| |
| |
| Introduction | |
| |
| |
| |
| Real World Wireless Security | |
| |
| |
| Why Do We Concentrate on 802.11 Security? | |
| |
| |
| Getting a Grip on Reality: Wide Open 802.11 Networks Around Us | |
| |
| |
| The Future of 802.11 Security: Is It as Bright as It Seems? | |
| |
| |
| Summary | |
| |
| |
| |
| Under Siege | |
| |
| |
| Why Are "They" After Your Wireless Network? | |
| |
| |
| Wireless Crackers: Who Are They? | |
| |
| |
| Corporations, Small Companies, and Home Users: Targets Acquired | |
| |
| |
| Target Yourself: Penetration Testing as Your First Line of Defense | |
| |
| |
| Summary | |
| |
| |
| |
| Putting the Gear Together: 802.11 Hardware | |
| |
| |
| PDAs Versus Laptops | |
| |
| |
| PCMCIA and CF Wireless Cards | |
| |
| |
| Selecting or Assessing Your Wireless Client Card Chipset | |
| |
| |
| Selecting or Assessing Your Wireless Client Card RF Characteristics | |
| |
| |
| Antennas | |
| |
| |
| RF Amplifiers | |
| |
| |
| RF Cables and Connectors | |
| |
| |
| Summary | |
| |
| |
| |
| Making the Engine Run: 802.11 Drivers and Utilities | |
| |
| |
| Operating System, Open Source, and Closed Source | |
| |
| |
| The Engine: Chipsets, Drivers, and Commands | |
| |
| |
| Making Your Client Card Work with Linux and BSD | |
| |
| |
| Getting Used to Efficient Wireless Interface Configuration | |
| |
| |
| Linux Wireless Extensions | |
| |
| |
| Linux-wlan-ng Utilities | |
| |
| |
| Cisco Aironet Configuration | |
| |
| |
| Configuring Wireless Client Cards on BSD Systems | |
| |
| |
| Summary | |
| |
| |
| |
| Learning to WarDrive: Network Mapping and Site Surveying | |
| |
| |
| Active Scanning in Wireless Network Discovery | |
| |
| |
| Monitor Mode Network Discovery and Traffic Analysis Tools | |
| |
| |
| Kismet | |
| |
| |
| Wellenreiter | |
| |
| |
| Airtraf | |
| |
| |
| Gtkskan | |
| |
| |
| Airfart | |
| |
| |
| Mognet | |
| |
| |
| WifiScanner | |
| |
| |
| Miscellaneous Command-Line Scripts and Utilities | |
| |
| |
| BSD Tools for Wireless Network Discovery and Traffic Logging | |
| |
| |
| Tools That Use the iwlist scan Command | |
| |
| |
| RF Signal Strength Monitoring Tools | |
| |
| |
| Summary | |
| |
| |
| |
| Assembling the Arsenal: Tools of the Trade | |
| |
| |
| Encryption Cracking Tools | |
| |
| |
| WEP Crackers | |
| |
| |
| Tools to Retrieve WEP Keys Stored on the Client Hosts | |
| |
| |
| Traffic Injection Tools Used to Accelerate WEP Cracking | |
| |
| |
| 802.1x Cracking Tools | |
| |
| |
| Wireless Frame-Generating Tools | |
| |
| |
| AirJack | |
| |
| |
| File2air | |
| |
| |
| Libwlan | |
| |
| |
| FakeAP | |
| |
| |
| Void11 | |
| |
| |
| Wnet | |
| |
| |
| Wireless Encrypted Traffic Injection Tools: Wepwedgie | |
| |
| |
| Access Point Management Utilities | |
| |
| |
| Summary | |
| |
| |
| |
| Planning the Attack | |
| |
| |
| The "Rig" | |
| |
| |
| Network Footprinting | |
| |
| |
| Site Survey Considerations and Planning | |
| |
| |
| Proper Attack Timing and Battery Power Preservation | |
| |
| |
| Stealth Issues in Wireless Penetration Testing | |
| |
| |
| An Attack Sequence Walk-Through | |
| |
| |
| Summary | |
| |
| |
| |
| Breaking Through | |
| |
