Hacking Wireless Networks (2015)
Part III
Advanced Wi-Fi
Hacks
Chapter 12
Network Attacks
In This Chapter
ᮣ Understanding the consequences of attacks on wireless systems at the network level
ᮣ Unmasking MAC address spoofing
ᮣ Unmanning man-in-the-middle attacks
ᮣ Reviewing known problems with SNMP
ᮣ Defining the Queensland protocol attack
ᮣ Examining the quirky network issues with network analyzers
ᮣ Exploring practical and cost-effective countermeasures Your computer systems and applications require one of the most fundamental communications systems in your organization — your network.
Although many organizations don’t completely rely on wireless networks for everything, others do. Either way, your wireless network likely depends on critical servers; you can’t afford to have them compromised via the network.
These computers, even if they’re an ancillary part of your overall network, are there for business reasons; damage them, damage the business. Therefore it’s important to understand just what can happen when network-based 802.11
vulnerabilities are exploited.
There are thousands of possible network-level vulnerabilities on your wireless systems — and seemingly just as many tools and testing techniques.
The key point to remember here is that you don’t need to test your wireless network for every possible vulnerability, using every tool available and technique imaginable. Instead, look for vulnerabilities that can have a swift and immediate impact on your systems.
Some of the hacks and associated tests we demonstrate in this chapter are specific to 802.11. Others are security weaknesses common to any network —
and those not only have a higher likelihood of being exploited, they can also have a high impact on your business.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 196
196 Part III: Advanced Wi-Fi Hacks
No, it’s not a Zip code
802.11 is a standard (in effect, a precise func-
set up according to the 802.11 standard have
tional definition) that describes how a network
certain characteristic weaknesses that bad-guy
can be accessed and controlled. The Institute
hackers use to get your network to give them
of Electrical and Electronics Engineers (IEEE)
(you guessed it) access and control. Ethical
establishes such standards and updates them,
hackers must test and fix those vulnerabilities;
but so far no standard is perfect. Networks this chapter describes them.
There are two main reasons that 802.11-based wireless systems are vulnerable at the network level:
ߜ Inherent trust allows wireless systems to come and go as they please on the network. Practically everything about 802.11 is open by default —
from authentication to cleartext communications to a dangerous lack of frame authentication. In addition to this equivalent of a “Hack Me” sign, wireless networks don’t have the same layer of physical security present in wired networks.
ߜ Common network issues that 802.11 has inherited from its wired siblings enable attackers to exploit network-based vulnerabilities easily, regardless of the transmission medium. The suspect activities allowed under 802.11 defaults include MAC-address spoofing, system scanning and enumeration, and packet sniffing. For openers.
Okay, some of the concepts in this chapter overlap material in other chapters in this book — and some of these vulnerabilities and tests could arguably be placed in other chapters that cover different categories of attacks. But our goal in this chapter is to give you the basis for a good overall assessment of your wireless systems at its most fundamental technical level — the network level.
What Can Happen
Network infrastructure vulnerabilities are the foundation for all technical security issues in your information systems. These lower-level vulnerabilities affect everything running on your network. That’s why you need to test for them and eliminate them whenever possible.
Network-level attacks against wireless systems are usually simple to execute —
but they have a high payoff. Though they may not be quite as disruptive as all-out denial-of-service (DoS) attacks, which we cover in Chapter 13, network-based attacks often lead to the compromise of wireless clients and APs —
wreaking havoc on your business.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 197
Chapter 12: Network Attacks
197
There’s always the possibility that the tests we outline in this chapter can cause your wireless (and wired) networks to slow to a crawl — or crash altogether —
so proceed with caution. If possible, perform your tests on non-production systems first — or perform them during times of non-peak network usage.
An important network test (covered in Chapter 7) is to see which systems are available and what security vulnerabilities are present on your wireless network. Previous chapters also harp (we think justly) on how important it is to keep your wireless network separate from your wired network. Unsecured wireless systems are about as safe as a screen door on a submarine.
When you know exactly what wireless systems are out there and where they’re located, there are specific tests you can perform to exploit various vulnerabilities at the network level. This involves assessing such areas as MAC-address controls, whether or not a virtual private network (VPN) is in use, whether cleartext (unencrypted) communications are going on, which protocols are present, and more.
By exploiting these vulnerabilities, attackers can cause bad things to happen on your wireless network — these, for example:
ߜ Attacking specific hosts by exploiting local vulnerabilities from across the network (which we cover in Chapter 7).
ߜ Using a network analyzer to steal confidential information in e-mails and files being transferred.
ߜ Gaining unauthorized access to your network.
Let’s jump right into things and see these little nightmares in action.
MAC-Address Spoofing
A common attack carried out by hackers to circumvent basic access controls in wireless networks is to masquerade as a legitimate host on the network.
