Foreword

Introduction
    Who Should Read This Book?
    About This Book
    How to Use This Book
    Foolish Assumptions
    How This Book Is Organized
    Icons Used in This Book
    Where to Go from Here

Building the Foundation for Testing Wireless Networks

    Introduction to Wireless Hacking
        Why You Need to Test Your Wireless Systems
            Knowing the dangers your systems face
            Understanding the enemy
            Wireless-network complexities
        Getting Your Ducks in a Row
        Gathering the Right Tools
        To Protect, You Must Inspect
            Non-technical attacks
            Network attacks
            Software attacks

    The Wireless Hacking Process
        Obeying the Ten Commandments of Ethical Hacking
            Thou shalt set thy goals
            Thou shalt plan thy work, lest thou go off course
            Thou shalt obtain permission
            Thou shalt work ethically
            Thou shalt keep records
            Thou shalt respect the privacy of others
            Thou shalt do no harm
            Thou shalt use a "scientific" process
            Thou shalt not covet thy neighbor's tools
            Thou shalt report all thy findings
        Understanding Standards
            Using ISO 17799
            Using CobiT
            Using SSE-CMM
            Using ISSAF
            Using OSSTMM

    Implementing a Testing Methodology
        Determining What Others Know
            What you should look for
            Footprinting: Gathering what's in the public eye
        Mapping Your Network
        Scanning Your Systems
        Determining More about What's Running
        Performing a Vulnerability Assessment
            Manual assessment
            Automatic assessment
            Finding more information
        Penetrating the System

    Amassing Your War Chest
        Choosing Your Hardware
            The personal digital assistant
            The portable or laptop
        Hacking Software
            Using software emulators
            Linux distributions on CD
            Stumbling tools
            You got the sniffers?
        Picking Your Transceiver
            Determining your chipset
            Buying a wireless NIC
        Extending Your Range
        Using GPS
        Signal Jamming

Getting Rolling with Common Wi-Fi Hacks

    Human (In)Security
        What Can Happen
        Ignoring the Issues
        Social Engineering
            Passive tests
            Active tests
        Unauthorized Equipment
        Default Settings
        Weak Passwords
        Human (In)Security Countermeasures
            Enforce a wireless security policy
            Train and educate
            Keep people in the know
            Scan for unauthorized equipment
            Secure your systems from the start

    Containing the Airwaves
        Signal Strength
            Using Linux Wireless Extension and Wireless Tools
            Using Wavemon
            Using Wscan
            Using Wmap
            Using XNetworkStrength
            Using Wimon
            Other link monitors
        Network Physical Security Countermeasures
            Checking for unauthorized users
            Antenna type
            Adjusting your signal strength

    Hacking Wireless Clients
        What Can Happen
        Probing for Pleasure
            Port scanning
            Using VPNMonitor
        Looking for General Client Vulnerabilities
            Common AP weaknesses
            Linux application mapping
            Windows null sessions
        Ferreting Out WEP Keys
        Wireless Client Countermeasures

    Discovering Default Settings
        Collecting Information
            Are you for Ethereal?
            This is AirTraf control, you are cleared to sniff
            Let me AiroPeek at your data
            Another CommView of your data
            Gulpit
            That's Mognet not magnet
            Other analyzers
        Cracking Passwords
            Using Cain & Abel
            Using dsniff
        Gathering IP Addresses
        Gathering SSIDs
            Using essid_jack
            Using SSIDsniff
        Default-Setting Countermeasures
            Change SSIDs
            Don't broadcast SSIDs
            Using pong
            Detecting sniffers

    Wardriving
        Introducing Wardriving
        Installing and Running NetStumbler
        Setting Up NetStumbler
        Interpreting the Results
        Mapping Your Stumbling
            Using StumbVerter and MapPoint
            Using Microsoft Streets & Trips
            Using DiGLE

Advanced Wi-Fi Hacks

    Still at War
        Using Advanced Wardriving Software
            Installing and using Kismet
            Installing and using Wellenreiter
            Using WarLinux
            Installing and using MiniStumbler
            Using other wardriving software
        Organization Wardriving Countermeasures
            Using Kismet
            Disabling probe responses
            Increasing beacon broadcast intervals
            Fake 'em out with a honeypot

    Unauthorized Wireless Devices
        What Can Happen
        Wireless System Configurations
        Characteristics of Unauthorized Systems
        Wireless Client Software
        Stumbling Software
        Network-Analysis Software
            Browsing the network
            Probing further
        Additional Software Options
        Online Databases
        Unauthorized System Countermeasures

