Introduction

Real World Wireless Security
  Why Do We Concentrate on 802.11 Security?
  Getting a Grip on Reality: Wide Open 802.11 Networks Around Us
  The Future of 802.11 Security: Is It as Bright as It Seems?
  Summary

Under Siege
  Why Are "They" After Your Wireless Network?
  Wireless Crackers: Who Are They?
  Corporations, Small Companies, and Home Users: Targets Acquired
  Target Yourself: Penetration Testing as Your First Line of Defense
  Summary

Putting the Gear Together: 802.11 Hardware
  PDAs Versus Laptops
  PCMCIA and CF Wireless Cards
    Selecting or Assessing Your Wireless Client Card Chipset
    Selecting or Assessing Your Wireless Client Card RF Characteristics
  Antennas
  RF Amplifiers
  RF Cables and Connectors
  Summary

Making the Engine Run: 802.11 Drivers and Utilities
  Operating System, Open Source, and Closed Source
  The Engine: Chipsets, Drivers, and Commands
  Making Your Client Card Work with Linux and BSD
  Getting Used to Efficient Wireless Interface Configuration
    Linux Wireless Extensions
    Linux-wlan-ng Utilities
    Cisco Aironet Configuration
    Configuring Wireless Client Cards on BSD Systems
  Summary

Learning to WarDrive: Network Mapping and Site Surveying
  Active Scanning in Wireless Network Discovery
  Monitor Mode Network Discovery and Traffic Analysis Tools
    Kismet
    Wellenreiter
    Airtraf
    Gtkskan
    Airfart
    Mognet
    WifiScanner
    Miscellaneous Command-Line Scripts and Utilities
    BSD Tools for Wireless Network Discovery and Traffic Logging
    Tools That Use the iwlist scan Command
    RF Signal Strength Monitoring Tools
  Summary

Assembling the Arsenal: Tools of the Trade
  Encryption Cracking Tools
    WEP Crackers
    Tools to Retrieve WEP Keys Stored on the Client Hosts
    Traffic Injection Tools Used to Accelerate WEP Cracking
    802.1x Cracking Tools
  Wireless Frame-Generating Tools
    AirJack
    File2air
    Libwlan
    FakeAP
    Void11
    Wnet
  Wireless Encrypted Traffic Injection Tools: Wepwedgie
  Access Point Management Utilities
  Summary

Planning the Attack
  The "Rig"
  Network Footprinting
  Site Survey Considerations and Planning
  Proper Attack Timing and Battery Power Preservation
  Stealth Issues in Wireless Penetration Testing
  An Attack Sequence Walk-Through
  Summary

Breaking Through
  The Easiest Way to Get in
  A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering
  Picking a Trivial Lock: Various Means of Cracking WEP
    WEP Brute-Forcing
    The FMS Attack
    An Improved FMS Attack
  Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking
  Field Observations in WEP Cracking
  Cracking TKIP: The New Menace
  The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment
    DIY: Rogue Access Points and Wireless Bridges for Penetration Testing
    Hit or Miss: Physical Layer Man-in-the-Middle Attacks
    Phishing in the Air: Man-in-the-Middle Attacks Combined
  Breaking the Secure Safe
    Crashing the Doors: Authentication Systems Attacks
    Tapping the Tunnels: Attacks Against VPNs
  The Last Resort: Wireless DoS Attacks
    Physical Layer Attacks or Jamming
    Spoofed Deassociation and Deauthentication Frames Floods
    Spoofed Malformed Authentication Frame Attack
    Filling Up the Access Point Association and Authentication Buffers
    Frame Deletion Attack
    DoS Attacks Based on Specific Wireless Network Settings
    Attacks Against 802.11i Implementations
  Summary

Looting and Pillaging: The Enemy Inside
  Analyze the Network Traffic
    802.11 Frames
    Plaintext Data Transmission and Authentication Protocols
    Network Protocols with Known Insecurities
    DHCP, Routing, and Gateway Resilience Protocols
    Syslog and NTP Traffic
    Protocols That Shouldn't Be There
  Associate to WLAN and Detect Sniffers
  Identify the Hosts Present and Perform Passive Operating System Fingerprinting
  Scan and Exploit Vulnerable Hosts on WLAN
  Take the Attack to the Wired Side
  Check Wireless-to-Wired Gateway Egress Filtering Rules
  Summary

Building the Citadel: An Introduction to Wireless LAN Defense
  Wireless Security Policy: The Cornerstone
    Device Acceptability, Registration, Update, and Monitoring
    User Education and Responsibility
    Physical Security
    Physical Layer Security
    Network Deployment and Positioning
    Security Countermeasures
    Network Monitoring and Incident Response
    Network Security and Stability Audits
  Layer 1 Wireless Security Basics
  The Usefulness of WEP, Closed ESSIDs, MAC Filtering, and SSH Port Forwarding
  Secure Wireless Network Positioning and VLANs
    Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design
    Deploying a Linux-Based, Custom-Built Hardened Wireless Gateway
  Proprietary Improvements to WEP and WEP Usage
  802.11i Wireless Security Standard and WPA: The New Hope
    Introducing the Sentinel: 802.1x
    Patching the Major Hole: TKIP and CCMP
  Summary

