Hacking Wireless Networks (2015)
Part II
Getting Rolling
with Common
Wi-Fi Hacks
Chapter 8
Discovering Default Settings
In This Chapter
ᮣ Collecting information using a sniffer
ᮣ Grabbing and cracking passwords
ᮣ Gathering IP addresses
ᮣ Gathering SSIDs
ᮣ Protecting yourself
Afirst step in testing your wireless network is to glean as much information as you can from “normal” operations. This chapter will introduce you to tools that you can use to look for default settings, sniff traffic, grab passwords, find IP addresses, and discern SSIDs. All information that you can use to further test the security of your wireless network.
Collecting Information
Because your data is traversing the air, anyone with the right tools can sniff the data. In Chapter 2, we introduced you to network or packet analyzers, popularly named sniffers. When it comes to sniffers, you can spend money and buy tools like AiroPeek or CommView for WiFi, or you can save your coin and use some of the excellent free tools exemplified by AirTraf or Ethereal. The next few sections discuss these tools and more.
Are you for Ethereal?
Ethereal, released under the open source license, has many features and compares favorably with commercial products. It works on the UNIX/Linux and Windows platforms, but you must have a pcap library installed. So you may even want to use the tool set in your production environment. Ethereal allows you to capture data from a wired or wireless network. For example, with Ethereal you can read data from IEEE 802.11, Ethernet, Token-Ring, FDDI, and PPP. Not only does it support those media, but it supports 683 protocols. For instance, it can decode 802.11 MGT, 802.11 Radiotap, ARP/RARP, AVS WLAN-CAP, BER, BOOTP/DHCP, CDP, DNS, DOCSIS, EAP, EAPOL, ECHO, Ethernet, 14_597302_ch08.qxd 8/4/05 7:04 PM Page 114
114 Part II: Getting Rolling with Common Wi-Fi Hacks
GNUTELLA, GSS-API, HTTP, ICMP, ICQ, IEEE 802.11, IMAP, IP, IRC, ISAKMP, ISDN, KRB5, L2TP, LANMAN, LDAP, LLC,, LSA, LWAPP, LWAPP-CNTL, LWAPP-L3, LWRES, MAPI, NFS, PKCS-1, POP, PPP, PPTP, RPC_NETLOGON, RRAS, RSH, SMB_NETLOGON, SNA, SSH, SSL, Socks, TACACS, TACACS+, TCP, TELNET, TFTP, UDP, VNC, X509AF, X509CE, X509IF, and X509SAT. Fortunately, you can save, print, or filter data.
UNIX/Linux users need the GIMP Toolkit (GTK) for the user interface, whereas the GTK DLLs come bundled with the Windows binary.
You also can use Ethereal as a graphical front-end for packet-capture programs such as Sniffer, tcpdump, WinDump, and many other freeware and commercial packet analyzers.
To use Ethereal on a previously created file, you type tcpdump –w capture.dump (or WinDump should you wish).
Ethereal is available from www.ethereal.com.
This is AirTraf control, you
are cleared to sniff
AirTraf was one of the first wireless 802.11b network analyzers. As a wireless sniffer it is a good tool, but does not support wired networks like Ethereal does. It is a passive packet-sniffing tool — it captures and tracks all wireless activity in the coverage area, decodes the frames, and stores the acquired information. AirTraf can record packet count, byte information, related bandwidth, as well as the signal strength of the nodes. You can also run AirTraf in Server Mode, which allows you to have one system that periodically polls other stations to retrieve active wireless data. This is beneficial when you have a large area you want to analyze. You can place AirTraf network analyzers throughout your organization. In this manner, you can consolidate wireless information for your entire organization into a single data store.
AirTraf is Linux open source, and distributed under the GPL license. It is compatible with the 2.4. x series of kernels. AirTraf works only with a limited number of wireless adapters. Check the AirTraf Web site to make sure it works with yours.
You can find the freeware AirTraf at http://airtraf.sourceforge.net/.
