Wi-Foo: The Secrets of Wireless Hacking

"This is an excellent book. It contains the 'in the trenches' coverage that the enterprise administrator needs to know to deploy wireless networks securely." --Robert Haskins, Chief Technology Officer, ZipLink Wi-Foo: The Secrets of Wireless Hacking is the first practical and realistic book about 802.11 network penetration testing and hardening. Unlike other books, it is based on a daily experience of breaking into and securing wireless LANs. Rather than collecting random wireless security news, tools, and methodologies, Wi-Foo presents a systematic approach to wireless security threats and countermeasures starting from the rational wireless hardware selection for security auditing and finishing with how to choose the optimal encryption ciphers for the particular network you are trying to protect.

Table of Contents:
Introduction. 1. Real World Wireless Security.     Why Do We Concentrate on 802.11 Security?     Getting a Grip on Reality: Wide Open 802.11 Networks Around Us.     The Future of 802.11 Security: Is It as Bright as It Seems?     Summary. 2. Under Siege.     Why Are “They” After Your Wireless Network?     Wireless Crackers: Who Are They?    Corporations, Small Companies, and Home Users: Targets Acquired.     Target Yourself: Penetration Testing as Your First Line of Defense.     Summary. 3. Putting the Gear Together: 802.11 Hardware.     PDAs Versus Laptops.     PCMCIA and CF Wireless Cards.       Selecting or Assessing Your Wireless Client Card Chipset.         Prism Chipset.         Cisco Aironet Chipset.         Hermes Chipset.         Symbol Chipset.         Atheros Chipset.         ADM8211 Chipset.       Other Chipsets That Are Common in Later Models of 802.11-Compatible Devices.       Selecting or Assessing Your Wireless Client Card RF Characteristics.     Antennas.     RF Amplifiers.     RF Cables and Connectors.     Summary. 4. Making the Engine Run: 802.11 Drivers and Utilities.     Operating System, Open Source, and Closed Source.     The Engine: Chipsets, Drivers, and Commands.       Making Your Client Card Work with Linux and BSD.     Getting Used to Efficient Wireless Interface Configuration.       Linux Wireless Extensions.       Linux-wlan-ng Utilities.       Cisco Aironet Configuration.      Configuring Wireless Client Cards on BSD Systems.     Summary. 5. Learning to WarDrive: Network Mapping and Site Surveying.     Active Scanning in Wireless Network Discovery.     Monitor Mode Network Discovery and Traffic Analysis Tools.       Kismet.         Kismet and GpsDrive Integration.       Wellenreiter.       Airtraf.       Gtkskan.       Airfart.       Mognet.       WifiScanner.       Miscellaneous Command—Line Scripts and Utilities.       BSD Tools for Wireless Network Discovery and Traffic Logging.     Tools That Use the iwlist scan Command.      RF Signal Strength Monitoring Tools.     Summary. 6. Assembling the Arsenal: Tools of the Trade.     Encryption Cracking Tools.       WEP Crackers.         AirSnort.         Wepcrack.         Dweputils.         Wep_tools.         WepAttack.       Tools to Retrieve WEP Keys Stored on the Client Hosts.       Traffic Injection Tools Used to Accelerate WEP Cracking.       802.1x Cracking Tools.         Asleap-imp and Leap.         Leapcrack.     Wireless Frame-Generating Tools.       AirJack.        File2air.       Libwlan.       FakeAP.       Void11.       Wnet.     Wireless Encrypted Traffic Injection Tools: Wepwedgie.     Access Point Management Utilities.     Summary. 7. Planning the Attack.     The “Rig”.     Network Footprinting.     Site Survey Considerations and Planning.     Proper Attack Timing and Battery Power Preservation.     Stealth Issues in Wireless Penetration Testing.     An Attack Sequence Walk-Through.     Summary. 8. Breaking Through.     The Easiest Way to Get in.      A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering.     Picking a Trivial Lock: Various Means of Cracking WEP.       WEP Brute-Forcing.       The FMS Attack.       An Improved FMS Attack.     Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking.     Field Observations in WEP Cracking.     Cracking TKIP: The New Menace.     The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment.       DIY: Rogue Access Points and Wireless Bridges for Penetration Testing.       Hit or Miss: Physical Layer Man-in-the-Middle Attacks.       