Sunday, December 31, 2006

Wardriver

The sport of detecting and/or locating wireless LANs.
The ethics (and, in most places, the laws)
of wardriving dictate that the wireless LANs
thus found must not be used without
the owner's permission.

Wednesday, May 31, 2006

Wardriving Software

Some of you out there for one reason or another don't
want to use NetStumbler, MiniStumbler, Wellenreiter,
Kismet, or WarLinux. One good reason is that your
organization has a policy against the use of freeware
or open source software. That alone would preclude the
use of those programs. Other wardriving tools are
available to you, however. Some are free and some
are not. Here are a few examples:
There is something for every random out there on that list,
whether you run Windows XP, Windows CE, SunOS, Red Hat
Linux, FreeBSD, Mac OS, Zaurus, or a Pocket PC. Yoper,
from here, is an excellent flavour of Linux and works well
with most of the software tested.

Hacking Software

To do your job properly, you need a selection of freeware and commercial software. Fortunately, a multitude of freeware programs is available, so you don’t need a champagne budget, a beer budget should suffice. In fact, if you are prepared to run more than one operating system (see Multi-Boot Post), you can get by using only freeware tools.

Things Needed/Things to Google:
Partitioning or emulation software
Signal strength–testing software
Packet analyzer
Wardriving software
Password crackers
Packet injectors

Other Software Options

In addition to using the wireless-client, stumbling, and
network analysis software mentioned here, you have some
additional ways to search for wireless devices that don't
belong, i.e. some basic port-scanning and vulnerability
assessment tools can give you useful results.
Here is a quick list:

1 SuperScan
2 GFI LANguard
3 Nessus
4 NeWT
5 QualysGuard

These programs aren't wireless specific, but they may
be able to turn up wireless-device IP addresses and
other vulnerabilities that you wouldn't have been able
to discover otherwise.

Info on Vulnerabilities

~Finding more Information~
After you or your tools find suspected vulnerabilities, there are various wireless security vulnerability resources you can utilise to help find out more information on the issues you find. A good place to start is your wireless vendor’s Web site. Look in the Support or Knowledge base section of the Web site for known problems and available security patches. You can also peruse the following vulnerability databases for in-depth details on random vulnerabilities, how they can be exploited, and possible fixes:

1 US-CERT Vulnerability Notes Database
2 NIST ICAT Metabase
3 Common Vulnerabilities and Exposures

Another good way to get more information on specific security issues is to do a Google Groups search. Here you can often find other message boards and newsgroups where randoms like myself have posted problems and/or solutions about your particular issue/problem.

Network Security

The following are a few random progs to help monitor, log and protect your network, be it Wifi or not.

ActivePerl
Perl implementation for Windows. Needed to run Multi Router Traffic Grapher.

Look@LAN Network Monitor
See what's going on around your network and generate reports and graphs. Be alerted when servers or particular services appear or disappear.

Multi Router Traffic Grapher
MRTG uses SNMP to monitor the traffic on network links, then presents the data in the form of one or more graphs on a Web page. It can monitor any SNMP variables and - with the aid of external programs - other types of data.

ShareWatch
Convenient and lightweight tool to reveal what shares are present on your network and to disconnect users if necessary. Commit the Control+N shortcut to memory before selecting No Caption, Menu, and Toolbar mode, or you may never get the menu bar back.

SoftPerfect Network Scanner
Generates a list of network nodes, checks for shares (including those that are hidden) and open ports, and interrogates MAC addresses. Easily explores or maps discovered shares.

xCat IP Monitor
Provides a simple up/down status display for up to ten nodes on your LAN or on the Internet. The polling frequency is adjustable, but the same setting applies to all nodes.

HenWen
Snort with a Mac-style GUI to simplify configuration and use.

IDScenter
A Windows front-end for Snort. Brings the configuration and messages out into the open.

Snort
A widely used network intrusion detection and prevention system. Registered users can download new rules in between Snort releases.

LucidLink Wireless LAN Security
Manages access points to use 802.1x and WPA, and limits access to those computers running the included client. Limited to three users.

Network Sniffers

Most serious hackers and network auditors use the open-source operating system Linux as the platform from which they launch attacks and perform analysis. This section highlights some of the more popular tools, mostly Linux, that can be used to search out and hack wireless networks.

Airsnort
The home page for the free cracking application, AirSnort, plainly states, "AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys." AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. In even simpler terms, AirSnort is a program that listens to the wireless radio transmissions of a network and gathers them into a meaningful form. After enough time has passed (sometimes a matter of hours) and enough data has been gathered, analytical tools process the data until the network security is broken. At that point everything that crosses the network can be read in plain text.
The authors of this fully functional encryption-cracking tool have maintained from the first days of release that it would expose the true threats to WEP encryption. Jeremy Bruestle, one of the two lead programmers for the project, has truly recognized the inherent dangers of WEP. He stated in a 2001 interview, "It is not obvious to the layman or the average administrator how vulnerable 802.11b is to attack. It's too easy to trust WEP." AirSnort is not the only open source tool used for wireless cracking, but it was the first publicly recognized freeware to put the power of an intellectually skilled criminal into the hands of a neighbor who just got the cheapest deal from the local ISP.

WEPcrack
WEPcrack, developed at the same time as AirSnort, is another wireless network cracking tool. It too exploits the vulnerabilities in the RC4 algorithm on which the WEP security parameters are built. While WEPcrack is a complete cracking tool, it actually consists of three different hacking applications, all written in Perl. The first, WeakIVGen, allows a user to emulate the encryption output of 802.11 networks to weaken the secret key used to encrypt the network traffic. Prism getIV is the second application; it analyzes packets until it matches patterns to those known to reveal the secret key. Thirdly, the WEPcrack application pulls the two other data outputs together to decipher the network encryption.

KISMET
Kismet is an extremely useful tool that supports more of an intrusion detection approach to wireless security. However, Kismet can also be used to detect and analyze access points within range of the computer on which it is installed. Among many other things, the software will report the SSID of the access point, whether or not it is using WEP, which channels are being used, and the range of IP addresses employed. Other useful features of Kismet include de-cloaking of hidden wireless networks, and graphical mapping of networks using GPS integration.

Ethereal
Ethereal is a pre-production network capturing utility. Currently capable of identifying and analyzing 530 different network protocols, Ethereal can pose a substantial threat through the discovery and detection of any network communication. One of many network analyzers, this application arguably does the most comprehensive job of seeing and recognizing everything that goes by its sensor.

Airjack
Known as a packet injection/reception tool, Airjack is an 802.11 device driver that is designed to be used with a Prism network card (mainly Linux hardware). Other names include wlan-jack, essid-jack, monkey-jack, and kracker-jack. This tool was originally used as a development tool for wireless applications and drivers to capture, inject, or receive packets as they are transmitted. It's a fundamental tool used in DoS attacks and Man-in-the-Middle attacks. Its capabilities include being able to inject data packets into a network to wreak havoc on the connections between wireless nodes and their current access point. A common hacking use for this tool is to kick everyone off of an access point immediately, and keep them logged off for as long as you like. Without Layer-1, frame-level authentication on 802.11a/b/g networks, a computer running Airjack can passively assume the identity of an access point and, once inside the channel of communication between node and AP, begin sending disassociate or deauthenticate frames sequentially at a high rate. The users' network cards interpret these as coming from their AP, and they drop their connection.

HostAP
HostAP is really nothing more than a driver for Prism cards that lets them act as an access point in any environment. With multiple scanning, broadcasting, and management options, HostAP can lure disconnected clients into a connection with the HostAP user's computer and engage in whatever activities suit that situation. This is a very common tool with growing compatibility; it will be ubiquitous with any open source OS in the near future.

Dweputils
Dweputils is not one application but a set of applications that together comprise a larger threat to wireless networks of any character. Dweputils is a set of utilities that can completely inspect and lock down any WEP network. Dwepdump is a packet-gathering tool, which provides the ability to collect WEP-encrypted packets. Dwepcrack then gives you the power to deduce WEP keys with a variety of frequently employed techniques. Finally dwepkeygen, a 40-bit key generator, can create keys from a variable-length seed that aren't susceptible to the Tim Newsham 2^21 attack.

AirSnarf
AirSnarf is an access point spoofing tool based on the simplest way to dupe users into handing over their sensitive information to rogue hackers. Quite simply, this application mimics a legitimate access point. The method of attack comes down to recreating an identical logon web page that would normally be displayed by the AP. The user is bumped off the network and forced to re-login, or is caught before they log in the first time. The simple trick convinces them into voluntarily sending their login information to the hacker, who can then use it at their disposal. It is extremely simple yet effective.
All the details of the AP connection are legitimate to the unsuspecting user within their network configuration. They never realize this has happened in some cases as you then authenticate them to the network and allow them to pass through your computer.

NetStumbler
This is the primary tool available for Windows users to detect 802.11 networks. It does not have any cracking tools that are inherent in the software package but can be used in conjunction with numerous other tools to find and hack a wireless network. NetStumbler is perhaps the least dangerous application discussed here, but the first challenge of any hack is finding where and what you are hacking.

THC-RUT
Also referred to as the "aRe yoU There" network tool, THC-RUT combines detection, spoofing, masking, and cracking into the same tool. Many see it as the "first knife used on a foreign network", boasting brute-force all-in-one capabilities. Resources in the tool include spoofing Dynamic Host Configuration Protocol (DHCP), Reverse Address Resolution Protocol (RARP), and Bootstrap Protocol (BOOTP) requests.

Hotspotter
Hotspotter is another rogue access point tool that can mimic any access point, dupe users into connecting, and authenticate them with the hacker's tool. This, again, is done with a deauthenticate frame sent to an MS Windows XP user's computer that causes the victim's wireless connection to be switched to a non-preferred connection, AKA a rogue AP. This sort of trick is a passive approach that seeks to identify the probe frame sent by any Windows XP machine looking for its preferred network, which contains exploitable information.

ASLEAP
LEAP stands for Lightweight Extensible Authentication Protocol, which is intellectual property of Cisco Systems, Inc. This is a broadly used protocol for authentication on Cisco access points, and it has inherent weaknesses. ASLEAP is able to use hashing algorithms to mount brute-force attacks to recover passwords, and actively deauthenticates users from the AP, making them reauthenticate quickly to expedite the process of hacking. This is another tool in the arsenal of hackers with an ever-shrinking learning curve.

IKECrack
IKECrack is an open source IKE/IPSec authentication crack tool. It uses brute force dictionary based attacks searching for password and key combinations to Pre-Shared-Key (PSK) authentication networks. With repetitive attempts at authentication with random passphrases or keys this crack tool undermines the latest WiFi security protocol.

JiWire Hotspot Locator
Find Wi-Fi access points when travelling around Australia or overseas. Has its own database (updated periodically) so you don't need an Internet connection to find out where you can connect to the Internet.

iStumbler 95 - Mac OS X
Discovers Wi-Fi, Bluetooth and Bonjour services. Includes a widget to display signal strength history.

Cain & Abel
A pair of tools to recover various kinds of passwords stored on a PC or network. Does so by sniffing, performing dictionary, brute-force and cryptanalysis attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analysing routing protocols. Can also be used to record VoIP.

Random Tips For the Wardriver

~Random Wardriving Tips~

-Beginners waste many weekends wardriving their local neighborhoods or business districts. This is probing for low-hanging fruit, some say, and is a waste of valuable learning time. It's more to an individual's benefit to learn an assortment of wireless LAN penetration tools and work toward the goal of gaining useful information. Learning the correct application of tools and techniques (not to mention keeping up to date) takes time and hard work in a closed environment, but yields much in the way of information technology.

-The current demand for wireless-security professionals is staggering on an international level. Those who have taken the time to hone their skills in the use of available tools and the latest penetration techniques will be financially rewarded with a great career. I urge you to consider practicing, studying and reading random comments much like this from randoms like myself rather than driving around from neighborhood to neighborhood hoping to send an e-mail through someone’s cable modem. Decrypting fact from crap will become a natural tool.

-One of the tricks to getting noticed by potential customers: Commit to the notion of protecting their wireless LAN. Give them a quick demonstration of hacking tools. If they have (for example) a heavily loaded 802.11g network secured with WEP, cracking their WEP key should open their eyes very quickly. Keep in mind that these demonstrations should ALWAYS be done with the permission of a person in authority at the client organization (see post WiFi Hazards), and in a closed environment. Doing otherwise can lead to criminal prosecution, defamation of your organization, and a plethora of other undesirable results.

-Many hackers don't necessarily want to steal your information or crash your systems. They often just want to prove to themselves and their friends that they can break in. This creates a warm fuzzy feeling that makes them feel like they're contributing to society somehow, when in fact all they are doing is impressing themselves and their equally stupid friends. On the other hand, sometimes they attack simply to get under the administrator's skin. Sometimes they are seeking revenge. Hackers may want to use a system so they can attack other people's networks under disguise. Or maybe they're bored and just want to see what information is flying through the airwaves for the taking.

-The high-end uberhackers go where the money is, literally. These are the guys who break into online banks, e-commerce sites, and internal corporate databases for financial gain. What better way to break into these systems than through a vulnerable wireless network, making the real culprit harder to trace? One random AP or vulnerable wireless client is all it takes to get the ball rolling. However, just because you have gotten away with something does not mean you yourself have not been penetrated and tagged; no matter how good you are, there is always someone better (unless you are the smartest on the planet, but what are the odds?).

-You know what they say about secrets? Here’s a hint: It’s no secret. Have you ever lost a laptop? Have you ever lost an employee? In both cases, you should change all 3,000 keys. Otherwise someone can decrypt every message, because everybody is using the same key. And just how often do you really think administrators will change the keys?

-IEEE 802.11i defines the 'robust security network (RSN).' An access point that meets this standard will only allow RSN-capable devices to connect. RSN is the environment it seems we are evolving to because it provides the security services we require for a network.

-Basically, one can crack Wi-Fi Protected Access Pre-Shared Keys that use short passphrases based on words found in the dictionary (yes, randoms still do that). For WPA, certain short or dictionary based keys are easy to crack because an attacker can monitor a short transaction or force that transaction to occur and then perform the crack remotely. Check 'Network Sniffers' for WPA cracking tools.

Why 802.11 is Vulnerable

There are two main reasons that 802.11-based wireless systems
are vulnerable at the network level:

1 Inherent trust allows wireless systems to come and go as they please on the network. Practically everything about 802.11 is open by default, from authentication to cleartext communications to a dangerous lack of frame authentication. In addition to this equivalent of a 'Hack Me' sign, wireless networks don't have the same layer of physical security present in wired networks.

2 Common network issues that 802.11 has inherited from its wired siblings enable attackers to exploit network-based vulnerabilities easily, regardless of the transmission medium. The suspect activities allowed under 802.11 defaults include MAC-address spoofing, system scanning and enumeration, and packet sniffing, for openers. Okay, some of these random comments overlap material in previous posts, but the aim of this weblog is to give you the basis for a good overall assessment of your wireless systems at the most fundamental technical level: the network level.

Wardriving Counter-Measures

~~Random Wardriving Countermeasures~~

-Firstly..-
~Implement a reasonable and enforceable wireless security
policy that forbids unauthorized wireless devices, and
enforce it.

-Kismet-
~Kismet sees and records the Probe Request. So here is
your first countermeasure. Get yourself Kismet and look
for others probing your wireless network. Commercial
products like AiroPeek can help as well.

-Disabling probe responses-
~When a workstation starts, it listens for beacon
messages to find an access point in range to send
a beacon to. Even though the access point is sending
about 10 beacons a second, this is not always enough
to detect them because the workstation has to monitor
11 channels by going to each channel and waiting 0.1
seconds before moving to the next channel. Further,
when your authenticated access point’s signal starts
to weaken, your workstation needs to find another
access point. For this reason, the 802.11 standard
authors created the Probe Request. Your workstation
can send a Probe Request, which any access point in
range will respond to with a Probe Response. The
workstation quickly learns about all access points
in range. Now imagine that you’re not trying to
associate, but you’re just trying to find access
points in range, and you understand how NetStumbler
works. So, the countermeasure is quite obvious:
Turn off Probe Response on your access point.

-Increasing beacon broadcast intervals-
~The beacon interval is a fixed field in the management
frame. You can adjust the field to foil the fumbling
stumblers. If someone drives by your access point and
his or her device has to search all the channels and
land on each for 0.1 seconds, then again the
countermeasure is intuitive: Increase the beacon
broadcast interval. This increases the likelihood
that they won’t grab your beacon when driving by.
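The two countermeasures above (disabling probe responses and stretching the beacon interval) rest on one piece of arithmetic: a passive stumbler that parks on each channel for 0.1 seconds only sees your AP if a beacon happens to fall inside that window. The following is an added example, not code from the original post or from any of the tools it lists. It models exactly that, using the post's own figures (11 channels, 0.1 s dwell) and the 802.11 definition of the beacon interval field in Time Units (1 TU = 1024 microseconds, 100 TU being the usual default); it assumes beacons are never lost to collisions or range, which is the best case for the stumbler. It also computes the cost to your own users, since a legitimate client scanning passively has to wait a whole beacon period per channel to be sure of finding you.

```python
"""Passive-scan detection model for the beacon-interval countermeasure.

Added example (not from the original post). Uses the post's figures: a
stumbler dwelling 0.1 s per channel across 11 channels, and an AP sending
beacons at a fixed interval. Beacons are assumed never to be lost.
"""

TU_SECONDS = 1024e-6        # one 802.11 Time Unit (1024 microseconds)
DEFAULT_DWELL = 0.1         # seconds a stumbler waits on each channel (from the post)
CHANNELS = 11               # 2.4 GHz channels scanned (from the post)


def beacon_period(beacon_interval_tu: int) -> float:
    """Seconds between consecutive beacons for a given interval field value."""
    if beacon_interval_tu < 1:
        raise ValueError("beacon interval must be at least 1 TU")
    return beacon_interval_tu * TU_SECONDS


def passive_detection_probability(beacon_interval_tu: int,
                                  dwell_seconds: float = DEFAULT_DWELL) -> float:
    """Chance that one dwell on the AP's channel overlaps at least one beacon.

    The dwell window starts at a uniformly random phase of the beacon
    schedule, so P = dwell / period while the window is shorter than a
    period, and 1.0 once the window spans a whole period.
    """
    period = beacon_period(beacon_interval_tu)
    return min(1.0, dwell_seconds / period)


def expected_sweeps_to_detect(beacon_interval_tu: int,
                              dwell_seconds: float = DEFAULT_DWELL) -> float:
    """Mean number of full channel sweeps (drive-bys) a passive stumbler
    needs before it catches a beacon: geometric, so 1/P."""
    return 1.0 / passive_detection_probability(beacon_interval_tu, dwell_seconds)


def client_passive_scan_seconds(beacon_interval_tu: int,
                                channels: int = CHANNELS) -> float:
    """Cost to your own users: a legitimate client scanning passively must
    dwell a full beacon period on every channel to be sure of seeing the AP."""
    return channels * beacon_period(beacon_interval_tu)


def tradeoff_table(intervals=(50, 100, 300, 1000)):
    """Rows of (interval TU, P(detect per sweep), expected sweeps, client scan s)."""
    return [(tu,
             round(passive_detection_probability(tu), 4),
             round(expected_sweeps_to_detect(tu), 2),
             round(client_passive_scan_seconds(tu), 3))
            for tu in intervals]


if __name__ == "__main__":
    print("interval_TU  P(detect)  sweeps  client_scan_s")
    for row in tradeoff_table():
        print("{:>11}  {:>9}  {:>6}  {:>13}".format(*row))
```

At the default 100 TU the stumbler catches you on almost every pass; at 1000 TU it needs about ten drive-bys, but every one of your own laptops now takes over eleven seconds to find the AP by listening alone. Note that none of this helps against a stumbler that sends probe requests, because a probe response arrives on demand regardless of the beacon schedule; that is why the two countermeasures go together.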

-The HoneyPot, Fake'em Out-
~The term honeypot harkens back to childhood, Winnie
the Pooh and his love for honey. Perhaps you remember
how he found a pot of honey, put his head in, and got
stuck. Imagine this same concept applied to your
wireless network. You put an attractive system on
the network to draw hackers like a Pooh-bear
to honey. Invite the hackers in. While the hackers
are exploring the system, you watch them and try
to learn about them or their behavior. You can learn
about honeypots by clicking here.
It's really easy to set up a honeypot system. Install
some access point software on a computer and then
create directories with names like Payroll or anything
that may grab the 'hackers'' attention.

-Warning-
~Human nature suggests you might want to strike back
when you find someone attempting to breach your security.
This is not a good idea. You cannot fight back and you
might not want to anyway. Crackers often take over other
sites so you may harm an innocent party. If you have
evidence that someone is attempting to break in, contact
the Secret Service, the FBI, or your local law enforcement
agency.

-Turning The Tables-
~As we often see, security tools are double edged.
Hackers have used Fake AP against hotspots. The hacker
runs Fake AP on a laptop near a hotspot, say at a
Starbucks. The clients wanting to use the Starbucks
hotspot cannot discern the real access point from the
cacophony of signals. This results in a denial of service
to the hotspot’s clients.

-Default SSID-
~Don't turn on WEP and use a default SSID like linksys.
Scanning almost anywhere in the world will no doubt bring
up at least one system using the default SSID (i.e. linksys).
A program like Fake AP is useful for this purpose. If one
access point is good, then more is better. Black Alchemy
developed Fake Access Point, which generates thousands of
counterfeit 802.11b access points. Your real access point
can hide in plain sight amongst the flood of fake beacon
frames. As part of a honeypot or flying solo, Fake AP
confuses NetStumblers and others. Because stumblers cannot
easily determine the real AP, the theory is that they'll
move on to the real low-hanging fruit, your neighbors.
Fake AP runs on Linux and requires Perl 5.6 or later. If
you're not Linux-inclined and prefer the Windows platform,
you could use Honeyd-WIN32, which creates fake access
points and simulates multiple operating systems. And if
you have some change burning a hole in your wallet,
try KF Sensor.

-The NeverEnding Search-
~Searching for unauthorized systems is often a matter of
timing and luck. You may find nothing during some walkthroughs
and several unauthorized systems during others. If at first
you don't find anything suspicious, keep checking:
The unauthorized system could be temporarily powered
off at the time of your search.

-Wireless Intrusion Detection System-
~Use a full-fledged wireless intrusion-detection system
(WIDS) or network monitoring system that can find wireless
network anomalies, prevent bad things from happening, and
alert you in real time. Control access to authorized wireless
devices only by one or more of the following:
• MAC address
• SSID
• Communications channel used
• Hardware vendor type
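The four criteria just listed are an allow-list, and the Kismet tip earlier in this post is about watching for what does not belong. What follows is an added example, not code from the original post nor from Kismet, AiroPeek or any WIDS product. It takes a handful of constructed access-point observations and a constructed management-frame log (all MAC addresses, the small OUI table and the authorized inventory are made up for the example) and applies two checks: flag any AP whose BSSID, SSID, channel or vendor disagrees with the inventory, and flag any BSSID that is the target of a burst of deauthenticate/disassociate frames, which is what the Airjack-style tools described under 'Network Sniffers' leave behind.

```python
"""Minimal wireless-IDS checks over constructed data.

Added example, not from the original post or from any WIDS product.
Check 1: allow-list APs by BSSID, SSID, channel and vendor OUI.
Check 2: flag deauthentication floods against a BSSID.
The OUI table, inventory, observations and frame log are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Vendor lookup by OUI (first three bytes of the MAC). Constructed table;
# a real deployment would load the IEEE OUI registry instead.
OUI_VENDORS = {"00:40:96": "Cisco", "00:14:bf": "Linksys", "00:0f:66": "Linksys"}

# Inventory of authorized APs: BSSID -> (SSID, channel, vendor). Constructed.
AUTHORIZED = {
    "00:40:96:aa:bb:cc": ("corp-wlan", 6, "Cisco"),
    "00:40:96:aa:bb:dd": ("corp-wlan", 11, "Cisco"),
}


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int


def vendor_of(mac: str) -> str:
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def classify_ap(obs: Observation, authorized=AUTHORIZED) -> list:
    """Return the reasons an observed AP is suspicious; [] means authorized."""
    reasons = []
    bssid = obs.bssid.lower()
    known_ssids = {ssid for ssid, _, _ in authorized.values()}
    known_vendors = {vendor for _, _, vendor in authorized.values()}
    entry = authorized.get(bssid)
    if entry is None:
        reasons.append("unknown BSSID")
        if obs.ssid in known_ssids:   # our SSID from a radio we do not own
            reasons.append("our SSID advertised by an unknown BSSID")
        if vendor_of(bssid) not in known_vendors:
            reasons.append("vendor %s not in inventory" % vendor_of(bssid))
        return reasons
    ssid, channel, vendor = entry
    if obs.ssid != ssid:
        reasons.append("SSID %r, expected %r" % (obs.ssid, ssid))
    if obs.channel != channel:
        reasons.append("channel %d, expected %d" % (obs.channel, channel))
    if vendor_of(bssid) != vendor:
        reasons.append("vendor %s, expected %s" % (vendor_of(bssid), vendor))
    return reasons


def deauth_flood_alerts(frames, threshold=10, window=1.0) -> dict:
    """BSSID -> peak number of deauth/disassoc frames inside any sliding
    window of `window` seconds, for BSSIDs reaching `threshold`.
    frames: iterable of (timestamp_seconds, subtype, bssid)."""
    times_by_bssid = defaultdict(list)
    for ts, subtype, bssid in frames:
        if subtype in ("deauth", "disassoc"):
            times_by_bssid[bssid.lower()].append(ts)
    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


# Constructed observations: a legitimate AP, an unknown Linksys box
# advertising our SSID, our AP on the wrong channel, a default-SSID router.
SAMPLE_OBSERVATIONS = [
    Observation("00:40:96:aa:bb:cc", "corp-wlan", 6),
    Observation("00:14:bf:11:22:33", "corp-wlan", 6),
    Observation("00:40:96:aa:bb:cc", "corp-wlan", 11),
    Observation("00:0f:66:de:ad:01", "linksys", 1),
]

# Constructed frame log: twelve deauths at one AP within half a second
# (a flood), two routine ones at the other, and a beacon that is ignored.
SAMPLE_FRAMES = (
    [(10.0 + i * 0.04, "deauth", "00:40:96:aa:bb:cc") for i in range(12)]
    + [(10.2, "disassoc", "00:40:96:aa:bb:dd"), (40.0, "deauth", "00:40:96:aa:bb:dd")]
    + [(10.1, "beacon", "00:40:96:aa:bb:cc")]
)


def run_checks(observations=SAMPLE_OBSERVATIONS, frames=SAMPLE_FRAMES):
    rogue = {o: classify_ap(o) for o in observations if classify_ap(o)}
    return rogue, deauth_flood_alerts(frames)


if __name__ == "__main__":
    rogue, floods = run_checks()
    for obs, reasons in rogue.items():
        print("SUSPECT %s %r ch%d: %s" % (obs.bssid, obs.ssid, obs.channel, "; ".join(reasons)))
    for bssid, count in floods.items():
        print("DEAUTH FLOOD on %s: %d frames within 1 s" % (bssid, count))
```

The flood threshold is the knob to tune: a few deauthenticate frames a minute are normal when clients roam, so alert on the rate per BSSID rather than on the frame type alone. A rogue that spoofs one of your own BSSIDs will pass the first check on BSSID and vendor, which is why the channel and SSID comparisons are kept even for known addresses.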

Enhancing Network Throughput

Network throughput depends on a variety of factors and as such you never know what could be the bottleneck slowing your connection/transfers. One of the things we can try out is the network redirector reserves. Open the registry editor (regedit at the command prompt) and navigate to
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters].
Once here, click on the right panel and add the following DWORDs. DWORDs are in hexadecimal (the value shown below is 0x68, i.e. 104; valid values are 0-255). Keep both values the same. I think the default is 15 or 20. This may help network throughput but there is no guarantee; try it out.

"MaxCmds"=dword:00000068
"MaxThreads"=dword:00000068

WiFi Hazards

Hackers Beware
Crimes Amendment Bill 2003 Clause 19 deals with
'intentionally accessing a computer system without authorisation..'
say no more..

Sharers Beware
Security: If your network's open,
all your machines risk being compromised,
small businesses take heed..

Samaritans Beware
Never leave a message on someone else's PC
to the effect that you discovered their unsecured network..
(see hackers beware above)

Mr/Mrs Fix-It Beware
The bane of big companies, these folk innocently add
cheap WiFi gear to help out someone in their department,
not realising they may have compromised the entire
company's security. This I know too well.

Open-Network Beware
An open network is exactly that.. Open..
to whom ever wants to browse.

No peeking!
Reverse-engineering is explicitly permitted by many legal
frameworks but not by many EULAs (End-User Licence Agreements).
Intel forbids it outright, Napster insists you get permission
first, while Windows XP hides behind legalese and keeps a foot
in both camps by stating you can do so 'only to the extent that
such activity is expressly permitted by applicable law
notwithstanding this limitation'.

WiFi Passwords

Wireless equipment remembers its passwords, so there's nothing to type each time you connect. That means you can use really long random strings of characters that are impossible to crack. For a selection of perfect passwords see grc.com's password generator: each time you refresh, a new selection of 63- and 64-character passwords is generated. These are so-called maximum-entropy passwords, where any character has an equal likelihood of following any other character, making them unguessable and, if the string is long enough, unbreakable.
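Two passages in this post meet here: the tip under 'Random Wardriving Tips' that short dictionary WPA-PSK passphrases fall to an offline crack once a handshake has been observed, and the recommendation above for 63-character maximum-entropy strings. The reason both are true is the same, and the following added example shows it (this is not the post's code, nor grc.com's generator). WPA and WPA2 turn the passphrase and SSID into the 256-bit PSK with PBKDF2-HMAC-SHA1 at 4096 iterations, as specified in IEEE 802.11i; the SSID is the only salt, so a default SSID like linksys lets an attacker precompute keys for a whole dictionary in advance, and the PSK can be regenerated from any guessed passphrase without talking to your AP. The example generates a maximum-entropy passphrase from a 94-symbol printable-ASCII alphabet (the alphabet and lengths are choices made here, not anything the post specifies), scores how many bits of entropy a passphrase of a given shape carries, and derives the PSK, checked against the published IEEE 802.11i test vector.

```python
"""WPA-PSK passphrase strength and key derivation.

Added example, not from the original post or grc.com. Shows why long
random passphrases are strong and short dictionary ones are not: the
256-bit PSK is PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32) per IEEE
802.11i, so candidates can be tested offline with the SSID as the only
salt. The alphabet and example lengths are choices made for this example.
"""
import hashlib
import math
import secrets
import string

# WPA passphrases are 8 to 63 printable ASCII characters; a 64-character
# hex string is instead taken literally as the 256-bit PSK.
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate_passphrase(length: int = 63, alphabet: str = ALPHABET) -> str:
    """Maximum-entropy passphrase: each position is an independent uniform draw."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_hex_psk() -> str:
    """Raw 256-bit key as 64 hex digits, bypassing the passphrase step."""
    return secrets.token_hex(32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits(length: int, alphabet_size: int) -> float:
    """The derived PSK is 256 bits, so entropy beyond that buys nothing."""
    return min(256.0, entropy_bits(length, alphabet_size))


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def compare_strength():
    """Rows of (label, length, alphabet size, effective bits) for example shapes."""
    cases = [("8 lowercase letters", 8, 26),
             ("12 mixed case + digits", 12, 62),
             ("63 printable ASCII", 63, 94)]
    return [(label, n, a, round(effective_entropy_bits(n, a), 1))
            for label, n, a in cases]


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    print(generate_passphrase())
    for row in compare_strength():
        print("%-24s length %2d alphabet %2d -> %5.1f bits" % row)
```

An eight-letter lowercase passphrase carries under 38 bits even when it is random, and far less when it is a dictionary word; the 63-character string saturates the 256-bit PSK, which is the most any WPA passphrase can deliver. Changing the SSID away from a vendor default costs nothing and defeats precomputed tables, but it does not rescue a weak passphrase.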

Public 'Open' Networks

If you know the exact GPS coordinates of your building (easily found via Google Earth or NASA's World Wind; World Wind is far beta in my opinion), you can perform a detailed lookup in WiGLE's database to see whether any systems in your vicinity have been posted. If you don't mind sorting through entries by city, state, or Zip code, there are a couple of other excellent sites where you can check what you can find.

Virtual Private Networks

~Virtual Private Networking~

Your organization's network or home network can supplement
traffic with a virtual private network (VPN), a network
that is created using public wires to connect private nodes.
It's essentially a secure "tunnel" through the Internet;
its 'walls' are made of high-level encryption measures.
It's attractive because it normally means less investment
in hardware; many of us, in fact, are already using the
Internet to connect to office applications. But the
Internet is a very public network, and the public is
full of bad guys. I use this site for work and this client
for private, more temporary workings.

Multi-Boot

~Using software Emulators~
In a perfect world, all the tools available would work on the same operating system. But in the real world, that's not the case. Many great tools operate on operating systems that are incompatible with each other. Very few of us, of course, are conversant with multiple operating systems. Also, few have the money to support duplicate hardware and software.

Enter dual-boot or multi-boot workstations. You can use a product like PartitionMagic to set up partitions for the various operating systems. I used Mandrake for re-partitioning for what now seems too long; a random (codefoo) suggested I try Knoppix instead, and I haven't used Mandrake since. After you set up your partitions, you install the operating systems on the various partitions.

When everything’s installed, you can select the operating system you want to use when you boot the system. Say you’re using NetStumbler on Windows XP and you decide to use WEPcrack (which is available only on Linux) on the access points you just identified with NetStumbler. You shut down Windows XP, reboot your system, and select the Red Hat Linux operating system. When you want to use Windows XP again, you must do the reverse. This isn’t a bad solution, but flipping back and forth a lot eats up valuable time. And managing your partitions and trying to make the operating systems coexist on the same hardware can be challenging.

Enter software emulators. Software emulators allow you to emulate a guest operating system by running it on top of a host operating system. You can run Linux emulation on a Windows host, and vice versa. To emulate Windows or DOS on a Linux host, or Linux on a Windows host, you can choose one of the following:
Windows (guest on a Linux host)
- Bochs
- DOSEMU
- Plex86
- VMware
- WINE
- Win4Lin
Linux (guest on a Windows host)
- Cygwin
- VMware

Commandments

The Ten Wifi Commandments
These Commandments were not brought down from Mount Sinai, but thou shalt follow these commandments shouldst thou decide to become a believer in the doctrine of ethical hacking. The commandments are as follows:

1 - Thou shalt set thy goals.
2 - Thou shalt plan thy work, lest thou go off course.
3 - Thou shalt obtain permission.
4 - Thou shalt work ethically.
5 - Thou shalt work diligently.
6 - Thou shalt respect the privacy of others.
7 - Thou shalt do no harm.
8 - Thou shalt not covet thy neighbour's tools.
9 - Thou shalt use a scientific process.
10 - Thou shalt report all findings.

Admin Interview


Networking Help

~Some random links that have helped over the Years~

How to set up a Home Network