This chapter discusses hacking wireless networks. It explains wireless technology and standards such as 802.11. Authentication in wireless networks involves establishing that a user is authorized to use the network. Various wireless hacking tools and the process of "wardriving" are also described.

1. Hands-On EthicalHands-On Ethical
Hacking and NetworkHacking and Network
DefenseDefense
Chapter 11Chapter 11
Hacking Wireless NetworksHacking Wireless Networks
Last revised 10-30-08 5 pm

2. 2
ObjectivesObjectives
 Explain wireless technologyExplain wireless technology
 Describe wireless networking standardsDescribe wireless networking standards
 Describe the process of authenticationDescribe the process of authentication
 Describe wardrivingDescribe wardriving
 Describe wireless hacking and tools usedDescribe wireless hacking and tools used
by hackers and security professionalsby hackers and security professionals

3. 3
Understanding WirelessUnderstanding Wireless
TechnologyTechnology
 For a wireless network to function, youFor a wireless network to function, you
must have the right hardware andmust have the right hardware and
softwaresoftware
 Wireless technology is part of our livesWireless technology is part of our lives
 Baby monitorsBaby monitors
 Cell and cordless phonesCell and cordless phones
 PagersPagers
 GPSGPS
 Remote controlsRemote controls
 Garage door openersGarage door openers
 Two-way radiosTwo-way radios

4. 4
Components of a WirelessComponents of a Wireless
NetworkNetwork
 A wireless network has only three basicA wireless network has only three basic
componentscomponents
 Access Point (AP)Access Point (AP)
 Wireless network interface card (WNIC)Wireless network interface card (WNIC)
 Ethernet cableEthernet cable

5. 5
Access PointsAccess Points
 An access point (AP) is a transceiver thatAn access point (AP) is a transceiver that
connects to an Ethernet cableconnects to an Ethernet cable
 It bridges the wireless network with the wiredIt bridges the wireless network with the wired
networknetwork
 Not all wireless networks connect to a wiredNot all wireless networks connect to a wired
networknetwork
 Most companies have Wireless LANsMost companies have Wireless LANs
(WLANs) that connect to their wired network(WLANs) that connect to their wired network
topologytopology

6. 6
Access PointsAccess Points
 The AP is where channels are configuredThe AP is where channels are configured
 An AP enables users to connect to a LANAn AP enables users to connect to a LAN
using wireless technologyusing wireless technology
 An AP is available only within a defined areaAn AP is available only within a defined area

7. 7
Service Set IdentifiersService Set Identifiers
(SSIDs)(SSIDs)
 Name used to identify the wireless localName used to identify the wireless local
area network (WLAN)area network (WLAN)
 The SSID is configured on the APThe SSID is configured on the AP
 Unique 1- to 32-character alphanumericUnique 1- to 32-character alphanumeric
namename
 Name is case sensitiveName is case sensitive
 Wireless computers need to configureWireless computers need to configure
the SSID before connecting to a wirelessthe SSID before connecting to a wireless
networknetwork

8. 8
Service Set IdentifiersService Set Identifiers
(SSIDs)(SSIDs)
 SSID is transmitted with each packetSSID is transmitted with each packet
 Identifies which network the packet belongsIdentifies which network the packet belongs
 The AP usually broadcasts the SSIDThe AP usually broadcasts the SSID

9. 9
Service Set IdentifiersService Set Identifiers
(SSIDs)(SSIDs)
 Many vendors have SSIDs set to a defaultMany vendors have SSIDs set to a default
value that companies never changevalue that companies never change
 An AP can be configured to not broadcastAn AP can be configured to not broadcast
its SSID until after authenticationits SSID until after authentication
 Wireless hackers can attempt to guess theWireless hackers can attempt to guess the
SSIDSSID
 Verify that your clients or customers areVerify that your clients or customers are
not using a default SSIDnot using a default SSID

10. 10
 See links Ch 11a, bSee links Ch 11a, b

11. 11
Configuring an Access PointConfiguring an Access Point
 Configuring an AP varies depending onConfiguring an AP varies depending on
the hardwarethe hardware
 Most devices allow access through any WebMost devices allow access through any Web
browserbrowser
 Enter IP address on your Web browser andEnter IP address on your Web browser and
provide your user logon name and passwordprovide your user logon name and password

