Hacking Wireless Networks For Dummies - Kevin Beaver - E-Book


Kevin Beaver

Description

Become a cyber-hero - know the common wireless weaknesses

"Reading a book like this one is a worthy endeavor toward becoming an experienced wireless security professional." --Devin Akin - CTO, The Certified Wireless Network Professional (CWNP) Program

Wireless networks are so convenient - not only for you, but also for those nefarious types who'd like to invade them. The only way to know if your system can be penetrated is to simulate an attack. This book shows you how, along with how to strengthen any weak spots you find in your network's armor. Discover how to:

* Perform ethical hacks without compromising a system
* Combat denial of service and WEP attacks
* Understand how invaders think
* Recognize the effects of different hacks
* Protect against war drivers and rogue devices


Page count: 452

Year of publication: 2011




Hacking Wireless Networks For Dummies

by Kevin Beaver and Peter T. Davis

Foreword by Devin K. Akin

Chief Technology Officer, The Certified Wireless Network Professional (CWNP) Program

Hacking Wireless Networks For Dummies®

Published by Wiley Publishing, Inc., 111 River Street, Hoboken, NJ 07030-5774

www.wiley.com

Copyright © 2005 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2005924619

ISBN-13: 978-0-7645-9730-5

ISBN-10: 0-7645-9730-2

Manufactured in the United States of America


Foreword

In all of networking history, it has never been easier to penetrate a network. IEEE 802.11 wireless LAN technology gives the hacker and network-security professional inexpensive — many times free — tools to work with. Whether you are an avid user of Linux or Windows, the tools are everywhere. Due to the enduring and ubiquitous warez community, hackers can obtain even the expensive analysis and penetration tools — such as 802.11-protocol analyzers — with no investment.

This book will show you quite a few of the latest tools, but an exhaustive text covering all currently-available wireless hacking tools would require a forklift to move, and would require you to remove all other books from your bookshelves to make room. With this many available tools, the important factor becomes learning how to use them effectively and efficiently.

Beginners have wasted many weekends wardriving neighborhoods or business districts. This type of probing for low-hanging fruit yields little, and is a waste of valuable learning time. It is much more to an individual’s benefit to learn an assortment of wireless-LAN penetration tools and work toward the goal of obtaining useful information. Learning the tools and techniques takes time and hard work in a closed environment, but yields much in the information-technology arena.

The current demand for wireless-security professionals is staggering. Those individuals who have taken the time to hone their skills in the use of available tools and the latest penetration techniques will be financially rewarded with a great career. I urge you to consider practicing and studying rather than driving around from neighborhood to neighborhood hoping to send an e-mail through someone’s cable modem.

One of the biggest problems with wireless networks today is the lack of intrusion detection. Banks, investment firms, hospitals, law offices, and other organizations that house sensitive information may have a corporate policy stating that wireless LANs are not allowed. They may think that this “no-use” policy keeps their networks safe and secure, but they are gravely mistaken. A rogue access point could be placed on their network by intruders or by employees, and without a wireless-intrusion detection system, there would be no way to know that all of their security mechanisms have been bypassed — giving full access to anyone within 300 feet of the facility. Wireless-security professionals should be able to use available tools to locate wireless LANs, disable unauthorized access points, and test for a full array of wireless vulnerabilities.

One of the most difficult tasks for a consultant today is teaching customers about wireless LAN technology. Often, organizations understand neither the technology nor the risks associated with it. 802.11 networks have a significant ROI for some organizations, but inherently create a security hole so big that you could drive a truck through it. Organizations should carefully consider whether 802.11 networks are feasible and can be cost-justified. Many things go into the securing of 802.11 networks, from secure installation to end-user and IT staff training.

Forgetting to cover a single base in wireless-LAN security can lead to intrusion and financial disaster. The risks can often far outweigh the gain of using 802.11 technology, so organizations decide to have a no-use policy. Still, those organizations must consider how to protect from wireless intrusion. One of the tricks to getting customers to “bite” — commit to the notion of protecting their wireless LAN — is to give them a quick demonstration of hacking tools. If they have (for example) a heavily loaded 802.11g network secured with WEP, cracking their WEP key should open their eyes very quickly.

Keep in mind that these demonstrations should ALWAYS be done with the permission of a person in authority at the client organization — and in a closed environment. Doing otherwise can lead to criminal prosecution, defamation of your organization, and a plethora of other undesirable results.

Time is never the IT professional’s friend. Staying abreast of the latest tools and techniques takes lots of hard work and time. Reading a book like this one is a worthy endeavor toward becoming an experienced wireless security professional.

I am a firm believer in picking a field of study and becoming the best you can be in that particular area. Wireless LAN technology is so deep and wide that it can easily consume all of your time, so focusing on being a wireless LAN security professional is a reasonable and attainable choice. The market demand, the pay, and the career itself are all good. Best wishes to all who choose this career path — or endeavor to increase their networking knowledge by reading great books like this one.

Devin K. Akin

Chief Technology Officer, The Certified Wireless Network Professional (CWNP) Program http://www.cwnp.com

About the Authors

Kevin Beaver is founder and information security advisor with Principle Logic, LLC, an Atlanta-based information-security services firm. He has over 17 years of experience in the IT industry and specializes in information security assessments for those who take security seriously — and incident response for those who don’t. Before starting his own information-security services business, Kevin served in various information-technology and security roles for several healthcare, e-commerce, financial, and educational institutions.

Kevin is author of Hacking For Dummies as well as the e-book The Definitive Guide to Email Management and Security (Realtimepublishers.com). In addition, Kevin co-authored The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach Publications). He was also a contributing author and editor of Healthcare Information Systems, 2nd ed., (Auerbach Publications), and technical editor of Network Security For Dummies.

Kevin is a regular columnist and information-security expert for SearchSecurity.com, SearchWindowsSecurity.com, SearchNetworking.com, SearchExchange.com, and SearchSmallBizIT.com. He also serves as a contributing editor for HCPro’s Briefings on HIPAA newsletter and is a Security Clinic Expert for ITsecurity.com. In addition, Kevin’s information-security work has been published in Information Security Magazine, SecurityFocus.com, and Computerworld.com. Kevin is an information-security instructor for the Southeast Cybercrime Institute, and frequently speaks on information security at various conferences for CSI, TechTarget, IIA, SecureWorld Expo, and the Cybercrime Summit.

Kevin earned his bachelor’s degree in Computer Engineering Technology from Southern Polytechnic State University and his master’s degree in Management of Technology from Georgia Tech. He also holds MCSE, Master CNE, and IT Project+ certifications. Kevin can be reached at [email protected].

Peter T. Davis (CISA, CMA, CISSP, CWNA, CCNA, CMC, CISM) founded Peter Davis+Associates (a very original name) as a firm specializing in the security, audit, and control of information. A 30-year information-systems veteran, Mr. Davis’s career includes positions as programmer, systems analyst, security administrator, security planner, information-systems auditor, and consultant. Peter is also the founder (and past President) of the Toronto ISSA chapter, past Recording Secretary of the ISSA’s International Board, and past Computer Security Institute Advisory Committee member. Mr. Davis has written or co-written numerous articles and 10 books, including Wireless Networks For Dummies and Securing and Controlling Cisco Routers. In addition, Peter was the technical editor for Hacking For Dummies and Norton Internet Security For Dummies. Peter is listed in the International Who’s Who of Professionals. In addition, he was only the third editor in the three-decade history of EDPACS, a publication in the field of security, audit, and control. He finds time to be a part-time lecturer in data communications at Seneca College (http://cs.senecac.on.ca). He lives with his wife Janet, daughter Kelly, two cats, and a dog in Toronto, Ontario.

Dedication

Little G — this one’s for you. You’re such a great motivator and inspiration to me — more than words can say. Thanks for reminding me of what’s really important. Thanks for being you.

—Kevin

To all my friends and enemies. Hopefully, the first group is bigger than the second.

—Peter

Authors’ Acknowledgments

Kevin:

Thanks to Melody Layne, our acquisitions editor, for approaching me about this project and getting the ball rolling.

I’d like to thank our project editor, Chris Morris, as well as Kevin Kirschner and all the behind-the-scenes copy editors for pulling this thing together. Many thanks to my co-author Peter T. Davis for working with me on this book. It has been an honor and a pleasure.

I’d also like to thank Hugh Pepper, our technical editor, for the feedback and insight he gave us during the technical editing process.

Also, many thanks to Devin Akin with Planet3 Wireless for writing the foreword. Major kudos too for all the positive things you’ve done for the industry with the CWNP program. You’re a true wireless network pioneer.

Many thanks to Ronnie Holland with WildPackets, Chia Chee Kuan with AirMagnet, Michael Berg with TamoSoft, Matt Foster with BLADE Software, Ashish Mistry with AirDefense, and Wayne Burkan with Interlink Networks for helping out with my requests.

Thanks, appreciation, and lots of love to Mom and Dad for all the values and common sense you instilled in me long ago. I wouldn’t be where I’m at today without it.

Finally, to my dear wife Amy for all her support during this book. Yet another one I couldn’t have done without you! You’re the best.

Peter:

Melody Layne (our acquisitions editor) for pitching the book to the editorial committee and getting us a contract. As always, much appreciated.

Chris Morris for helping us bring this project to fruition. Kudos, Chris.

Hugh Pepper, tech editor, for his diligence in reviewing the material. Thanks, Hugh, for stepping in and stepping up.

Peter would like to thank Kevin Beaver for suggesting we write this together. Thanks Kevin. Peter would also like to thank Ken Cutler, Gerry Grindler, Ronnie Holland, Carl Jackson, Ray Kaplan, Kevin Kobelsky, Carrie Liddie, Dexter Mills Jr. and Larry Simon for responding to a request for wireless information. Thanks for answering the call for help. And a really big shout-out to John Selmys and Danny Roy for their efforts. Thanks, guys. The provided information shows in this book. Peter would be remiss should he not thank the NHL and NHLPA for canceling the hockey season. Thanks for freeing up his time to write this book. But the book is done, so get it together so he has something to watch this fall! (Come on guys, the Raptors don’t quite fill the void.) A special thanks to Janet and Kelly for allowing Peter to work on the book as they painted the family room. Now he can kick back and enjoy the room!

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development

Project Editor: Christopher Morris

Acquisitions Editor: Melody Layne

Copy Editors: Barry Childs-Helton, Andy Hollandbeck, Beth Taylor

Technical Editor: Hugh Pepper

Editorial Manager: Kevin Kirschner

Editorial Assistant: Amanda Foxworth

Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services

Project Coordinator: Adrienne Martinez

Layout and Graphics: Carl Byers, Andrea Dahl, Mary Gillot Virgin

Proofreaders: Jessica Kramer, Joe Niesen, Carl William Pierce, Dwight Ramsey, TECHBOOKS Production Services

Indexer: TECHBOOKS Production Services

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher

Andy Cummings, Vice President and Publisher

Mary Bednarek, Executive Acquisitions Director

Mary C. Corder, Editorial Director

Publishing for Consumer Dummies

Diane Graves Steele, Vice President and Publisher

Joyce Pepple, Acquisitions Director

Composition Services

Gerry Fahey, Vice President of Production Services

Debbie Stailey, Director of Composition Services

Contents

Title

Introduction

Who Should Read This Book?

About This Book

How to Use This Book

Foolish Assumptions

How This Book Is Organized

Icons Used in This Book

Where to Go from Here

Part I : Building the Foundation for Testing Wireless Networks

Chapter 1: Introduction to Wireless Hacking

Why You Need to Test Your Wireless Systems

Getting Your Ducks in a Row

Gathering the Right Tools

To Protect, You Must Inspect

Chapter 2: The Wireless Hacking Process

Obeying the Ten Commandments of Ethical Hacking

Understanding Standards

Chapter 3: Implementing a Testing Methodology

Determining What Others Know

Mapping Your Network

Scanning Your Systems

Determining More about What’s Running

Performing a Vulnerability Assessment

Penetrating the System

Chapter 4: Amassing Your War Chest

Choosing Your Hardware

Hacking Software

Picking Your Transceiver

Extending Your Range

Using GPS

Signal Jamming

Part II : Getting Rolling with Common Wi-Fi Hacks

Chapter 5: Human (In)Security

What Can Happen

Ignoring the Issues

Social Engineering

Unauthorized Equipment

Default Settings

Weak Passwords

Human (In)Security Countermeasures

Chapter 6: Containing the Airwaves

Signal Strength

Network Physical Security Countermeasures

Chapter 7: Hacking Wireless Clients

What Can Happen

Probing for Pleasure

Looking for General Client Vulnerabilities

Ferreting Out WEP Keys

Wireless Client Countermeasures

Chapter 8: Discovering Default Settings

Collecting Information

Cracking Passwords

Gathering IP Addresses

Gathering SSIDs

Default-Setting Countermeasures

Chapter 9: Wardriving

Introducing Wardriving

Installing and Running NetStumbler

Setting Up NetStumbler

Interpreting the Results

Mapping Your Stumbling

Part III : Advanced Wi-Fi Hacks

Chapter 10: Still at War

Using Advanced Wardriving Software

Organization Wardriving Countermeasures

Chapter 11: Unauthorized Wireless Devices

What Can Happen

Wireless System Configurations

Characteristics of Unauthorized Systems

Wireless Client Software

Stumbling Software

Network-Analysis Software

Additional Software Options

Online Databases

Unauthorized System Countermeasures

Chapter 12: Network Attacks

What Can Happen

MAC-Address Spoofing

Who’s that Man in the Middle?

SNMP: That’s Why They Call It Simple

All Hail the Queensland Attack

Sniffing for Network Problems

Network Attack Countermeasures

Chapter 13: Denial-of-Service Attacks

What Can Happen

We Be Jamming

AP Overloading

Are You Dis’ing Me?

Physical Insecurities

DoS Countermeasures

Chapter 14: Cracking Encryption

What Can Happen

Protecting Message Privacy

Protecting Message Integrity

Using Encryption

WEP Weaknesses

Other WEP Problems to Look For

Attacking WEP

Cracking Keys

Countermeasures Against Home Network-Encryption Attacks

Organization Encryption Attack Countermeasures

Chapter 15: Authenticating Users

Three States of Authentication

I Know Your Secret

Have We Got EAP?

Implementing 802.1X

Cracking LEAP

Network Authentication Countermeasures

Part IV : The Part of Tens

Chapter 16: Ten Essential Tools for Hacking Wireless Networks

Laptop Computer

Wireless Network Card

Antennas and Connecting Cables

GPS Receiver

Stumbling Software

Wireless Network Analyzer

Port Scanner

Vulnerability Assessment Tool

Google

An 802.11 Reference Guide

Chapter 17: Ten Wireless Security-Testing Mistakes

Skipping the Planning Process

Not Involving Others in Testing

Not Using a Methodology

Forgetting to Unbind the NIC When Wardriving

Failing to Get Written Permission to Test

Failing to Equip Yourself with the Proper Tools

Over-Penetrating Live Networks

Using Data Improperly

Failing to Report Results or Follow Up

Breaking the Law

Chapter 18: Ten Tips for Following Up after Your Testing

Organize and Prioritize Your Results

Prepare a Professional Report

Retest If Necessary

Obtain Sign-Off

Plug the Holes You Find

Document the Lessons Learned

Repeat Your Tests

Monitor Your Airwaves

Practice Using Your Wireless Tools

Keep Up with Wireless Security Issues

Part V : Appendixes

Appendix A: Wireless Hacking Resources

Certifications

General Resources

Hacker Stuff

Wireless Organizations

Local Wireless Groups

Security Awareness and Training

Wireless Tools

Appendix B: Glossary of Acronyms

Introduction

Welcome to Hacking Wireless Networks For Dummies.

When we refer to ethical hacking, we mean the professional, aboveboard, and legal type of security testing that you — as an IT professional — can perform as part of your job. Villains need not apply.

Wireless networks are popping up everywhere. They provide a lot of freedom but not without cost: All too many wireless networks are left wide open for attack. As with any other computer or network, you must be up on the latest security concepts to properly secure 802.11-based wireless networks. But locking them down involves more than just port-scanning testing and patching vulnerabilities. You must also have the right security tools, use the proper testing techniques, and possess a watchful eye. And know your enemy: It’s critical to think like a hacker to get a true sense of how secure your information really is.

Ethical hacking is a means of using the bad-guy (black-hat) techniques for good-guy (white-hat) purposes. It’s testing your information systems with the goal of making them more secure — and keeping them that way. This type of security testing is sometimes called penetration testing, white-hat hacking, or vulnerability testing, but it goes further than that as you’ll see when we outline the methodology in this book.

If you use the resources provided in this book, maintain a security-focused mindset, and dedicate some time for testing, we believe you’ll be well on your way to finding the weaknesses in your wireless systems and implementing countermeasures to keep the bad guys off your airwaves and out of your business.

The ethical hacking tests and system-hardening tips outlined in this book can help you test and protect your wireless networks at places like warehouses, coffee shops, your office building, your customer sites, and even at your house.

Who Should Read This Book?

If you want to find out how to maliciously break into wireless networks this book is not for you. In fact, we feel so strongly about this, we provide the following disclaimer.

If you choose to use the information in this book to maliciously hack or break into wireless systems in an unauthorized fashion — you’re on your own. Neither Kevin nor Peter as the co-authors nor anyone else associated with this book shall be liable or responsible for any unethical or criminal choices you may make using the methodologies and tools we describe. This book and its contents are intended solely for IT professionals who wish to test the security of wireless networks in an authorized fashion.

So, anyway, this book is for you if you’re a network administrator, information-security manager, security consultant, wireless-network installer, or anyone interested in finding out more about testing 802.11-based wireless networks in order to make them more secure — whether it’s your own wireless network or that of a client that you’ve been given permission to test.

About This Book

Hacking Wireless Networks For Dummies is inspired by the original Hacking For Dummies book, which Kevin authored and for which Peter performed the technical editing. Hacking For Dummies covered a broad range of security testing topics, but this book focuses specifically on 802.11-based wireless networks. The techniques we outline are based on information-security best practices, as well as various unwritten rules of engagement. This book covers the entire ethical-hacking process, from establishing your plan to carrying out the tests to following up and implementing countermeasures to ensure your wireless systems are secure.

There are literally hundreds, if not thousands, of ways to hack wireless network systems such as (for openers) laptops and access points (APs). Rather than cover every possible vulnerability that may rear its head in your wireless network, we’re going to cover just the ones you should be most concerned about. The tools and techniques we describe in this book can help you secure wireless networks at home, in small-to-medium sized businesses (SMBs) including coffee shops, and even across large enterprise networks.

How to Use This Book

This book bases its approach on three standard ingredients of ethical-hacking wisdom:

Descriptions of various non-technical and technical hack attacks — and their detailed methodologies

Access information to help you get hold of common freeware, open-source, and commercial security-testing tools

Countermeasures to protect wireless networks against attacks

Each chapter is an individual reference on a specific ethical-hacking subject. You can refer to individual chapters that pertain to the type of testing you wish to perform, or you can read the book straight through.

Before you start testing your wireless systems, it’s important to familiarize yourself with the information in Part I so you’re prepared for the tasks at hand. You’ve undoubtedly heard the saying, “If you fail to plan, you plan to fail.” Well, it applies especially to what we’re covering here.

Foolish Assumptions

Right off the bat, we make a few assumptions about you, the IT professional:

You’re familiar with basic computer-, network-, wireless- and information-security-related concepts and terms.

You have a wireless network to test that includes two wireless clients at a minimum but will likely include AP(s), wireless router(s), and more.

You have a basic understanding of what hackers do.

You have access to a computer and a wireless network on which to perform your tests.

You have access to the Internet in order to obtain the various tools used in the ethical-hacking process.

Finally, perhaps the most important assumption is that you’ve obtained permission to perform the hacking techniques contained in this book. If you haven’t, make sure you do — before you do anything we describe here.

How This Book Is Organized

This book is organized into five parts — three standard chapter parts, a Part of Tens, and a part with appendixes. These parts are modular, so you can jump around from one part to another to your heart’s content.

Part I: Building the Foundation for Testing Wireless Networks

In Chapter 1, we talk about why you need to be concerned with wireless security — and outline various dangers that wireless networks face. We also talk about various wireless-testing tools, as well as hacks you can perform. Chapter 2 talks about planning your ethical-hacking journey, and Chapter 3 talks about the specific methods you can use to perform your tests. Chapter 4 finishes things off by outlining various testing tools you’ll need to hack your wireless systems.

Part II: Getting Rolling with Common Wi-Fi Hacks

This part begins with Chapter 5, in which we talk about various non-technical, people-related attacks, such as a lack of security awareness, installing systems with default settings, and social engineering. Chapter 6 talks about various physical security ailments that can leave your network open to attack. Chapter 7 covers common vulnerabilities found in wireless-client systems associated with wireless PC Cards, operating system weaknesses, and personal firewalls — any of which can make or break the security of your wireless network. In Chapter 8, we dig a little deeper into the “people problems” covered in Chapter 5 — in particular, what can happen when people don’t change the default settings (arrgh). We talk about SSIDs, passwords, IP addresses, and more, so be sure to check out this vital information on an often-overlooked wireless weakness. In Chapter 9, we cover the basics of war driving including how to use stumbling software and a GPS system to map out your wireless network. We’ll not only cover the tools and techniques, but also what you can do about it — and that includes doing it ethically before somebody does it maliciously.

Part III: Advanced Wi-Fi Hacks

In Chapter 10, we continue our coverage on war driving and introduce you to some more advanced hacking tools, techniques, and countermeasures. In Chapter 11, we go into some depth about unapproved wireless devices — we lay out why they’re an issue, and talk about the various technical problems associated with rogue wireless systems on your network. We show you tests you can run and give you tips on how you can prevent random systems from jeopardizing your airwaves. In Chapter 12, we look at the various ways your communications and network protocols can cause problems — whether that’s MAC address spoofing, Simple Network Management Protocol (SNMP) weaknesses, man-in-the-middle vulnerabilities, or Address Resolution Protocol (ARP) poisoning. In Chapter 13, we cover denial-of-service attacks, including jamming, disassociation, and deauthentication attacks that can be performed against wireless networks, and how to defend against them. In Chapter 14, you get a handle on how to crack WEP encryption; Chapter 15 outlines various attacks against wireless-network authentication systems. In these chapters, we not only show you how to test your wireless systems for these vulnerabilities but also make suggestions to help you secure your systems from these attacks.

Part IV: The Part of Tens

This part contains tips to help ensure the success of your ethical-hacking program. You find out our listing of ten wireless-hacking tools. In addition, we include the top ten wireless-security testing mistakes, along with ten tips on following up after you’re done testing. Our aim is to help ensure the ongoing security of your wireless systems and the continuing success of your ethical hacking program.

Part V: Appendixes

This part includes an appendix that covers ethical wireless-network hacking resources and a glossary of acronyms.

Icons Used in This Book

This icon points out technical information that is (although interesting) not absolutely vital to your understanding of the topic being discussed. Yet.

This icon points out information that is worth committing to memory.

This icon points out information that could have a negative impact on your ethical hacking efforts — so pay close attention.

This icon refers to advice that can help highlight or clarify an important point.

Where to Go from Here

The more you know about how the bad guys work, how your wireless networks are exposed to the world, and how to test your wireless systems for vulnerabilities, the more secure your information will be. This book provides a solid foundation for developing and maintaining a professional ethical-hacking program to keep your wireless systems in check.

Remember that there’s no one best way to test your systems because everyone’s network is different. If you practice regularly, you’ll find a routine that works best for you. Don’t forget to keep up with the latest hacker tricks and wireless-network vulnerabilities. That’s the best way to hone your skills and stay on top of your game. Be ethical, be methodical, and be safe — happy hacking!

Part I

Building the Foundation for Testing Wireless Networks

In this part . . .

Welcome to the wireless frontier. A lot of enemies and potholes lurk along the journey of designing, installing, and securing IEEE 802.11-based networks — but the payoffs are great. Learning the concepts of wireless security is an eye-opening experience. After you get the basics down, you’ll be the security wizard in your organization, and you’ll know that all the information floating through thin air is being protected.

If you’re new to ethical hacking, this is the place to begin. The chapters in this part get you started with information on what to do, how to do it, and what tools to use when you’re hacking your own wireless systems. We not only talk about what to do, but also about something equally important: what not to do. This information will guide, entertain, and start you off in the right direction to make sure your ethical-hacking experiences are positive and effective.

Chapter 1

Introduction to Wireless Hacking

In This Chapter

Understanding the need to test your wireless systems

Wireless vulnerabilities

Thinking like a hacker

Preparing for your ethical hacks

Important security tests to carry out

What to do when you’re done testing

Wireless local-area networks — often referred to as WLANs or Wi-Fi networks — are all the rage these days. People are installing them in their offices, hotels, coffee shops, and homes. Seeking to fulfill the wireless demands, Wi-Fi product vendors and service providers are popping up just about as fast as the dot-coms of the late 1990s. Wireless networks offer convenience, mobility, and can even be less expensive to implement than wired networks in many cases. Given the consumer demand, vendor solutions, and industry standards, wireless-network technology is real and is here to stay. But how safe is this technology?

Wireless networks are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 set of standards for WLANs. In case you’ve ever wondered, the IEEE 802 standards got their name from the year and month this group was formed — February 1980. The “.11” that refers to the wireless LAN working group is simply a subset of the 802 group. There’s a whole slew of industry groups involved with wireless networking, but the two main players are the IEEE 802.11 working group and the Wi-Fi Alliance.

Years ago, wireless networks were only a niche technology used for very specialized applications. These days, Wi-Fi systems have created a multibillion-dollar market and are being used in practically every industry — and in every size organization from small architectural firms to the local zoo. But with this increased exposure comes increased risk: The widespread use of wireless systems has helped make them a bigger target than the IEEE ever bargained for. (Some widely publicized flaws such as the Wired Equivalent Privacy (WEP) weaknesses in the 802.11 wireless-network protocol haven’t helped things, either.) And, as Microsoft has demonstrated, the bigger and more popular you are, the more attacks you’re going to receive.

With the convenience, cost savings, and productivity gains of wireless networks come a whole slew of security risks. These aren’t the common security issues, such as spyware, weak passwords, and missing patches. Those weaknesses still exist; however, networking without wires introduces a whole new set of vulnerabilities from an entirely different perspective.

This brings us to the concept of ethical hacking. Ethical hacking — sometimes referred to as white-hat hacking — means the use of hacking to test and improve defenses against unethical hackers. It’s often compared to penetration testing and vulnerability testing, but it goes even deeper. Ethical hacking involves using the same tools and techniques the bad guys use, but it also involves extensive up-front planning, a group of specific tools, complex testing methodologies, and sufficient follow-up to fix any problems before the bad guys — the black- and gray-hat hackers — find and exploit them.

Understanding the various threats and vulnerabilities associated with 802.11-based wireless networks — and ethically hacking them to make them more secure — is what this book is all about. Please join in on the fun.

In this chapter, we’ll take a look at common threats and vulnerabilities associated with wireless networks. We’ll also introduce you to some essential wireless security tools and tests you should run in order to strengthen your airwaves.

Why You Need to Test Your Wireless Systems

Wireless networks have been notoriously insecure since the early days of the 802.11b standard of the late 1990s. Since the standard’s inception, major 802.11 weaknesses, such as physical security weaknesses, encryption flaws, and authentication problems, have been discovered. Wireless attacks have been on the rise ever since. The problem has gotten so bad that two wireless security standards have emerged to help fight back at the attackers:

Wi-Fi Protected Access (WPA): This standard, which was developed by the Wi-Fi Alliance, served as an interim fix to the well-known WEP vulnerabilities until the IEEE came out with the 802.11i standard.

IEEE 802.11i (referred to as WPA2): This is the official IEEE standard, which incorporates the WPA fixes for WEP along with other encryption and authentication mechanisms to further secure wireless networks.

These standards have resolved many known security vulnerabilities of the 802.11a/b/g protocols. As with most security standards, the problem with these wireless security solutions is not that the solutions don’t work — it’s that many network administrators are resistant to change and don’t fully implement them. Many administrators don’t want to reconfigure their existing wireless systems and don’t want to have to implement new security mechanisms for fear of making their networks more difficult to manage. These are legitimate concerns, but they leave many wireless networks vulnerable and waiting to be compromised.

Even after you have implemented WPA, WPA2, and the various other wireless protection techniques described in this book, your network may still be at risk. This can happen when (for example) employees install unsecured wireless access points or gateways on your network without you knowing about it. In our experience — even with all the wireless security standards and vendor solutions available — the majority of systems are still wide open to attack. Bottom line: Ethical hacking isn’t a do-it-once-and-forget-it measure. It’s like an antivirus upgrade — you have to do it again from time to time.

Knowing the dangers your systems face

Before we get too deep into the ethical-hacking process, it will help to define a couple of terms that we’ll be using throughout this book. They are as follows:

Threat: A threat is an indication of intent to cause disruption within an information system. Some examples of threat agents are hackers, disgruntled employees, and malicious software (malware) such as viruses or spyware that can wreak havoc on a wireless network.

Vulnerability: A vulnerability is a weakness within an information system that can be exploited by a threat. Some examples are wireless networks not using encryption, weak passwords on wireless access points or APs (an AP is the central hub for a set of wireless computers), and an AP sending wireless signals outside the building. Wireless-network vulnerabilities are what we’ll be seeking out in this book.

Beyond these basics, quite a few things can happen when a threat actually exploits the vulnerabilities of a wireless network. This situation is called risk. Even when you think there’s nothing going across your wireless network that a hacker would want — or you figure the likelihood of something bad happening is very low — there’s still ample opportunity for trouble. Risks associated with vulnerable wireless networks include

Full access to files being transmitted or even sitting on the server

Stolen passwords

Intercepted e-mails

Back-door entry points into your wired network

Denial-of-service attacks causing downtime and productivity losses

Violations of state, federal, or international laws and regulations relating to privacy, corporate financial reporting, and more

“Zombies” — A hacker using your system to attack other networks, making you look like the bad guy

Spamming — A spammer using your e-mail server or workstations to send out spam, spyware, viruses, and other nonsense e-mails

We could go on and on, but you get the idea. The risks on wireless networks are not much different from those on wired ones. Wireless risks just have a greater likelihood of occurring — that’s because wireless networks normally have a larger number of vulnerabilities.

The really bad thing about all this is that without the right equipment and vigilant network monitoring, it can be impossible to detect someone hacking your airwaves — even from a couple of miles away! Wireless-network compromises can include a nosy neighbor using a frequency scanner to listen in on your cordless phone conversations — or nosy co-workers overhearing private boardroom conversations. Without the physical layer of protection we’ve grown so accustomed to with our wired networks, anything is possible.

Understanding the enemy

The wireless network’s inherent vulnerabilities, in and of themselves, aren’t necessarily bad. The true problem lies with all the malicious hackers out there just waiting to exploit these vulnerabilities and make your job — and life — more difficult. In order to better protect your systems, it helps to understand what you’re up against — in effect, to think like a hacker. Although it may be impossible to achieve the same malicious mindset as the cyberpunks, you can at least see where they’re coming from technically and how they work.

For starters, hackers are likely to attack systems that require the least amount of effort to break into. A prime target is an organization that has just one or two wireless APs. Our findings show that these smaller wireless networks help stack the odds in the hackers’ favor, for several reasons:

Smaller organizations are less likely to have a full-time network administrator keeping tabs on things.

Small networks are also more likely to leave the default settings on their wireless devices unchanged, making them easier to crack into.

Smaller networks are less likely to have any type of network monitoring, in-depth security controls such as WPA or WPA2, or a wireless intrusion-detection system (WIDS). These are exactly the sorts of things that smart hackers take into consideration.

However, small networks aren’t the only vulnerable ones. There are various other weaknesses hackers can exploit in networks of all sizes, such as the following:

The larger the wireless network, the easier it may be to crack Wired Equivalent Privacy (WEP) encryption keys. This is because larger networks likely receive more traffic, and an increased volume of packets to be captured thus leads to quicker WEP cracking times. We cover WEP in depth in Chapter 14.

Most network administrators don’t have the time or interest in monitoring their networks for malicious behavior.

Network snooping will be easier if there’s a good place such as a crowded parking lot or deck to park and work without attracting attention.

Most organizations use the omnidirectional antennae that come standard on APs — without even thinking about how these spread RF signals around outside the building.

Because wireless networks are often an extension of a wired network, where there’s an AP, there’s likely a wired network behind it. Given this, there are often just as many treasures on the wired side as on the wireless network, if not more.

Many organizations attempt to secure their wireless networks with routine security measures — say, disabling service-set-identifier (SSID) broadcasts (which basically broadcasts the name of the wireless network to any wireless device in range) and enabling media-access control (MAC) address filtering (which can limit the wireless hosts that can attach to your network) — without knowing that these controls are easily circumvented.

SSIDs are often set to obvious company or department names that can give the intruders an idea which systems to attack first.

Throughout this book, we point out ways the bad guys work when they’re carrying out specific hacks. The more cognizant you are of the hacker mindset, the deeper and broader your security testing will be — which leads to increased wireless security.

Many hackers don’t necessarily want to steal your information or crash your systems. They often just want to prove to themselves and their buddies that they can break in. This likely creates a warm fuzzy feeling that makes them feel like they’re contributing to society somehow. On the other hand, sometimes they attack simply to get under the administrator’s skin. Sometimes they are seeking revenge. Hackers may want to use a system so they can attack other people’s networks under disguise. Or maybe they’re bored, and just want to see what information is flying through the airwaves, there for the taking.

The “high-end” uberhackers go where the money is — literally. These are the guys who break into online banks, e-commerce sites, and internal corporate databases for financial gain. What better way to break into these systems than through a vulnerable wireless network, making the real culprit harder to trace? One AP or vulnerable wireless client is all it takes to get the ball rolling.

For more in-depth insight into hackers — who they are, why they do it, and so on — check out Kevin’s book Hacking For Dummies (Wiley) where he dedicated an entire chapter to this subject. Whatever the reasons are behind all of these hacker shenanigans, the fact is that your network, your information, and (heaven forbid) your job are at risk.

There’s no such thing as absolute security on any network — wireless or not. It’s basically impossible to be completely proactive in securing your systems since you cannot defend against an attack that hasn’t already happened. Although you may not be able to prevent every type of attack, you can prepare, prepare, and prepare some more — to deal with attacks more effectively and minimize losses when they do occur.

Information security is like an arms race — the attacks and countermeasures are always one-upping each other. The good thing is that for every new attack, there will likely be a new defense developed. It’s just a matter of timing. Even though we’ll never be able to put an end to the predatory behavior of unethical cyber thugs, it’s comforting to know that there are just as many ethical security professionals working hard every day to combat the threats.

Wireless-network complexities

In addition to the various security vulnerabilities we mentioned above, one of the biggest obstacles to secure wireless networks is their complexity. It’s not enough to just install a firewall, set strong passwords, and have detailed access control settings. No, wireless networks are a completely different beast than their wired counterparts. These days, a plain old AP and wireless network interface card (NIC) might not seem too complex, but there’s a lot going on behind the scenes.

The big issues revolve around the 802.11 protocol. This protocol doesn’t just send and receive information with minimal management overhead (as does, say, plain old Ethernet). Rather, 802.11 is highly complex — it not only has to send and receive radio frequency (RF) signals that carry packets of network data, it also has to perform a raft of other functions such as

Timing message packets to ensure client synchronization and help avoid data-transmission collisions

Authenticating clients to make sure only authorized personnel connect to the network

Encrypting data to enhance data privacy

Checking data integrity to ensure that the data remains uncorrupted or unmodified

For a lot of great information on wireless-network fundamentals, check out the book that Peter co-authored — Wireless Networks For Dummies.

In addition to 802.11-protocol issues, there are also complexities associated with wireless-network design. Try these on for size:

Placement of APs relative to existing network infrastructure devices, such as routers, firewalls, and switches

What type of antennae to use and where to locate them

How to adjust signal-power settings to prevent RF signals from leaking outside your building

Keeping track of your wireless devices — such as APs, laptops, and personal digital assistants (PDAs)

Knowing which device types are allowed on your network and which ones don’t belong

These wireless-network complexities can lead to a multitude of security weaknesses that simply aren’t present in traditional wired networks.
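As an added example that is not from the book, here is a small Python inventory check covering the last two design items above (keeping track of your APs and knowing which ones don’t belong) together with the vulnerability examples given earlier in this chapter (networks without encryption and devices left on default settings). Every BSSID, SSID, signal value and the default-SSID list is a constructed sample, not data from the book.

```python
"""Inventory-based rogue AP triage (added example, not the book's own code).

Given the BSSID / SSID / security type of every AP a scan saw, compare against
an authorized inventory and flag what does not belong or is weakly configured.
All BSSIDs, SSIDs and the default-SSID list here are constructed sample values.
"""
from dataclasses import dataclass

# Authorized APs: BSSID -> SSID they are supposed to advertise (constructed).
AUTHORIZED = {
    "00:11:22:33:44:55": "corp-wlan",
    "00:11:22:33:44:56": "corp-wlan",
    "00:11:22:33:44:57": "corp-wlan",
}

# Factory-default network names worth flagging (hypothetical short list).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}

# Security types that offer no real protection (WEP is covered in Chapter 14).
WEAK_SECURITY = {"OPEN", "WEP"}

# Constructed scan output: bssid, ssid, security, signal (dBm), one AP per line.
SAMPLE_SCAN = """
# bssid, ssid, security, signal_dbm
00:11:22:33:44:55, corp-wlan, WPA2, -45
00-11-22-33-44-56, corp-wlan, WPA2, -60
0011.2233.4457, corp-wlan, WEP, -55
aa:bb:cc:dd:ee:01, corp-wlan, OPEN, -50
aa:bb:cc:dd:ee:02, linksys, WEP, -70
aa:bb:cc:dd:ee:03, neighbor-net, WPA2, -85
""".strip().splitlines()


@dataclass
class Observation:
    bssid: str
    ssid: str
    security: str
    signal_dbm: int


def normalize_mac(mac: str) -> str:
    """Accept colon-, dash- or dot-separated MACs in any case and return the
    AA:BB:CC:DD:EE:FF form, so an inventory lookup never misses an AP merely
    because the scanner formats addresses differently from the inventory."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF").upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_scan(lines):
    """Turn comma-separated scan lines into Observations, skipping comments."""
    observations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security, signal = (f.strip() for f in line.split(","))
        observations.append(
            Observation(normalize_mac(bssid), ssid, security.upper(), int(signal)))
    return observations


def triage(observations, authorized=AUTHORIZED):
    """Sort every observed AP into finding buckets (lists of BSSIDs).

    rogue:           BSSID not in the inventory
    evil_twin:       rogue advertising one of OUR SSIDs (clients may auto-join it)
    weak_encryption: any AP, ours or not, running OPEN or WEP
    default_ssid:    AP still using a factory-default network name
    """
    inventory = {normalize_mac(b): s for b, s in authorized.items()}
    our_ssids = set(inventory.values())
    findings = {"rogue": [], "evil_twin": [], "weak_encryption": [], "default_ssid": []}
    # Strongest signal first: a -45 dBm rogue is in the building, -85 dBm may be a neighbor.
    for obs in sorted(observations, key=lambda o: o.signal_dbm, reverse=True):
        if obs.bssid not in inventory:
            findings["rogue"].append(obs.bssid)
            if obs.ssid in our_ssids:
                findings["evil_twin"].append(obs.bssid)
        if obs.security in WEAK_SECURITY:
            findings["weak_encryption"].append(obs.bssid)
        if obs.ssid.lower() in DEFAULT_SSIDS:
            findings["default_ssid"].append(obs.bssid)
    return findings


if __name__ == "__main__":
    for bucket, bssids in triage(parse_scan(SAMPLE_SCAN)).items():
        print(f"{bucket:16s} {', '.join(bssids) or '-'}")
```

Run against the sample, the authorized AP that someone left on WEP lands in the weak-encryption bucket alongside the open rogue that is broadcasting the corporate SSID, which is the one to chase first.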

Getting Your Ducks in a Row

Before going down the ethical-hacking road, it’s critical that you plan everything in advance. This includes:

Obtaining permission to perform your tests from your boss, project sponsor, or client

Outlining your testing goals

Deciding what tests to run

Grasping the ethical-hacking methodology (what tests to run, what to look for, how to follow up, and so on) before you carry out your tests

For more on the ethical-hacking methodology, see Chapter 3.

All the up-front work and formal steps to follow may seem like a lot of hassle at first. However, we believe that if you’re going to go to all the effort to perform ethical hacking on your wireless network as a true IT professional, do it right the first time around. It’s the only way to go.

The law of sowing and reaping applies to the ethical-hacking planning phase. The more time and effort you put in up front, the more it pays off in the long run — you’ll be better prepared, have the means to perform a more thorough wireless-security assessment, and (odds are) you’ll end up with a more secure wireless network.

Planning everything in advance saves you a ton of time and work in the long-term; you won’t regret it. Your boss or your client will be impressed to boot!

Gathering the Right Tools

Every job requires the right tools. Selecting and preparing the proper security testing tools is a critical component of the ethical-hacking process. If you’re not prepared, you’ll most likely spin your wheels and not get the desired results.

Just because a wireless hacking tool is designed to perform a certain test, that doesn’t mean it will. You may have to tweak your settings or find another tool altogether. Also keep in mind that you sometimes have to take the output of your tools with a grain of salt. There’s always the potential for false positives (showing there’s a vulnerability when there’s not) and even false negatives (showing there’s no vulnerability when there is).

The following tools are some of our favorites for testing wireless networks and are essential for performing wireless hacking tests:

Google — yep, this Web site is a great tool

Laptop computer

Global Positioning System (GPS) satellite receiver

Network Stumbler network stumbling software

AiroPeek network-analysis software

QualysGuard vulnerability-assessment software

WEPcrack encryption cracking software

Starting in Chapter 6, we work with these tools in more detail when we lay out specific wireless hacks.

You can’t do without good security-testing tools, but no one of them is “the” silver bullet for finding and killing off all your wireless network’s vulnerabilities. A trained eye and a good mix of tools is the best combination for finding the greatest number of weaknesses in your systems.

It’s critical that you understand how to use your various tools for the specific tests you’ll be running. This may include something as informal as playing around with the tools or something as formal as taking a training class. Don’t worry, we’ll show you how to work the basics when we walk you through specific tests in Chapters 5 through 16.

To Protect, You Must Inspect

After you get everything prepared, it’s time to roll up your sleeves and get your hands dirty by performing various ethical hacks against your wireless network. There are dozens of security tests you can run to see just how vulnerable your wireless systems are to attack — and Chapters 5 through 16 of this book walk you through the most practical and important ones. The outcomes of these tests will show you what security holes can — or cannot — be fixed to make your wireless network more secure. Not to worry, we won’t leave you hanging with a bunch of vulnerabilities to fix. We’ll outline various countermeasures you can use to fix the weaknesses you find.

In the next few sections, we outline the various types of security attacks to establish the basis for the vulnerability tests you’ll be running against your wireless network.

Non-technical attacks

These types of attacks exploit various human weaknesses, such as lack of awareness, carelessness, and being too trusting of strangers. There are also physical vulnerabilities that can give an attacker a leg up on firsthand access to your wireless devices. These are often the easiest types of vulnerabilities to take advantage of — and they can even happen to you if you’re not careful. These attacks include

Breaking into wireless devices that users installed on their own and left unsecured

Social engineering attacks whereby a hacker poses as someone else and coaxes users into giving out too much information about your network

Physically accessing APs, antennae, and other wireless infrastructure equipment to reconfigure it — or (worse) capture data off it

Network attacks

When it comes to the nitty-gritty bits and bytes, there are a lot of techniques the bad guys can use to break inside your wireless realm or at least leave it limping along in a nonworking state. Network-based attacks include

Installing rogue wireless APs and “tricking” wireless clients into connecting to them

Capturing data off the network from a distance by walking around, driving by, or flying overhead

Attacking the networking transactions by spoofing MAC addresses (masquerading as a legitimate wireless user), setting up man-in-the-middle (inserting a wireless system between an AP and wireless client) attacks, and more

Exploiting network protocols such as SNMP

Performing denial-of-service (DoS) attacks

Jamming RF signals

Software attacks

As if the security problems with the 802.11 protocol weren’t enough, we now have to worry about the operating systems and applications on wireless-client machines being vulnerable to attack. Here are some examples of software attacks:

Hacking the operating system and other applications on wireless-client machines

Breaking in via default settings such as passwords and SSIDs that are easily determined

Cracking WEP keys and tapping into the network’s encryption system

Gaining access by exploiting weak network-authentication systems

Chapter 2

The Wireless Hacking Process

In This Chapter

Understanding the hacking process

The Ten Commandments of Ethical Hacking

Understanding the standards

Evaluating your results

We teach courses on ethical hacking — and when you’re teaching, you need an outline. Our teaching outline always starts with the introduction to the ethical-hacking process that comprises most of this chapter. Inevitably, when the subject of an ethical

Obeying the Ten Commandments of Ethical Hacking

In his book Hacking For Dummies (Wiley), Kevin discussed the hacker genre and ethos. In Chapter 1, he enumerated the Ethical Hacking Commandments. In that book, Kevin listed three commandments. But (as with everything in networking) the list has grown to fill the available space. Now these commandments were not brought down from Mount Sinai, but thou shalt follow these commandments shouldst thou decide to become a believer in the doctrine of ethical hacking. The Ten Commandments are

1. Thou shalt set thy goals.

2. Thou shalt plan thy work, lest thou go off course.

3. Thou shalt obtain permission.

4. Thou shalt work ethically.

5. Thou shalt work diligently.

6. Thou shalt respect the privacy of others.

7. Thou shalt do no harm.

8. Thou shalt use a scientific process.

9. Thou shalt not covet thy neighbor’s tools.

10. Thou shalt report all thy findings.

Thou shalt set thy goals

When Peter was a kid, he used to play a game at camp called Capture the Flag. The camp counselors would split all the campers into two teams: one with a red flag and one with a blue flag. The rules were simple: If you were on the blue team, then you tried to find the red flag that the red team had hidden and protected, and vice versa. Despite appearances, this game could get rough — on the order of, say, Australian Rules Football. It was single-minded: Capture the flag. This single-mindedness is similar to the goals of a penetration test, a security test with a defined goal that ends either when the goal is achieved or when time runs out. Getting access to a specific access point is not much different from capturing a flag: Your opponent has hidden it and is protecting it, and you’re trying to circumvent the defenses. Penetration testing is Capture the Flag without the intense physical exercise.

How does ethical hacking relate to penetration testing? Ethical hacking is a form of penetration testing; the term was originally used as a marketing ploy but has come to mean a penetration test of all systems — one where there is more than one goal.

In either case, you have a goal. Your evaluation of the security of a wireless network should seek answers to three basic questions:

What can an intruder see on the target access points or networks?

What can an intruder do with that information?

Does anyone at the target notice the intruder’s attempts — or successes?

You might set a simplistic goal, such as finding unauthorized wireless access points. Or you might set a goal that requires you to obtain information from a system on the wired network. Whatever you choose, you must articulate your goal and communicate it to your sponsors.