
Wi-Foo / Andrew A. Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky.

LIBRA TK5105.59 .V53 2004

Available from offsite location This item is stored in our repository but can be checked out.

Format:
Book
Author/Creator:
Vladimirov, Andrew A.
Contributor:
Gavrilenko, Konstantin V.
Mikhailovsky, Andrei A.
Language:
English
Subjects (All):
Computer networks--Security measures.
Computer networks.
Wireless communication systems.
Physical Description:
xxvii, 555 pages : illustrations ; 24 cm
Other Title:
Secrets of wireless hacking
Place of Publication:
Boston, MA : Pearson Education, Inc., [2004]
Summary:
Straight from the field, this is the definitive guide to hacking wireless networks. Authored by world-renowned wireless security auditors, this hands-on, practical guide covers everything you need to attack -- or protect -- any wireless network. The authors introduce the "battlefield," exposing today's "wide open" 802.11 wireless networks and their attackers. One step at a time, you'll master the attacker's entire arsenal of hardware and software tools: crucial knowledge for crackers and auditors alike. Next, you'll learn systematic countermeasures for building hardened wireless "citadels" -- including cryptography-based techniques, authentication, wireless VPNs, intrusion detection, and more.
Contents:
Chapter 1 Real World Wireless Security 1
Why Do We Concentrate on 802.11 Security? 2
Getting a Grip on Reality: Wide Open 802.11 Networks Around Us 5
The Future of 802.11 Security: Is It as Bright as It Seems? 7
Chapter 2 Under Siege 11
Why Are "They" After Your Wireless Network? 11
Wireless Crackers: Who Are They? 15
Corporations, Small Companies, and Home Users: Targets Acquired 17
Target Yourself: Penetration Testing as Your First Line of Defense 20
Chapter 3 Putting the Gear Together: 802.11 Hardware 23
PDAs Versus Laptops 23
PCMCIA and CF Wireless Cards 25
Selecting or Assessing Your Wireless Client Card Chipset 26
Selecting or Assessing Your Wireless Client Card RF Characteristics 33
Antennas 36
RF Amplifiers 40
RF Cables and Connectors 41
Chapter 4 Making the Engine Run: 802.11 Drivers and Utilities 43
Operating System, Open Source, and Closed Source 43
The Engine: Chipsets, Drivers, and Commands 45
Making Your Client Card Work with Linux and BSD 46
Getting Used to Efficient Wireless Interface Configuration 54
Linux Wireless Extensions 55
Linux-wlan-ng Utilities 63
Cisco Aironet Configuration 66
Configuring Wireless Client Cards on BSD Systems 69
Chapter 5 Learning to WarDrive: Network Mapping and Site Surveying 71
Active Scanning in Wireless Network Discovery 72
Monitor Mode Network Discovery and Traffic Analysis Tools 76
Kismet 76
Wellenreiter 85
Airtraf 86
Gtkskan 88
Airfart 89
Mognet 90
WifiScanner 91
Miscellaneous Command-Line Scripts and Utilities 93
BSD Tools for Wireless Network Discovery and Traffic Logging 98
Tools That Use the iwlist scan Command 102
RF Signal Strength Monitoring Tools 104
Chapter 6 Assembling the Arsenal: Tools of the Trade 109
Encryption Cracking Tools 110
WEP Crackers 111
Tools to Retrieve WEP Keys Stored on the Client Hosts 118
Traffic Injection Tools Used to Accelerate WEP Cracking 118
802.1x Cracking Tools 120
Wireless Frame-Generating Tools 123
AirJack 123
File2air 126
Libwlan 127
FakeAP 130
Void11 131
Wnet 132
Wireless Encrypted Traffic Injection Tools: Wepwedgie 134
Access Point Management Utilities 139
Chapter 7 Planning the Attack 143
The "Rig" 143
Network Footprinting 145
Site Survey Considerations and Planning 147
Proper Attack Timing and Battery Power Preservation 151
Stealth Issues in Wireless Penetration Testing 152
An Attack Sequence Walk-Through 153
Chapter 8 Breaking Through 155
The Easiest Way to Get in 155