They do it by spoofing (that is, faking and pretending to have) the identity of another system (which explains why this attack is sometimes referred to as a wireless identity-theft attack). Wireless NICs in clients, access points — basically any network device, wired or wireless — must have an identifier called a MAC
(media-access control) address. This address is a 48-bit (six byte) number assigned by the component’s manufacturer to make it unique. The idea is to identify the component (usually a specific network-interface card) to the host so switching, routing, and so on can happen without causing conflicts with other systems. No wonder someone who uses a fake address can make big trouble.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 198
198 Part III: Advanced Wi-Fi Hacks
False sense of security
A popular — and pretty weak — security mea-
network. Sounds good, sure — and we often
sure for wireless networks is to enable MAC
hear people saying, “I’ve enabled MAC address
address controls. This provides a form of AP
controls on my wireless network, so it’s pretty
authentication by allowing only clients with spe-
secure.” Well, actually, a hacker can circum-
cific MAC addresses to access the wireless
vent this security measure very easily.
The IEEE calls the 48-bit MAC address space “MAC-48” — as originally published in the IEEE Ethernet specification. The first 24 bits (three bytes) of a MAC address make up a number unique to each NIC manufacturer. For example 00:40:5e belongs to Philips, 00:40:96 belongs to Aironet (now Cisco), and so on. Although this vendor identifier is called the Organizationally Unique Identifier (OUI), 16,777,216 OUIs are possible — and a vendor can have more than one. Each vendor can use the final 24 bits (three bytes) of the MAC
address as desired, to create unique identifiers for all their cards (16,777,216
such identifiers are possible). The IEEE figures that all possible MAC
addresses won’t be exhausted any sooner than the year 2100.
You can look up the vendor ID of a specific MAC address at the following Web sites:
ߜ http://standards.ieee.org/regauth/oui/index.shtml
ߜ http://coffer.com/mac_find
Let’s take a look at how MAC addresses can be changed on different platforms — and then we show you how a spoofing attack is carried out.
Changing your MAC in Linux
In Linux, you can spoof MAC addresses by following these steps: 1. While logged in as root, disable the network interface so you can change the MAC address.
You do this by inserting the network-interface number that you want to disable (typically wlan0 or ath0) into the command, like this:
[root@localhost root]# ifconfig wlan0 down
19_597302_ch12.qxd 8/4/05 7:09 PM Page 199
Chapter 12: Network Attacks
199
2. Enter a command for the MAC address you want to use. Here’s how to insert the fake MAC address — and the network-interface number again — into the command:
[root@localhost root]# ifconfig wlan0 hw ether
01:23:45:67:89:ab
The following command also works in Linux:
[root@localhost root]# ip link set wlan0 address
01:23:45:67:89:ab
3. Bring the interface back up with this command:
[root@localhost root]# ifconfig wlan0 up
If you’ll be changing your Linux MAC address(es) often, you can use a more feature-rich utility called MAC Changer (www.alobbs.com/macchanger).
You can use the ifconfig utility in other flavors of UNIX as well. Refer to the ifconfig man pages for specific parameters for your version.
Tweaking your Windows settings
If your test system is running Windows 2000 or XP, you may have several options for changing your MAC address, depending on the wireless NIC you have (and on its driver).
The first option to try is to see whether you can change the address by resetting your NIC’s network properties. Here’s the drill:
1. Right-click My Network Places and then choose Properties.
A list of wireless NIC models appears.
2. Right-click the maker and model of your wireless NIC and then choose Properties again.
The Properties window appears.
3. Click Configure.
Another Properties window appears.
4. Click the Advanced tab.
If your wireless NIC will allow you to change its MAC address, you’ll have a Network Address (or MAC address) listed under Property.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 200
200 Part III: Advanced Wi-Fi Hacks
5. Click Network Address, click the radio button next to the Value field, and enter the 12-digit MAC address you want to use.
Figure 12-1 illustrates this procedure.
Figure 12-1:
Changing
the MAC
address in
a wireless
NIC’s driver
settings in
Windows.
If your wireless NIC doesn’t have the Network Address option, you can edit the Windows Registry to get the same result. Here’s how to make it happen: 1. At a Windows command prompt, enter ipconfig /all to view yourcurrent MAC address (as shown in Figure 12-2).
Figure 12-2:
Description
Viewing
your cur-
rent MAC
address in
Windows.
MAC address
19_597302_ch12.qxd 8/4/05 7:09 PM Page 201
Chapter 12: Network Attacks
201
2. Run regedt32 (not regedit) in Windows 2000, or regedit in Windows XP.
The Windows Registry opens, ready for editing.
3. Make a backup copy of the Windows Registry as it is now.
This is a safety measure in case something goes awry and you have to restore it to its previous state.
• If you’re using regedit in XP, select File➪Export.
• If you’re using regedt32 in 2000, select Registry➪Save Key.
4. Browse to the key and expand it.
Here’s the path to the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
5. Find the subkey for the NIC you want to modify:
a. Click through the various four-digit folders starting at 0000.