12. 12
Wireless RouterWireless Router
 A wireless router includes an access point,A wireless router includes an access point,
a router, and a switcha router, and a switch

13. 13
Demo: Configuring anDemo: Configuring an
Access PointAccess Point
 Wireless ConfigurationWireless Configuration
OptionsOptions
 SSIDSSID
 Wired EquivalentWired Equivalent
Privacy (WEP)Privacy (WEP)
encryptionencryption
 Changing AdminChanging Admin
PasswordPassword

14. 14
Configuring an Access PointConfiguring an Access Point
 Wireless Configuration OptionsWireless Configuration Options
 SSIDSSID
 Wired Equivalent Privacy (WEP) encryptionWired Equivalent Privacy (WEP) encryption
 WPA (WiFi Protected Access ) is betterWPA (WiFi Protected Access ) is better

15. 15
Configuring an Access PointConfiguring an Access Point
(continued)(continued)
 Steps for configuring a D-Link wirelessSteps for configuring a D-Link wireless
router (continued)router (continued)
 Turn off SSID broadcastTurn off SSID broadcast
 You should also change your SSIDYou should also change your SSID

16. 16

17. 17
Wireless NICsWireless NICs
 For wireless technology to work, eachFor wireless technology to work, each
node or computer must have a wirelessnode or computer must have a wireless
NICNIC
 NIC’s main functionNIC’s main function
 Converting the radio waves it receives intoConverting the radio waves it receives into
digital signals the computer understandsdigital signals the computer understands

18. 18
Wireless NICsWireless NICs
 There are many wireless NICs on theThere are many wireless NICs on the
marketmarket
 Choose yours depending on how you plan toChoose yours depending on how you plan to
use ituse it
 Some tools require certain specific brands ofSome tools require certain specific brands of
NICsNICs

19. 19
Understanding WirelessUnderstanding Wireless
Network StandardsNetwork Standards
 A standard is a set of rules formulated byA standard is a set of rules formulated by
an organizationan organization
 Institute of Electrical and ElectronicsInstitute of Electrical and Electronics
Engineers (IEEE)Engineers (IEEE)
 Defines several standards for wirelessDefines several standards for wireless
networksnetworks

20. 20
IEEE: CCSF Student ChapterIEEE: CCSF Student Chapter
 Next meeting:Next meeting:
 Thurs, Nov 6, 2008 in Sci 37, 5:00 pmThurs, Nov 6, 2008 in Sci 37, 5:00 pm
 EmailEmail sbowne@ccsf.edusbowne@ccsf.edu for more infofor more info

21. 21
IEEE StandardsIEEE Standards
 Standards pass through these groups:Standards pass through these groups:
 Working group (WG)Working group (WG)
 Sponsor Executive Committee (SEC)Sponsor Executive Committee (SEC)
 Standards Review Committee (RevCom)Standards Review Committee (RevCom)
 IEEE Standards BoardIEEE Standards Board
 IEEE Project 802IEEE Project 802
 LAN and WAN standardsLAN and WAN standards

22. 22
The 802.11 StandardThe 802.11 Standard
 The first wireless technology standardThe first wireless technology standard
 Defined wireless connectivity at 1 MbpsDefined wireless connectivity at 1 Mbps
and 2 Mbps within a LANand 2 Mbps within a LAN
 Applied to layers 1 and 2 of the OSI modelApplied to layers 1 and 2 of the OSI model
 Wireless networks cannot detect collisionsWireless networks cannot detect collisions
 Carrier sense multiple access/collisionCarrier sense multiple access/collision
avoidance (CSMA/CA) is used instead ofavoidance (CSMA/CA) is used instead of
CSMA/CDCSMA/CD

23. 23
AddressingAddressing
 Wireless LANs do not have an addressWireless LANs do not have an address
associated with a physical locationassociated with a physical location
 An addressable unit is called a station (STA)An addressable unit is called a station (STA)

24. 24
The Basic Architecture ofThe Basic Architecture of
802.11802.11
 802.11 uses a basic service set (BSS) as802.11 uses a basic service set (BSS) as
its building blockits building block
 Computers within a BSS can communicateComputers within a BSS can communicate
with each otherwith each other