Let me AiroPeek at your data
AiroPeek NX is a Windows-based wireless sniffer that offers some enhanced capabilities, including the ability to detect rogue access, risky device 14_597302_ch08.qxd 8/4/05 7:04 PM Page 115
Chapter 8: Discovering Default Settings
115
configurations, Denial-of-Service attacks, Man-in-the-Middle attacks, and intrusions. We have used AiroPeek and highly recommend it. There is one drawback to AiroPeek: It is a commercial product. However, after you use it we think you’ll agree that it is money well spent. This is one tool we would recommend that you spend your hard-earned money on if you’re going to do more than one ethical hack.
AiroPeek NX comes with a Security Audit Template that creates a capture window and then triggers a notification when any packet matches a specifically designed security filter. This allows the administrator to search for applications like Telnet and access points that use default — therefore not secure — configurations.
If you are using Network Authentication with protocols such as Telnet and FTP, you can use AiroPeek to look for failed authentications. These failures might represent an attempted access by an unauthorized person. Once you start to look at the data you are collecting, you can dream up all sorts of similar tests using a sniffer or packet analyzer.
You can find AiroPeek NX at www.wildpackets.com.
Another CommView of your data
Another wireless sniffer is CommView for WiFi, which is specific to wireless networks and offers many capabilities besides packet sniffing, such as statistical analysis. By doing statistical analysis, you might find a pattern of unauthorized usage. CommView allows you to grab frames, store the information, and analyze it. CommView for WiFi is a commercial product. You’ll find it’s not as expensive as AiroPeek but (obviously) more costly than the free Gulpit and Ethereal programs.
When CommView for WiFi is running on your machine, it places your wireless adaptor in passive mode. Your wireless interface can only capture all the packets when it is in passive mode. You will find the installation fairly straightforward since it uses the Windows installer process. Once you install it, you will find many options as shown in Figure 8-1.
You can find Tamosoft CommView for WiFi at www.tamos.com/products/
commview/.
You cannot obtain data from an access point using WEP or WPA unless you have the appropriate key. You can add key information to CommView for WiFi by selecting Settings➪WEP/WPA Keys and then entering the keys in the areas provided.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 116
116 Part II: Getting Rolling with Common Wi-Fi Hacks
Start icon
Figure 8-1:
Viewing the
CommView
for WiFi
main menu.
To start using all the tabs shown in Figure 8-1, you need to begin capturing packets so you can obtain some actual data. After you identify and input the proper keys, you need to start the capture process. Simply follow these steps: 1. Start the CommView program.
2. Click the Start icon.
Alternatively, select File➪Start.
3. From the Scanner section that appears in the new window, click on Start Scanning.
The program will start scanning all channels for wireless signals and display them under the Access Points and Hosts section.
4. Select one of the networks displayed to produce details about that network under the term Details.
The Details are shown in Figure 8-2.
5. Choose one of the networks and click the Capture button.
CommView begins to capture packets.
6. To view the current bandwidth load for a network, Select View➪Statistics.
7. To run a report, use the Report tab and select either HTML format or comma-delimited format.
This report provides a report on overall performance of your network.
8. Select File➪Stop Capture to shut down CommView.
Look through the frames you gather for potentially useful information such as login frames.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 117
Chapter 8: Discovering Default Settings
117
Figure 8-2:
Viewing the
CommView
for WiFi
Scanner
page.
Gulpit
Gulpit is based on Trinux and does not require an operating system. You don’t even really need a hard drive to use it. Gulpit boots from a CD-ROM
(of course, you must set up your BIOS to boot from your CD-ROM first).
Gulpit is released as open source.
Gulpit will turn your laptop with an ORiNOCO 802.11b wireless card (or any OEM clones such as Agere and Proxim) into a packet sniffer for your wired and wireless networks. Gulpit is a packet gulper. A packet gulper is nothing more than a really good packet sniffer. Packet sniffers read essentially all the information and control structures on a wired or wireless network.
