| |
| |
| Foreword | |
| |
| |
| Introduction | |
| |
| |
| Who Should Read This Book? | |
| |
| |
| About This Book | |
| |
| |
| How to Use This Book | |
| |
| |
| Foolish Assumptions | |
| |
| |
| How This Book Is Organized | |
| |
| |
| Icons Used in This Book | |
| |
| |
| Where to Go from Here | |
| |
| |
| |
| Building the Foundation for Testing Wireless Networks | |
| |
| |
| |
| Introduction to Wireless Hacking | |
| |
| |
| Why You Need to Test Your Wireless Systems | |
| |
| |
| Knowing the dangers your systems face | |
| |
| |
| Understanding the enemy | |
| |
| |
| Wireless-network complexities | |
| |
| |
| Getting Your Ducks in a Row | |
| |
| |
| Gathering the Right Tools | |
| |
| |
| To Protect, You Must Inspect | |
| |
| |
| Non-technical attacks | |
| |
| |
| Network attacks | |
| |
| |
| Software attacks | |
| |
| |
| |
| The Wireless Hacking Process | |
| |
| |
| Obeying the Ten Commandments of Ethical Hacking | |
| |
| |
| Thou shalt set thy goals | |
| |
| |
| Thou shalt plan thy work, lest thou go off course | |
| |
| |
| Thou shalt obtain permission | |
| |
| |
| Thou shalt work ethically | |
| |
| |
| Thou shalt keep records | |
| |
| |
| Thou shalt respect the privacy of others | |
| |
| |
| Thou shalt do no harm | |
| |
| |
| Thou shalt use a "scientific" process | |
| |
| |
| Thou shalt not covet thy neighbor's tools | |
| |
| |
| Thou shalt report all thy findings | |
| |
| |
| Understanding Standards | |
| |
| |
| Using ISO 17799 | |
| |
| |
| Using CobiT | |
| |
| |
| Using SSE-CMM | |
| |
| |
| Using ISSAF | |
| |
| |
| Using OSSTMM | |
| |
| |
| |
| Implementing a Testing Methodology | |
| |
| |
| Determining What Others Know | |
| |
| |
| What you should look for | |
| |
| |
| Footprinting: Gathering what's in the public eye | |
| |
| |
| Mapping Your Network | |
| |
| |
| Scanning Your Systems | |
| |
| |
| Determining More about What's Running | |
| |
| |
| Performing a Vulnerability Assessment | |
| |
| |
| Manual assessment | |
| |
| |
| Automatic assessment | |
| |
| |
| Finding more information | |
| |
| |
| Penetrating the System | |
| |
| |
| |
| Amassing Your War Chest | |
| |
| |
| Choosing Your Hardware | |
| |
| |
| The personal digital assistant | |
| |
| |
| The portable or laptop | |
| |
| |
| Hacking Software | |
| |
| |
| Using software emulators | |
| |
| |
| Linux distributions on CD | |
| |
| |
| Stumbling tools | |
| |
| |
| You got the sniffers? | |
| |
| |
| Picking Your Transceiver | |
| |
| |
| Determining your chipset | |
| |
| |
| Buying a wireless NIC | |
| |
| |
| Extending Your Range | |
| |
| |
| Using GPS | |
| |
| |
| Signal Jamming | |
| |
| |
| |
| Getting Rolling with Common Wi-Fi Hacks | |
| |
| |
| |
| Human (In) Security | |
| |
| |
| What Can Happen | |
| |
| |
| Ignoring the Issues | |
| |
| |
| Social Engineering | |
| |
| |
| Passive tests | |
| |
| |
| Active tests | |
| |
| |
| Unauthorized Equipment | |
| |
| |
| Default Settings | |
| |
| |
| Weak Passwords | |
| |
| |
| Human (In)Security Countermeasures | |
| |
| |
| Enforce a wireless security policy | |
| |
| |
| Train and educate | |
| |
| |
| Keep people in the know | |
| |
| |
| Scan for unauthorized equipment | |
| |
| |
| Secure your systems from the start | |
| |
| |
| |
| Containing the Airwaves | |
| |
| |
| Signal Strength | |
| |
| |
| Using Linux Wireless Extension and Wireless Tools | |
| |
| |
| Using Wavemon | |
| |
| |
| Using Wscan | |
| |
| |
| Using Wmap | |
| |
| |
| Using XNetworkStrength | |
| |
| |
| Using Wimon | |
| |
| |
| Other link monitors | |
| |
| |
| Network Physical Security Countermeasures | |
| |
| |
| Checking for unauthorized users | |
| |
| |
| Antenna type | |
| |
| |
| Adjusting your signal strength | |
| |
| |
| |
| Hacking Wireless Clients | |
| |
| |
| What Can Happen | |
| |
| |
| Probing for Pleasure | |
| |
| |
| Port scanning | |
| |
| |
| Using VPNMonitor | |
| |
| |
| Looking for General Client Vulnerabilities | |
| |
| |
| Common AP weaknesses | |
| |