You’re looking for the device that has a DriverDesc value that matches the Description shown when you enter ipconfig /all at a command prompt.
b. When you find the appropriate folder, expand it.
6. Right-click in the right window pane of the folder you’ve found, and then choose New➪String Value.
A window appears, offering a place to enter a name for the folder.
7. Enter NetworkAddress for the name.
Rest assured that a black-hat hacker would enter something more devious.
8. Double-click the NetworkAddress key you just created, and then enter the new, 12-digit MAC address you’d like to use.
This new key is shown in Figure 12-3.
9. Exit the Registry editor (regedit or regedit32).
10. Right-click My Network Places, click Properties, and choose Disable/Enable for the NIC you modified.
You can do this by simply right-clicking the NIC in the listing and selecting Disable, and then right-clicking again and selecting Enable. You can also reboot Windows — and may have to, depending on whether Disable/Enable works — to activate the new MAC address.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 202
202 Part III: Advanced Wi-Fi Hacks
Figure 12-3:
Creating the
Network
Address
key in the
Windows
registry.
Network Address key
11. Verify that your change has taken place.
You do so by entering ipconfig /all at a Windows command prompt again, as shown in Figure 12-4.
Figure 12-4:
Viewing
your new
MAC
address in
Windows.
Because MAC address changes are not immediate in Windows, you can use a tool called DevCon by Microsoft — which is essentially a command-line version of the Device Manager utility for Windows 2000 and XP — to reset your
19_597302_ch12.qxd 8/4/05 7:09 PM Page 203
Chapter 12: Network Attacks
203
wireless NIC to make your Windows MAC-address changes immediate.
DevCon is available for download at
http://support.microsoft.com/default.aspx?scid=kb;en-us;311272
SMAC’ing your address
If your wireless NIC driver doesn’t allow MAC address changes as described in this chapter — or if you don’t like editing the Windows Registry manually to change your MAC address — there’s a neat and inexpensive tool you can use by KLC Consulting called SMAC (presumably short for S poof MAC) at www.klcconsulting.net/smac.
Follow these steps to use SMAC:
1. Load the program.
2. Select the adapter for which you want to change the MAC address.
3. Enter the new MAC address in the New Spoofed MAC Address fields and then click Update MAC.
4. Stop and restart the network card with these steps: a. Right-click the network card in Network and Dialup Connections.
b. Select Disable and then right-click again.
c. Click Enable to put the change into effect.
You may have to reboot for this to work properly.
5. Click Refresh in the SMAC interface.
You should see a screen similar to the one shown in Figure 12-5.
Figure 12-5:
SMAC
showing a
spoofed
MAC
address.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 204
204 Part III: Advanced Wi-Fi Hacks
KLC Consulting also has a command-line version of SMAC that can be integrated with Microsoft’s DevCon tool (mentioned earlier) for a complete solution to MAC address changes — and to resetting your hardware on the fly.
To reverse any of the MAC address changes shown here, simply reverse the steps performed and delete any data you created.
A walk down MAC-Spoofing Lane
So you’ve enabled MAC-address controls on your wireless network — but you’re curious: Just how effective are those controls? Unfortunately, not very.
Your wireless network is still vulnerable to unauthorized access, even though you’ve enabled MAC address filtering on your APs. Of course, if you don’t have WEP, WPA, or some other form of encrypted communications in place, anyone with a wireless network analyzer (such as CommView for WiFi or AiroPeek) will still be able to view unencrypted traffic — all they have to do is jump through a couple more hoops, and they’re in. By bypassing MAC
address controls and obtaining an IP address, they can easily become part of the network. Once this occurs, an attacker can gain full access to your airwaves — and anything’s fair game.
Come along with us, and we’ll show you how you can test your MAC-address controls — and demonstrate just how easy they are to circumvent. Here’s the procedure:
1. Find an AP to attach to.
That’s easy: Simply load NetStumbler, as shown in Figure 12-6.
Figure 12-6:
Finding an
acces-
sible AP
via Net-
Stumbler.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 205
Chapter 12: Network Attacks
205
You could skip Step 1 and just look for Probe Requests, but it’s always good to make certain you’re working with your wireless systems and not messing around with your neighbors’ stuff. Instead of waiting to look for Probe Requests to get a valid MAC address, you could send out a Deauthentication frame to the broadcast address. This would force any wireless client within range to reauthenticate and reassociate to the AP
revealing their MAC addresses in the process. You have to be careful doing this though so as not to disturb your neighbors’ systems. We cover deauthentication and disassociation in Chapter 13.
In our “test” organization, shown in Figure 12-6, we know that the AP
with an SSID of doh! is a valid one to test because that’s the SSID we use on our network. Take note of the MAC address of this AP as well. Doing so helps you make sure you’re looking at the right packets in the steps that follow. Although we’ve “hidden” most of the MAC address of this AP for the sake of privacy, let’s just say that the MAC address you’re looking for here is 00:40:96:FF:FF:FF. Also notice in Figure 12-6 that NetStumbler was able to determine the IP address of the AP. Getting an IP address helps us confirm that we’re on the right wireless network.
