Reconnaissance Attacks
The most obvious security problem with wireless LANs is also their chief virtue: Data can be received by anyone who is anywhere in range of the signal. The signal passes through walls, outside buildings, and off property boundaries. Attackers can both capture and transmit wireless signals provided they are within range. Powerful antennae allow attackers to receive and transmit 802.11 packets from up to several miles away.
Note
An attacker uses reconnaissance to discover and analyze the targets of his attack. During this analysis, he tries to determine what protocols and security mechanisms are being used so that he can choose which tools to use to attack them. Although sniffing and wardriving are not attacks and have legitimate purposes for system administrators, they can serve as the reconnaissance stage of an attack.
Sniffing and SSIDs
Sniffing is a general networking term that refers to eavesdropping packets on any medium, but it is especially easy over the airwaves. In the wireless medium, sniffing is undetectable. Several groups have written free drivers to perform sniffing on most of the major vendors' client adapters. There are also commercial sniffing tools. The chipsets most commonly used for sniffing are Prism2 (used by Linksys, D-Link, SMC, and others), Orinoco (used by Lucent), and Aironet (used by Cisco). Many of the free drivers allow the sending of any packets the attacker wants.
Service Set Identifiers (SSIDs) are sometimes touted as a security mechanism to keep outsiders off your network. However, they were not designed as security mechanisms. SSIDs should be thought of as a method of separating wireless networks for convenience only. SSIDs are broadcast in beacons from APs and in probes from stations. Tools such as Network Stumbler, Kismet, and Wellenreiter sniff and record SSIDs that they hear. Most vendors allow SSID broadcasts to be turned off. This can lower your profile for random drive-by attacks, but several tools sniff SSIDs from association packets, which must still include the SSID in the clear. At least one vendor has a security solution that treats SSIDs as an access control mechanism. Such "closed" networks are secure only in name.
In Figure 6-1, a packet capture shows the SSID 5ECUR3w3p5TOR3 in a probe packet.
Figure 6-1. Packet Dump Showing a Cleartext SSID
This odd SSID is hard to type, so it appears that it is being used for access control. Hopefully, the site using this SSID does not use the obscure string for security, because anybody can sniff it.
Sniffing Tools
One of the best ways to figure out what is happening on a network is sniffing. Sniffing is useful for both attackers and defenders of a network, and as a result, there are a wide variety of tools to do this. Some of these tools are commercial, and some are available free of charge, usually with open-source code.
Sniffing tools must perform two key functions: packet capture and useful packet analysis and display. Some of the open-source tools only capture packets, but most of the tools perform some level of display.
Packet analysis is a key reconnaissance tool for an attacker. By analyzing probe packets, an attacker can determine what capabilities a network has. By analyzing captured packets, an attacker can also sometimes discover interesting information such as usernames or other confidential information. Packet capture is also important, especially for some of the WEP key-cracking attacks described later. An attacker can capture traffic and analyze it or run cracking tools on it later.
For a network administrator, packet analysis can be useful for determining whether a network is configured correctly. From a security perspective, he can also use it to determine whether attacks are taking place. This is usually too time consuming to do by hand and relies on specialized software to analyze the data.
Prismdump
Prismdump is a text-based, freeware Linux tool that allows sniffing with Prism2 chipset-based cards. It only performs packet capture and is not capable of analysis. It dumps packets in a pcap format, which each of the next two tools can read. The open-source software community uses pcap as a de facto standard format for files of packets. Prismdump's reliability makes it valuable for packet capture.
Ethereal and Tcpdump
Ethereal (http://ethereal.com) and tcpdump (http://tcpdump.org) are network sniffers based on the libpcap (http://tcpdump.org) packet capture library. Both are open-source tools that are available free of charge. Tcpdump is text based, whereas Ethereal can be used in text or GUI mode. Tcpdump is primarily useful for packet capture because it does not allow for graphical analysis of packets. It has some powerful filtering capabilities that can permit selective packet capture. Ethereal's graphical user interface makes it a great tool for viewing captured packets and becoming familiar with the structure of wireless protocols. Figure 6-1 shows Ethereal's interface.
Commercial Sniffers
Several commercial tools can capture and display wireless packets. The two most widely used are AiroPeek from WildPackets and Sniffer Wireless from Network Associates.
Wardriving and Its Tools
Wardriving is a term that refers to surveying wireless networks, typically from a car. The term goes back to wardialing, which is an old technique for finding computer modems by automatically dialing thousands of numbers. Wardriving has been made easy by programs such as Network Stumbler and Wellenreiter, which use consumer WiFi cards to automatically scan the airwaves for networks. Sites such as http://netstumbler.com have online databases of unprotected wireless networks. These wardriving programs and databases are often correlated with global positioning system (GPS) data so that physical maps of these networks can be made. Websites sell cheap antennae and describe how to make your own. Therefore, all it takes for your network to become a potential target is for someone to wardrive by it and post it on a website.