| |
| Linux application mapping | |
| |
| |
| Windows null sessions | |
| |
| |
| Ferreting Out WEP Keys | |
| |
| |
| Wireless Client Countermeasures | |
| |
| |
| |
| Discovering Default Settings | |
| |
| |
| Collecting Information | |
| |
| |
| Are you for Ethereal? | |
| |
| |
| This is AirTraf control, you are cleared to sniff | |
| |
| |
| Let me AiroPeek at your data | |
| |
| |
| Another CommView of your data | |
| |
| |
| Gulpit | |
| |
| |
| That's Mognet not magnet | |
| |
| |
| Other analyzers | |
| |
| |
| Cracking Passwords | |
| |
| |
| Using Cain & Abel | |
| |
| |
| Using dsniff | |
| |
| |
| Gathering IP Addresses | |
| |
| |
| Gathering SSIDs | |
| |
| |
| Using essid_jack | |
| |
| |
| Using SSIDsniff | |
| |
| |
| Default-Setting Countermeasures | |
| |
| |
| Change SSIDs | |
| |
| |
| Don't broadcast SSIDs | |
| |
| |
| Using pong | |
| |
| |
| Detecting sniffers | |
| |
| |
| |
| Wardriving | |
| |
| |
| Introducing Wardriving | |
| |
| |
| Installing and Running NetStumbler | |
| |
| |
| Setting Up NetStumbler | |
| |
| |
| Interpreting the Results | |
| |
| |
| Mapping Your Stumbling | |
| |
| |
| Using StumbVerter and MapPoint | |
| |
| |
| Using Microsoft Streets & Trips | |
| |
| |
| Using DiGLE | |
| |
| |
| |
| Advanced Wi-Fi Hacks | |
| |
| |
| |
| Still at War | |
| |
| |
| Using Advanced Wardriving Software | |
| |
| |
| Installing and using Kismet | |
| |
| |
| Installing and using Wellenreiter | |
| |
| |
| Using WarLinux | |
| |
| |
| Installing and using MiniStumbler | |
| |
| |
| Using other wardriving software | |
| |
| |
| Organization Wardriving Countermeasures | |
| |
| |
| Using Kismet | |
| |
| |
| Disabling probe responses | |
| |
| |
| Increasing beacon broadcast intervals | |
| |
| |
| Fake 'em out with a honeypot | |
| |
| |
| |
| Unauthorized Wireless Devices | |
| |
| |
| What Can Happen | |
| |
| |
| Wireless System Configurations | |
| |
| |
| Characteristics of Unauthorized Systems | |
| |
| |
| Wireless Client Software | |
| |
| |
| Stumbling Software | |
| |
| |
| Network-Analysis Software | |
| |
| |
| Browsing the network | |
| |
| |
| Probing further | |
| |
| |
| Additional Software Options | |
| |
| |
| Online Databases | |
| |
| |
| Unauthorized System Countermeasures | |
| |
| |
| |
| Network Attacks | |
| |
| |
| What Can Happen | |
| |
| |
| MAC-Address Spoofing | |
| |
| |
| Changing your MAC in Linux | |
| |
| |
| Tweaking your Windows settings | |
| |
| |
| SMAC'ing your address | |
| |
| |
| A walk down MAC-Spoofing Lane | |
| |
| |
| Who's that Man in the Middle? | |
| |
| |
| Management-frame attacks | |
| |
| |
| ARP-poisoning attacks | |
| |
| |
| SNMP: That's Why They Call It Simple | |
| |
| |
| All Hail the Queensland Attack | |
| |
| |
| Sniffing for Network Problems | |
| |
| |
| Network-analysis programs | |
| |
| |
| Network analyzer tips | |
| |
| |
| Weird stuff to look for | |
| |
| |
| Network Attack Countermeasures | |
| |
| |
| |
| Denial-of-Service Attacks | |
| |
| |
| What Can Happen | |
| |
| |
| Types of DoS attacks | |
| |
| |
| It's so easy | |
| |
| |
| We Be Jamming | |
| |
| |
| Common signal interrupters | |
| |
| |
| What jamming looks like | |
| |
| |
| Fight the power generators | |
| |
| |
| AP Overloading | |
| |
| |
| Guilty by association | |
| |
| |
| Too much traffic | |
| |
| |
| Are You Dis'ing Me? | |
| |
| |
| Disassociations | |
| |
| |
| Deauthentications | |
| |
| |
| Invalid authentications via fata_jack | |
| |
| |
| Physical Insecurities | |
| |
| |
| DoS Countermeasures | |
| |
| |
| Know what's normal | |
| |
| |
| Contain your radio waves | |
| |
| |
| Limit bandwidth | |
| |
| |
| Use a Network Monitoring System | |
| |
| |
| Use a WIDS | |
| |
| |
| Attack back | |
| |
| |
| Demand fixes | |
| |
| |
| |
| Cracking Encryption | |
| |
| |
| What Can Happen | |
| |
| |
| Protecting Message Privacy | |
| |
| |
| Protecting Message Integrity | |
| |
| |
| Using Encryption | |
| |
| |
| WEP Weaknesses | |
| |
| |