One simple way to determine whether an AP has MAC-address controls enabled is to try to associate with it so you can obtain an IP address via DHCP. If you can get an IP address, then the AP doesn’t have MAC-address controls enabled. Now, for security’s sake and if you so desire, take a few minutes to go turn on MAC-address controls on your AP(s) — you can come back and run this test again to verify that you cannot obtain an address via DHCP.
2. Using a wireless network analyzer, look for a wireless client sending a probe request packet to the broadcast address — or for the AP replying with a probe response.
You can set up a filter in your analyzer to look for such frames, or simply capture packets and browse through them, looking for your AP’s MAC
address as noted earlier. Figure 12-7 shows what the Probe Request and Probe Response packets look like.
Note the wireless client (again, for privacy, let’s say its full MAC is 00:09:5B:FF:FF:FF) first sends out a Probe Request to the broadcast address (FF:FF:FF:FF:FF:FF) in packet number 98. The AP with the MAC address we’re looking for replies with a Probe Response to 00:09:5B:FF:FF:FF that confirms this is indeed a wireless client on the network for which we’ll be testing MAC-address controls.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 206
206 Part III: Advanced Wi-Fi Hacks
Figure 12-7:
Looking for
the MAC
address of a
wireless
client on the
network
being
tested.
3. Change your test computer’s MAC address to that of the wireless client’s MAC address (the one you found in Step 2 of these instructions).
You can verify your new MAC address as shown by running ipconfig
/all at a Windows command prompt, as shown in Figure 12-8.
Figure 12-8:
Verifying
your new,
spoofed
MAC
address in
Windows.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 207
Chapter 12: Network Attacks
207
Note that APs, routers, switches, and the like should be able to detect when more than one system is using the same MAC address on the network (yours and the client that you’re spoofing). You may have to wait until that other system is no longer on the network or send a Deauthenticate packet to knock it off as shown in Chapter 13. However, we’ve seen very few quirky issues emerge from spoofing a MAC address in this way, so you may not have to do anything at all — it’s likely to work without any problems.
4. Ensure your wireless NIC is configured for the appropriate SSID. For this example, we’ll set the SSID to doh! (as shown in the Netgear Smart Wizard utility in Figure 12-9).
Figure 12-9:
Ensuring
that your
SSID is
correctly
set.
Even if your network is running WEP, as is the case here, you can still test your MAC address controls. You’ll just need to enter your WEP
key(s) before you can connect.
5. Obtain an IP address on the network.
You can do this by rebooting, or disabling/enabling your wireless NIC.
However, you can do it manually as shown by running ipconfig
/renew.
Because we know the IP addressing scheme of the wireless network in this example (10.11.12. x), we could also manually set our IP address and get on the network.
6. Confirm that you’re on the network by pinging another host or browsing the Internet.
You can do this by pinging the AP (10.11.12.154) or by simply loading your favorite Web browser and browsing to your favorite site.
That’s all there is to it! You’ve circumvented your wireless network’s MAC-address controls in six simple steps. We told you it was easy.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 208
208 Part III: Advanced Wi-Fi Hacks
Who’s that Man in the Middle?
Man-in-the-middle attacks — referred to as MITM or monkey-in-the-middle attacks (taken from a popular MITM tool called monkey_jack) — are network-level attacks whereby the attacker (the monkey) inserts his system in between a wireless client and an AP, as shown in Figure 12-10.
AP
Figure 12-10:
Man-in-
Attacker system becomes
“man-in-the-middle”
the-middle
attack.
Victim system
These attacks are slightly more theoretical (less practical) and definitely more difficult to carry out than other network attacks. However, once an attacker has inserted himself as the man-in-the-middle, he can do it again —
and do various unpleasant things, including
ߜ Capture data
ߜ Inject new packets into the data stream
ߜ Manipulate encryption mechanisms in IPsec, SSL, SSH, and so on 19_597302_ch12.qxd 8/4/05 7:09 PM Page 209
Chapter 12: Network Attacks
209
ߜ Delay wireless communications
ߜ Deny wireless communications
ߜ Redirect traffic to a malicious application
The attacker can exploit MITM vulnerabilities in standard unencrypted wireless sessions as well as 802.1x EAP and PEAP sessions. It’s even possible for an attacker to perform MITM attacks that exploit management packets —
even when the wireless victims are running WEP or WPA.
Wireless hackers can exploit MITM vulnerabilities regardless of whether the communication is encrypted.
These attacks can happen in various ways such as
ߜ ARP poisoning: This manipulates OS, router, and switch ARP tables so an attacker can spoof a victim’s MAC address.
ߜ Port stealing: Here an attacker can spoof packets by setting the source address to his victim’s address and the destination address to his own address. In effect, the hacker takes control of his victim’s traffic.