25. 25
The Basic Architecture of 802.11The Basic Architecture of 802.11
 To connectTo connect
two BSSs,two BSSs,
802.11802.11
requires arequires a
distributiondistribution
system (DS)system (DS)

26. 26
Frequency RangeFrequency Range
 In the United States, Wi-Fi usesIn the United States, Wi-Fi uses
frequencies near 2.4 GHzfrequencies near 2.4 GHz
 (Except 802.11a at 5 GHz)(Except 802.11a at 5 GHz)
 There are 11 channels, but they overlap, soThere are 11 channels, but they overlap, so
only three are commonly usedonly three are commonly used
 See link Ch 11c (cisco.com)See link Ch 11c (cisco.com)

27. 27
Infrared (IR)Infrared (IR)
 Infrared light can’t be seen by the human eyeInfrared light can’t be seen by the human eye
 IR technology is restricted to a single room orIR technology is restricted to a single room or
line of sightline of sight
 IR light cannot penetrate walls, ceilings, or floorsIR light cannot penetrate walls, ceilings, or floors
 Image: IR transmitter for wireless headphonesImage: IR transmitter for wireless headphones

28. 28
IEEE Additional 802.11IEEE Additional 802.11
ProjectsProjects
 802.11a802.11a
 Created in 1999Created in 1999
 Operating frequency 5 GHzOperating frequency 5 GHz
 Throughput 54 MbpsThroughput 54 Mbps

29. 29
IEEE Additional 802.11IEEE Additional 802.11
Projects (continued)Projects (continued)
 802.11b802.11b
 Operates in the 2.4 GHz rangeOperates in the 2.4 GHz range
 Throughput 11 MbpsThroughput 11 Mbps
 Also referred as Wi-Fi (wireless fidelity)Also referred as Wi-Fi (wireless fidelity)
 Allows for 11 channels to prevent overlappingAllows for 11 channels to prevent overlapping
signalssignals
 Effectively only three channels (1, 6, and 11) canEffectively only three channels (1, 6, and 11) can
be used in combination without overlappingbe used in combination without overlapping
 Introduced Wired Equivalent Privacy (WEP)Introduced Wired Equivalent Privacy (WEP)

30. 30
IEEE Additional 802.11IEEE Additional 802.11
Projects (continued)Projects (continued)
 802.11e802.11e
 It has improvements to address the problemIt has improvements to address the problem
of interferenceof interference
 When interference is detected, signals can jump toWhen interference is detected, signals can jump to
another frequency more quicklyanother frequency more quickly
 802.11g802.11g
 Operates in the 2.4 GHz rangeOperates in the 2.4 GHz range
 Throughput increased from 11 Mbps to 54Throughput increased from 11 Mbps to 54
MbpsMbps

31. 31
IEEE Additional 802.11IEEE Additional 802.11
Projects (continued)Projects (continued)
 802.11i802.11i
 Introduced Wi-Fi Protected Access (WPA)Introduced Wi-Fi Protected Access (WPA)
 Corrected many of the security vulnerabilitiesCorrected many of the security vulnerabilities
of 802.11bof 802.11b
 802.11n (draft)802.11n (draft)
 Will be finalized in Dec 2009Will be finalized in Dec 2009
 Speeds up to 300 MbpsSpeeds up to 300 Mbps
 Aerohive AP runs at 264 Mbps nowAerohive AP runs at 264 Mbps now
 Links Ch 11zc, Ch 11zdLinks Ch 11zc, Ch 11zd

32. 32
IEEE Additional 802.11IEEE Additional 802.11
Projects (continued)Projects (continued)
 802.15802.15
 Addresses networkingAddresses networking
devices within onedevices within one
person’s workspaceperson’s workspace
 Called wirelessCalled wireless
personal area networkpersonal area network
(WPAN)(WPAN)
 Bluetooth is one of sixBluetooth is one of six
802.15 standards802.15 standards
 Image fromImage from
ubergizmo.comubergizmo.com

