Hacking Wireless Networks For Dummies


330 Part V: Appendixes

Corkwireless, Cork, Cork County, IE: www.corkwireless.com/

Georgia Wireless User Group, Atlanta, GA, US: www.gawug.com

Green Bay Professional Packet Radio, Green Bay, WI, US: www.qsl.net/n9zia/

Houston Wireless, Houston, TX, US: www.houstonwireless.org

IrishWAN, IE: www.irishwan.org/

Longmount Community Wireless Project, Longmount, CO, US: http://long-wire.net/

Madrid Wireless, Madrid, Madrid, ES: http://madridwireless.net/

Marin Unwired, Marin County, CA, US: www.digiville.com/wifi-marin/index.htm

NoCatNet, Sonoma County, CA, US: http://nocat.net

NYCWireless, New York City, NY, US: http://nycwireless.net

NZ Wireless, Auckland, NZ: www.nzwireless.org/

Orange County California Wireless Users Group, Brea, CA, US: www.occalwug.org/

Personal Telco, Portland, OR, US: www.personaltelco.net

Rooftops, Boston/Cambridge, MA, US: http://rooftops.media.mit.edu/

Salt Lake Area Wireless Users Group (SLWUG), Salt Lake City, UT, US: www.saltlakewireless.net/

San Diego Wireless Users Group, San Diego, CA, US: www.sdwug.org

Seattle Wireless, Seattle, WA, US: www.seattlewireless.net

Southern California Wireless Users Group, Southern California, CA, US: www.socalwug.org

StockholmOpen.net, Stockholm, SE: www.stockholmopen.net/index.php

The Toronto Wireless User Group (TorWUG), Toronto, ON, CA: www.torwug.org/

Tri-Valley Wireless Users Group, US: www.tvwug.org

Xnet Wireless, Mornington, AU: www.x.net.au/

WiFi Ecademy, London, England, UK: www.wifi.ecademy.com/

Wireless Technology Forum, Atlanta, GA, US: www.wirelesstechnologyforum.com

Wireless France, FR: www.wireless-fr.org/spip/

Appendix A: Wireless Hacking Resources 331

If you can’t find your location from this list, then try the following sites to find a user group near you:

www.practicallynetworked.com/tools/wireless_articles_community.htm

www.wirelessanarchy.com/#Community%20Groups

www.personaltelco.net/index.cgi/WirelessCommunities

Security Awareness and Training

You may find that getting management and staff to pay attention to information security is a difficult task at best. You are not alone. Fortunately, the following companies can help you get the message across in your organization.

Greenidea, Inc. Visible Statement: www.greenidea.com

The Security Awareness Company: www.thesecurityawarenesscompany.com

Security Awareness, Inc. Awareness Resources: www.securityawareness.com

U.S. Security Awareness: www.ussecurityawareness.org

Wireless Tools

Throughout the book, we have described many tools — showing where to get them, classifying, and summarizing them. If you are just starting out, the tools listed here make a nice shopping list. If you are getting married, you can register at hackersrus.com. Ethical-hacking tools also make great anniversary gifts for those two-hacker households.

General tools

We have grouped tools into specific categories, but some of them defied categorization. Rather than lose these excellent tools, we offer the following list:

BLADE Software IDS Informer: www.bladesoftware.net

Foundstone SiteDigger Google query tool: www.foundstone.com/resources/freetools.htm

MAC-address-vendor lookup: http://coffer.com/mac_find

SMAC MAC-address editor for Windows: www.klcconsulting.net/smac/

WiGLE database: www.wigle.net/gps/gps/GPSDB/query/

WiFimaps: www.wifimaps.com

Vulnerability databases

You will need to understand the vulnerabilities associated with your particular hardware and software. During the planning process, you will use this information to determine the exact tests to perform. Following are some well-known vulnerability database sites.

