Hacking Wireless Networks (2015)
Part II: Getting Rolling with Common Wi-Fi Hacks
Chapter 6: Containing the Airwaves
In This Chapter
• Monitoring link strength and quality
• Choosing monitoring software
• Protecting your organization
Many companies expose themselves to attack because they don’t attempt to control the radio signals leaking from their organization. In such cases, a cracker could sit in your parking lot or stand across the street and monitor your network. This chapter shows you how to control your signals. In later chapters, we show you how to monitor frames (Chapter 8), discover networks (Chapters 9 and 10), intercept frames (Chapter 12), deny service (Chapter 13), crack encryption keys (Chapter 14), and beat user authentication (Chapter 15). Before you can try these tests, you need to find radio signals — yours and others.
Signal Strength
A first step to testing your network is to determine the bounds of your network. You can use sophisticated tools like AiroPeek (see Chapter 8) or a spectrum analyzer, but that would really be overkill. All you need are various software programs that supply link-quality information. Several freeware products run on Linux.
Using Linux Wireless Extension and Wireless Tools
The Linux Wireless Extension and Wireless Tools are an open source project sponsored by Hewlett Packard. The Wireless Extension is a generic application programming interface (API) that exposes wireless configuration, information, and statistics to user space. Wireless Tools is a set of tools that use the Wireless Extensions. The Wireless Tools are
12_597302_ch06.qxd 8/4/05 7:01 PM Page 82
82 Part II: Getting Rolling with Common Wi-Fi Hacks
• iwconfig: Changes the basic wireless parameters.
• iwpriv: Changes the Wireless Extensions specific to a driver (private).
• iwlist: Lists addresses, frequencies, and bit rates.
• iwspy: Gets per-node link quality.
We explore these tools in turn in the following sections. For each tool, we provide an illustrative example. If you want to really understand the command and its many parameters, however, please check out the man page for the syntax and other information about any of these commands. If you have a Web browser, you can use Google.
Linux Wireless Extensions are powerful additions to your ethical hacking utility belt. Linux Wireless Extensions are available from http://pcmcia-cs.sourceforge.net/ftp/contrib. Look for the entry wireless_tools.27.tar.gz near the bottom of the available documents and programs. Wireless Extensions v.14 is bundled in the 2.4.20 kernel, and v.16 is in the 2.4.21 kernel.
iwlist and the others are great tools. They get their information from the standard kernel interface /proc/net/wireless. But these tools provide only a snapshot in time; they do not provide statistics over time. If you favor the Windows platform, you can use a great tool like NetStumbler (we cover this tool in depth in Chapter 9). But when you work with Linux, you want to find a better link-monitoring tool. The other tools in this section provide more functionality than iwconfig, iwpriv, iwlist, and iwspy.
Using iwconfig
You use iwconfig to configure a wireless network interface. If you’re familiar with the ifconfig command, the iwconfig command is similar but works only with wireless interfaces. You use iwconfig to set the network interface parameters, such as frequency. As well, you can use iwconfig to set the wireless parameters and display statistics. The syntax is as follows:
iwconfig interface [essid X] [nwid N] [freq F] [channel C]
                   [sens S] [mode M] [ap A] [nick NN]
                   [rate R] [rts RT] [frag FT] [txpower T]
                   [enc E] [key K] [power P] [retry R]
                   [commit]
iwconfig --help
iwconfig --version
Let’s look at each one of the parameters.
• essid: Use the ESSID parameter to specify the ESSID or Network Name. For example, the following specifies that you want to set the ESSID for the wireless adapter to ANY for wardriving.
iwconfig eth0 essid any
• nwid/domain: Use the Network ID parameter to specify the network ID or Domain ID. For example, the following specifies that you want to disable Network ID checking.
iwconfig eth0 nwid off
• freq/channel: Use this parameter to set the operating frequency or channel. A value below 1,000 is taken as a channel number, while a value above that is taken as a frequency in Hz. For example, the following specifies that you want to set the frequency to 2.422 GHz.
iwconfig eth0 freq 2.422G
Or for example, the following specifies that you want to use channel three.
iwconfig eth0 channel 3
• sens: Use this parameter to set the sensitivity threshold. For example, the following specifies the level as 80 dBm.
iwconfig eth0 sens -80
• mode: Use this parameter to set the operating mode of the device. The operating mode is one of the following:
  • Ad-hoc: no Access Point.
  • Managed: more than one Access Point, with roaming.
  • Master: synchronization master or an Access Point.
  • Repeater: node forwards packets between other wireless nodes.
  • Secondary: node acts as a backup master or repeater.
  • Monitor: the node acts as a passive monitor and only receives packets.
  • Auto: self-explanatory.
For example, the following specifies that the network is infrastructure mode.
iwconfig eth0 mode managed
• ap: Use this parameter to force the card to register to the Access Point given by the address. Use off to re-enable automatic mode without changing the current Access Point, or use any or auto to force the card to re-associate with the current best Access Point. For example, the following forces association with the access point with the hardware address of 00:60:1D:01:23:45.
iwconfig eth0 ap 00:60:1D:01:23:45
• nick[name]: Use this parameter to set the nickname or station name. For example, the following sets the nickname to Peter Node.
iwconfig eth0 nickname Peter Node
• rate/bit[rate]: Use this parameter to set the bit-rate in bits per second for cards supporting multiple bit rates. For example, the following sets the bit rate to 11 Mbps.
iwconfig eth0 rate 11M
• rts[_threshold]: Use this parameter to turn RTS/CTS on or off. For example, the following turns RTS/CTS off.
iwconfig eth0 rts off
• frag[mentation_threshold]: Use this parameter to turn fragmentation on or off. For example, the following specifies a maximum fragment size of 512K.
iwconfig eth0 frag 512
• key/enc[ryption]: Use this parameter to turn encryption or scrambling keys on or off and to set the encryption mode. For example, the following specifies an encryption key.
iwconfig eth0 key 0123-4567-89
• power: Use this parameter to set the power management scheme and mode. For example, the following disables power management.
iwconfig eth0 power off
• txpower: Use this parameter to set the transmit power in dBm for cards supporting multiple transmit powers. For example, the following sets the transmit power to 15 dBm.
iwconfig eth0 txpower 15
If you are unfamiliar with dBm as a measurement, refer to www.atis.org/tg2k/_dbm.html for a definition.
• retry: Use this parameter to set the maximum number of MAC retransmission retries. For example, the following specifies to retry 16 times.
iwconfig eth0 retry 16
• commit: Use this parameter to force the card to apply all pending changes rather than waiting for the issuance of an ifconfig command. For example, the following specifies to commit the changes.
iwconfig eth0 commit
• Link quality: Use this parameter to display the quality of the link.
• Signal level: Use this parameter to show the received signal strength.
• Noise level: Use this parameter to display the background noise level.
• invalid nwid: Use this parameter to detect configuration problems or the existence of an adjacent network.
• invalid crypt: Use this parameter to display the number of packets that the hardware couldn’t decrypt.
• invalid misc: Use this parameter to display other packets lost in relation with specific wireless operations.
There you have it. Remember you can get more information by using the man command.
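The Wireless Tools read all of these figures from /proc/net/wireless, and, as noted earlier, each read is only a snapshot. The following added example (not code from the book or from the Wireless Tools project) polls that file the way a link monitor does: it parses the kernel's layout, keeps the signal level as a series, and diffs the cumulative counters between reads so that a rising invalid nwid or invalid crypt count stands out. The two snapshots are constructed sample text, not real captures, and the 10 dB SNR warning threshold is an assumption.

```python
"""Summarize /proc/net/wireless over repeated snapshots."""
import re
from statistics import mean

# Constructed sample text in the layout of the Wireless Extensions kernel
# interface; two reads a few seconds apart. These are not real captures.
SNAPSHOT_1 = """\
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 16
  eth0: 0000   55.  -61.  -92.        3      0      0      1      0        0
 wlan0: 0000   12.  -84.  -95.        0      7      0      4      2        1
"""
SNAPSHOT_2 = """\
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 16
  eth0: 0000   58.  -59.  -92.        3      0      0      1      0        0
 wlan0: 0000   10.  -86.  -95.       12     19      0      6      2        1
"""

# Column order of a data row after the "iface:" prefix.
FIELDS = ("status", "link", "level", "noise",
          "nwid", "crypt", "frag", "retry", "misc", "beacon")
COUNTERS = FIELDS[4:]   # cumulative discarded/missed counters


def parse_proc_net_wireless(text):
    """Return {iface: {field: int}} for each data row; header rows are skipped."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+):\s+(.+)$", line)
        if not m:                    # the two header rows have no "name:" prefix
            continue
        iface, rest = m.groups()
        toks = rest.split()
        if len(toks) < len(FIELDS):
            continue
        rec = {"status": int(toks[0], 16)}          # status is printed in hex
        for name, tok in zip(FIELDS[1:], toks[1:len(FIELDS)]):
            rec[name] = int(tok.rstrip("."))        # quality values carry a trailing "."
        stats[iface] = rec
    return stats


def summarize(snapshots):
    """Combine snapshots in time order: level range, SNR, and counter deltas."""
    summary = {}
    for iface in set().union(*(s.keys() for s in snapshots)):
        recs = [s[iface] for s in snapshots if iface in s]
        first, last = recs[0], recs[-1]
        levels = [r["level"] for r in recs]
        summary[iface] = {
            "level_min": min(levels),
            "level_avg": mean(levels),
            "level_max": max(levels),
            "snr_db": last["level"] - last["noise"],   # signal above the noise floor
            "delta": {c: last[c] - first[c] for c in COUNTERS},
        }
    return summary


def warnings_for(iface, summ, min_snr_db=10):
    """Translate counter movement into the conditions the statistics list describes."""
    out = []
    d = summ["delta"]
    if d["nwid"] > 0:
        out.append(f"{iface}: {d['nwid']} frames with a foreign network ID "
                   "(adjacent network or nwid misconfiguration)")
    if d["crypt"] > 0:
        out.append(f"{iface}: {d['crypt']} frames the hardware could not decrypt "
                   "(key mismatch?)")
    if d["misc"] > 0:
        out.append(f"{iface}: {d['misc']} frames lost to other wireless operations")
    if summ["snr_db"] < min_snr_db:   # 10 dB threshold is an assumption, not from the book
        out.append(f"{iface}: SNR of {summ['snr_db']} dB is marginal")
    return out


if __name__ == "__main__":
    # On a live system, replace the constants with repeated reads of the file:
    #   open("/proc/net/wireless").read()  every second or so
    summary = summarize([parse_proc_net_wireless(SNAPSHOT_1),
                         parse_proc_net_wireless(SNAPSHOT_2)])
    for iface in sorted(summary):
        s = summary[iface]
        print(f"{iface}: level {s['level_min']}..{s['level_max']} dBm "
              f"(avg {s['level_avg']:.1f}), SNR {s['snr_db']} dB")
        for w in warnings_for(iface, s):
            print("  !", w)
```

Because the discard counters only ever grow, the interesting figure is the difference between two reads, not the absolute value; a burst of invalid nwid frames during a walk is exactly the "adjacent network" symptom the statistics list describes.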
Using iwpriv
iwpriv is the companion tool to iwconfig. Again, you use iwpriv to configure optional (private) parameters for a wireless network interface. You use iwpriv for parameters and settings specific to each driver, as opposed to iwconfig, which deals with generic ones. The syntax is as follows:
iwpriv interface private-command [I] [private-parameters]
iwpriv interface --all
iwpriv interface roam {on,off}
iwpriv interface port {ad-hoc,managed,N}
Using the iwpriv command without any parameters lists the available private commands for each interface and the parameters required.
Let’s look at each one of the parameters.
• private-command [I] [private-parameters]: Use the specified private-command on the interface. The I parameter, which stands for an integer, is the integer to pass to the command as a Token Index. Your driver documentation should specify the value for the integer, otherwise leave the value out. The command may optionally take or require arguments, and may display information. The following paragraphs provide information on the arguments.
• -a/--all: Use this parameter to execute and display all the private commands that don’t require any arguments, for example, read only.
• roam: Use this parameter to enable or disable roaming, when supported.
• port: Use this parameter to read or configure the port type.
Using iwlist
iwlist allows you to display more detailed information from a wireless interface than you can get with iwconfig. For instance, you can get the ESSID, node name, frequency, signal quality and strength, bit rate, and error rate.
The syntax is as follows:
iwlist interface scanning
iwlist interface frequency
iwlist interface rate
iwlist interface key
iwlist interface power
iwlist interface txpower
iwlist interface retry
iwlist --help
iwlist --version
Let’s look at each one of the parameters.
• scan[ning]: Use this parameter to list the access points and ad-hoc cells in range. For example, the following runs a scan on wlan0.
iwlist wlan0 scan
Run this command and you may see something like the following:
wlan0 Scan completed:
  Cell 01 - Address: 00:02:2D:8F:09:8D
    ESSID:"pdaconsulting"
    Mode:Master
    Frequency:2.462GHz
    Quality:0/88 Signal level:-50 dBm Noise level:-092 dBm
    Encryption key:off
    Bit Rate:1Mb/s
    Bit Rate:2Mb/s
    Bit Rate:5.5Mb/s
    Bit Rate:11Mb/s
• freq[uency]/channel: Use this parameter to specify the list of available frequencies for the device and the number of defined channels.
• rate/bit[rate]: Use this parameter to list the bit-rates supported by the device.
• key/enc[ryption]: Use this parameter to list the supported encryption key sizes and to display all the available encryption keys.
• power: Use this parameter to list the various Power Management attributes and modes of the device.
• txpower: Use this parameter to list the various Transmit Powers available on the device.
• retry: Use this parameter to list the transmit retry limits and retry lifetime on the device.
• --version: Use this parameter to display the version of the tools, as well as the recommended and current Wireless Extensions version for the tool and the various wireless interfaces.
Using iwspy
You use iwspy to get statistics from specific wireless nodes. With iwspy, you can list the addresses associated with a wireless network interface and get link-quality information for each. The syntax is as follows:
iwspy interface [+] DNSNAME | IPADDR | HWADDR [...]
iwspy interface off
Let’s look at each one of the parameters.
• DNSNAME | IPADDR: Use this parameter to set an IP address or DNS name (using the name resolver).
• HWADDR: Use this parameter to set a hardware (MAC) address.
• Plus sign (+): Use this parameter to add a new set of addresses to the end of the current list.
• off: Use this parameter to remove the current list of addresses and to disable the spy functionality.
Using Wavemon
Wavemon is an ncurses-based monitor for wireless devices that polls /proc/net/wireless many times per second. It allows you to watch the signal and noise levels, packet statistics, device configuration, and network parameters of your wireless network hardware. So far, Wavemon has been tested only with the Lucent ORiNOCO series of cards, although it should work (with varying features) with all wireless cards supported by the wireless kernel extensions written by Jean Tourrilhes. You can find Jean’s “Wireless Tools for Linux” Web page at www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html.
Wavemon continuously updates the statistics. While looking at the statistics, you can press F2 to bring up the Level Histogram. This display gives you a running history of the level of connectivity.
Because Wavemon uses a terminal session, you can simultaneously run more than one instance. You could use each instance to monitor a different link simultaneously.
Wavemon is available from www.janmorgenstern.de/wavemon-current.tar.gz.
Using Wscan
Wscan is a UNIX/X-based link-monitoring application intended for Lucent cards, Linux/x86, Linux/iPaq, or FreeBSD.
The application has two windows. One shows the signal strength. The other window shows details (including ESSID, signal strength, quality, and noise) on a source you select from the signal strength window.
Wscan is available from www.handhelds.org/download/packages/wscan.
Using Wmap
Wmap is a tool for creating log files about the reachability of wireless access points with signal strength and GPS coordinates.
Wmap is available from www.datenspuren.org/wmap.
Using XNetworkStrength
XNetworkStrength shows signal strength. It’s a small application (10.5 KB), is extremely fast, and uses only the X11 API. Oh, and it’s free.
XNetworkStrength is available from http://gabriel.bigdam.net/home/xnetstrength.
Using Wimon
Wimon is a curses-based wireless connection monitor that shows a real-time graph of a wireless connection’s status. It runs on NetBSD, FreeBSD, and OpenBSD. Following is the syntax for Wimon.
wimon -i <iface> [-s <scale>] [-d delay in microsec] [-w]
Wimon is available from http://imil.net/wimon.
Other link monitors
We cover a few tools for monitoring the link quality, but the list of potential tools is long. Following is a list of other link monitors:
• aphunter (www.math.ucla.edu/~jimc/mathnet_d/download.html): Link monitor and site survey tool.
• E-Wireless (www.bitshift.org/wireless.shtml): Enlightenment link monitor.
• Gkrellm wireless plug-in (http://gkrellm.luon.net/gkrellm wireless.phtml): GKrellM monitoring system plug-in.
• Gnome Wireless Applet (http://freshmeat.net/projects/gwifi applet): Gnome link monitor.
• Gtk-Womitor (www.larsen-b.com/Article/174.html): Applet that shows signal strength.
• GWireless (http://gwifiapplet.sourceforge.net): Yet another Gnome link monitor.
• Kifi (http://kifi.staticmethod.net): KDE link monitor.
• KOrinoco (http://korinoco.sourceforge.net): ORiNOCO-specific link monitor.
• KWaveControl (http://kwavecontrol.sourceforge.net): KDE link monitor.
• KWiFiManager (http://kwifimanager.sourceforge.net): KDE link monitor and successor to KOrinoco.
• Mobydik.tk (www.cavone.com/services/mobydik_tk.aspx): TCL link monitor.
• NetworkControl (www.arachnoid.com/NetworkControl/index.html): Monitor interfaces.
• NetworkManager (http://people.redhat.com/dcbw/Network Manager): Red Hat/Fedora link monitor.
• QWireless (www.uv-ac.de/qwireless): iPaq/Zaurus WLAN analyzer.
• WaveSelect (www.kde-apps.org/content/show.php?content=19152): Another KDE link monitor.
• wmifinfo (www.zevv.nl/wmifinfo): Applet to display available interface information.
• WMWave (www.schuermann.org/~dockapps): Window Maker link monitor.
• WmWiFi (http://wmwifi.digitalssg.net/?sec=1): Wireless Monitor for Window Maker.
• xosview (http://open-linux.de/index.html.en): Xosview modification to monitor link quality.
Of course, we should mention that the utility that comes with your wireless NIC usually has a link monitor. This is a low-cost, low-fuss solution.
If you have the budget, you might want to consider using a spectrum analyzer like the ones offered by Anritsu (www.anritsu.co.jp/E/Products/Appli/Wlan) or Rohde & Schwarz (www.rohde-schwarz.com). However, some freeware spectrum analyzers are available — for example, the Waterfall Spectrum Analyzer (http://freshmeat.net/projects/waterfallspectrum analyzer). An RF spectrum analyzer is a device that receives a chosen range of signals, in our case 2.4 GHz and 5 GHz, and displays the relative signal strength on a logarithmic display, usually a cathode ray oscilloscope.
Network Physical Security Countermeasures
Radio waves travel. This means that crackers don’t need to physically attach to your network. Most likely you have locks on your doors. You might even have an alarm system to protect your physical perimeter. Unfortunately, the radio waves don’t respect your perimeter security measures. Consequently, you need to walk your perimeter whether you’re an individual wanting to protect your access point or a large organization wanting to protect its wired network. While walking the perimeter, monitor the quality of the signal using the tools discussed in this chapter. When you find the signal in places where you don’t want it, turn down the power or move the access point to reshape the cell.
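Here is an added example, not code from the book, of how the perimeter walk can be recorded and checked. It parses the iwlist scan layout shown earlier in this chapter for a scan captured at each survey point and flags every point where the organization’s own ESSID is still usable. The survey text is constructed; the ESSID pdaconsulting is borrowed from the chapter’s sample scan and assumed to be ours, and the -75 dBm usability threshold is an assumption.

```python
"""Flag survey points where your own ESSID is still usable, from iwlist scan output."""
import re

OUR_ESSID = "pdaconsulting"   # the ESSID from this chapter's sample scan (assumed to be ours)
USABLE_DBM = -75              # assumed: a client can still associate at or above this level

# Constructed scan output, in the layout iwlist prints, for two points outside the building.
SURVEY = {
    "parking lot": """\
wlan0     Scan completed :
          Cell 01 - Address: 00:02:2D:8F:09:8D
                    ESSID:"pdaconsulting"
                    Mode:Master
                    Frequency:2.462GHz
                    Quality:40/88  Signal level:-62 dBm  Noise level:-92 dBm
                    Encryption key:on
          Cell 02 - Address: 00:0C:41:AA:BB:CC
                    ESSID:"neighbour"
                    Mode:Master
                    Frequency:2.437GHz
                    Quality:10/88  Signal level:-81 dBm  Noise level:-92 dBm
                    Encryption key:off
""",
    "street": """\
wlan0     Scan completed :
          Cell 01 - Address: 00:02:2D:8F:09:8D
                    ESSID:"pdaconsulting"
                    Mode:Master
                    Frequency:2.462GHz
                    Quality:3/88  Signal level:-85 dBm  Noise level:-93 dBm
                    Encryption key:on
""",
}

CELL_RE = re.compile(r"Cell\s+(\d+)\s+-\s+Address:\s*([0-9A-Fa-f:]{17})")
LEVEL_RE = re.compile(r"Signal level[:=]\s*(-?\d+)\s*dBm")
NOISE_RE = re.compile(r"Noise level[:=]\s*(-?\d+)\s*dBm")


def parse_iwlist_scan(text):
    """Return one dict per cell: address, essid, mode, freq_ghz, level, noise, encrypted."""
    cells = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.search(line)
        if m:
            cells.append({"address": m.group(2).upper()})
            continue
        if not cells:
            continue                      # "Scan completed" banner before the first cell
        cur = cells[-1]
        if line.startswith("ESSID:"):
            cur["essid"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Mode:"):
            cur["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Frequency:"):
            cur["freq_ghz"] = float(re.search(r"([\d.]+)\s*GHz", line).group(1))
        elif line.startswith("Quality"):
            cur["level"] = int(LEVEL_RE.search(line).group(1))
            cur["noise"] = int(NOISE_RE.search(line).group(1))
        elif line.startswith("Encryption key:"):
            cur["encrypted"] = line.split(":", 1)[1].strip() == "on"
    return cells


def leakage_report(survey, our_essid=OUR_ESSID, usable_dbm=USABLE_DBM):
    """List (point, address, level) wherever our ESSID is at or above the usable level."""
    leaks = []
    for point, text in survey.items():
        for cell in parse_iwlist_scan(text):
            if cell.get("essid") == our_essid and cell.get("level", -999) >= usable_dbm:
                leaks.append((point, cell["address"], cell["level"]))
    return leaks


if __name__ == "__main__":
    # On a walk, capture `iwlist wlan0 scan` at each point and store the text by location.
    leaks = leakage_report(SURVEY)
    for point, address, level in leaks:
        print(f"{point}: {OUR_ESSID} ({address}) still usable at {level} dBm; "
              "lower the power, change the antenna, or move the access point")
    if not leaks:
        print("no leakage found above the usable threshold")
```

Keying the check on the ESSID rather than on signal alone keeps the neighbours’ cells out of the report; the parking-lot scan above produces one finding, the street scan none, because there the signal is already below the assumed usable level.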
Other than checking for leakage, you can monitor access points for unauthorized clients.
Checking for unauthorized users
Most access points allow you to view either the DHCP clients or the cache of MAC addresses. This is a good feature for a small network. You can review the cache from time to time to make sure that only your clients are using the access point. If you have only five clients, but you see six MAC addresses, then it just doesn’t add up. After you figure out the one that doesn’t belong, you can use MAC filtering to block that client.
For a large network, this feature is not very useful. Keeping track of all the MAC addresses in your organization is too difficult. As well, someone running a packet analyzer or sniffer could grab packets and get legitimate MAC addresses. A hacker could then use a MAC address changer like SMAC (www.klcconsulting.net/smac), which allows him to set the hardware or MAC address for any interface, say your wireless adapter or Ethernet network interface card (NIC). Figure 6-1 shows the SMAC interface. All you do is put in the hardware address you want and restart the system (or simply disable and re-enable your NIC). Your interface will have the new hardware address.
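The following added example (not code from the book) automates the small-network check described above: it reads an access point’s DHCP client table, normalizes the MAC addresses so that colon, dash, and case differences don’t hide a match, and reports any address that is not on your list. Because a copied address passes such a list, it also reports an address seen with more than one IP at the same time, which is how a cloned MAC tends to show up while the real owner is online. The client table and the known-address list are constructed; one address is the sample used with the ap parameter earlier in this chapter.

```python
"""Compare an access point's client table with the clients you know about."""
import re
from collections import defaultdict

# Constructed sample of a DHCP client table, in the shape a small access point's
# status page prints it. Not output from a real device.
CLIENT_TABLE = """\
Hostname      IP Address     MAC Address        Lease Expires
alice-laptop  192.168.1.10   00:60:1D:01:23:45  23:10:02
bob-pda       192.168.1.11   00:02:2d:8f:09:8d  22:58:41
printer       192.168.1.12   00-0C-29-3A-5B-6C  23:59:59
(none)        192.168.1.13   00:12:34:56:78:9A  23:44:17
alice-laptop  192.168.1.27   00:60:1D:01:23:45  23:12:55
"""

# The clients you issued; constructed, and written in the mixed styles people
# keep inventories in so that normalization matters.
KNOWN_MACS = {"00:60:1D:01:23:45", "00:02:2d:8f:09:8d", "00-0c-29-3a-5b-6c"}

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac):
    """Canonical AA:BB:CC:DD:EE:FF form so colon/dash and case differences don't hide a match."""
    return ":".join(part.upper() for part in re.split(r"[:-]", mac))


def parse_client_table(text):
    """Return [{'host', 'ip', 'mac'}] for every row that carries a MAC address."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue                      # header line (or blank)
        cols = line.split()
        rows.append({"host": cols[0], "ip": cols[1], "mac": normalize_mac(m.group(1))})
    return rows


def audit_clients(rows, known_macs):
    """Report MACs not on the known list, and MACs seen with more than one IP at once.

    The second check is a heuristic: a copied (spoofed) address passes the known
    list but tends to show up twice while the real owner is also online.
    """
    known = {normalize_mac(m) for m in known_macs}
    ips_by_mac = defaultdict(set)
    for row in rows:
        ips_by_mac[row["mac"]].add(row["ip"])
    unknown = sorted(mac for mac in ips_by_mac if mac not in known)
    duplicated = sorted(mac for mac, ips in ips_by_mac.items() if len(ips) > 1)
    return {"unknown": unknown, "duplicated": duplicated}


if __name__ == "__main__":
    result = audit_clients(parse_client_table(CLIENT_TABLE), KNOWN_MACS)
    for mac in result["unknown"]:
        print("not one of ours:", mac)
    for mac in result["duplicated"]:
        print("seen with several IPs at once (possible cloned address):", mac)
```

On the sample table the unknown address is the one to block with MAC filtering, as the chapter suggests; the duplicated one deserves a look rather than a filter, since filtering it would also cut off its legitimate owner.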
Figure 6-1: SMAC interface.
An organization can do any number of things to limit its exposure from the escaping radio waves. The controls are not really technical but rather commonsense. For example, you can change your antenna type.
Antenna type
When placing your access point, you must understand the radiation pattern of the antenna type you choose. The type of antenna you choose directly affects your network’s performance, as well as its security.
Before you purchase your antenna, try to obtain a sample radiation pattern.
Most antenna vendors supply the specifications for their equipment. You can see a representative radiation pattern and specification for a SuperPass 8 dBi 2.4 GHz antenna at www.superpass.com/SPDG16O.html. You can use the specification to determine how far a signal may travel from a particular antenna before becoming unusable; it’s just a matter of mathematics.
By understanding the radiation pattern of the antenna you choose, you can do RF signal shaping to “directionalize” the RF signals emitted from your access point. You could switch from an omnidirectional antenna to a semidirectional antenna to control the radiation pattern. Remember, not controlling your signal is equivalent to pulling your UTP cable to the parking lot and letting anyone use it.
Four basic types of antennas are commonly used in 802.11 wireless networks:
• Parabolic grid
• Yagi
• Dipole
• Omnidirectional
These are discussed in greater detail in the following sections. Figures 6-2 through 6-5 are simplistic depictions of the radiation patterns for the four types of antennae. Each antenna has a unique radiation pattern determined by its construction. We are limited by the print medium, so remember that the radiation pattern is three-dimensional. You may have trouble picturing this; picture a directional antenna as a conical pattern of coverage that radiates in the direction that you point the antenna, while an omnidirectional antenna’s pattern of coverage is shaped more like a doughnut around the antenna.
Parabolic grid
Parabolic grid antennae are primarily used for site-to-site applications. A parabolic grid antenna may look like a satellite TV dish or like a wire grid without a solid central core. The parabolic antenna is a unidirectional antenna, meaning that it transmits in one specific direction — the direction that you point the antenna. Figure 6-2 depicts the radiation pattern of a parabolic grid antenna.
Figure 6-2: Parabolic dish or grid antenna radiation pattern.
Yagi
A yagi antenna focuses the beam, but not as much as the parabolic antenna. It’s suitable for site-to-site applications in which the distance does not require a parabolic grid. Like the parabolic antenna, a yagi antenna is unidirectional. Figure 6-3 depicts the radiation pattern of a yagi antenna.
Figure 6-3: Yagi antenna radiation pattern.
Dipole
A dipole is a bidirectional antenna, hence the use of the suffix di-. You generally use a dipole antenna to support client connections rather than site-to-site applications. Figure 6-4 depicts the radiation pattern from the dipole antenna in two directions outward.
Figure 6-4: Dipole antenna radiation pattern.
Omnidirectional
An omnidirectional antenna is one that radiates in all directions, losing power as the distance increases. Figure 6-5 depicts the radiation pattern extending in all directions outward. Many wireless base stations come with a small omnidirectional antenna.
Figure 6-5: Omnidirectional antenna radiation pattern.
Adjusting your signal strength
If you find your signals are bleeding over beyond your perimeter, the first thing you need to do is to reduce the signal strength by adjusting the power settings on your access point. By doing this, you can do some cell sizing and cell shaping. Any access point not meant for the mass home market should allow you to tweak the power. Consider reducing the power of your access point to weaken the signal so that it travels a shorter distance and doesn’t go where you don’t want it. If you have a Cisco Aironet 340, for example, you can drop the power output from 30 mW to 5 mW.
If you adjust the power and the signal is still too strong, you need to introduce some loss through the use of an attenuator. You can pick up an attenuator at any good electronics store or find them on the Web. Coaxicom (www.coaxicom.com) is a good place to look for attenuators.
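The "matter of mathematics" mentioned under Antenna type and the power and attenuator adjustments above can be worked through with a link budget. The following is an added example, not code from the book: it uses the free-space path loss formula, which assumes an unobstructed line of sight and therefore gives the longest range the signal could reach (walls, people, and metal cut the real figure), and inverts it to find the cell edge. The inputs are assumptions chosen to match figures in this chapter: a 2.4 GHz access point with an 8 dBi antenna, a 2 dBi client antenna, -80 dBm as the weakest usable level, and the Cisco Aironet 340’s 30 mW and 5 mW settings.

```python
"""Link-budget estimate of how far an access point's signal stays usable."""
import math

SPEED_OF_LIGHT = 299_792_458.0   # metres per second


def mw_to_dbm(milliwatts):
    """dBm = 10 * log10(P / 1 mW): 1 mW is 0 dBm, 30 mW is about 14.8 dBm."""
    return 10.0 * math.log10(milliwatts)


def fspl_db(distance_m, freq_hz):
    """Free-space path loss: 20 log10(d) + 20 log10(f) + 20 log10(4 pi / c).

    Assumes an unobstructed line of sight, so it is a best case (longest range).
    """
    return (20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_hz)
            + 20.0 * math.log10(4.0 * math.pi / SPEED_OF_LIGHT))


def received_dbm(tx_mw, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz,
                 attenuator_db=0.0):
    """Received level: transmit power plus antenna gains, minus attenuator and path loss."""
    return (mw_to_dbm(tx_mw) + tx_gain_dbi + rx_gain_dbi
            - attenuator_db - fspl_db(distance_m, freq_hz))


def max_usable_range_m(tx_mw, tx_gain_dbi, rx_gain_dbi, threshold_dbm, freq_hz,
                       attenuator_db=0.0):
    """Distance at which the received level drops to threshold_dbm (the cell edge)."""
    loss_budget = (mw_to_dbm(tx_mw) + tx_gain_dbi + rx_gain_dbi
                   - attenuator_db - threshold_dbm)
    # Solve fspl_db(d, f) == loss_budget for d.
    log10_d = (loss_budget - 20.0 * math.log10(freq_hz)
               - 20.0 * math.log10(4.0 * math.pi / SPEED_OF_LIGHT)) / 20.0
    return 10.0 ** log10_d


def compare_power_settings(high_mw, low_mw, **link):
    """Cell radius at two power settings and the shrink factor between them.

    In free space the factor is sqrt(high_mw / low_mw): 30 mW -> 5 mW is about 2.45.
    """
    high = max_usable_range_m(high_mw, **link)
    low = max_usable_range_m(low_mw, **link)
    return high, low, high / low


if __name__ == "__main__":
    # Assumed link: 8 dBi AP antenna (as in the SuperPass example), 2 dBi client
    # antenna, 2.4 GHz, and -80 dBm as the weakest level a client can still use.
    link = dict(tx_gain_dbi=8.0, rx_gain_dbi=2.0, threshold_dbm=-80.0, freq_hz=2.4e9)
    high, low, factor = compare_power_settings(30.0, 5.0, **link)
    print(f"30 mW: cell edge at about {high:.0f} m;  5 mW: about {low:.0f} m "
          f"(factor {factor:.2f})")
    for att in (3.0, 6.0, 10.0):
        d = max_usable_range_m(30.0, attenuator_db=att, **link)
        print(f"30 mW with a {att:.0f} dB attenuator: about {d:.0f} m")
```

Two things worth noticing in the output: cutting power by a factor of six only shrinks the radius by the square root of six, because path loss grows with the square of distance, and an attenuator works the same way (6 dB of loss roughly halves the range). Substitute the measured levels from your perimeter walk for the free-space estimate once you have them; the formula tells you how much change to expect, the walk tells you what you actually got.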
Finally, if changing the antenna type or reducing the power doesn’t work, try something simple like moving the access point around your floor. If you have the antenna near an outside wall, the signal will likely seep outside the building. Moving it to an interior location may result in the signal being unusable outside the exterior wall. (You should have found this out when you did your site survey. If your organization did not perform a formal site survey, you might want to get a wireless networking book and read up on site surveys. Wireless Networks For Dummies (Wiley) provides everything you need to know to perform your site survey and discusses software to do RF prediction.) You can also change radiation patterns of your wireless network devices by changing the location of your access points and antennas in relation to large metal objects such as filing cabinets and metal doors. Because radio waves (especially very high frequencies and microwave signals) are easily reflected by metal objects, shadowing, blocking, and reflection of radio signals can be accomplished by the placement of your access points and antennas.