Hacking Wireless Networks For Dummies
190 Part III: Advanced Wi-Fi Hacks
Figure 11-13: AiroPeek NX Expert analysis, showing unauthorized wireless devices.
Figure 11-14: AiroPeek NX, pointing out anomalies during a basic packet capture.
Chapter 11: Unauthorized Wireless Devices 191
It’s these types of features combined with general ease of use that make commercial tools such as AiroPeek NX and its sister application AiroPeek stand out. AiroPeek is discussed in greater detail in Chapter 8.
Probing further
In the previous sections, we outlined how to determine which wireless systems are transmitting radio signals in and around your organization. But how do you know whether they’re benign systems belonging to someone else outside your organization or are actually unauthorized systems connected to your network? There’s one obvious way to find these systems — walk around and look for them. However, this may not be practical, especially if you have a large number of wireless devices or you’re having trouble spotting them.
Let’s look at how you can determine whether an ad-hoc device is connected to your network. It’s actually pretty simple; just follow these steps:
1. Track down the MAC address of the system in question.
In this example, the system we want to check out is the one with the Philips Components address (as shown in Figure 11-15). We view this system by clicking the Nodes tab in AiroPeek NX. Note that AiroPeek NX displays the NIC vendor name in place of the first three bytes of the MAC address. (We’ve hidden the last three bytes just to provide our personal MACs some privacy.)
Figure 11-15: Using AiroPeek NX to find the MAC address of an ad-hoc system in question.
2. Find the MAC address in the packets you’ve captured.
In AiroPeek NX, this simply involves switching to the Packets view by clicking the Packets tab and performing a hex search (by pressing Ctrl+F in AiroPeek NX) for the MAC address within the packets. In this example, dozens of packets were discovered; to keep things simple, we filtered out the unneeded management frames (beacons, probe requests, and so on) and focused on the IP-based traffic shown in Figure 11-16.
Figure 11-16: Displaying pertinent IP-based packets in AiroPeek NX.
3. Determine whether the associated IP address and protocols point to your network.
In this case, we found that the Philips Components MAC address has an IP address of 192.168.1.3. Now that you know the IP address, the next question is: Is it a valid address on your network? You may be surprised. Figure 11-16 shows this address, along with some interesting traffic — a PING Request and NB Name Svc broadcasts. This system is pinging another system (192.168.1.1 in this case) and appears to be a Windows-based computer — hence the NB (NetBIOS) broadcasts that tell the network “I’m here.” This type of traffic — especially if you know your users would never initiate it — could indicate an unauthorized system.
If you find a MAC address and you’re not sure whether it belongs on your system, you can track down its IP address by matching it up to the IP-MAC address findings in SoftPerfect’s Network Scanner (www.softperfect.com/products/networkscanner). This is a great way to match up MAC addresses to IP addresses and see if a system is on your network, and it’s a lot quicker and simpler than performing reverse ARP lookups.
This test is not 100 percent foolproof, but it’s a great test to run nonetheless. You can also use this method to determine whether unauthorized APs are connected to your network.
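The three-step check above can be automated once you have a capture in hand. The following Python is an added example, not code from the book or from AiroPeek NX: a small parser pulls the source MAC and the IPv4 addresses out of unencrypted 802.11 data frames (management frames such as beacons are skipped, as in step 2), a vendor lookup covers only the two OUIs quoted in this book, and a triage pass flags source MACs that are not on an authorized list yet carry traffic on the site subnet, noting ICMP echo requests and NetBIOS Name Service broadcasts like the ones in Figure 11-16. The MAC addresses, the frames and the 192.168.1.0/24 subnet are constructed test data; the frames carry a zero IP checksum because the parser does not verify it.

```python
import struct
import ipaddress

# Vendor prefixes quoted in this book; a real deployment would load the full IEEE OUI list.
OUI_VENDORS = {"00:40:5e": "Philips", "00:40:96": "Aironet (Cisco)"}
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header announcing an IPv4 payload


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(to_ds, from_ds, da, sa, bssid, ip_src, ip_dst, proto, l4):
    """Constructed, unencrypted 802.11 data frame carrying an IPv4 packet (test input only)."""
    fc = bytes([0x08, (0x01 if to_ds else 0) | (0x02 if from_ds else 0)])  # type=data, DS bits
    if to_ds:
        addrs = bssid + sa + da
    elif from_ds:
        addrs = da + bssid + sa
    else:
        addrs = da + sa + bssid  # IBSS (ad-hoc) layout: addr1=DA, addr2=SA, addr3=BSSID
    header = fc + b"\x00\x00" + addrs + b"\x00\x00"  # duration, addresses, sequence control
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         ipaddress.IPv4Address(ip_src).packed, ipaddress.IPv4Address(ip_dst).packed)
    return header + LLC_SNAP_IPV4 + ip_hdr + l4


def parse_frame(frame):
    """Return (source MAC, IPv4 src, IPv4 dst, description) for IPv4 data frames, else None."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:  # type 2 = data; beacons and probes are type 0 (management)
        return None
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    if to_ds and from_ds:  # four-address WDS frames are out of scope for this example
        return None
    a2, a3 = frame[10:16], frame[16:22]
    sa = a3 if from_ds else a2  # where the source address sits depends on the DS bits
    header_len = 26 if fc0 & 0x80 else 24  # QoS data subtypes add a 2-byte QoS control field
    body = frame[header_len:]
    if not body.startswith(LLC_SNAP_IPV4):
        return None
    ip = body[len(LLC_SNAP_IPV4):]
    ihl = (ip[0] & 0x0F) * 4
    proto, l4 = ip[9], ip[ihl:]
    ip_src, ip_dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    if proto == 1 and l4[0] == 8:
        desc = "ICMP echo request"
    elif proto == 17:
        dport = struct.unpack("!H", l4[2:4])[0]
        desc = "NetBIOS Name Service" if dport == 137 else f"UDP/{dport}"
    else:
        desc = f"IP protocol {proto}"
    return mac_str(sa), ip_src, ip_dst, desc


def triage(frames, authorized_macs, site_net):
    """Group IP traffic by source MAC; unauthorized senders on the site subnet are the suspects."""
    net = ipaddress.IPv4Network(site_net)
    report = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, ip_src, ip_dst, desc = parsed
        entry = report.setdefault(mac, {
            "vendor": OUI_VENDORS.get(mac[:8], "unknown vendor"),
            "ip": str(ip_src),
            "on_site_subnet": ip_src in net,
            "authorized": mac in authorized_macs,
            "traffic": [],
        })
        entry["traffic"].append(f"{desc} -> {ip_dst}")
    return report


# Constructed sample capture: the last three MAC bytes are made up, the OUIs are the ones quoted above.
SUSPECT = bytes.fromhex("00405e112233")   # Philips NIC in an ad-hoc network
PEER = bytes.fromhex("00405e445566")      # the ad-hoc station it is pinging
CLIENT = bytes.fromhex("004096aabbcc")    # authorized Aironet client
AP = bytes.fromhex("004096010203")        # our access point
IBSS = bytes.fromhex("02112233aabb")      # randomly generated ad-hoc BSSID
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    bytes.fromhex("80000000") + BCAST + AP + AP + b"\x00\x00",  # beacon (management): skipped
    build_data_frame(False, False, PEER, SUSPECT, IBSS, "192.168.1.3", "192.168.1.1", 1,
                     b"\x08\x00\x00\x00"),                                   # ICMP echo request
    build_data_frame(False, False, BCAST, SUSPECT, IBSS, "192.168.1.3", "192.168.1.255", 17,
                     struct.pack("!HHHH", 137, 137, 8, 0)),                  # NetBIOS name broadcast
    build_data_frame(True, False, AP, CLIENT, AP, "192.168.1.10", "192.168.1.1", 17,
                     struct.pack("!HHHH", 50000, 53, 8, 0)),                 # ordinary DNS query
]
AUTHORIZED_MACS = {mac_str(CLIENT)}

if __name__ == "__main__":
    for mac, info in triage(SAMPLE_FRAMES, AUTHORIZED_MACS, "192.168.1.0/24").items():
        flag = "SUSPECT" if info["on_site_subnet"] and not info["authorized"] else "ok"
        print(flag, mac, info)
```

The interesting output line is the Philips address: it is not on the authorized list, it holds an address inside the site subnet, and its only traffic is a ping and a NetBIOS name broadcast, exactly the pattern the chapter says to look for. Against a real capture you would feed the raw frame bytes from your analyzer's export into triage() and replace the two-entry vendor table with the IEEE list.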
Additional Software Options
In addition to using the wireless-client, stumbling, and network-analysis software mentioned here, you have some additional ways to search for wireless devices that don’t belong. For example, some basic port-scanning and vulnerability-assessment tools can give you useful results. Here’s a quick list:
• SuperScan
• GFI LANguard Network Security Scanner
• Nessus
• NeWT
• QualysGuard
These programs aren’t wireless-specific but they may be able to turn up wireless-device IP addresses and other vulnerabilities that you wouldn’t have been able to discover otherwise.
Online Databases
One more place to look for unauthorized wireless systems is the Internet. (Well, yeah . . .) Up to this point, we’ve mentioned several Web sites you can browse to and query to see whether your “authorized” wireless devices have been made public — as in, plastered all over the Net. Well, you can also use these databases to search for unauthorized systems as well. If you know the exact GPS coordinates of your building, you can perform a detailed lookup in WiGLE’s database at
www.wigle.net/gps/gps/GPSDB/query
to see whether any systems in your vicinity have been posted. If you don’t mind sorting through entries by city, state, or Zip code, you can also check out www.wifimaps.com and www.wifinder.com to see what you can find.
Unauthorized System Countermeasures
The countermeasures necessary to help prevent unauthorized wireless devices are similar to those we’ve discussed up to this point. They are:
• First and foremost, implement a reasonable and enforceable wireless security policy that forbids unauthorized wireless devices — and actually enforce it.
• Use stumbling software or a network analyzer to monitor for network changes and systems that don’t belong.
• Use a full-fledged wireless intrusion-detection system (WIDS) or network-monitoring system that can find wireless network anomalies, prevent bad things from happening, and alert you in real time.
• Control access to authorized wireless devices only by one or more of the following:
  • MAC address
  • SSID
  • Communications channel used
  • Hardware vendor type
Chapter 12
Network Attacks
In This Chapter
• Understanding the consequences of attacks on wireless systems at the network level
• Unmasking MAC address spoofing
• Unmanning man-in-the-middle attacks
• Reviewing known problems with SNMP
• Defining the Queensland protocol attack
• Examining the quirky network issues with network analyzers
• Exploring practical and cost-effective countermeasures
Your computer systems and applications require one of the most fundamental communications systems in your organization — your network.
Although many organizations don’t completely rely on wireless networks for everything, others do. Either way, your wireless network likely depends on critical servers; you can’t afford to have them compromised via the network. These computers, even if they’re an ancillary part of your overall network, are there for business reasons; damage them, damage the business. Therefore it’s important to understand just what can happen when network-based 802.11 vulnerabilities are exploited.
There are thousands of possible network-level vulnerabilities on your wireless systems — and seemingly just as many tools and testing techniques. The key point to remember here is that you don’t need to test your wireless network for every possible vulnerability, using every tool available and technique imaginable. Instead, look for vulnerabilities that can have a swift and immediate impact on your systems.
Some of the hacks and associated tests we demonstrate in this chapter are specific to 802.11. Others are security weaknesses common to any network — and those not only have a higher likelihood of being exploited, they can also have a high impact on your business.
No, it’s not a Zip code
802.11 is a standard (in effect, a precise functional definition) that describes how a network can be accessed and controlled. The Institute of Electrical and Electronics Engineers (IEEE) establishes such standards and updates them, but so far no standard is perfect. Networks set up according to the 802.11 standard have certain characteristic weaknesses that bad-guy hackers use to get your network to give them (you guessed it) access and control. Ethical hackers must test and fix those vulnerabilities; this chapter describes them.
There are two main reasons that 802.11-based wireless systems are vulnerable at the network level:
• Inherent trust allows wireless systems to come and go as they please on the network. Practically everything about 802.11 is open by default — from authentication to cleartext communications to a dangerous lack of frame authentication. In addition to this equivalent of a “Hack Me” sign, wireless networks don’t have the same layer of physical security present in wired networks.
• Common network issues that 802.11 has inherited from its wired siblings enable attackers to exploit network-based vulnerabilities easily, regardless of the transmission medium. The suspect activities allowed under 802.11 defaults include MAC-address spoofing, system scanning and enumeration, and packet sniffing. For openers.
Okay, some of the concepts in this chapter overlap material in other chapters in this book — and some of these vulnerabilities and tests could arguably be placed in other chapters that cover different categories of attacks. But our goal in this chapter is to give you the basis for a good overall assessment of your wireless systems at their most fundamental technical level — the network level.
What Can Happen
Network infrastructure vulnerabilities are the foundation for all technical security issues in your information systems. These lower-level vulnerabilities affect everything running on your network. That’s why you need to test for them and eliminate them whenever possible.
Network-level attacks against wireless systems are usually simple to execute — but they have a high payoff. Though they may not be quite as disruptive as all-out denial-of-service (DoS) attacks, which we cover in Chapter 13, network-based attacks often lead to the compromise of wireless clients and APs — wreaking havoc on your business.
There’s always the possibility that the tests we outline in this chapter can cause your wireless (and wired) networks to slow to a crawl — or crash altogether — so proceed with caution. If possible, perform your tests on non-production systems first — or perform them during times of non-peak network usage.
An important network test (covered in Chapter 7) is to see which systems are available and what security vulnerabilities are present on your wireless network. Previous chapters also harp (we think justly) on how important it is to keep your wireless network separate from your wired network. Unsecured wireless systems are about as safe as a screen door on a submarine.
When you know exactly what wireless systems are out there and where they’re located, there are specific tests you can perform to exploit various vulnerabilities at the network level. This involves assessing such areas as MAC-address controls, whether or not a virtual private network (VPN) is in use, whether cleartext (unencrypted) communications are going on, which protocols are present, and more.
By exploiting these vulnerabilities, attackers can cause bad things to happen on your wireless network — these, for example:
• Attacking specific hosts by exploiting local vulnerabilities from across the network (which we cover in Chapter 7).
• Using a network analyzer to steal confidential information in e-mails and files being transferred.
• Gaining unauthorized access to your network.
Let’s jump right into things and see these little nightmares in action.
MAC-Address Spoofing
A common attack carried out by hackers to circumvent basic access controls in wireless networks is to masquerade as a legitimate host on the network. They do it by spoofing (that is, faking and pretending to have) the identity of another system (which explains why this attack is sometimes referred to as a wireless identity-theft attack). Wireless NICs in clients, access points — basically any network device, wired or wireless — must have an identifier called a MAC (media-access control) address. This address is a 48-bit (six byte) number assigned by the component’s manufacturer to make it unique. The idea is to identify the component (usually a specific network-interface card) to the host so switching, routing, and so on can happen without causing conflicts with other systems. No wonder someone who uses a fake address can make big trouble.
False sense of security
A popular — and pretty weak — security measure for wireless networks is to enable MAC address controls. This provides a form of AP authentication by allowing only clients with specific MAC addresses to access the wireless network. Sounds good, sure — and we often hear people saying, “I’ve enabled MAC address controls on my wireless network, so it’s pretty secure.” Well, actually, a hacker can circumvent this security measure very easily.
The IEEE calls the 48-bit MAC address space “MAC-48” — as originally published in the IEEE Ethernet specification. The first 24 bits (three bytes) of a MAC address make up a number unique to each NIC manufacturer. For example, 00:40:5e belongs to Philips, 00:40:96 belongs to Aironet (now Cisco), and so on. This vendor identifier is called the Organizationally Unique Identifier (OUI); 16,777,216 OUIs are possible — and a vendor can have more than one. Each vendor can use the final 24 bits (three bytes) of the MAC address as desired, to create unique identifiers for all their cards (16,777,216 such identifiers are possible). The IEEE figures that all possible MAC addresses won’t be exhausted any sooner than the year 2100.
You can look up the vendor ID of a specific MAC address at the following Web sites:
http://standards.ieee.org/regauth/oui/index.shtml
http://coffer.com/mac_find
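Two passages come together here: the point just made that MAC address controls on their own are easy to circumvent, and the Chapter 11 countermeasure of controlling access by a combination of MAC address, SSID, channel and hardware vendor. The following Python is an added example, not code from the book: it decodes the I/G and U/L flag bits of a MAC-48 first octet, looks up the OUI against the two vendor prefixes quoted above, evaluates each sighting from a stumbler or analyzer against an allow-list policy, and reports any MAC seen with more than one SSID/channel combination in the same sweep, which is one sign that an address has been cloned. The Policy and Sighting types, the MACs, the SSIDs and the channel set are constructed assumptions.

```python
from dataclasses import dataclass

# OUIs quoted on this page; a real check would use the IEEE registry linked above.
OUI_VENDORS = {"00:40:5e": "Philips", "00:40:96": "Aironet (Cisco)"}


@dataclass
class Policy:
    """Constructed allow-list policy: the four controls listed under Chapter 11's countermeasures."""
    authorized_macs: set
    authorized_ssids: set
    allowed_channels: set
    approved_vendors: set


@dataclass
class Sighting:
    """One station observed by a stumbler or analyzer (hypothetical input format)."""
    mac: str
    ssid: str
    channel: int


def mac_bits(mac):
    """Decode the two flag bits of a MAC-48 first octet: I/G (bit 0) and U/L (bit 1)."""
    first_octet = int(mac.split(":")[0], 16)
    return {"multicast": bool(first_octet & 0x01),
            "locally_administered": bool(first_octet & 0x02)}


def evaluate(sighting, policy):
    """Return the findings for one sighting; an empty list means it satisfies the policy."""
    mac = sighting.mac.lower()
    findings = []
    bits = mac_bits(mac)
    if bits["multicast"]:
        findings.append("I/G bit set: a vendor-assigned unicast address never has it")
    if bits["locally_administered"]:
        findings.append("U/L bit set: address was assigned by software, not burned in")
    vendor = OUI_VENDORS.get(mac[:8])
    if vendor is None:
        findings.append(f"unknown OUI {mac[:8]}")
    elif vendor not in policy.approved_vendors:
        findings.append(f"vendor {vendor} is not approved for this network")
    if mac not in policy.authorized_macs:
        findings.append("MAC is not on the authorized list")
    if sighting.ssid not in policy.authorized_ssids:
        findings.append(f"SSID {sighting.ssid!r} is not one of ours")
    if sighting.channel not in policy.allowed_channels:
        findings.append(f"channel {sighting.channel} is outside the allowed set")
    return findings


def duplicate_identities(sightings):
    """Same MAC seen with more than one SSID/channel pair in one sweep: a sign the address is cloned."""
    seen = {}
    for s in sightings:
        seen.setdefault(s.mac.lower(), set()).add((s.ssid, s.channel))
    return {mac: combos for mac, combos in seen.items() if len(combos) > 1}


# Constructed policy and sweep results (hypothetical MACs and SSIDs).
POLICY = Policy(authorized_macs={"00:40:96:aa:bb:cc"}, authorized_ssids={"corp-wlan"},
                allowed_channels={1, 6, 11}, approved_vendors={"Aironet (Cisco)"})
SIGHTINGS = [
    Sighting("00:40:96:aa:bb:cc", "corp-wlan", 6),   # the real authorized client
    Sighting("00:40:96:aa:bb:cc", "corp-wlan", 11),  # same MAC, different channel, same sweep
    Sighting("01:23:45:67:89:ab", "corp-wlan", 6),   # the example address from the Linux steps below
    Sighting("00:40:5e:11:22:33", "free-wifi", 3),   # ad-hoc device that is not ours
]

if __name__ == "__main__":
    for s in SIGHTINGS:
        print(s.mac, evaluate(s, POLICY) or ["passes policy"])
    print("possible clones:", duplicate_identities(SIGHTINGS))
```

The second sighting shows why the MAC check alone is weak: a station that copies an authorized address passes every per-sighting test, and only the cross-sighting check (one MAC on two channels at once) gives it away. The third sighting shows the opposite case, an address that fails before any list is consulted because its group bit is set, something no vendor-assigned card address has.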
Let’s take a look at how MAC addresses can be changed on different platforms — and then we show you how a spoofing attack is carried out.
Changing your MAC in Linux
In Linux, you can spoof MAC addresses by following these steps:
1. While logged in as root, disable the network interface so you can change the MAC address.
You do this by inserting the network-interface number that you want to disable (typically wlan0 or ath0) into the command, like this:
[root@localhost root]# ifconfig wlan0 down
2. Enter a command for the MAC address you want to use. Here’s how to insert the fake MAC address — and the network-interface number again — into the command:
[root@localhost root]# ifconfig wlan0 hw ether 01:23:45:67:89:ab
The following command also works in Linux:
[root@localhost root]# ip link set wlan0 address 01:23:45:67:89:ab
3. Bring the interface back up with this command:
[root@localhost root]# ifconfig wlan0 up
If you’ll be changing your Linux MAC address(es) often, you can use a more feature-rich utility called MAC Changer (www.alobbs.com/macchanger).
You can use the ifconfig utility in other flavors of UNIX as well. Refer to the ifconfig man pages for specific parameters for your version.
Tweaking your Windows settings
If your test system is running Windows 2000 or XP, you may have several options for changing your MAC address, depending on the wireless NIC you have (and on its driver).
The first option to try is to see whether you can change the address by resetting your NIC’s network properties. Here’s the drill:
1. Right-click My Network Places and then choose Properties.
A list of wireless NIC models appears.
2. Right-click the maker and model of your wireless NIC and then choose Properties again.
The Properties window appears.
3. Click Configure.
Another Properties window appears.
4. Click the Advanced tab.
If your wireless NIC will allow you to change its MAC address, you’ll have a Network Address (or MAC address) listed under Property.
