scanning for access.

5
NetStumbler
6
Service Set Identifiers
  • A service set identifier (SSID) is the name used
    to identify a WLAN, much the same way a workgroup
    is used on a Windows network.
  • An SSID is configured on the AP as a unique, 1-to
    32-character, case-sensitive alphanumeric name.
  • The AP usually beacons (broadcasts) the SSID
    several times a second so that users who have
    WNICs can see a display of all WLANs within range
    of the APs signal.

7
Service Set Identifiers
  • Many vendors have SSIDs set to a default value
    that companies never change.
  • For example, Cisco APs use the default SSID
    tsunami. shows some default SSIDs as of this
    writing, but this list changes often, sometimes
    daily.

8
(No Transcript)
9
dd-wrt
  • dd-wrt Linux embedded OS that replaces the
    embedded OS used on hundreds of routers from
    Linksys, D-Link, Netgear, Belkin, Microsoft, U.S.
    Robotics, Dell, Buffalo, and many others.

10
(No Transcript)
11
(No Transcript)
12
Disable SSID Broadcasting
  • Can use a passive wireless sniffer, such as
    Kismet
  • Unlike NetStumbler, which can pick up only
    broadcasted SSIDs, Kismet can detect SSIDs in
    WLAN client traffic.

13
Understanding Wireless Network Standards
14
Signal Modulation
  • data to be moved over radio waves, it must be
    modulated on the carrier signal or channel.
  • Modulation defines how data is placed on a
    carrier signal.
  • spread spectrum modulation means data is spread
    across a large-frequency bandwidth instead of
    traveling across just one frequency band.
  • In other words, a group of radio frequencies is
    selected, and the data is spread across this
    group.

15
Spread spectrum, the most widely used WLAN
technology, uses the following methods
  • Frequency-hopping spread spectrum (FHSS) Data
    hops to other frequencies to avoid interference
    that might occur over a frequency band. This
    hopping from one frequency to another occurs at
    split-second intervals and makes it difficult for
    an intruder or attacker to jam the communication
    channel.
  • Direct sequence spread spectrum (DSSS) DSSS
    differs from FHSS, in that it spreads data
    packets simultaneously over multiple frequencies
    instead of hopping to other frequencies.
  • Orthogonal frequency division multiplexing
    (OFDM) The bandwidth is divided into a series of
    frequencies called tones, which allows a higher
    throughput (data transfer rate) than FHSS and
    DSSS do.

16
Understanding Wardriving
  • detect access points that havent been secured.
  • most APs have no passwords or security measures,
    so wardriving can be quite rewarding for hackers.
  • As of this writing, wardriving isnt illegal
    using the resources of networks discovered with
    wardriving is, of course, a different story.
  • Wardriving has now been expanded to include
    warflying, which is done by using an airplane
    wired with an antenna and the same software used
    in wardriving.

17
How It Works
  • To conduct wardriving, an attacker or a security
    tester simply drives around with a laptop
    computer containing a WNIC, an antenna, and
    software that scans the area for SSIDs. Not all
    WNICs are compatible with scanning software, so
    you might want to look at the software
    requirements first before purchasing the
    hardware.
  • Antenna prices vary, depending on their quality
    and the range they can cover. Some are as small
    as a cell phones antenna, and some are as large
    as a bazooka, which you might have seen in old
    war films. The larger ones can sometimes return
    results on networks miles away from the attacker.
    The smaller ones might require being in close
    proximity to the AP.
  • Most scanning software detects the companys
    SSID, the type of security enabled, and the
    signal strength, indicating how close the AP is
    to the attacker. Because attacks against WEP are
    simple and attacks against WPA are possible, any
    802.11 connection not using WPA2 should be
    considered inadequately secured. The following
    sections introduce some tools that many wireless
    hackers and security professionals use.

18
NetStumbler
  • For Windows that enables detecting WLANs
  • Verifying the WLAN configuration
  • Detecting other wireless networks that might be
    interfering with a WLAN
  • Detecting unauthorized APs that might have been
    placed on a WLAN
  • Another feature of NetStumbler is its capability
    to interface with a GPS, enabling a security
    tester or hacker to map out locations of all
    WLANs the software detects.

19
NetStumbler
  • When the program identifies an APs signal, it
    logs the SSID, MAC address of the AP,
    manufacturer of the AP, channel on which the
    signal was heard, strength of the signal, and
    whether encryption is enabled (but not a specific
    encryption type).
  • For those with mechanical ability, numerous Web
    sites have instructions on building your own
    antenna with empty bean cans, potato chip cans,
    and the like. You can also purchase a decent
    antenna for about 50.