You will find that only certain cards support radio-monitor mode. ORiNOCO
cards obviously work. You’ll find that Prism II cards generally work. Cards that do not support radio monitor mode will work with tcpdump and tethe real but not Kismet. You can read the Gulpit documentation to find out what wireless cards it does support.
It sniffs Ethernet frames as well as wireless 802.11b frames. The wireless frames are sniffed in the radio monitor mode so you see just about all the traffic on the air regardless of its protocol.
Starting Gulpit is as easy as the following steps.
1. Open your laptop CD-ROM bay.
2. Power down Windows or Linux or whatever operating system you are using.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 118
118 Part II: Getting Rolling with Common Wi-Fi Hacks
3. Insert the Gulpit CD-ROM into the drive and close it.
4. Power up the computer and watch Gulpit boot.
If this is the first time you have used Gulpit, interrupt the boot process and enter the BIOS set-up program. Make sure that your system will boot from the CD-ROM before the hard drive and disable your floppy controller when it is enabled. Obviously the exact method for doing this depends on your hardware manufacturer and the BIOS you are using, but look at the screen and follow the instructions to enter the set-up program. Once set, you won’t need to do this again.
You must disable your floppy in your BIOS settings to use Gulpit.
5. You will see a Gulpit splash screen with license and credit information.
Gulpit will then pause temporarily at a boot: prompt. Hit Return (or Enter) at this time — or just wait a few seconds and Gulpit will continue on its own.
Whenever you want to use Gulpit, just put the disc in the drive and turn on the power. When you’re finished with Gulpit, remove the Gulpit CD-ROM and reboot. Your system will boot whatever operating system from your hard drive (assuming you have set it up that way).
Gulpit installs itself and a complete Linux 2.4.5 kernel on a ramdisk and executes in RAM. Gulpit has complete PCMCIA support and is ideally run on a laptop computer. Gulpit will not make a mark on your hard drive unless you want to store data there. In that case, Gulpit has support for fat, ntfs (read-only) and vfat as well as minix and ext2 file systems.
Gulpit has three tools for packet sniffing. Each one has its own capabilities and limitations:
ߜ Kismet: Gulpit is set up to start Kismet automatically in “radio monitor”
and frequency hopping mode. This will log all the traffic from nearby transmitters. If you don’t want to start Kismet, or you wish to operate Kismet in the single channel mode, just hit ctrl-C as the boot process completes and as Kismet starts. This will cleanly shut down Kismet. You can learn more about Kismet in Chapter 10.
ߜ Tethereal: Tethereal collects and decodes a multitude of protocols.
Tethereal is the curses (text based) version of Ethereal. Tethereal supports packet capture in the radio monitor mode. Tethereal will sniff wireless as well as wired packets. Ethereal has a nice graphical display for tethereal and Ethereal collected packets as well as those collected by tcpdump and Kismet.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 119
Chapter 8: Discovering Default Settings
119
ߜ Tcpdump: Tcpdump also collects and decodes a multitude of protocols.
It is basically like Tethereal but does not work with wireless networks because it does not work in radio monitor mode.
You can find Gulpit at www.crak.com/gulpit.htm.
The developer of Gulpit recommends you check out Auditor Linux at http://new.remote-exploit.org/index.php/Auditor_main or
download it from http://mirror.switch.ch/ftp/mirror/auditor/
auditor-120305-01.iso.zip. Auditor is also a bootable version of Linux with many of the wireless tools built in.
That’s Mognet not magnet
Mognet is a simple, lightweight 802.11b sniffer written in Java and available under the GNU Public License (GPL). It was designed for handheld devices like the iPAQ, but will run on a desktop or laptop. Mognet features real-time capture output, support for all 802.11b generic and frame-specific headers, easy display of frame contents in hexadecimal or ASCII, text mode capture for GUI-less devices, and loading/saving capture sessions in libpcap format.
