Smokey
July 19th, 2003, 06:08 AM
The Hacker's Wireless LAN Toolbox
Hackers—as well as white hat researchers—are notorious for quickly breaking the new security standards soon after the standards are released and they did so again with the standards for wireless LANs. The following are a few examples of the hardware and freeware tools available on the Internet.
Freeware tools: New WLAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. Rather than wait for a hacker to attack your network, security managers should familiarize themselves with tools and learn how to defend against them. The table on this page gives a few examples of widely available freeware tools.
Tool Description
NetStumbler Freeware wireless access point identifier – listens for SSIDs & sends beacons as probes searching for access points
Kismet Freeware wireless sniffer and monitor – passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds
Wellenreiter Freeware WLAN discovery tool – Uses brute force to identify low traffic access points; hides your real MAC; integrates with GPS
THC-RUT Freeware WLAN discovery tool – Uses brute force to identify low traffic access points; “your first knife on a foreign network”
Ethereal Freeware WLAN analyzer – interactively browse the capture data, viewing summary and detail information for all observed wireless traffic
WEPCrack Freeware encryption breaker – Cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling
AirSnort Freeware encryption breaker – passively monitoring transmissions, computing the encryption key when enough packets have been gathered
HostAP Converts a WLAN station to function as an access point; (Available for WLAN cards that are based on Intersil's Prism2/2.5/3 chipset)
Antennas: To connect with WLANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or built easily with cans or cylinders found in a kitchen cupboard and can pick up 802.11 signals from up to 2,000 feet away. The intruders can be in the parking lot or completely out of site.
Breaking encryption tools: The industry's initial encryption technology, Wired Equivalent Privacy (WEP), was quickly broken by published tools WEPCrack and AirSnort, which exploit vulnerabilities in the WEP encryption algorithm. WEPCrack and AirSnort passively observe WLAN traffic until they collect enough data to recognize repetitions and break the encryption key.
Breaking 802.1x authentication tools: The next step in the evolution of WLAN security was the introduction of 802.1x for port-based authentication. However, University of Maryland professor William Arbaugh published a research paper in February 2002 that demonstrated how the newly proposed security standard can be defeated. The IEEE is now working on a new standard, 802.11i, which is expected to be ratified in 2004.
War driving tools: To locate the physical presence of WLANs, hackers developed scanning and probing tools that introduced the concept of "war driving" -- driving around a city in a car to discover unprotected WLANs. User-friendly Windows-based freeware tools, such as Netstumbler, probe the airwaves in search of access points that broadcasted their service set identifiers (SSID) and offer easy ways to find open networks. More advanced tools, such as Kismet, were then introduced on Linux systems to passively monitor wireless traffic. Both Netstumbler and Kismet work in tandem with a Global Positioning System to map exact locations of the identified WLANs. These maps and data are posted on Web sites such as www.wigle.net and www.wifinder.com where wireless freeloaders and other hackers can locate these open networks.
Attacks at DefCon
One of the best ways to study what kind of attacks you can expect and what tools attackers will use is to study what happens at DefCon. At DefCon X in August 2002, AirDefense surveyed the WLAN at the Las Vegas convention for two hours and identified more than 10 previously undocumented methods for wireless attacks. That information showed us that hackers had become a lot more creative in learning how to manipulate 802.11. The result was a new flavors of denial-of-service attacks, identity thefts and man-in-the-middle attacks.
During the two hours of monitoring the conference's WLAN, AirDefense identified eight sanctioned access points, 35 rogue access points and more than 800 different station addresses.
AirDefense's 802.11 security experts estimated that 200 to 300 of the station addresses were fakes because roughly 350 people were in the WLAN network room at a single time.
AirDefense discovered 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours.
Among the 807 attacks:
490 were wireless probes from tools such as Netstumbler and Kismet, which were used to scan the network and determine who was most vulnerable to greater attacks.
190 were identity thefts, such as when MAC addresses and SSIDs were spoofed to assume the identity of another user.
100 were varying forms of denial-of-service attacks that either jammed the airwaves with noise to shut down an access point, targeted specific stations by continually disconnecting them from an access point, or forced stations to route their traffic through other stations that ultimately didn't connect back to the network.
And 27 attacks came from out-of-specification management frames where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network.
Of the more than 10 new types of attacks identified by AirDefense, the company's 802.11 security experts determined that many were new forms of denial-of-service attacks. But an apparent danger came from the growing number of ways in which hackers have learned to abuse 802.11 protocols.
