Hacking Wireless Networks (2015)
Part II: Getting Rolling with Common Wi-Fi Hacks
In this part . . .

It’s time to roll! With Part I under your belt, you’re ready to move into the testing phase of your wireless-hacking efforts. This part starts out with a discussion of human insecurities — that is, things your users do that make your wireless networks vulnerable. Then we get into physical security vulnerabilities, common wireless client weaknesses, and default settings that can leave your systems begging to be attacked. We finish off with an introduction to wardriving — that’s where the true fun begins. Stick around. It only gets better from here.
Chapter 5
Human (In)Security
In This Chapter

• The effect of human vulnerabilities on wireless networks
• Undertaking social engineering tests
• Looking for unauthorized APs
• Understanding default wireless settings
• Avoiding weak passwords
• Implementing practical countermeasures to your non-technical threats and vulnerabilities

When people think about the various vulnerabilities of wireless networks, they often concentrate only on the technical vulnerabilities associated with things like WEP, radio signal leakage, and the potential for DoS (denial of service) attacks. However, higher-level wireless-network vulnerabilities are often overlooked — namely, human insecurities. We’re not talking about people with low self-esteem, but insecurities involving users who are ignorant of wireless risks or careless with wireless networks.
What kinds of problems can this cause? For starters, employees, and even trusted outsiders such as contractors and auditors, can bring in their wireless APs and plug them right into your network. Some may even set up their wireless clients to run in peer-to-peer — or ad hoc — mode with each other, which can pose even more risks to your network.
Adding to the mess, wireless systems are often implemented with the default settings by unknowing users. Hackers love this. Most of these users aren’t malicious, they’re just uninformed. But setting up unapproved wireless devices without considering the first bit of security is the last thing you need.
And users, or even wireless network administrators, often unknowingly choose weak passwords, making systems even more vulnerable.
Another good way for hackers to break in to your systems is through the use of social engineering. This is when someone poses as a legitimate person (employee, consultant, or government official) and exploits the trusting nature of humans for ill-gotten gains.
Human fallibility is arguably the greatest threat to your systems, and these types of non-technical weaknesses are often the root cause of most wireless-network risks. This chapter explores these weaknesses and shows you how best to eliminate them.

Melts in your mouth, not in your hands

Some networks are said to have candy security. This occurs when the wireless network has a hard, crunchy outside for protection (WEP, secure authentication, and so on) but falls short on security due to its soft, chewy inside (your people and weak processes). Make sure you avoid this problem.
What Can Happen
New wireless vulnerabilities come and go, and securing against unknown threats and vulnerabilities is very difficult. However, one thing’s for sure: When the human element is introduced into information systems (and when is it not?), vulnerabilities start popping up everywhere and often remain indefinitely.
The big picture must not be forgotten. In fact, securing the technical piece is pretty easy — it’s securing the human element that takes more time and effort.
Remember that both types of security must be accounted for. Otherwise, you’re running a partially secured wireless network that can provide only limited information security.
What sorts of things can happen when human vulnerabilities are ignored?
Well, for starters, things like this:
• Managers and network administrators deploy wireless network connectivity just because it’s the latest and greatest technology, or to appease users who think it’d be neat to have, all without considering the security issues or consequences of their actions.
• Social engineers work their way into your building or computer room.
• Users install APs for the sake of convenience and end up bypassing security controls, extending your network, and letting in unauthorized users without your knowledge.
• Hackers or malicious insiders exploit physical security weaknesses, leading to theft, reconfiguration of APs, cracking of WEP keys, and more.
• Network administrators and security managers deploy wireless networks with security requirements that are too stringent, which leads to users ignoring policies and bypassing controls any chance they get.
The possibilities are limitless.
Ignoring the Issues
We’re heading toward a wireless world in which we’ll have as much wireless traffic as wired traffic, if not more. The demand for “anywhere all-the-time” wireless network access, from the boardroom to the coffee shop, is continually growing. The bad thing is that many wireless networks are being deployed without concern for the big picture. The long-term consequences of insecurely implementing wireless systems are being ignored from the get-go.
One of the best things IT professionals can do is to consider security at the ground level before installing any type of system. If wireless networks are put in place with security in mind, it’s much easier to make security changes long-term.
Most users, many business executives, and even some administrators ignore warnings that 802.11-based wireless networks are inherently insecure. By now, anyone watching television, reading the paper, or even reading their wireless network user’s guide should know that simply connecting a wireless AP to the network without enabling any of the basic security features can have a negative impact on information privacy and security. However, as we often see, the desire for unlimited wireless connectivity usually outweighs any potential risks.
In the ongoing battle of security versus convenience and usability, what’s secure is often not convenient or very usable for the user, and what’s convenient, feature-rich, and user-friendly is often not secure. This mindset is what leads to many wireless network exploits.
Hotspots are now all the rage. Everyone wants connectivity and ease of use, and security is often pushed aside. What most users don’t realize is just how insecure their computers and data are when they connect to an unsecured wireless network. Many people just connect to whatever AP is available, especially if they’re out of the office, without thinking about the consequences.
Making matters worse, newer, more “user-friendly” operating systems such as Windows XP make wireless network connection even more dangerous because the computer automatically connects to the first wireless network it sees — yours, theirs, or someone else’s.
Common excuses for setting up unauthorized wireless networks are “I didn’t know wireless security was such a problem,” or “management just won’t buy into the costs associated with securing our wireless network.” However, the constant deluge of new information exposes the truth: 802.11-based systems can be made very secure with minimal money, time, and effort.
Not all users make the wireless security mistakes we speak of. However, the general tendency is to get things up and running as quickly as possible, overlooking what really needs to be done to secure 802.11-based networks.
Still, study after study shows that a large portion — quite often the majority — of wireless networks don’t even utilize the most basic security features, such as WEP encryption and SSIDs, other than the defaults. Our work on ethical-hacking projects confirms these findings.
The only way to fix this problem is to change the mindset of general computer users, and that means educating users about security vulnerabilities that they might not even realize. Let’s jump right in and look at some specific non-technical vulnerabilities you can test for.
Social Engineering
Social engineering is a technique used by attackers to take advantage of the natural trusting nature of most human beings. Criminals often pose as an insider or other trusted person to gain information they otherwise wouldn’t be able to access. Hackers then use the information gained to further penetrate the wireless and quite possibly the wired network and do whatever they please.
Social engineering shouldn’t be taken lightly. It can allow confidential or sensitive information to be leaked and cause irreparable harm to jobs and reputations. Proceed with caution and think before you act.
Social engineering is more common and easier to carry out in larger organizations, but it can happen to anyone. Testing for social-engineering exploits usually requires assuming the role of a social engineer and seeking vulnerabilities by approaching people and subtly probing them for information. If your organization is large enough that most people won’t readily recognize you, carrying out the tests yourself should be pretty easy. You can claim to be a

• Customer
• Business partner
• Outside consultant or auditor
• Service technician
• Student at a university
If there’s any chance of being noticed, or if you simply don’t feel comfortable doing this type of testing, you can always hire a third party to perform the tests we talk about in this section. Just make sure you hire a trusted third party, preferably someone you’ve worked with before. Be sure to check references, perform criminal background checks, and have the testing approved by management up front.
The key is to look at this from a hacker’s perspective. Outside of the technical methods we describe elsewhere in this book, ask yourself how a malicious outsider could gain access to your wireless network. The options and techniques are limitless.
Passive tests
The easiest way to start gathering information you can use during your social engineering tests is to simply search the Internet. You can use your favorite search engine to look up public information such as phone lists, organizational charts, network diagrams, and more. You can then see, from an outsider’s perspective, what public information is available that can be used as an inroad for social engineering and ultimate penetration into your network.
One of the best tools for performing this initial reconnaissance is Google. It’s amazing what you can do and find with Google. It’s even more amazing that this information is made accessible to the public in the first place! You can perform generic Google queries for keywords and files that could lead to more information about your organization and network. Be sure to do both a Web and Groups search in Google because they may both contain some interesting information.
You can also perform some more advanced Google queries that are specific to your network and hosts. Simply enter the following directly into Google’s search field to look for information that could be used against you:

• site: your~public~host~name/IP keywords to search for

Look for keywords such as wireless, address, SSID, password, .xls (Excel spreadsheets), .doc (Word documents), .ppt (PowerPoint slides), .ns1 (Network Stumbler files), .vsd (Visio drawings), .pkt (sniffer packet captures), and so on.

• site: your~public~host~name/IP filetype:ns1 ns1

This searches for Network Stumbler files that contain wireless network configuration information. You can perform this query on any type of file, such as .vsd, .doc, and so on.

• site: your~public~host~name/IP inurl:"h_wireless_11g.html" or inurl:"ShowEvents.shm"

This searches publicly accessible APs (yikes!) such as D-Link and Cisco Aironet for wireless setup pages and event logs, respectively. You may not think your systems have such a vulnerability, but do this test — you may be surprised.
These are just a few potential Google queries you can perform manually, just to get you started. Be sure to perform these queries against all of your publicly accessible hosts. If you’re not sure which of your servers are publicly accessible, you can perform a ping sweep or port scan from outside your firewall to see which systems respond. (This is not foolproof because some systems don’t respond to these queries, but it’s a good place to start.) For in-depth details on using Google as an ethical-hacking tool, check out Johnny Long’s Web site, http://johnny.ihackstuff.com. This site has a wealth of information on using Google for advanced queries. It also includes a query database, called the Google Hacking Database (GHDB), where you can run various queries directly from the site.
You can also run automated Google tests in-house using a neat tool by Foundstone called SiteDigger. This tool, which is available at www.foundstone.com/resources/freetools.htm, allows you to run various pre-packaged Google queries against your systems — including the ones from Johnny Long’s GHDB — as well as custom queries you make up yourself. The only limitation to this is that the Google API license required to run these tests permits a maximum of 1,000 Google queries per day. This limitation, however, is often more than you need. Figure 5-1 shows the user interface for SiteDigger version 2.0.
Figure 5-1: Foundstone’s SiteDigger for automating Google queries.
Active tests
You can use various methods to go about gathering information from insiders. Two simple and less in-your-face methods are e-mail and the telephone.
Simply pick up the phone, make a call to the help desk or to a random user, and start asking questions. Use a phone on which your caller ID won’t give away your identity, such as a phone in the reception area or break room, a pay phone, or perhaps a colleague’s office. You can even use your own phone if you think your users are gullible enough or won’t recognize your name or number. You can do the same with e-mail. Change your e-mail address in your e-mail client (if possible) or use an obscure Webmail account and pose as an outsider.
A common method of social engineering is to gain direct physical access to wireless clients and APs. However, the good thing (or bad thing, depending on how you look at it) about wireless networks is that physical access is not necessary. Chapter 6 covers the physical aspects of wireless security in depth.
You can also just show up in person, acting as an outsider. Whichever method you choose, your goal is to glean information from employees and other users on your network that would essentially give you the “keys” you need for gaining external access to the wireless network. This includes:

• SSIDs
• WEP key(s)
• Computer and network login passwords
• Preshared secret passphrases used by authentication systems such as WPA
• Legitimate MAC or IP addresses used to get onto the network

You could call up your help desk or any random user, pose as a legitimate employee or business partner, and ask for wireless configuration information such as the SSID or WEP key(s). You can ask practically anyone for this information. They may

• Know it off the top of their head
• Have it written down and readily available
• Let you walk them through looking the information up on their computer
• Refer to someone else who can help
After you gather as much information as you feel comfortable gathering, you should check to see just how far you can penetrate the network as an outsider.
Unauthorized Equipment
A very common problem network administrators and security managers face is the introduction of unauthorized wireless systems onto the network. Some users — especially those who are technically savvy — don’t like to be told they can’t use wireless network technology in their workspace, so they may take the initiative to do it themselves, often in direct defiance of organizational policy.
You can even have a malicious insider or, worse, an outsider on an adjacent floor, who has set up a rogue AP for your users to connect to. This is a very simple setup for the hacker. All he has to do is set up an AP using your SSID and wait for your wireless systems to associate with it. There are also programs that automate the process of creating “fake” APs. If this occurs, hackers can capture virtually all traffic flowing to and from your wireless clients. We cover this in more depth in Chapter 11.
A more common problem is the naïve introduction of wireless systems by users who either don’t understand the security issues associated with their actions or aren’t aware of company policies. Either way, you’ve got a potential mess on your hands.
Let’s take a look at an unauthorized AP scenario. When it comes to users installing unauthorized wireless systems, here’s how it usually happens:

1. An employee, Lars, wants to be able to work on his laptop in an adjacent, more plush, cubicle. However, that cubicle doesn’t have an Ethernet network drop.
2. Lars thinks of a solution: ‘Instead of dealing with IT to get a new drop installed or asking them to come up with another solution, I can just install a wireless AP in my main work area and communicate wirelessly from my laptop to the network!’
3. Lars strolls merrily down to the local consumer electronics store during his lunch break and buys a “wireless-network-in-a-box” solution. What a deal — he can get an AP, a wireless PC Card for his laptop, and 5,000 free hours on AOL for the low price of $59.95. Subtracting the $50 in mail-in rebates, Lars has a newfound freedom from network cabling for only $9.95!
4. Lars returns to the office, unpacks his treasure, plugs the AP into the network jack in his original cubicle, and installs the wireless NIC in his laptop.
5. Lars powers up the AP, which, in typical fashion, has a valid IP address for your network preprogrammed into it. Remember, to make things convenient for the end users, no security settings are enabled on the AP — no WEP, broadcasting of the default SSID, blank admin password — nothing. He thinks to himself, ‘Wow, who would’ve thought it’d be this easy!?’
6. Lars boots his laptop, which grabs an IP address from the AP that is running its own DHCP server, and he’s off! He’s now able to log on to your network and browse the Internet. Again, Lars can’t believe how easy this was to set up and thinks that maybe IT is his calling.
Total elapsed time: 45 minutes. Consequences of Lars’s actions: Complete and unlimited exposure of your network to the outside world.
This is a typical scenario, and it didn’t require a whole lot of know-how on Lars’s part. But some people are savvier. They know that they don’t need an AP to communicate with other wireless users directly. These peer-to-peer or ad hoc systems can be even trickier to track down because no AP is involved.
We often hear “my users wouldn’t do that” or “I know my network,” but believe it or not, regardless of the size of the organization, this scenario happens very easily and very often.
If you’re on a limited budget and want to get a general view of wireless APs in your building, you can use a wireless laptop running Windows XP. Here’s a quick test you can run to look for unauthorized APs and wireless clients before they get the best of your network:
1. On the Windows XP desktop, right-click My Network Places and select Properties.
The Network Connections window opens.
2. Double-click your wireless network card.
The Status window opens.
3. Select View Wireless Networks.
You can walk around your building to see what comes up. Unfortunately, in order for new APs to show up, you have to click Refresh Network List in the upper-left corner of the window, or simply press F5 on your keyboard.
Figure 5-2 shows an example of what this looks like. Notice how one AP shows up with the Lock icon labeled Security-enabled wireless network, and the other two (including Lars’) don’t. The one that has security enabled is using WEP encryption. The other two (including Lars’) are, well, wide open. Shame on Lars!
Figure 5-2: Browsing for available wireless networks in Windows XP.
In the name of privacy and protecting the innocent, in Figure 5-2 and many other figures throughout the book, we cropped MAC addresses and other wireless information from the screenshots.
For this kind of testing, you can also use the software that comes with your wireless NIC. These programs often offer greater details about the wireless systems found. For instance, ORiNOCO’s Client Manager has a feature called Site Monitor that allows you to browse your airwaves and view such settings as MAC addresses; signal-to-noise ratios (SNR), which can indicate how close you are to the wireless device; and specific radio channels being used. Added bonuses include a logging feature and the fact that you don’t have to continuously hit refresh for updated information, as you do with the generic Windows XP management software.
One caveat to all this is that many APs can be configured so that their SSIDs are not broadcast and 802.11 beacon packets — packets APs use to advertise their presence — are sent out only every minute or so. This helps hackers keep their rogue systems from showing up on client management and stumbling software. Because the main focus is on the average user setting up an AP, this is not really an issue to worry about here. We cover more advanced rogue AP detection in Chapter 11.
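The walk-around check described above can be scripted once the scan results are in text form. On Windows Vista and later, the command "netsh wlan show networks mode=bssid" prints every visible SSID with its BSSIDs and security settings. The following Python script is an added example, not code from the book: it parses a constructed sample of that listing and flags anything an inventory of authorized APs does not explain: SSIDs not in the inventory, a known SSID advertised by a BSSID you never deployed (the rogue-AP setup described earlier), open networks, ad hoc networks, factory-default SSIDs, and hidden SSIDs, which the caveat above says need a closer look on foot. The inventory, the default-SSID list and the netsh text are assumptions made for the demonstration.

```python
"""Flag unauthorized, open, ad hoc and default-named wireless networks in a
Windows 'netsh wlan show networks mode=bssid' listing.

Added example; not code from the book. The netsh text is a CONSTRUCTED
sample; the authorized-AP inventory and default-SSID list are assumptions.
"""
import re

# Assumed inventory of the APs your team actually deployed: SSID -> BSSIDs.
AUTHORIZED_APS = {
    "CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

# Assumed list of factory SSIDs; a hit suggests an AP still on its defaults.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "dlink"}

# Constructed sample of a netsh listing: three SSIDs, four BSSIDs.
SAMPLE_NETSH_OUTPUT = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 82%
    BSSID 2                 : 66:77:88:99:aa:bb
         Signal             : 40%

SSID 2 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Signal             : 70%

SSID 3 :
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:de:ad:be:ef:01
         Signal             : 55%
"""

SSID_RE = re.compile(r"^SSID \d+ :\s?(.*)$")
FIELD_RE = re.compile(r"^\s+(Network type|Authentication|Encryption)\s*:\s*(.*)$")
BSSID_RE = re.compile(r"^\s+BSSID \d+\s*:\s*([0-9a-fA-F:]{17})\s*$")


def parse_netsh(text):
    """Return one dict per BSSID, carrying the SSID-level security fields."""
    records, current = [], None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:
            current = {"ssid": m.group(1).strip(), "network_type": "",
                       "authentication": "", "encryption": ""}
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
            continue
        m = BSSID_RE.match(line)
        if m:
            # netsh prints the security fields before the BSSID lines, so the
            # record already carries them when it is copied here.
            records.append(dict(current, bssid=m.group(1).lower()))
    return records


def classify(records, authorized=AUTHORIZED_APS, defaults=DEFAULT_SSIDS):
    """Map each BSSID to the findings a walk-around audit should raise."""
    findings = {}
    for r in records:
        ssid, issues = r["ssid"], []
        if ssid == "":
            # Hidden SSID: no name in the beacon, so inventory matching is
            # impossible from this listing alone; locate the device on foot.
            issues.append("hidden SSID, needs follow-up")
        elif ssid in authorized:
            if r["bssid"] not in authorized[ssid]:
                issues.append("unknown BSSID advertising an authorized SSID")
        else:
            issues.append("SSID not in AP inventory")
        if ssid.lower() in defaults:
            issues.append("factory default SSID")
        if r["authentication"].lower() == "open" or r["encryption"].lower() == "none":
            issues.append("open network, no encryption")
        if r["network_type"].lower().startswith("ad"):
            issues.append("ad hoc network, no AP involved")
        findings[r["bssid"]] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in classify(parse_netsh(SAMPLE_NETSH_OUTPUT)).items():
        print(bssid, "OK" if not issues else "; ".join(issues))
```

To use it on a real sweep, redirect the netsh listing to a file at each stop on your walk and feed the file to parse_netsh; keep the inventory keyed by BSSID rather than SSID alone, since the SSID is exactly what a rogue AP copies.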
Default Settings
Although we dedicate an entire chapter to the topic of default wireless settings (Chapter 8), they deserve mention here because of the human issues surrounding them. An unbelievable number of APs are deployed with the default settings still intact, including, for example:
• IP addresses
• SSIDs
• Broadcasting of SSIDs
• Admin passwords
• Remote management enabled
• Full power settings
• Use of omnidirectional antennas that come standard on most APs
• No MAC-address filtering
• WEP turned off
There are also related updates to AP firmware as well as client management software and drivers that come with the wireless systems. Wireless vendors are continually updating their firmware and software to fix security vulnerabilities and add enhanced security features, yet patching and updating is often overlooked.
Hackers know they can download the documentation for practically any 802.11-based wireless network right off the Internet. This documentation often reveals many of the default settings in use. In addition, several independent Internet sites list default settings, including:
• www.cirt.net/cgi-bin/passwd.pl
• www.phenoelit.de/dpl/dpl.html
• http://new.remote-exploit.org/index.php/Wlan_defaults
• www.thetechfirm.com/wireless/ssids.htm
If you want to see if your users or any of the systems you’ve set up are using vulnerable default settings, you can perform some basic tests with the information you’ve gathered, including
• Connecting to APs by using their default SSIDs
• Remotely connecting to the default admin port
• Spoofing MAC addresses (we cover this in detail in Chapter 13)

Refer to Chapter 8 for details of the various default setting tests you can perform against your network.
Weak Passwords
The use of weak passwords on wireless systems is a major problem. Passwords are often one of the weakest links in the information-security chain — especially on wireless networks, where they’re easier to glean and crack. From remote admin access to WEP to WPA preshared secrets to wireless client operating systems, passwords can be the Achilles heel of your network in quite a number of ways.
It’s easy to create and maintain strong passwords that are very difficult to crack, although users often neglect this. A single weak password can cause a big problem. If a hacker gains access to a password on the wireless network, all bets are off, and bad things usually start happening.
An effective password is one that’s both difficult to guess yet easy to remember.
The highly publicized encryption flaws inherent in the WEP protocol have also been an impediment to more widespread use of wireless networks. A not-so-determined hacker only has to capture a day’s worth of wireless packets — often less — in order to use various cracking tools to determine your WEP key. As we mentioned before, WPA and WPA2 have solved all the known WEP issues. But they have their own problems as well! And most wireless networks are not using WEP, so hackers are still breaking in. WEP is not completely worthless, though, because it still provides a layer of security — a hoop if you will — that an attacker has to jump through to get to your systems.
We cover the topic of weak passwords in other chapters throughout the book, including Chapter 7 on wireless clients, Chapter 15 on WEP, and Chapter 16 on authentication. Kevin also discusses passwords in depth in his passwords chapter in Hacking For Dummies. If you haven’t yet purchased Hacking For Dummies but you’re just dying to learn more about password hacking, you can download the password chapter for free at http://searchsecurity.techtarget.com/searchSecurity/downloads/HackingforDummiesCh07.pdf.
Human (In)Security Countermeasures
You can combat the human insecurities your wireless network faces in several ways. These come in the form of policy, education, proactive monitoring, and simple prevention. The solutions are fairly straightforward. The real trick is getting users, and most importantly, upper management to buy into them.
Here’s what you can do.
Enforce a wireless security policy
The first step is to create a company policy that no unauthorized wireless systems are to be installed. The following is an example of a wireless policy statement:
Users shall not install or operate any wireless-network system (router, AP, ad-hoc client, etc.) within the organization.
If you choose to allow wireless systems inside your organization or allow remote users to have wireless networks at home, your wireless security policy should outline specific minimum requirements. The following is an example of such a policy:
Users shall not install or operate any wireless-network system (router, AP, ad-hoc client, etc.) within the organization without written permission from the Information Technology Manager. Additionally, all wireless systems must meet the following minimum requirements:
• WEP is enabled.
• Default SSIDs are changed to something obscure that doesn’t describe who owns it or what it is used for.
• Broadcasting of SSIDs is disabled.
• Default admin passwords are changed to meet the requirements of organizational password policy.
• APs are placed outside the corporate firewall or in a protected DMZ.
• Personal firewall software such as Windows Firewall or BlackICE is installed and enabled.
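Both the weak-password discussion earlier in the chapter and the minimum requirements just listed can be checked mechanically once you keep an inventory of your APs, which turns a policy on paper into the ongoing audit recommended later in this chapter. The following Python script is an added example, not code from the book: it audits a constructed AP inventory against those requirements (encryption on, non-default and non-descriptive SSID, SSID broadcast off, admin password meeting a password policy, AP outside the firewall or in a DMZ, plus the remote-management default from the Default Settings section) and reports every AP that misses one. The organization name, the default-SSID and default-password lists, and the password-policy thresholds are assumptions made for the demonstration.

```python
"""Audit an AP inventory against the chapter's example wireless policy and
check each AP's admin password against a password policy.

Added example; not code from the book. The inventory, the organization
name, the default lists and the policy thresholds are assumptions.
"""
import string

ORG_NAME = "acme"                                   # assumed owner name an SSID must not reveal
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "dlink"}  # assumed factory SSIDs
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "public", "1234"}  # assumed factory passwords
MIN_PASSWORD_LENGTH = 12                            # assumed organizational password policy
# The chapter's example policy says "WEP is enabled", so WEP counts here for
# that reason only; a current policy would accept WPA2 alone.
ACCEPTED_ENCRYPTION = {"WEP", "WPA", "WPA2"}
APPROVED_PLACEMENTS = {"outside firewall", "DMZ"}

# Constructed inventory: one hardened AP, Lars's box, and a guest AP.
SAMPLE_INVENTORY = [
    {"name": "hq-ap-1", "ssid": "qz7-blue", "ssid_broadcast": False,
     "encryption": "WPA2", "admin_password": "Tr0ub4dor&3-xyz!",
     "remote_management": False, "placement": "DMZ"},
    {"name": "lars-cube", "ssid": "linksys", "ssid_broadcast": True,
     "encryption": "none", "admin_password": "",
     "remote_management": True, "placement": "internal LAN"},
    {"name": "lobby", "ssid": "acme-guest", "ssid_broadcast": False,
     "encryption": "WEP", "admin_password": "acme-guest2005",
     "remote_management": False, "placement": "DMZ"},
]

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def password_problems(password, ssid=""):
    """List the ways a password fails the (assumed) organizational policy."""
    problems = []
    if password.lower() in DEFAULT_ADMIN_PASSWORDS:
        problems.append("is a factory default")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"is shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if ssid and ssid.lower() in password.lower():
        problems.append("contains the SSID")
    return problems


def audit_ap(ap):
    """Return the policy findings for one AP record; an empty list is compliant."""
    findings = []
    ssid = ap["ssid"]
    if ap["encryption"].upper() not in ACCEPTED_ENCRYPTION:
        findings.append("encryption disabled")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if ORG_NAME in ssid.lower():
        findings.append("SSID names the organization")
    if ap["ssid_broadcast"]:
        findings.append("SSID broadcast enabled")
    if ap["remote_management"]:
        findings.append("remote management enabled")
    findings.extend("admin password " + p
                    for p in password_problems(ap["admin_password"], ssid))
    if ap["placement"] not in APPROVED_PLACEMENTS:
        findings.append("AP on the internal LAN, not outside the firewall or in a DMZ")
    return findings


def audit_inventory(inventory):
    """Audit every AP and return {name: findings}."""
    return {ap["name"]: audit_ap(ap) for ap in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "compliant" if not findings else "; ".join(findings))
```

Run it against the inventory you export from your AP management console; any AP that comes back with findings has drifted from the policy and is the one to revisit, with the user, before an outsider finds it first.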
Train and educate
One of the best ways to get users to adhere to your wireless security policy is to make them aware of it — teach them what the policy means, along with the consequences of violating the policy. Educate users on what can happen when the policy is not adhered to and try to relate these issues to their everyday job tasks. For example, where a project manager is using a wireless network, describe to her how a hacker could capture detailed information about the project she’s working on, such as user lists, network diagrams, costs, and other confidential information.
If management doesn’t get user sign-off on your policies showing that they understand and agree to the terms of the policies, the policies are as good as nothing. Make sure sign-off takes place.
Also, talk to your users about how a hacker can make it look like the user actually committed the crime by spoofing the user’s address, using the user’s login information, sending e-mails on the user’s behalf, and so on.
Keep people in the know
If you want to keep security on top of everyone’s minds, the training and awareness has to be ongoing. Keep people aware of security issues by passing out items (such as the following) with security messages on them:
• Screen savers
• Mouse pads
• Pens and pencils
• Sticky-note pads
• Posters in the break room
Several organizations specialize in these security awareness products.
Check out

• www.securityawareness.com
• www.thesecurityawarenesscompany.com
• www.greenidea.com
• www.privacyposters.com
Your best defense is your people, so keep them in the know and make sure you put a positive spin on your security initiatives so you don’t tire them out.
Scan for unauthorized equipment
A great way to help enforce your wireless security policy is to install a centrally managed wireless gateway or IDS system, such as the products offered from Bluesocket (www.bluesocket.com) and AirDefense (www.airdefense.net). These systems can prevent problems from the get-go through strong authentication or alerts when they detect unauthorized wireless systems, can monitor for malicious wireless behavior, and more. We outline how to get similar functionality out of other tools such as commercial monitoring programs and wireless sniffers in Chapter 11.
Secure your systems from the start
Another great defense against people-related security vulnerabilities on your wireless network is to prevent them in the first place. Set your users and your systems up for success. You should not only make it policy to harden wireless systems but also help users do the hands-on work if possible. Also, ongoing ethical hacks and audits (comparing what is supposed to be done according to policy to what is actually being done) are essential. This can help you make sure that wireless systems haven’t been changed back to include the insecure settings you’re trying so hard to prevent.