33. 33
IEEE Additional 802.11IEEE Additional 802.11
Projects (continued)Projects (continued)
 BluetoothBluetooth
 Defines a method for interconnecting portableDefines a method for interconnecting portable
devices without wiresdevices without wires
 Maximum distance allowed is 10 metersMaximum distance allowed is 10 meters
 It uses the 2.45 GHz frequency bandIt uses the 2.45 GHz frequency band
 Throughput of up to 2.1 Mbps for BluetoothThroughput of up to 2.1 Mbps for Bluetooth
2.02.0
 Note: the speed value of 12 Mbps in your book andNote: the speed value of 12 Mbps in your book and
the lecture notes is wrongthe lecture notes is wrong
 Link Ch 11zgLink Ch 11zg

34. 34
IEEE Additional 802.11IEEE Additional 802.11
Projects (continued)Projects (continued)
 802.16 (also called WIMAX)802.16 (also called WIMAX)
 Addresses the issue of wireless metropolitanAddresses the issue of wireless metropolitan
area networks (MANs)area networks (MANs)
 Defines the WirelessMAN Air InterfaceDefines the WirelessMAN Air Interface
 Range of up to 30 milesRange of up to 30 miles
 Throughput of up to 120 MbpsThroughput of up to 120 Mbps
 802.20802.20
 Addresses wireless MANs for mobile usersAddresses wireless MANs for mobile users
who are sitting in trains, subways, or carswho are sitting in trains, subways, or cars
traveling at speeds up to 150 miles per hourtraveling at speeds up to 150 miles per hour

35. 35
IEEE Additional 802.11IEEE Additional 802.11
Projects (continued)Projects (continued)
 BluetoothBluetooth
 Defines a method for interconnecting portableDefines a method for interconnecting portable
devices without wiresdevices without wires
 Maximum distance allowed is 10 metersMaximum distance allowed is 10 meters
 It uses the 2.45 GHz frequency bandIt uses the 2.45 GHz frequency band
 Throughput of up to 12 MbpsThroughput of up to 12 Mbps
 HiperLAN2HiperLAN2
 European WLAN standardEuropean WLAN standard
 It is not compatible with 802.11 standardsIt is not compatible with 802.11 standards

36. 36
2.1 Mbps

37. 37
Understanding AuthenticationUnderstanding Authentication
 Wireless technology brings new securityWireless technology brings new security
risks to a networkrisks to a network
 AuthenticationAuthentication
 Establishing that a user is authentic—Establishing that a user is authentic—
authorized to use the networkauthorized to use the network
 If authentication fails, anyone in radio rangeIf authentication fails, anyone in radio range
can use your networkcan use your network

38. 38
The 802.1X StandardThe 802.1X Standard
 Defines the process of authenticating andDefines the process of authenticating and
authorizing users on a WLANauthorizing users on a WLAN
 Basic conceptsBasic concepts
 Point-to-Point Protocol (PPP)Point-to-Point Protocol (PPP)
 Extensible Authentication Protocol (EAP)Extensible Authentication Protocol (EAP)
 Wired Equivalent Privacy (WEP)Wired Equivalent Privacy (WEP)
 Wi-Fi Protected Access (WPA)Wi-Fi Protected Access (WPA)

39. 39
Point-to-Point Protocol (PPP)Point-to-Point Protocol (PPP)
 Many ISPs use PPP to connect dial-up orMany ISPs use PPP to connect dial-up or
DSL usersDSL users
 PPP handles authentication with a userPPP handles authentication with a user
name and password, sent with PAP orname and password, sent with PAP or
CHAPCHAP
 PAP (Password Authentication Protocol)PAP (Password Authentication Protocol)
sends passwords unencryptedsends passwords unencrypted
 Vulnerable to trivial sniffing attacksVulnerable to trivial sniffing attacks
 See link Ch 11fSee link Ch 11f

40. 40
CHAP VulnerabilityCHAP Vulnerability
 CHAP (Challenge-HandshakeCHAP (Challenge-Handshake
Authentication Protocol)Authentication Protocol)
 Server sends a Challenge with a randomServer sends a Challenge with a random
valuevalue
 Client sends a Response, hashing theClient sends a Response, hashing the
random value with the secret passwordrandom value with the secret password
 This is still vulnerable to a sort of sessionThis is still vulnerable to a sort of session
hijacking attack (see links Ch 11e)hijacking attack (see links Ch 11e)

