Hacking Wireless Networks For Dummies (.pdf)

210 Part III: Advanced Wi-Fi Hacks

no inherent authentication of management frames — and MAC addresses are simple to spoof — which makes this a popular wireless attack.

A MITM attack that exploits 802.11 management-frame vulnerabilities can be executed via the following steps:

1. The attacker finds a wireless client that’s associated and communicating with an AP — and gathers the client’s RF channel and MAC address information.

2. The attacker sends a Deauthenticate or Disassociate frame to the client system, forcing it to disconnect from the AP.

3. The attacker then enables a fake AP — posing as the original AP, using the same SSID and MAC address, with the only difference being that his system has to run on a different wireless channel — let’s say channel 1 instead of channel 6.

4. The client system automatically tries to reauthenticate and associate itself with the original AP — only this time the odds are good that it will connect to the attacker’s rogue system instead.

5. The attacker’s system then connects to the original AP so all client traffic is forwarded to the victim’s system — and the victim’s traffic is forwarded to the rogue system.

The attacker has successfully inserted his system into the middle of the client-to-AP communications stream — and achieved “man-in-the-middle” status.
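The same sequence seen from the monitoring side. The Python below is an added example, not code from the book or from the AirJack project: it runs over a constructed list of already-decoded 802.11 frame summaries and flags the two observable signatures of the attack just described, a burst of Deauthenticate/Disassociate frames aimed at one client (steps 2 and 4) and the same BSSID beaconing on two channels at once (step 3). The Frame record layout, the 2-second window and the threshold of 5 frames are assumptions chosen for the example; a wireless IDS would feed the same logic from a monitor-mode capture.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """One decoded 802.11 frame summary (field layout is an assumption for this example)."""
    ts: float        # capture time in seconds
    subtype: str     # "beacon", "deauth", "disassoc", "data", ...
    bssid: str
    src: str
    dst: str
    channel: int

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}

def find_deauth_bursts(frames, window=2.0, threshold=5):
    """Map (bssid, client) -> size of the largest burst of deauth/disassoc
    frames sent to that client inside any `window`-second span, keeping
    only pairs that reach `threshold`. Steps 2 and 4 of the attack produce
    exactly this pattern; a single legitimate deauth does not."""
    per_target = defaultdict(list)
    for f in frames:
        if f.subtype in DISCONNECT_SUBTYPES:
            per_target[(f.bssid, f.dst)].append(f.ts)
    bursts = {}
    for key, times in per_target.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts

def find_bssid_on_multiple_channels(frames):
    """Map bssid -> sorted channel list for any BSSID seen beaconing on more
    than one channel: the footprint of the cloned AP in step 3, which has to
    sit on a different channel from the real one."""
    channels = defaultdict(set)
    for f in frames:
        if f.subtype == "beacon":
            channels[f.bssid].add(f.channel)
    return {b: sorted(c) for b, c in channels.items() if len(c) > 1}

# Constructed sample capture (not real traffic): the genuine AP beacons on
# channel 6, seven deauth frames hit the client, then the same BSSID
# starts beaconing on channel 1 and the client sends data there.
AP = "00:40:96:aa:bb:cc"
CLIENT = "00:09:5b:11:22:33"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [Frame(t, "beacon", AP, AP, BCAST, 6) for t in (0.0, 0.1, 0.2)]
SAMPLE += [Frame(1.0 + i * 0.05, "deauth", AP, AP, CLIENT, 6) for i in range(7)]
SAMPLE += [Frame(t, "beacon", AP, AP, BCAST, 1) for t in (1.5, 1.6)]
SAMPLE.append(Frame(2.0, "data", AP, CLIENT, AP, 1))

def analyze(frames=SAMPLE):
    """Run both checks and return their findings in one dict."""
    return {"deauth_bursts": find_deauth_bursts(frames),
            "cloned_bssids": find_bssid_on_multiple_channels(frames)}

if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

Neither check needs the frame payload, only the header fields, so it works even when the data frames themselves are encrypted; the BSSID-on-two-channels check is the more reliable of the two, because legitimate clients are also deauthenticated from time to time, while a BSSID never beacons on two channels at once.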

The monkey_jack utility can perform this type of wireless MITM attack. If you have the AirJack suite downloaded and compiled on a Linux-based system, the following parameters can be used to run the program:

# ./monkey_jack -h

Monkey Jack: Wireless 802.11(b) MITM proof of concept.

Usage: ./monkey_jack -b <bssid> -v <victim mac> -C <channel number> [ -c <channel number> ] [ -i <interface name> ] [ -I <interface name> ] [ -e <essid> ]

-a: number of disassociation frames to send (defaults to 7)
-t: number of deauthentication frames to send (defaults to 0)
-b: bssid, the mac address of the access point (e.g. 00:de:ad:be:ef:00)
-v: victim mac address.
-c: channel number (1-14) that the access point is on, defaults to current.
-C: channel number (1-14) that we’re going to move them to.
-i: the name of the AirJack interface to use (defaults to aj0).
-I: the name of the interface to use (defaults to eth1).
-e: the essid of the AP.

Chapter 12: Network Attacks 211

Now you know the parameters it requires, here’s an example. We’ll use monkey_jack to insert our system (using ports aj0 and eth0) between the wireless client 00:09:5B:FF:FF:FF and the AP 00:40:96:FF:FF:FF with an SSID of doh!. We’ll also force it from wireless channel 6 to channel 1, and use the defaults for all other parameters. Here we go:

# ./monkey_jack -b 00:40:96:FF:FF:FF -v 00:09:5b:FF:FF:FF -c 6 -C 1 -I eth0 -e "doh!"

So there you have it — assuming you received no errors during the execution of the command shown here, you’re now officially the man-in-the-middle.

ARP-poisoning attacks

Attackers can exploit ARP (Address Resolution Protocol) if it’s running on your network. The aim is to make their systems appear to be authorized hosts on your network. What happens with this attack is that a client running a program such as dsniff or Ettercap can change the ARP tables — the tables that store IP addresses to MAC-address mappings — on network hosts. This causes the victim computers to think they need to send traffic to the attacker’s computer (rather than to the true destination computer) when communicating on the network.

This security vulnerability is inherent in how ARP communications are handled. Compounding the problem is the fact that wireless networks use a shared medium that makes this type of attack even easier.

Walking through a typical ARP attack

Here’s a typical ARP spoofing attack with a hacker’s computer (Hacky), a legitimate wireless user’s computer (Waveboy), and the AP (Commander):

1. Hacky poisons the ARP cache of victims Waveboy and Commander by using dsniff, ettercap, or a similar utility.

2. Waveboy associates Hacky’s MAC address with Commander’s IP address.

3. Commander associates Hacky’s MAC address with Waveboy’s IP address.

4. Waveboy’s traffic and Commander’s traffic are sent to Hacky’s IP address first.

5. Hacky loads a network analyzer and captures all traffic between Waveboy and Commander. If Hacky is configured to act like a router and forward packets, it forwards the traffic to its original destination, and the original sender and receiver never know the difference!

MITM attacks that exploit ARP spoofing vulnerabilities are slightly more difficult but are still a threat. This type of attack takes advantage of the fact that ARP packets — just like 802.11 management frames — do not require any type of authentication and are easily spoofed.
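What the Hacky/Waveboy/Commander walk-through looks like in the ARP traffic a monitoring host sees. The Python below is an added example, not code from the book or from dsniff or Ettercap: it reads a constructed log of ARP replies (timestamp, sender IP, sender MAC) and reports the two symptoms of cache poisoning, an IP whose MAC changes from the one first learned (steps 2 and 3) and a single MAC answering for several IPs (step 4). The log format, the addresses and the "first mapping seen is the genuine one" baseline are assumptions made for the example.

```python
from collections import defaultdict

# Constructed ARP-reply observations ("timestamp sender-ip sender-mac"), not a
# real capture. 10.0.0.1 plays Commander (the AP/gateway), 10.0.0.20 plays
# Waveboy, and cc:..:99 is Hacky's NIC answering for both of them.
ARP_LOG = """\
1.0 10.0.0.1 aa:aa:aa:aa:aa:01
1.0 10.0.0.20 bb:bb:bb:bb:bb:20
5.0 10.0.0.1 cc:cc:cc:cc:cc:99
5.1 10.0.0.20 cc:cc:cc:cc:cc:99
9.0 10.0.0.1 cc:cc:cc:cc:cc:99
"""

def parse_arp_log(text):
    """Parse the constructed log format into (ts, ip, mac) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        rows.append((float(ts), ip, mac.lower()))
    return rows

def detect_arp_poisoning(rows):
    """Return findings for the two symptoms of the walk-through above:
    - ("mapping_changed", ts, ip, old_mac, new_mac): an IP's MAC differs
      from the first one learned (steps 2 and 3), reported once per new MAC
    - ("shared_mac", mac, ips): one MAC answering for several IPs, i.e.
      Hacky claiming both Commander's and Waveboy's addresses (step 4)."""
    first_seen = {}                 # assumption: first mapping seen is genuine
    ips_per_mac = defaultdict(set)
    reported = set()
    findings = []
    for ts, ip, mac in sorted(rows):
        ips_per_mac[mac].add(ip)
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            findings.append(("mapping_changed", ts, ip, first_seen[ip], mac))
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            findings.append(("shared_mac", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in detect_arp_poisoning(parse_arp_log(ARP_LOG)):
        print(*finding)
```

In practice the baseline should come from a known-good list (DHCP leases or an inventory) rather than from whatever reply arrived first, since the attacker may already be answering when monitoring starts. The standard mitigations are a static ARP entry for the gateway on wireless clients and Dynamic ARP Inspection on the switches behind the APs, both of which stop the forged replies from taking effect.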


An attacker can also execute a nifty traffic-redirection attack by using his own system as the end point. This ends up redirecting all traffic originally destined for the victim’s system to the attacker’s system instead. This process is depicted in Figure 12-11.

Using Ettercap

The Ettercap program can perform this type of wireless MITM attack. The following screen captures of Ettercap NG for Windows show the options for executing MITM attacks from a nice GUI interface.

1. Load Ettercap NG and choose Unified sniffing from the Sniff menu.

2. Select the NIC you want to use from the drop-down list, as shown in Figure 12-12.

3. After the program loads, choose the type of attack you want to execute from the MITM menu, as shown in Figure 12-13.

In our example here, you’d select Arp poisoning.

Figure 12-11: Flow of a traffic redirection attack. (Elements shown: Joe’s wireless laptop, AP1, AP2, Network backbone, Attacker system.)

1. Normal flow of wireless traffic.

2. Attacker spoofs the MAC address of Joe’s wireless laptop and attempts to authenticate to AP2.

3. AP2 sends updated MAC address info to the network routers and switches, which in turn update their routing and switching tables.

4. Traffic now destined from the network backbone to Joe’s system is no longer sent to AP1...

5. ...but, instead, sent to AP2.


Figure 12-12: Selecting a NIC for Ettercap NG to use.

Figure 12-13: Selecting the MITM attack of your choice in Ettercap NG.

Again, note how simple it is to achieve a MITM attack. At this point, you can use Ettercap NG and your favorite network analyzer to capture your victim system’s data — or launch other attacks of the type mentioned in this section.

SNMP: That’s Why They Call It Simple

Simple Network Management Protocol (SNMP) is a protocol built in to virtually every network infrastructure device — both wireless and wired. Everything from switches to routers to servers to APs can be managed via SNMP. There are various network-management programs such as HP OpenView (www.managementsoftware.hp.com), LANDesk (www.landesk.com), and Silverback Technologies (www.silverbacktech.com) that use SNMP for remote network-host management. Their capabilities are especially helpful in wireless networks when you’re trying to manage what’s happening on your airwaves. Unfortunately, they all depend on SNMP — which presents various security vulnerabilities.

The problem is that most wireless APs run SNMP as is — not locked down from the elements. In fact, most APs have SNMP enabled when it doesn’t need to be. If SNMP is compromised, a hacker can gather network information and use it to attack your systems. If a hacker is trying to attack your wireless network and SNMP shows up in her port scans, you can bet she’ll try to compromise the system.

Figure 12-14 shows how GFI LANguard Network Security Scanner was able not only to detect that SNMP is enabled on a Cisco Aironet AP but also to glean some basic information from it.

In Figure 12-15, the QualysGuard vulnerability-assessment tool discovered that this same AP has writeable SNMP information due to an insecure SNMP community name. This could be especially bad if you’re trying to manage such an AP and an attacker is able to modify its settings!

If you want to perform a quick-and-dirty test to see whether SNMP is running on a host, perform a port scan and look to see if UDP port 161 is open. If it is, then SNMP is alive and well — and vulnerable — on the host system.
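A configuration-side check for the weaknesses this section describes. The Python below is an added example, not code from the book or from the UCD-SNMP/net-snmp project: it parses the `rocommunity`/`rwcommunity` lines of a net-snmp style snmpd.conf (the assumption here is that the AP or host uses that syntax; the exact directives vary by vendor) and reports factory-default community names, write access like the writeable information QualysGuard found above, missing source-address restrictions, and short strings. Both the weak and the hardened fragment are constructed for the example.

```python
import re

# Constructed net-snmp style snmpd.conf fragments (assumption for this
# example: the AP or host uses the rocommunity/rwcommunity syntax).
WEAK_CONF = """\
# factory defaults left in place
rocommunity public
rwcommunity private
"""

HARDENED_CONF = """\
# read-only, non-default string, answered only for the management subnet
rocommunity n0t-gu3ss4ble 10.10.0.0/24
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(r"^(rocommunity|rwcommunity)\s+(\S+)(?:\s+(\S+))?")

def audit_snmpd_conf(text, min_length=12):
    """Return (severity, message) findings for every community directive:
    default community name, write access, unrestricted source, short string.
    Other directive styles (com2sec/group/access) are not parsed here."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        directive, community, source = m.groups()
        if community in DEFAULT_COMMUNITIES:
            findings.append(("high", f"{directive}: default community name '{community}'"))
        if directive == "rwcommunity":
            findings.append(("high", f"rwcommunity grants write access via '{community}'"))
        if source is None:
            findings.append(("medium", f"{directive} '{community}' answers any source address"))
        if len(community) < min_length:
            findings.append(("low", f"{directive}: community '{community}' shorter than {min_length} chars"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit_snmpd_conf(conf):
            print(f"[{severity}] {message}")
```

The hardened fragment produces no findings because it is read-only, uses a non-default string and only answers the management subnet; the best fix for an AP that does not need SNMP at all is still to turn the agent off, which no community string can substitute for.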

Figure 12-14: LANguard Network Security Scanner discovered SNMP information.


Figure 12-15: QualysGuard discovered that SNMP information is writable.

Various other utilities — both Windows- and UNIX/Linux-based — can enumerate SNMP on APs and other wireless hosts:

Windows GUI-based Getif (www.wtcs.org/snmp4tpc/getif.htm)

Windows text-based SNMPUTIL (www.wtcs.org/snmp4tpc/FILES/Tools/SNMPUTIL/SNMPUTIL.zip)

UCD-SNMP (www.ece.ucdavis.edu/ucd-snmp)

If you have APs with default SNMP enabled on your wireless network, the best-case scenario is that an attacker will be able to enumerate those systems and glean AP information such as system uptime, hardware model number, and firmware revision as shown in Figure 12-16. And that’s a best case.


Figure 12-16: General SNMP information gathered using getif.

An attacker can use getif or a similar tool to glean information such as MAC addresses that have associated with the AP — and even snag AP usernames for HTTP management, as shown in Figure 12-17.

This information is certainly not what you need to be advertising to the outside world. But you knew that. What you may not have known is that it’s already out there.

The worst-case scenario is that you’ll have one or more APs running a seriously vulnerable implementation of SNMP version 1 that can lead to DoS attacks, unauthorized access, and more. For a list of vendors and products that are affected by the well-known SNMP vulnerabilities, check out www.cert.org/advisories/CA-2002-03.html.

Figure 12-17: HTTP user IDs gleaned via getif’s SNMP browsing function.


All Hail the Queensland Attack

A relatively new attack against the 802.11 protocol showed up Down Under in May 2004, discovered by researchers at Queensland University of Technology’s Information Security Research Centre (www.kb.cert.org/vuls/id/106678) in Australia. This attack, initially referred to as the Clear Channel Assessment attack, affects the Direct Sequence Spread Spectrum function that works as part of 802.11’s Carrier-Sense Multiple Access/Collision Avoidance (CSMA/CA) protocol that manages the wireless communications medium. This attack is often called the Queensland Attack — crediting the researchers who discovered it.

Wireless systems (clients, APs, and so on) use CSMA/CA to determine whether or not the wireless medium is ready and the system can transmit data. The Queensland attack exploits the Clear Channel Assessment (CCA) function within CSMA/CA and basically makes it appear that the airwaves are busy — effectively preventing any other wireless system from transmitting. This denial of service is accomplished by placing a wireless NIC in continuous transmit mode.

With the right tool, the Queensland Attack is relatively simple to execute. It can wreak havoc on a wireless network, effectively bringing it to its knees. There’s very little that can be done about it, especially if the attacker’s signal is more powerful than that of your wireless systems. That’s no problem for hackers equipped with a high-powered wireless NIC combined with a high-gain antenna (see Chapter 13 for more information). Combine an easily overpowered network with the fact that 802.11 systems use a shared medium to communicate, and you have the makings of a very effective attack.

All it takes for an attacker to run such an attack against your wireless systems is to run an old Prism chipset-testing program called Prism Test Utility (PrismTestUtil322.exe). This program was previously available for public download on Intersil’s Web site — and it’s still easy to find elsewhere with a basic Internet search, so it’s probably not going away any time soon. This attack can just as easily be carried out with other hardware tweaking as well.

Although the Queensland Attack exploits an 802.11 protocol issue, it could just as easily be considered a DoS attack, given its outcome (big-time denial of service). Refer to Chapter 13 for an in-depth look at various wireless DoS attacks.


Sniffing for Network Problems

As we’ve demonstrated in various other chapters in this book, a wireless network analyzer (sniffer) is a tool that allows you to look into the network and analyze data going across the airwaves for network optimization, security, and/or troubleshooting purposes. Like a microscope for a lab scientist, a wireless network analyzer is a must-have tool for any security professional performing ethical hacks against wireless networks.

A network analyzer is just software running on a computer with a network card. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined to the network analyzer host. The network analyzer performs the following functions:

Captures all network traffic

Interprets or decodes what is found into a human-readable format

Displays it all in chronological order

There are literally dozens of neat uses of a wireless sniffer beyond capturing cleartext communications and searching for SSIDs. Such a program can help with:

Viewing anomalous network traffic and even tracking down intruders.

Developing a baseline of network activity and performance before a security incident occurs.

The next section outlines specific network information to look for.
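The "interprets or decodes" and "displays in chronological order" functions above, as an added Python example that is not from the book or from any of the analyzers it lists: it parses the fixed 24-byte 802.11 MAC header (frame control, duration, the three addresses and sequence control) of constructed sample frames, reads the reason code that follows the header in Deauthenticate/Disassociate frames, and returns the records oldest first. The sample frames, timestamps and MAC addresses are constructed here; the bit layout is the standard 802.11 header, which is the same for management, control and data frames.

```python
import struct

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def decode_80211_header(frame):
    """Decode the fixed 24-byte 802.11 MAC header: frame control (version,
    type, subtype, flags), duration, addr1-3 and sequence control. For
    Deauthenticate/Disassociate frames the 2-byte reason code that follows
    the header is decoded as well."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte MAC header")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # both little-endian
    version = fc & 0x3
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8                                     # second frame-control byte
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    info = {
        "version": version,
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else str(subtype),
        "duration": duration,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08),
        "protected": bool(flags & 0x40),    # WEP/WPA-encrypted payload
        "addr1": mac_str(frame[4:10]),      # receiver
        "addr2": mac_str(frame[10:16]),     # transmitter
        "addr3": mac_str(frame[16:22]),     # BSSID for management frames
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0xF,
    }
    if ftype == 0 and subtype in (10, 12) and len(frame) >= 26:
        info["reason_code"], = struct.unpack_from("<H", frame, 24)
    return info

def decode_capture(records):
    """Decode (timestamp, frame_bytes) records and return them oldest first,
    which is the analyzer's 'display in chronological order' step."""
    return [(ts, decode_80211_header(raw)) for ts, raw in sorted(records, key=lambda r: r[0])]

# --- constructed sample frames (assembled here, not captured) ---
def build_sample_frame(fc_byte, flags, addr1, addr2, addr3, seq, body=b""):
    header = bytes([fc_byte, flags]) + struct.pack("<H", 314)   # duration 314 us
    header += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    header += struct.pack("<H", seq << 4)                        # fragment number 0
    return header + body

AP = "00:40:96:aa:bb:cc"
CLIENT = "00:09:5b:11:22:33"
WIRED_HOST = "00:11:22:33:44:55"
BCAST = "ff:ff:ff:ff:ff:ff"
CAPTURE = [
    (0.000, build_sample_frame(0x80, 0x00, BCAST, AP, AP, 10)),        # beacon
    (0.512, build_sample_frame(0xC0, 0x00, CLIENT, AP, AP, 11,
                               struct.pack("<H", 7))),                 # deauth, reason 7
    (0.300, build_sample_frame(0x08, 0x01, AP, CLIENT, WIRED_HOST, 5)), # data, To-DS set
]

if __name__ == "__main__":
    for ts, info in decode_capture(CAPTURE):
        print(f"{ts:8.3f} {info['type']:4} {info['subtype']:8} {info['addr2']} -> {info['addr1']}")
```

Reason code 7 in the sample is the standard "class 3 frame received from a non-associated station" value; a monitor that decodes this field can tell a station leaving voluntarily from a flood of forged disconnects, which is the kind of anomalous traffic the next section says to watch for.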

Network-analysis programs

You can use one of the following programs for network analysis:

AiroPeek and AiroPeek NX by WildPackets (www.wildpackets.com): It delivers a ton of features that the higher-end network analyzers of yesterday have — for a fraction of their cost. AiroPeek is available for the Windows operating system.

CommView for WiFi (www.tamos.com/products/commwifi): Again, very feature-rich, especially given its low price. It also includes a packet generator that can really come in handy. See Chapter 13 for more details on using this feature of CommView for WiFi. CommView for WiFi is available for the Windows operating system.


AirMagnet Laptop Analyzer (www.airmagnet.com/products/laptop.htm): This program is great for wireless security testing as well. It has a great user interface and is very easy to use. AirMagnet Laptop Analyzer is available for the Windows operating system.

AirDefense Mobile (www.airdefense.net/products/admobile): Similar to each of the programs in this list, AirDefense Mobile offers a wide range of features, all within an easy-to-use GUI interface. AirDefense Mobile is available for the Windows operating system.

Ethereal (www.ethereal.org): Ethereal is a great open-source (free) program, especially if you need a quick fix and don’t have your test system nearby. It’s not as user-friendly as many other programs, but it is very powerful if you’re willing to learn its ins and outs. Ethereal is available for both Windows- and UNIX-based operating systems.

A slew of other wireless network analyzers are available as well, including Kismet, many of which we cover in other chapters. A general rule of thumb is that you get what you pay for. Don’t worry about whether you’re using the right network analyzer. The right network analyzer is the one that works best for you — the one that feels the most comfortable and the one that does what you need it to do — after you’ve done some careful experimenting.

Network analyzer tips

Before getting started, configure your network analyzer to capture and store the most relevant data. If your network analyzer permits it, configure your network analyzer software to use a first-in, first-out buffer. This overwrites the oldest data when the buffer fills up, but it may be your only option if memory and hard-drive space are limited on your network-analysis computer.

Also, if your network analyzer permits it, record all the traffic into a capture file and save it to the hard drive. This is the ideal scenario — especially if you have a large hard drive (50GB or bigger).

You can easily fill a several-gigabyte hard drive in next to no time, so don’t capture all packets unless absolutely necessary.

Often the most practical way to use a network analyzer is to just let it run in monitor mode if your analyzer supports it — capturing overall statistics of the network (SSIDs, channels used, active nodes, protocols seen, and so on) without capturing every single packet. You can often glean enough information from a network analyzer’s monitor mode to look for security weaknesses. Just keep in mind that you may need to let your network analyzer run for quite a while — from a few minutes to a few days — depending on what you’re looking for.