Hacking Wireless Networks For Dummies


80 Part II: Getting Rolling with Common Wi-Fi Hacks

by passing out items (such as the following) with security messages on them:

Screen savers

Mouse pads

Pens and pencils

Sticky-note pads

Posters in the break room

Several organizations specialize in these security awareness products. Check out

www.securityawareness.com

www.thesecurityawarenesscompany.com

www.greenidea.com

www.privacyposters.com

Your best defense is your people, so keep them in the know and make sure you put a positive spin on your security initiatives so you don’t tire them out.

Scan for unauthorized equipment

A great way to help enforce your wireless security policy is to install a centrally managed wireless gateway or IDS system, such as the products offered by Bluesocket (www.bluesocket.com) and AirDefense (www.airdefense.net). These systems can prevent problems from the get-go through strong authentication, alert you when they detect unauthorized wireless systems, monitor for malicious wireless behavior, and more. We outline how to get similar functionality out of other tools, such as commercial monitoring programs and wireless sniffers, in Chapter 11.

Secure your systems from the start

Another great defense against people-related security vulnerabilities on your wireless network is to prevent them in the first place. Set your users and your systems up for success. You should not only make it policy to harden wireless systems but also help users do the hands-on work if possible. Also, ongoing ethical hacks and audits (comparing what is supposed to be done according to policy to what is actually being done) are essential. This can help you make sure that wireless systems haven’t been changed back to include the insecure settings you’re trying so hard to prevent.

Chapter 6

Containing the Airwaves

In This Chapter

Monitoring link strength and quality

Choosing monitoring software

Protecting your organization

Many companies expose themselves to attack because they don’t attempt to control the radio signals leaking from their organization. In such cases, a cracker could sit in your parking lot or stand across the street and monitor your network. This chapter shows you how to control your signals. In later chapters, we show you how to monitor frames (Chapter 8), discover networks (Chapters 9 and 10), intercept frames (Chapter 12), deny service (Chapter 13), crack encryption keys (Chapter 14), and beat user authentication (Chapter 15). Before you can try these tests, you need to find radio signals — yours and others.

Signal Strength

A first step to testing your network is to determine the bounds of your network. You can use sophisticated tools like AiroPeek (see Chapter 8) or a spectrum analyzer, but that would really be overkill. All you need are various software programs that supply link-quality information. Several freeware products run on Linux.

Using Linux Wireless Extension and Wireless Tools

The Linux Wireless Extension and Wireless Tools are an open source project sponsored by Hewlett Packard. The Wireless Extension is a generic application programming interface (API) that exposes wireless information and statistics to user space. Wireless Tools is a set of tools that use the Wireless Extensions. The Wireless Tools are


iwconfig: Changes the basic wireless parameters.

iwpriv: Changes the Wireless Extensions specific to a driver (private).

iwlist: Lists addresses, frequencies, and bit rates.

iwspy: Gets per-node link quality.

We explore these tools in turn in the following sections. For each tool, we provide an illustrative example. If you want to really understand the command and its many parameters, however, please check out the man page for the syntax and other information about any of these commands. If you have a Web browser, you can use Google.

Linux Wireless Extensions are powerful additions to your ethical hacking utility belt. Linux Wireless Extensions are available from http://pcmcia-cs.sourceforge.net/ftp/contrib. Look for the entry wireless_tools.27.tar.gz near the bottom of the available documents and programs. Wireless Extensions v.14 is bundled in the 2.4.20 kernel, and v.16 is in the 2.4.21 kernel.

iwlist and the others are great tools. They get their information from the standard kernel interface /proc/net/wireless. But these tools provide only a snapshot in time; they do not provide statistics over time. If you favor the Windows platform, you can use a great tool like NetStumbler (we cover this tool in depth in Chapter 9). But when you work with Linux, you want to find a better link-monitoring tool. The other tools in this section provide more functionality than iwconfig, iwpriv, iwlist, and iwspy.

Using iwconfig

You use iwconfig to configure a wireless network interface. If you’re familiar with the ifconfig command, the iwconfig command is similar but works only with wireless interfaces. You use iwconfig to set the network interface parameters, such as frequency. As well, you can use iwconfig to set the wireless parameters and display statistics. The syntax is as follows:

iwconfig interface [essid X] [nwid N] [freq F] [channel C] [sens S] [mode M] [ap A] [nick NN] [rate R] [rts RT] [frag FT] [txpower T] [enc E] [key K] [power P] [retry R] [commit]

iwconfig --help

iwconfig --version

Let’s look at each one of the parameters.

essid: Use the ESSID parameter to specify the ESSID or Network Name. For example, the following specifies that you want to set the ESSID for the wireless adapter to ANY for wardriving.

iwconfig eth0 essid any


nwid/domain: Use the Network ID parameter to specify the network ID or Domain ID. For example, the following specifies that you want to disable Network ID checking.

iwconfig eth0 nwid off

freq/channel: Use this parameter to set the operating frequency or channel. A value below 1,000 is taken as a channel number, while a value of 1,000 or more is taken as a frequency in Hz (with the usual k, M, and G suffixes). For example, the following specifies that you want to set the frequency to 2.422 GHz.

iwconfig eth0 freq 2.422G

Or for example, the following specifies that you want to use channel three.

iwconfig eth0 channel 3

sens: Use this parameter to set the sensitivity threshold. For example, the following specifies the level as -80 dBm.

iwconfig eth0 sens -80

mode: Use this parameter to set the operating mode of the device. The operating mode is one of the following:

Ad-hoc: no Access Point.

Managed: more than one Access Point, with roaming.

Master: synchronization master or an Access Point.

Repeater: node forwards packets between other wireless nodes.

Secondary: node acts as a backup master or repeater.

Monitor: the node acts as a passive monitor and only receives packets.

Auto: self-explanatory.

For example, the following specifies that the network is infrastructure mode.

iwconfig eth0 mode managed

ap: Use this parameter to force the card to register to the Access Point given by the address. Use off to re-enable automatic mode without changing the current Access Point, or use any or auto to force the card to re-associate with the current best Access Point. For example, the following forces association with the access point with the hardware address of 00:60:1D:01:23:45.

iwconfig eth0 ap 00:60:1D:01:23:45


nick[name]: Use this parameter to set the nickname or station name. For example, the following sets the nickname to Peter Node.

iwconfig eth0 nickname "Peter Node"

rate/bit[rate]: Use this parameter to set the bit-rate in bits per second for cards supporting multiple bit rates. For example, the following sets the bit rate to 11 Mbps.

iwconfig eth0 rate 11M

rts[_threshold]: Use this parameter to turn RTS/CTS on or off. For example, the following turns RTS/CTS off.

iwconfig eth0 rts off

frag[mentation_threshold]: Use this parameter to turn fragmentation on or off and to set the fragmentation threshold. For example, the following specifies a maximum fragment size of 512 bytes.

iwconfig eth0 frag 512

key/enc[ryption]: Use this parameter to turn encryption or scrambling keys on or off and to set the encryption mode. For example, the following specifies an encryption key.

iwconfig eth0 key 0123-4567-89

power: Use this parameter to set the power management scheme and mode. For example, the following disables power management.

iwconfig eth0 power off

txpower: Use this parameter to set the transmit power in dBm for cards supporting multiple transmit powers. For example, the following sets the transmit power to 15 dBm.

iwconfig eth0 txpower 15

If you are unfamiliar with dBm as a measurement, refer to www.atis.org/tg2k/_dbm.html for a definition.

retry: Use this parameter to set the maximum number of MAC retransmission retries. For example, the following specifies to retry 16 times.

iwconfig eth0 retry 16

commit: Use this parameter to force the card to apply all pending changes rather than waiting for the issuance of an ifconfig command. For example, the following specifies to commit the changes.

iwconfig eth0 commit


Besides the settable parameters, iwconfig displays the following link statistics for the interface (the same values the kernel exposes in /proc/net/wireless):

Link quality: The overall quality of the link, as reported by the driver.

Signal level: The received signal strength.

Noise level: The background noise level.

invalid nwid: The number of packets received with a network ID that does not match yours; a rising count points to a configuration problem or the existence of an adjacent network.

invalid crypt: The number of packets that the hardware couldn’t decrypt.

invalid misc: Other packets lost in relation to specific wireless operations.

There you have it. Remember you can get more information by using the man command.
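The tools above read /proc/net/wireless and show only a snapshot. As an added example (not from the book or from the Wireless Tools project), the script below reads the same statistics iwconfig displays straight from that file so they can be logged over time, and measures how fast the invalid-nwid counter grows; the snapshot text, its numbers and the wlan0 interface name are constructed.

```shell
# Added example, not from the book: iwconfig and iwlist show a single
# /proc/net/wireless snapshot, so this polls it and logs the values over time.
# Columns of a /proc/net/wireless data line:
#   iface: status link level noise nwid crypt frag retry misc beacon

# Constructed /proc/net/wireless snapshot (the numbers are made up).
SAMPLE_PROC_WIRELESS='Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
 wlan0: 0000   61.  -49.  -92.       37      2      0      0      0        0'

# parse_wireless IFACE < snapshot
# Prints one line: quality signal noise snr invalid_nwid invalid_crypt invalid_misc
parse_wireless() {
    awk -v iface="$1" '
        BEGIN { key = iface ":" }
        $1 == key {
            link = $3; level = $4; noise = $5
            # the trailing "." on a value is the kernel flag meaning "updated"
            gsub(/\./, "", link); gsub(/\./, "", level); gsub(/\./, "", noise)
            snr = level - noise   # signal-to-noise margin in dB
            printf "%s %s %s %s %s %s %s\n", link, level, noise, snr, $6, $7, $10
        }'
}

# nwid_growth PREV CUR: growth of the invalid-nwid counter between two parsed
# lines; a steadily rising count while the ESSID is fixed means frames from a
# neighbouring (or rogue) network are reaching this card.
nwid_growth() {
    prev=$(printf '%s\n' "$1" | awk '{ print $5 }')
    cur=$(printf '%s\n' "$2" | awk '{ print $5 }')
    echo $((cur - prev))
}

# monitor_link IFACE [INTERVAL]: timestamped time series to stdout (Ctrl-C to stop)
monitor_link() {
    while :; do
        printf '%s %s\n' "$(date +%s)" "$(parse_wireless "$1" < /proc/net/wireless)"
        sleep "${2:-1}"
    done
}

# Demonstrate on the constructed snapshot:
printf '%s\n' "$SAMPLE_PROC_WIRELESS" | parse_wireless wlan0
```

On a live Linux box, `monitor_link wlan0 2 >> link.log` gives the over-time record that iwconfig alone cannot.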

Using iwpriv

iwpriv is the companion tool to iwconfig. Again, you use iwpriv to configure optional (private) parameters for a wireless network interface. You use iwpriv for parameters and settings specific to each driver, as opposed to iwconfig, which deals with generic ones. The syntax is as follows:

iwpriv interface private-command [I] [private-parameters]

iwpriv interface --all

iwpriv interface roam {on,off}

iwpriv interface port {ad-hoc,managed,N}

Using the iwpriv command without any parameters lists the available private commands for each interface and the parameters required.

Let’s look at each one of the parameters.

private-command [I] [private-parameters]: Use the specified private-command on the interface. The I parameter, which stands for an integer, is the integer to pass to the command as a Token Index. Your driver documentation should specify the value for the integer; otherwise, leave the value out.

The command may optionally take or require arguments, and may display information. The following paragraphs provide information on the arguments.

-a/--all: Use this parameter to execute and display all the private commands that don’t require any arguments (that is, the read-only ones).

roam: Use this parameter to enable or disable roaming, when supported.

port: Use this parameter to read or configure the port type.


Using iwlist

iwlist allows you to display more detailed information from a wireless interface than you can get with iwconfig. For instance, you can get the ESSID, node name, frequency, signal quality and strength, and bit and error rates. The syntax is as follows:

iwlist interface scanning

iwlist interface frequency

iwlist interface rate

iwlist interface key

iwlist interface power

iwlist interface txpower

iwlist interface retry

iwlist --help

iwlist --version

Let’s look at each one of the parameters.

scan[ning]: Use this parameter to list the access points and ad-hoc cells in range. For example, the following runs a scan.

iwlist wlan0 scan

Run this command and you may see something like the following:

wlan0     Scan completed :
          Cell 01 - Address: 00:02:2D:8F:09:8D
                    ESSID:"pdaconsulting"
                    Mode:Master
                    Frequency:2.462GHz
                    Quality:0/88  Signal level:-50 dBm  Noise level:-92 dBm
                    Encryption key:off
                    Bit Rate:1Mb/s
                    Bit Rate:2Mb/s
                    Bit Rate:5.5Mb/s
                    Bit Rate:11Mb/s

freq[uency]/channel: Use this parameter to specify the list of available frequencies for the device and the number of defined channels.

rate/bit[rate]: Use this parameter to list the bit-rates supported by the device.

key/enc[ryption]: Use this parameter to list the supported encryption key sizes and to display all the available encryption keys.

power: Use this parameter to list the various Power Management attributes and modes of the device.

txpower: Use this parameter to list the various Transmit Powers available on the device.


retry: Use this parameter to list the transmit retry limits and retry lifetime on the device.

--version: Use this parameter to display the version of the tools, as well as the recommended and current Wireless Extensions version for the tool and the various wireless interfaces.
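As an added example (not from the book), the script below turns the kind of scan listing shown above into an inventory and flags cells whose BSSID is not on the site's authorized list, or that run with the encryption key off. That is the basic check behind the "scan for unauthorized equipment" advice earlier in this part; the scan text (Cell 02 in particular), its BSSIDs and the authorized list are constructed.

```shell
# Added example, not from the book: audit an "iwlist wlan0 scan" listing against
# the site's authorized access points. Unknown BSSIDs advertising the company
# ESSID, and cells with the encryption key off, are the two findings the
# "scan for unauthorized equipment" advice is about.

# Constructed scan output; Cell 01 mirrors the book's sample, Cell 02 is made up.
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 00:02:2D:8F:09:8D
                    ESSID:"pdaconsulting"
                    Mode:Master
                    Frequency:2.462GHz
                    Quality:0/88  Signal level:-50 dBm  Noise level:-92 dBm
                    Encryption key:off
                    Bit Rate:11Mb/s
          Cell 02 - Address: 00:02:2D:AA:BB:CC
                    ESSID:"pdaconsulting"
                    Mode:Master
                    Frequency:2.437GHz
                    Quality:40/88  Signal level:-67 dBm  Noise level:-92 dBm
                    Encryption key:on
                    Bit Rate:11Mb/s'

# Authorized BSSIDs, one per line (constructed placeholder list).
AUTHORIZED='00:02:2D:AA:BB:CC'

# audit_scan AUTHORIZED_LIST < scan-output
# Prints one line per cell: BSSID ESSID frequency signal_dBm encryption verdict
audit_scan() {
    awk -v auth="$1" '
        BEGIN { n = split(auth, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Emit the cell collected so far; the Address rule then resets the fields.
        function emit() {
            if (bssid == "") return
            verdict = (bssid in ok) ? "known" : "UNAUTHORIZED"
            if (enc == "off") verdict = verdict ",open"
            printf "%s %s %s %s %s %s\n", bssid, essid, freq, sig, enc, verdict
        }
        /Address:/        { emit(); bssid = $NF; essid = freq = sig = enc = "" }
        /ESSID:/          { essid = $0; sub(/.*ESSID:/, "", essid); gsub(/"/, "", essid) }
        /Frequency:/      { freq = $1; sub(/Frequency:/, "", freq) }
        /Signal level:/   { sig = $0; sub(/.*Signal level:/, "", sig); sub(/ dBm.*/, "", sig) }
        /Encryption key:/ { enc = $0; sub(/.*Encryption key:/, "", enc) }
        END { emit() }'
}

# Demonstrate on the constructed scan; on a live system pipe "iwlist wlan0 scan" in.
printf '%s\n' "$SAMPLE_SCAN" | audit_scan "$AUTHORIZED"
```

Cell 01 comes out as "UNAUTHORIZED,open": a BSSID nobody registered that nevertheless advertises the company ESSID, which is exactly what a scheduled scan is meant to catch.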

Using iwspy

You use iwspy to get statistics from specific wireless nodes. With iwspy, you can list the addresses associated with a wireless network interface and get link-quality information for each. The syntax is as follows:

iwspy interface [+] DNSNAME | IPADDR | HWADDR [...]

iwspy interface off

Let’s look at each one of the parameters.

DNSNAME | IPADDR: Use this parameter to set an IP address or DNS name (using the name resolver).

HWADDR: Use this parameter to set a hardware (MAC) address.

Plus sign (+): Use this parameter to add a new set of addresses to the end of the current list.

off: Use this parameter to remove the current list of addresses and to disable the spy functionality.

Using Wavemon

Wavemon is an ncurses-based monitor for wireless devices that polls /proc/net/wireless many times per second. It allows you to watch the signal and noise levels, packet statistics, device configuration, and network parameters of your wireless network hardware. So far, Wavemon has been tested only with the Lucent ORiNOCO series of cards, although it should work (with varying features) with all wireless cards supported by the wireless kernel extensions written by Jean Tourrilhes. You can find Jean’s “Wireless Tools for Linux” Web page at www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html.

Wavemon continuously updates the statistics. While looking at the statistics, you can press F2 to bring up the Level Histogram. This display gives you a running history of the level of connectivity.

Because Wavemon uses a terminal session, you can simultaneously run more than one instance. You could use each instance to monitor a different link simultaneously.

Wavemon is available from www.janmorgenstern.de/wavemon-current.tar.gz.


Using Wscan

Wscan is a UNIX/X-based link-monitoring application intended for Lucent cards, Linux/x86, Linux/iPaq, or FreeBSD.

The application has two windows. One shows the signal strength. The other window shows details (including ESSID, signal strength, quality, and noise) on a source you select from the signal strength window.

Wscan is available from www.handhelds.org/download/packages/wscan.

Using Wmap

Wmap is a tool for creating log files about the reachability of wireless access points with signal strength and GPS coordinates.

Wmap is available from www.datenspuren.org/wmap.

Using XNetworkStrength

XNetworkStrength shows signal strength. It’s a small application (10.5 KB), is extremely fast, and uses only the X11 API. Oh, and it’s free.

XNetworkStrength is available from http://gabriel.bigdam.net/home/xnetstrength.

Using Wimon

Wimon is a curses-based wireless connection monitor that shows a real-time graph of a wireless connection’s status. It runs on NetBSD, FreeBSD, and OpenBSD. Following is the syntax for Wimon.

wimon -i <iface> [-s <scale>] [-d delay in microsec] [-w]

Wimon is available from http://imil.net/wimon.

Other link monitors

We cover a few tools for monitoring the link quality, but the list of potential tools is long. Following is a list of other link monitors:


aphunter (www.math.ucla.edu/~jimc/mathnet_d/download.html): Link monitor and site survey tool.

E-Wireless (www.bitshift.org/wireless.shtml): Enlightenment link monitor.

Gkrellm wireless plug-in (http://gkrellm.luon.net/gkrellmwireless.phtml): GKrellM monitoring system plug-in.

Gnome Wireless Applet (http://freshmeat.net/projects/gwifiapplet): Gnome link monitor.

Gtk-Womitor (www.larsen-b.com/Article/174.html): Applet that shows signal strength.

GWireless (http://gwifiapplet.sourceforge.net): Yet another Gnome link monitor.

Kifi (http://kifi.staticmethod.net): KDE link monitor.

KOrinoco (http://korinoco.sourceforge.net): ORiNOCO-specific link monitor.

KWaveControl (http://kwavecontrol.sourceforge.net): KDE link monitor.

KWiFiManager (http://kwifimanager.sourceforge.net): KDE link monitor and successor to KOrinoco.

Mobydik.tk (www.cavone.com/services/mobydik_tk.aspx): TCL link monitor.

NetworkControl (www.arachnoid.com/NetworkControl/index.html): Monitor interfaces.

NetworkManager (http://people.redhat.com/dcbw/NetworkManager): Red Hat/Fedora link monitor.

QWireless (www.uv-ac.de/qwireless): iPaq/Zaurus WLAN analyzer.

WaveSelect (www.kde-apps.org/content/show.php?content=19152): Another KDE link monitor.

wmifinfo (www.zevv.nl/wmifinfo): Applet to display available interface information.

WMWave (www.schuermann.org/~dockapps): Window Maker link monitor.

WmWiFi (http://wmwifi.digitalssg.net/?sec=1): Wireless Monitor for Window Maker.

xosview (http://open-linux.de/index.html.en): Xosview modification to monitor link quality.

Of course, we should mention that the utility that comes with your wireless NIC usually has a link monitor. This is a low-cost, low-fuss solution.