Phishing in the Air: Man-in-the-Middle Attacks Combined.     Breaking the Secure Safe.       Crashing the Doors: Authentication Systems Attacks.       Tapping the Tunnels: Attacks Against VPNs.     The Last Resort: Wireless DoS Attacks.       1. Physical Layer Attacks or Jamming.       2. Spoofed Deassociation and Deauthentication Frames Floods.       3. Spoofed Malformed Authentication Frame Attack.       4. Filling Up the Access Point Association and Authentication Buffers.       5. Frame Deletion Attack.       6. DoS Attacks Based on Specific Wireless Network Settings.       7. Attacks Against 802.11i Implementations.     Summary. 9. Looting and Pillaging: The Enemy Inside.     Step 1: Analyze the Network Traffic.       802.11 Frames.       Plaintext Data Transmission and Authentication Protocols.       Network Protocols with Known Insecurities.       DHCP, Routing, and Gateway Resilience Protocols.       Syslog and NTP Traffic.       Protocols That Shouldn’t Be There.     Step 2: Associate to WLAN and Detect Sniffers.     Step 3: Identify the Hosts Present and Perform Passive Operating System Fingerprinting.     Step 4: Scan and Exploit Vulnerable Hosts on WLAN.     Step 5: Take the Attack to the Wired Side.     Step 6: Check Wireless-to-Wired Gateway Egress Filtering Rules.     Summary. 10. Building the Citadel: An Introduction to Wireless LAN Defense.     Wireless Security Policy: The Cornerstone.       1. Device Acceptability, Registration, Update, and Monitoring.       2. User Education and Responsibility.       3. Physical Security.       4. Physical Layer Security.       5. Network Deployment and Positioning.       6. Security Countermeasures.       7. Network Monitoring and Incident Response.       8. Network Security and Stability Audits.     Layer 1 Wireless Security Basics.     The Usefulness of WEP, Closed ESSIDs, MAC Filtering, and SSH Port Forwarding.     Secure Wireless Network Positioning and VLANs.       Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design.     Deploying a Linux-Based, Custom-Built Hardened Wireless Gateway.     Proprietary Improvements to WEP and WEP Usage.     802.11i Wireless Security Standard and WPA: The New Hope.       Introducing the Sentinel: 802.1x.       Patching the Major Hole: TKIP and CCMP.     Summary. 11. Introduction to Applied Cryptography:Symmetric Ciphers.     Introduction to Applied Cryptography and Steganography.     Modern-Day Cipher Structure and Operation Modes.       A Classical Example: Dissecting DES.       Kerckhoff’s Rule and Cipher Secrecy.       The 802.11i Primer: A Cipher to Help Another Cipher.       There Is More to a Cipher Than the Cipher: Understanding Cipher Operation Modes.     Bit by Bit: Streaming Ciphers and Wireless Security.     The Quest for AES.       AES (Rijndael).       MARS.       RC6.       Twofish.       Serpent.      Between DES and AES: Common Ciphers of the Transition Period.       3DES.       Blowfish.       IDEA.     Selecting a Symmetric Cipher for Your Networking or Programming Needs.     Summary. 12. Cryptographic Data Integrity Protection, Key Exchange, and User Authentication Mechanisms.     Cryptographic Hash Functions.     Dissecting an Example Standard One-Way Hash Function.     Hash Functions, Their Performance, and HMACs.       MIC: Weaker But Faster.       Asymmetric Cryptography: A Different Animal.        The Examples of Asymmetric Ciphers: ElGamal, RSA, and Elliptic Curves.       Practical Use of Asymmetric Cryptography: Key Distribution, Authentication, and Digital Signatures.     Summary. 13. The Fortress Gates: User Authentication in Wireless Security.     RADIUS.       Basics of AAA Framework.         Authentication.         Authorization.         Accounting.       An Overview of the RADIUS Protocol.       RADIUS Features.       Packet Formats.       Packet Types.     Installation of FreeRADIUS.       Configuration.         clients.conf.         naslist.         radiusd.conf.         realms.         users.     User Accounting.     RADIUS Vulnerabilities.       Response Authenticator Attack.       Password Attribute-Based Shared Secret Attack.       User Password-Based Attack.       Request Authenticator-Based Attacks.       Replay of Server Responses.       Shared Secret Issues.     RADIUS-Related Tools.     802.1x: The Gates to Your Wireless Fortress.       Basics of EAP-TLS.           