Hacking Wireless Clients - Getting Rolling with Common Wi-Fi Hacks - Hacking Wireless Networks (2015)

Hacking Wireless Networks (2015)

Part II

Getting Rolling

with Common

Wi-Fi Hacks

Chapter 7

Hacking Wireless Clients

In This Chapter

ᮣ Exploring what can happen when wireless clients are attacked

ᮣ Port scanning

ᮣ Understanding common vulnerabilities

ᮣ Undergoing basic Linux and Windows vulnerability tests

ᮣ Obtaining insecure WEP keys

ᮣ Implementing host-based defenses to help keep your network secure This book focuses mostly on attacks against wireless networks as a whole —

that is, 802.11-based attacks against encryption, authentication, and other protocol weaknesses. However, it’s important not to forget the reason we have and use networks in the first place — our client systems. When we say client systems, we mean workstations, servers, and even APs that are reachable across the wireless network. If wireless networks are accessible to unauthorized people outside your organization, a lot of information can be gleaned from wireless clients. Many hacks don’t even require the attacker to be authenticated to the client systems.

When you start poking around on your network, you may be surprised at how many of your wireless clients have security vulnerabilities and just what information they can reveal to attackers. That’s why performing security scans on your wireless clients can be so important: It can show you what the bad guys can see if they ever are able to break through your airwaves and gain access to your network hosts.

Think like a hacker — build a mental picture of what’s available to be hacked and determine methods to go about exploiting the vulnerabilities.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 98

98 Part II: Getting Rolling with Common Wi-Fi Hacks

This chapter shows you how to test for some common wireless-client vulnerabilities. We start with how to scope out wireless hosts on the network and then move on to vulnerabilities that are specific to wireless hosts. We also outline some practical countermeasures, so you can make sure that your systems are secure.

For an in-depth look at detailed vulnerabilities across various wireless client operating systems, e-mail, malware, and more, be sure to check out Kevin’s book Hacking For Dummies (Wiley).

What Can Happen

If your wireless systems are breached and a hacker is able to obtain access to your internal computers, several bad things can happen. First off, the attacker can gather information about your systems and their configuration, which can lead to further attacks. Such information includes: ߜ Open ports and available services

ߜ Weak passwords

ߜ WEP keys that are stored locally and not properly secured ߜ Acceptable usage policies and banner page information

ߜ Operating system, application, and firmware versions returned via banners, error messages, or unique system fingerprints

ߜ Operating system and application configuration information The exposure of this information can lead to bigger problems such as: ߜ Leakage of confidential information, including files being copied and private information such as social security numbers and credit-card numbers being stolen

ߜ Passwords being cracked and used to carry out other attacks ߜ Servers being shut down, rebooted, or taken completely offline ߜ Entire databases being copied, corrupted, or deleted

If you discover a surprising number of vulnerabilities in your wireless APs, workstations, and servers (and you likely will), don’t panic. Start by addressing the issues with your most critical systems that will give you the highest payoff once secured.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 99

Chapter 7: Hacking Wireless Clients

99

Although wireless networks are used as a niche solution for many organizations, others are completely dependent on them for all their network connectivity. Either way, wireless networks can serve as an entry point to your workstations, servers, and other wired systems. Therefore, if your wireless client security vulnerabilities aren’t addressed and managed properly, they can pose unnecessary risks to the entire network and organization.

Probing for Pleasure

There’s a method to the madness of ethical hacking, and testing wireless client security is no different. This involves the ethical hacking steps we discussed in Chapter 3:

ߜ Gathering public information such as domain names and IP addresses that can serve as a good starting point

ߜ Mapping your network to get a general idea of the layout ߜ Scanning your systems to see which devices are active and communicating

ߜ Determining what services are running

ߜ Looking for specific vulnerabilities

ߜ Penetrating the system to finish things off

These steps are discussed in greater detail in the sections that follow.

Even without poking and prodding your wireless systems further, you may already have vulnerabilities, so don’t discount what you’ve found just because you’ve gotten this far in the ethical-hacking process. This includes vulnerabilities such as default SSIDs, WEP not being enabled, and critical servers being accessible through the wireless network.