US-CERT Vulnerability Notes Database: www.kb.cert.org/vuls

NIST ICAT Metabase: http://icat.nist.gov/icat.cfm

Common Vulnerabilities and Exposures: http://cve.mitre.org/cve

Linux distributions

Since many wireless testing tools only run on UNIX, Linux or BSD, you will need to become familiar with one of these platforms. You can purchase a commercial product like SuSe or Red Hat Linux, but this is overkill for our purposes. So instead use one of the following freeware Linux distributions.

Auditor: http://new.remote-exploit.org/index.php/Auditor_main

Cool Linux CD: http://sourceforge.net/project/showfiles.php?group_id=55396&release_id=123430

DSL (Damn Small Linux): www.damnsmalllinux.org/

GNU/Debian Linux: www.debian.org/

KNOPPIX: www.knoppix.net/get.php

SLAX: http://slax.linux-live.org/

WarLinux: http://sourceforge.net/projects/warlinux/

Software emulators

If you want to run more than one operating system at a time on the same hardware or want to paste from one operating system to another, then you will want to consider a software emulation product. Following are some of the better-known products.

Bochs: http://bochs.sourceforge.net/

Cygwin: http://cygwin.com/

DOSEMU: www.dosemu.org/

Microsoft Virtual PC: www.microsoft.com/mac/products/virtualpc/virtualpc.aspx?pid=virtualpc

Plex86: http://savannah.nongnu.org/projects/plex86/

Vmware: www.vmware.com/

WINE: www.winehq.com/

Win4lin: www.netraverse.com/

RF prediction software

RF prediction software helps you simulate the radiation pattern of an access point without having to physically install one. So as a tester you use the same software to predict where you may find a signal. Following are three such software programs.

Airespace: www.airespace.com/products/AS_ACS_location_tracking.php

Alcatel: www.ind.alcatel.com/products/index.cfm?cnt=omnivista_acs_locationtrack

Radioplan: www.electronicstalk.com/news/rop/rop100.html

RF monitoring

You can use software to monitor signal strength and bit error rate. Of course, tools like Kismet or NetStumbler give you signal strength, but they don’t do it as well as the following tools.

aphunter: www.math.ucla.edu/~jimc/mathnet_d/download.html

E-Wireless: www.bitshift.org/wireless.shtml

Gkrellm wireless plug-in: http://gkrellm.luon.net/gkrellmwireless.phtml

Gnome Wireless Applet: http://freshmeat.net/projects/gwifiapplet/

Gtk-Womitor: www.zevv.nl/wmifinfo/

GWireless: http://gwifiapplet.sourceforge.net/

Kifi: http://kifi.staticmethod.net/

KOrinoco: http://korinoco.sourceforge.net/

KWaveControl: http://kwavecontrol.sourceforge.net/

KWiFiManager: http://kwifimanager.sourceforge.net/

Linux Wireless Extensions: http://pcmciacs.sourceforge.net/ftp/contrib/

Mobydik.tk: www.cavone.com/services/mobydik_tk.aspx

NetworkControl: www.arachnoid.com/NetworkControl/index.html

NetworkManager: http://people.redhat.com/dcbw/NetworkManager/

Qwireless: www.uv-ac.de/qwireless/

Wavemon: www.janmorgenstern.de/wavemon-current.tar.gz

WaveSelect: www.kde-apps.org/content/show.php?content=19152

Wimon: http://imil.net/wimon/

Wmap: www.datenspuren.org/wmap

wmifinfo: www.zevv.nl/wmifinfo/

WMWave: www.schuermann.org/~dockapps/

WmWiFi: http://wmwifi.digitalssg.net/?sec=1

Wscan: www.handhelds.org/download/packages/wscan/

wvlanmon: http://file.wankota.org/program/linux/wavelan/

XNetworkStrength: http://gabriel.bigdam.net/home/xnetstrength/

xosview: http://open-linux.de/index.html.en

Antennae

You can spend a lot of money on an antenna. However, you need not spend all that money. You can build one yourself or acquire one for a pretty reasonable sum. Following are three sites to help you acquire an economical antenna for your ethical-hacking work.