A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering 156
Picking a Trivial Lock: Various Means of Cracking WEP 161
WEP Brute-Forcing 161
The FMS Attack 163
An Improved FMS Attack 164
Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking 168
Field Observations in WEP Cracking 168
Cracking TKIP: The New Menace 169
The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment 171
DIY: Rogue Access Points and Wireless Bridges for Penetration Testing 173
Hit or Miss: Physical Layer Man-in-the-Middle Attacks 178
Phishing in the Air: Man-in-the-Middle Attacks Combined 179
Breaking the Secure Safe 181
Crashing the Doors: Authentication Systems Attacks 181
Tapping the Tunnels: Attacks Against VPNs 186
The Last Resort: Wireless DoS Attacks 192
1. Physical Layer Attacks or Jamming 193
2. Spoofed Deassociation and Deauthentication Frames Floods 193
3. Spoofed Malformed Authentication Frame Attack 194
4. Filling Up the Access Point Association and Authentication Buffers 195
5. Frame Deletion Attack 196
6. DoS Attacks Based on Specific Wireless Network Settings 196
7. Attacks Against 802.11i Implementations 197
Chapter 9 Looting and Pillaging: The Enemy Inside 199
Step 1 Analyze the Network Traffic 200
802.11 Frames 200
Plaintext Data Transmission and Authentication Protocols 201
Network Protocols with Known Insecurities 203
DHCP, Routing, and Gateway Resilience Protocols 203
Syslog and NTP Traffic 205
Protocols That Shouldn't Be There 205
Step 2 Associate to WLAN and Detect Sniffers 206
Step 3 Identify the Hosts Present and Perform Passive Operating System Fingerprinting 208
Step 4 Scan and Exploit Vulnerable Hosts on WLAN 210
Step 5 Take the Attack to the Wired Side 213
Step 6 Check Wireless-to-Wired Gateway Egress Filtering Rules 218
Chapter 10 Building the Citadel: An Introduction to Wireless LAN Defense 221
Wireless Security Policy: The Cornerstone 221
1. Device Acceptability, Registration, Update, and Monitoring 222
2. User Education and Responsibility 222
3. Physical Security 223
4. Physical Layer Security 223
5. Network Deployment and Positioning 223
6. Security Countermeasures 224
7. Network Monitoring and Incident Response 224
8. Network Security and Stability Audits 225
Layer 1 Wireless Security Basics 225
The Usefulness of WEP, Closed ESSIDs, MAC Filtering, and SSH Port Forwarding 228
Secure Wireless Network Positioning and VLANs 231
Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design 231
Deploying a Linux-Based, Custom-Built Hardened Wireless Gateway 235
Proprietary Improvements to WEP and WEP Usage 242
802.11i Wireless Security Standard and WPA: The New Hope 244
Introducing the Sentinel: 802.1x 245
Patching the Major Hole: TKIP and CCMP 248
Chapter 11 Introduction to Applied Cryptography: Symmetric Ciphers 253
Introduction to Applied Cryptography and Steganography 254
Modern-Day Cipher Structure and Operation Modes 260
A Classical Example: Dissecting DES 260
Kerckhoff's Rule and Cipher Secrecy 264
The 802.11i Primer: A Cipher to Help Another Cipher 265
There Is More to a Cipher Than the Cipher: Understanding Cipher Operation Modes 268
Bit by Bit: Streaming Ciphers and Wireless Security 272
The Quest for AES 274
AES (Rijndael) 278
MARS 279
RC6 282
Twofish 284
Serpent 287
Between DES and AES: Common Ciphers of the Transition Period 290
3DES 290
Blowfish 291
IDEA 293
Selecting a Symmetric Cipher for Your Networking or Programming Needs 296
Chapter 12 Cryptographic Data Integrity Protection, Key Exchange, and User Authentication Mechanisms 303
Cryptographic Hash Functions 304
Dissecting an Example Standard One-Way Hash Function 305
Hash Functions, Their Performance, and HMACs 308
MIC: Weaker But Faster 309
Asymmetric Cryptography: A Different Animal 312
