Hacking Wireless Networks For Dummies
.pdf
30 |
Part I: Building the Foundation for Testing Wireless Networks |
Each step has associated tasks that provide more detail and specific tests. As well, each step has a table that outlines the expected results. For example, expected results for Step 3 include these:
Verification of the organization’s security policy and practices — and those of its users.
Identification of the outermost physical edge of the wireless network.
Identification of the logical boundaries of the wireless network.
Enumeration of access points that lead into the network.
Identification of the IP-range (and possibly DHCP-server) of the wireless network.
Identification of the encryption methods used for data transfer.
Identification of the authentication methods of exploitable “mobile units” (that is, the clients) and users.
Verification of the configuration of all devices.
Determination of the flaws in hardware or software that facilitate attacks.
Obviously, you need to cut and paste these tests according to your needs. For instance, should your organization not have infrared, then you would skip Step 11.
The OSSTMM is available from www.isecom.org/osstmm/.
With resources like these, you have a methodology — and everything you need to map out your plan. But rather than leave you hanging there, the rest of the book shows you how to work through a methodology. In Chapter 3, you develop a methodology for a review. In Chapter 4, you select your weapons of mass disruption. Chapters 6 through 16 show you how to use the tools to test your security posture. The only thing left after that is to evaluate your results. So . . .
Chapter 3
Implementing a Testing
Methodology
In This Chapter
Appreciating the importance of formal procedures
Finding out what others can easily see
Scanning for live systems
Enumerating wireless systems to see what’s running
Finding and exploiting the security holes
Before you start testing your wireless network for security vulnerabilities, it’s important to have a formal, ordered methodology in place. Ethical
hacking is more than just running a wireless-network analyzer and scanning willy-nilly for open ports. There are some formal procedures that should be incorporated into your testing to do it right and get the most of it — these, for example:
Gathering public information such as domain names and IP addresses that can serve as a good starting point
Mapping your network to get a general idea of the layout
Scanning your systems to see which devices are active and communicating
Determining what services are running
Looking for specific vulnerabilities
Penetrating the system to finish things off
The next few sections discuss these points in greater detail. By planning things out (in the ways we covered in Chapter 2) and having specific goals and methods — even checklists — you’ll know where you’re headed and you’ll know when your testing is complete. It’ll make your job a lot easier, and document the steps you take. Speaking of which . . .
32 |
Part I: Building the Foundation for Testing Wireless Networks |
Keep a log of what you do and when. Your logging can be more thorough if you take screen captures with a tool such as SnagIt (available at www.tech smith.com). Such visual samples come in handy when you know you won’t be able to reproduce the same information on your screen again. Logging can be helpful if you need to go back and look at which tests you ran, figure out what worked and what didn’t, or refer to special notes. It’s also just the professional thing to do, and wise in case any problems crop up. For instance, you can show your boss or client what you did and when you did it if he needs to track a potential security intrusion.
When you’re performing any type of information-security testing, it’s important to work methodically and make sure you’re running the right tests on the right systems. This will help ensure you find the greatest number of security weaknesses. A nice side benefit is that it can minimize sloppiness and help keep you from crashing your systems.
Ethically hacking your wireless network requires testing your systems with a pretty specific goal in mind: a more secure network (well, yeah). Getting there involves looking at your wireless systems from many perspectives — including that of a hacker outside your work area and that of a regular user inside your work area.
Be flexible in your methodology. You must adapt the rules of warfare to your enemy. No security-testing parameters are set in stone. The bad guys are using the latest tools, so you need those tools. They’re breaking in from across the street, so you need to test from across the street. They’re searching for network-configuration information from across the Internet — and you should, too. No two ethical hacks are alike; you may need to adjust your procedures if the need arises.
Determining What Others Know
Hackers start out by poking and prodding their victims’ systems to find weaknesses — and you should, too. Look at your network from an outsider’s perspective; find out what’s available to just about anyone. This is even more important in the wireless realm because we don’t have the added veil of physical security (as we do with our hard-wired systems).
What you should look for
Here’s what you need to search for to get started with your wireless network testing:
Chapter 3: Implementing a Testing Methodology |
33 |
Radio-signal strength
Specific SSIDs that are being broadcast
IP addressing schemes
Encryption such as WEP or VPN traffic
Hardware makes and models
Software versions
Footprinting: Gathering what’s in the public eye
The first formal step in your ethical-hacking methodology is to perform a high-level network reconnaissance called footprinting. If you’re performing a broader information-security assessment (the sort Kevin covered in Hacking For Dummies), you may want to search for things like employee names, patents and trademarks, or company files. You can gather this information through places such as your organization’s Web site or the U.S. Patent and Trademark Office Web site (at www.uspto.gov), or by using a search engine such as Google (www.google.com). Because wireless networks are more infrastructure-based and localized, publicly available information might not be as prevalent as it is for your other network systems. It still pays to take a gander and see what’s out there.