Port scanning

A port scanner is a software tool that scans the network to see who is accessing the network and what applications are running. Using a port scanner can help you identify the following:

ߜ Active hosts on the network

ߜ IP addresses of the hosts discovered

13_597302_ch07.qxd 8/4/05 7:02 PM Page 100

100 Part II: Getting Rolling with Common Wi-Fi Hacks

ߜ MAC addresses of the hosts found

ߜ Services or applications that the hosts may be running ߜ Unauthorized hosts or applications

The big-picture view from port scanners often uncovers security issues that may otherwise go unnoticed. Port scanners are easy to use and can test systems regardless of what operating systems and applications are running. The tests can be performed very quickly without having to touch individual network hosts, which would be a real pain otherwise.

A good way to get a quick overview of which systems are alive and kicking on the network is to perform a ping sweep. A ping sweep is when you send out ping requests (that is, ICMP echo requests) and see if echo replies are received back. Free port scanner programs such as Foundstone’s SuperScan (www.foundstone.com/resources/proddesc/superscan.htm) and SoftPerfect’s Network Scanner (www.softperfect.com/products/network scanner), as shown in Figure 7-1, often have ping sweep capabilities built in, and are all you need to get started.

Figure 7-1:

Using

SoftPerfect’s

Network

Scanner to

find live

wireless

hosts.

Network Scanner also performs ARP lookups and displays each host’s MAC

address. This capability is especially handy when testing wireless network security — practically every other tool refers to wireless hosts by their MAC

address (or BSSID). The MAC address enables you to easily match up systems you find using NetStumbler, Kismet, or your favorite wireless sniffer with their actual hostnames and IP addresses without having to perform cumbersome reverse-ARP lookups.

Looking for open ports to see what’s listening and running on each system is also important. SuperScan is a great tool to use for this because it’s easy to use, and it’s free! Kevin’s partial to SuperScan version 3, as shown in Figure 7-2, because he’s been using it for so long, and it simply works.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 101

Chapter 7: Hacking Wireless Clients

101

Figure 7-2:

Using

Found-

stone’s

SuperScan

to probe

wireless

systems for

open ports.

When performing your network scans, be sure to look for commonly hacked ports, such as those in Table 7-1. Hackers look for these ports, too.

Table 7-1

Commonly Hacked Wireless Network Ports

Port Numbers

Service

Protocols

20

FTP data (File Transfer Protocol)

TCP

21 FTP

control

TCP

22

SSH

TCP

23

Telnet

TCP

25

SMTP (Simple Mail Transfer Protocol)

TCP

53

DNS (Domain Name System)

UDP

80

HTTP (HyperText Transfer Protocol)

TCP

(continued)

13_597302_ch07.qxd 8/4/05 7:02 PM Page 102

102 Part II: Getting Rolling with Common Wi-Fi Hacks

Table 7-1 (continued)

Port Numbers

Service

Protocols

110

POP3 (Post Office Protocol version 3)

TCP

135

RPC/DCE end point mapper for

TCP, UDP

Microsoft networks

137, 138, 139

NetBIOS over TCP/IP

TCP, UDP

161

SNMP (Simple Network

TCP, UDP

Management Protocol)

443

HTTPS (HTTP over SSL)

TCP

512, 513, 514

Berkeley r commands (such

TCP

as rsh, rexec, and rlogin)

1433

Microsoft SQL Server

TCP, UDP

1434

Microsoft SQL Monitor

TCP, UDP

3389

Windows Terminal Server

TCP

Notice in Figure 7-2 that TCP port 22 (SSH) is open on host 10.11.12.154, which is the access point (AP) on the network. To find out if it’s an AP, you can run a NetStumbler, Wellenreiter, or another wireless discovery tool and match the MAC address found there with what Network Scanner finds.

After performing a generic sweep of the network, you can dig deeper into specific hosts you’ve found. Hmmmm — perhaps a few SSH login attempts on the AP in Figure 7-2 above could get us somewhere?

Using VPNMonitor

A common security measure used to protect wireless data in transit — above and beyond WEP — is to use a Virtual Private Network (VPN). If you installed or manage the VPNs in your organization, you probably know which clients are using them. Then again, if your network is fairly complex, you may not. A free tool you can use to discover whether or not VPNs are being used where they’re supposed to be — and thus, whether or not policy is being adhered to — is VPNMonitor (http://sourceforge.net/projects/vpnmonitor).