You can find Mognet at www.l0t3k.net/tools/Wireless/Mognet-1.16.
tar.gz.
Other analyzers
Not fond of any of the programs discussed so far, well don’t despair. There are plenty of alternatives. Following is a list of wireless packet analyzers: ߜ AirMagnet (www.airmagnet.com/): Commercial product ߜ AirScanner Mobile Sniffer (http://airscanner.com/downloads/
sniffer/sniffer.html): Freeware product
ߜ Capsa (www.colasoft.com/products/capsa/index.php?id=75430g): Commercial product
ߜ CENiffer (www.epiphan.com/products_ceniffer.html): Commercial product
ߜ KisMAC (www.binaervarianz.de/projekte/programmieren/
kismac/): Freeware product
ߜ Kismet (www.kismetwireless.net/): Freeware product 14_597302_ch08.qxd 8/4/05 7:04 PM Page 120
120 Part II: Getting Rolling with Common Wi-Fi Hacks
ߜ LANfielder (www.wirelessvalley.com/): Commercial product ߜ LinkFerret (www.baseband.com/): Commercial product ߜ ngrep (www.remoteassessment.com/?op=pub_archive_search& query=wireless): Freeware product
ߜ Observer (www.networkinstruments.com/): Commercial product ߜ Packetyzer (www.networkchemistry.com/): Commercial product ߜ Sniffer Netasyst (www.sniffer-netasyst.com/): Commercial product ߜ Sniffer Wireless (www.networkgeneral.com/Products_details.
aspx?PrdId=20046178370181): Commercial product
ߜ SoftPerfect Network Protocol Analyzer (www.softperfect.com/
products/networksniffer/): Commercial product
Should you not find anything above, again don’t despair because you can find information about wireless sniffers at either www.personaltelco.net/
index.cgi/WirelessSniffers, www.winnetmag.com/Files/25953/
25953.pdf, or www.blacksheepnetworks.com/security/resources/
wireless-sniffers.html.
Cracking Passwords
After you are connected at Layer 2, you’ll want to sniff some passwords and crack them. There are lots of wonderful tools to do this, and we have selected two of the better ones for you: Cain & Abel, a.k.a. Cain and dsniff.
Using Cain & Abel
Cain & Abel is a freeware password recovery tool that runs on a Microsoft platform. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. This tool covers some security weaknesses present in the protocols, authentication methods and caching mechanisms.
Cain & Abel was developed for network administrators, security consultants or professionals, forensic staff, security-software vendors, and professional penetration testers.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 121
Chapter 8: Discovering Default Settings
121
Should you use Cain & Abel, be very careful. First, you should understand that when using a password cracker, you may violate any number of wiretapping laws or put your organization in a precarious position. If you know passwords are weak and you don’t immediately change them, you might have difficulty proving due diligence in a court of law. So ensure that you are on the right side of the law before you touch a key. Second, there is the remote possibility that you could cause damage or the loss of data when using this software or similar tools. These tools intercept packets and may damage these packets. Ensure that you know how the tool works and what it could do — and that good recent backups of system data exist.
The latest version is faster and contains a lot of new features like APR (ARP
Poison Routing) that facilitates the sniffing of switched LANs and Man-in-the-Middle attacks. You can use Cain to analyze encrypted protocols such as SSH-1
and HTTPS and to capture credentials from a wide range of authentication mechanisms. It also provides routing protocols authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calcula-tors, cryptanalysis attacks, password decoders, and some not so common utilities related to network and system security. This is indeed the Swiss Army knife for password crackers. Figure 8-3 shows the main window of Cain.
Figure 8-3:
Cain main
window.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 122
122 Part II: Getting Rolling with Common Wi-Fi Hacks
Cain & Abel is actually two different programs. Cain has the following features:
ߜ Protected Storage Password Manager: Reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer, and MSN Explorer.
ߜ Credential Manager Password Decoder: Reveals passwords stored in Enterprise and Local Credential Sets on Windows XP/2003.