Searching with Google
An excellent tool to get started with this process is Google. In fact, Google is one of our favorite tools for performing security assessments in general. It’s amazing what you can do with it. You can perform a ton of Web and newsgroup queries to search for information about your wireless systems. You can perform keyword searches and more detailed queries (using Google’s advanced tools) to look for network configuration information and more that has been accidentally or intentionally made public on the Internet. This information can give a hacker a leg up on attacking your wireless systems. For example, using advanced queries in Google, you can search for:
Word-processing documents
Spreadsheets
Presentations
Network diagrams
Network Stumbler mapping files
Network-analysis packet files
34 |
Part I: Building the Foundation for Testing Wireless Networks |
Foundstone has a neat Google query tool that performs some advanced
Google queries that you might not have thought up on your own at
www.foundstone.com/resources/freetools.htm
We show you how to put Google to work for you with various tests we’ll outline in later chapters.
Searching Wi-Fi databases
The next area to search for information about your wireless systems is online Wi-Fi databases. These databases contain information such as SSIDs, MAC addresses, and more on wireless APs that have been discovered by curious outsiders. To get an idea what we’re talking about, browse to the WiGLE database at
www.wigle.net/gps/gps/GPSDB/query/
and see if any of your APs are listed. (You’ll have to register if you’re a firsttime visitor.) Once in, you can submit various search options as shown in Figure 3-1.
Figure 3-1:
Wirelessquery options of the WiGLE database.
Chapter 3: Implementing a Testing Methodology |
35 |
You can also check to see whether your AP is listed at another wireless lookup site at www.wifimaps.com.
You should also look up your domain name(s) at www.whois.org and your IP addresses at the American Registry for Internet Numbers (ARIN) site http:// ws.arin.net/cgi-bin/whois.pl. These databases may be providing information about your wireless systems that you’re not aware of or should not be advertising altogether.
Mapping Your Network
When you’re satisfied that you’ve gotten a general view of what the general public can find out about your network without breathing hard, the next step is to create a network map to show how your wireless systems are laid out. You should do this from both inside and outside your network. That’s necessary because wireless networks have a third dimension — the radio wave dimension — and tossing out all those radio waves allows them to be discovered from either side of your firewall or physical building. This allows you not only to see internal and external configuration information but also to see configuration information specific to wireless radio waves that are transmitted both “inside” and “outside” the network.
Compared to the way a typical wired network does its job, a wireless network opens a whole new dimension. Radio waves are like a virtual “third dimension” that can (in effect) allow hackers to jump over conventional boundaries.
Here are some suggestions for the best tools to help you map your network:
Network Stumbler: The best tool to get started creating both internal and external maps of your wireless APs is Network Stumbler (www.net stumbler.com/downloads). This Windows-based tool allows you to scan the airwaves from outside your building to see what any hacker sitting in the parking lot or driving by can see. You can also run it from inside the confines of your building to look for any additional wireless APs that don’t belong. Figure 3-2 shows the information that Network Stumbler can gather about your wireless network. (Note that the MAC addresses and SSIDs have been concealed to protect the innocent.)
AiroPeek: A full-blown wireless network analyzer, or sniffer, AiroPeek (www.wildpackets.com/products/airopeek) is another great tool for gathering network map information. We demonstrate its features in later chapters.
36 |
Part I: Building the Foundation for Testing Wireless Networks |
Figure 3-2:
Network
Stumbler, showing various data on APs it has
discovered.
Cheops-ng and QualysGuard: You’ll want to gather not only information transmitted via RF but also any information about the wireless network that’s only accessible via the internal wired network infrastructure. To do this bit of collecting, you can use a tool such as the open-source Cheops-ng (http://cheops-ng.sourceforge.net) or the commercial QualysGuard (www.qualys.com). Using either tool, you can create a network map of the inside of your network, which helps lay out the general IP addressing schemes and internal hostnames. You can also do this sort of mapmaking from outside your network to determine the names, external IP addresses, and registered domain name system (DNS) hostnames of publicly available hosts. Both methods give your wireless network more of a backbone, so to speak.
nmap and fping: The other network mapping utilities in this list often utilize the Internet Control Message Protocol (ICMP) to determine which systems are “alive” on the network. Another way you can do this is by performing a ping sweep of your network, using a utility such as nmap (www.insecure.org/nmap) for Windows computers or a utility such as fping (www.fping.com) for UNIX and Linux. As shown in Figure 3-3, these tools won’t create pretty graphical layouts of your network (that’s the sort of thing you get from the network-mapping programs) but they’re still very beneficial.
Figure 3-3: nmap ping sweep, showing which systems are alive on a network.
Chapter 3: Implementing a Testing Methodology |
37 |
On the outside looking in
It may seem tricky to try and scan your network from the “outside” — that is, from the public Internet. This is actually pretty simple. All you need is an available public IP address that you
can assign to your test computer and plug in on the “public” side of your firewall or router that is connected directly to the Internet.
Note that the utilities we’ve mentioned in this section aren’t necessarily going to be able to decipher which live systems are wireless and which ones are wired. It’s up to you to determine which IP networks, IP addresses, and specific hostnames belong to your wireless devices. (You do have a recent network diagram, don’t you? Just checking.)