VPNMonitor sniffs the network and looks for specific signatures belonging to IPsec, PPTP, SSH, and HTTPS traffic. Figure 7-3 shows a basic capture of some VPN traffic, including an SSH connection to the AP at 10.11.12.154, which is denoted by a red line in VPNMonitor.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 103

Chapter 7: Hacking Wireless Clients

103

Figure 7-3:

Using

VPNMonitor

to look for

VPN traffic

on the

network.

Wireless networks use a shared communications medium, so it’s trivial to capture this type of traffic off the airwaves. However, if you’d like to use VPNMonitor to check for VPN traffic going across your wired network, you can either plug in to a monitor or span port on an Ethernet switch or use a tool such as Ettercap to perform ARP poisoning to make your switch(es) act like a hub. Just be careful because a tool such as Ettercap can take your entire network down if your switch is overly sensitive to ARP poisoning. We cover Ettercap and ARP poisoning in Chapter 12.

Looking for General Client Vulnerabilities

After you find out which wireless systems are alive on your network, you can take your testing a step further and see which vulnerabilities really stand out.

There are various freeware, open source, and commercial tools to help you along with your efforts including:

ߜ LanSpy (www.lantricks.com): LanSpy is a Windows-based freeware tool for enumerating Windows systems.

ߜ Amap (http://thc.org/thc-amap): Amap is an open source Linux-and Windows-based application mapping tool.

ߜ Nessus (www.nessus.org): This is an open source network and OS vulnerability-assessment tool that runs on Linux and Windows.

ߜ GFI LANguard Network Security Scanner (www.gfi.com/lannetscan): This is a Windows-based commercial tool for performing network and OS vulnerability assessments.

ߜ QualysGuard (www.qualys.com): QualysGuard is an application service, provider-based commercial tool for performing network and OS

vulnerability assessments.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 104

104 Part II: Getting Rolling with Common Wi-Fi Hacks

Keep in mind that you’ll need more than one security-testing tool. No single tool can do everything.

The presence of these vulnerabilities is why it’s so important to run personal firewall and IPS software, such as BlackICE for Windows (http://blackice.

iss.net) and GNOME-Lokkit (www.gnome.org), for Linux systems.

Again, we want to remind you that the tests and vulnerabilities we outline here are just the tip of the iceberg, so check out Hacking For Dummies for more details.

Common AP weaknesses

Your wireless APs are wireless clients with operating systems and insecure programs just like any other computer. One of the best ways to check for AP

vulnerabilities is to use an all-in-one vulnerability-assessment program, such as Nessus, LANguard Network Security Scanner, or QualysGuard. (QualysGuard is shown in Figure 7-4.)

Figure 7-4:

Using

Qualys-

Guard to dig

out vulnera-

bilities in a

Cisco AP.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 105

Chapter 7: Hacking Wireless Clients

105

Notice in Figure 7-4 how the AP contains common vulnerabilities such as: ߜ SNMP issues (Vulnerabilities section)

ߜ Weak version of SSH (Potential Vulnerabilities section) ߜ Open UDP and TCP services (Information Gathered section) ߜ SSH banner information (Information Gathered section)

Many of these vulnerabilities are not critical, but at least these vulnerabilities need to be addressed because they can likely lead to further AP and network compromise.

Linux application mapping

When it comes to Linux client security, a common attack is against applications with known security vulnerabilities. These applications include FTP, telnet, sendmail, and Apache. Vulnerabilites in these applications can be determined through application mapping. A nice — and regularly maintained — tool you can use for application mapping is Amap.

Amap is a very fast application scanner that can grab banners that include version information and even can detect applications that are configured to run on nonstandard ports, such as when Apache is running on port 1711

instead of its default 80. The output of an Amap scan run against a local host is shown in Figure 7-5.

Figure 7-5:

Using Amap

to check

application

versions.

Notice that SSH, telnet, and FTP servers were discovered. As is the case here, by perusing the support sites of the applications you discover with Amap, you’ll likely find that they’ve been updated with newer versions to fix various security problems.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 106

106 Part II: Getting Rolling with Common Wi-Fi Hacks

Windows null sessions

A well-known vulnerability within Windows can map an anonymous connection (null session) to a hidden share called IPC$ (interprocess communication). This attack method can be used to gather Windows information such as user IDs and share names and even allow an attacker to edit parts of the remote computer’s registry.