ߜ LSA Secrets Dumper: Dumps the contents of the Local Security Authority Secrets.
ߜ Dialup Password Decoder: Reveals passwords stored by Windows “Dial-Up Networking” component.
ߜ APR (ARP Poison Routing): Enables sniffing on switched networks and Man-in-the-Middle attacks.
ߜ Route Table Manager: Provides the same functionality of the Windows tool route.exe with a GUI front-end.
ߜ SID Scanner: Extracts usernames associated with Security Identifiers (SIDs) on a remote system.
ߜ Network Enumerator: Retrieves, where possible, the user names, groups, shares, and services running on a machine.
ߜ Service Manager: Allows you to stop, start, pause, continue, or remove a service.
ߜ Sniffer: Captures passwords, hashes, and authentication information during transmission on the network. Includes several filters for application specific authentications and routing protocols. The VoIP filter enables the capture of voice conversations transmitted with the SIP/RTP
protocol saved later as WAV files.
ߜ Routing Protocol Monitors: Monitors messages from various routing protocols (HSRP, VRRP, RIPv1, RIPv2, EIGRP, OSPF) to capture authentications and shared route tables.
ߜ Full SSH-1 sessions sniffer for APR (APR-SSH-1): Allows you to capture all data sent in a HTTPS session on the network.
ߜ Full HTTPS sessions sniffer for APR (APR-HTTPS): Allows you to capture all data sent in a HTTPS session on the network.
ߜ Certificates Collector: Grabs certificates from HTTPS Web sites and prepares them for use by APR-HTTPS.
ߜ MAC Address Scanner with OUI fingerprint: Using OUI fingerprint, makes an informed guess about the device based on the MAC address.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 123
Chapter 8: Discovering Default Settings
123
ߜ Promiscuous-mode Scanner based on ARP packets: Identifies sniffers and network intrusion detection systems present on the LAN.
ߜ Wireless Scanner: Scans for wireless networks signal within range. This feature is based on NetStumbler that we discuss in Chapter 9.
ߜ Access (9x/2000/XP) Database Passwords Decoder: Decodes the stored encrypted passwords for Microsoft Access Database files.
ߜ Base64 Password Decoder: Decodes Base64 encoded strings.
ߜ Cisco Type-7 Password Decoder: Decodes Cisco Type-7 passwords used in router and switches configuration files.
ߜ VNC Password Decoder: Decodes encrypted VNC passwords from the registry.
ߜ Enterprise Manager Password Decoder: Decodes passwords used by Microsoft SQL Server Enterprise Manager (SQL 7.0 and 2000 supported).
ߜ Remote Desktop Password Decoder: Decodes passwords in Remote Desktop Profiles (.RPD files).
ߜ PWL Cached Password Decoder: Allows you to view all cached resources and relative passwords in clear text either from locked or unlocked password list files.
ߜ Password Crackers: Enables the recovery of clear text passwords scrambled using several hashing or encryption algorithms. All crackers support Dictionary and Brute-Force attacks.
ߜ Cryptanalysis attacks: Enables password cracking using the “Faster Cryptanalytic time – memory trade off” method introduced by Philippe Oechslin. This cracking technique uses a set of large tables of pre-calculated encrypted passwords, called Rainbow Tables, to improve the trade-off methods known today and to speed up the recovery of cleartext passwords.
ߜ NT Hash Dumper + Password History Hashes (works with Syskey enabled): Retrieves the NT password hash from the SAM file regardless of whether Syskey is enabled or not.
ߜ Microsoft SQL Server 2000 Password Extractor via ODBC: Connects to an SQL server via ODBC and extracts all users and passwords from the master database.
ߜ Box Revealer: Shows passwords hidden behind asterisks in password dialog boxes.
ߜ RSA SecurID Token Calculator: Calculates the RSA key given the tokens
.ASC file.