Now you know which systems are alive on your network. The next step is to scan wireless systems for more information, such as open ports, hostnames, and more.
Scanning Your Systems
You’ve already gathered the higher-level information about your wireless systems such as SSIDs and IP addresses. You can find out more through a process called enumeration. Enumeration is when you examine a system and make an actual list of all the details you can discover about what it does and how. With enumeration, you can find
Live wireless hosts (APs and ad-hoc clients)
RF signal strength
Whether WEP encryption is enabled
Which network ports are open on wireless APs and clients
Network Stumbler, the friendly network-mapping tool mentioned a bit earlier, can not only find live wireless hosts (APs and ad-hoc clients), but it can also grab more in-depth information — for example, RF signal strength and whether WEP encryption is enabled. No surprise that Network Stumbler is a good tool for enumeration.
You can also get a little more in-depth goodies by using a port scanner such as nmap or SuperScan to poke and prod the network, looking to find out what network ports are open on your wireless APs and clients. You can find SuperScan at
38 |
Part I: Building the Foundation for Testing Wireless Networks |
www.foundstone.com/resources/proddesc/superscan.htm
Check your software licenses — even on free software — to make sure you’re abiding by their restrictions. Many licenses state that the software cannot be used for commercial purposes. If you’re doing your own internal testing, that might be okay, but testing wireless networks for paying clients is likely a nono with this type of license limitation.
This port-scanning information helps create an even more detailed picture of what’s available on your wireless network. No wonder hackers love it. This information gives them just what they need to try to exploit a ton of potential vulnerabilities on your systems. Table 3-1 outlines the ports that we often find open and vulnerable to attack, so be on special lookout for these.
Table 3-1 |
Commonly Hacked Wireless Network Ports |
|
Port Numbers |
Service |
Protocols |
20 |
FTP data (File Transfer Protocol) |
TCP |
|
|
|
21 |
FTP control |
TCP |
|
|
|
22 |
SSH |
TCP |
|
|
|
23 |
Telnet |
TCP |
|
|
|
25 |
SMTP (Simple Mail Transfer Protocol) |
TCP |
|
|
|
53 |
DNS (Domain Name System) |
UDP |
|
|
|
80 |
HTTP (HyperText Transfer Protocol) |
TCP |
|
|
|
110 |
POP3 (Post Office Protocol version 3) |
TCP |
|
|
|
135 |
RPC/DCE end point mapper for |
TCP, UDP |
|
Microsoft networks |
|
|
|
|
137, 138, 139 |
NetBIOS over TCP/IP |
TCP, UDP |
|
|
|
161 |
SNMP (Simple Network |
TCP, UDP |
|
Management Protocol) |
|
|
|
|
443 |
HTTPS (HTTP over SSL) |
TCP |
|
|
|
512, 513, 514 |
Berkeley r commands (such as rsh, |
TCP |
|
rexec, and rlogin) |
|
|
|
|
1433 |
Microsoft SQL Server |
TCP, UDP |
|
|
|
1434 |
Microsoft SQL Monitor |
TCP, UDP |
|
|
|
3389 |
Windows Terminal Server |
TCP |
|
|
|
Chapter 3: Implementing a Testing Methodology |
39 |
Determining More about What’s Running
Performing port scans on your wireless network can snag a good amount of detail about how your system is set up and how it works — and knowledge is power. This power can be used to help you or used to harm you. But guess what? Once you know which ports are open, you (or somebody who isn’t you) can find out even more details about the configuration of your wireless systems. Again, we’re thinking like a hacker here — building a picture of what’s available to be hacked.
By connecting to the open ports on your live systems, you can obtain even more in-depth enumeration information, such as:
Acceptable usage policies and login warnings (or lack thereof) on banner pages
Software and firmware versions (returned via banners or error messages)
Operating-system versions (returned via banners, errors, or unique protocol fingerprints)
Configurations of your operating system and applications
If by connecting to open ports you end up discovering a ton of exploitable information about your APs, workstations, and servers, don’t panic. Many of your wireless systems may not be public-facing, so the likelihood of you having a lot of wireless devices with public IP addresses is low — at least it should be. However, you may have wireless hotspots or wireless-based servers that must be kept publicly accessible. These systems are usually reachable by an attacker — even through firewalls or other protective measures — and obtaining configuration information from them is not very difficult. This accessibility may entail some unavoidable vulnerability — a necessary evil if you want your network to do actual, useful work (what a concept).
Regardless, keep in mind that all this information can be used against you; eternal vigilance is the price of productivity. That leads us to performing an actual vulnerability assessment where you discover true vulnerabilities that can be exploited, which findings are false-positives, and which issues don’t really matter.
Performing a Vulnerability Assessment
Now that you’ve found potential “windows” into your wireless network, the next step is to see whether any bigger vulnerabilities exist. In essence, you connect to the wireless systems and make a discreet, methodical attempt to