20
Kismet
  • free and runs on Linux, BSD UNIX, Mac OS X, and
    even Linux PDAs. The software is advertised as
    being more than just a wireless network detector.
  • Kismet is also a sniffer and an intrusion
    detection system and
  • Wireshark- and Tcpdump-compatible data logging
  • Compatible with AirSnort and AirCrack
  • Network IP range detection
  • Detection of hidden network SSIDs
  • Graphical mapping of networks
  • Manufacturer and model identification of APs and
    clients
  • Detection of known default AP configurations

21
Kismet
  • Unlike NetStumbler and iwScanner, which rely on
    an AP to send out a beacon,
  • Kismet is a passive scanner, so it can detect
    even hidden network SSIDs.

22
Kismet
  • Kismet can be used to conduct wardriving, but it
    can also be used to detect rogue APs on a
    companys network.
  • If you need GPS support, the BackTrack supporting
    files include several tools that work with
    Kismet, such as the GPS daemon (GPSD), GISKismet,
    and Kisgearth, that can come in handy for
    accurate AP geopositioning.
  • When Kismet is configured to use GPSD, the output
    displays coordinates pinpointing the location of
    the AP being scanned. This coordinate data can
    then be fed into Google Earth to create maps.

23
Understanding Wireless Hacking
  • Hacking a wireless network isnt much different
    from hacking a wired LAN.
  • Many of the port-scanning and enumeration tools
    youve learned about can be applied to wireless
    networks.

24
Tools of the Trade
  • A wireless hacker usually has a laptop computer,
    a WNIC, an antenna, sniffers (Tcpdump or
    Wireshark, for example), tools such as
    NetStumbler or Kismet, and lots of patience.
  • After using NetStumbler or Kismet to determine
    the network name, SSID, MAC address of the AP,
    channel used, signal strength, and which type of
    encryption is enabled, a security tester is ready
    to continue testing.

25
Tools of the Trade
  • Wireless routers that perform DHCP functions can
    pose a big security risk. If a wireless computer
    is issued an IP address, a subnet mask, and DNS
    information automatically, attackers can use all
    the skills they learned in hacking wired networks
    on the wireless network.
  • If DHCP isnt used, attackers simply rely on
    Wireshark or Tcpdump to sniff packets passing
    through the wireless network to gather this IP
    configuration information. (As a security
    professional, you should recommend disabling DHCP
    on wireless networks and assigning IP addresses
    to wireless stations manually.)
  • They can then configure the WNIC with the correct
    IP information. What do attackers or security
    testers do if WEP or WPA is enabled on the AP?
    Several tools address this issue. AirCrack NG and
    WEPCrack, covered in the following sections, are
    what prompted organizations to replace WEP with
    the more secure WPA as their authentication
    method.

26
AirCrack NG
  • As a security professional, your job is to
    protect a network and make it difficult for
    attackers to break in. You might like to believe
    you can completely prevent attackers from
    breaking in, but unfortunately, this goal is
    impossible.
  • AirCrack NG (included on the BackTrack files or
    available free at www.aircrack-ng.org) is the
    tool most hackers use to access WEP-enabled
    WLANs.
  • AirCrack NG replaced AirSnort, a product created
    by wireless security researchers Jeremy Bruestle
    and Blake Hegerle, who set out to prove that WEP
    encryption was faulty and easy to crack.
  • AirSnort was the first widely used WEP-cracking
    program and woke up nonbelievers who thought WEP
    was enough protection for a WLAN.
  • AirCrack NG took up where AirSnort (and the
    slightly older WEPCrack) left off.

27
Countermeasures for Wireless Attacks
  • Many countermeasure, such as using certificates
    on all wireless devices, are time consuming and
    costly.
  • If you approach securing a wireless LAN as you
    would a wired LAN, youll have a better chance of
    protecting corporate data and network resources.
    Would you allow users to have access to network
    resources simply because they plugged their NICs
    into the companys switch or hub? Of course not.
    Then why would you allow users to have access to
    a wireless LAN simply because they have WNICs and
    know the companys SSID?
  • If a company must use wireless technology, your
    job is to make it as secure as possible. Be sure
    wireless users are authenticated before being
    able to access any network resources. Here are
    some additional guidelines to help secure a
    wireless network

28
Countermeasures for Wireless Attacks
  • honeypots, which are hosts or networks available
    to the public that entice hackers to attack them
    instead of a companys real network.
  • To make it more difficult for wardrivers to
    discover your WLAN, you can use Black Alchemy
    Fake AP (available free at ww.blackalchemy.to/proj
    ect/fakeap/). As its name implies, this program
    creates fake APs, which keeps war-drivers so busy
    trying to connect to nonexistent wireless
    networks that they dont have time to discover
    your legitimate AP.
  • There are measures for preventing radio waves
    from leaving or entering a building so that
    wireless technology can be used only by people in
    the facility. One is using a certain type of
    paint on the walls, but this method isnt
    foolproof because some radio waves can leak out
    if the paint isnt applied correctly.
  • Use a router to filter unauthorized MAC and IP
    addresses and prevent them from having network
    access. (can spoof)
Write a Comment
User Comments (0)
About PowerShow.com