ߜ Hash Calculator: Produces the hash values of a given text.
ߜ TCP/UDP Table Viewer: Shows the state of local ports (like netstat).
14_597302_ch08.qxd 8/4/05 7:04 PM Page 124
124 Part II: Getting Rolling with Common Wi-Fi Hacks
ߜ TCP/UDP/ICMP Traceroute with DNS resolver and WHOIS client: An improved traceroute that can use TCP, UDP and ICMP protocols and provides whois client capabilities.
ߜ Cisco Config Downloader/Uploader (SNMP/TFTP): Downloads or uploads the configuration file from/to a specified Cisco device (IP or hostname) given the SNMP read/write community string.
Abel provides the following features:
ߜ Remote Console: Provides a remote system shell on the remote machine.
ߜ Remote Route Table Manager: Manages the route table of the remote system.
ߜ Remote TCP/UDP Table Viewer: Shows the state of local ports (like netstat) on the remote system.
ߜ Remote NT Hash Dumper + Password History Hashes (works with Syskey enabled): Retrieves the NT password hash from the SAM file regardless of whether Syskey is enabled or not; works on the Abel-side.
ߜ Remote LSA Secrets Dumper: Dumps the contents of the Local Security Authority Secrets present on the remote system.
Cain & Abel is a must-have for your ethical-hacking toolkit. You can find Cain
& Abel at www.oxid.it/cain.html.
Using dsniff
dsniff is a collection of freeware tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (for example, passwords, e-mail, and files). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (due to Layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad hoc PKI. The author of dsniff tested it himself on OpenBSD, Red Hat Linux, and Solaris, while other individuals have run dsniff on FreeBSD, Debian Linux, Slackware Linux, AIX, and HP-UX.
To use dsniff, you also will need Berkeley DB, OpenSSL, libpcap, libnet, and libnids. OpenBSD already incorporates the first three packages into the base system, leaving only libnet and libnids as additional dependencies.
You can download the latter two from the OpenBSD FTP site. You will find the other OS will require a little more work. dsniff is a simple password sniffer that handles authentication information from the following sources: 14_597302_ch08.qxd 8/4/05 7:04 PM Page 125
Chapter 8: Discovering Default Settings
125
FTP
IRC
Telnet
AIM
HTTP
CVS
POP
ICQ
NNTP
Napster
IMAP
Citrix ICA
SNMP
Symantec
pcAnywhere
LDAP
NAI Sniffer
Rlogin
Microsoft SMB
NFS
Oracle SQL*Net
SOCKS
X11
dsniff benefits the user because it minimally parses each application protocol, saving only the “interesting” data. This speeds up processing.
dsniff is really easy to use. Just start it, and it starts listening on the interface you select for passwords.
Mailsnarf outputs all messages sniffed from SMTP traffic in Berkeley mbox format, suitable for offline browsing with a mail reader, such as pine. Urlsnarf outputs all requested URLs sniffed from HTTP traffic in Common Log Format, used by almost all Web servers, suitable for offline post-processing with a Web log-analysis tool, such as analog or wwwstat. Webspy sends URLs sniffed from a client to a Netscape browser. Filesnarf outputs NFS, SMB, and AFS.
Msgsnarf outputs ICQ, AIM, and IRC.
As well, you can use dsniff to perform a monkey-in-the-middle attack using sshmitm and webmitm to sniff HTTPS and SSH traffic and to capture login information.
You can find dsniff at www.monkey.org/~dugsong/dsniff/. A Windows port is available from www.datanerds.net/~mike/dsniff.html, and a MacOS X port is available at http://blafasel.org/~floh/ports/
dsniff-2.3.osx.tgz.
Gathering IP Addresses
Crackers want targets, and IP addresses are targets. Also, if the wireless administrator is using MAC filtering, then you’ll need to gather some IP
addresses. You can ping every host on a subnet to get a list of MAC to IP
14_597302_ch08.qxd 8/4/05 7:04 PM Page 126
126 Part II: Getting Rolling with Common Wi-Fi Hacks
addresses. But this is a tedious task at best. Instead, you can ping the broadcast of the subnet, which in turn will ping every host on the local subnet.