Cantenna: www.cantenna.com

Hugh Pepper’s cantennas, pigtails, and supplies: http://home.comast.net/~hughpep

Making a wireless antenna from a Pringles can: www.oreillynet.com/cs/weblog/view/wlg/448

You can find a very good reference page for antennae at www.wardrive.net/general/antenna.

Wardriving

A very useful tool for your wireless ethical-hacking kit is a wardriving or network discovery program. Fortunately for you, there is an overabundance of tools as the following list shows.

Aerosol: www.sec33.com/sniph/aerosol.php

AirMagnet: www.airmagnet.com/products/index.htm

AiroPeek: www.wildpackets.com/products/airopeek

Airscanner: www.snapfiles.com/get/pocketpc/airscanner.html

AP Scanner: www.macupdate.com/info.php/id/5726

AP Radar: http://apradar.sourceforge.net

Apsniff: www.monolith81.de/mirrors/index.php?path=apsniff/

BSD-Airtools: www.dachb0den.com/projects/bsd-airtools.html

dstumbler: www.dachb0den.com/projects/dstumbler.html

gtk-scanner: http://sourceforge.net/projects/wavelan-tools

gWireless: http://gwifiapplet.sourceforge.net/

iStumbler: http://istumbler.net/

KisMAC: www.binaervarianz.de/projekte/programmieren/kismac/

Kismet: www.kismetwireless.net

MacStumbler: www.macstumbler.com/

MiniStumbler: www.netstumbler.com/downloads/

Mognet: www.l0t3k.net/tools/Wireless/Mognet-1.16.tar.gz

NetChaser: www.bitsnbolts.com

Network Stumbler: www.netstumbler.com/downloads

perlskan: http://sourceforge.net/projects/wavelan-tools

PocketWarrior: www.pocketwarrior.org/

pocketWinc: www.cirond.com/pocketwinc.php

Prismstumbler: http://prismstumbler.sourceforge.net

Sniff-em: www.sniff-em.com

Sniffer Wireless: www.networkgeneral.com/

StumbVerter: www.michiganwireless.org/tools/Stumbverter/

THC-Scan: www.thc.org/releases.php?q=scan

THC-WarDrive: www.thc.org/releases.php?q=wardrive

WarGlue: www.lostboxen.net/warglue/

WarKizniz: www.michiganwireless.org/tools/WarKizNiz/

Wellenreiter: www.wellenreiter.net/

Wi-Scan: www.michiganwireless.org/tools/wi-scan/

WiStumbler: www.gongon.com/persons/iseki/wistumbler/index.html

Wireless Security Auditor: www.research.ibm.com/gsal/wsa/

Wlandump: www.guerrilla.net/gnet_linux_software.html

Wireless IDS/IPS vendors

Wireless IDS/IPS products are necessary whether you support wireless networking or not in your organization. If you do support wireless, then you need a tool to protect your network. If you don’t have wireless, then you need a tool to ensure you don’t. Following are some IDS/IPS products.

AirDefense: www.airdefense.net

AirMagnet: www.airmagnet.com

BlueSocket: www.bluesocket.com

ManageEngine: http://origin.manageengine.adventnet.com/products/wifi-manager

NetMotion Wireless: www.netmotionwireless.com

Red-Detect: www.red-m.com/Products/Red-Detect

Senforce Wi-Fi Security: www.senforce.com/entwirelessecur.htm

Vigilant Minds: www.vigilantminds.com

WiFi Manager: http://manageengine.adventnet.com/products/wifi-manager/index.html

Wireless sniffers

You know that old saw: a picture is worth a thousand words. Well, the message from the saw applies to ethical hacking. Show someone his password that you captured because it wasn’t encrypted, and he gets it. Following are some packet capture tools.