The Examples of Asymmetric Ciphers: ElGamal, RSA, and Elliptic Curves 314
Practical Use of Asymmetric Cryptography: Key Distribution, Authentication, and Digital Signatures 317
Chapter 13 The Fortress Gates: User Authentication in Wireless Security 323
Radius 323
Basics of AAA Framework 323
An Overview of the RADIUS Protocol 324
RADIUS Features 325
Packet Formats 326
Packet Types 327
Installation of FreeRADIUS 328
Configuration 329
User Accounting 334
RADIUS Vulnerabilities 335
Response Authenticator Attack 336
Password Attribute-Based Shared Secret Attack 336
User Password-Based Attack 336
Request Authenticator-Based Attacks 337
Replay of Server Responses 337
Shared Secret Issues 337
RADIUS-Related Tools 338
802.1x: The Gates to Your Wireless Fortress 339
Basics of EAP-TLS 339
FreeRADIUS Integration 343
Supplicants 345
An Example of Access Point Configuration: Orinoco AP-2000 351
LDAP 354
Installation of OpenLDAP 356
Configuration of OpenLDAP 358
Testing LDAP 362
Populating the LDAP Database 364
Centralizing Authentication with LDAP 367
Mobile Users and LDAP 372
LDAP-Related Tools 373
NoCat: An Alternative Method of Wireless User Authentication 376
Installation and Configuration of NoCat Gateway 378
Installation and Configuration of Authentication Server 379
Chapter 14 Guarding the Airwaves: Deploying Higher-Layer Wireless VPNs 383
Why You Might Want to Deploy a VPN 385
VPN Topologies Review: The Wireless Perspective 386
Network-to-Network 386
Host-to-Network 388
Host-to-Host 389
Star 390
Mesh 391
Common VPN and Tunneling Protocols 391
IPSec 392
PPTP 392
GRE 393
L2TP 393
Alternative VPN Implementations 394
cIPe 394
OpenVPN 394
VTun 395
The Main Player in the Field: IPSec Protocols, Operations, and Modes Overview 395
Security Associations 396
AH 397
ESP 398
IP Compression 399
IPSec Key Exchange and Management Protocol 400
IKE 400
Perfect Forward Secrecy 402
Dead Peer Discovery 402
IPSec Road Warrior 403
Opportunistic Encryption 403
Deploying Affordable IPSec VPNs with FreeS/WAN 403
FreeS/WAN Compilation 404
FreeS/WAN Configuration 409
Network-to-Network VPN Topology Setting 415
Host-to-Network VPN Topology Setting 416
Windows 2000 Client Setup 418
Windows 2000 IPSec Client Configuration 423
Chapter 15 Counterintelligence: Wireless IDS Systems 435
Categorizing Suspicious Events on WLANs 437
1. RF/Physical Layer Events 437
2. Management/Control Frames Events 437
3. 802.1x/EAP Frames Events 438
4. WEP-Related Events 438
5. General Connectivity/Traffic Flow Events 439
6. Miscellaneous Events 439
Examples and Analysis of Common Wireless Attack Signatures 440
Radars Up! Deploying a Wireless IDS Solution for Your WLAN 446
Commercial Wireless IDS Systems 446
Open Source Wireless IDS Settings and Configuration 448
A Few Recommendations for DIY Wireless IDS Sensor Construction 451
Appendix A Decibel-Watts Conversion Table 457
Appendix B 802.11 Wireless Equipment 461
Appendix C Antenna Irradiation Patterns 469
Omni-Directionals 469
Semi-Directionals 470
Highly-Directionals 472
Appendix D Wireless Utilities Manpages 475
1. Iwconfig 475
2. Iwpriv 482
3. Iwlist 484
4. Wicontrol 486
5. Ancontrol 493
Appendix E Signal Loss for Obstacle Types 503
Appendix F Warchalking Signs 505
Original Signs 505
Proposed New Signs 506
Appendix G Wireless Penetration Testing Template 507
Arhont Ltd Wireless Network Security and Stability Audit Checklist Template 507
1 Reasons for an audit 507
2 Preliminary investigations 508
3 Wireless site survey 508
4 Network security features present 511
5 Network problems / anomalies detected 514
6 Wireless penetration testing procedure 518
7 Final recommendations 522
Appendix H Default SSIDs for Several Common 802.11 Products 523.
Notes:
Includes index.
ISBN:
0321202171
OCLC:
55964683