This is what the arping tool does for you.
On Windows and some other operating systems, the arp command provides access to the local ARP cache. In Windows, for example, typing arp -a at the command prompt will display all of the entries in that computer’s ARP cache.
The ARP cache stores previously resolved hardware or MAC addresses for requested software or IP addresses.
An almost unknown command, arping is similar to ping, but different in that it works at the Ethernet layer. While ping tests the reachability of an IP address, arping reports the reachability and round-trip time of an IP
address hosted on the local network.
Arping works on Linux, FreeBSD, NetBSD, OpenBSD, MacOS X, Solaris, and Windows. Below is the help information for arping.
Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device]
[-s source]
destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don’t go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use (eth0)
-s source : source ip address
destination : ask for what ip address
There are several ways you can use arping. Under normal operation, arping displays the Ethernet and IP address of the target as well as the time elapsed between the arp request and the arp reply. Or, you can use the -U option to send a broadcast arp and gather IP addresses.
You can find arping at www.habets.pp.se/synscan/programs.php?
prog=arping.
Gathering SSIDs
In the next two chapters, we will show you tools that will assist you in gathering SSIDs. To connect to an access point, you need to know the SSID.
Contrary to what some people think, a SSID is not a password, and you should not use it as such.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 127
Chapter 8: Discovering Default Settings
127
Using essid_jack
In Chapter 10, we talk about passive and active network discovery. At this point, you just need to know that NetStumbler is an active scanner. Many people suggest that you can defeat those nosy people running NetStumbler out there by disabling SSID broadcast. This indeed does make NetStumbler ineffective; however, you have other options such as Kismet and essid_
jack. You will learn more in Chapter 10 about Kismet, so let’s look at essid_
jack now. You can use essid_jack to report the SSID of an access point to you. essid_jack is part of a open source suite of tools labeled air-jack (http://sourceforge.net/projects/airjack/).
The reason essid_jack works even when you disable the SSID is simple: The access point will eventually send the SSID in cleartext when a legitimate client attempts to connect to the access point. Most crackers are impatient, though, and don’t want to wait until someone attempts to connect. In effect, essid_ jack impersonates an access point by spoofing its MAC address.
It then sends a disassociate frame to the clients causing them to disassociate from the access point. The clients then attempt to reassociate with the access point, and in so doing they transmit an association request with the access point’s SSID in cleartext. Presto! — essid_jack captures the SSID.
# ./essid_jack –h
Essid Jack: Proof of concept so people will stop calling an ssid a password.
Usage: ./essid_jack –b <bssid> | [ -d <destination mac> ]
[ -c <channel number> ] [ -i <interface name> ]
-b: bssid, the mac address of the access point (e.g.
00:de:ad:be:ef:00)
-d: destination mac address, defaults to broadcast
address.
-c: channel number (1-14) that the access point is
on, defaults to current.
-i: the name of the AirJack interface to use
(defaults to aj0).
Now you know how to use it. So let’s try it on a MAC address on channel 6:
#./essid_jack –b 00:0c:6e:9f:3f:a6 – c 6
Got it, the essid is (escape characters are c style):
“pdaconsulting”
You can find essid_jack by downloading air_jack from http://
sourceforge.net/projects/airjack/.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 128
128 Part II: Getting Rolling with Common Wi-Fi Hacks
Using SSIDsniff
SSIDsniff is a curses-based tool that allows an intruder to identify, classify, and data-capture wireless networks. The SSIDsniff interface will look familiar if you’ve ever used the UNIX top utility.
Currently it works under Linux and is distributed under the GPL license. You will need libpcap and curses or ncurses as well. SSIDsniff supports Cisco Aironet and some Prism2 cards.