Introduction to Applied Cryptography: Symmetric Ciphers
  Introduction to Applied Cryptography and Steganography
  Modern-Day Cipher Structure and Operation Modes
    A Classical Example: Dissecting DES
    Kerckhoff's Rule and Cipher Secrecy
    The 802.11i Primer: A Cipher to Help Another Cipher
    There Is More to a Cipher Than the Cipher: Understanding Cipher Operation Modes
  Bit by Bit: Streaming Ciphers and Wireless Security
  The Quest for AES
    AES (Rijndael)
    MARS
    RC6
    Twofish
    Serpent
  Between DES and AES: Common Ciphers of the Transition Period
    3DES
    Blowfish
    IDEA
  Selecting a Symmetric Cipher for Your Networking or Programming Needs
  Summary

Cryptographic Data Integrity Protection, Key Exchange, and User Authentication Mechanisms
  Cryptographic Hash Functions
    Dissecting an Example Standard One-Way Hash Function
    Hash Functions, Their Performance, and HMACs
    MIC: Weaker But Faster
  Asymmetric Cryptography: A Different Animal
    The Examples of Asymmetric Ciphers: ElGamal, RSA, and Elliptic Curves
    Practical Use of Asymmetric Cryptography: Key Distribution, Authentication, and Digital Signatures
  Summary

The Fortress Gates: User Authentication in Wireless Security
  RADIUS
    Basics of AAA Framework
    An Overview of the RADIUS Protocol
      RADIUS Features
      Packet Formats
      Packet Types
    Installation of FreeRADIUS
      Configuration
      User Accounting
    RADIUS Vulnerabilities
      Response Authenticator Attack
      Password Attribute-Based Shared Secret Attack
      User Password-Based Attack
      Request Authenticator-Based Attacks
      Replay of Server Responses
      Shared Secret Issues
    RADIUS-Related Tools
  802.1x: The Gates to Your Wireless Fortress
    Basics of EAP-TLS
    FreeRADIUS Integration
    Supplicants
    An Example of Access Point Configuration: Orinoco AP-2000
  LDAP
    Overview
    Installation of OpenLDAP
    Configuration of OpenLDAP
    Testing LDAP
    Populating the LDAP Database
    Centralizing Authentication with LDAP
    Mobile Users and LDAP
    LDAP-Related Tools
  NoCat: An Alternative Method of Wireless User Authentication
    Installation and Configuration of NoCat Gateway
    Installation and Configuration of Authentication Server
  Summary

Guarding the Airwaves: Deploying Higher-Layer Wireless VPNs
  Why You Might Want to Deploy a VPN
  VPN Topologies Review: The Wireless Perspective
    Network-to-Network
    Host-to-Network
    Host-to-Host
    Star
    Mesh
  Common VPN and Tunneling Protocols
    IPSec
    PPTP
    GRE
    L2TP
  Alternative VPN Implementations
    cIPe
    OpenVPN
    VTun
  The Main Player in the Field: IPSec Protocols, Operations, and Modes Overview
    Security Associations
    AH
    ESP
    IP Compression
  IPSec Key Exchange and Management Protocol
    IKE
    Perfect Forward Secrecy
    Dead Peer Discovery
    IPSec Road Warrior
    Opportunistic Encryption
  Deploying Affordable IPSec VPNs with FreeS/WAN
    FreeS/WAN Compilation
    FreeS/WAN Configuration
    Network-to-Network VPN Topology Setting
    Host-to-Network VPN Topology Setting
    Windows 2000 Client Setup
    Windows 2000 IPSec Client Configuration
  Summary

Counterintelligence: Wireless IDS Systems
  Categorizing Suspicious Events on WLANs
    RF/Physical Layer Events
    Management/Control Frames Events
    802.1x/EAP Frames Events
    WEP-Related Events
    General Connectivity/Traffic Flow Events
    Miscellaneous Events
  Examples and Analysis of Common Wireless Attack Signatures
  Radars Up! Deploying a Wireless IDS Solution for Your WLAN
    Commercial Wireless IDS Systems
    Open Source Wireless IDS Settings and Configuration
    A Few Recommendations for DIY Wireless IDS Sensor Construction
  Summary

Afterword

Decibel-Watts Conversion Table

802.11 Wireless Equipment

Antenna Irradiation Patterns
  Omni-Directionals
  Semi-Directionals
  Highly-Directionals

Wireless Utilities Manpages
  Iwconfig
  Iwpriv
  Iwlist
  Wicontrol
  Ancontrol

Signal Loss for Obstacle Types

Warchalking Signs
  Original Signs
  Proposed New Signs

Wireless Penetration Testing Template
  Arhont Ltd Wireless Network Security and Stability Audit Checklist Template
    Reasons for an audit
    Preliminary investigations
    Wireless site survey
    Network security features present
    Network problems / anomalies detected
    Wireless penetration testing procedure
    Final recommendations

Default SSIDs for Several Common 802.11 Products

Glossary

Index