Wireless Hacking Resources - Appendixes- Hacking Wireless Networks (2015)


Part V


27_597302_pt05.qxd 8/4/05 7:07 PM Page 326

In this part . . .

We feel that this book is just the start of your journey. If you want to hone your proficiency in ethical hacking, then you’ll need to use this book as a launch pad — and keep up with the field over the longer term.

By the time this book comes to press, for example, it’s a good bet someone will have released the next big cracker tool. You’ll need to come up with a means of keeping abreast of the latest technology and tools.

To this end, we thought you would benefit from some links to organizations that specialize in wireless standards and some references to wireless user groups (WUGs). Find a group in your neighborhood and get involved. And, should you not know all the intricacies of wireless geek-speak, we have provided a list of acronyms and initialisms.


Appendix A

Wireless Hacking Resources

In This Appendix

• Making contact with wireless organizations
• Finding local wireless user groups
• Shopping for wireless tools

Wireless networking is evolving extremely fast. To keep your company and yourself current, you will need to keep up to date on developing standards and tools. This book gets you started, but learning is a life-long experience. We have listed some organizations and tools to help.


We covered a lot about wireless and ethical hacking in this book. You may want to find out how knowledgeable you now are. The best way to do that is to take a certification test. Following are two organizations that certify individuals on this material.

• Certified Ethical Hacker: www.eccouncil.org/CEH.htm
• Certified Wireless Network Professional Program: www.cwnp.com

General Resources

The Internet is a valuable resource. However, using it is like trying to get a sip of water from a fire hose, so you need to dampen the flow of information. We have found that the following sites provide useful information on wireless on a recurring basis. They also have free subscription mailing lists.

• SearchMobileComputing.com: www.searchmobilecomputing.com
• SearchNetworking.com: www.searchnetworking.com
• SearchSecurity.com: www.searchsecurity.com


Hacker Stuff

Sun Tzu in the “Art of War” writes that you must understand your enemy to defeat your enemy. Learning about your enemy is a good tactic. When you can put yourself in the mindset of your enemy then you can truly understand your enemy. There are many good “hacker” sites available to you. Following are several sites that will help you understand crackers.

• 2600 — The Hacker Quarterly magazine: www.2600.com
• Computer Underground Digest: www.soci.niu.edu/~cudigest
• Hacker t-shirts, equipment, and other trinkets: www.thinkgeek.com
• Honeypots: Tracking Hackers: www.tracking-hackers.com
• The Online Hacker Jargon File: www.jargon.8hz.com
• PHRACK: www.phrack.org

Wireless Organizations

There are two wireless organizations that you need to acquaint yourself with: the IEEE and the Wi-Fi Alliance. The former concerns itself with setting standards for wireless, and the latter certifies that WLAN equipment meets the standards set by the former.

Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org

In this book we mention the pertinent wireless standards: 802.11, 802.11a, 802.11b, 802.11g, and 802.11i. These standards are all the creations of the Institute of Electrical and Electronics Engineers (IEEE). The IEEE leads the way in developing open standards for Wireless Local Area Networks (Wireless LANs), Wireless Personal Area Networks (Wireless PANs), and Wireless Metropolitan Area Networks (Wireless MANs). You can compare and contrast the 802.11 wireless standards for “over the air” to the 802.3 Ethernet standards for “over the wire.”



Wi-Fi Alliance (formerly WECA):


Formed in 1999, the Wi-Fi Alliance is a nonprofit association that certifies the interoperability of wireless Local Area Network products that are based on IEEE 802.11 specifications. The Wi-Fi Alliance has over 200 member companies from around the world — and has certified over 1,000 devices. All the equipment used in the making of this book (for example) was tested and certified by the Wi-Fi Alliance — and without animal testing!