You can find SSIDsniff at www.bastard.net/~kos/wifi/ssidsniff-0.
40.tar.gz.
Default-Setting Countermeasures
Okay, even though this chapter introduces you to some very powerful tools, you must not put your head in the sand; just knowing about these tools (and what hackers can do with them) won’t make them go away. They are here to stay — and their friends are moving in. Two things we know for sure from the short history of the Internet: These (and other, more insidious tools) prolifer-ate, and they come at you at an ever-increasing pace. Your plan of defense must include ferreting out and trying these tools — as well as their next-generation kid brothers — from here on in. It’s an arms race — you must know what the enemy is using, and be prepared to escalate.
The good news is: Some of the countermeasures are decidedly low-tech.
There’s really no excuse for not implementing them.
Change SSIDs
When you get a new system, you must ensure that you change the default SSID. We know Linksys uses Linksys as a default SSID (obvious, much?), and we know others as well. When picking a new SSID — as long as we’re talking obvious (but vital) here — don’t select one that’s easy to guess. Even though the SSID is most emphatically not a password, there is no reason to select an easy-to-guess one.
If you don’t know what the default SSID is for a particular access point, you can find it out at one of the following Web sites:
ߜ www.cirt.net/cgi-bin/passwd.pl
ߜ www.phenoelit.de/dpl/dpl.html
ߜ http://new.remote-exploit.org/index.php/Wlan_defaults
ߜ www.thetechfirm.com/wireless/ssids.htm
14_597302_ch08.qxd 8/4/05 7:04 PM Page 129
Chapter 8: Discovering Default Settings
129
Don’t broadcast SSIDs
In this chapter, we showed you that even when you don’t broadcast your SSID, others can derive it. But that doesn’t mean you shouldn’t disable it.
When someone roams your neighborhood running NetStumbler, make it more difficult for them. Disable your SSID broadcasting and make them come back running Kismet. You may not have defeated them (yet), but you’ve at least made things more difficult for them.
Using pong
Older readers probably think pong is a video game. If you are a computer virus researcher or fighter, then you probably think pong is a nasty Trojan. Well, this pong is neither, but rather a tool to check the vulnerability of your wireless access point. If your access point is running vulnerable firmware, pong will give you access to all relevant details such as the admin password, WEP keys, allowed MAC addresses, and more. Should pong work successfully against your network, then you’ll need to upgrade your firmware to protect yourself.
Pong is a DOS program and is easy to use, just type c:\> pong [-r] in a command shell. The -r option provides additional raw output of all received data. When pong finds an access point from the following list, you will get a list of all relevant parameters:
ߜ 4MBO
ߜ Airstation
ߜ D-Link DWL-900AP+
ߜ Linksys
ߜ Melco
ߜ US Robotics
ߜ Wisecom
You can find pong at http://mobileaccess.de/wlan/index.html?go=
technik&sid=. Praemonitus, praemunitus. (Or for those of you who don’t still speak Latin, that’s forewarned, forearmed. ) Detecting sniffers
At Layer 2, you can run LBL’s arpwatch (www.securityfocus.com/tools/
142) to detect changes in ARP mappings on the local network, such as those caused by arpspoof or macof.
14_597302_ch08.qxd 8/4/05 7:04 PM Page 130
130 Part II: Getting Rolling with Common Wi-Fi Hacks
At Layer 3, you can use a tool such as AiroPeek, CommView for WiFi, or any other programmable sniffer (say, NFR) to look for either the obvious network anomalies or the second-order effects of some of dsniff’s active attacks. If you want to learn how to use a packet analyzer for security, try one of Laura Chappell’s network analysis or troubleshooting books that you can download for a fee from www.packet-level.com/books.htm.
Also, anti-sniffing programs such as l0pht’s AntiSniff (http://packet stormsecurity.nl/sniffers/antisniff/) can uncover dsniff’s passive monitoring tools.
15_597302_ch09.qxd 8/4/05 7:03 PM Page 131