One of the problems with wireless security is that you don't need expensive tools to break into a wireless network. All you need in your toolbox is a computer, a wireless card, some suitable software, and perhaps a good antenna for receiving wireless signals.
The following is a list of software that you can use to detect wireless networks, sniff wireless packets in transit, and much more. These tools have numerous legitimate uses, such as detecting unauthorized access points, intrusion detection, network traffic analysis, and debugging networked applications such as a web server.
NetStumbler is a free application that allows you to detect the presence of wireless networks. Using NetStumbler, you can obtain information about a particular access point, the SSID used, whether WEP is enabled, and so on. Coupled with a GPS, you can even pinpoint the location of an access point. NetStumbler is often used for Wardriving, site surveys, and detecting rogue access points.
AiroPeek is a wireless LAN analyzer from WildPackets. It is an extremely powerful wireless LAN analyzer that most security professionals use (be forewarned, this package costs $3499!). AiroPeek is able to sniff raw wireless packets transmitted through the air, which is why protecting your wireless network with 802.1X, a VPN, SSH, or even WEP is important. Data packets that are not encrypted can easily be sniffed by AiroPeek.
Ethereal is a free network protocol analyzer for Unix and Windows computers. It is similar to AiroPeek in that it allows you to sniff wireless (and wired) packets in transit. Many network protocols are susceptible to sniffing in this manner. For example, Telnet and FTP both send passwords as plaintext (for secure alternatives, see Section 4.3, earlier in this chapter). Figure 4-36 shows an Ethereal session capturing an FTP password.
AirSnort is a wireless LAN analyzer with the capability of recovering WEP keys. It does so by passively collecting packets that have been transmitted. After collecting enough packets, AirSnort is able to recover the WEP key.
All this software works in Windows XP, except for AirSnort, which runs on Linux. A Windows version is in the works, but for now, only Linux is supported.
Most wireless access points provide some degree of protection against unauthorized access to the network. Here are a few common features found in most consumer access points:
Disabling SSID broadcast causes the access point to suppress the broadcast of SSID information to wireless clients. In order to join the wireless network, a wireless client needs to manually specify the SSID that the network uses, or else it will not be able to associate with the access point.
Most access points support MAC address filtering by allowing only network cards with the specified MAC addresses to be associated with them. In a small network, this is feasible but it becomes administratively prohibitive in a large network. Note that MAC address filtering authenticates a device, not a user.
IP filtering works just like MAC address filtering, but instead filters computers based on IP addresses.
NAT allows multiple computers to connect to the Internet by sharing a single public IP address. One side effect of this is that computers within the internal network are shielded against the outside parties, since the IP addresses used are only valid within the network.
As 802.1X gains acceptance, expect to see support of 802.1X in consumer access points, not just enterprise-level access points. Check with your vendor to see if your access point supports 802.1X authentication (or can be upgraded to do so via a firmware upgrade).
In the following sections, I discuss some of the common techniques used for securing wireless networks, and their effectiveness.
While MAC address filtering can prevent unauthorized network devices from gaining entry to a network, there are two problems with it:
It is the device that is authenticated in MAC address filtering, not the user. Hence if a user loses the network card, another user who picks up the network card is able to gain access to the network without any problem.
MAC addresses can easily be spoofed. Using AiroPeek, it is easy to impersonate the MAC address of another device. Also, if you are a little adventurous, you can try changing the MAC address of your wireless card manually in Windows XP. Visit http://www.klcconsulting.net/Change_MAC_w2k.htm for more information.
Disabling SSID broadcast prevents uninvited users from accessing the network. However, there are two fundamental flaws with this approach:
It is not difficult to guess the SSID of a network. Most users deploy wireless networks using the default SSID that comes with the access point. It is too easy to guess the SSID of a wireless network based on hints like the brand of the access point, or from clues like the thrown-away box of the access point.
When you disable SSID broadcast, the access point does not broadcast the SSID information. However, as soon as one user connects to the access point using the known SSID, it is possible to sniff the SSID that is transmitted in the network. Hence this method is only secure if there is no user on the network; but as soon as one user is on the network, the SSID is no longer a secret.
As we have discussed, WEP has some fundamental flaws that make it prone to hackers. For example, AirSnort can recover the WEP key after collecting a sizeable number of packets from the wireless network.
Even though WEP is not secure, it is still advisable to use it to at least make it somewhat difficult to breach your network. Site surveys will often show that the majority of wireless networks do not use WEP! Using AiroPeek or Ethereal, it is very easy to examine the data transmitted across the air.