41. 41
Extensible AuthenticationExtensible Authentication
Protocol (EAP)Protocol (EAP)
 EAP is an enhancement to PPPEAP is an enhancement to PPP
 Allows a company to select itsAllows a company to select its
authentication methodauthentication method
 CertificatesCertificates
 KerberosKerberos
 Kerberos is used on LANs for authenticationKerberos is used on LANs for authentication
 Uses Tickets and KeysUses Tickets and Keys
 Used by Windows 2000, XP, and 2003 Server byUsed by Windows 2000, XP, and 2003 Server by
defaultdefault
 Not common on WLANS (I think)Not common on WLANS (I think)

42. 42
X.509 CertificateX.509 Certificate
 Record that authenticates networkRecord that authenticates network
entitiesentities
 IdentifiesIdentifies
 The ownerThe owner
 The certificate authority (CA)The certificate authority (CA)
 The owner’s public keyThe owner’s public key
 See link Ch 11jSee link Ch 11j

43. 43
Sample X.509 CertificateSample X.509 Certificate
 Go to gmail.comGo to gmail.com
 Double-click the padlockDouble-click the padlock

44. 44
Public KeyPublic Key
 Your browserYour browser
uses theuses the
Public Key toPublic Key to
encrypt dataencrypt data
so only Gmailso only Gmail
can read itcan read it

45. 45
LEAPLEAP
 Lightweight ExtensibleLightweight Extensible
Authentication ProtocolAuthentication Protocol
(LEAP)(LEAP)
 A Cisco productA Cisco product
 Vulnerable, but Cisco didn’t careVulnerable, but Cisco didn’t care
 Joshua Wright wrote the ASLEAP hackingJoshua Wright wrote the ASLEAP hacking
tool to crack LEAP, and forced Cisco totool to crack LEAP, and forced Cisco to
develop a better protocoldevelop a better protocol
 See link Ch 11gSee link Ch 11g

46. 46
More Secure EAP MethodsMore Secure EAP Methods
 Extensible Authentication Protocol-Extensible Authentication Protocol-
Transport Layer Security (EAP-TLS)Transport Layer Security (EAP-TLS)
 Secure but rarely used, because both clientSecure but rarely used, because both client
and server need certificates signed by a CAand server need certificates signed by a CA
 Protected EAP (PEAP) and MicrosoftProtected EAP (PEAP) and Microsoft
PEAPPEAP
 Very secure, only requires server to have aVery secure, only requires server to have a
certificate signed by a CAcertificate signed by a CA
 See link Ch 11hSee link Ch 11h

47. 47
802.1X components802.1X components
 SupplicantSupplicant
 The user accessing a WLANThe user accessing a WLAN
 AuthenticatorAuthenticator
 The APThe AP
 Authentication serverAuthentication server
 Checks an account database to see if user’sChecks an account database to see if user’s
credentials are acceptablecredentials are acceptable
 May use RADIUS (Remote Access Dial-In UserMay use RADIUS (Remote Access Dial-In User
Service)Service)
 See link Ch 11kSee link Ch 11k

48. 48

49. 49
Wired Equivalent PrivacyWired Equivalent Privacy
(WEP)(WEP)
 Part of the 802.11b standardPart of the 802.11b standard
 Encrypts data on a wireless networkEncrypts data on a wireless network
 WEP has many vulnerabilitiesWEP has many vulnerabilities
 To crack WEP, see links Ch 11l, 11mTo crack WEP, see links Ch 11l, 11m

50. 50
Wi-Fi Protected AccessWi-Fi Protected Access
(WPA)(WPA)
 Specified in the 802.11i standardSpecified in the 802.11i standard
 Replaces WEPReplaces WEP
 WPA improves encryption by usingWPA improves encryption by using
Temporal Key Integrity Protocol (TKIP)Temporal Key Integrity Protocol (TKIP)

51. 51
TKIP EnhancementsTKIP Enhancements
 Message Integrity Check (MIC)Message Integrity Check (MIC)
 Prevent attacker from injecting forged packetsPrevent attacker from injecting forged packets
 Extended Initialization Vector (IV) withExtended Initialization Vector (IV) with
sequencing rulessequencing rules
 Prevent replays (attacker re-sending copiedPrevent replays (attacker re-sending copied
packets)packets)