    Network Attacks
        What Can Happen
        MAC-Address Spoofing
            Changing your MAC in Linux
            Tweaking your Windows settings
            SMAC'ing your address
            A walk down MAC-Spoofing Lane
        Who's that Man in the Middle?
            Management-frame attacks
            ARP-poisoning attacks
        SNMP: That's Why They Call It Simple
        All Hail the Queensland Attack
        Sniffing for Network Problems
            Network-analysis programs
            Network analyzer tips
            Weird stuff to look for
        Network Attack Countermeasures

    Denial-of-Service Attacks
        What Can Happen
            Types of DoS attacks
            It's so easy
        We Be Jamming
            Common signal interrupters
            What jamming looks like
            Fight the power generators
        AP Overloading
            Guilty by association
            Too much traffic
        Are You Dis'ing Me?
            Disassociations
            Deauthentications
            Invalid authentications via fata_jack
        Physical Insecurities
        DoS Countermeasures
            Know what's normal
            Contain your radio waves
            Limit bandwidth
            Use a Network Monitoring System
            Use a WIDS
            Attack back
            Demand fixes

    Cracking Encryption
        What Can Happen
        Protecting Message Privacy
        Protecting Message Integrity
        Using Encryption
        WEP Weaknesses
        Other WEP Problems to Look For
        Attacking WEP
            Active traffic injection
            Active attack from both sides
            Table-based attack
            Passive attack decryption
        Cracking Keys
            Using WEPcrack
            Using AirSnort
            Using aircrack
            Using WepLab
            Finding other tools
        Countermeasures Against Home Network-Encryption Attacks
            Rotating keys
            Using WPA
        Organization Encryption Attack Countermeasures
            Using WPA2
            Using a VPN

    Authenticating Users
        Three States of Authentication
            Authentication according to IEEE 802.11
        I Know Your Secret
        Have We Got EAP?
            This method seems easy to digest
            Not another PEAP out of you
            Another big LEAP for mankind
            That was EAP-FAST
            Beam me up, EAP-TLS
            EAP-TTLS: That's funky software
        Implementing 802.1X
        Cracking LEAP
            Using asleap
            Using THC-LEAPcracker
            Using anwrap
        Network Authentication Countermeasures
            WPA improves the 802.11 picture
            Using WPA2
            Using a VPN
            WIDS
            Use the right EAP
            Setting up a WDMZ
            Using the Auditor Collection

The Part of Tens

    Ten Essential Tools for Hacking Wireless Networks
        Laptop Computer
        Wireless Network Card
        Antennas and Connecting Cables
        GPS Receiver
        Stumbling Software
        Wireless Network Analyzer
        Port Scanner
        Vulnerability Assessment Tool
        Google
        An 802.11 Reference Guide

    Ten Wireless Security-Testing Mistakes
        Skipping the Planning Process
        Not Involving Others in Testing
        Not Using a Methodology
        Forgetting to Unbind the NIC When Wardriving
        Failing to Get Written Permission to Test
        Failing to Equip Yourself with the Proper Tools
        Over-Penetrating Live Networks
        Using Data Improperly
        Failing to Report Results or Follow Up
        Breaking the Law

    Ten Tips for Following Up after Your Testing
        Organize and Prioritize Your Results
        Prepare a Professional Report
        Retest If Necessary
        Obtain Sign-Off
        Plug the Holes You Find
        Document the Lessons Learned
        Repeat Your Tests
        Monitor Your Airwaves
        Practice Using Your Wireless Tools
        Keep Up with Wireless Security Issues

Appendixes

    Wireless Hacking Resources
        Certifications
        General Resources
        Hacker Stuff
        Wireless Organizations
            Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org
            Wi-Fi Alliance (formerly WECA): www.wifialliance.com
        Local Wireless Groups
        Security Awareness and Training
        Wireless Tools
            General tools
            Vulnerability databases
            Linux distributions
            Software emulators
            RF prediction software
            RF monitoring
            Antennae
            Wardriving
            Wireless IDS/IPS vendors
            Wireless sniffers
            WEP/WPA cracking
            Cracking passwords
            Dictionary files and word lists
            Gathering IP addresses and SSIDs
            LEAP crackers
            Network mapping
            Network scanners

    Glossary of Acronyms

Index