Local Wireless Groups

Should you really want to get serious about wireless ethical hacking, you’ll need to immerse yourself in the culture. Hook up with other wireless aficionados, who can turn you on to new tools and point you to useful whitepapers and other resources. Wireless grassroots organizations are springing up like crabgrass across the world. You can meet like-minded wireless buffs and do some networking — the social kind. Here is a sampling of wireless user groups:

• Air-Stream, Adelaide, SA, AU: www.air-stream.org/tiki-custom_
• AirShare, San Diego, CA, US: www.airshare.org/
• Albany Wireless User Group, Albany, NY, US: http://community.
• Austin Wireless, Austin, TX, US: www.austinwireless.net
• Barcelona Wireless, Barcelona, Cataluña, ES: http://barcelonawireless.net/
• Bay Area Wireless Users Group (BAWUG), Bay Area, CA, US: www.
• BC Wireless, Vancouver, Vancouver Island and Prince Rupert, BC, CA: http://bcwireless.net/
• Capital Area Wireless Network, Northern Virginia, VA, US: www.
• Consume, London, England, UK: www.consume.net/
• Corkwireless, Cork, Cork County, IE: www.corkwireless.com/
• Georgia Wireless User Group, Atlanta, GA, US: www.gawug.com
• Green Bay Professional Packet Radio, Green Bay, WI, US: www.qsl.
• Houston Wireless, Houston, TX, US: www.houstonwireless.org
• IrishWAN, IE: www.irishwan.org/
• Longmont Community Wireless Project, Longmont, CO, US: http://
• Madrid Wireless, Madrid, Madrid, ES: http://madridwireless.net/
• Marin Unwired, Marin County, CA, US: www.digiville.com/
• NoCatNet, Sonoma County, CA, US: http://nocat.net
• NYCWireless, New York City, NY, US: http://nycwireless.net
• NZ Wireless, Auckland, NZ: www.nzwireless.org/
• Orange County California Wireless Users Group, Brea, CA, US: www.occalwug.org/
• Personal Telco, Portland, OR, US: www.personaltelco.net
• Rooftops, Boston/Cambridge, MA, US: http://rooftops.media.
• Salt Lake Area Wireless Users Group (SLWUG), Salt Lake City, UT, US: www.saltlakewireless.net/
• San Diego Wireless Users Group, San Diego, CA, US: www.sdwug.org
• Seattle Wireless, Seattle, WA, US: www.seattlewireless.net
• Southern California Wireless Users Group, Southern California, CA, US: www.socalwug.org
• StockholmOpen.net, Stockholm, SE: www.stockholmopen.net/
• The Toronto Wireless User Group (TorWUG), Toronto, ON, CA: www.torwug.org/
• Tri-Valley Wireless Users Group, US: www.tvwug.org
• Xnet Wireless, Mornington, AU: www.x.net.au/
• WiFi Ecademy, London, England, UK: www.wifi.ecademy.com/
• Wireless Technology Forum, Atlanta, GA, US: www.wirelesstechnologyforum.com
• Wireless France, FR: www.wireless-fr.org/spip/



If you can’t find your location from this list, then try the following sites to find a user group near you:

• www.practicallynetworked.com/tools/wireless_articles_
• www.wirelessanarchy.com/#Community%20Groups
• www.personaltelco.net/index.cgi/WirelessCommunities

Security Awareness and Training

You may find that getting management and staff to pay attention to information security is at best a difficult task. You are not alone. Fortunately the following companies can help you get the message across in your organization.

• Greenidea, Inc. Visible Statement: www.greenidea.com
• The Security Awareness Company: www.thesecurityawarenesscompany.com
• Security Awareness, Inc. Awareness Resources: www.securityawareness.com
• U.S. Security Awareness: www.ussecurityawareness.org

Wireless Tools

Throughout the book, we have described many tools — showing where to get them, classifying, and summarizing them. If you are just starting out, the tools listed here make a nice shopping list. If you are getting married, you can register at hackersrus.com. Ethical-hacking tools also make great anniversary gifts for those two-hacker households.

General tools

We have grouped tools into specific categories, but some of them defied categorization. Rather than lose these excellent tools, we offer the following list:

• BLADE Software IDS Informer: www.bladesoftware.net
• Foundstone SiteDigger Google query tool: www.foundstone.com/
• MAC-address-vendor lookup: http://coffer.com/mac_find
• SMAC MAC-address editor for Windows: www.klcconsulting.net/
• WiGLE database: www.wigle.net/gps/gps/GPSDB/query/
• WiFimaps: www.wifimaps.com

Vulnerability databases

You will need to understand the vulnerabilities associated with your particular hardware and software. During the planning process, you will use this information to determine the exact tests to perform. Following are some well-known vulnerability database sites.