There are various tools that hackers can use to create MITM attacks. The most popular MITM tools are open-source tools for the UNIX/Linux and Windows platforms (in the case of Ettercap).
ߜ Airjack suite (http://sourceforge.net/projects/airjack), which includes monkey_jack for automated wireless MITM attacks.
ߜ dsniff (www.monkey.org/~dugsong/dsniff)
ߜ Arpmim (http://packetstorm.linuxsecurity.com/groups/teso/
arpmim-0.2.tar.gz)
ߜ Ettercap (http://sourceforge.net/projects/ettercap/)
You can, of course, use these same utilities to test your wireless systems in an ethical-hacking fashion — but again, be careful.
Performing MITM attacks against your wireless network can be hazardous to your network’s health. If one of those goes awry, it can redirect traffic, disconnect clients, and even create denial-of-service conditions. Proceed with caution.
Management-frame attacks
The first type of wireless MITM attack is an attack against various 802.11
management frames. As we’ve discussed in other chapters, 802.11 specifies 19_597302_ch12.qxd 8/4/05 7:09 PM Page 210
210 Part III: Advanced Wi-Fi Hacks
no inherent authentication of management frames — and MAC addresses are simple to spoof — which makes this a popular wireless attack.
A MITM attack that exploits 802.11 management-frame vulnerabilities can be executed via the following steps:
1. The attacker finds a wireless client that’s associated and communicating with an AP — and gathers the client’s RF channel and MAC address information.
2. The attacker sends a Deauthenticate or Disassociate frame to the client system, forcing it to disconnect from the AP.
3. The attacker then enables a fake AP — posing as the original AP, using the same SSID and MAC address, with the only difference being that his system has to run on a different wireless channel — let’s say channel 1
instead of channel 6.
4. The client system automatically tries to reauthenticate and associate itself with the original AP — only this time the odds are good that it will connect to the attacker’s rogue system instead.
5. The attacker’s system then connects to the original AP so all client traffic is forwarded to the victim’s system — and the victim’s traffic is forwarded to the rogue system.
The attacker has successfully inserted his system into the middle of the client-to-AP communications stream — and achieved “man-in-the-middle”
status.
The monkey_jack utility can perform this type of wireless MITM attack. If you have the AirJack suite downloaded and compiled on a Linux-based system, the following parameters can be used to run the program:
# ./monkey_jack –h
Monkey Jack: Wireless 802.11(b) MITM proof of concept.
Usage: ./monkey_jack -b <bssid> -v <victim mac> -C <channel number> [ -c
<channel number> ] [ -i <interface name> ] [ -I <interface name> ]
[ -e <essid> ]
-a: number of disassociation frames to send (defaults to 7)
-t: number of deauthentication frames to send (defaults
to 0)
-b: bssid, the mac address of the access point (e.g.
00:de:ad:be:ef:00)
-v: victim mac address.
-c: channel number (1-14) that the access point is on,
defaults to current.
-C: channel number (1-14) that we’re going to move them to.
-i: the name of the AirJack interface to use (defaults to aj0).
-I: the name of the interface to use (defaults to eth1).
-e: the essid of the AP.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 211
Chapter 12: Network Attacks
211
Now you know the parameters it requires, here’s an example. We’ll use monkey_jack to insert our system (using ports aj0 and eth0) between the wireless client 00:09:5B:FF:FF:FF and the AP 00:40:96:FF:FF:FF
with an SSID of doh!. We’ll also force it from wireless channel 6 to channel 1, and use the defaults for all other parameters. Here we go:
# ./monkey_jack –b 00:40:96:FF:FF:FF –v 00:09:5b:FF:FF:FF –C 6 –c 1 –I eth0 –e
“doh!”
So there you have it — assuming you received no errors during the execution of the command shown here, you’re now officially the man-in-the middle.
ARP-poisoning attacks
Attackers can exploit ARP (Address Resolution Protocol) if it’s running on your network. The aim is to make their systems appear to be authorized hosts on your network. What happens with this attack is that a client running a program such as dsniff or Ettercap can change the ARP tables — the tables that store IP addresses to MAC-address mappings — on network hosts.
This causes the victim computers to think they need to send traffic to the attacker’s computer (rather than to the true destination computer) when communicating on the network.
This security vulnerability is inherent in how ARP communications are handled. Compounding the problem is the fact that wireless networks use a shared medium that makes this type of attack even easier.
Walking through a typical ARP attack
Here’s a typical ARP spoofing attack with a hacker’s computer (Hacky), a legitimate wireless user’s computer (Waveboy), and the AP (Commander): 1. Hacky poisons the ARP cache of victims Waveboy and Commander by using dsniff, ettercap, or a similar utility.
2. Waveboy associates Hacky’s MAC address with Commander’s IP address.
3. Commander associates Hacky’s MAC address with Waveboy’s IP address.
4. Waveboy’s traffic and Commander’s traffic are sent to Hacky’s IP address first.
5. Hacky loads a network analyzer and captures all traffic between Waveboy and Commander. If Hacky is configured to act like a router and forward packets, it forwards the traffic to its original destination, and the original sender and receiver never know the difference!