| |
| The Easiest Way to Get in | |
| |
| |
| A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering | |
| |
| |
| Picking a Trivial Lock: Various Means of Cracking WEP | |
| |
| |
| WEP Brute-Forcing | |
| |
| |
| The FMS Attack | |
| |
| |
| An Improved FMS Attack | |
| |
| |
| Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking | |
| |
| |
| Field Observations in WEP Cracking | |
| |
| |
| Cracking TKIP: The New Menace | |
| |
| |
| The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment | |
| |
| |
| DIY: Rogue Access Points and Wireless Bridges for Penetration Testing | |
| |
| |
| Hit or Miss: Physical Layer Man-in-the-Middle Attacks | |
| |
| |
| Phishing in the Air: Man-in-the-Middle Attacks Combined | |
| |
| |
| Breaking the Secure Safe | |
| |
| |
| Crashing the Doors: Authentication Systems Attacks | |
| |
| |
| Tapping the Tunnels: Attacks Against VPNs | |
| |
| |
| The Last Resort: Wireless DoS Attacks | |
| |
| |
| |
| Physical Layer Attacks or Jamming | |
| |
| |
| |
| Spoofed Deassociation and Deauthentication Frames Floods | |
| |
| |
| |
| Spoofed Malformed Authentication Frame Attack | |
| |
| |
| |
| Filling Up the Access Point Association and Authentication Buffers | |
| |
| |
| |
| Frame Deletion Attack | |
| |
| |
| |
| DoS Attacks Based on Specific Wireless Network Settings | |
| |
| |
| |
| Attacks Against 802.11i Implementations | |
| |
| |
| Summary | |
| |
| |
| |
| Looting and Pillaging: The Enemy Inside | |
| |
| |
| |
| Analyze the Network Traffic | |
| |
| |
| 802.11 Frames | |
| |
| |
| Plaintext Data Transmission and Authentication Protocols | |
| |
| |
| Network Protocols with Known Insecurities | |
| |
| |
| DHCP, Routing, and Gateway Resilience Protocols | |
| |
| |
| Syslog and NTP Traffic | |
| |
| |
| Protocols That Shouldn't Be There | |
| |
| |
| |
| Associate to WLAN and Detect Sniffers | |
| |
| |
| |
| Identify the Hosts Present and Perform Passive Operating System Fingerprinting | |
| |
| |
| |
| Scan and Exploit Vulnerable Hosts on WLAN | |
| |
| |
| |
| Take the Attack to the Wired Side | |
| |
| |
| |
| Check Wireless-to-Wired Gateway Egress Filtering Rules | |
| |
| |
| Summary | |
| |
| |
| |
| Building the Citadel: An Introduction to Wireless LAN Defense | |
| |
| |
| Wireless Security Policy: The Cornerstone | |
| |
| |
| |
| Device Acceptability, Registration, Update, and Monitoring | |
| |
| |
| |
| User Education and Responsibility | |
| |
| |
| |
| Physical Security | |
| |
| |
| |
| Physical Layer Security | |
| |
| |
| |
| Network Deployment and Positioning | |
| |
| |
| |
| Security Countermeasures | |
| |
| |
| |
| Network Monitoring and Incident Response | |
| |
| |
| |
| Network Security and Stability Audits | |
| |
| |
| Layer 1 Wireless Security Basics | |
| |
| |
| The Usefulness of WEP, Closed ESSIDs, MAC Filtering, and SSH Port Forwarding | |
| |
| |
| Secure Wireless Network Positioning and VLANs | |
| |
| |
| Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design | |
| |
| |
| Deploying a Linux-Based, Custom-Built Hardened Wireless Gateway | |
| |
| |
| Proprietary Improvements to WEP and WEP Usage | |
| |
| |