• US-CERT Vulnerability Notes Database: www.kb.cert.org/vuls
• NIST ICAT Metabase: http://icat.nist.gov/icat.cfm
• Common Vulnerabilities and Exposures: http://cve.mitre.org/cve

Linux distributions

Since many wireless testing tools run only on UNIX, Linux, or BSD, you will need to become familiar with one of these platforms. You can purchase a commercial product like SuSE or Red Hat Linux, but that is overkill for our purposes. Instead, use one of the following free Linux distributions.

• Auditor: http://new.remote-exploit.org/index.php/Auditor_
• Cool Linux CD: http://sourceforge.net/project/showfiles.php?
• DSL (Damn Small Linux): www.damnsmalllinux.org/
• GNU/Debian Linux: www.debian.org/
• KNOPPIX: www.knoppix.net/get.php
• SLAX: http://slax.linux-live.org/
• WarLinux: http://sourceforge.net/projects/warlinux/



Software emulators

If you want to run more than one operating system at a time on the same hardware or want to paste from one operating system to another, then you will want to consider a software emulation product. Following are some of the better-known products.

• Bochs: http://bochs.sourceforge.net/
• Cygwin: http://cygwin.com/
• DOSEMU: www.dosemu.org/
• Microsoft Virtual PC: www.microsoft.com/mac/products/
• Plex86: http://savannah.nongnu.org/projects/plex86/
• VMware: www.vmware.com/
• WINE: www.winehq.com/
• Win4Lin: www.netraverse.com/

RF prediction software

RF prediction software helps you simulate the radiation pattern of an access point without having to physically install one. So as a tester you use the same software to predict where you may find a signal. Following are three such software programs.

• Airespace: www.airespace.com/products/AS_ACS_location_
• Alcatel: www.ind.alcatel.com/products/index.cfm?cnt=
• Radioplan: www.electronicstalk.com/news/rop/rop100.html

RF monitoring

You can use software to monitor signal strength and bit error rate. Of course, tools like Kismet or NetStumbler give you signal strength, but they don’t do it as well as the following tools.


• aphunter: www.math.ucla.edu/~jimc/mathnet_d/download.html
• E-Wireless: www.bitshift.org/wireless.shtml
• Gkrellm wireless plug-in: http://gkrellm.luon.net/gkrellmwireless.phtml
• Gnome Wireless Applet: http://freshmeat.net/projects/
• Gtk-Womitor: www.zevv.nl/wmifinfo/
• GWireless: http://gwifiapplet.sourceforge.net/
• Kifi: http://kifi.staticmethod.net/
• KOrinoco: http://korinoco.sourceforge.net/
• KWaveControl: http://kwavecontrol.sourceforge.net/
• KWiFiManager: http://kwifimanager.sourceforge.net/
• Linux Wireless Extensions: http://pcmciacs.sourceforge.net/
• Mobydik.tk: www.cavone.com/services/mobydik_tk.aspx
• NetworkControl: www.arachnoid.com/NetworkControl/index.html
• NetworkManager: http://people.redhat.com/dcbw/NetworkManager/
• Qwireless: www.uv-ac.de/qwireless/
• Wavemon: www.janmorgenstern.de/wavemon-current.tar.gz
• WaveSelect: www.kde-apps.org/content/show.php?content=19152
• Wimon: http://imil.net/wimon/
• Wmap: www.datenspuren.org/wmap
• wmifinfo: www.zevv.nl/wmifinfo/
• WMWave: www.schuermann.org/~dockapps/
• WmWiFi: http://wmwifi.digitalssg.net/?sec=1
• Wscan: www.handhelds.org/download/packages/wscan/
• wvlanmon: http://file.wankota.org/program/linux/wavelan/
• XNetworkStrength: http://gabriel.bigdam.net/home/
• xosview: http://open-linux.de/index.html.en




You can spend a lot of money on an antenna. However, you need not spend all that money. You can build one yourself or acquire one for a pretty reasonable sum. Following are three sites to help you acquire an economical antenna for your ethical-hacking work.

• Cantenna: www.cantenna.com
• Hugh Pepper’s cantennas, pigtails, and supplies: http://home.
• Making a wireless antenna from a Pringles can: www.oreillynet.com/cs/weblog/view/wlg/448

You can find a very good reference page for antennae at www.wardrive.net/



A very useful tool for your wireless ethical-hacking kit is a wardriving or network discovery program. Fortunately for you, there is an overabundance of tools as the following list shows.