MITM attacks that exploit ARP spoofing vulnerabilities are slightly more difficult but are still a threat. This type of attack takes advantage of the fact that ARP packets — just like 802.11 management frames — do not require any type of authentication and are easily spoofed.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 212
212 Part III: Advanced Wi-Fi Hacks
An attacker can also execute a nifty traffic-redirection attack by using his own system as the end point. This ends up redirecting all traffic originally destined for the victim’s system to the attacker’s system instead. This process is depicted in Figure 12-11.
Using Ettercap
The Ettercap program can perform this type of wireless MITM attack. The following screen captures of Ettercap NG for Windows show the options for executing MITM attacks from a nice GUI interface.
1. Load Ettercap NG and choose Unified sniffing from the Sniff menu.
2. Select the NIC you want to use from the drop-down list, as shown in Figure 12-12.
3. After the program loads, choose the type of attack you want to execute from the MITM menu, as shown in Figure 12-13.
In our example here, you’d select Arp poisoning.
4. Traffic now destined from
the network backbone to
Joe’s system is no longer
3. AP2 sends updated MAC
sent to AP1...
address info to the network
routers and switches, which
Network backbone
in turn update their routing
and switching tables.
5. ...but, instead,
sent to AP2.
AP2
AP1
1. Normal flow of
wireless traffic
2. Attacker spoofs
the MAC address of
Joe’s wireless laptop
and attempts to
authenticate to AP2.
Figure 12-11:
Flow of a
traffic
redirection
attack.
Attacker system
Joe’s wireless laptop
19_597302_ch12.qxd 8/4/05 7:09 PM Page 213
Chapter 12: Network Attacks
213
Figure 12-12:
Selecting
a NIC for
Ettercap
NG to use.
Figure 12-13:
Selecting
the MITM
attack of
your choice
in Ettercap
NG.
Again, note how simple it is to achieve a MITM attack. At this point, you can use Ettercap NG and your favorite network analyzer to capture your victim system’s data — or launch other attacks of the type mentioned in this section.
SNMP: That’s Why They Call It Simple
Simple Network Management Protocol (SNMP) is a protocol built in to virtually every network infrastructure device — both wireless and wired. Everything from switches to routers to servers to APs can be managed via SNMP. There
19_597302_ch12.qxd 8/4/05 7:09 PM Page 214
214 Part III: Advanced Wi-Fi Hacks
are various network-management programs such as HP OpenView (www.
managementsoftware.hp.com), LANDesk (www.landesk.com), and Silverback Technologies (www.silverbacktech.com) that use SNMP for remote network-host management. Their capabilities are especially helpful in wireless networks when you’re trying to manage what’s happening on your airwaves.
Unfortunately, they all depend on SNMP — which presents various security vulnerabilities.
The problem is that most wireless APs run SNMP as is — not locked down from the elements. In fact, most APs have SNMP enabled when it doesn’t need to be. If SNMP is compromised, a hacker can gather network information and use it to attack your systems. If a hacker is trying to attack your wireless network and SNMP shows up in her port scans, you can bet she’ll try to compromise the system.
Figure 12-14 shows how GFI LANguard Network Security Scanner was able not only to detect that SNMP is enabled on a Cisco Aironet AP but also to glean some basic information from it.
In Figure 12-15, the QualysGuard vulnerability-assessment tool discovered that this same AP has writeable SNMP information due to an insecure SNMP
community name. This could be especially bad if you’re trying to manage such an AP and an attacker is able to modify its settings!
If you want to perform a quick-and-dirty test to see whether SNMP is running on a host, perform a port scan and look to see if UDP port 161 is open. If it is, then SNMP is alive and well — and vulnerable — on the host system.
Figure 12-14:
LANguard
Network
Security
Scanner
discovered
SNMP
information.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 215
Chapter 12: Network Attacks
215
Figure 12-15:
Qualys-
Guard
discovered
that SNMP
information
is writable.
Various other utilities — both Windows- and UNIX/Linux-based — can enumerate SNMP on APs and other wireless hosts:
ߜ Windows GUI-based Getif (www.wtcs.org/snmp4tpc/getif.htm) ߜ Windows text-based SNMPUTIL (www.wtcs.org/snmp4tpc/FILES/
Tools/SNMPUTIL/SNMPUTIL.zip)
ߜ UCD-SNMP (www.ece.ucdavis.edu/ucd-snmp)
If you have APs with default SNMP enabled on your wireless network, the best-case scenario is that an attacker will be able to enumerate those systems and glean AP information such as system uptime, hardware model number, and firmware revision as shown in Figure 12-16. And that’s a best case.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 216
216 Part III: Advanced Wi-Fi Hacks
Figure 12-16:
General
SNMP
information
gather using
getif.