| 802.11i Wireless Security Standard and WPA: The New Hope | |
| |
| |
| Introducing the Sentinel: 802.1x | |
| |
| |
| Patching the Major Hole: TKIP and CCMP | |
| |
| |
| Summary | |
| |
| |
| |
| Introduction to Applied Cryptography: Symmetric Ciphers | |
| |
| |
| Introduction to Applied Cryptography and Steganography | |
| |
| |
| Modern-Day Cipher Structure and Operation Modes | |
| |
| |
| A Classical Example: Dissecting DES | |
| |
| |
| Kerckhoff's Rule and Cipher Secrecy | |
| |
| |
| The 802.11i Primer: A Cipher to Help Another Cipher | |
| |
| |
| There Is More to a Cipher Than the Cipher: Understanding Cipher Operation Modes | |
| |
| |
| Bit by Bit: Streaming Ciphers and Wireless Security | |
| |
| |
| The Quest for AES | |
| |
| |
| AES (Rijndael) | |
| |
| |
| MARS | |
| |
| |
| RC6 | |
| |
| |
| Twofish | |
| |
| |
| Serpent | |
| |
| |
| Between DES and AES: Common Ciphers of the Transition Period | |
| |
| |
| 3DES | |
| |
| |
| Blowfish | |
| |
| |
| IDEA | |
| |
| |
| Selecting a Symmetric Cipher for Your Networking or Programming Needs | |
| |
| |
| Summary | |
| |
| |
| |
| Cryptographic Data Integrity Protection, Key Exchange, and User Authentication Mechanisms | |
| |
| |
| Cryptographic Hash Functions | |
| |
| |
| Dissecting an Example Standard One-Way Hash Function | |
| |
| |
| Hash Functions, Their Performance, and HMACs | |
| |
| |
| MIC: Weaker But Faster | |
| |
| |
| Asymmetric Cryptography: A Different Animal | |
| |
| |
| The Examples of Asymmetric Ciphers: ElGamal, RSA, and Elliptic Curves | |
| |
| |
| Practical Use of Asymmetric Cryptography: Key Distribution, Authentication, and Digital Signatures | |
| |
| |
| Summary | |
| |
| |
| |
| The Fortress Gates: User Authentication in Wireless Security | |
| |
| |
| Radius | |
| |
| |
| Basics of AAA Framework | |
| |
| |
| An Overview of the RADIUS Protocol | |
| |
| |
| RADIUS Features | |
| |
| |
| Packet Formats | |
| |
| |
| Packet Types | |
| |
| |
| Installation of FreeRADIUS | |
| |
| |
| Configuration | |
| |
| |
| User Accounting | |
| |
| |
| RADIUS Vulnerabilities | |
| |
| |
| Response Authenticator Attack | |
| |
| |
| Password Attribute-Based Shared Secret Attack | |
| |
| |
| User Password-Based Attack | |
| |
| |
| Request Authenticator-Based Attacks | |
| |
| |
| Replay of Server Responses | |
| |
| |
| Shared Secret Issues | |
| |
| |
| RADIUS-Related Tools | |
| |
| |
| 802.1x: The Gates to Your Wireless Fortress | |
| |
| |
| Basics of EAP-TLS | |
| |
| |
| FreeRADIUS Integration | |
| |
| |
| Supplicants | |
| |
| |
| An Example of Access Point Configuration: Orinoco AP-2000 | |
| |
| |
| LDAP | |
| |
| |
| Overview | |
| |
| |
| Installation of OpenLDAP | |
| |
| |
| Configuration of OpenLDAP | |
| |
| |
| Testing LDAP | |
| |
| |
| Populating the LDAP Database | |
| |
| |
| Centralizing Authentication with LDAP | |
| |
| |
| Mobile Users and LDAP | |
| |
| |
| LDAP-Related Tools | |
| |
| |
| NoCat: An Alternative Method of Wireless User Authentication | |
| |
| |
| Installation and Configuration of NoCat Gateway | |
| |
| |
| Installation and Configuration of Authentication Server | |
| |
| |
| Summary | |
| |
| |
| |