• Aerosol: www.sec33.com/sniph/aerosol.php
• AirMagnet: www.airmagnet.com/products/index.htm
• AiroPeek: www.wildpackets.com/products/airopeek
• Airscanner: www.snapfiles.com/get/pocketpc/airscanner.html
• AP Scanner: www.macupdate.com/info.php/id/5726
• AP Radar: http://apradar.sourceforge.net
• Apsniff: www.monolith81.de/mirrors/index.php?path=apsniff/
• BSD-Airtools: www.dachb0den.com/projects/bsd-airtools.html
• dstumbler: www.dachb0den.com/projects/dstumbler.html
• gtk-scanner: http://sourceforge.net/projects/wavelan-tools
• gWireless: http://gwifiapplet.sourceforge.net/
• iStumbler: http://istumbler.net/
• KisMAC: www.binaervarianz.de/projekte/programmieren/
• Kismet: www.kismetwireless.net
• MacStumbler: www.macstumbler.com/
• MiniStumbler: www.netstumbler.com/downloads/
• Mognet: www.l0t3k.net/tools/Wireless/Mognet-1.16.tar.gz
• NetChaser: www.bitsnbolts.com
• Network Stumbler: www.netstumbler.com/downloads
• perlskan: http://sourceforge.net/projects/wavelan-tools
• PocketWarrior: www.pocketwarrior.org/
• pocketWinc: www.cirond.com/pocketwinc.php
• Prismstumbler: http://prismstumbler.sourceforge.net
• Sniff-em: www.sniff-em.com
• Sniffer Wireless: www.networkgeneral.com/
• StumbVerter: www.michiganwireless.org/tools/Stumbverter/
• THC-Scan: www.thc.org/releases.php?q=scan
• THC-WarDrive: www.thc.org/releases.php?q=wardrive
• WarGlue: www.lostboxen.net/warglue/
• WarKizniz: www.michiganwireless.org/tools/WarKizNiz/
• Wellenreiter: www.wellenreiter.net/
• Wi-Scan: www.michiganwireless.org/tools/wi-scan/
• WiStumbler: www.gongon.com/persons/iseki/wistumbler/
• Wireless Security Auditor: www.research.ibm.com/gsal/wsa/
• Wlandump: www.guerrilla.net/gnet_linux_software.html

Wireless IDS/IPS vendors

Wireless IDS/IPS products are necessary whether or not your organization supports wireless networking. If you do support wireless, you need a tool to protect your network. If you don’t have wireless, you need a tool to make sure that none has appeared without your knowledge. Following are some IDS/IPS products.

• AirDefense: www.airdefense.net
• AirMagnet: www.airmagnet.com
• BlueSocket: www.bluesocket.com
• ManageEngine: http://origin.manageengine.adventnet.com/
• NetMotion Wireless: www.netmotionwireless.com
• Red-Detect: www.red-m.com/Products/Red-Detect
• Senforce Wi-Fi Security: www.senforce.com/entwirelessecur.htm
• Vigilant Minds: www.vigilantminds.com
• WiFi Manager: http://manageengine.adventnet.com/products/


Wireless sniffers

You know that old saw: a picture is worth a thousand words. Well, the message from the saw applies to ethical hacking. Show someone his password that you captured because it wasn’t encrypted, and he gets it. Following are some packet capture tools.

• AirMagnet: www.airmagnet.com/
• AiroPeek: www.wildpackets.com/products/airopeek
• AirScanner Mobile Sniffer: http://airscanner.com/downloads/
• AirTraf: http://airtraf.sourceforge.net/
• Capsa: www.colasoft.com/products/capsa/index.php?id=75430g
• CENiffer: www.epiphan.com/products_ceniffer.html
• CommView for WiFi: www.tamos.com/products/commview/
• ethereal: www.ethereal.com
• Gulpit: www.crak.com/gulpit.htm
• KisMAC: www.binaervarianz.de/projekte/programmieren/
• Kismet: www.kismetwireless.net/
• LANfielder: www.wirelessvalley.com/
• LinkFerret: www.baseband.com/
• Mognet: www.l0t3k.net/tools/Wireless/Mognet-1.16.tar.gz
• ngrep: www.remoteassessment.com/?op=pub_archive_search&query=wireless
• Observer: www.networkinstruments.com/
• Packetyzer: www.networkchemistry.com/
• Sniffer Netasyst: www.sniffer-netasyst.com/
• Sniffer Wireless: www.networkgeneral.com/Products_details.