An attacker can use getif or similar tool to glean information such as MAC
addresses that have associated with the AP — and even snag AP usernames for HTTP management, as shown in Figure 12-17.
This information is certainly not what you need to be advertising to the outside world. But you knew that. What you may not have known is that it’s already out there.
The worst-case scenario is that you’ll have one or more APs running a seriously vulnerable implementation of SNMP version 1 that can lead to DoS
attacks, unauthorized access, and more. For a list of vendors and products that are affected by the well-known SNMP vulnerabilities, check out www.
cert.org/advisories/CA-2002-03.html.
Figure 12-17:
HTTP user
IDs gleaned
via getif’s
SNMP
browsing
function.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 217
Chapter 12: Network Attacks
217
All Hail the Queensland Attack
A relatively new attack against the 802.11 protocol showed up Down Under in May 2004, discovered by researchers at Queensland University of Technology’s Information Security Research Centre (www.kb.cert.org/vuls/id/106678) in Australia. This attack, initially referred to as the Clear Channel Assessment attack, affects the Direct Sequence Spread Spectrum function that works as part of 802.11’s Carrier-Sense Multiple Access/Collision Avoidance (CSMA/CA) protocol that manages the wireless communications medium. This attack is often called the Queensland Attack — crediting the researchers who discovered it.
Wireless systems (clients, APs, and so on) use CSMA/CA to determine whether or not the wireless medium is ready and the system can transmit data. The Queensland attack exploits the Clear Channel Assessment (CCA) function within CSMA/CA and basically makes it appear that the airwaves are busy — effectively preventing any other wireless system from transmitting.
This denial of service is accomplished by placing a wireless NIC in continuous transmit mode.
With the right tool, the Queensland Attack is relatively simple to execute. It can wreak havoc on a wireless network, effectively bringing it to its knees.
There’s very little that can be done about it, especially if the attacker’s signal is more powerful than that of your wireless systems. That’s no problem for hackers equipped with a high-powered wireless NIC combined with a high-gain antenna (see Chapter 13 for more information). Combine an easily overpowered network with the fact that 802.11 systems use a shared medium to communicate, and you have the makings of a very effective attack.
All it takes for an attacker to run such an attack against your wireless systems is to run an old Prism chipset-testing program called Prism Test Utility (PrismTestUtil322.exe). This program was previously available for public download on Intersil’s Web site — and it’s still easy to find elsewhere with a basic Internet search, so it’s probably not going away any time soon. This attack can just as easily be carried with other hardware tweaking as well.
Although the Queensland Attack exploits an 802.11 protocol issue, it could just as easily be considered a DoS attack, given its outcome (big-time denial of service). Refer to Chapter 13 for an in-depth look at various wireless DoS
attacks.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 218
218 Part III: Advanced Wi-Fi Hacks
Sniffing for Network Problems
As we’ve demonstrated in various other chapters in this book, a wireless network analyzer (sniffer) is a tool that allows you to look into the network and analyze data going across the airwaves for network optimization, security, and/or troubleshooting purposes. Like a microscope for a lab scientist, a wireless network analyzer is a must-have tool for any security professional performing ethical hacks against wireless networks.
A network analyzer is just software running on a computer with a network card. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined to the network analyzer host. The network analyzer performs the following functions:
ߜ Captures all network traffic
ߜ Interprets or decodes what is found into a human-readable format ߜ Displays it all in chronological order
There are literally dozens of neat uses of a wireless sniffer beyond capturing cleartext communications and searching for SSIDs. Such a program can help with:
ߜ Viewing anomalous network traffic and even tracking down intruders.
ߜ Developing a baseline of network activity and performance before a security incident occurs.
The next section outlines specific network information to look for.
Network-analysis programs
You can use one of the following programs for network analysis: ߜ AiroPeek and AiroPeek NX by WildPackets (www.wildpackets.com): It delivers a ton of features that the higher-end network analyzers of yes-terday have — for a fraction of their cost. AiroPeek is available for the Windows operating system.
ߜ CommView for WiFi (www.tamos.com/products/commwifi): Again, very feature-rich, especially given its low price. It also includes a packet generator that can really come in handy. See Chapter 13 for more details on using this feature of CommView for WiFi. CommView for WiFi is available for the Windows operating system.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 219
Chapter 12: Network Attacks
219
ߜ AirMagnet Laptop Analyzer (www.airmagnet.com/products/laptop.
htm): This program is great for wireless security testing as well. It has a great user interface and is very easy to use. AirMagnet Laptop Analyzer is available for the Windows operating system.
ߜ AirDefense Mobile (www.airdefense.net/products/admobile): Similar to each of the programs in this list, AirDefense Mobile offers a wide range of features, all within an easy-to-use GUI interface. AirDefense Mobile is available for the Windows operating system.
ߜ Ethereal (www.ethereal.org): Ethereal is a great open-source (free) program, especially if you need a quick fix and don’t have your test system nearby. It’s not as user-friendly as many other programs, but it is very powerful if you’re willing to learn its ins and outs. Ethereal is available for both Windows- and UNIX-based operating systems.