Note
Warchalking is the practice of signposting open access points, often with chalk or spray paint on a sidewalk or wall. Most often, the owners of these devices do not intend for the public to access them and are simply ignorant of their insecure configuration. If you find one of the warchalk symbols in Figure 6-2 on your sidewalk, you might want to check that your wireless configuration is secure. Some public wireless access hotspots have even started incorporating the warchalking symbols in their signage. Warchalking is documented at http://www.warchalking.org.
Figure 6-2. Standard Set of Basic Warchalking Symbols
Warstrolling is simply walking around with wireless equipment looking for networks. Some have even done warflying by mounting antennas on a plane and flying around a city.
Network Stumbler and Mini Stumbler
Network Stumbler (http://netstumbler.com) is a popular tool. It is Windows-based and is easy to use. It records SSIDs in beacons it sniffs and can interface with various GPS systems to make a spatial database. This data can be used to create maps of networks. Mini Stumbler is a version that runs on PDAs running PocketPC. PDAs are easy to conceal, and an attacker can use them for surreptitious warstrolling in an environment where having a laptop might look suspicious. Figure 6-3 shows Network Stumbler in action.
Figure 6-3. Network Stumbler Displays the Networks It Has Discovered
Macintosh Tools
MacStumbler (http://www.macstumbler.com) is unrelated to Network Stumbler and brings wardriving capability to the Macintosh. It works by sending out probe requests and listening for responses. It cannot discover "closed" networks, which don't respond to probes.
KisMAC (http://www.binaervarianz.de/projekte/programmieren/kismac) is another Macintosh wardriving application. It has good mapping capabilities and a good user interface. KisMAC is not related to the next tool, despite the similar name.
Kismet
Kismet (http://kismetwireless.net) is a powerful Linux-based wardriving tool. It sniffs and displays networks and clients and can use most client cards, including cards based on the Aironet, Orinoco, and Prism2 chipsets.
The software records ESSIDs, BSSIDs, channels, signal levels, and any IP addresses seen in the traffic. Like Network Stumbler, it can integrate with GPS devices and add location data to its records. It has a fun feature that uses a voice generator to read out names of networks as they are discovered. This is an "eyes-free" feature for drivers.
Kismet can dump printable strings (which might include passwords). For an attacker, this is a key advantage over Network Stumbler. Kismet saves several files for each session, including a list of networks in both CSV and XML format, a listing of Cisco CDP packets, a dump of all packets sniffed during the session, and a dump of weak initialization vectors. These packets with weak IVs (called interesting packets) can be used for the Fluhrer-Mantin-Shamir attack on the key (described later in this chapter). Although Kismet doesn't crack the keys, it can save the interesting packets to a pcap file to feed to other programs. All in all, Kismet is the most complete free wardriving tool around. Figure 6-4 shows its main interface.
Figure 6-4. Kismet Displays Networks It Finds (The Networks with N in the W (WEP) Column Have No Encryption Configured)
Wellenreiter
Wellenreiter (available from http://www.wellenreiter.net) is a Perl-based wardriving tool for Linux or BSD. It integrates GPS data and has sound output. Wellenreiter is more graphically oriented than Kismet. It has the ability to save its status to a file, but it does not save packet dumps. Wellenreiter is primarily a tool for discovering networks. It does not save data for use in breaking WEP keys offline.
Figure 6-5 shows Wellenreiter's interface.
Figure 6-5. Wellenreiter Displays Networks, Channels, and APs
bsd-airtools
bsd-airtools is a set of utility tools for the FreeBSD operating system. It includes the following tools:
dstumbler is the wardriving component of bsd-airtools. It is modeled after Network Stumbler and has GPS capabilities.
prism2dump is a sniffing program for putting Prism2-based cards into promiscuous mode and displaying the packets.
bsd-airtools also has some tools for cracking and creating WEP keys. (They are described in the "WEP Key Recovery Attacks" section later in this chapter.) bsd-airtools is available from http://www.dachb0den.com/projects/bsd-airtools.html. It is also available on a bootable CD-ROM called WarBSD (http://www.warbsd.com), which eliminates the need for installation and configuration.
Note
Several distributions of Linux and the BSD UNIX variants are trimmed down to fit on a bootable CD-ROM. These distributions (known as live CDs) are valuable for security testing because they allow you to run a preinstalled operating system that is completely independent of what is on the hard drive. They run in memory and do not touch the hard drive. Live CDs also allow for rapid testing of tools without having to install an operating system or compile tools. Many of the tools in this chapter are available on bootable CD-ROM distributions such as WarBSD (http://www.warbsd.com) or WarLinux (http://sourceforge.net/projects/warlinux). Network administrators should be aware of how easy it is for their adversaries to run various wireless attack tools. Figure 6-6 shows what a user sees after booting with the WarBSD CD.
