Hacking Wireless Networks For Dummies

100 Part II: Getting Rolling with Common Wi-Fi Hacks

MAC addresses of the hosts found

Services or applications that the hosts may be running

Unauthorized hosts or applications

The big-picture view from port scanners often uncovers security issues that may otherwise go unnoticed. Port scanners are easy to use and can test systems regardless of what operating systems and applications are running. The tests can be performed very quickly without having to touch individual network hosts, which would be a real pain otherwise.

A good way to get a quick overview of which systems are alive and kicking on the network is to perform a ping sweep. A ping sweep is when you send out ping requests (that is, ICMP echo requests) and see if echo replies are received back. Free port scanner programs such as Foundstone’s SuperScan (www.foundstone.com/resources/proddesc/superscan.htm) and SoftPerfect’s Network Scanner (www.softperfect.com/products/networkscanner), as shown in Figure 7-1, often have ping sweep capabilities built in, and are all you need to get started.

Figure 7-1: Using SoftPerfect’s Network Scanner to find live wireless hosts.

Network Scanner also performs ARP lookups and displays each host’s MAC address. This capability is especially handy when testing wireless network security — practically every other tool refers to wireless hosts by their MAC address (or BSSID). The MAC address enables you to easily match up systems you find using NetStumbler, Kismet, or your favorite wireless sniffer with their actual hostnames and IP addresses without having to perform cumbersome reverse-ARP lookups.
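The matching described above, joining the MAC/BSSID list from a wireless discovery tool with the MAC, IP and hostname columns an ARP-aware sweep produces, is shown here as an added example. It is not code from the book or from Network Scanner, NetStumbler or Kismet; both inventories are constructed, and the record keys (mac, ssid, ip, hostname) are an assumed export layout.

```python
"""Join a wireless discovery tool's host list (keyed by MAC/BSSID) with a
network scanner's ARP results (MAC, IP, hostname) so each wireless station
can be named without reverse-ARP lookups by hand. Added example, not from
the book or from either tool; both inventories below are constructed."""
import re


def normalize_mac(mac):
    """Accept 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc or 001122aabbcc (the
    formats different tools print) and return lower-case colon form.
    Raises ValueError when the input is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def correlate(wireless_hosts, scanner_hosts):
    """wireless_hosts: records with 'mac' (and optionally 'ssid') as a
    NetStumbler/Kismet-style export would give. scanner_hosts: records
    with 'mac', 'ip', 'hostname' as an ARP-aware sweep gives.
    Returns (matched, unmatched): matched rows carry both sides; unmatched
    are wireless MACs the sweep never saw (off the IP subnet, powered down,
    or simply not yours), which deserve a second look."""
    by_mac = {normalize_mac(s["mac"]): s for s in scanner_hosts}
    matched, unmatched = [], []
    for w in wireless_hosts:
        key = normalize_mac(w["mac"])
        if key in by_mac:
            s = by_mac[key]
            matched.append({"mac": key, "ssid": w.get("ssid"),
                            "ip": s["ip"], "hostname": s["hostname"]})
        else:
            unmatched.append({"mac": key, "ssid": w.get("ssid")})
    return matched, unmatched


# Constructed sample inventories (not real captures).
WIRELESS_HOSTS = [
    {"mac": "00-02-2D-11-22-33", "ssid": "corp-wlan"},   # dashes, upper case
    {"mac": "00:02:2d:44:55:66", "ssid": "corp-wlan"},
    {"mac": "000c41778899", "ssid": "linksys"},          # bare hex, unknown AP
]
SCANNER_HOSTS = [
    {"mac": "00:02:2d:11:22:33", "ip": "10.11.12.154", "hostname": "ap-lobby"},
    {"mac": "00:02:2d:44:55:66", "ip": "10.11.12.20", "hostname": "laptop-kb"},
]

if __name__ == "__main__":
    matched, unmatched = correlate(WIRELESS_HOSTS, SCANNER_HOSTS)
    for m in matched:
        print(f"{m['mac']}  {m['ip']:<14} {m['hostname']:<12} ssid={m['ssid']}")
    for u in unmatched:
        print(f"{u['mac']}  no IP/hostname from sweep   ssid={u['ssid']}")
```

The normalization step matters more than it looks: tools disagree on separators and case, and a naive string comparison silently reports every host as unmatched. The unmatched list is the useful output for an audit, since a BSSID on the air with no corresponding IP record is either a client outside the sweep's range or an access point nobody in the inventory owns.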

Looking for open ports to see what’s listening and running on each system is also important. SuperScan is a great tool to use for this because it’s easy to use, and it’s free! Kevin’s partial to SuperScan version 3, as shown in Figure 7-2, because he’s been using it for so long, and it simply works.

Chapter 7: Hacking Wireless Clients 101

Figure 7-2: Using Foundstone’s SuperScan to probe wireless systems for open ports.

When performing your network scans, be sure to look for commonly hacked ports, such as those in Table 7-1. Hackers look for these ports, too.

Table 7-1 Commonly Hacked Wireless Network Ports

Port Numbers     Service                                               Protocols
20               FTP data (File Transfer Protocol)                     TCP
21               FTP control                                           TCP
22               SSH                                                   TCP
23               Telnet                                                TCP
25               SMTP (Simple Mail Transfer Protocol)                  TCP
53               DNS (Domain Name System)                              UDP
80               HTTP (HyperText Transfer Protocol)                    TCP
110              POP3 (Post Office Protocol version 3)                 TCP
135              RPC/DCE end point mapper for Microsoft networks       TCP, UDP
137, 138, 139    NetBIOS over TCP/IP                                   TCP, UDP
161              SNMP (Simple Network Management Protocol)             TCP, UDP
443              HTTPS (HTTP over SSL)                                 TCP
512, 513, 514    Berkeley r commands (such as rsh, rexec, and rlogin)  TCP
1433             Microsoft SQL Server                                  TCP, UDP
1434             Microsoft SQL Monitor                                 TCP, UDP
3389             Windows Terminal Server                               TCP

Notice in Figure 7-2 that TCP port 22 (SSH) is open on host 10.11.12.154, which is the access point (AP) on the network. To find out if it’s an AP, you can run a NetStumbler, Wellenreiter, or another wireless discovery tool and match the MAC address found there with what Network Scanner finds.

After performing a generic sweep of the network, you can dig deeper into specific hosts you’ve found. Hmmmm — perhaps a few SSH login attempts on the AP in Figure 7-2 above could get us somewhere?
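The sweep-then-inspect workflow of this section (probe the Table 7-1 ports on each live host, then decide which open services are actually supposed to be there) is shown below as an added example. It is not code from the book or from SuperScan; it uses a plain TCP connect probe, the baseline of authorized ports per host is an assumption you would fill from your own inventory, and the findings in the test are constructed. Run it only against hosts you are authorized to test.

```python
"""Connect-scan the TCP ports of Table 7-1 on a host list, then compare what
is open with an authorized-service baseline so unauthorized hosts and
services stand out. Added example, not code from the book or from SuperScan;
the baseline and the sample findings below are constructed."""
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP entries of Table 7-1. UDP-only ports (DNS/53, NetBIOS 137/138) are
# left out because a connect scan only exercises TCP.
COMMONLY_HACKED_TCP = {
    20: "FTP data", 21: "FTP control", 22: "SSH", 23: "Telnet", 25: "SMTP",
    80: "HTTP", 110: "POP3", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    161: "SNMP", 443: "HTTPS", 512: "rexec", 513: "rlogin", 514: "rsh",
    1433: "MS SQL Server", 1434: "MS SQL Monitor", 3389: "Terminal Server",
}


def tcp_port_open(host, port, timeout=0.5):
    """True when the TCP handshake completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_host(host, ports=None, timeout=0.5, workers=16):
    """Probe the given ports (default: Table 7-1) concurrently; returns the
    sorted list of open ports."""
    ports = list(ports if ports is not None else COMMONLY_HACKED_TCP)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: tcp_port_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


def unauthorized_services(findings, baseline):
    """findings: {host: [open ports]} from scan_host; baseline: {host: set of
    ports that are supposed to be open}. Returns (host, port, description)
    tuples: one per open port the baseline does not allow, plus a port=None
    entry for any host the baseline does not know at all."""
    issues = []
    for host, open_ports in sorted(findings.items()):
        allowed = baseline.get(host)
        if allowed is None:
            issues.append((host, None, "host not in inventory"))
            allowed = set()
        for port in open_ports:
            if port not in allowed:
                issues.append((host, port, COMMONLY_HACKED_TCP.get(port, "unlisted service")))
    return issues


if __name__ == "__main__":
    # Constructed baseline: the AP is expected to expose SSH and HTTPS only.
    baseline = {"10.11.12.154": {22, 443}}
    findings = {h: scan_host(h) for h in baseline}
    for host, port, what in unauthorized_services(findings, baseline):
        print(f"{host}: port {port} ({what}) is open but not authorized")
```

A host that answers on a port the baseline does not list is the "unauthorized application" case from the start of this section; a host that is not in the baseline at all is the "unauthorized host" case, and it is reported before its ports so it is not mistaken for a known system with a stray service.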

Using VPNMonitor

A common security measure used to protect wireless data in transit — above and beyond WEP — is to use a Virtual Private Network (VPN). If you installed or manage the VPNs in your organization, you probably know which clients are using them. Then again, if your network is fairly complex, you may not. A free tool you can use to discover whether or not VPNs are being used where they’re supposed to be — and thus, whether or not policy is being adhered to — is VPNMonitor (http://sourceforge.net/projects/vpnmonitor).

VPNMonitor sniffs the network and looks for specific signatures belonging to IPsec, PPTP, SSH, and HTTPS traffic. Figure 7-3 shows a basic capture of some VPN traffic, including an SSH connection to the AP at 10.11.12.154, which is denoted by a red line in VPNMonitor.


Figure 7-3: Using VPNMonitor to look for VPN traffic on the network.

Wireless networks use a shared communications medium, so it’s trivial to capture this type of traffic off the airwaves. However, if you’d like to use VPNMonitor to check for VPN traffic going across your wired network, you can either plug in to a monitor or span port on an Ethernet switch or use a tool such as Ettercap to perform ARP poisoning to make your switch(es) act like a hub. Just be careful because a tool such as Ettercap can take your entire network down if your switch is overly sensitive to ARP poisoning. We cover Ettercap and ARP poisoning in Chapter 12.
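The kind of check VPNMonitor performs (recognize IPsec, PPTP, SSH and HTTPS from protocol numbers, ports and the first bytes on the wire, then see whether the clients that are supposed to use a VPN actually do) is shown here as an added example. It is not VPNMonitor's code or from the book; the signature rules are the standard protocol fingerprints, and the flow records and the list of VPN-required clients are constructed.

```python
"""Classify captured flows as IPsec, PPTP, SSH or HTTPS by IP protocol,
port and first-bytes signature, then flag clients that are required to use
a VPN but send anything else in the clear. Added example, not VPNMonitor's
code; the flow records and the policy list are constructed."""

IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
IP_PROTO_GRE, IP_PROTO_ESP, IP_PROTO_AH = 47, 50, 51


def classify_flow(flow):
    """flow: {'proto': IP protocol number, 'dport': destination port or None,
    'payload': first client bytes (may be empty)}. Returns 'IPsec', 'PPTP',
    'SSH', 'HTTPS' or None for anything that carries no such signature."""
    proto, dport = flow["proto"], flow.get("dport")
    payload = flow.get("payload", b"")
    if proto in (IP_PROTO_ESP, IP_PROTO_AH):
        return "IPsec"                       # encapsulated IPsec traffic
    if proto == IP_PROTO_UDP and dport in (500, 4500):
        return "IPsec"                       # IKE key exchange / NAT-T
    if proto == IP_PROTO_GRE or (proto == IP_PROTO_TCP and dport == 1723):
        return "PPTP"                        # GRE tunnel / PPTP control
    if proto == IP_PROTO_TCP:
        # Payload signatures win over port numbers, so SSH on 2222 or HTTPS
        # on 8443 is still recognised, and plain HTTP on 443 is not.
        if payload.startswith(b"SSH-"):
            return "SSH"                     # SSH version banner
        if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
            return "HTTPS"                   # TLS handshake record header
        if not payload and dport in (22, 443):
            return {22: "SSH", 443: "HTTPS"}[dport]
    return None


def policy_violations(flows, vpn_required):
    """Return (src, dst, dport) for every flow from a client in vpn_required
    that classify_flow does not recognise as protected traffic."""
    return [(f["src"], f["dst"], f.get("dport"))
            for f in flows
            if f["src"] in vpn_required and classify_flow(f) is None]


# Constructed flows standing in for a capture off the air.
FLOWS = [
    {"src": "10.11.12.20", "dst": "10.11.12.154", "proto": IP_PROTO_TCP, "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_3.9p1\r\n"},
    {"src": "10.11.12.21", "dst": "10.11.12.1", "proto": IP_PROTO_UDP, "dport": 500,
     "payload": b"\x00" * 8},
    {"src": "10.11.12.21", "dst": "10.11.12.1", "proto": IP_PROTO_ESP, "dport": None,
     "payload": b""},
    {"src": "10.11.12.22", "dst": "10.11.12.1", "proto": IP_PROTO_TCP, "dport": 1723,
     "payload": b""},
    {"src": "10.11.12.23", "dst": "10.11.12.30", "proto": IP_PROTO_TCP, "dport": 8443,
     "payload": b"\x16\x03\x01\x00\xc8\x01"},
    {"src": "10.11.12.23", "dst": "10.11.12.30", "proto": IP_PROTO_TCP, "dport": 80,
     "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "10.11.12.24", "dst": "10.11.12.30", "proto": IP_PROTO_TCP, "dport": 23,
     "payload": b"\xff\xfd\x18"},
]
VPN_REQUIRED = {"10.11.12.21", "10.11.12.22", "10.11.12.23"}

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f['src']:<13} -> {f['dst']:<13} {classify_flow(f) or 'plaintext/other'}")
    for src, dst, dport in policy_violations(FLOWS, VPN_REQUIRED):
        print(f"POLICY: {src} sent unprotected traffic to {dst}:{dport}")
```

Classifying by payload before port is what makes the policy check honest: a client that tunnels HTTP through port 443 without TLS is still sending cleartext, and a client on a VPN-required list that talks plain HTTP to an internal server (the 10.11.12.23 flow above) is exactly the policy deviation the text describes.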

Looking for General Client Vulnerabilities

After you find out which wireless systems are alive on your network, you can take your testing a step further and see which vulnerabilities really stand out. There are various freeware, open source, and commercial tools to help you along with your efforts, including:

LanSpy (www.lantricks.com): LanSpy is a Windows-based freeware tool for enumerating Windows systems.

Amap (http://thc.org/thc-amap): Amap is an open source Linux- and Windows-based application mapping tool.

Nessus (www.nessus.org): This is an open source network and OS vulnerability-assessment tool that runs on Linux and Windows.

GFI LANguard Network Security Scanner (www.gfi.com/lannetscan): This is a Windows-based commercial tool for performing network and OS vulnerability assessments.

QualysGuard (www.qualys.com): QualysGuard is an application service provider-based commercial tool for performing network and OS vulnerability assessments.


Keep in mind that you’ll need more than one security-testing tool. No single tool can do everything.

The presence of these vulnerabilities is why it’s so important to run personal firewall and IPS software, such as BlackICE for Windows (http://blackice.iss.net) and GNOME-Lokkit (www.gnome.org) for Linux systems.

Again, we want to remind you that the tests and vulnerabilities we outline here are just the tip of the iceberg, so check out Hacking For Dummies for more details.

Common AP weaknesses

Your wireless APs are wireless clients with operating systems and insecure programs just like any other computer. One of the best ways to check for AP vulnerabilities is to use an all-in-one vulnerability-assessment program, such as Nessus, LANguard Network Security Scanner, or QualysGuard. (QualysGuard is shown in Figure 7-4.)

Figure 7-4: Using QualysGuard to dig out vulnerabilities in a Cisco AP.


Notice in Figure 7-4 how the AP contains common vulnerabilities such as:

SNMP issues (Vulnerabilities section)

Weak version of SSH (Potential Vulnerabilities section)

Open UDP and TCP services (Information Gathered section)

SSH banner information (Information Gathered section)

Many of these vulnerabilities are not critical on their own, but they still need to be addressed, because they can lead to further AP and network compromise.

Linux application mapping

When it comes to Linux client security, a common attack is against applications with known security vulnerabilities. These applications include FTP, telnet, sendmail, and Apache. Vulnerabilities in these applications can be determined through application mapping. A nice — and regularly maintained — tool you can use for application mapping is Amap.

Amap is a very fast application scanner that can grab banners that include version information and even can detect applications that are configured to run on nonstandard ports, such as when Apache is running on port 1711 instead of its default 80. The output of an Amap scan run against a local host is shown in Figure 7-5.

Figure 7-5: Using Amap to check application versions.

Notice that SSH, telnet, and FTP servers were discovered. As is the case here, by perusing the support sites of the applications you discover with Amap, you’ll likely find that they’ve been updated with newer versions to fix various security problems.
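What application mapping gives you beyond a port list (the application and its version read from the banner, even when it sits on a port such as 1711, followed by a comparison against the versions you expect) is shown here as an added example. It is not Amap's code or from the book; the banner patterns cover the applications this section names, the sample banners are constructed, and the minimum versions are placeholders to be replaced by your own patch baseline, not a statement about which versions are vulnerable.

```python
"""Identify an application and its version from the banner it sends,
regardless of the port it answers on, then compare against a minimum-version
baseline. Added example, not Amap's code; sample banners are constructed and
MINIMUM_VERSIONS holds placeholders, not vulnerability data."""
import re

DEFAULT_PORTS = {"ssh": 22, "ftp": 21, "telnet": 23, "sendmail": 25, "apache": 80}

# (application, pattern); group 1 is the version where a banner carries one.
BANNER_RULES = [
    ("ssh",      re.compile(r"^SSH-[\d.]+-OpenSSH_([\d.]+\w*)")),
    ("ftp",      re.compile(r"^220[ -].*?(?:vsFTPd|ProFTPD) ([\d.]+\w*)", re.I)),
    ("sendmail", re.compile(r"^220 .*?Sendmail ([\d.]+\w*)")),
    ("apache",   re.compile(r"^HTTP/1\.[01] \d{3}.*?^Server: Apache/([\d.]+\w*)", re.S | re.M)),
    ("telnet",   re.compile(r"^\xff[\xfb-\xfe]")),   # IAC WILL/WONT/DO/DONT negotiation
]


def identify(port, banner):
    """banner: raw bytes received after connecting. Returns a dict with the
    application, its version (None if the banner has none) and whether it
    runs on a port other than its usual one; None if unrecognised."""
    text = banner.decode("latin-1")
    for app, rule in BANNER_RULES:
        m = rule.match(text)
        if m:
            version = m.group(1) if m.groups() else None
            return {"app": app, "version": version, "port": port,
                    "nonstandard_port": port != DEFAULT_PORTS[app]}
    return None


def version_tuple(v):
    """'3.9p1' -> (3, 9); '2.0.52' -> (2, 0, 52). Only the dotted numeric
    prefix is compared; patch-level suffixes such as p1 are ignored."""
    prefix = re.match(r"[\d.]+", v).group(0).strip(".")
    return tuple(int(x) for x in prefix.split("."))


def outdated(findings, minimum):
    """findings: identify() results; minimum: {app: lowest acceptable version}.
    Returns the findings whose reported version is below the minimum."""
    return [f for f in findings
            if f and f["version"] and f["app"] in minimum
            and version_tuple(f["version"]) < version_tuple(minimum[f["app"]])]


# Constructed (port, banner) pairs standing in for what a banner grab returns.
SAMPLE_BANNERS = [
    (22, b"SSH-1.99-OpenSSH_3.9p1\r\n"),
    (21, b"220 (vsFTPd 2.0.1)\r\n"),
    (25, b"220 mail.example.com ESMTP Sendmail 8.12.10/8.12.10; Tue, 1 Mar 2005 09:00:00\r\n"),
    (1711, b"HTTP/1.1 200 OK\r\nDate: Tue, 01 Mar 2005 09:00:00 GMT\r\n"
           b"Server: Apache/2.0.52 (Fedora)\r\n\r\n"),
    (23, b"\xff\xfd\x18\xff\xfd \xff\xfd#"),
]
# Placeholder minimums; substitute the versions your own patch baseline requires.
MINIMUM_VERSIONS = {"ssh": "3.9", "ftp": "2.0.1", "sendmail": "8.13", "apache": "2.0.52"}

if __name__ == "__main__":
    found = [identify(p, b) for p, b in SAMPLE_BANNERS]
    for f in found:
        flag = " (nonstandard port)" if f["nonstandard_port"] else ""
        print(f"{f['port']:>5}  {f['app']:<9} {f['version'] or '-'}{flag}")
    for f in outdated(found, MINIMUM_VERSIONS):
        print(f"UPDATE: {f['app']} {f['version']} on port {f['port']} is below "
              f"{MINIMUM_VERSIONS[f['app']]}")
```

Two details worth noticing: telnet has no version to report, so the rule only establishes that a telnet server is there (which is already a finding), and version comparison is done on numeric tuples rather than strings, because a string comparison would rank "8.9" above "8.12.10".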


Windows null sessions

A well-known vulnerability within Windows can map an anonymous connection (null session) to a hidden share called IPC$ (interprocess communication). This attack method can be used to gather Windows information such as user IDs and share names and even allow an attacker to edit parts of the remote computer’s registry.

Windows XP and Server 2003 don’t allow null session connections by default, but Windows 2000 and NT systems do, so to protect yourself don’t forget to test all your wireless clients.

Mapping

To map a null session, follow these steps for each Windows computer to which you want to map a null session:

1. At a command prompt from your test computer, enter the following command. Format the basic net command like this:

net use \\host_name_or_IP_address\ipc$ "" "/user:"

The net command to map null sessions requires these parameters:

• net (the built-in Windows network command) followed by the use command

• IP address of the system to which you want to map a null connection

• A blank password and username

The blanks are why it’s called a null connection.

2. Press Enter to make the connection.

Figure 7-6 shows an example of the complete command when mapping a null session. After you map the null session, you should see the message

The command completed successfully.

Figure 7-6: Mapping a null session to a Windows 2000 server.


To confirm that the sessions are mapped, enter this command at the command prompt:

net use

As shown in Figure 7-6, you should see the mappings to the IPC$ share on each computer to which you successfully made a null session connection.
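When you repeat this test across many clients, tallying the result by hand from the net use listing gets tedious; the following added example parses that listing and reports the hosts that accepted a null session to IPC$. It is not from the book or from Windows; the sample output is constructed to follow the column layout net use prints, and the parser assumes that layout (status, optional drive letter, UNC path, provider name).

```python
"""Parse the output of 'net use' and list the hosts that currently hold an
IPC$ (null session) mapping, so the result of testing many Windows clients
can be tallied automatically. Added example; SAMPLE_NET_USE_OUTPUT is
constructed to mirror the layout Windows prints."""
import re

SAMPLE_NET_USE_OUTPUT = r"""New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK                     \\10.11.12.20\ipc$        Microsoft Windows Network
OK           Z:        \\fileserver\public       Microsoft Windows Network
Disconnected           \\10.11.12.21\IPC$        Microsoft Windows Network
The command completed successfully.
"""

# status, optional drive letter, UNC remote path, provider/network name
ROW = re.compile(r"^(\S+)\s+(?:([A-Za-z]:)\s+)?(\\\\\S+)\s+(.+?)\s*$")


def parse_net_use(output):
    """Return one dict per table row: status, local (drive or None),
    remote (UNC path), network. Rows start after the dashed separator and
    end at the first line that does not look like a row."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        m = ROW.match(line)
        if not m:
            break          # "The command completed successfully." ends the table
        status, local, remote, network = m.groups()
        rows.append({"status": status, "local": local,
                     "remote": remote, "network": network})
    return rows


def null_session_hosts(rows):
    """Hosts with a live (status OK) mapping to IPC$: the systems that
    accepted the blank-credential connection and therefore need the
    null-session restriction verified. Disconnected mappings are ignored."""
    hosts = []
    for r in rows:
        server, _, share = r["remote"][2:].partition("\\")
        if r["status"] == "OK" and share.lower() == "ipc$":
            hosts.append(server)
    return hosts


if __name__ == "__main__":
    rows = parse_net_use(SAMPLE_NET_USE_OUTPUT)
    for host in null_session_hosts(rows):
        print(f"{host}: null session to IPC$ accepted")
```

On a real run you would feed the parser the captured output of net use instead of the sample string; the share comparison is case-insensitive because Windows prints IPC$ in whichever case it was typed.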

Gleaning information

With a null session connection, you can use other utilities to remotely gather critical Windows information. Dozens of tools can gather this type of information. You — like a hacker — can take the output of these enumeration programs and attempt, as an unauthorized user would, to glean information in the following ways:

Cracking the passwords of the users found. Be sure to check out Hacking For Dummies for a detailed look at password attacks. This chapter can also be downloaded for free at http://searchsecurity.techtarget.com/searchSecurity/downloads/HackingforDummiesCh07.pdf.

Mapping drives to the network shares to gain access to files, databases, and more.

You can use Foundstone’s SuperScan version 4 to perform automated null session connections and Windows system enumeration as shown in Figure 7-7.

Foundstone’s SuperScan version 4 can be found at www.foundstone.com/resources/proddesc/superscan.htm.

Keep in mind that Windows XP and Server 2003 are much more secure than their predecessors against such system enumeration vulnerabilities and null session attacks. If such systems are in their default configuration, they should be secure; however, you should still perform these tests against your Windows XP and Server 2003 systems to be sure.

Snooping for Windows shares

Windows shares — the available network drives that show up when browsing the network in My Network Places — are often misconfigured, allowing more people to have access to them than necessary. How this works (that is, the default share permission) depends on the Windows system version, as follows:


Windows NT and 2000: When creating shares, the group Everyone is given Full Control access in the share by default for all files to browse, read, and write files. Anyone who maps to the IPC$ connection with a null session is automatically made part of the Everyone group! This means that remote hackers can automatically gain browse, read, and write access to a Windows NT or 2000 server if they establish a null session.

Windows XP and 2003 Server: The Everyone group is given only Read access to shares. This is definitely an improvement over the defaults in Windows 2000 and NT, but it’s not the best setting for the utmost security. You may not even want the Everyone group to have Read access to a share.

Tools such as Legion (http://packetstormsecurity.nl/groups/rhino9/legionv21.zip), LanSpy, and LANguard Network Security Scanner can enumerate shares on Windows systems. Imagine the fun a hacker could have with the shares found in the results shown in Figure 7-8!

Figure 7-7: Using SuperScan to automatically create a null session and enumerate a Windows host.


Figure 7-8: Using LANguard Network Security Scanner to find shares on a remote Windows system.

Ferreting Out WEP Keys

Many client vulnerabilities are specific to wireless networks. Standard security tools aren’t likely to discover such vulnerabilities. To find these weaknesses, you can use hacking tools that have been created to look for wireless-network vulnerabilities. We discuss such tools below.

Some wireless-specific vulnerabilities require physical access to the computer. It’s easy to become complacent and believe that wireless clients are safe because of this physical security requirement, but laptops are lost and stolen quite often, so it’s not unreasonable to believe this could occur — especially if users don’t report their wireless NICs or laptops stolen. Some vulnerabilities, such as the ORiNOCO WEP key vulnerability, can be exploited by an attacker connecting to the remote computer’s registry!

One serious vulnerability affects wireless clients who use the ORiNOCO wireless card. Older versions of the ORiNOCO Client Manager software store encrypted WEP keys in the Windows registry — even for multiple networks — as shown in Figure 7-9.

You can crack the key by using the Lucent ORiNOCO Registry Encryption/Decryption program found at www.cqure.net/tools.jsp?id=3. Make sure that you use the -d command line switch and put quotes around the encrypted key, as shown in Figure 7-10. This program comes in handy if you forget your key, but it can also be used against you.