A slew of other wireless network analyzers are available as well, including Kismet, many of which we cover in other chapters. A general rule of thumb is that you get what you pay for. Don’t worry about whether you’re using the right network analyzer. The right network analyzer is the one that works best for you — the one that feels the most comfortable and the one that does what you need it to do — after you’ve done some careful experimenting.
Network analyzer tips
Before getting started, configure your network analyzer to capture and store the most relevant data. If your network analyzer permits it, configure your network analyzer software to use a first-in, first-out buffer. This overwrites the oldest data when the buffer fills up, but it may be your only option if memory and hard-drive space are limited on your network-analysis computer.
Also, if your network analyzer permits it, record all the traffic into a capture file and save it to the hard drive. This is the ideal scenario — especially if you have a large hard drive (50GB or bigger).
You can easily fill a several-gigabyte hard drive in next to no time, so don’t capture all packets unless absolutely necessary.
Often the most practical way to use a network analyzer is to just let it run in monitor mode if your analyzer supports it — capturing overall statistics of the network (SSIDs, channels used, active nodes, protocols seen, and so on) without capturing every single packet. You can often glean enough information from a network analyzer’s monitor mode to look for security weaknesses. Just keep in mind that you may need to let your network analyzer run for quite a while — from a few minutes to a few days — depending on what you’re looking for.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 220
220 Part III: Advanced Wi-Fi Hacks
Weird stuff to look for
A network analyzer is one of the best security tools you can own. It’s amazing what you can find on your network that you wouldn’t know about otherwise (and really need to know about). The following list sums up various types of traffic and trends you can look for to help you find security vulnerabilities in your wireless network.
ߜ Protocols in use:
• Non-standard or unsupported traffic such as instant messaging, POP3 e-mail, FTP, and telnet.
• ICMP packets — especially in large numbers — which could indicate potential ping sweeps for the start of system enumeration.
ߜ Usage trends:
• What are your peak wireless network usage times?
• Are you seeing heavy traffic during off peak hours?
• Internet usage habits can help point out malicious behavior of a rogue insider or a system that has been compromised.
AirMagnet Laptop Analyzer’s Channel monitor (as shown in Figure 12-18) is great for observing wireless trends over time.
Figure 12-18:
AirMagnet
Laptop
Analyzer’s
Channel
view
showing
graphical
usage
trends.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 221
Chapter 12: Network Attacks
221
ߜ MAC addresses:
• Do you know which MAC addresses belong on your network?
• Look for odd, default, and duplicate MAC addresses.
If you spot an odd MAC address and have CommView for WiFi, you can perform a quick lookup using the built-in NIC Vendor Identifier available from the Tools menu as shown in Figure 12-19.
Figure 12-19:
CommView
for WiFi’s
NIC Vendor
Identifier.
This comes in handy if you know you only use a certain vendor’s NICs —
and spot an odd one on your network.
CommView for WiFi’s NIC Vendor Identifier utility is especially useful if you don’t have access to the Internet to perform a lookup because your wireless-security programs have control of your wireless NIC.
ߜ Network errors and anomalies:
• CRC errors
• WEP errors
• Excessive amounts of oversized packets
• Excessive amounts of multicast or broadcast traffic
• Excessive DHCP requests
• Excessive retries
Discovering these types of network issues is made simple by AiroPeek’s Summary page, as shown in Figure 12-20.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 222
222 Part III: Advanced Wi-Fi Hacks
Figure 12-20:
AiroPeek’s
summary
page can
point out
various
network
errors.
Network Attack Countermeasures
There are various countermeasures you can put in place to defend against many of the network-level attacks we’ve outlined in this chapter.
Like with all other wireless-network countermeasures, never assume that the lower layers of your wireless network (Physical Layer 1 and MAC Layer 2) are secure just because you have high-layer security mechanisms in place (such as firewalls and authentication systems).
The following are effective countermeasures against wireless-network attacks:
ߜ Enable WEP, WPA, or use a VPN to protect wireless communications.
ߜ Disable SNMP if you are using it to manage your network.
ߜ Change your SNMP community string if you do use it.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 223
Chapter 12: Network Attacks
223
ߜ Disable other protocols and services you don’t need on your wireless infrastructure systems (such as ICMP, telnet, and HTTP).
ߜ Segment your wireless systems away from your wired network —
preferably in a DMZ off your perimeter firewall.
ߜ Utilize switch-based port security to ward off ARP attacks.
ߜ Use the directional antennae and AP power settings where possible to help keep your signals out of unfriendly airwaves.
ߜ Use a wireless IDS/IPS system to monitor your airwaves and ward off network attacks.
19_597302_ch12.qxd 8/4/05 7:09 PM Page 224
224 Part III: Advanced Wi-Fi Hacks
20_597302_ch13.qxd 8/4/05 7:06 PM Page 225