Windows XP and Server 2003 don’t allow null session connections by default, but Windows 2000 and NT systems do, so to protect yourself don’t forget to test all your wireless clients.

Mapping

To map a null session, follow these steps for each Windows computer to which you want to map a null session:

1. At a command prompt from your test computer, enter the following command. Format the basic net command like this:

net use \\host_name_or_IP_address\ipc$ “” “/user:”

The net command to map null sessions requires these parameters:

• net (the built-in Windows network command) followed by the use command

• IP address of the system to which you want to map a null connection

• A blank password and username

The blanks are why it’s called a null connection.

2. Press Enter to make the connection.

Figure 7-6 shows an example of the complete command when mapping a null session. After you map the null session, you should see the message The command completed successfully.

Figure 7-6:

Mapping

a null

session to a

Windows

2000 server.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 107

Chapter 7: Hacking Wireless Clients

107

To confirm that the sessions are mapped, enter this command at the command prompt:

net use

As shown in Figure 7-6, you should see the mappings to the IPC$ share on each computer to which you successfully made a null session connection.

Gleaning information

With a null session connection, you can use other utilities to remotely gather critical Windows information. Dozens of tools can gather this type of information. You — like a hacker — can take the output of these enumeration programs and attempt (as an unauthorized user) to try to glean information in the following manners:

ߜ Cracking the passwords of the users found. Be sure to check out Hacking For Dummies for a detailed look at password attacks. This chapter can also be downloaded for free at http://searchsecurity.tech target.com/searchSecurity/downloads/HackingforDummiesCh07.

pdf.

ߜ Mapping drives to the network shares to gain access to files, databases, and more.

You can use Foundstone’s SuperScan version 4 to perform automated null session connections and Windows system enumeration as shown in Figure 7-7.

Foundstone’s SuperScan version 4 can be found at www.foundstone.com/

resources/proddesc/superscan.htm.

Keep in mind that Windows XP and Server 2003 are much more secure than their predecessors against such system enumeration vulnerabilities and null session attacks. If such systems are in their default configuration, it should be secure; however, you should still perform these tests against your Windows XP and Server 2003 systems to be sure.

Snooping for Windows shares

Windows shares — the available network drives that show up when browsing the network in My Network Places — are often misconfigured, allowing more people to have access to them than necessary. How this works (that is, the default share permission) depends on the Windows system version, as follows:

13_597302_ch07.qxd 8/4/05 7:02 PM Page 108

108 Part II: Getting Rolling with Common Wi-Fi Hacks

ߜ Windows NT and 2000: When creating shares, the group Everyone is given Full Control access in the share by default for all files to browse, read, and write files. Anyone who maps to the IPC$ connection with a null session is automatically made part of the Everyone group! This means that remote hackers can automatically gain browse, read, and write access to a Windows NT or 2000 server if they establish a null session.

ߜ Windows XP and 2003 Server: The Everyone group is given only Read access to shares. This is definitely an improvement over the defaults in Windows 2000 and NT, but it’s not the best setting for the utmost security. You may not even want the Everyone group to have Read access to a share.

Tools such as Legion (http://packetstormsecurity.nl/groups/rhino9/

legionv21.zip), LanSpy, and LANguard Network Security Scanner can enumerate shares on Windows systems. Imagine the fun a hacker could have with the shares found in the results shown in Figure 7-8!

Figure 7-7:

Using

Super-

Scan to

auto-

matically

create a null

session and

enumerate

a Windows

host.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 109

Chapter 7: Hacking Wireless Clients

109

Figure 7-8:

Using

LANguard

Network

Security

Scanner to

find shares

on a remote

Windows

system.

Ferreting Out WEP Keys

Many client vulnerabilities are specific to wireless networks. Standard security tools aren’t likely to discover such vulnerabilities. To find these weaknesses, you can use hacking tools that have been created to look for wireless-network vulnerabilities. We discuss such tools below.

Some wireless-specific vulnerabilities require physical access to the computer.

It’s easy to become complacent and believe that wireless clients are safe because of this physical security requirement, but laptops are lost and stolen quite often, so it’s not unreasonable to believe this could occur — especially if users don’t report their wireless NICs or laptops stolen. Some vulnerabilities, such as the ORiNOCO WEP key vulnerability, can be exploited by an attacker connecting to the remote computer’s registry!

