Hacking Exposed 5th Edition
Following the Hacking Exposed attack methodology, the second and third stages of properly targeting and penetrating a system are scanning and enumeration. As you probably know by now, wireless technology is significantly different from most other technologies you have learned about in this book; it is the only one that can be compromised without ever touching the wire. Wireless scanning and enumeration are treated together here because, in general, these stages of penetration are conducted simultaneously. Remember, the goal of the scanning and enumeration phases is to determine a method to gain system access.
After you have gone war-driving, identified target access points, and captured loads of WEP-encrypted and non-encrypted packets, it is time to start the next stage of the penetration process. Although installing the antenna may be the most difficult stage in preparing to war-drive, packet analysis is the most technically demanding aspect of wireless hacking because it requires you to be able to use and understand a packet sniffer and, in some cases, decipher the transmission itself.
During the initial war-driving expedition, you will have identified access points and some pertinent information about them. Such information could include an AP's SSID, MAC address, WEP usage, IP address, and the different kinds of traffic it carries. As with any attack, the more information you have at the onset of attempted penetration, the higher the probability of success and the more predictable the outcome of the attack.
Initially, the single most important piece of data you should have about your identified access point is its SSID. In just about all cases this is how you will reference the identified AP. After you have the SSID, the next goal is to determine and classify the types of data you've sniffed off the WLAN. The data can be logically divided by access point and then further subdivided by AP client. During packet analysis, you will quickly notice whether the data you received from the initial war-drive is encrypted. If so, you must determine whether the data is encrypted via a WEP implementation or an additional layered schema, such as SSL over HTTP. If a WEP-based encryption schema is being used, the next step is identifying the length of the key. In most cases, the length is either 40 or 128 bits, but some implementations allow for stronger keys, such as 256, 1024, or 2048 bits.
The initial step of scanning and enumerating a wireless network involves passively sniffing traffic and conducting analysis for further aggressive probes and attacks.
Wireless Sniffers
A preface for this chapter: Wireless sniffers are no different from "wired" sniffers when it comes to actual packet deciphering and analysis. The only difference is the wireless sniffer can read and categorize the wireless packet structure with 802.11 headers, IVs, and so on. Sniffers capable of capturing 802.11 packets will be heavily used within this section. If you have never used a sniffer or conducted packet analysis (or it has been a while since you have), it is highly recommended that you brush up your skills before moving on to this section.
Packet Capture and Analysis Resources
The following resources, when used together, provide a thorough overview of the techniques and technical "know-how" behind packet-capturing and analysis:
- http://www.robertgraham.com/pubs/sniffing-faq.html A comprehensive site that could probably answer just about all your questions. Make this your first stop for information.
- http://grc.com/oo/packetsniff.htm A great source for specific packet analysis, commercial sniffers, identifying promiscuous-mode nodes, and thwarting unauthorized sniffers.
- http://cs.ecs.baylor.edu/~donahoo/tools/sniffer/sniffingFAQ.htm A good introductory site covering the basics of packet sniffing and the overall architecture requirements of a sniffer.
Many network sniffers exist for promiscuous card packet capturing, yet very few exist for the wireless side of the world due to the age of the technology. Basically, you have three different setups you can run with, depending on your platform of choice: Windows, Linux, and OpenBSD. Granted, if you are a pro, you may be able to write your own drivers and sniffer modules to get your sniffer software to work under different platforms, but these three are currently the most supported via drivers and tools.
Flipping (a.k.a. switching) your wireless card into promiscuous mode is completely automated under Windows; however, under Linux it is a bit more complicated, which is exactly why we have included a guide for getting sniffer software working under Linux. Configuring the OpenBSD kernel and software is similar, so we apologize for not listing the redundancies. If you would like OpenBSD-specific information, go to http://www.dachb0den.com.
Configuring Linux Wireless Cards for Promiscuous Mode
If you follow these instructions, it should be rather simple for you to set up your Linux laptop and get to wireless sniffing in under an hour (not including tool and file download time).
Step 1: Get Prepared First and foremost, you will need a wireless PCMCIA network card with the Prism2 chipset. Once you have your card, as with any new installation, it is recommended that you back up your important data in case something causes your files to become irretrievable. Although this is not an overly risky installation, precautions should be taken. The following are examples of wireless cards that use the Prism2 chipset:
- Compaq WL100
- SMC2632
- Linksys WPC11
Step 2: Get the Files When you have completed the first step and are ready to start, you will need to download a few files if you don't already have them on your system. If the following links become broken because of new releases, it should not be difficult to find any of them via a Google search:
| Package | URL |
| --- | --- |
| Linux PCMCIA Card Services Package | http://pcmcia-cs.sourceforge.net |
| Linux WLAN Package (linux-wlan-ng-0.1.10) | http://www.linux-wlan.com/linux-wlan |
| Prismdump Utility | http://developer.axis.com/download/tools |
| CVS PCAP and CVS TCPDUMP | http://cvs.tcpdump.org |
| WLAN Drivers Patch (Tim Newsham's Patch) | http://www.lava.net/~newsham/wlan |
| Ethereal (optional but highly recommended) | http://www.ethereal.com |
Step 3: Compile and Configure Once you have downloaded the preceding files, you are ready to actually start configuring your system. In general, most apps use the ./configure && make && make install installation setup, but for specific compilation instructions, refer to the individual Readme files for each of the applications.
Note | It is extremely important that you apply the WLAN Drivers Patch (a.k.a. Newsham's Patch) before you compile the WLAN package on your system. It will not function properly otherwise. |
Step 4: Flip the Card After compilation, you need to restart all your card services and ensure that all the modifications have been implemented. Most wireless sniffing and cracking tools have built-in functionality for flipping (changing) your card into promiscuous mode; however, you may wish to simply capture the packets without automated cracking or other features included within the tools. Whatever the case may be, the command to flip your card (enable sniffing) is shown here:
%root%> wlanctl-ng wlan0 lnxreq_wlansniff channel=# enable=true
Here's the command to use to disable sniffing:
%root%> wlanctl-ng wlan0 lnxreq_wlansniff channel=# enable=false
You should understand that while your card is in this sniffing mode, it is unable to transmit packets. It therefore cannot communicate on any network, wired or wireless, until you disable sniffing again.
Note | The pound sign (#) stands for the channel number on which you wish to sniff packets. Most access points default to channels 6 and 10, meaning you will probably capture the most traffic while sniffing these channels. |
Step 5: Start Sniffing The last step for manual wireless sniffing is to start capturing the packets to ensure you have completed the setup correctly. A simple tool you can use to test this is Prismdump, a tool you should have downloaded and compiled in Steps 2 and 3. Prismdump simply manipulates the captured packets into the industry-standard format, PCAP. PCAP (a.k.a. the Packet Capture format) is often used as a common format for saving raw packet data.
To run Prismdump, use the following command:
%root%> prismdump > wlan_packets
A quick no-brainer: When your wlan_packets file is over 1 byte in size, you know you have started to capture 802.11 packets, which means you may start to use your WEP-cracking software or packet-analysis software, such as Ethereal.
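A sturdier check than "over 1 byte" is to validate what Prismdump actually wrote. The following is an added example, not code from the book: it reads the libpcap global header, confirms the link type is one of the 802.11 types, and walks the records so that a truncated capture or a capture taken with the card still in normal (Ethernet) mode is caught before the file reaches Ethereal. The capture it inspects is constructed in memory from two made-up 802.11 frames so the example runs offline.

```python
"""Sanity-check a libpcap capture such as the one prismdump writes.

Added example (not the book's code). Validates the 24-byte global header,
the link-layer type and every 16-byte record header instead of trusting
the file size. The sample capture below is constructed in memory.
"""
import struct

# Link-layer type values from the libpcap/tcpdump registry.
DLT_EN10MB = 1                # plain Ethernet: card was NOT sniffing 802.11
DLT_IEEE802_11 = 105          # raw 802.11 frames (what prismdump produces)
DLT_PRISM_HEADER = 119        # 802.11 frames preceded by a Prism monitor header
DLT_NAMES = {DLT_EN10MB: "EN10MB", DLT_IEEE802_11: "IEEE802_11",
             DLT_PRISM_HEADER: "PRISM_HEADER"}

# Global-header magic numbers: microsecond or nanosecond timestamps,
# written in either byte order. The value tells us how to unpack the rest.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


def inspect_pcap(data: bytes) -> dict:
    """Return version, link type and record statistics, or raise ValueError."""
    if len(data) < 24:
        raise ValueError("too short to hold a libpcap global header")
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file (unknown magic number)")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    frames = captured = 0
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError(f"record {frames} has inconsistent lengths")
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"record {frames} is cut short (capture truncated?)")
        off += incl_len
        frames += 1
        captured += incl_len
    return {"version": (major, minor), "linktype": linktype,
            "linktype_name": DLT_NAMES.get(linktype, "unknown"),
            "is_80211": linktype in (DLT_IEEE802_11, DLT_PRISM_HEADER),
            "frames": frames, "bytes_captured": captured}


def build_sample_pcap(linktype: int = DLT_IEEE802_11) -> bytes:
    """Constructed capture: little-endian global header plus two made-up frames."""
    # Frame control 0x80 0x00 = beacon, sent to the broadcast address; filler body.
    beacon = bytes.fromhex("8000 0000 ffffffffffff 0060b3676c40 0060b3676c40 0010") + b"\x00" * 12
    # Frame control 0x08 0x41 = data frame with To-DS and Protected (WEP/WPA) bits set.
    data_frame = bytes.fromhex("0841 0000 0060b3676c40 00055da73653 0060b3676c40 0020") + b"\x00" * 8
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate((beacon, data_frame)):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(inspect_pcap(build_sample_pcap()))
```

On a real wlan_packets file, read the bytes from disk and pass them to inspect_pcap; a link type of EN10MB means the card was never flipped into sniffing mode, and a "cut short" error usually means the capture was interrupted mid-record.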
Mognet
| Popularity: | 4 |
| Simplicity: | 7 |
| Impact: | 2 |
| Risk Rating: | 5 |
Mognet, shown in Figure 8-8, is a straightforward 802.11b wireless sniffer written completely in Java by Sean Whalen (sean@node99.org). A few of its key features include near real-time capture output via the Java pane. The output includes the packet type, source MAC address, destination MAC address, and the corresponding SSID if known or included. A destination MAC address of FF:FF:FF:FF:FF:FF is the broadcast address; the access point sends its beacons to it, which is one way a client first discovers an access point and begins a communication stream with it.
The Java interface can also load and save captured wireless sessions in libpcap format (a.k.a. PCAP). The only requirement for Mognet is an installed JDK (1.3 or higher) or a C compiler in case you wish to compile a local binary. Mognet is released under the GNU General Public License (GPL) and can be downloaded from http://www.node99.org/projects/mognet.
Wireless Monitoring Tools
Wireless monitoring tools, as previously stated, are extremely similar to their wired "counterparts." Most of the tools are relatively easy to install and run with the analysis being the complicated aspect of the tool. Additional information on the presented tools can be found at their respective home pages.
Prism2dump
| Popularity: | 3 |
| Simplicity: | 5 |
| Impact: | 7 |
| Risk Rating: | 5 |
Prism2dump (http://www.dachb0den.com/projects/prism2dump.html) comes with the BSD-Airtools suite and works with Prism2 chipset cards. It will output 802.11 frames with three levels of detail, specified by the -v flag.
To use Prism2dump, you'll need to have a Prism2 kernel driver that supports monitor-mode operation. Newer BSD versions such as OpenBSD 3.2 support this in the default kernel, but others will need the kernel patches included in the BSD-Airtools package.
To use Prism2dump, first place your card in monitor mode with prism2ctl <interface> -m, as shown here:
foo# prism2ctl wi0 -m
After the command is issued, you can check the status by running prism2ctl and only specifying the interface. In the following example, the line for monitor mode indicates it is active:
    foo# prism2ctl wi0
    Sleep mode:                   [ Off ]
    Suppress post back-off delay: [ Off ]
    Suppress Tx Exception:        [ Off ]
    Monitor mode:                 [ On ]
    LED Test:                     [ ]
    Continuous Tx:                [ ]
    Continuous Rx:                [ Off ]
    Signal State:                 [ ]
    Automatic level control:      [ Off ]
Once monitor mode is enabled, run Prism2dump by specifying the interface name and the level of verbosity requested. Here, we are using the wi0 interface and -v 2, which prints all 802.11 protocol information.
The dump results show an 802.11 Management Probe Response from an access point with an SSID of APPLE on channel 6:
    foo# prism2dump wi0 -v 2
    prism2dump: listening on wi0
    - [0:5:5d:a7:36:53 <- 0:30:65:1d:f1:0 <- 0:30:65:1d:f1:0]
    - port: 7 ts: 151.143336 1:81 20:0
    - sn: 3200 (d4:ec:cc:dc:8c:4c) len: 36
    - ** mgmt-proberesp **
      ts: 17.605513 int: 100 capinfo: ess priv
      + ssid: [APPLE]
      + rates: 1.0 2.0 5.5 11.0
      + ds ch: 6
tcpdump
| Popularity: | 7 |
| Simplicity: | 6 |
| Impact: | 7 |
| Risk Rating: | 7 |
tcpdump (http://www.tcpdump.org) is a standard UNIX network monitoring tool that, in newer versions, supports decoding 802.11 frame information. Because basic tcpdump usage is covered elsewhere in this book, we won't describe general information here, just the 802.11-specific items. To use tcpdump to decode 802.11 traffic, you'll need to install versions of libpcap and tcpdump that support it. As of this writing, the "current" rev of each package supports decoding 802.11 frames. Usage on wireless networks is basically the same as other types of networks, but you will need to place your card in monitor mode first to read the management frames. Outside of the various commands for each card and OS, the easiest way to flip the card to monitor mode is using the kismet_monitor script included with Kismet. Using tcpdump on a wireless network without putting the card in monitor mode will show broadcasts and traffic destined for the localhost, like a switched Ethernet network.
One option to note is -e, which will print out the frame-control fields, the packet length, and all the addresses in the 802.11 header that show the BSSID and destination MAC address. Also, for parsing purposes, "wlan" can be used in place of "ether" for arguments such as wlan protocol ip. In the following example, we have already enabled monitor mode on the wireless card and are running tcpdump by specifying the wireless interface (-i eth1), getting the extra 802.11 information (-e), and printing out hex and ASCII data from the packets (-X):
[root@localhost root]# tcpdump -i eth1 -e -X
In the following packet, you can see that the BSSID is 00:60:b3:67:6c:40, the DA (or destination) is the broadcast address (FF:FF:FF:FF:FF:FF), and the source address is the same as the BSSID (the MAC address of the access point). The frame type is a Beacon, and it's using an SSID of proxim. The access point is capable of establishing an 802.11 link at speeds of 1, 2, 5.5, and 11 Mbps on channel 6.
    16:13:52.974207 BSSID:00:60:b3:67:6c:40 DA:Broadcast SA:00:60:b3:67:6c:40 Beacon (proxim) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 6
    0x0000  18e2 3540 1300 0000 6400 0100 0006 7072  ..5@....d.....pr
    0x0010  6f78 696d 0104 0284 0b16 0301 0605 0400  oxim............
    0x0020  0300 00                                  ...
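To tie tcpdump's one-line summary to the bytes underneath it, and to show how sniffed frames can be divided by access point and checked for encryption as described at the start of the chapter, here is an added Python example that is not part of the book. It decodes the beacon body from the hex dump above (the 24-byte 802.11 header in front of it is rebuilt from the BSSID, DA and SA that tcpdump reported; the sequence number is made up), a probe response constructed from the fields prism2dump printed for the APPLE access point, and two made-up client data frames (client MAC 02:00:00:00:00:01), then groups everything by BSSID. The Privacy bit in the capability field is what tcpdump and prism2dump render as "ESS" versus "ess priv"; the Protected Frame bit in the frame control of a data frame is what marks WEP (or WPA) traffic.

```python
"""Decode 802.11 beacon / probe-response frames and build a per-AP inventory.

Added example, not the book's code. PROXIM_BEACON's body is the hex dump
tcpdump printed; its header is rebuilt from tcpdump's BSSID/DA/SA (sequence
number made up). APPLE_PROBE_RESP is constructed from prism2dump's fields.
The two data frames and the client MAC 02:00:00:00:00:01 are made up.
"""
import struct

FC_TYPE_MGMT, FC_TYPE_DATA = 0, 2
SUBTYPE_BEACON, SUBTYPE_PROBE_RESP = 8, 5
FC1_TO_DS, FC1_FROM_DS, FC1_PROTECTED = 0x01, 0x02, 0x40   # flags in frame-control byte 1
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010                      # capability-info bits
IE_SSID, IE_RATES, IE_DS_PARAMS = 0, 1, 3                  # tagged element IDs


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(blob: bytes) -> dict:
    """Walk the tag/length/value elements that follow the fixed fields."""
    ies, off = {}, 0
    while off + 2 <= len(blob):
        tag, length = blob[off], blob[off + 1]
        value = blob[off + 2:off + 2 + length]
        if len(value) < length:          # truncated element: stop, don't misparse
            break
        ies.setdefault(tag, value)       # first instance of a tag wins
        off += 2 + length
    return ies


def decode_frame(frame: bytes) -> dict:
    """Classify one 802.11 frame; fully decode beacons and probe responses."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    info = {"type": ftype, "subtype": subtype, "addr1": a1, "addr2": a2, "addr3": a3,
            "protected": bool(fc1 & FC1_PROTECTED)}
    if ftype == FC_TYPE_MGMT and subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = frame[24:]
        if len(body) < 12:
            raise ValueError("management body shorter than its fixed fields")
        timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
        ies = parse_ies(body[12:])
        ds = ies.get(IE_DS_PARAMS, b"")
        info.update(
            bssid=a3,                                   # addr3 holds the BSSID here
            ssid=ies.get(IE_SSID, b"").decode("ascii", "replace"),
            timestamp_us=timestamp, beacon_interval_tu=interval,
            ess=bool(cap & CAP_ESS), privacy=bool(cap & CAP_PRIVACY),
            rates_mbps=[(r & 0x7F) / 2 for r in ies.get(IE_RATES, b"")],  # high bit = basic rate
            channel=ds[0] if ds else None)
    elif ftype == FC_TYPE_DATA:
        # Which address holds the BSSID depends on the To-DS / From-DS flags.
        to_ds, from_ds = bool(fc1 & FC1_TO_DS), bool(fc1 & FC1_FROM_DS)
        if to_ds and from_ds:
            info["bssid"] = None             # WDS frame: no single BSSID
        else:
            info["bssid"] = a1 if to_ds else a2 if from_ds else a3
    return info


def inventory(frames) -> dict:
    """Group frames by BSSID, the way the chapter divides sniffed data."""
    aps = {}
    for f in map(decode_frame, frames):
        bssid = f.get("bssid")
        if bssid is None:
            continue
        entry = aps.setdefault(bssid, {"data": 0, "protected_data": 0})
        if "ssid" in f:
            entry.update(ssid=f["ssid"], channel=f["channel"], privacy=f["privacy"])
        elif f["type"] == FC_TYPE_DATA:
            entry["data"] += 1
            entry["protected_data"] += int(f["protected"])
    return aps


# Header rebuilt from tcpdump's BSSID/DA/SA; body copied from the hex dump above.
PROXIM_BEACON = bytes.fromhex(
    "8000 0000 ffffffffffff 0060b3676c40 0060b3676c40 1000"
    "18e2 3540 1300 0000 6400 0100 0006 7072 6f78 696d"
    "0104 0284 0b16 0301 0605 0400 0300 00")
# Constructed from prism2dump's output: ts 17.605513 s, int 100, "ess priv", APPLE, ch 6.
APPLE_PROBE_RESP = (bytes.fromhex("5000 0000 00055da73653 0030651df100 0030651df100 0000")
                    + struct.pack("<QHH", 17_605_513, 100, CAP_ESS | CAP_PRIVACY)
                    + bytes([IE_SSID, 5]) + b"APPLE"
                    + bytes([IE_RATES, 4, 0x02, 0x84, 0x0B, 0x16])
                    + bytes([IE_DS_PARAMS, 1, 6]))
# Made-up data frames from a client to the proxim AP: To-DS set, with / without Protected.
PROTECTED_DATA = bytes.fromhex("0841 0000 0060b3676c40 020000000001 0060b3676c40 2000") + b"\x00" * 8
CLEAR_DATA = bytes.fromhex("0801 0000 0060b3676c40 020000000001 0060b3676c40 3000") + b"\x00" * 8
SAMPLE_FRAMES = [PROXIM_BEACON, APPLE_PROBE_RESP, PROTECTED_DATA, CLEAR_DATA]

if __name__ == "__main__":
    for bssid, ap in inventory(SAMPLE_FRAMES).items():
        print(bssid, ap)
```

Two caveats when feeding real captures in: a file written by Prismdump may carry a Prism monitor header in front of every 802.11 header (libpcap link type 119), which has to be skipped first, and the Privacy bit only says that the AP advertises encryption; the Protected Frame bit on the data frames themselves is the better indicator of what is actually being encrypted.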
Ethereal
| Popularity: | 9 |
| Simplicity: | 6 |
| Impact: | 7 |
| Risk Rating: | 8 |
Ethereal (http://www.ethereal.com) is a UNIX- and Windows-based network monitoring tool. Although not specifically designed for 802.11 analysis, it does support capturing and decoding 802.11 packets with libpcap on UNIX systems. On Windows systems, it does not have the ability to directly capture 802.11 packets, but it can read the same capture file format that is generated by the UNIX versions of tcpdump or Ethereal. This means you could gather the data on a UNIX system and then later analyze it on your Windows machine.
We'll use Ethereal for most of the enumeration section because it does offer good filtering capabilities and is cross-platform enough to the degree that we can view packet data the same way across UNIX and Windows systems.
Ethereal requires drivers capable of monitor-mode operation. It also requires that the card be placed in monitor mode before you start capturing packets.
To use Ethereal to capture 802.11 packets, place your card into monitor mode with kismet_monitor or the card-specific command and then start Ethereal. Press CTRL-K or select the Capture Start menu to bring up the Capture Options window (shown next). Check the drop-down adapter list for your wireless interface (if it is not present, type in the interface name). You can configure the rest of the options as per your needs. Note that you do not need to be concerned with the "Capture packets in promiscuous mode" box. The card is placed in monitor mode before Ethereal is run, so this switch will not have an effect on the captured results.
The Ethereal interface is divided into three panes, as shown in Figure 8-9. The top window is the packet list pane and provides a summarized list of the packets captured. The middle pane shows a detailed breakdown of the packet selected in the packet list, and the bottom pane is a raw hex and ASCII dump called the data view pane.
You've probably used Ethereal to view packets on Ethernet networks before. Using it on 802.11 networks is similar, but you are given some new options to the existing Ethereal filtering rules using the wlan category.
Consult the Ethereal documentation for a complete listing of the wlan filter subcategories.
Airfart
| Popularity: | 8 |
| Simplicity: | 8 |
| Impact: | 4 |
| Risk Rating: | 5 |
Started as a mere project for a college-level computer science class by Dave Smith, Evan McNabb, and Kendee Jones, and further contributed to by Michael Golden, Airfart became a wireless security tool created to identify and analyze wireless access points (see Figure 8-10). Comically named Airfart, a combination of "Air" and "Traf" backwards ("Traf" being short for "traffic," if you haven't already figured it out), this tool's back end is written in C and C++, with the front end entirely composed of GTK.
The Airfart tool supports all Prism2 drivers and can be used with any standard Prism2 chipset-compatible wireless card. The Linux-born GTK interface of Airfart displays the MAC address of the identified AP, its SSID, the corresponding manufacturer (as correlated by the MAC), the signal strength, the number of packets received, and whether it's still active or not. Installation and usage are simple and on par with most Linux and UNIX make/make install utilities. The Airfart source can be downloaded from SourceForge at http://airfart.sourceforge.net.
AiroPeek NX
| Popularity: | 4 |
| Simplicity: | 8 |
| Impact: | 7 |
| Risk Rating: | 6 |
AiroPeek NX (http://www.wildpackets.com) is a commercial 802.11 monitoring and analysis tool available for Windows 2000 and XP. A few other commercial solutions for 802.11 packet captures are available on Windows, but AiroPeek NX is the most usable and is priced the lowest. Unfortunately, there are no free tools available to perform packet capturing on Windows operating systems, so if you are stuck in Windows, using AiroPeek NX or another commercial product is your only option. AiroPeek supports Lucent and Cisco 802.11b cards and also has support for some of the newer 802.11a cards. AiroPeek NX is primarily designed for wireless network troubleshooting and analysis, but it does have some security-friendly options as well (see Figure 8-11).
AiroPeek NX supports channel scanning at a user-defined interval as well as decrypting traffic on the fly with a provided WEP key. AiroPeek NX's filtering is also very easy to configure, and you can save filter combinations to template files. This gives you the ability to quickly switch between filter groups you may use for network discovery and other groups you may use for in-depth analysis. AiroPeek NX also provides a useful Nodes view, which groups detected stations by their MAC address and also shows the IP addresses and protocols observed for each. The Peer Map view presents a matrix of all hosts discovered on the network by their connections to each other. This can make it very easy to visualize access point and client relationships.
Note | Another excellent tool that can be used for packet sniffing and traffic analysis purposes is THC-Wardrive, from The Hacker's Choice (THC). THC is a group of security professionals who commonly create useful penetration testing tools. Their home page is located at http://www.thc.org. |
WifiScanner
| Popularity: | 4 |
| Simplicity: | 5 |
| Impact: | 2 |
| Risk Rating: | 4 |
WifiScanner is an 802.11b wireless network scanner that identifies wireless access points. It is a rough interface written for Linux platforms using the Prism2 card chipset. Information presented to the user includes the AP's MAC address, SSID, channel, encryption strength (if any), number of packets received, and whether the AP is still active (see Figure 8-12).
Each packet that is captured is displayed to a scrolling screen, as shown in Figure 8-12. The list will continue to scroll as long as packets are retrieved. The top window of WifiScanner is similar to an executive dashboard, providing high-level information about the access points. Airfart was created with the same idea in mind, and the interface is much cleaner. WifiScanner can be downloaded from its SourceForge home page at http://wifiscanner.sourceforge.net.