Hacking Wireless Networks For Dummies


200 Part III: Advanced Wi-Fi Hacks

5. Click Network Address, click the radio button next to the Value field, and enter the 12-digit MAC address you want to use.

Figure 12-1 illustrates this procedure.

Figure 12-1: Changing the MAC address in a wireless NIC’s driver settings in Windows.

If your wireless NIC doesn’t have the Network Address option, you can edit the Windows Registry to get the same result. Here’s how to make it happen:

1. At a Windows command prompt, enter ipconfig /all to view your current MAC address (as shown in Figure 12-2).

Figure 12-2: Viewing your current MAC address in Windows (the Description and Physical Address lines of the ipconfig /all output).


2. Run regedt32 (not regedit) in Windows 2000, or regedit in Windows XP.

The Windows Registry opens, ready for editing.

3. Make a backup copy of the Windows Registry as it is now.

This is a safety measure in case something goes awry and you have to restore it to its previous state.

If you’re using regedit in XP, choose Export from the File menu.

If you’re using regedt32 in 2000, choose Save Key from the Registry menu.

4. Browse to the key and expand it.

Here’s the path to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

5. Find the subkey for the NIC you want to modify:

a. Click through the various four-digit folders starting at 0000.

You’re looking for the device that has a DriverDesc value that matches the Description shown when you enter ipconfig /all at a command prompt.

b. When you find the appropriate folder, expand it.

6. Right-click in the right window pane of the folder you’ve found, and then choose New, then String Value.

A new string value appears, offering a place to enter its name.

7. Enter NetworkAddress for the name.

Rest assured that a black-hat hacker would enter something more devious.

8. Double-click the NetworkAddress value you just created, and then enter the new, 12-digit MAC address you’d like to use (hex digits only, with no separators).

This new value is shown in Figure 12-3.

9. Exit the Registry editor (regedit or regedt32).

10. Right-click My Network Places, click Properties, and choose Disable/Enable for the NIC you modified.

You can do this by simply right-clicking the NIC in the listing and selecting Disable, and then right-clicking again and selecting Enable. You can also reboot Windows — and may have to, depending on whether Disable/Enable works — to activate the new MAC address.


Figure 12-3: Creating the NetworkAddress value in the Windows registry.

11. Verify that your change has taken place.

You do so by entering ipconfig /all at a Windows command prompt again, as shown in Figure 12-4.

Figure 12-4: Viewing your new MAC address in Windows.
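The same registry values that Steps 4 through 8 edit by hand are also what an administrator checks when auditing a fleet for MAC overrides: a NetworkAddress value under one of the four-digit adapter subkeys means the driver is presenting a spoofed address. The following Python script is an added example (not code from the book) that parses the regedit export you made in Step 3 and reports every adapter whose NetworkAddress is set, alongside its DriverDesc so it can be matched to the Description line of ipconfig /all. The .reg text, the adapter names and the MAC in it are constructed sample data.

```python
import re

# Registry path the procedure edits (the network adapter class key).
NET_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")

# Constructed sample of a regedit export of that key; not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000]
"DriverDesc"="Example Wired Ethernet Adapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001]
"DriverDesc"="Example Wireless PC Card"
"NetworkAddress"="00095BFFFFFF"
'''

def parse_reg_export(text):
    """Map each four-digit adapter subkey (0000, 0001, ...) to its REG_SZ values."""
    adapters, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            path = key.group(1)
            sub = path[len(NET_CLASS_KEY) + 1:]
            if path.startswith(NET_CLASS_KEY + "\\") and re.fullmatch(r"\d{4}", sub):
                current = sub
                adapters[current] = {}
            else:
                current = None     # some other key: ignore its values
            continue
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val and current is not None:
            adapters[current][val.group(1)] = val.group(2)
    return adapters

def find_mac_overrides(text):
    """Return (subkey, DriverDesc, MAC) for every adapter with a NetworkAddress override.

    DriverDesc is what ipconfig /all prints as Description, so each hit can be
    matched against the host's adapter list."""
    found = []
    for sub, vals in sorted(parse_reg_export(text).items()):
        raw = re.sub(r"[^0-9A-Fa-f]", "", vals.get("NetworkAddress", ""))
        if not raw:
            continue                           # no override configured
        if len(raw) == 12:
            mac = ":".join(raw[i:i + 2] for i in range(0, 12, 2)).upper()
        else:
            mac = "malformed:" + raw           # value present but not 12 hex digits
        found.append((sub, vals.get("DriverDesc", "?"), mac))
    return found
```

An empty NetworkAddress value is treated as no override, since an adapter with the value cleared reverts to its burned-in address.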

Because MAC address changes are not immediate in Windows, you can use a tool called DevCon by Microsoft — which is essentially a command-line version of the Device Manager utility for Windows 2000 and XP — to reset your wireless NIC to make your Windows MAC-address changes immediate. DevCon is available for download at

http://support.microsoft.com/default.aspx?scid=kb;en-us;311272

SMAC’ing your address

If your wireless NIC driver doesn’t allow MAC address changes as described in this chapter — or if you don’t like editing the Windows Registry manually to change your MAC address — there’s a neat and inexpensive tool you can use by KLC Consulting called SMAC (presumably short for Spoof MAC) at www.klcconsulting.net/smac.

Follow these steps to use SMAC:

1. Load the program.

2. Select the adapter for which you want to change the MAC address.

3. Enter the new MAC address in the New Spoofed MAC Address fields and then click Update MAC.

4. Stop and restart the network card with these steps:

a. Right-click the network card in Network and Dialup Connections.

b. Select Disable and then right-click again.

c. Click Enable to put the change into effect.

You may have to reboot for this to work properly.

5. Click Refresh in the SMAC interface.

You should see a screen similar to the one shown in Figure 12-5.

Figure 12-5: SMAC showing a spoofed MAC address.


KLC Consulting also has a command-line version of SMAC that can be integrated with Microsoft’s DevCon tool (mentioned earlier) for a complete solution to MAC address changes — and to resetting your hardware on the fly.

To reverse any of the MAC address changes shown here, simply reverse the steps performed and delete any data you created.

A walk down MAC-Spoofing Lane

So you’ve enabled MAC-address controls on your wireless network — but you’re curious: Just how effective are those controls? Unfortunately, not very. Your wireless network is still vulnerable to unauthorized access, even though you’ve enabled MAC address filtering on your APs. Of course, if you don’t have WEP, WPA, or some other form of encrypted communications in place, anyone with a wireless network analyzer (such as CommView for WiFi or AiroPeek) will still be able to view unencrypted traffic — all they have to do is jump through a couple more hoops, and they’re in. By bypassing MAC address controls and obtaining an IP address, they can easily become part of the network. Once this occurs, an attacker can gain full access to your airwaves — and anything’s fair game.

Come along with us, and we’ll show you how you can test your MAC-address controls — and demonstrate just how easy they are to circumvent. Here’s the procedure:

1. Find an AP to attach to.

That’s easy: Simply load NetStumbler, as shown in Figure 12-6.

Figure 12-6: Finding an accessible AP via NetStumbler.


You could skip Step 1 and just look for Probe Requests, but it’s always good to make certain you’re working with your wireless systems and not messing around with your neighbors’ stuff. Instead of waiting to look for Probe Requests to get a valid MAC address, you could send out a Deauthentication frame to the broadcast address. This would force any wireless client within range to reauthenticate and reassociate to the AP, revealing their MAC addresses in the process. You have to be careful doing this, though, so as not to disturb your neighbors’ systems. We cover deauthentication and disassociation in Chapter 13.

In our “test” organization, shown in Figure 12-6, we know that the AP with an SSID of doh! is a valid one to test because that’s the SSID we use on our network. Take note of the MAC address of this AP as well. Doing so helps you make sure you’re looking at the right packets in the steps that follow. Although we’ve “hidden” most of the MAC address of this AP for the sake of privacy, let’s just say that the MAC address you’re looking for here is 00:40:96:FF:FF:FF. Also notice in Figure 12-6 that NetStumbler was able to determine the IP address of the AP. Getting an IP address helps us confirm that we’re on the right wireless network.

One simple way to determine whether an AP has MAC-address controls enabled is to try to associate with it so you can obtain an IP address via DHCP. If you can get an IP address, then the AP doesn’t have MAC-address controls enabled. Now, for security’s sake and if you so desire, take a few minutes to go turn on MAC-address controls on your AP(s) — you can come back and run this test again to verify that you cannot obtain an address via DHCP.

2. Using a wireless network analyzer, look for a wireless client sending a probe request packet to the broadcast address — or for the AP replying with a probe response.

You can set up a filter in your analyzer to look for such frames, or simply capture packets and browse through them, looking for your AP’s MAC address as noted earlier. Figure 12-7 shows what the Probe Request and Probe Response packets look like.

Note the wireless client (again, for privacy, let’s say its full MAC is 00:09:5B:FF:FF:FF) first sends out a Probe Request to the broadcast address (FF:FF:FF:FF:FF:FF) in packet number 98. The AP with the MAC address we’re looking for replies with a Probe Response to 00:09:5B:FF:FF:FF that confirms this is indeed a wireless client on the network for which we’ll be testing MAC-address controls.


Figure 12-7: Looking for the MAC address of a wireless client on the network being tested.

3. Change your test computer’s MAC address to the wireless client’s MAC address (the one you found in Step 2 of these instructions).

You can verify your new MAC address by running ipconfig /all at a Windows command prompt, as shown in Figure 12-8.

Figure 12-8: Verifying your new, spoofed MAC address in Windows.


Note that APs, routers, switches, and the like should be able to detect when more than one system is using the same MAC address on the network (yours and the client that you’re spoofing). You may have to wait until that other system is no longer on the network or send a Deauthenticate packet to knock it off as shown in Chapter 13. However, we’ve seen very few quirky issues emerge from spoofing a MAC address in this way, so you may not have to do anything at all — it’s likely to work without any problems.

4. Ensure your wireless NIC is configured for the appropriate SSID. For this example, we’ll set the SSID to doh! (as shown in the Netgear Smart Wizard utility in Figure 12-9).

Figure 12-9: Ensuring that your SSID is correctly set.

Even if your network is running WEP, as is the case here, you can still test your MAC address controls. You’ll just need to enter your WEP key(s) before you can connect.

5. Obtain an IP address on the network.

You can do this by rebooting, or by disabling and re-enabling your wireless NIC. You can also request a new lease manually by running ipconfig /renew.

Because we know the IP addressing scheme of the wireless network in this example (10.11.12.x), we could also manually set our IP address and get on the network.

6. Confirm that you’re on the network by pinging another host or browsing the Internet.

You can do this by pinging the AP (10.11.12.154) or by simply loading your favorite Web browser and browsing to your favorite site.

That’s all there is to it! You’ve circumvented your wireless network’s MAC-address controls in six simple steps. We told you it was easy.


Who’s that Man in the Middle?

Man-in-the-middle attacks — referred to as MITM or monkey-in-the-middle attacks (taken from a popular MITM tool called monkey_jack) — are network-level attacks whereby the attacker (the monkey) inserts his system in between a wireless client and an AP, as shown in Figure 12-10.

Figure 12-10: Man-in-the-middle attack. The attacker’s system becomes the “man-in-the-middle” between the victim system and the AP.

These attacks are slightly more theoretical (less practical) and definitely more difficult to carry out than other network attacks. However, once an attacker has inserted himself as the man-in-the-middle, he can do it again — and do various unpleasant things, including

Capture data

Inject new packets into the data stream

Manipulate encryption mechanisms in IPsec, SSL, SSH, and so on


Delay wireless communications

Deny wireless communications

Redirect traffic to a malicious application

The attacker can exploit MITM vulnerabilities in standard unencrypted wireless sessions as well as 802.1x EAP and PEAP sessions. It’s even possible for an attacker to perform MITM attacks that exploit management packets — even when the wireless victims are running WEP or WPA.

Wireless hackers can exploit MITM vulnerabilities regardless of whether the communication is encrypted.

These attacks can happen in various ways such as

ARP poisoning: This manipulates OS, router, and switch ARP tables so an attacker can spoof a victim’s MAC address.

Port stealing: Here an attacker can spoof packets by setting the source address to his victim’s address and the destination address to his own address. In effect, the hacker takes control of his victim’s traffic.
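Both the MAC-filter bypass walked through in Steps 1 through 6 above and the ARP poisoning just described leave the same kind of trace on the wired side: the bypass puts one MAC address behind two IP addresses (the real client’s lease plus the one the tester obtains in Step 5), and ARP poisoning makes one IP address answer from a second MAC. The Python below is an added example (not code from the book) of the check the text says an AP, router or switch should be able to make. It scans address observations of the form the author might collect from DHCP lease and ARP logs and flags both patterns within a time window; the log lines, the 10.11.12.x addresses and the MACs are constructed sample data, and the line format is an assumption.

```python
import re

# Constructed sample of address observations (DHCP leases and ARP replies) on the
# 10.11.12.x network used in the text. Not real data; the format is assumed.
SAMPLE_LOG = """\
10:00:01 dhcp ip=10.11.12.20 mac=00:09:5B:FF:FF:FF
10:00:05 arp  ip=10.11.12.154 mac=00:40:96:FF:FF:FF
10:02:30 dhcp ip=10.11.12.21 mac=00:09:5B:FF:FF:FF
10:03:10 arp  ip=10.11.12.154 mac=00:0C:29:AA:BB:CC
10:04:00 arp  ip=10.11.12.20 mac=00:09:5B:FF:FF:FF
"""

LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d)\s+\S+\s+ip=(\S+)\s+mac=(\S+)")

def parse_line(line):
    """Return (seconds since midnight, ip, MAC) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, ip, mac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), ip, mac.upper()

def find_conflicts(log_text, window=3600):
    """Return (kind, key, old, new) conflicts observed within `window` seconds.

    "dup-mac":  one MAC seen with a second IP, i.e. two stations share a MAC
                (a spoofed client obtaining its own lease next to the real one).
    "ip-moved": one IP seen behind a second MAC, the signature of ARP poisoning
                (here the AP's own address, 10.11.12.154, is claimed by another MAC).
    """
    last_ip_for_mac = {}   # mac -> (timestamp, ip)
    last_mac_for_ip = {}   # ip  -> (timestamp, mac)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, mac = rec
        prev = last_ip_for_mac.get(mac)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            findings.append(("dup-mac", mac, prev[1], ip))
        prev = last_mac_for_ip.get(ip)
        if prev and prev[1] != mac and ts - prev[0] <= window:
            findings.append(("ip-moved", ip, prev[1], mac))
        last_ip_for_mac[mac] = (ts, ip)
        last_mac_for_ip[ip] = (ts, mac)
    return findings
```

The window keeps ordinary DHCP reassignment across days from being reported; the sample's last line shows the MAC flapping back to its first IP, which is the strongest sign that two live stations share it.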

There are various tools that hackers can use to create MITM attacks. The most popular MITM tools are open-source tools for the UNIX/Linux platform (and, in the case of Ettercap, Windows as well):

Airjack suite (http://sourceforge.net/projects/airjack), which includes monkey_jack for automated wireless MITM attacks.

dsniff (www.monkey.org/~dugsong/dsniff)

Arpmim (http://packetstorm.linuxsecurity.com/groups/teso/arpmim-0.2.tar.gz)

Ettercap (http://sourceforge.net/projects/ettercap/)

You can, of course, use these same utilities to test your wireless systems in an ethical-hacking fashion — but again, be careful.

Performing MITM attacks against your wireless network can be hazardous to your network’s health. If one of those goes awry, it can redirect traffic, disconnect clients, and even create denial-of-service conditions. Proceed with caution.

Management-frame attacks

The first type of wireless MITM attack is an attack against various 802.11 management frames. As we’ve discussed in other chapters, 802.11 specifies