One serious vulnerability affects wireless clients who use the ORiNOCO wireless card. Older versions of the ORiNOCO Client Manager software stores encrypted WEP keys in the Windows registry — even for multiple networks —

as shown in Figure 7-9.

You can crack the key by using the Lucent ORiNOCO Registry Encryption/

Decryption program found at www.cqure.net/tools.jsp?id=3. Make sure that you use the -d command line switch and put quotes around the encrypted key, as shown in Figure 7-10. This program comes in handy if you forget your key, but it can also be used against you.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 110

110 Part II: Getting Rolling with Common Wi-Fi Hacks

Figure 7-9:

Encrypted

WEP key

of an

ORiNOCO

wireless

card stored

in the

Windows

Registry.

Figure 7-10:

Cracking a

WEP key

stored in the

Windows

registry with

the Lucent

ORiNOCO

Registry

Encryption/

Decryption

program.

If hackers are able to gain remote access to a wireless client through the Connect Network Registry in the Windows Registry editing tool, regedit, they can obtain these keys, crack them, and be on your network in a jiffy.

Wireless NICs from Dell, Intel, and others have all been affected by WEP key storage vulnerabilities — some of which not only store WEP keys in the Windows registry but also store them in plain text!

To find other wireless-specific client vulnerabilities, enter WEP into the following vulnerability search engines and compare the results to the wireless hardware and software you may be running.

ߜ US-CERT Vulnerability Notes Database (www.kb.cert.org/vuls) ߜ NIST ICAT Metabase (http://icat.nist.gov/icat.cfm)

ߜ Common Vulnerabilities and Exposures (http://cve.mitre.org/cve) Although most of these vulnerabilities are a few years old, you just may find a few weaknesses you weren’t expecting.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 111

Chapter 7: Hacking Wireless Clients

111

Wireless Client Countermeasures

Securing all your wireless clients can be quite a task, but you can do some things to keep your systems secure without having to spend a lot of money or effort. At a minimum, ensure the following countermeasures are in place: ߜ Secure your Linux and Windows operating systems.

You can find a ton of great Internet resources for doing this including:

• The Center for Internet Security Benchmark and Scoring Tool for Linux (www.cisecurity.org/bench_linux.html)

• SANS Securing Linux-A Survival Guide for Linux Security (https://store.sans.org/store_item.php?item=83)

• Bastille Linux (www.bastille-linux.org)

• The Center for Internet Security Benchmark and Scoring Tool for Windows 2000, XP, and 2003 (www.cisecurity.org/bench_win 2000.html)

• SANS Securing Windows 2000: Step-by-Step (https://store.

sans.org/store_item.php?item=22)

• Microsoft Threats and Countermeasures Guide (www.microsoft.

com/technet/Security/topics/hardsys/tcg/tcgch00.mspx)

Also, check out Hacking For Dummies and Network Security For Dummies for good information on this subject.

ߜ Prevent null sessions. You can

• Upgrade your Windows operating systems to XP and Server 2003.

• Block NetBIOS by preventing TCP ports 139 and 445 from passing through your firewall(s).

• Disable File and Print Sharing for Microsoft Networks in the Properties tab of the machine’s network connection.

• Create a new DWORD registry key in HKEY_LOCAL_MACHINE\

SYSTEM\CurrentControlSet\Control\LSA called Restrict-

Anonymous=1 in the registry for your Windows NT and 2000

systems or setting Do Not Allow Enumeration of SAM Accounts and Shares or No Access without Explicit Anonymous Permissions in the local security policy or group policy.

13_597302_ch07.qxd 8/4/05 7:02 PM Page 112

112 Part II: Getting Rolling with Common Wi-Fi Hacks

The No Access without Explicit Anonymous Permissions security setting is not without drawbacks. High security creates problems for domain controller communication and network browsing and the high security setting isn’t available in Windows NT.

ߜ Install (and require) personal firewall software for every wireless computer.

ߜ Disable unnecessary services and protocols on your APs.

ߜ Apply the latest firmware patches for your APs and wireless NICs as well as for your client management software.

ߜ Regularly perform vulnerability assessments on your wireless workstations as well as your other network hosts.

ߜ Apply the latest vendor security patches and enforce strong user passwords.

ߜ Use antivirus software and antispyware software.

14_597302_ch08.qxd 8/4/05 7:04 PM Page 113