52. 52
TKIP EnhancementsTKIP Enhancements
 Per-packet key mixingPer-packet key mixing
 MAC addresses are used to create a keyMAC addresses are used to create a key
 Each link uses a different keyEach link uses a different key
 Rekeying mechanismRekeying mechanism
 Provides fresh keysProvides fresh keys
 Prevents attackers from reusing old keysPrevents attackers from reusing old keys

53. 53
WPA Adds 802.1xWPA Adds 802.1x
 WPA also adds an authenticationWPA also adds an authentication
mechanism implementing 802.1X andmechanism implementing 802.1X and
EAPEAP
 This was not available in WEPThis was not available in WEP

54. 54
Understanding WardrivingUnderstanding Wardriving
 Hackers use wardrivingHackers use wardriving
 Finding insecure access pointsFinding insecure access points
 Using a laptop or palmtop computerUsing a laptop or palmtop computer
 Wardriving is not illegalWardriving is not illegal
 But using the resources of these networks isBut using the resources of these networks is
illegalillegal
 WarflyingWarflying
 Variant where an airplane is used instead of aVariant where an airplane is used instead of a
carcar

55. 55
How It WorksHow It Works
 An attacker or security tester simply drivesAn attacker or security tester simply drives
around with the following equipmentaround with the following equipment
 Laptop computerLaptop computer
 Wireless NICWireless NIC
 An antennaAn antenna
 Software that scans the area for SSIDsSoftware that scans the area for SSIDs
 Not all wireless NICs are compatible withNot all wireless NICs are compatible with
scanning programsscanning programs
 Antenna prices vary depending on theAntenna prices vary depending on the
quality and the range they can coverquality and the range they can cover

56. 56
How It Works (continued)How It Works (continued)
 Scanning software can identifyScanning software can identify
 The company’s SSIDThe company’s SSID
 The type of security enabledThe type of security enabled
 The signal strengthThe signal strength
 Indicating how close the AP is to the attackerIndicating how close the AP is to the attacker

57. 57
Demo: VistaStumblerDemo: VistaStumbler
 Link Ch 11zeLink Ch 11ze

58. 58
NetStumblerNetStumbler
 Shareware tool written for Windows thatShareware tool written for Windows that
enables you to detect WLANsenables you to detect WLANs
 Supports 802.11a, 802.11b, and 802.11gSupports 802.11a, 802.11b, and 802.11g
standardsstandards
 NetStumbler was primarily designed toNetStumbler was primarily designed to
 Verify your WLAN configurationVerify your WLAN configuration
 Detect other wireless networksDetect other wireless networks
 Detect unauthorized APsDetect unauthorized APs

59. 59
NetStumblerNetStumbler
 NetStumbler is capable of interface with aNetStumbler is capable of interface with a
GPSGPS
 Enabling a security tester or hacker to mapEnabling a security tester or hacker to map
out locations of all the WLANs the softwareout locations of all the WLANs the software
detectsdetects

60. 60
NetStumblerNetStumbler
 NetStumbler logs the following informationNetStumbler logs the following information
 SSIDSSID
 MAC address and Manufacturer of the APMAC address and Manufacturer of the AP
 ChannelChannel
 Signal StrengthSignal Strength
 EncryptionEncryption
 Can detect APs within a 350-foot radiusCan detect APs within a 350-foot radius
 With a good antenna, they can locate APs aWith a good antenna, they can locate APs a
couple of miles awaycouple of miles away

61. 61

62. 62

63. 63
KismetKismet
 Another product for conducting wardrivingAnother product for conducting wardriving
attacksattacks
 Runs on Linux, BSD, MAC OS X, andRuns on Linux, BSD, MAC OS X, and
Linux PDAsLinux PDAs
 Kismet is advertised also as a sniffer andKismet is advertised also as a sniffer and
IDSIDS
 Kismet can sniff 802.11b, 802.11a, andKismet can sniff 802.11b, 802.11a, and
802.11g traffic802.11g traffic

64. 64
Kismet featuresKismet features
 Ethereal- and Tcpdump-compatible dataEthereal- and Tcpdump-compatible data
logginglogging
 AirSnort compatibleAirSnort compatible
 Network IP range detectionNetwork IP range detection