WEP/WPA cracking

If we had a dollar for every time someone said she’s OK because she uses WEP or WPA, we would retire to a nice island in the Caribbean. The following tools should show them that they are not OK.

• Aircrack: www.cr0.net:8040/code/network/
• AirSnort: http://sourceforge.net/projects/airsnort/
• Destumbler: http://sourceforge.net/projects/destumbler
• Dwepcrack: www.e.kth.se/~pvz/wifi/
• jc-wepcracker: www.astalavista.com/?section=dir&cmd=file&id=
• Lucent Orinoco Registry Encryption/Decryption program: www.
• WepAttack: http://wepattack.sourceforge.net/
• WEPcrack: http://sourceforge.net/projects/wepcrack/
• WEPWedgie: http://sourceforge.net/projects/wepwedgie/
• WepLab: http://weplab.sourceforge.net/
• WinAirSnort: www.nwp.nevillon.org/attack.html
• WPA Cracker: www.tinypeap.com/page8.html

Cracking passwords

There are tools that will grab packets, look for passwords, and provide them to you. Following are some of these very desirable tools.

• Cain & Abel: www.oxid.it/cain.html
• Dsniff: www.monkey.org/~dugsong/dsniff/
• Dsniff (Windows port): www.datanerds.net/~mike/dsniff.html
• Dsniff (MacOS X port): http://blafasel.org/~floh/ports/


Crack only passwords that you have the authority to crack. Cracking other passwords could land you in jail.

Dictionary files and word lists

Most password crackers take a list of words or a dictionary and encrypt the words and then compare them to the password file. So you need to get different dictionaries or wordlists. Following are five good sources for dictionaries and wordlists.

• CERIAS Dictionaries and Wordlists: ftp://ftp.cerias.purdue.edu/
• Default vendor passwords: www.cirt.net/cgi-bin/passwd.pl
• Outpost9 Wordlists: www.outpost9.com/files/WordLists.html
• PacketStorm Wordlists: http://packetstormsecurity.nl/
• University of Oxford Dictionaries and Wordlists: ftp://ftp.ox.ac.


Gathering IP addresses and SSIDs

Many wireless security books recommend turning off SSID broadcasting as a control. However, you can use one of the following programs to get the SSID even when broadcasting is turned off.

• air-jack: http://sourceforge.net/projects/airjack/
• Arping: www.habets.pp.se/synscan/programs.php?prog=arping
• essid_jack: http://sourceforge.net/projects/airjack/
• pong: http://mobileaccess.de/wlan/index.html?go=
• SSIDsniff: www.bastard.net/~kos/wifi/ssidsniff-0.40.tar.gz


LEAP crackers

EAP is touted as the solution to the WEP authentication problem. However, EAP has its own problems. Following are three tools you can use to crack LEAP.

• anwrap: http://packetstormsecurity.nl/cisco/anwrap.pl
• asleap: http://asleap.sourceforge.net/
• THC-LEAPcracker: http://thc.org/releases.php?s=4&q=&o=

Network mapping

After you connect to an access point, you will want to map the network. You will want to know how many servers you can find and what operating system each server is running. Following are some tools to help you map your network.

• Cheops: www.marko.net/cheops/
• Cheops-ng: http://cheops-ng.sourceforge.net
• SNMPUTIL.EXE: www.microsoft.com
• Snmpwalk: www.trinux.org
• Solarwinds Standard Edition Version: www.solarwinds.net
• WhatsUp Gold: www.ipswitch.com/products/network-management.html

Network scanners

Network scanners help you identify applications running on the systems on your network. You may find these applications on servers and network devices alike. Following are some that we have used.

• fping: www.fping.com
• GFI LANguard Network Security Scanner: www.gfi.com/lannetscan
• nessus: www.nessus.org
• nmap: www.insecure.org/nmap
• QualysGuard: www.qualys.com
• SoftPerfect Network Scanner: www.softperfect.com/products/
• SuperScan: www.foundstone.com/resources/proddesc/