| Other WEP Problems to Look For | |
| |
| |
| Attacking WEP | |
| |
| |
| Active traffic injection | |
| |
| |
| Active attack from both sides | |
| |
| |
| Table-based attack | |
| |
| |
| Passive attack decryption | |
| |
| |
| Cracking Keys | |
| |
| |
| Using WEPcrack | |
| |
| |
| Using AirSnort | |
| |
| |
| Using aircrack | |
| |
| |
| Using WepLab | |
| |
| |
| Finding other tools | |
| |
| |
| Countermeasures Against Home Network-Encryption Attacks | |
| |
| |
| Rotating keys | |
| |
| |
| Using WPA | |
| |
| |
| Organization Encryption Attack Countermeasures | |
| |
| |
| Using WPA2 | |
| |
| |
| Using a VPN | |
| |
| |
| |
| Authenticating Users | |
| |
| |
| Three States of Authentication | |
| |
| |
| Authentication according to IEEE 802.11 | |
| |
| |
| I Know Your Secret | |
| |
| |
| Have We Got EAP? | |
| |
| |
| This method seems easy to digest | |
| |
| |
| Not another PEAP out of you | |
| |
| |
| Another big LEAP for mankind | |
| |
| |
| That was EAP-FAST | |
| |
| |
| Beam me up, EAP-TLS | |
| |
| |
| EAP-TTLS: That's funky software | |
| |
| |
| Implementing 802.1X | |
| |
| |
| Cracking LEAP | |
| |
| |
| Using asleap | |
| |
| |
| Using THC-LEAPcracker | |
| |
| |
| Using anwrap | |
| |
| |
| Network Authentication Countermeasures | |
| |
| |
| WPA improves the 8021.1 picture | |
| |
| |
| Using WPA2 | |
| |
| |
| Using a VPN | |
| |
| |
| WIDS | |
| |
| |
| Use the right EAP | |
| |
| |
| Setting up a WDMZ | |
| |
| |
| Using the Auditor Collection | |
| |
| |
| |
| The Part of Tens | |
| |
| |
| |
| Ten Essential Tools for Hacking Wireless Networks | |
| |
| |
| Laptop Computer | |
| |
| |
| Wireless Network Card | |
| |
| |
| Antennas and Connecting Cables | |
| |
| |
| GPS Receiver | |
| |
| |
| Stumbling Software | |
| |
| |
| Wireless Network Analyzer | |
| |
| |
| Port Scanner | |
| |
| |
| Vulnerability Assessment Tool | |
| |
| |
| Google | |
| |
| |
| An 802.11 Reference Guide | |
| |
| |
| |
| Ten Wireless Security-Testing Mistakes | |
| |
| |
| Skipping the Planning Process | |
| |
| |
| Not Involving Others in Testing | |
| |
| |
| Not Using a Methodology | |
| |
| |
| Forgetting to Unbind the NIC When Wardriving | |
| |
| |
| Failing to Get Written Permission to Test | |
| |
| |
| Failing to Equip Yourself with the Proper Tools | |
| |
| |
| Over-Penetrating Live Networks | |
| |
| |
| Using Data Improperly | |
| |
| |
| Failing to Report Results or Follow Up | |
| |
| |
| Breaking the Law | |
| |
| |
| |
| Ten Tips for Following Up after Your Testing | |
| |
| |
| Organize and Prioritize Your Results | |
| |
| |
| Prepare a Professional Report | |
| |
| |
| Retest If Necessary | |
| |
| |
| Obtain Sign-Off | |
| |
| |
| Plug the Holes You Find | |
| |
| |
| Document the Lessons Learned | |
| |
| |
| Repeat Your Tests | |
| |
| |
| Monitor Your Airwaves | |
| |
| |
| Practice Using Your Wireless Tools | |
| |
| |
| Keep Up with Wireless Security Issues | |
| |
| |
| |
| Appendixes | |
| |
| |
| |
| Wireless Hacking Resources | |
| |
| |
| Certifications | |
| |
| |
| General Resources | |
| |
| |
| Hacker Stuff | |
| |
| |
| Wireless Organizations | |
| |
| |
| Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org | |
| |
| |
| Wi-Fi Alliance (formerly WECA): www.wifialliance.com | |
| |
| |
| Local Wireless Groups | |
| |
| |
| Security Awareness and Training | |
| |
| |
| Wireless Tools | |
| |
| |
| General tools | |
| |
| |
| Vulnerability databases | |
| |
| |
| Linux distributions | |
| |
| |
| Software emulators | |
| |
| |
| RF prediction software | |
| |
| |
| RF monitoring | |
| |
| |
| Antennae | |
| |
| |
| Wardriving | |
| |
| |
| Wireless IDS/IPS vendors | |
| |
| |
| Wireless sniffers | |
| |
| |
| WEP/WPA cracking | |
| |
| |
| Cracking passwords | |
| |
| |
| Dictionary files and word lists | |
| |
| |
| Gathering IP addresses and SSIDs | |
| |
| |
| LEAP crackers | |
| |
| |
| Network mapping | |
| |
| |
| Network scanners | |
| |
| |
| |
| Glossary of Acronyms | |
| |
| |
| Index | |