65. 65
Kismet features (continued)Kismet features (continued)
 Hidden network SSID detectionHidden network SSID detection
 Graphical mapping of networksGraphical mapping of networks
 Client-server architectureClient-server architecture
 Manufacturer and model identification of APsManufacturer and model identification of APs
and clientsand clients
 Detection of known default access pointDetection of known default access point
configurationsconfigurations
 XML outputXML output
 Supports 20 card typesSupports 20 card types

66. 66
Understanding WirelessUnderstanding Wireless
HackingHacking
 Hacking a wireless network is not muchHacking a wireless network is not much
different from hacking a wired LANdifferent from hacking a wired LAN
 Techniques for hacking wireless networksTechniques for hacking wireless networks
 Port scanningPort scanning
 EnumerationEnumeration

67. 67
Tools of the TradeTools of the Trade
 EquipmentEquipment
 Laptop computerLaptop computer
 A wireless NICA wireless NIC
 An antennaAn antenna
 Sniffer softwareSniffer software

68. 68
AirSnortAirSnort
 Created by Jeremy Bruestle and BlakeCreated by Jeremy Bruestle and Blake
HegerleHegerle
 It is the tool most hackers wanting toIt is the tool most hackers wanting to
access WEP-enabled WLANs useaccess WEP-enabled WLANs use
 AirSnort limitationsAirSnort limitations
 Runs on either Linux or Windows (textbook isRuns on either Linux or Windows (textbook is
wrong)wrong)
 Requires specific driversRequires specific drivers
 Not all wireless NICs function with AirSnortNot all wireless NICs function with AirSnort
 See links Ch 11p, 11qSee links Ch 11p, 11q

69. 69
WEPCrackWEPCrack
 Another open-source tool used to crackAnother open-source tool used to crack
WEP encryptionWEP encryption
 WEPCrack was released about a week beforeWEPCrack was released about a week before
AirSnortAirSnort
 It also works on *NIX systemsIt also works on *NIX systems
 WEPCrack uses Perl scripts to carry outWEPCrack uses Perl scripts to carry out
attacks on wireless systemsattacks on wireless systems
 AirSnort is considered better (link Ch 11r)AirSnort is considered better (link Ch 11r)

70. 70
Countermeasures forCountermeasures for
Wireless AttacksWireless Attacks
 Anti-wardriving software makes it moreAnti-wardriving software makes it more
difficult for attackers to discover yourdifficult for attackers to discover your
wireless LANwireless LAN
 HoneypotsHoneypots
 Servers with fake data to snare intrudersServers with fake data to snare intruders
 Fakeap and Black Alchemy Fake APFakeap and Black Alchemy Fake AP
 Software that makes fake Access PointsSoftware that makes fake Access Points
 Link Ch 11sLink Ch 11s

71. 71
Countermeasures forCountermeasures for
Wireless AttacksWireless Attacks
 Use special paint to stop radio fromUse special paint to stop radio from
escaping your buildingescaping your building
 Allow only predetermined MAC addressesAllow only predetermined MAC addresses
and IP addresses to have access to theand IP addresses to have access to the
wireless LANwireless LAN
 Use an authentication server instead ofUse an authentication server instead of
relying on a wireless device torelying on a wireless device to
authenticate usersauthenticate users

72. 72
Countermeasures forCountermeasures for
Wireless AttacksWireless Attacks
 Use an EAP authentication protocolUse an EAP authentication protocol
 If you use WEP, use 104-bit encryptionIf you use WEP, use 104-bit encryption
rather than 40-bit encryptionrather than 40-bit encryption
 But just use WPA insteadBut just use WPA instead
 Assign static IP addresses to wirelessAssign static IP addresses to wireless
clients instead of using DHCPclients instead of using DHCP
 Don’t broadcast the SSIDDon’t broadcast the SSID

73. 73
Countermeasures forCountermeasures for
Wireless AttacksWireless Attacks
 Place the AP in the demilitarized zonePlace the AP in the demilitarized zone
(DMZ)(DMZ) (image from wikipedia)(image from wikipedia)

74. 74
Demo: Defeating MACDemo: Defeating MAC
Address FilteringAddress Filtering
 Link Ch 11zfLink Ch 11zf