| Guarding the Airwaves: Deploying Higher-Layer Wireless VPNs | |
| |
| |
| Why You Might Want to Deploy a VPN | |
| |
| |
| VPN Topologies Review: The Wireless Perspective | |
| |
| |
| Network-to-Network | |
| |
| |
| Host-to-Network | |
| |
| |
| Host-to-Host | |
| |
| |
| Star | |
| |
| |
| Mesh | |
| |
| |
| Common VPN and Tunneling Protocols | |
| |
| |
| IPSec | |
| |
| |
| PPTP | |
| |
| |
| GRE | |
| |
| |
| L2TP | |
| |
| |
| Alternative VPN Implementations | |
| |
| |
| cIPe | |
| |
| |
| OpenVPN | |
| |
| |
| VTun | |
| |
| |
| The Main Player in the Field: IPSec Protocols, Operations, and Modes Overview | |
| |
| |
| Security Associations | |
| |
| |
| AH | |
| |
| |
| ESP | |
| |
| |
| IP Compression | |
| |
| |
| IPSec Key Exchange and Management Protocol | |
| |
| |
| IKE | |
| |
| |
| Perfect Forward Secrecy | |
| |
| |
| Dead Peer Discovery | |
| |
| |
| IPSec Road Warrior | |
| |
| |
| Opportunistic Encryption | |
| |
| |
| Deploying Affordable IPSec VPNs with FreeS/WAN | |
| |
| |
| FreeS/WAN Compilation | |
| |
| |
| FreeS/WAN Configuration | |
| |
| |
| Network-to-Network VPN Topology Setting | |
| |
| |
| Host-to-Network VPN Topology Setting | |
| |
| |
| Windows 2000 Client Setup | |
| |
| |
| Windows 2000 IPSec Client Configuration | |
| |
| |
| Summary | |
| |
| |
| |
| Counterintelligence: Wireless IDS Systems | |
| |
| |
| Categorizing Suspicious Events on WLANs | |
| |
| |
| |
| RF/Physical Layer Events | |
| |
| |
| |
| Management/Control Frames Events | |
| |
| |
| |
| 802.1x/EAP Frames Events | |
| |
| |
| |
| WEP-Related Events | |
| |
| |
| |
| General Connectivity/Traffic Flow Events | |
| |
| |
| |
| Miscellaneous Events | |
| |
| |
| Examples and Analysis of Common Wireless Attack Signatures | |
| |
| |
| Radars Up! Deploying a Wireless IDS Solution for Your WLAN | |
| |
| |
| Commercial Wireless IDS Systems | |
| |
| |
| Open Source Wireless IDS Settings and Configuration | |
| |
| |
| A Few Recommendations for DIY Wireless IDS Sensor Construction | |
| |
| |
| Summary | |
| |
| |
| Afterword | |
| |
| |
| |
| Decibel-Watts Conversion Table | |
| |
| |
| |
| 802.11 Wireless Equipment | |
| |
| |
| |
| Antenna Irradiation Patterns | |
| |
| |
| Omni-Directionals | |
| |
| |
| Semi-Directionals | |
| |
| |
| Highly-Directionals | |
| |
| |
| |
| Wireless Utilities Manpages | |
| |
| |
| |
| Iwconfig | |
| |
| |
| |
| Iwpriv | |
| |
| |
| |
| Iwlist | |
| |
| |
| |
| Wicontrol | |
| |
| |
| |
| Ancontrol | |
| |
| |
| |
| Signal Loss for Obstacle Types | |
| |
| |
| |
| Warchalking Signs | |
| |
| |
| Original Signs | |
| |
| |
| Proposed New Signs | |
| |
| |
| |
| Wireless Penetration Testing Template | |
| |
| |
| Arhont Ltd Wireless Network Security and Stability Audit Checklist Template | |
| |
| |
| |
| Reasons for an audit | |
| |
| |
| |
| Preliminary investigations | |
| |
| |
| |
| Wireless site survey | |
| |
| |
| |
| Network security features present | |
| |
| |
| |
| Network problems / anomalies detected | |
| |
| |
| |
| Wireless penetration testing procedure | |
| |
| |
| |
| Final recommendations | |
| |
| |
| |
| Default SSIDs for Several Common 802.11 Products | |
| |
| |
| Glossary | |
| |
| |
| Index | |