
Wireless networks are becoming increasingly popular because of their design, convenience and cost, but at the same time they introduce many security issues and holes.
A wireless LAN offers a fast way to provide data connectivity to an existing building where wiring may not be practical due to construction design, location or expense. Typical problems associated with the physical aspects of wired LAN connections do not arise as frequently with a wireless network. Laptops can be carried into meetings or even cafes. This convenience has become affordable, but it is also inviting to attackers. So how does a wireless connection work?
A wireless LAN is one in which a mobile user connects to a local area network (LAN) over a radio link. The governing standard is IEEE 802.11, and it includes an encryption method, the Wired Equivalent Privacy (WEP) algorithm. WLANs raise security issues because of inherent features such as radio waves being far easier to intercept than physical wires. WEP, the user authentication and data encryption system defined in the standard, falls well short of providing good security on its own. Despite the fact that WEP was intended to provide privacy roughly equivalent to a wire rather than strong security, most WLANs rely on it for security.

Each access point in a Wi-Fi network shares a fixed amount of bandwidth among all the users currently connected to it on a first-come, first-served basis. Since one of the major benefits of wireless networking is user mobility, an important issue is whether users can move seamlessly between access points without having to log in again and restart their applications. Most large corporate data networks are divided into a number of smaller pieces called subnets for traffic management and security concerns. In many instances wireless LAN vendors provide seamless roaming within a single subnet, but not when a user moves from one subnet to another. Roaming is possible if the access points have a way of exchanging information as a user's connection is handed off from one to another. However, such solutions are expensive, and integrating the various components requires a considerable amount of patient networking expertise.

The objective is to deploy and maintain secure, high-performance wireless LANs with a minimum of time, effort and expense. Wireless networks and access points (APs) are among the simplest and least expensive targets to footprint, and also among the hardest to detect and change. Securing wireless networks is a challenge, but it can be accomplished.
Wireless signals do not stop at the outer walls of the facility, so the wireless network is reachable by many more people than have access to your wired network. Although this page looks at some specific tools and techniques used to secure wireless, the general principles are the same as those used in wired networks. Deploying many layers of security makes it much harder for an attacker to overcome the combined mechanisms. Defense in depth is the concept of building many layers of protection, such as:
Encrypting data so that it is hidden from unauthorized individuals
Limiting access based on least privilege
Providing physical protection and security to the hardware
Using strong authentication to verify the identity of the users who access the network
Employing layers of security controls to limit the damage should one layer of security be overcome
[Securing Wireless Networks]
Treat Access Points As Untrusted – Access points need to be identified and evaluated on a regular basis to determine if they need to be quarantined as untrusted devices before wireless clients can gain access to internal networks. This determination means appropriate placement of firewalls, virtual private networks (VPN), intrusion detection systems (IDS), and authentication between access point and intranets or the Internet.
Access Point Configuration Policy – Administrators need to define standard security settings for any 802.11b access point before it can be deployed. These guidelines should cover the SSID, WEP keys and encryption, and SNMP community strings.
Access Point Discovery – Administrators should regularly scan outward from the wired network to identify unknown access points. Several methods of identifying 802.11b devices exist, including detection via banner strings on access points with either Web or telnet interfaces. Wireless network searches can identify unauthorized access points by setting up a 2.4 GHz monitoring agent that listens for 802.11b packets in the air.
These packets may contain IP addresses that identify which network they are on, indicating that rogue access points are operating in the area. One important note: this process may also pick up access points belonging to other organizations in densely populated areas, so each finding needs to be verified before it is treated as a rogue.
Access Point Security Assessments – Regular security audits and penetration assessments quickly identify poorly configured access points, default or easily guessed passwords and community strings, and the presence or absence of encryption. Router ACLs and firewall rules also help minimize access to the SNMP agents and other interfaces on the access point.
Wireless Client Protection – Wireless clients need to be regularly examined for good security practices. These procedures should include some or all of the following:
Distributed personal firewalls to lock down access to the client
VPNs to supplement encryption and authentication beyond what 802.11b can provide. Note that VPN overhead can noticeably reduce throughput on a wireless network.
Intrusion detection and response to identify and minimize attacks from intruders, viruses, Trojans and backdoors
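An added example (not the page's own code) of the discovery and assessment steps above: scan results, here a constructed CSV rather than the output of any particular tool, are checked against an authorized BSSID inventory. An unknown BSSID that advertises one of our SSIDs is treated as a likely rogue or evil twin; an unknown BSSID with a foreign SSID may simply be a neighbour, as the note above warns; a known AP that has drifted from its configured channel or SSID, or that runs without encryption, violates the configuration policy. The inventory, MAC addresses and SSIDs are all invented for the demonstration.

```python
import csv
import io

# Constructed scan output (not captured from a real network, not the format
# of any specific scanner): bssid, ssid, channel, privacy flag.
SCAN_CSV = """bssid,ssid,channel,privacy
00:11:22:33:44:55,CorpNet,6,WEP
00:11:22:33:44:56,CorpNet,11,WEP
0a:1b:2c:3d:4e:5f,CorpNet,1,OPN
de:ad:be:ef:00:01,linksys,6,OPN
00:11:22:33:44:57,CorpNet,6,WEP
"""

# Authorized inventory from the AP configuration policy: BSSID -> (ssid, channel).
# Constructed for the example.
AUTHORIZED = {
    "00:11:22:33:44:55": ("CorpNet", 6),
    "00:11:22:33:44:56": ("CorpNet", 11),
    "00:11:22:33:44:57": ("CorpNet", 1),
}


def classify_scan(scan_csv, authorized):
    """Compare every observed AP with the inventory.

    Returns a list of (bssid, finding) tuples. Findings:
      ROGUE_SSID_CLONE  unknown hardware advertising one of our SSIDs
      UNKNOWN_AP        unknown hardware, foreign SSID (verify: may be a neighbour)
      CONFIG_DRIFT      known AP on a channel or SSID other than the policy says
      NO_ENCRYPTION     known AP running open, against the policy
    """
    our_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].lower()
        ssid, channel, privacy = row["ssid"], int(row["channel"]), row["privacy"]
        if bssid not in authorized:
            kind = "ROGUE_SSID_CLONE" if ssid in our_ssids else "UNKNOWN_AP"
            findings.append((bssid, kind))
            continue
        exp_ssid, exp_chan = authorized[bssid]
        if ssid != exp_ssid or channel != exp_chan:
            findings.append((bssid, "CONFIG_DRIFT"))
        if privacy == "OPN":
            findings.append((bssid, "NO_ENCRYPTION"))
    return findings


if __name__ == "__main__":
    for bssid, finding in classify_scan(SCAN_CSV, AUTHORIZED):
        print(f"{bssid}  {finding}")
```

The BSSID, not the SSID, is the identity to key on: an evil twin copies the SSID by design, and the SSID of a legitimate AP is trivially changed by whoever holds the admin password.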
[What is 802.11]
Wireless LAN standards are defined by the IEEE's 802.11 working group. WLANs come in three flavors:
802.11b: Operates in the 2.400 GHz to 2.4835 GHz band and can operate at up to 11 megabits per second.
802.11a: Operates in the 5.15-5.35 GHz and 5.725-5.825 GHz bands and can operate at up to 54 megabits per second.
802.11g: Operates in the same 2.4 GHz band as 802.11b but can operate at up to 54 megabits per second.
WEP is defined in the base 802.11 standard, not in the individual amendments, so WEP vulnerabilities affect all flavors of 802.11 networks.
802.11 is an IEEE standard on which wireless LANs are based, allowing products from different vendors to interoperate. Let us take a look at how this standard works. 802.11 wireless networks should not be confused with Bluetooth, which was developed by an industry consortium (the Bluetooth SIG) rather than by the IEEE.
According to this standard, data is encoded using DSSS (direct sequence spread spectrum) technology. DSSS works by taking a data stream of zeros and ones and modulating it with a second pattern, termed the chipping sequence. Chipping spreads the modulated data across the spectrum in a way that lets the receiver tolerate some signal loss.
When this standard was introduced, the chipping sequence chosen was the Barker code, an 11-chip sequence (10110111000). The spread signal is modulated onto the carrier with Binary or Quadrature Phase Shift Keying (BPSK/QPSK). BPSK yields 1 Mbps; QPSK yields 2 Mbps.
Each data bit is exclusive-ORed with the 11-chip Barker code, producing 11 chips per bit. The receiver correlates each group of 11 chips against the code to recover one bit of data, which is why a few corrupted chips do not corrupt the bit.
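As an added example (not from the original page), here is a simplified model of Barker spreading and despreading: each data bit is XORed with the 11-chip code, a few chips are flipped to simulate interference, and the receiver recovers each bit by majority correlation. Real 802.11b DSSS modulates ±1 chips onto the carrier with BPSK/QPSK; the XOR-on-bits model here keeps only the spreading and correlation logic, which is the part that gives the loss tolerance described above.

```python
# Added example, not code from the original page: Barker-11 spreading
# and majority-correlation despreading.
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]  # the 11-bit sequence 10110111000


def spread(bits):
    """XOR each data bit with the whole Barker sequence -> 11 chips per bit."""
    chips = []
    for b in bits:
        chips.extend(c ^ b for c in BARKER_11)
    return chips


def despread(chips):
    """Correlate each 11-chip group with the Barker code.

    A chip equal to the code votes for bit 0, a chip equal to its complement
    votes for bit 1; the majority wins, so up to 5 corrupted chips in a group
    are tolerated. Trailing chips that do not fill a group are ignored.
    """
    bits = []
    for i in range(0, len(chips) - len(chips) % 11, 11):
        group = chips[i:i + 11]
        matches = sum(1 for c, k in zip(group, BARKER_11) if c == k)
        bits.append(0 if matches > 5 else 1)
    return bits


def corrupt(chips, positions):
    """Flip the chips at the given indexes, simulating interference."""
    out = list(chips)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]                       # constructed sample bits
    tx = spread(data)                                     # 88 chips on the air
    rx = corrupt(tx, [0, 3, 7, 15, 30, 31, 32, 33, 34])  # 9 chip errors, max 3 per bit
    print(despread(rx) == data)                           # every bit still recovered
```

Six or more corrupted chips in one group flip the majority and the bit is lost; that is the point at which a jammer in the same band (see the denial of service section) stops degrading throughput and starts breaking frames outright.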
[WEP]
WEP is a component of the IEEE 802.11 WLAN standard. Its primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs. WEP is vulnerable because of its relatively short IVs and keys that remain static. Even when WEP is enabled, MAC addresses appear in the clear in every frame header and can be sniffed by an attacker; spoofing a MAC address is also easy.
Wired LANs typically employ physical controls to prevent unauthorized users from connecting to the network and viewing data. In a wireless LAN, the network can be accessed without physically connecting to the LAN.
The IEEE chose to employ encryption at the data link layer to prevent unauthorized eavesdropping on a network. This is accomplished by encrypting data with the RC4 encryption algorithm.
Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE 802.11 standard, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is 802.11's optional encryption standard, implemented in the MAC layer, that most radio network interface card (NIC) and access point vendors support.
WEP is used to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. Though this function has not been explicitly mentioned in the 802.11 standard, it is generally considered to be a feature of WEP.
WEP relies on a secret key that is shared between a mobile station (a laptop with a wireless Ethernet card) and an access point at base station. The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit.
If a user activates WEP, the NIC encrypts the payload (frame body and CRC) of each 802.11 frame before transmission using an RC4 stream cipher provided by RSA Security. The receiving station, such as an access point or another radio NIC, performs decryption upon arrival of the frame. As a result, 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies.
WEP uses the RC4 encryption algorithm, a stream cipher. A stream cipher expands a short key into an effectively unlimited pseudo-random key stream. Before transmission takes place, WEP combines the key stream with the payload/ICV through a bitwise XOR process, which produces ciphertext (encrypted data). XORing the same key stream with the ciphertext yields the original plaintext. WEP includes the IV in the clear (unencrypted) within the first few bytes of the frame body. The receiving station uses this IV along with the shared secret key configured on the receiving station to decrypt the payload portion of the frame body.
In most cases the sending station uses a different IV for each frame. Without the IV, two frames that begin with the same plaintext would produce identical ciphertext prefixes under the same key, a pattern an attacker can exploit. WEP guards against this by varying the IV from frame to frame while the secret key stays the same.
However, the 802.11 standard does not say how the shared key is established in practice. Typically, most installations use a single key shared between all mobile stations and access points, so every station can read every other station's traffic and the key is rarely changed. A separate concern follows from using a stream cipher with a linear integrity check: an attacker can flip a bit in the ciphertext so that, upon decryption, the corresponding bit in the plaintext is also flipped, and because the CRC-32 ICV is linear he can adjust the encrypted ICV so that the modification goes undetected.
Moreover, if he can intercept two ciphertexts encrypted with the same key stream, XORing them gives him the XOR of the two plaintexts. Knowledge of this XOR enables statistical attacks to recover the plaintexts, and the probability of success grows with the number of ciphertexts that share a key stream. Once the attacker knows one plaintext, recovering the others becomes trivial. Let us look at why this is possible.
As part of the encryption process, WEP prepares a key schedule ("seed") by concatenating a randomly generated 24-bit initialization vector (IV) with the shared secret key configured on the sending station. The IV lengthens the life of the secret key because the station can change the IV for each frame transmission. WEP inputs the resulting "seed" into a pseudo-random number generator (PRNG) that produces a key stream equal to the length of the frame's payload plus a 32-bit integrity check value (ICV).
The ICV is a checksum (CRC-32) that the receiving station recalculates and compares to the one sent by the sending station to determine whether the transmitted data was tampered with in transit. If the receiving station calculates an ICV that doesn't match the one found in the frame, then the receiving station can reject the frame or flag the user.
WEP specifies a 40-bit shared secret key, which together with the 24-bit IV is marketed as 64-bit WEP. Most vendors also support 104-bit keys (128-bit with the IV), sometimes called "WEP2". The receiving station must use the same key for decryption, so each radio NIC and access point must be manually configured with the same key.
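The encapsulation described above, as an added example (not code from the original page): a minimal WEP implementation with RC4 keyed by IV || key and a CRC-32 ICV, followed by the two attacks just mentioned, the ICV-preserving bit flip and key-stream reuse under a repeated IV. The key, IV and payloads are constructed for the demonstration; nothing here is tied to a particular product. One detail the prose glosses over: the ICV as computed by zlib.crc32 is affine rather than strictly linear, crc(a ^ b) = crc(a) ^ crc(b) ^ crc(zeros), so the forged ICV correction includes the crc of an all-zero block of the same length.

```python
import struct
import zlib


def rc4(key):
    """RC4 key-stream generator (KSA + PRGA); yields one byte at a time."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def keystream(iv, key, length):
    """WEP seeds RC4 with IV || secret key; the 3-byte IV travels in the clear."""
    gen = rc4(iv + key)
    return bytes(next(gen) for _ in range(length))


def icv(payload):
    """32-bit integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(iv, key, payload):
    """Return IV || RC4(payload || ICV)."""
    plain = payload + icv(payload)
    ks = keystream(iv, key, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, ks))


def wep_decrypt(key, frame):
    """Strip the IV, decrypt, verify the ICV. Returns payload, or None on failure."""
    iv, body = frame[:3], frame[3:]
    ks = keystream(iv, key, len(body))
    plain = bytes(c ^ k for c, k in zip(body, ks))
    payload, received_icv = plain[:-4], plain[-4:]
    return payload if icv(payload) == received_icv else None


def flip_bits(frame, delta):
    """Bit-flipping attack without the key: XOR `delta` into the ciphertext
    and XOR the matching CRC correction into the encrypted ICV. Because
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0 * len), the receiver's check passes."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(n)))
    full = delta + icv_delta
    return iv + bytes(c ^ d for c, d in zip(body, full))


def xor_plaintexts(frame_a, frame_b):
    """Key-stream reuse: two frames under the same IV and key give
    C1 ^ C2 == P1 ^ P2, again with no key involved."""
    assert frame_a[:3] == frame_b[:3], "same IV required for the key stream to repeat"
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"   # constructed 40-bit key and IV
    frame = wep_encrypt(iv, key, b"GET /index.html")
    # "GET" -> "PUT" by XORing the difference of the first two bytes, ICV still valid
    forged = flip_bits(frame, bytes([0x47 ^ 0x50, 0x45 ^ 0x55]))
    print(wep_decrypt(key, forged))
```

The forged frame decrypts cleanly at the receiver, which is the practical meaning of "the ICV does not protect integrity": a CRC detects noise, not an adversary. A keyed MAC in place of the CRC would stop the flip; that is what later protocols did.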
We will consider the 64-bit key generator here. In the generator shown in the figure below, the ASCII text "PassPhrase" is folded into a 32-bit value with XOR. The XOR operation guarantees four zero bits: since the input is ASCII, the high bit of each character is always zero, so the XOR of those high bits is also zero. Therefore only seeds from 00:00:00:00 through 7f:7f:7f:7f can occur.
The resulting value is used as the seed of a 32-bit linear congruential PRNG. Forty values are generated, and one byte is taken from each 32-bit result, namely bits 16 through 23. The generator is a linear congruential generator modulo 2^32, in which bit 0 has a cycle length of 2^1, bit 3 a cycle length of 2^4, and so on, so the low bits are "less random" than the high bits; the highest bit used, bit 23, has a cycle length of 2^24, so the extracted bytes repeat with period 2^24 and only the seeds 00:00:00:00 through 00:ff:ff:ff produce distinct keys. Combined with the three high bits that are always zero in that range, the 64-bit key generator has an entropy of 21 bits: it can generate only 2^21 unique keys.
[WEP Brute-Forcing]
Pure WEP keyspace brute-forcing with tools such as wep_tools or the brute-forcing options of dwepcrack is realistic only against 40-bit WEP keys. Even with this limited key size, it might take about 50 days on a single average Pentium III host. Nevertheless, an efficient distributed attack against 40-bit WEP is possible, and one should never underestimate dictionary attacks, which also apply to 104/128-bit and larger WEP keys. In particular, the newer Wepattack tool can run dictionary attacks against a single captured data packet encrypted with WEP.
The algorithm accepted as the de facto standard for 40-bit WEP key generation by many wireless equipment vendors is extremely flawed. It starts by folding a password string into a 32-bit number, which reduces the keyspace from 2^40 to 2^32. This number is used to seed a pseudorandom number generator (PRNG) from which all four 40-bit WEP keys used on the network are derived. Although the PRNG itself has a cycle length of 2^32, because of the way values are drawn from it (only bits 16 through 23 of each output), the actual cycle length of the drawn values is 2^24. To be more specific, a seed x produces the same keys as the seed x + 2^24. To make the situation worse, the method chosen to fold a password string into a 32-bit seed ensures that the high bit of each of the four bytes is always zero. Combined, these weaknesses mean the algorithm can only generate 2^21 unique sets of WEP keys, corresponding to the seeds between 0 and 0x1000000 that do not have bits 0x80, 0x8000, or 0x800000 set. Thus, it takes 2^21 operations or fewer to crack any set of WEP keys generated from a password processed with this algorithm. In one observation, this corresponds roughly to 90 seconds of cracking time on a 233-MHz Pentium II or 35 seconds on a 500-MHz Pentium III, quite a difference from 50 days of brute-forcing without this flaw.
However, not all vendors used the vulnerable key generation algorithm, 40-bit keys aren't used much anymore, and there are tools that ensure proper 40-bit key generation. An example of such a tool is dwepkeygen, included as part of BSD-airtools. In addition, to crack WEP using wep_tools, a large (about 24 GB) pcap-format dump file is required. It is not recommended to attempt this attack, or brute-forcing in general, against the 128/104-bit WEP keys used by modern wireless networks.
However, if you have truly massive traffic dump files, a dictionary attack using wep_tools or dwepcrack could bring success. Even better, you can try your luck with a dictionary attack against a single captured data packet or limited-size traffic dumps using Wepattack.
[Security issues]
WEP is vulnerable because of relatively short IVs and keys that remain static. It is not the RC4 algorithm itself that is at fault, but the way WEP uses it: a 24-bit IV concatenated with a static key, so that the same IV, and therefore the same key stream, is eventually reused for different packets, and certain IVs leak key bytes. Where a flawed passphrase generator is used, the effective key entropy drops to 21 bits on top of this. WEP does not encrypt the entire transmission: the frame header and trailer are sent in clear text, so even when encryption is used, MAC addresses can be sniffed. With enough captured frames, an attacker can recover the key and then decrypt every frame on the network. The static nature of the shared secret keys only adds to this problem. 802.11 provides no function for exchanging keys among stations, so system administrators and users generally keep the same keys for weeks, months, and even years.

Unfortunately, WEP is fundamentally flawed, and it can be cracked. Even so, where nothing stronger such as WPA is available, enabling WEP on all of your wireless networks is still recommended: it thwarts the casual drive-by attacker, and it adds a layer of legal protection, since cracking transmitted, encrypted signals is prohibited. With that in mind, let's look at the practical process of cracking WEP.

The most important tool you need to crack a WEP-encrypted signal is time. The longer you capture data, the more likely you are to receive a frame that leaks a key byte. There is only about a 5% chance, in some cases a 13% chance, of a weak IV revealing the correct key byte. On average, you will need to capture about 5,000,000 frames to crack a WEP-encrypted signal. To capture the encrypted data, you need a wireless sniffer such as AirSnort.
[Issues Plaguing WEP Key Management]
Keys are manually distributed
Keys are statically configured (therefore infrequently changed and easy to remember)
It uses up to four keys, each 40-bit or 104-bit
Key values can be directly set as hex data.
Key generators are provided for convenience: an ASCII string is converted into keying material. Different generators exist for 64- and 128-bit encryption.
[LAN Threats]
Wireless networking opens up a network to threats that you may not ever even consider on a wired network. This section discusses some of the attacks that can be launched against a WLAN. These include eavesdropping, open authentication, spoofing, and denial of service. During a pen test, the wireless network is something that an ethical hacker wants to look at closely. Unlike the wired network, a hacker can launch his attack from the parking lot or even across the street. The entire act of searching for wireless networks has created some unique activities, such as
Warchalking The act of marking buildings or sidewalks with chalk to show others where it is possible to access an exposed company wireless network.
Wardriving The act of finding and recording the locations and status of wireless networks, usually from an automobile. The wardriver typically uses a Global Positioning System (GPS) device to record the location and a discovery tool such as NetStumbler.
Warflying Similar to wardriving, except that a plane is used instead of a car. One of the first publicized acts occurred in the San Francisco area.
[Eavesdropping]
Eavesdropping is one of these basic problems. If the attacker is within range, he can simply intercept radio signals and decode the data being transmitted. Nothing more than a wireless sniffer and the ability to place the wireless NIC into promiscuous mode is required. Remember that promiscuous mode means that the adapter has the capability to capture all packets, not just those addressed to the client. If the hacker uses an antenna, he can be even farther away, which makes these attacks hard to detect and prevent. Besides giving the hacker the ability to gather information about the network and its structure, protocols such as File Transfer Protocol (FTP), Telnet, and Simple Mail Transport Protocol (SMTP) that transmit username and passwords in clear text are highly vulnerable. Anything that is not encrypted is vulnerable to attack. Even if encryption is being used, a hacker eavesdropping on a network is still presented with the cipher text, which can be stored, analyzed, and potentially cracked at a later time. Would you really feel safe knowing that hackers have the NT LanMan (NTLM) password hashes? Programs such as L0phtcrack and John the Ripper can easily crack weak passwords if given the hash. If the hacker is limited in what he can sniff, he can always attempt active sniffing. ARP poisoning allows an attacker to overcome a switch’s segmentation and eavesdrop on all local communication. WEP cracking is another type of eavesdropping attack. Soon after WEP was released, problems were discovered that led to ways in which it can be cracked. Although the deficiencies of WEP were corrected with the WPA protocol, those WAPs still running WEP are vulnerable.
[Denial of Service]
If all else fails, the hacker can always attempt a DoS. For example, these attacks can target a single device, can target the entire wireless network, or can attempt to render wireless equipment useless. Some common types of wireless DoS attacks are discussed here:
Authentication flood attack This type of DoS attack generates a flood of EAPOL messages requesting 802.1X authentication. As a result, the authentication server cannot keep up with the flood of authentication requests and consequently fails to return successful connections to valid clients.
Deauthentication flood attack This type of DoS targets an individual client and works by spoofing a deauthentication frame from the WAP to the victim; 802.11 management frames carry no authentication, so the forged source address is accepted. It is sometimes called the Fatajack attack. The victim's wireless device will attempt to reconnect, so the attacker needs to send a continuous stream of deauthentication frames to keep the client out of service.
Network jamming attack This type of DoS targets the entire wireless network. The attacker simply builds or purchases a transmitter to flood the airwaves in the vicinity of the wireless network. A 1,000 watt jammer 300 feet away from a building can jam 50 to 100 feet into the office area. Where would a hacker get such a device? They are found inside of microwave ovens and known as a magnetron. Normally, a microwave oven doesn’t emit radio signals beyond its shielded cabinet. They must be modified to become useful, but little skill is required. This type of attack is as dangerous to people who are near the transmitter as it is to the network itself.
Equipment destruction attack This type of DoS targets the access point. The hacker uses a high output transmitter with a directional high gain antenna to pulse the access point. High energy RF power will damage electronics in the WAP, resulting in it being permanently out of service. Such high energy RF guns have been demonstrated to work and cost little to build. Although denial of service attacks don’t give the hacker access to the wireless network, they do attack availability and can bring communication to a standstill.
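An added example (not from the page) of detecting the deauthentication flood described above from the defender's side: a sliding window counts deauthentication frames per (source, destination) pair and raises an alert once the rate is far beyond what a real AP would send. The input is a constructed list of management-frame records (time, subtype, source, destination), not captured traffic; subtype 12 is the 802.11 deauthentication subtype, and the window and threshold values are assumptions to be tuned per site.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12   # 802.11 management frame subtype 0xC = deauthentication

# Constructed sample of management frames as (seconds, subtype, source, destination).
# Not captured traffic. The first lines are normal; from t=10.0 a forged AP
# address sends a burst of 40 deauths to one client over two seconds.
SAMPLE_FRAMES = [
    (0.0, 8, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),   # beacon
    (1.2, 0, "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55"),   # association request
    (1.3, 1, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),   # association response
    (5.0, 12, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:02"),  # lone deauth, plausibly legitimate
] + [
    (10.0 + 0.05 * i, 12, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01") for i in range(40)
]


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Slide a time window over deauthentication frames per (source, destination)
    and report pairs that reach `threshold` frames within `window` seconds.
    Returns {(src, dst): time_of_first_alert}. Frames may arrive out of order."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype != DEAUTH_SUBTYPE:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:      # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = ts
    return alerts


if __name__ == "__main__":
    for (src, dst), when in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"t={when:.2f}s deauth flood from {src} to {dst}")
```

The single deauthentication at t=5.0 is left alone: an AP does legitimately deauthenticate stations now and then, and the signature of the attack is the rate, not the frame type. Because the attacker forges the AP's address, the alert names the spoofed source; locating the real transmitter needs signal-strength data that this record format does not carry.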
[The Radio Spectrum as Defined by the FCC]
Band name                        Range               Usage
Very Low Frequency (VLF)         10 kHz to 30 kHz    Cable locating equipment
Low Frequency (LF)               30 kHz to 300 kHz   Maritime mobile service
Medium Frequency (MF)            300 kHz to 3 MHz    Avalanche transceivers, aircraft navigation, ham radio
High Frequency (HF)              3 MHz to 30 MHz     Radio astronomy, radio telephone, Civil Air Patrol, CB radios
Very High Frequency (VHF)        30 MHz to 300 MHz   Cordless phones, TV, RC cars, aircraft/police/business radios
Ultra High Frequency (UHF)       300 MHz to 3 GHz    Police/fire, business, cell phones, GPS, 2.4 GHz wireless networks
Super High Frequency (SHF)       3 GHz to 30 GHz     Terminal Doppler weather radar, satellite communications, 5 GHz wireless networks
Extremely High Frequency (EHF)   30 GHz and above    Government radio, radio astronomy, military radar systems, ham radio
Radio waves are very easy to create; in fact, you can demonstrate this right now. The following list illustrates how to create and hear your own radio waves.
Items needed: 9-volt battery, quarter, AM radio
Tune the AM radio to a spot between radio stations, so that you hear static.
Place the battery near the antenna of the AM radio.
Quickly tap the quarter onto the two terminals of the battery, making sure the quarter comes in contact with both terminals simultaneously.
Each time the quarter comes in contact with the battery terminals, it will generate a small radio wave, causing a crackle in the radio.
The sudden change of current in the circuit you create radiates a broadband burst of electromagnetic energy, which the receiver hears as a crackle.
When an 802.11b device is sending data, it is not just transmitting on a single frequency. A technology called Direct Sequence Spread Spectrum (DSSS) spreads the transmission over a range of frequencies, maximizing the effectiveness of the radio transmission while minimizing the potential for interference. In 802.11b, a channel is a 22 MHz wide slice of the 2.4 GHz band centred on one of a set of frequencies spaced 5 MHz apart, so neighbouring channels overlap and only channels 1, 6 and 11 are fully separated. It is much like having a party at your house with people in eleven different rooms. In each room the guests are having a different conversation, and the sound travels from room to room. While you are in room one, you can hear the conversations of rooms one through five. Guests in room six can hear rooms two through ten, but nothing from room one because it is too far away.
Jamming or causing interference to an 802.11b network can be fairly simple. There are several commercially available devices that will bring a wireless network to its knees. For example, a Bluetooth-enabled device is one such item that can cause headaches for 802.11b networks. We have found that when a Bluetooth device is located within approximately ten meters of 802.11b devices, the Bluetooth device will cause a jamming type of denial-of-service attack. The same is true of several 2.4 GHz cordless phones that are currently available. This is because the 2.4 GHz band is becoming widely used and is considered shared, allowing all kinds of devices to use it.
The signals generated by these devices can look like an 802.11 transmission to the stations on the wireless network, causing them to hold their transmissions until the signal has gone, or until you hang up the cordless phone. The other possibility is that the devices simply raise the RF noise floor, which can cause the 802.11b devices to fall back to a slower data rate. Frames that are not acknowledged are retransmitted, so noise also costs airtime: if half of all frames have to be sent twice, the radio is still signalling at 11 Mbps but the effective throughput drops to roughly 5.5 Mbps. In addition, with a high level of RF noise you can expect more corrupt frames, each of which requires a full retransmission.
[Wireless Hacking Tools]
There is no shortage of wireless tools for the attacker or the ethical hacker performing a security assessment or a pen test. Over time, tools come and go as technologies change and vulnerabilities are fixed. Therefore, it is important to understand what the tools do and where they fit in the methodology of a security assessment. Just listing all the available tools could easily fill this page.
NetStumbler This Windows-only tool is designed to locate and detect wireless LANs using the 802.11b, 802.11a (XP only), and 802.11g WLAN standards. It is used for wardriving, verifying network configurations, detection of rogue access points, and aiming directional antennas for long-haul WLAN links.
Mognet An open source Java-based wireless sniffer that was designed for handhelds but will run on other platforms as well. It performs real-time frame captures and can save and load frames in common formats, such as Ethereal, Libpcap, and TCPdump.
WaveStumbler Another sniffing tool that was designed for Linux. It reports basic information about access points such as channel, SSID, and MAC.
AiroPeek A Windows-based commercial wireless LAN analyzer designed to help security professionals deploy, secure, and troubleshoot wireless LANs. AiroPeek has the functionality to perform site surveys, security assessments, client troubleshooting, WLAN monitoring, remote WLAN analysis, and application layer protocol analysis.
AirSnort A Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions and then computing the encryption key when the program captures enough packets.
Kismet A useful Linux-based 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting masked networks, and inferring the presence of nonbeaconing networks via data traffic.
Void11 A wireless network penetration utility. It implements deauthentication DoS attacks against the 802.11 protocol. It can be used to speed up the WEP cracking process.
THC-wardrive A Linux tool for mapping wireless access points works with a GPS.
AirTraf A packet capture decode tool for 802.11b wireless networks. This Linux tool gathers and organizes packets and performs bandwidth calculation, as well as signal strength information on a per wireless node basis.
Airsnarf Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots: snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.
Aircrack A set of tools for auditing wireless networks that includes airodump (a 802.11 packet capture program), aireplay (a 802.11 packet injection program), aircrack (a static WEP and WPA-PSK key cracker), and airdecap (a decryptor for WEP/WPA capture files). This is one of a new set of tools that can quickly crack WEP keys; it’s much faster than older tools.
[Overview]
The techniques for wireless attacks are not new. Indeed, they are based on the ancient attacks that have been used on wired networks from time immemorial, with only minor updates. In fact, the goal of attacking a wireless network is usually not to compromise the wireless network itself, but rather to gain a foothold into the wired network within. Because traditional wired networks have been hardened from repeated attacks for more than thirty years, many are beginning to evolve formidable defenses. For example, a properly configured firewall can provide much security. However, consider what happens when you have an unsecured wireless access point sitting within the firewall: you have just effectively opened a back door right through your firewall. Thus, the proliferation of wireless networks has set the state of information security back more than a decade…almost to the 1980s, when computer systems were wide open to attack via modems and war dialing. In time, most wireless networks will fall victim to at least one type of wireless attack.

These attacks are not limited to just the corporate world, either. One of the largest consumers of wireless networks is the residential customer. These consumers are typically looking for a way to use their broadband connection in any room of the house. Worse, the vast majority of consumers are not aware of security issues. You can now buy access points from the local electronics store for less than $200, but many of these do not have the same security features as the Corporate or Professional models that run $800 and up. With more users installing these low-end access points, both on personal networks and within small businesses, the number of easy targets is growing exponentially.

There are many different models of 802.11b Wireless Network Interface Cards. One thing common to them all is the capability to put them into Infrastructure and Peer-to-Peer Mode. The IEEE defines Infrastructure Mode as Basic Service Set (BSS). It is used to connect a client to an access point on an established network. Peer-to-Peer Mode, also known as ad-hoc mode, is known as Independent Basic Service Set (IBSS). This mode is used to connect two or more wireless devices to form a small, close-range network, much like peer-to-peer networking on wired networks. One of the major disadvantages of this type of wireless network is that there is no central security control; in fact, there is very little security at all. The most difficult part of launching an attack on this type of network is finding one to attack. Because they are informally deployed, they can pop up and disappear overnight. Examples of such networks can be found at conventions and coffee shops, as well as any situation that requires Internet connection sharing (that is, splitting a single Internet connection among several users).
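The BSS/IBSS distinction above is visible on the air: every beacon and probe response carries a 16-bit capability field in which bit 0 (ESS) marks an infrastructure network and bit 1 (IBSS) marks an ad-hoc one, and bit 4 (Privacy) says whether the network requires encryption (WEP on the hardware of this era). The following parser is an added example written for this page, not code from the original article; it decodes those fixed fields and the SSID element from raw 802.11 management frames so a network owner can inventory what is beaconing nearby and flag ad-hoc networks (no central security control) and networks with the privacy bit clear. The sample frames are constructed in `build_beacon` rather than captured; the BSSIDs and SSIDs in them are made up.

```python
"""Decode 802.11 beacon / probe-response fixed fields and the SSID element,
then classify each network as infrastructure (BSS) or ad-hoc (IBSS) and as
open or privacy-enabled.  Added example; the frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import List

MGMT_TYPE = 0            # frame-control type: management
BEACON_SUBTYPE = 8
PROBE_RESP_SUBTYPE = 5
CAP_ESS = 0x0001         # capability bit 0: infrastructure (BSS)
CAP_IBSS = 0x0002        # capability bit 1: independent / ad-hoc (IBSS)
CAP_PRIVACY = 0x0010     # capability bit 4: encryption (WEP) required
SSID_ELEMENT_ID = 0


@dataclass
class Network:
    bssid: str
    ssid: str
    mode: str            # "infrastructure" or "ad-hoc"
    privacy: bool
    beacon_interval_tu: int


def parse_beacon(frame: bytes) -> Network:
    """Decode one beacon or probe-response frame (24-byte MAC header, no FCS)."""
    if len(frame) < 24 + 12:
        raise ValueError("frame too short for a beacon")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (BEACON_SUBTYPE, PROBE_RESP_SUBTYPE):
        raise ValueError("not a beacon or probe response")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 = BSSID
    body = frame[24:]
    # Fixed parameters: 8-byte timestamp, 2-byte beacon interval, 2-byte capability
    _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ess, ibss = bool(cap & CAP_ESS), bool(cap & CAP_IBSS)
    if ess == ibss:
        raise ValueError("capability field must set exactly one of ESS/IBSS")
    # Tagged parameters: (element id, length, value) triples; we only want SSID
    ssid = ""
    off = 12
    while off + 2 <= len(body):
        elem_id, length = body[off], body[off + 1]
        value = body[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if elem_id == SSID_ELEMENT_ID:
            ssid = value.decode("utf-8", "replace")
        off += 2 + length
    return Network(bssid, ssid, "infrastructure" if ess else "ad-hoc",
                   bool(cap & CAP_PRIVACY), interval)


def review_networks(frames) -> List[str]:
    """Return one finding per weak property observed in the beacons."""
    findings = []
    for frame in frames:
        n = parse_beacon(frame)
        label = n.ssid or "<hidden>"   # zero-length SSID = cloaked network
        if n.mode == "ad-hoc":
            findings.append(f"{label} ({n.bssid}): ad-hoc network, no central security control")
        if not n.privacy:
            findings.append(f"{label} ({n.bssid}): privacy bit clear, traffic unencrypted")
    return findings


def build_beacon(bssid: bytes, ssid: str, cap: int, interval: int = 100) -> bytes:
    """Constructed sample frame (not a capture): beacon header plus SSID element."""
    header = (bytes([0x80, 0x00])      # frame control: management / beacon
              + b"\x00\x00"            # duration
              + b"\xff" * 6            # address 1: broadcast
              + bssid + bssid          # address 2 (SA) and address 3 (BSSID)
              + b"\x00\x00")           # sequence control
    fixed = struct.pack("<QHH", 0, interval, cap)
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie


# Constructed inputs (made-up BSSIDs and SSIDs): a WEP-protected infrastructure
# network, an open ad-hoc network, and an open infrastructure network with a
# hidden SSID.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", "corp-wlan", CAP_ESS | CAP_PRIVACY),
    build_beacon(b"\x02\xaa\xbb\xcc\xdd\xee", "meeting-share", CAP_IBSS),
    build_beacon(b"\x00\x11\x22\x33\x44\x66", "", CAP_ESS),
]

if __name__ == "__main__":
    for line in review_networks(SAMPLE_FRAMES):
        print(line)
```

Run against the constructed frames, `review_networks` reports nothing for the first network, two findings for the ad-hoc one, and one for the hidden open network. The same `parse_beacon` works on frames read from a monitor-mode capture once the radiotap header is stripped; note that a hidden SSID only hides the name, and that the privacy bit does not tell you whether the key is any good.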
[Surveillance]
There are several approaches to locating a wireless network. The most basic method is a surveillance attack. You can use this technique on the spur of the moment, as it requires no special hardware or preparation. Most significantly, it is difficult, if not impossible, to detect. How is this type of attack launched? You simply observe the environment around you.
Things to Look For             Potential Locations
Antennas                       Walls, ceilings, hallways, roofs, windows
Access points                  Ceilings, walls, support beams, shelves
Network cable                  Traveling up walls or shelves, or across a ceiling
Newly-installed platforms      Walls, hallways and support beams
Devices (scanners/PDAs)        Employees, reception or checkout areas
This might sound basic, but it is still an effective method of reconnaissance. In some cases, you can even find out what type of access point is being used, because many companies place devices in clear view. You can even talk to employees who are using the wireless devices and ask a few simple questions about them. They probably will not be able to give you much usable information, but they might be able to confirm the existence of a wireless network. Be careful when talking to employees and asking questions, as you do not want to tip anybody off to a potential attack. Even when performing a legitimate security audit of your own network, you still must have prior written permission from your company's management, and you must always obey all local and regional laws. A surveillance attack is extremely targeted; attackers can go days without seeing anything. In addition, this type of attack is not possible if an attacker does not have physical access to the premises. Because of this, hackers developed a new method of discovery: war driving.
