Chapter 11. Scanning and Penetrating Wireless Networks


History of Wireless Networks

Wireless networking first became popular among the military. They needed a means of secure communication without the use of wires, such as between airplanes or on land in combat situations, where it is difficult to lay wire over long distances in a short amount of time. As the cost of wireless technologies decreased, corporations began looking into the use of wireless networking as an alternative to traditional wired infrastructures.

The wireless technologies of today are defined by the IEEE. The original wireless standard is IEEE 802.11. When you think about modern wireless technologies used in corporations and home networks today, three IEEE standards come to mind:

802.11a

802.11b

802.11g

The first to be implemented was 802.11b. 802.11b defines Direct Sequence Spread Spectrum (DSSS) wireless networking at speeds of 1, 2, 5.5, and 11 Mbps, with 11 Mbps being the most common. 802.11b networks operate at 2.4 GHz.

In contrast, 802.11a networks operate in the 5-GHz band. 802.11a is much faster than 802.11b, operating at up to 54 Mbps.

The third standard, 802.11g, is quickly becoming the de facto standard in most environments today. 802.11g provides the best of 802.11a and 802.11b. Similar to 802.11a, this standard specifies rates up to 54 Mbps. However, like 802.11b, this standard operates in the 2.4-GHz band. Because of this, 802.11g is backward compatible with 802.11b, making it easy for existing 802.11b networks to upgrade.

Note

As a penetration tester, you should be aware of these different types of wireless networks. For example, if you are testing against an 802.11b network, you should ensure that your equipment and software are tailored to test against 802.11b networks. Because 802.11g is backward compatible, you could use 802.11b or 802.11g equipment in your testing. Be aware that not all software tests against all three of these common standards.



Antennas and Access Points

Essential to any wireless network is the proper acquisition and placement of wireless antennas. Wireless networks today use three types of antennas:

Omni-directional: Also known as dipole antennas, omni-directional antennas are the most common. Omni-directional antennas radiate their energy equally in all directions. If you want to go greater distances, you can use a high-gain omni-directional antenna, which offers greater horizontal coverage at the sacrifice of vertical coverage. High-gain omni-directional antennas provide coverage at right angles to the antennas. If you can mount the access point (AP) near the ceiling and tilt the antenna at a 45-degree angle, you can cover an entire room.

Semi-directional: Used when you need short-range bridging, such as between two buildings in close proximity to each other. These antennas direct their energy primarily in one general direction. Yagi, patch, and panel antennas are all types of semi-directional antennas.

Highly directional: Not used by client machines but rather for point-to-point bridges. These antennas can go long distances (up to 25 miles, so they are good for bridging buildings together). Because of the strength of these antennas, they are sometimes used to penetrate walls that other antennas are unable to. The challenge of these antennas is that they must be accurately positioned to provide a line-of-sight link between both antennas.

Omni-directional antennas are analogous to a light bulb in a house, providing a small range of light equally in all directions. Semi-directional antennas are like spotlights in that they generally spread light in a single direction. Finally, highly directional antennas are like searchlights, offering a strong beam of light in a single direction.



Wireless Security Technologies

Although wireless networking provides great ease in setting up networked communications and offers mobility to users, it comes at a cost to security. Malicious hackers can easily detect wireless networks and gain access to your corporate network. Although a few methods are in place to enhance security, most are weak and easily broken. Therefore, you should keep your wireless network separate from your critical network and use it only for nonsensitive transmissions, such as Internet access.



Service Set Identifiers (SSIDs)

Wireless networks identify themselves through the use of Service Set Identifiers (SSIDs). SSIDs are like shared passwords used between client machines and APs. When performing a penetration test, you should be on the lookout for the following:

Blank SSID

"any" SSID/Broadcast SSID

Default SSID

Some of the most common mistakes that administrators make are the use of broadcast SSIDs and default SSIDs.

Broadcasting your SSID means that your AP periodically broadcasts its SSID to clients who are listening. You should disable SSID broadcasts and force clients to manually enter the SSID to gain access to the network.

Default SSIDs are another commonly seen mistake. Here, wireless administrators fail to change the SSID from the factory default. For example, Linksys wireless routers use the default SSID of Linksys and are configured with the IP address of 192.168.1.1. If you see the Linksys SSID on a wireless network, you can most likely find the AP at the 192.168.1.1 IP address.

Simply changing the SSID and turning off the broadcasting option is not enough to secure your wireless network. Active scanning tools such as NetStumbler can detect SSIDs even if you take these security measures. Nevertheless, you should change the SSID from the default and disable broadcasting to provide some security protection, however minor, to your wireless network.



Wired Equivalent Privacy (WEP)

When IEEE established the wireless 802.11 standards, it did not forget about security. Included in the 802.11b standard is Wired Equivalent Privacy (WEP). WEP uses a secret key that is shared between a client and an AP. This secret key is used with the RC4 algorithm to encrypt all communication between clients and the APs.

WEP can operate with 40-bit encryption (64-bit WEP) or 104-bit encryption (128-bit WEP). The stronger the encryption, the more secure your network. This comes at the cost of speed, however.

The problem with WEP is its short initialization vector (IV) value, which makes it easy to crack. The IV makes up the first 24 bits of the WEP key handed to RC4 (the remaining 40 or 104 bits are the shared secret, which is why 40-bit and 104-bit WEP are marketed as 64-bit and 128-bit). Many implementations start with an IV value of zero (0) and increment it by one for each packet sent. 24 bits equates to 16,777,216 values, so after 16 million packets are sent, the IV returns to a value of 0. This predictable behavior of the first 24 bits of the WEP key makes cracking the IV, and subsequently cracking the WEP key, easy.

Also, many environments do not change their WEP keys on a regular basis, making it easier for malicious hackers to maintain access.

You can easily crack WEP keys using tools such as WEPCrack and AirSnort, discussed later in this chapter.
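The IV weakness described above is something a defender can measure directly in a capture. The following Python is an added example, not code from the book or from any tool it names: it pulls the 24-bit IV and key index out of WEP frame bodies (the field positions follow 802.11 WEP framing), counts IV reuse, and scores how counter-like the IV sequence is. The sample frames are constructed; `analyze_ivs` and `wep_iv_and_keyid` are names chosen here.

```python
"""WEP IV hygiene check over captured frame bodies (added example, not from the book).

In 802.11 WEP framing the first 3 bytes of an encrypted body are the 24-bit IV and
bits 6-7 of the 4th byte are the key index; the rest is RC4 ciphertext. The frames
below are constructed; a real capture would come from a passive sniffer such as Kismet.
"""
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IV values


def wep_iv_and_keyid(body: bytes) -> tuple:
    """Return (iv, key_index) from a WEP frame body.

    The IV is read as a big-endian integer purely for display; equal bytes
    map to equal integers, which is all the reuse check needs.
    """
    if len(body) < 4:
        raise ValueError("WEP body needs at least the 4-byte IV header")
    return int.from_bytes(body[:3], "big"), body[3] >> 6


def analyze_ivs(frames) -> dict:
    """Summarize IV reuse and predictability for a list of WEP bodies."""
    ivs = [wep_iv_and_keyid(f) for f in frames]
    counts = Counter(ivs)  # (iv, key_index) -> occurrences
    reused = sum(n - 1 for n in counts.values())  # frames repeating an IV
    first_reuse = next((i for i, v in enumerate(ivs) if ivs.index(v) != i), None)
    # Share of consecutive frames whose IV is exactly previous + 1 mod 2^24:
    # near 1.0 means the counter-style IVs the chapter calls predictable.
    steps = [(b[0] - a[0]) % IV_SPACE == 1 for a, b in zip(ivs, ivs[1:])]
    last_iv = ivs[-1][0] if ivs else 0
    return {
        "frames": len(ivs),
        "distinct_ivs": len(counts),
        "reused_frames": reused,
        "first_reuse_index": first_reuse,
        "sequential_fraction": sum(steps) / len(steps) if steps else 0.0,
        # For a plain counter, this many more frames fit before the IV wraps
        # to 0 and every further frame reuses an IV already seen.
        "frames_until_wrap": IV_SPACE - 1 - last_iv,
    }


# Constructed capture: an IV counter that restarts at 0 after only four frames.
SAMPLE_FRAMES = [bytes([0, 0, iv, 0]) + b"\xde\xad\xbe\xef"
                 for iv in (0, 1, 2, 3, 0, 1)]
```

Running `analyze_ivs(SAMPLE_FRAMES)` reports two reused frames, the first at index 4, and a sequential fraction of 0.8, which is the pattern a monitoring rule for WEP networks would alert on.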



MAC Filtering

In small networks, wireless administrators might restrict access to specific MAC addresses. The administrator can configure a filter on the AP to allow only certain MAC addresses to use a wireless network.

Although such filtering might provide a mild deterrent to malicious hackers, this security measure is easily circumvented by spoofing MAC addresses. Using a packet sniffer such as Kismet (discussed later in this chapter), a malicious hacker can determine the MAC addresses used on a network. By spoofing a MAC address, he can gain access to the wireless network.



802.1x Port Security

Because it is so easy to spoof a MAC address, IEEE devised another solution to provide added security through network admission control. Although you can use 802.1x on many different types of networks, it has become popular in wireless environments. The IEEE 802.1x port access control standard operates like a bouncer for your AP, deciding who gets access into your network.

802.1x uses the Extensible Authentication Protocol over Wireless (EAPOW) as a mechanism for message exchange between a RADIUS server and a client. Before a client can access a wireless network, it must authenticate through a RADIUS server. Authentication options include everything from a simple username and password to more secure options such as a digital signature.

Although 802.1x addresses authenticity concerns for your network, there is a new version of 802.1x, called 802.1aa, that also addresses confidentiality and integrity. 802.1aa provides a four-way handshake to secure WEP key exchange. This allows for the use of per-session keys instead of static keys used by all clients. The key exchange mechanism also makes man-in-the-middle (MITM) attacks more difficult. 802.1x is enough to deter most malicious hackers, but for the strongest security, look at IP security (IPSec).



IPSec

Probably the best option for securing your wireless network is IPSec. IPSec provides data integrity through hashing algorithms such as MD5 and SHA1, and data confidentiality through encryption algorithms such as DES and 3DES. Both the clients and the APs need to be configured for IPSec. IPSec might slow down your wireless network, but it remains the best option for securing a wireless environment.

Note

A new form of wireless, called Type-1 wireless, is emerging to provide strong security. Type-1 wireless is a National Security Agency (NSA) certified standard using Type 1 encryption. At the time of this writing, Type-1 is only available for the U.S. military, although plans are in the works by Harris Corporation to provide a modified form of this technology for use by the public sector.



War Driving

Many people think of computer hacking as something done within the confines of someone's basement with several powerful computers. This is far from the truth. Now, with the advent of wireless LANs and the ease of breaking into them, war driving is popular. In war driving, a malicious hacker is armed with a laptop and a powerful antenna. While driving throughout a city, a malicious hacker can pick up and sniff wireless networks.

Variants of war driving include war walking, where a malicious hacker has a handheld device with wireless capabilities; war pedaling, where a malicious hacker uses a bicycle instead of an automobile; and war flying, where a malicious hacker uses an airplane to scout out wireless networks. War flying is also sometimes used by security auditors to scan large organizations and military bases to detect vulnerable wireless networks. In some cities, there is a rise in the use of war sailing, where people use boats and go up and down a river or coastline searching for wireless networks.

The next section covers many of the popular tools used by penetration testers and malicious hackers when attempting to access wireless networks.



Tools

You can use several tools when performing penetration tests against wireless networks. This section covers the following tools:

NetStumbler

StumbVerter

DStumbler

Kismet

GPSMap

AiroPeek NX

AirSnort

WEPCrack



NetStumbler

NetStumbler (http://stumbler.net) is probably the most widely used wireless auditing tool by penetration testers and malicious hackers alike. NetStumbler runs on Windows and detects 802.11a, 802.11b, and 802.11g networks. NetStumbler detects wireless networks and shows their signal strength and whether encryption is being used. This is helpful in discovering wireless networks for further penetration testing, detecting overlapping wireless networks from surrounding companies, and detecting unauthorized rogue APs in your organization. Figure 11-1 shows NetStumbler having detected two wireless SSIDs.

Figure 11-1. NetStumbler

NetStumbler is an active beacon scanner. It actively sends connection requests to all listening APs, even if they are not broadcasting their SSID. Access points subsequently respond to the requests with their SSID.



StumbVerter

StumbVerter (http://www.sonar-security.com) works in conjunction with NetStumbler and Microsoft MapPoint to provide a map of discovered wireless networks. StumbVerter imports the summary files of NetStumbler into Microsoft MapPoint 2004 and creates icons on a map of all discovered APs. This utility is helpful in pinpointing unauthorized rogue APs on your network.



DStumbler

DStumbler (http://www.dachb0den.com) is similar to NetStumbler except that it runs on BSD platforms. It has many of the same options as NetStumbler, including GPS support, colored graphs, maximum supported rate detection, and beaconing interval.

Although DStumbler is a graphical program like NetStumbler, it does offer several command-line options:

usage: dstumbler device [-d] [-osn] [-m int] [-g gpsdevice] [
  -d: run dstumbler without specifying a wireless device
  -o: specify the use of a prism2 card in monitor mode
  -s: disable scan mode on the card, instead do old style stat po
  -n: use basic ascii characters for limited terminal fonts
  -m: randomly set mac address at specified interval or 0 for sta
  -g: specify gps device to use
  -l: specify logfile to use for realtime logging



Kismet

Kismet (http://www.kismetwireless.net) is a Linux and BSD-based 802.11b wireless sniffer that has the capability to separate sniffed traffic by wireless SSID.

Kismet requires an 802.11b wireless adapter that is capable of entering RF monitoring mode. After the wireless adapter is in RF monitoring mode, it cannot associate itself with a wireless network. Therefore, when Kismet is running, you do not have access to the wireless network for other purposes and can only detect and sniff traffic on wireless networks.

Unlike NetStumbler, Kismet is a passive scanner. This means it does not actively