AirMagnet: www.airmagnet.com/

AiroPeek: www.wildpackets.com/products/airopeek

AirScanner Mobile Sniffer: http://airscanner.com/downloads/sniffer/sniffer.html

AirTraf: http://airtraf.sourceforge.net/

Capsa: www.colasoft.com/products/capsa/index.php?id=75430g

CENiffer: www.epiphan.com/products_ceniffer.html

CommView for WiFi: www.tamos.com/products/commview/

ethereal: www.ethereal.com

Gulpit: www.crak.com/gulpit.htm

KisMAC: www.binaervarianz.de/projekte/programmieren/kismac/

Kismet: www.kismetwireless.net/

LANfielder: www.wirelessvalley.com/

LinkFerret: www.baseband.com/

Mognet: www.l0t3k.net/tools/Wireless/Mognet-1.16.tar.gz

ngrep: www.remoteassessment.com/?op=pub_archive_search&query=wireless

Observer: www.networkinstruments.com/

Packetyzer: www.networkchemistry.com/

Sniffer Netasyst: www.sniffer-netasyst.com/

Sniffer Wireless: www.networkgeneral.com/Products_details.aspx?PrdId=20046178370181

WEP/WPA cracking

If we had a dollar for every time someone said she’s OK because she uses WEP or WPA, we would retire to a nice island in the Caribbean. The following tools should show them that they are not OK.

Aircrack: www.cr0.net:8040/code/network/

AirSnort: http://sourceforge.net/projects/airsnort/

Destumbler: http://sourceforge.net/projects/destumbler

Dwepcrack: www.e.kth.se/~pvz/wifi/

jc-wepcracker: www.astalavista.com/?section=dir&cmd=file&id=3316

Lucent Orinoco Registry Encryption/Decryption program: www.cqure.net/tools.jsp?id=3

WepAttack: http://wepattack.sourceforge.net/

WEPcrack: http://sourceforge.net/projects/wepcrack/

WEPWedgie: http://sourceforge.net/projects/wepwedgie/

WepLab: http://weplab.sourceforge.net/

WinAirSnort: www.nwp.nevillon.org/attack.html

WPA Cracker: www.tinypeap.com/page8.html

Cracking passwords

There are tools that will grab packets, look for passwords, and provide them to you. Following are some of these very desirable tools.

Cain & Abel: www.oxid.it/cain.html

Dsniff: www.monkey.org/~dugsong/dsniff/

Dsniff (Windows port): www.datanerds.net/~mike/dsniff.html

Dsniff (MacOS X port): http://blafasel.org/~floh/ports/dsniff-2.3.osx.tgz

Crack only passwords that you have the authority to crack. Cracking other passwords could land you in jail.

Dictionary files and word lists

Most password crackers take a list of words or a dictionary and encrypt the words and then compare them to the password file. So you need to get different dictionaries or wordlists. Following are five good sources for dictionaries and wordlists.

CERIAS Dictionaries and Wordlists: ftp://ftp.cerias.purdue.edu/pub/dict

Default vendor passwords: www.cirt.net/cgi-bin/passwd.pl

Outpost9 Wordlists: www.outpost9.com/files/WordLists.html

PacketStorm Wordlists: http://packetstormsecurity.nl/Crackers/wordlists

University of Oxford Dictionaries and Wordlists: ftp://ftp.ox.ac.uk/pub/wordlists

Gathering IP addresses and SSIDs

Many wireless security books recommend that you turn off SSID broadcasting as a control. However, you can use one of the following programs to get the SSID even when broadcasting is turned off.

air-jack: http://sourceforge.net/projects/airjack/

Arping: www.habets.pp.se/synscan/programs.php?prog=arping

essid_jack: http://sourceforge.net/projects/airjack/

pong: http://mobileaccess.de/wlan/index.html?go=technik&sid=

SSIDsniff: www.bastard.net/~kos/wifi/ssidsniff-0.40.tar.gz