Packet Format.             Creating Certificates.       FreeRADIUS Integration.            radiusd.conf.         users.       Supplicants.         Linux.         Windows 2000 and Windows XP.       An Example of Access Point Configuration: Orinoco AP-2000.     LDAP.       Overview.         What Is a Directory Service?         What Is LDAP?         How Does LDAP Work?       Installation of OpenLDAP.         Satisfying Dependencies.       Configuration of OpenLDAP.       Testing LDAP.       Populating the LDAP Database.       Centralizing Authentication with LDAP.       Mobile Users and LDAP.       LDAP-Related Tools.         Directory Administrator.         LdapExplorer.         YALA.         LDAP Tool.     NoCat: An Alternative Method of Wireless User Authentication.        Installation and Configuration of NoCat Gateway.       Installation and Configuration of Authentication Server.     Summary. 14. Guarding the Airwaves: Deploying Higher-Layer Wireless VPNs.     Why You Might Want to Deploy a VPN.     VPN Topologies Review: The Wireless Perspective.       Network-to-Network.       Host-to-Network.       Host-to-Host.       Star.       Mesh.     Common VPN and Tunneling Protocols.       IPSec.       PPTP.       GRE.       L2TP.     Alternative VPN Implementations.       cIPe.       OpenVPN.       VTun.     The Main Player in the Field: IPSec Protocols, Operations, and Modes Overview.       Security Associations.       AH.       ESP.       IP Compression.       IPSec Key Exchange and Management Protocol.       IKE.         Phase 1 Modes of Operation.         Phase 2 Mode of Operation.       Perfect Forward Secrecy.       Dead Peer Discovery.       IPSec Road Warrior.       Opportunistic Encryption.     Deploying Affordable IPSec VPNs with FreeS/WAN.       FreeS/WAN Compilation.       FreeS/WAN Configuration.         Key Generation.         X.509 Certificate Generation.         Ipsec.conf Organization.       Network-to-Network VPN Topology Setting.       Host-to-Network VPN Topology Setting.       Windows 2000 Client Setup.       Windows 2000 IPSec Client Configuration.     Summary. 15. Counterintelligence: Wireless IDS Systems.     Categorizing Suspicious Events on WLANs.       1. RF/Physical Layer Events.       2. Management/Control Frames Events.       3. 802.1x/EAP Frames Events.       4. WEP-Related Events.       5. General Connectivity/Traffic Flow Events.       6. Miscellaneous Events.     Examples and Analysis of Common Wireless Attack Signatures.     Radars Up! Deploying a Wireless IDS Solution for Your WLAN.       Commercial Wireless IDS Systems.       Open Source Wireless IDS Settings and Configuration.       A Few Recommendations for DIY Wireless IDS Sensor Construction.     Summary.     Afterword. Appendix A. Decibel—Watts Conversion Table. Appendix B. 802.11 Wireless Equipment. Appendix C. Antenna Irradiation Patterns.     Omni-Directionals.     Semi-Directionals.     Highly-Directionals. Appendix D. Wireless Utilities Manpages.     1. Iwconfig.     2. Iwpriv.     3. Iwlist.     4. Wicontrol.     5. Ancontrol. Appendix E. Signal Loss for Obstacle Types . Appendix F. Warchalking Signs.     Original Signs.     Proposed New Signs. Appendix G. Wireless Penetration Testing Template.     Arhont Ltd Wireless Network Security and Stability Audit Checklist Template.     1 Reasons for an audit.     2 Preliminary investigations.     3 Wireless site survey.     4 Network security features present.     5 Network problems / anomalies detected.     6 Wireless penetration testing procedure .     7 Final recommendations. Appendix H. Default SSIDs for Several Common 802.11 Products. Glossary. Index. .  

About the Author :
The authors have been active participants in the IT security community for many years and are security testers for leading wireless equipment vendors. Andrew A. Vladimirov leads the wireless consultancy division at Arhont Ltd, one of the UK¿s leading security consultants. He was one of the UK¿s first IT professionals to obtain the coveted CWNA wireless certification. Konstantin V. Gavrilenko co-founded Arhont Ltd. He has more than 12 years of IT and security experience, and his expertise includes wireless security, fire-walls, cryptography, VPNs, and IDS. Andrei A. Mikhailovsky has more than a decade of networking and security experience and has contributed extensively to Arhont¿s security research papers.