Source: ComputerWorld
Hackers—as well as white hat researchers—are notorious for quickly breaking the new security standards soon after the standards are released and they did so again with the standards for wireless LANs. The following are a few examples of the hardware and freeware tools available on the Internet.
Freeware tools: New WLAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. Rather than wait for a hacker to attack your network, security managers should familiarize themselves with tools and learn how to defend against them. The table on this page gives a few examples of widely available freeware tools.
Tool Description
NetStumbler Freeware wireless access point identifier – listens for SSIDs & sends beacons as probes searching for access points
Kismet Freeware wireless sniffer and monitor – passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds
Wellenreiter Freeware WLAN discovery tool – Uses brute force to identify low traffic access points; hides your real MAC; integrates with GPS
THC-RUT Freeware WLAN discovery tool – Uses brute force to identify low traffic access points; “your first knife on a foreign network”
Ethereal Freeware WLAN analyzer – interactively browse the capture data, viewing summary and detail information for all observed wireless traffic
WEPCrack Freeware encryption breaker – Cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling
AirSnort Freeware encryption breaker – passively monitoring transmissions, computing the encryption key when enough packets have been gathered
HostAP Converts a WLAN station to function as an access point; (Available for WLAN cards that are based on Intersil's Prism2/2.5/3 chipset)
Antennas: To connect with WLANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or built easily with cans or cylinders found in a kitchen cupboard and can pick up 802.11 signals from up to 2,000 feet away. The intruders can be in the parking lot or completely out of site.
Breaking encryption tools: The industry's initial encryption technology, Wired Equivalent Privacy (WEP), was quickly broken by published tools WEPCrack and AirSnort, which exploit vulnerabilities in the WEP encryption algorithm. WEPCrack and AirSnort passively observe WLAN traffic until they collect enough data to recognize repetitions and break the encryption key.
Breaking 802.1x authentication tools: The next step in the evolution of WLAN security was the introduction of 802.1x for port-based authentication. However, University of Maryland professor William Arbaugh published a research paper in February 2002 that demonstrated how the newly proposed security standard can be defeated. The IEEE is now working on a new standard, 802.11i, which is expected to be ratified in 2004.
War driving tools: To locate the physical presence of WLANs, hackers developed scanning and probing tools that introduced the concept of "war driving" -- driving around a city in a car to discover unprotected WLANs. User-friendly Windows-based freeware tools, such as Netstumbler, probe the airwaves in search of access points that broadcasted their service set identifiers (SSID) and offer easy ways to find open networks. More advanced tools, such as Kismet, were then introduced on Linux systems to passively monitor wireless traffic. Both Netstumbler and Kismet work in tandem with a Global Positioning System to map exact locations of the identified WLANs. These maps and data are posted on Web sites such as www.wigle.net and www.wifinder.com where wireless freeloaders and other hackers can locate these open networks.
Attacks at DefCon
One of the best ways to study what kind of attacks you can expect and what tools attackers will use is to study what happens at DefCon. At DefCon X in August 2002, AirDefense surveyed the WLAN at the Las Vegas convention for two hours and identified more than 10 previously undocumented methods for wireless attacks. That information showed us that hackers had become a lot more creative in learning how to manipulate 802.11. The result was a new flavors of denial-of-service attacks, identity thefts and man-in-the-middle attacks.
During the two hours of monitoring the conference's WLAN, AirDefense identified eight sanctioned access points, 35 rogue access points and more than 800 different station addresses.
AirDefense's 802.11 security experts estimated that 200 to 300 of the station addresses were fakes because roughly 350 people were in the WLAN network room at a single time.
AirDefense discovered 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours.
Among the 807 attacks:
490 were wireless probes from tools such as Netstumbler and Kismet, which were used to scan the network and determine who was most vulnerable to greater attacks.
190 were identity thefts, such as when MAC addresses and SSIDs were spoofed to assume the identity of another user.
100 were varying forms of denial-of-service attacks that either jammed the airwaves with noise to shut down an access point, targeted specific stations by continually disconnecting them from an access point, or forced stations to route their traffic through other stations that ultimately didn't connect back to the network.
And 27 attacks came from out-of-specification management frames where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network.
Of the more than 10 new types of attacks identified by AirDefense, the company's 802.11 security experts determined that many were new forms of denial-of-service attacks. But an apparent danger came from the growing number of ways in which hackers have learned to abuse 802.11 protocols.
Source: ComputerWorld