Windows Keyboard Shortcuts for Mozilla Firefox

- CTRL + A: Select all text on a webpage
- CTRL + B: Open the Bookmarks sidebar
- CTRL + C: Copy the selected text to the Windows clipboard
- CTRL + D: Bookmark the current webpage
- CTRL + F: Find text within the current webpage
- CTRL + G: Find more text within the same webpage
- CTRL + H: Opens the webpage History sidebar
- CTRL + I: Open the Bookmarks sidebar
- CTRL + J: Opens the Download Dialogue Box
- CTRL + K: Places the cursor in the Web Search box ready to type your search
- CTRL + L: Places the cursor into the URL box ready to type a website address
- CTRL + M: Opens your mail program (if you have one) to create a new email message
- CTRL + N: Opens a new Firefox window
- CTRL + O: Open a local file
- CTRL + P: Print the current webpage
- CTRL + R: Reloads the current webpage
- CTRL + S: Save the current webpage on your PC
- CTRL + T: Opens a new Firefox Tab
- CTRL + U: View the page source of the current webpage
- CTRL + V: Paste the contents of the Windows clipboard
- CTRL + W: Closes the current Firefox Tab or Window (if more than one tab is open)
- CTRL + X: Cut the selected text
- CTRL + Z: Undo the last action

- F1: Opens Firefox help
- F3: Find more text within the same webpage
- F5: Reload the current webpage
- F6: Toggles the cursor between the address/URL input box and the current webpage
- F7: Toggles Caret Browsing on and off. Used to be able to select text on a webpage with the keyboard
- F11: Switch to Full Screen mode

Amassing Your War Chest on The Hacking Wireless (3/3)

Stumbling tools
In the methodology Kevin describes in his book, Hacking For Dummies (Wiley),
and in the OSSTMM and ISSAF methods discussed in Chapter 2, the first step
in ethical hacking is the same: reconnaissance. The best type of tool for reconnaissance
is wardriving software. Programs like NetStumbler and Kismet help
you find access points. Refer to Chapters 9 and 10 for more on the various
stumbling tools.
You got the sniffers?
Stumbling tools help you find the access points, but that’s not enough. You
need to peek into the transmitted frames. If the frames are unencrypted, of
course, then this is an easy task. But when the frames are encrypted, you
need to decrypt the frame before you can look at it. This type of decryption
software is generally called a sniffer.
Many freeware and commercial sniffer products are floating around out there.
Some run on Windows, and others run on Linux. Two of the more popular
sniffers are Ethereal and AiroPeek, which we cover in Chapter 8.

Picking Your Transceiver
Wireless Networks For Dummies (Wiley) provides information on the various
form factors for your clients. You have lots of options to choose from. Picking
your wireless network interface card or transceiver depends on the operating
system you choose. When NetStumbler and Kismet first came out, there were
two chipsets for wireless NICs: Hermes and Prism2. As a general rule, if you
decide to use NetStumbler, you want a card based on the Hermes chipset.

Kismet, on the other hand, works best with a Prism2 (Intersil) card. If you are
prepared to do a kernel modification, then Hermes cards will work with Kismet.

Determining your chipset
Don’t know whether you have a Prism2 chipset or a Hermes chipset? The following
PC Card manufacturers use the Prism2 chipset:
- 3Com
- Addtron
- AiroNet
- Bromax
- Compaq WL100
- D-Link
- Farallon
- GemTek
- Intel
- LeArtery Solutions
- Linksys
- Netgear

Further, if you have a Prism2 chipset, you may see a computer with antenna
icon in the System Tray.
The following PC Card manufacturers use the Hermes (Lucent) chipset:
- Nokia
- Nortel
- Samsung
- Senao
- Siemens
- SMC
- Symbol
- Z-Com
- Zoom Technologies
- 1stWave
- Agere/ORiNOCO/Proxim
- Alvarion
- Apple
- ARtem
- Avaya
- Buffalo
- Cabletron
- Compaq WL110
- Dell
- ELSA
- Enterasys
- HP
- IBM
- SONY
- Toshiba

Much like the Prism2 chipset, if you have a Hermes (Lucent) chipset, you will
see an icon in the System Tray.
To find information for your Hermes chipset, visit www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Wireless.html and look for “orinoco.”

Buying a wireless NIC
When purchasing a wireless NIC, look for one that supports an external
antenna. Figure 4-13 depicts an ORiNOCO card with an external antenna connector
on the top. In this figure, the built-in antenna is the black plastic part
on the end.

The ORiNOCO Gold Classic card from either Agere or Lucent is a popular
card with wireless hackers because it has an external antenna connector
and works with both Kismet and NetStumbler. Take care when buying new
ORiNOCO cards. ORiNOCO is now owned by Proxim, which came out with
an ORiNOCO card not based on the Hermes chipset. The Hermes card is still
available, but it is usually sold as the ORiNOCO Gold Classic.

You can find a somewhat dated but useful comparison of the wireless cards
and their chipsets at Seattle Wireless: www.seattlewireless.net/index.cgi/HardwareComparison.

Extending Your Range
Antennae are generally optional, but if you want to test the boundary of your
wireless signal, they are a must. Many companies that sell PC wireless NIC
cards also sell antennae. But many of these cards do not come equipped with
a jack to plug in the antenna. Many people have resorted to modifying these
PC cards to add jacks or soldering wires to the built-in antennas of their
cards. Check out eBay for examples.

Wave guide cantenna.

Directional antennae are good for aiming at buildings across the street or
pointing to the top of a very tall building, but they are not really good for
wardriving. For wardriving, you want to get yourself an omnidirectional
antenna. Peter bought this 5 dBi antenna, which has a magnetic base
that can be attached to a car or cart, on eBay for
$5.95 (!). At that price, you should buy several and give them as gifts.


Omnidirectional antenna.

For more information on antennae, we encourage you to check out Wireless
Networks For Dummies (Wiley). That book outlines in depth the different
types of antennae. You’ll even find links for building your own wave guide
antenna like that shown in Figure 4-16. That book provides information on RF
mathematics so you can interpret what dBi means.
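The RF mathematics the book points to is short enough to carry through here. What follows is an added Python example, not code from the book or from any tool it names: it shows how dBm and milliwatts relate, how antenna gain in dBi and cable loss add up to effective radiated power, and how far a signal at that power carries in free space. The 5 dBi gain matches the omnidirectional antenna described above; the transmit power, cable loss, channel and receiver sensitivity are constructed illustrative values, not measurements.

```python
import math

# Constructed scenario (illustrative values, not measured): an 802.11b/g access
# point transmitting 15 dBm on channel 6 into a 5 dBi omnidirectional antenna
# through a pigtail that loses 1 dB.
TX_POWER_DBM = 15.0
ANTENNA_GAIN_DBI = 5.0
CABLE_LOSS_DB = 1.0
CHANNEL_6_MHZ = 2437.0
RX_SENSITIVITY_DBM = -85.0   # a plausible card sensitivity at a low data rate


def dbm_to_mw(dbm: float) -> float:
    """dBm is a logarithmic scale referenced to 1 mW: 0 dBm = 1 mW, every +10 dB is x10."""
    return 10 ** (dbm / 10.0)


def mw_to_dbm(mw: float) -> float:
    return 10.0 * math.log10(mw)


def eirp_dbm(tx_dbm: float, antenna_dbi: float, cable_loss_db: float = 0.0) -> float:
    """Effective isotropic radiated power: in dB, gains and losses simply add."""
    return tx_dbm + antenna_dbi - cable_loss_db


def eirp_to_erp_dbm(eirp: float) -> float:
    """ERP is referenced to a half-wave dipole rather than an isotropic radiator;
    a dipole has 2.15 dBi of gain, so ERP = EIRP - 2.15 dB."""
    return eirp - 2.15


def free_space_path_loss_db(distance_m: float, freq_mhz: float) -> float:
    """Friis free-space loss with distance in km and frequency in MHz (constant 32.44)."""
    d_km = distance_m / 1000.0
    return 20.0 * math.log10(d_km) + 20.0 * math.log10(freq_mhz) + 32.44


def received_power_dbm(eirp: float, distance_m: float, freq_mhz: float, rx_gain_dbi: float) -> float:
    """Link budget: what a receiver with the given antenna gain sees at that distance."""
    return eirp - free_space_path_loss_db(distance_m, freq_mhz) + rx_gain_dbi


def max_range_m(eirp: float, rx_gain_dbi: float, rx_sensitivity_dbm: float, freq_mhz: float) -> float:
    """Solve the link budget for the distance at which received power falls to the
    receiver's sensitivity. Free space only: walls and ground clutter cut this sharply."""
    allowed_loss_db = eirp + rx_gain_dbi - rx_sensitivity_dbm
    d_km = 10 ** ((allowed_loss_db - 32.44 - 20.0 * math.log10(freq_mhz)) / 20.0)
    return d_km * 1000.0


if __name__ == "__main__":
    eirp = eirp_dbm(TX_POWER_DBM, ANTENNA_GAIN_DBI, CABLE_LOSS_DB)
    print(f"EIRP {eirp:.2f} dBm ({dbm_to_mw(eirp):.1f} mW), ERP {eirp_to_erp_dbm(eirp):.2f} dBm")
    for d in (50, 200, 1000):
        rx = received_power_dbm(eirp, d, CHANNEL_6_MHZ, rx_gain_dbi=ANTENNA_GAIN_DBI)
        print(f"{d:5d} m: {rx:7.2f} dBm at a 5 dBi receiving antenna")
    print(f"free-space range to {RX_SENSITIVITY_DBM} dBm: "
          f"{max_range_m(eirp, ANTENNA_GAIN_DBI, RX_SENSITIVITY_DBM, CHANNEL_6_MHZ):.0f} m")
```

The point for boundary testing is the last number: with these figures the free-space range to a 5 dBi omni comes out near 2 km, which is why an access point you can barely hear inside the building is still visible from a car some distance away. Real buildings add tens of dB of loss, so treat the free-space figure as the worst case for how far your signal leaks, not as what you will measure.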

Using GPS
While driving in an unfamiliar place, Peter’s family often asks, “Where are we?”
Until he got his global positioning system (GPS), he couldn’t always answer the
question with great precision. As an answer, “somewhere between the Colorado
border and El Paso” doesn’t cut it, especially when you get close to restricted
government areas. Now, with GPS, he can tell you the exact latitude and longitude.
That GPS device can help with your wireless hacking efforts as well.

Using your GPS system with your wardriving software can give you more
information. Remember, the hacker’s primary law is more information is
better. When you have to cover a large area in a short amount of time, the
GPS is essential. Otherwise, you may not find the access point again.
To use GPS with wardriving software, you get the GPS unit to output GPS
coordinates to the computer’s serial port. When you find a wireless access
point, Kismet and NetStumbler log the exact coordinates (down to a few feet)
of the effective range.

Make sure you get a serial or USB cable to connect to your workstation when
you buy your GPS device. If you are going to use the serial cable, ensure that
you have a serial port; otherwise you’ll need a serial-to-USB adapter. The
standard protocol for GPS is NMEA (National Marine Electronics Association),
which dumps your coordinates every 2 seconds to a serial port via a special
cable at 9600,8,N,1. If you use a Garmin GPS, you can use the Garmin format.
The Garmin eTrex Venture is nice for its size and cost (about $150). The
Garmin reports every second, compared to every 2 seconds for the NMEA
standard. However, Kismet supports only the NMEA format.
GPS units start at $100 and can run into the thousands. Peter purchased
Microsoft Maps & Streets 2005 with GPS for about $129. The GPS (shown in
Figure 4-16) labeled Microsoft is actually manufactured by Pharos, a well-known
GPS vendor.
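The NMEA sentences the GPS dumps to the serial port are plain ASCII lines, so it is worth seeing what the wardriving software has to do with one before it writes a coordinate next to an access point. The following Python is an added example, not code from the book, from Kismet or from NetStumbler. It validates a GGA sentence's XOR checksum, converts the ddmm.mmmm fields to signed decimal degrees, and refuses to produce a position when the checksum fails or the receiver reports no fix, which is exactly the case where a logged access point would never be found again. The sample lines are constructed: the first is the GGA example that circulates in NMEA documentation, the second is a copy with one digit altered so the checksum no longer matches. Reading from the serial port itself is left out so the block runs offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not from the book): two GGA sentences as a receiver
# configured for 9600,8,N,1 would emit them, one line per sentence.
SAMPLE_LINES = [
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    "$GPGGA,123519,4807.039,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",  # bad checksum
]


@dataclass
class Fix:
    time_utc: str
    lat: float          # signed decimal degrees, south negative
    lon: float          # signed decimal degrees, west negative
    quality: int        # GGA fix quality: 0 = no fix, 1 = GPS, 2 = differential GPS
    satellites: int
    altitude_m: float


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', rendered as two upper-case hex digits."""
    csum = 0
    for byte in body.encode("ascii"):
        csum ^= byte
    return f"{csum:02X}"


def split_sentence(line: str) -> Optional[List[str]]:
    """Return the comma-separated fields of a sentence whose framing and checksum check out."""
    match = re.fullmatch(r"\$([^*\r\n]*)\*([0-9A-Fa-f]{2})", line.strip())
    if match is None:
        return None
    body, given = match.group(1), match.group(2).upper()
    if nmea_checksum(body) != given:
        return None  # garbled on the serial line: never log a position from it
    return body.split(",")


def ddmm_to_decimal(value: str, hemisphere: str) -> float:
    """Convert NMEA 'ddmm.mmmm' (or 'dddmm.mmmm') plus a hemisphere letter to decimal degrees."""
    dot = value.index(".")
    degrees = int(value[: dot - 2])
    minutes = float(value[dot - 2 :])
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal


def parse_gga(line: str) -> Optional[Fix]:
    """Parse one GGA sentence; return None for anything that should not be logged."""
    fields = split_sentence(line)
    if fields is None or not fields[0].endswith("GGA") or len(fields) < 10:
        return None
    quality = int(fields[6] or 0)
    if quality == 0:
        return None  # receiver has no fix; the coordinate fields are empty or stale
    return Fix(
        time_utc=fields[1],
        lat=ddmm_to_decimal(fields[2], fields[3]),
        lon=ddmm_to_decimal(fields[4], fields[5]),
        quality=quality,
        satellites=int(fields[7]),
        altitude_m=float(fields[9]),
    )


def usable_fixes(lines: List[str]) -> List[Fix]:
    """Keep only the sentences a stumbler could safely attach to an access-point record."""
    return [fix for fix in (parse_gga(line) for line in lines) if fix is not None]


if __name__ == "__main__":
    for fix in usable_fixes(SAMPLE_LINES):
        print(f"{fix.time_utc} UTC  {fix.lat:.5f}, {fix.lon:.5f}  sats={fix.satellites}")
```

To feed it live data, open the port with pyserial as `serial.Serial(port, 9600)`; its defaults of eight data bits, no parity and one stop bit are the 9600,8,N,1 setting mentioned above, and each `readline()` result goes straight to `parse_gga`. Only the first sample line yields a fix; the corrupted copy is dropped by the checksum test rather than becoming a wrong coordinate in the log.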

If you buy the Microsoft MapPoint software, you can take your output from
NetStumbler and dump it right into StumbVerter (www.michiganwireless.org/tools/Stumbverter), which plots it on a map for you. You can then
take your output, massage it, and import it into your Maps & Streets GPS
device. The mapping software table below lists some
common mapping applications and their support for wardriving.

Mapping software (developer and product; GPS interface support; imports “pushpins”; NetStumbler support):
- DeLorme Street Atlas USA: GPS interface yes; pushpins yes; NetStumbler support via WiMap
- DeLorme TopoUSA: GPS interface yes; pushpins yes; NetStumbler support via Perl script
- DeLorme XMap: GPS interface yes; pushpins yes; NetStumbler support via Perl script
- Microsoft MapPoint: GPS interface yes; pushpins yes; NetStumbler support via StumbVerter
- Microsoft Streets and Trips: GPS interface yes; pushpins yes; NetStumbler support via Perl script

Signal Jamming
You can buy a transmitter and jam a signal, but jamming happens accidentally
as well. Real crackers may jam your signals to deny service to your legitimate
clients. The following can affect your signal:
1. Cordless phones can cause narrowband interference, which may mean you need to eliminate the source.
2. Bluetooth devices and microwave ovens can cause all-band interference, which may mean you need to change the technology or eliminate the source.
3. Lightning can charge the air, which may mean you need to ground and protect your equipment.

So, random interference can result in denial of service, but someone can do it
intentionally as well by using one of two types of RF jamming devices:
1. RF generators are rather expensive devices. You can get RF generators from companies like HP (www.hp.com) and Anritsu (www.anritsu.com).
2. Power signal generators (PSGs) are not as pricey. They are used to test antennae, cables, and connectors. You can get PSGs from YDI (www.ydi.com) and Tektronix (www.tek.com).

A variety of jammers are complete, standalone systems consisting of appropriate
antennae, energy sources, and modulation electronics, such as techniques
generators. But what causes interference is the effective radiated
power (ERP). You can use the jammer to disrupt the operation of electromagnetic
systems in either receiving or transmitting modes to reduce or deny the
use of portions of the electromagnetic spectrum.

You may want to test your wireless network to discover how susceptible it is
to signal jamming from outside your organization. If you plan to run mission-critical
applications over wireless networks, then you need to know whether
others can cause unplanned network outages.




Taken from:
Hacking Wireless Networks For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com

Amassing Your War Chest on The Hacking Wireless (2/3)

Setting up VMware
VMware allows you to run simultaneous operating systems. The VM in
VMware stands for virtual machine. You install a host operating system, such
as Windows XP, and then install VMware Workstation on top of it. Then you
install the guest operating system in VMware. The virtual machine is similar
to your real machine: You can power it on and off, and it boots up just like
the real thing. As a guest operating system, VMware allows you to install anything
that runs on the Intel x86 architecture. This means you can install
Solaris x86, Windows 2003 Server, Red Hat Linux, SUSE Linux, or any other
operating system you choose. Still need to test Windows 98 programs? Use
VMware. The only thing stopping you from running every operating system
known to man is disk space and real memory.

You can download VMware from www.vmware.com. It takes up approximately 21 MB.
Hover your cursor over the Products link at the top of the page and select the
VMware Workstation link from the resulting drop-down list. If you click the
red Buy Now button at the top, you go to the VMware Store, where you find
out that VMware Workstation for Windows costs $189. After you use the software
for a while, you’ll agree this is a good price. (You can get a 30-day trial if
you are not convinced.)

After you download VMware, it installs like any Windows application. Just
follow the installation wizard.
During the download process, you might see a warning message to disable
AutoRun. VMware doesn’t like the CD-ROM AutoRun feature. (From a security
standpoint, you shouldn’t either.) Agreeing with VMware and disabling
AutoRun is a good idea.
When the installation is complete, you need to reboot your machine. Now
you are ready to add some guests or virtual machines. Installing new
machines is easy:

1. Start VMware.
You see a window like the one shown in

2. Click the New Virtual Machine icon.
This starts the process of creating your first virtual machine. The New
Virtual Machine wizard appears.

3. Click Next.

4. Select Typical and click Next.
The Select a Guest Operating System window appears.

5. Select the OS you want to install.
You have a choice of the following:
• Microsoft Windows
• Linux
• Novell Netware
• Sun Solaris
• Other
If you select Other, you can install FreeBSD. Many good tools run on BSD.
If you select Linux, you can select a Linux version from the drop-down box.

6. Select the version you have and click Next.

7. Type a name for your guest in the Virtual Machine Name box. Then click Next.
You can create any name you want, so pick one that is meaningful to
you. Also, decide where you want to store the image. Leave the default
unless you have a compelling reason not to do so.

8. Select the Network Type. Click Next.
We suggest that you select Use Bridged Networking because it allows
you to talk to your host operating system.

9. Specify Disk Capacity.
Virtual machines have virtual disks. You can pick any size you want as
long as you have the available space. We recommend you leave the
default of 4GB and leave the two other boxes deselected.

10. Click Finish.
However, you are not quite finished because you don’t have a
system image.

You now have a big choice. You can start the VM and install Red Hat
Linux from a CD-ROM, or you can point to an ISO image. For this exercise,
we’ll do the latter.

11. From the Commands panel, click Edit Virtual Machine Settings.

12. Click CD-ROM.
If you want to install the operating system from a CD, then skip to Step 14.

13. From the right-hand pane, select Use ISO image.

14. Click the Browse button and find your ISO image. Click OK.

15. Click Start This Virtual Machine from the left-hand pane.
When you do this, you see a familiar display: The VM goes through the
POST routine, does a memory check, and then boots itself.

Cygwin and VMware are wonderful tools, but you need to install them on
your system; they won’t run any other way. If you don’t want to install software
on your system, you can use products like Knoppix and WarLinux that
boot from a diskette or a CD.

Linux distributions on CD
The following solutions are different from the partitioning and emulation
solutions discussed above. What makes them different is that you don’t need
to install them on your system: They boot and run completely from a CD.
Knoppix, for instance, runs from a CD based on the Linux 2.6.x kernel. It is
a free and Open Source GNU/Linux distribution. You don’t need to install
anything on a hard disk; it’s not necessary. Knoppix has automatic hardware
detection and support for many graphics cards, sound cards, SCSI and USB
devices, and other peripherals. It includes recent Linux software, the K Desktop
Environment (KDE), and programs such as OpenOffice, Abiword, The Gimp
(GNU Image Manipulation Program), the Konqueror browser, the Mozilla
browser, the Apache Web server, PHP, MySQL database, and many more quality
open-source programs. Knoppix offers more than 900 installed software
packages with over 2,000 executable user programs, utilities, and games.
You can download Knoppix (it is approximately 700 MB) or you can buy it
from a CD distributor. Knoppix is available for download from www.knoppix.
net/get.php. It’s also included on a DVD in Knoppix For Dummies by Paul
Sery (Wiley).
Knoppix is not the only distribution of Linux that fits on a CD. Consider also
using one of the following Linux CD distributions:
- Cool Linux CD: http://sourceforge.net/project/showfiles.php?group_id=55396&release_id=123430
- DSL (Damn Small Linux): www.damnsmalllinux.org
- GNU/Debian Linux: www.debian.org
- SLAX: http://slax.linux-live.org
- WarLinux: http://sourceforge.net/projects/warlinux

WarLinux is a special Linux distribution made for wardrivers. It is available
on either a disk or bootable CD. The developer of WarLinux
intended systems administrators to use it to audit and evaluate their
wireless network installations.




Amassing Your War Chest on The Hacking Wireless (1/3)

In This Chapter
1. Choosing your platform: PDAs versus laptops
2. Choosing your software
3. Using software emulators
4. Choosing transceivers, antennae, and GPS
5. Signal jamming

A cyberwar is being waged. Your perimeter is under siege. What makes
the attack especially insidious is that you cannot see your enemy. This
isn’t hand-to-hand combat. Your enemy could be 2 miles from your office and
still access your network and data. Your access point is your first line of
defense in this war. It behooves you, then, to prepare for battle.

One way to prepare for any war is to participate in war games. Real war
games allow you to test your equipment, tactics, and operations. In this case,
war games allow you to test your wireless networks under normal conditions.
Like the Reservist going off to war, you also must receive adequate training
on the latest weapons and tactics. Although the rest of the book focuses on
tactics, this chapter focuses on equipment. You need practice with the tools
the crackers use for real.

You need some hardware and software, but you have choices about what
type of hardware and software you use. This chapter serves as your armory.
If you favor the Windows platform, we have some tools for you. Should you
favor Linux, you will find some tools as well. We don’t leave Apple enthusiasts
out; we have something for you, too.

Choosing Your Hardware
What’s your poison? Laptop or personal digital assistant? The two primary
hardware platforms for wireless hacking are
- Personal digital assistant (PDA) or personal electronic device (PED)
- Portable or laptop

Each platform has its pros and cons. First, a PDA is readily portable so you
can easily carry it from place to place. However, you won’t find as many tools
for the PDA as you will for other platforms — depending on the operating
system you run on your handheld device. If you run the Zaurus operating
system, for example, you have more choices for software than you do if you
choose the Pocket PC operating system.

One thing is safe to say: You don’t want to run wireless-hacking tools on a
desktop. You may want to store NetStumbler files on the desktop, but the
desktop is not really portable. The key thing to think about when choosing
your hardware is portability. When performing hacking tests, you must be
able to walk around your office building or campus, so a desktop is probably
not the best choice. However, we know of people who use mini-towers in
their cars for wardriving (discussed later in this chapter), but we don’t recommend
it!

The personal digital assistant
Because of its portability, a PDA is the perfect platform for wardriving — but
not for tasks requiring processing power. You want to get a PDA that uses
either the ARM, MIPS, or SH3 processor. We recommend the Hewlett-Packard
iPAQ (ARM processor), the Hewlett-Packard Jornada (SH3 processor), or the
Casio MIPS for wardriving. These are handy devices since someone was kind
enough to develop network discovery software for these platforms.

ARM’s processor technology has been licensed by more than 100 parties, so
you should easily find a solution you like. It’s so easy, in fact, that you would
better spend your time choosing the right operating system for your needs. We
tell you more about operating systems in the software section of this chapter.

The portable or laptop
PDAs are great, but, typically, ethical hackers use laptops. Laptops have
dropped dramatically in price the last few years, so they have become more
accessible. You don’t need a lot of processing power, but, to paraphrase Tim
Allen, more power is better. You can use almost any operating system, including
Windows 98, although you will find you get better results when using a
newer and supported operating system. In addition to the laptop, you need
the following components to get maximum results from your ethical hacking:
- Hacking software
- A wireless network interface card (NIC) that can be inserted into your laptop — preferably one with an external antenna jack
- External antenna (directional or omnidirectional) with the proper pigtail cable to connect your external antenna to your wireless NIC
- Portable global positioning system (GPS)
- DC power cable or DC to AC power inverter to power your laptop from your car’s 12-volt DC cigarette lighter plug socket. These are widely available from RadioShack, Kmart, Staples, CompUSA, or Wal-Mart stores.
The next few sections discuss these components in greater detail.

Hacking Software
To do your job properly, you need a selection of freeware and commercial
software. Fortunately, a glut of freeware programs is available, so you don’t
need a champagne budget; a beer budget should suffice. In fact, if you are
prepared to run more than one operating system, you can get by using only
freeware tools. You need the following software to do all the hacking exercises
in this book:
- Partitioning or emulation software
- Signal strength–testing software
- Packet analyzer
- Wardriving software
- Password crackers
- Packet injectors

Using software emulators
In a perfect world, all the tools available would work on the same operating
system. But in the real world, that’s not the case. Many great tools operate on
operating systems that are incompatible with each other. Very few of us, of
course, are conversant with multiple operating systems. Also, few of us have
the money to support duplicate hardware and software. So, how can you use
all these tools? You need to find a solution that allows you to run more than
one operating system on the same machine.

To solve this problem, people often build dual-boot or multi-boot workstations.
You can use a product like Symantec’s PartitionMagic (www.symantec.com/partitionmagic) to set up partitions for the various operating systems. For
more information about setting up and using PartitionMagic, among other
things, check out Kate Chase’s Norton All-in-One Desk Reference For Dummies
(Wiley). After you set up your partitions, you install the operating systems on
the various partitions.

When everything’s installed, you can select the operating system you want to
use when you boot the system. Say you’re using NetStumbler on Windows XP
and you decide to use WEPcrack — which is available only on Linux — on the
access points you just identified with NetStumbler. You shut down Windows
XP, reboot your system, and select the Red Hat Linux operating system. When
you want to use Windows XP again, you must do the reverse. This isn’t a bad
solution, but flipping back and forth a lot eats up valuable time. And managing
your partitions and trying to make the operating systems coexist on the
same hardware can be challenging.

Enter software emulators. Software emulators allow you to emulate a guest
operating system by running it on top of a host operating system. You can
run Linux emulation on a Windows host, and vice versa. To emulate Windows
or DOS on a Linux host, you can choose one of the following Windows-based
emulators:
- Bochs (http://bochs.sourceforge.net)
- DOSEMU (www.dosemu.org)
- Plex86 (http://savannah.nongnu.org/projects/plex86)
- VMware (www.vmware.com)
- WINE (www.winehq.com)
- Win4Lin (www.netraverse.com)

Alternatively, you can emulate Linux on a Windows host. To do this, choose
one of the following Linux-based emulators:
- Cygwin (http://cygwin.com)
- VMware (www.vmware.com)

Mac lovers can already run most of the UNIX tools under the Mac OS. To
emulate the Windows environment, you can run an emulator like Microsoft
Virtual PC (www.microsoft.com/mac/products/virtualpc/virtualpc.aspx?pid=virtualpc).
To get you going, the next two sections discuss Cygwin and VMware, two
excellent examples of emulation software.

Setting up Cygwin
Do you use Windows but have software that only runs on Linux? If so, Cygwin
is your answer. Cygwin is a contraction of Cygnus + Windows. It provides a
UNIX-like environment consisting of a Windows dynamically linked library
(cygwin1.dll). Cygwin is a subsystem that runs on Windows and intercepts
and translates UNIX commands. This is transparent to the user. With Cygwin,
you can have the experience of running xterm and executing ls commands
without ever leaving your safe Windows environment.

First, download Cygwin by going to http://cygwin.com. Installing Cygwin is
easy when you follow these steps:

1. On the home page, click the Install or Update Now! (Using setup.exe) link about halfway down the page.
You see a File Download – Security Warning window.

2. Click Run to download Cygwin.
You see the message

3. Click Run to run setup.exe.
You see the Cygwin Setup window



Security warning.

4. Click Next.

Cygwin setup.

5. Select Install from Internet and click Next.
This is the installation type. If you have a CD-ROM with Cygwin, select
Install from Local Directory instead.
The Choose Installation Directory dialog box appears, as shown in this picture



Choosing the installation directory.

6. Choose the installation directory options based on your needs and setup and then click Next.
After installation, this is the Cygwin root directory. Leave the default or
click Browse to select another location. You can decide whether to make
Cygwin available to all users or just to you. In addition, you can decide
whether you want DOS or UNIX file types.

7. Select a location in which to store the installation files. Then click Next.
Unless you have a compelling reason for not doing it, use the default. If
you must put the installation files somewhere else, click Browse and
select the location.

8. Select the type of Internet connection you have. Click Next.
We suggest that when you aren’t sure what to select here, use the
default. If you’re doing this from your home office, then Direct
Connection should work. If you’re at work, you might have a proxy
server. If you have a proxy server, it’s perhaps best to talk to your
system administrator.

9. Select a download site from the scroll box. Click Next.
You may have to try a few download sites before you find one that works
for you. Peter tried several times to find a site. Either it would not start
the download and required him to select a new site or it got halfway
through the download and quit. You must persevere. Cygwin is worth it.
The Select Packages window appears, as shown in this picture


Selecting the packages to install.

10. Select the packages you want to install. Click Next.
If you want them all, click Default beside the word All under Category.
The word Default appears next to many categories. Clicking this word
more than once produces a range of results: Click it once, and it changes
to Install. Click again, and it’s Reinstall. Click it again, and it’s Uninstall.
Click one last time, and you are back at Default. We suggest you select
Install. Installing everything takes up approximately 1 gigabyte. If you
don’t have the available space, select only those categories you think
you will need.

If you choose to install everything, it can take a long time. Obviously,
how long depends on the bandwidth of your connection to the Internet.
It also depends on the speed of your processor. But trust us, when you
install everything, it takes time, so prepare yourself for a long wait.
Should you choose not to install a package at this time, you can always
do so at a later time. Rerun the setup.exe program and install those
programs you now want.

While Cygwin installs, the progress window shown in the picture tracks
your progress as it downloads the various components.
When the setup is complete, you see the window shown in this picture


Cygwin downloading.

11. If you want to create desktop or Start menu icons, select (or deselect) the appropriate options. Click Finish.
That’s it. You are now the proud owner of Cygwin.


Cygwin window.

Cygwin presents you with a command prompt. This is a bash shell. The Cygwin
user is the same as the Windows user. If you want to see what Cygwin has
mounted for you, in addition to the contents of the c:/cygwin directory you
created, type df at the prompt. The c:/cygwin directory is the root directory.
You have the opportunity to try some of the UNIX tools in later chapters. But
just to get started, type uname -a at the prompt. Try an ls -al command.
Ever cursed Windows because you couldn’t easily find out what processes
are executing? Well, you just have to execute the ps -aWl command. (You
might want to redirect (>) the output to a file.) If you’re not familiar with UNIX
commands, then you need to get a good UNIX book. Why not start with UNIX
For Dummies, 5th Edition, by John Levine and Margaret Levine Young (Wiley)?

Cygwin has a couple of drawbacks:
- You have to use the UNIX version it gives you.
- You cannot run other operating systems.
That’s a pretty short list considering that Cygwin is free (it is distributed under
the GNU Public License). However, should you feel flush, you can move up to
VMware.




The Wireless Hacking Process (2/2)

Thou shalt report all thy findings
Should the duration of your test extend beyond a week, you should provide
weekly progress updates. People get nervous when they know someone is
attempting to break into their networks or systems — and they don’t hear
from the people who’ve been authorized to do so.
You should plan to report any high-risk vulnerabilities discovered during testing
as soon as they are found. These include
- discovered breaches
- vulnerabilities with known — and high — exploitation rates
- vulnerabilities that are exploitable for full, unmonitored, or untraceable access
- vulnerabilities that may put immediate lives at risk

You don’t want someone to exploit a weakness that you knew about and
intended to report. This will not make you popular with anyone.
Your report is one way for your organization to determine the completeness
and veracity of your work. Your peers can review your method, your findings,
your analysis, and your conclusions, and offer constructive criticism or suggestions
for improvement.

If you find that your report is unjustly criticized, following the Ten
Commandments of Ethical Hacking should easily allow you to defend it.
One last thing: When you find 50 things, report on 50 things. You need not
include all 50 findings in the summary but you must include them in the
detailed narrative. Withholding such information conveys an impression
of laziness, incompetence, or an attempted manipulation of test results.
Don’t do it.

Understanding Standards
Okay, we’ve told you that you need to develop a testing process — here’s
where we give you guidance on how to do so. We wouldn’t keep you hanging
by a wire (this is, after all, a wireless book). The following standards (which
we get friendly with in the upcoming sections) provide guidance on performing
your test:
- ISO 17799
- COBIT
- SSE-CMM
- ISSAF
- OSSTMM

You may find that the methodology you choose is preordained. For instance,
when your organization uses COBIT, you should look to it for guidance. You
don’t need to use all of these methodologies. Pick one and use it. A good
place to start is with the OSSTMM.

Using ISO 17799
The ISO/IEC 17799 is an internationally adopted “code of practice for information
security management” from the International Organization for Standardization
(ISO). The international standard is based on British Standard BS-799.
You can find information about the standard at www.iso.org.
ISO/IEC 17799 is a framework or guideline for your ethical hack — not a true
methodology — but you can use it to help you plan. The document does not
specifically deal with wireless, but it does address network-access control.
The document is a litany of best practices at a higher level than we would
want for a framework for ethical hacking.
One requirement in the document is to control access to both internal and
external networked services. To cover this objective, you need to try to connect
to the wireless access point and try to access any resource on the wired
network.

The document also requires that you ensure there are appropriate authentication
mechanisms for users. You can test this by attempting to connect to a
wireless access point (AP). When there is Open System authentication (see
Chapter 16) you need not do any more work. Obviously no authentication
is not appropriate authentication. APs with shared-key authentication may
require you to use the tools shown in Chapter 15 to crack the key. If the AP is
using WPA security, then you will need to use another tool, such as WPAcrack.
Should the AP implement Extensible Authentication Protocol (EAP), you may
need a tool such as asleap (see Chapter 16).
Bottom line: These guidelines don’t give you a step-by-step recipe for testing,
but they can help you clarify the objectives for your test.

Using COBIT
COBIT is an IT governance framework. Like ISO 17799, this framework will
not provide you with a testing methodology, but it will provide you with the
objectives for your test.
You can find information about COBIT at www.itgi.org/.

Using SSE-CMM
Ever heard of the CERT? (Give you a hint: It’s not a breath mint or a candy.)
It’s the Computer Emergency Response Team that’s part of the Software
Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh,
Pennsylvania. Well, the SEI is known for something else: It developed a
number of capability maturity models (CMM) — essentially specs that can give
you a handle on whether a particular system capability is up to snuff. The SEI
included a CMM just for security — the Systems Security Engineering CMM
(SSE-CMM for short). Now, the SSE-CMM won’t lay out a detailed method of
ethical hacking, but it can provide a framework that will steer you right. The
SSE-CMM can help you develop a scorecard for your organization that can
measure security effectiveness.
You can find out about SSE-CMM at www.sei.cmu.edu/.
The Computer Emergency Response team also sends out security alerts and
advisories. The CERT has a methodology as well — OCTAVE. OCTAVE stands
for Operationally Critical Threat, Asset, and Vulnerability Evaluation. You can
use OCTAVE as a methodology to build a team, identify threats, quantify vulnerabilities,
and develop an action plan to deal with them.
You can find OCTAVE at www.cert.org/octave.

Using ISSAF
The Open Information System Security Group (www.oissg.org) has published
the Information Systems Security Assessment Framework (ISSAF).
Developed as an initiative by information-security professionals, the ISSAF is
a practical tool — a comprehensive framework you can use to assess your
security effectiveness. It’s an excellent resource to use as you devise
your test. (Draft 0.1 has, in fact, 23 pages on WLAN security assessment.)
The ISSAF details a process that includes the following steps:
1. Information gathering
a. Scan
b. Audit
2. Analysis and research
3. Exploit and attack
4. Reporting and presentation

These steps correspond to our Ten Commandments of Ethical Hacking. For
each of the steps just given, the document identifies appropriate tasks and
tools. For example, the scanning step lists the following tasks:
1. Detect and identify the wireless network
2. Test for channels and ESSID
3. Test the beacon broadcast frame and recording of broadcast information
4. Test for rogue access points from outside the facility
5. IP address collection of access points and clients
6. MAC address collection of access points and clients
7. Detect and identify the wireless network

The document recommends you use programs such as Kismet, nmap, and
ethereal as tools for Step 1.
You also will find information in the document on the software you can use
and the equipment you will need to build or acquire to do your assessment
of your organization’s wireless-security posture.
The document we reviewed was a beta version, but it shows promise and is
worth watching. You can find the ISSAF at www.oissg.org/issaf.

Using OSSTMM
We do recommend you take a long and hard look at the OSSTMM — the Open
Source Security Testing Methodology Manual (www.osstmm.org). The Institute
for Security and Open Methodologies (ISECOM), an open-source collaborative
community, developed the OSSTMM’s methods and goals much along the
lines of the ISSAF: as a peer-review methodology. Now available as version
3.0, the OSSTMM has been available since January 2001 and is more mature
than the ISSAF.

You’ll find that the OSSTMM gathers the best practices, standard legal issues,
and core ethical concerns of the global security-testing community — but
this document also serves another purpose: consistent definition of terms.
The document provides a glossary that helps sort out the nuances of vulnerability
scanning, security scanning, penetration testing, risk assessment,
security auditing, ethical hacking, and security hacking. The document also
defines white-hat, gray-hat, and black-hat hackers, so that by their metaphorical
hats ye shall know them. But even more importantly (from your viewpoint
as an ethical-hacker-to-be), it provides testing methodologies for wireless
security, distilled in the following bullets:

- Posture review: General review of best practices, the organization’s industry regulations, the organization’s business justifications, the organization’s security policy, and the legal issues for the organization and the organization’s regions for doing business.
- Electromagnetic radiation (EMR) testing: Testing of the electromagnetic radiation emitted from wireless devices.
- 802.11 wireless-networks testing: Testing of access to 802.11 WLANs.
- Bluetooth network testing: Testing of Bluetooth ad-hoc networks.
- Wireless-input-device testing: Testing of wireless input devices, such as mice and keyboards.
- Wireless-handheld testing: Testing of handheld wireless devices, such as personal digital assistants and personal electronic devices.
- Cordless-communications testing: Testing of cordless communication devices, such as cellular technology.
- Wireless-surveillance device testing: Testing of wireless surveillance or monitoring devices, such as cameras and microphones.
- Wireless-transaction device testing: Testing of wireless-transaction devices, such as uplinks for cash registers and other point-of-sale devices in the retail industry.
- RFID testing: Testing of RFID (Radio Frequency Identifier) tags.
- Infrared testing: Testing of infrared communication devices.
- Privacy review: General privacy review of the legal and ethical storage, transmission, and control of data, based on employee and customer privacy.

Each step has associated tasks that provide more detail and specific tests. As
well, each step has a table that outlines the expected results. For example,
expected results for Step 3 include these:
1. Verification of the organization’s security policy and practices — and those of its users.
2. Identification of the outermost physical edge of the wireless network.
3. Identification of the logical boundaries of the wireless network.
4. Enumeration of access points that lead into the network.
5. Identification of the IP-range (and possibly DHCP-server) of the wireless network.
6. Identification of the encryption methods used for data transfer.
7. Identification of the authentication methods of exploitable “mobile units” (that is, the clients) and users.
8. Verification of the configuration of all devices.
9. Determination of the flaws in hardware or software that facilitate attacks.

Obviously, you need to cut and paste these tests according to your needs.
For instance, should your organization not have infrared, then you would
skip Step 11.
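The OSSTMM expected results for 802.11 testing just listed (enumerating access points, identifying the network’s logical boundaries, and identifying its encryption and authentication methods), the ISSAF scanning tasks (detecting networks, collecting channels, ESSIDs and MAC addresses, and spotting rogue access points), and the ISO 17799 objective of appropriate authentication all reduce to the same clerical step: compare what a stumbling tool saw against what the organization says it owns. The script below is an added example, not code from the book or from ISECOM or OISSG; the CSV field layout, the sample scan records, the authorized-AP inventory, and the severity labels are all constructed for illustration.

```python
"""Audit a wardriving scan export against an authorized-AP inventory.

Added example (not from the book): maps constructed scan records onto the
OSSTMM expected results for 802.11 testing (enumerate APs, identify
encryption and authentication methods, find rogue APs) and the ISO 17799
"appropriate authentication" objective. Severities and field layout are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    encryption: str  # "none", "wep", "wpa", "wpa2"
    auth: str        # "open", "shared", "psk", "eap"


# Constructed sample export, one AP per line: bssid,ssid,channel,encryption,auth.
SCAN_LINES = [
    "00:11:22:33:44:01,CORP-WLAN,6,wpa2,eap",
    "00:11:22:33:44:02,CORP-WLAN,11,wpa2,eap",
    "00:11:22:33:44:03,CORP-GUEST,1,none,open",
    "aa:bb:cc:dd:ee:01,CORP-WLAN,6,wep,shared",  # unknown BSSID using the corporate SSID
    "aa:bb:cc:dd:ee:02,linksys,6,none,open",     # user-installed AP left at defaults
    "00:11:22:33:44:04,CORP-LEGACY,11,wpa,psk",
]

# Constructed (hypothetical) inventory of authorized APs: BSSID -> expected SSID.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
    "00:11:22:33:44:03": "CORP-GUEST",
    "00:11:22:33:44:04": "CORP-LEGACY",
}


def parse_scan_line(line: str) -> AccessPoint:
    """Parse one CSV record; normalise case so inventory lookups are exact."""
    bssid, ssid, channel, enc, auth = [f.strip() for f in line.split(",")]
    return AccessPoint(bssid.lower(), ssid, int(channel), enc.lower(), auth.lower())


def classify(ap: AccessPoint, authorized: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, detail) findings for one AP. Severities are assumed."""
    findings: List[Tuple[str, str]] = []
    expected_ssid = authorized.get(ap.bssid)
    if expected_ssid is None:
        # Rogue AP; worse when it advertises one of the organization's own SSIDs
        if ap.ssid in authorized.values():
            findings.append(("high", "unauthorized AP broadcasting an authorized SSID"))
        else:
            findings.append(("medium", "AP not in the authorized inventory"))
    elif expected_ssid != ap.ssid:
        findings.append(("medium", f"inventory expects SSID {expected_ssid!r}"))

    # Authentication and encryption checks (ISO 17799: appropriate authentication)
    if ap.auth == "open" and ap.encryption == "none":
        findings.append(("high", "open system authentication, no encryption"))
    elif ap.encryption == "wep":
        findings.append(("high", "WEP/shared-key protection"))
    elif ap.encryption == "wpa":
        findings.append(("medium", "original WPA rather than WPA2"))
    return findings


def audit(lines: List[str], authorized: Dict[str, str]) -> dict:
    """Build the report: every finding is kept; high-risk ones are surfaced."""
    aps = [parse_scan_line(line) for line in lines]
    report: dict = {
        "access_points": len(aps),
        "ssids": sorted({ap.ssid for ap in aps}),
        "channels": sorted({ap.channel for ap in aps}),
        "findings": [],
    }
    for ap in aps:
        for severity, detail in classify(ap, authorized):
            report["findings"].append(
                {"severity": severity, "bssid": ap.bssid, "ssid": ap.ssid, "detail": detail}
            )
    report["high_risk"] = [f for f in report["findings"] if f["severity"] == "high"]
    return report


if __name__ == "__main__":
    result = audit(SCAN_LINES, AUTHORIZED)
    print(f"{result['access_points']} APs, {len(result['findings'])} findings, "
          f"{len(result['high_risk'])} high-risk (report these immediately)")
    for f in result["findings"]:
        print(f"[{f['severity']:6}] {f['bssid']} {f['ssid']!r}: {f['detail']}")
```

The report keeps every finding rather than only the high-risk ones, which matches the reporting commandment (find 50 things, report 50 things) while still separating out what must be escalated as soon as it is found. Replace the constructed inventory with the organization’s real asset list and feed the script the CSV export of whichever stumbling tool you standardised on.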

The OSSTMM is available from www.isecom.org/osstmm/.
With resources like these, you have a methodology — and everything you
need to map out your plan. But rather than leave you hanging there, the rest
of the book shows you how to work through a methodology.




The Wireless Hacking Process (1/2)

In This Chapter
1. Understanding the hacking process
2. The Ten Commandments of Ethical Hacking
3. Understanding the standards
4. Evaluating your results

We teach courses on ethical hacking — and when you’re teaching, you
need an outline. Our teaching outline always starts with the introduction
to the ethical-hacking process that comprises most of this chapter.
Inevitably, when the subject of an ethical hacking process comes up, the class
participants visibly slump into their chairs, palpable disappointment written
all over their faces. They cross their arms across their chests and shuffle
their feet. Some even jump up and run from class to catch up on their phone
calls. Why? Well, every class wants to jump right in and learn parlor tricks
they can use to amaze their friends and boss. But that takes procedure and
practice. Without a defined process, you may waste time doing nonessential
steps while omitting crucial ones. So bear with us for a while; this background
information may seem tedious, but it’s important.

Obeying the Ten Commandments of Ethical Hacking
In his book Hacking For Dummies (Wiley), Kevin discussed the hacker genre
and ethos. In Chapter 1, he enumerated the Ethical Hacking Commandments.
In that book, Kevin listed three commandments. But (as with everything in
networking) the list has grown to fill the available space. Now these commandments
were not brought down from Mount Sinai, but thou shalt follow
these commandments shouldst thou decide to become a believer in the doctrine
of ethical hacking. The Ten Commandments are
1. Thou shalt set thy goals.
2. Thou shalt plan thy work, lest thou go off course.
3. Thou shalt obtain permission.
4. Thou shalt work ethically.
5. Thou shalt work diligently.
6. Thou shalt respect the privacy of others.
7. Thou shalt do no harm.
8. Thou shalt use a scientific process.
9. Thou shalt not covet thy neighbor’s tools.
10. Thou shalt report all thy findings.

Thou shalt set thy goals
When Peter was a kid, he used to play a game at camp called Capture the
Flag. The camp counselors would split all the campers into two teams: one
with a red flag and one with a blue flag. The rules were simple: If you were on
the blue team, then you tried to find the red flag that the red team had hidden
and protected, and vice versa. Despite appearances, this game could get
rough — on the order of, say, Australian Rules Football. It was single-minded:
Capture the flag. This single-mindedness is similar to the goals of a penetration
test, a security test with a defined goal that ends either when the goal is
achieved or when time runs out. Getting access to a specific access point is
not much different from capturing a flag: Your opponent has hidden it and is
protecting it, and you’re trying to circumvent the defenses. Penetration testing
is Capture the Flag without the intense physical exercise.

How does ethical hacking relate to penetration testing? Ethical hacking is a
form of penetration testing originally used as a marketing ploy but has come
to mean a penetration test of all systems — where there is more than one goal.
In either case, you have a goal. Your evaluation of the security of a wireless
network should seek answers to three basic questions:
1. What can an intruder see on the target access points or networks?
2. What can an intruder do with that information?
3. Does anyone at the target notice the intruder’s attempts — or successes?

You might set a simplistic goal, such as finding unauthorized wireless access
points. Or you might set a goal that requires you to obtain information from a
system on the wired network. Whatever you choose, you must articulate
your goal and communicate it to your sponsors.
Involve others in your goal-setting. If you don’t, you will find the planning
process quite difficult. The goal determines the plan. To paraphrase the
Cheshire Cat’s response to Alice: “If you don’t know where you are going, any
path will take you there.” Including stakeholders in the goal-setting process
will build trust that will pay off in spades later on.

Thou shalt plan thy work, lest thou go off course
Few, if any of us, have an unlimited budget. We usually are bound by one or
more constraints. Money, personnel or time may constrain you. Consequently,
it is important for you to plan your testing.
With respect to your plan, you should do the following:
1. Identify the networks you intend to test.
2. Specify the testing interval.
3. Specify the testing process.
4. Develop a plan and share it with all stakeholders.
5. Obtain approval of the plan.

Share your plan. Socialize it with as many people as you can. Don’t worry
that lots of people will know that you are going to hack into the wireless network.
If your organization is like most others, then it’s unlikely they can
combat the organizational inertia to do anything to block your efforts. It is
important, though, to remember that you do want to do your testing under
“normal” conditions.

Thou shalt obtain permission
When it comes to asking for permission, remember the case of the Internal
Auditor who, when caught cashing a payroll check he didn’t earn, replied, “I
wasn’t stealing. I was just testing the controls of the system.” When doing ethical
hacking, don’t follow the old saw that “asking forgiveness is easier than
asking for permission.” Not asking for permission may land you in prison!
You must get your permission in writing. This permission may represent the
only thing standing between you and an ill-fitting black-and-white-striped suit
and a lengthy stay in the Heartbreak Hotel. You must ask for — and get — a
“get out of jail free” card. This card will state that you are authorized to perform
a test according to the plan. It should also say that the organization will
“stand behind you” in case you are criminally charged or sued. This means
they will provide legal and organizational support as long as you stayed
within the bounds of the original plan (see Commandment Two).

Thou shalt work ethically
The term ethical in this context means working professionally and with good
conscience. You must do nothing that is not in the approved plan or that has
been authorized after the approval of the plan.

As an ethical hacker, you are bound to confidentiality and non-disclosure of
information you uncover, and that includes the security-testing results. You
cannot divulge anything to individuals who do not “need-to-know.” What you
learn during your work is extremely sensitive — you must not openly share it.
Everything you do as an ethical hacker must be aboveboard, and must support
the goals of the organization. You should notify the organization whenever
you change the testing plan, change the source test venue, or detect
high-risk conditions — and before you run any new high-risk or high-traffic
tests, as well as when any testing problems occur.

You must also ensure you are compliant with your organization’s governance
and local laws. Do not perform an ethical hack when your policy expressly
forbids it — or when the law does.

Thou shalt keep records
Major attributes of an ethical hacker are patience and thoroughness. Doing
this work requires hours bent over a keyboard in a darkened room. You may
have to do some off-hours work to achieve your goals, but you don’t have to
wear hacker gear and drink Red Bull. What you do have to do is keep plugging
away until you reach your goal.
In the previous commandment we talked about acting professionally. One
hallmark of professionalism is keeping adequate records to support your
findings. When keeping paper or electronic notes, do the following:
- Log all work performed.
- Record all information directly into your log.
- Keep a duplicate of your log.
- Document — and date — every test.
- Keep factual records and record all work, even when you think you were not successful.

This record of your test design, outcome, and analysis is an important aspect
of your work. Your records will allow you to compile the information needed
for a written or oral report. You should take care in compiling your records.
Be diligent in your work and your documentation.

Thou shalt respect the privacy of others
Treat the information you gather with the utmost respect. You must protect
the secrecy of confidential or personal information. All information you obtain
during your testing — for example, encryption keys or clear text passwords —
must be kept private. Don’t abuse your authority; use it responsibly. This
means you won’t (for example) snoop into confidential corporate records or
private lives. Treat the information with the same care you would give to
your own personal information.

Thou shalt do no harm
The prime directive for ethical hacking is, “Do no harm.” Remember that the
actions you take may have unplanned repercussions. It’s easy to get caught
up in the gratifying work of ethical hacking. You try something, and it works,
so you keep going. Unfortunately, by doing this you may easily cause an
outage of some sort, or trample on someone else’s rights. Resist the urge to
go too far — and stick to your original plan.

Also, you must understand the nature of your tools. Far too often, people jump
in and start using the tools shown in this book without truly understanding the
full implications of the tool. They do not understand that setting up a monkey-in-the-middle
attack, for example, creates a denial of service. Relax, take a deep
breath, set your goals, plan your work, select your tools, and (oh yeah) read
the documentation.

Many of the tools we discuss here allow you to control the depth and breadth
of the tests you perform. Remember this point when you want to run your
tests on the wireless access point where your boss connects!


Thou shalt use a “scientific” process
By this commandment, we don’t mean that you necessarily have to follow
every single step of the scientific process, but rather that you adopt some of
its principles in your work. Adopting a quasi-scientific process provides some
structure and prevents undue chaos (of the sort that can result from a
random-walk through your networks).

For our purposes, the scientific process has three steps:
1. Select a goal and develop your plan.
2. Test your networks and systems to address your goals.
3. Persuade your organization to acknowledge your work.

We address the first two steps in previous commandments, so let’s look at the
third step here. Your work should garner greater acceptance when you adopt
an empirical method. An empirical method has the following attributes:
1. Set quantifiable goals: The essence of selecting a goal (such as capturing
the flag) is that you know when you’ve reached it. You either possess
the flag or you don’t. Pick a goal that you can quantify: associating with
ten access points, broken encryption keys or a file from an internal server.
Time-quantifiable goals, such as testing your systems to see how they
stand up to three days of concerted attack, are also good.

2. Tests are consistent and repeatable: If you scan your network twice and
get different results each time, this is not consistent. You must provide
an explanation for the inconsistency, or the test is invalid. If we repeat
your test, will we get the same results? When a test is repeatable or
replicable, you can conclude confidently that the same result will occur
no matter how many times you replicate it.

3. Tests are valid beyond the “now” time frame: When your results are
true, your organization will receive your tests with more enthusiasm if
you’ve addressed a persistent or permanent problem, rather than a temporary
or transitory problem.

Thou shalt not covet thy neighbor’s tools
No matter how many tools you may have, you will discover new ones. Wireless
hacking tools are rife on the Internet — and more are coming out all the time.
The temptation to grab them all is fierce. Take, for instance, “wardriving” tools.
Early on, your choices of software to use for this “fascinating hobby” were
limited. You could download and use Network Stumbler, commonly called
NetStumbler, on a Windows platform, or you could use Kismet on Linux. But
these days, you have many more choices: Aerosol, Airosniff, Airscanner,
APsniff, BSD-Airtools, dstumbler, Gwireless, iStumbler, KisMAC, MacStumbler,
MiniStumbler, Mognet, PocketWarrior, pocketWiNc, THC-RUT, THC-Scan, THC-WarDrive,
Radiate, WarLinux, Wellenreiter, WiStumbler, and Wlandump, to name
a few. And those are just the free ones. You also could purchase AirMagnet,
Airopeek, Air Sniffer, AP Scanner, NetChaser, Sniff-em, Sniffer Wireless . . . Well
you get the idea. Should you have unlimited time and budget, you could use
all these tools. But we suggest you pick one tool and stick with it. (We give
you a closer look at some from this list in Chapters 9 and 10.)




Introduction to Wireless Hacking (2/2)

Wireless-network complexities
In addition to the various security vulnerabilities we mentioned above, one
of the biggest obstacles to secure wireless networks is their complexity. It’s
not enough to just install a firewall, set strong passwords, and have detailed
access control settings. No, wireless networks are a completely different
beast than their wired counterparts. These days, a plain old AP and wireless
network interface card (NIC) might not seem too complex, but there’s a lot
going on behind the scenes.

The big issues revolve around the 802.11 protocol. This protocol doesn’t just
send and receive information with minimal management overhead (as does,
say, plain old Ethernet). Rather, 802.11 is highly complex — it not only has to
send and receive radio frequency (RF) signals that carry packets of network
data, it also has to perform a raft of other functions such as
- Timing message packets to ensure client synchronization and help avoid data-transmission collisions
- Authenticating clients to make sure only authorized personnel connect to the network
- Encrypting data to enhance data privacy
- Checking data integrity to ensure that the data remains uncorrupted or unmodified

For a lot of great information on wireless-network fundamentals, check out
the book that Peter co-authored — Wireless Networks For Dummies.
In addition to 802.11-protocol issues, there are also complexities associated
with wireless-network design. Try these on for size:
- Placement of APs relative to existing network infrastructure devices, such as routers, firewalls, and switches
- What type of antennae to use and where to locate them
- How to adjust signal-power settings to prevent RF signals from leaking outside your building
- Keeping track of your wireless devices — such as APs, laptops, and personal digital assistants (PDAs)
- Knowing which device types are allowed on your network and which ones don’t belong

These wireless-network complexities can lead to a multitude of security
weaknesses that simply aren’t present in traditional wired networks.

Getting Your Ducks in a Row
Before going down the ethical-hacking road, it’s critical that you plan everything
in advance. This includes:
- Obtaining permission to perform your tests from your boss, project sponsor, or client
- Outlining your testing goals
- Deciding what tests to run
- Grasping the ethical-hacking methodology (what tests to run, what to look for, how to follow-up, etc.) before you carry out your tests

All the up-front work and formal steps to follow may seem like a lot of hassle
at first. However, we believe that if you’re going to go to all the effort to perform
ethical hacking on your wireless network as a true IT professional, do it
right the first time around. It’s the only way to go.

The law of sowing and reaping applies to the ethical-hacking planning phase.
The more time and effort you put in up front, the more it pays off in the long
run — you’ll be better prepared, have the means to perform a more thorough
wireless-security assessment, and (odds are) you’ll end up with a more
secure wireless network.
Planning everything in advance saves you a ton of time and work in the long term;
you won’t regret it. Your boss or your client will be impressed to boot!

Gathering the Right Tools
Every job requires the right tools. Selecting and preparing the proper security
testing tools is a critical component of the ethical-hacking process. If
you’re not prepared, you’ll most likely spin your wheels and not get the
desired results.

Just because a wireless hacking tool is designed to perform a certain test,
that doesn’t mean it will. You may have to tweak your settings or find
another tool altogether. Also keep in mind that you sometimes have to take
the output of your tools with a grain of salt. There’s always the potential
for false positives (showing there’s a vulnerability when there’s not) and even
false negatives (showing there’s no vulnerability when there is).
The following tools are some of our favorites for testing wireless networks
and are essential for performing wireless hacking tests:
- Google — yep, this Web site is a great tool
- Laptop computer
- Global Positioning System (GPS) satellite receiver
- Network Stumbler network stumbling software
- AiroPeek network-analysis software
- QualysGuard vulnerability-assessment software
- WEPcrack encryption cracking software

You can’t do without good security-testing tools, but no one of them is “the”
silver bullet for finding and killing off all your wireless network’s vulnerabilities.
A trained eye and a good mix of tools is the best combination for finding
the greatest number of weaknesses in your systems.
It’s critical that you understand how to use your various tools for the specific
tests you’ll be running. This may include something as informal as playing
around with the tools or something as formal as taking a training class. Don’t
worry, we’ll show you how to work the basics when we walk you through specific
tests in Chapters 5 through 16.

To Protect, You Must Inspect
After you get everything prepared, it’s time to roll up your sleeves and get
your hands dirty by performing various ethical hacks against your wireless
network. There are dozens of security tests you can run to see just how vulnerable
your wireless systems are to attack. The outcomes
of these tests will show you what security holes can — or cannot —
be fixed to make your wireless network more secure. Not to worry, we won’t
leave you hanging with a bunch of vulnerabilities to fix. We’ll outline various
countermeasures you can use to fix the weaknesses you find.
In the next few sections, we outline the various types of security attacks to
establish the basis for the vulnerability tests you’ll be running against your
wireless network.

Non-technical attacks
These types of attacks exploit various human weaknesses, such as lack of
awareness, carelessness, and being too trusting of strangers. There are also
physical vulnerabilities that can give an attacker a leg up on firsthand access
to your wireless devices. These are often the easiest types of vulnerabilities
to take advantage of — and they can even happen to you if you’re not careful.
These attacks include
- Breaking into wireless devices that users installed on their own and left
unsecured
- Social engineering attacks whereby a hacker poses as someone else and
coaxes users into giving out too much information about your network
- Physically accessing APs, antennae, and other wireless infrastructure
equipment to reconfigure it — or (worse) capture data off it

Network attacks
When it comes to the nitty-gritty bits and bytes, there are a lot of techniques
the bad guys can use to break inside your wireless realm or at least leave it
limping along in a nonworking state. Network-based attacks include
- Installing rogue wireless APs and “tricking” wireless clients into connecting to them
- Capturing data off the network from a distance by walking around, driving by, or flying overhead
- Attacking the networking transactions by spoofing MAC addresses (masquerading as a legitimate wireless user), setting up man-in-the-middle (inserting a wireless system between an AP and wireless client) attacks, and more
- Exploiting network protocols such as SNMP
- Performing denial-of-service (DoS) attacks
- Jamming RF signals

Software attacks
As if the security problems with the 802.11 protocol weren’t enough, we now
have to worry about the operating systems and applications on wireless-client
machines being vulnerable to attack. Here are some examples of software
attacks:
- Hacking the operating system and other applications on wireless-client machines
- Breaking in via default settings such as passwords and SSIDs that are easily determined
- Cracking WEP keys and tapping into the network’s encryption system
- Gaining access by exploiting weak network-authentication systems




Introduction to Wireless Hacking (1/2)

In This Chapter
1. Understanding the need to test your wireless systems
2. Wireless vulnerabilities
3. Thinking like a hacker
4. Preparing for your ethical hacks
5. Important security tests to carry out
6. What to do when you’re done testing


Wireless local-area networks — often referred to as WLANs or Wi-Fi
networks — are all the rage these days. People are installing them in
their offices, hotels, coffee shops, and homes. Seeking to fulfill the wireless
demands, Wi-Fi product vendors and service providers are popping up just
about as fast as the dot-coms of the late 1990s. Wireless networks offer convenience,
mobility, and can even be less expensive to implement than wired
networks in many cases. Given the consumer demand, vendor solutions, and
industry standards, wireless-network technology is real and is here to stay.
But how safe is this technology?

Wireless networks are based on the Institute of Electrical and Electronics
Engineers (IEEE) 802.11 set of standards for WLANs. In case you’ve ever wondered,
the IEEE 802 standards got their name from the year and month this
group was formed — February 1980. The “.11” that refers to the wireless LAN
working group is simply a subset of the 802 group. There’s a whole slew of
industry groups involved with wireless networking, but the two main players
are the IEEE 802.11 working group and the Wi-Fi Alliance.

Years ago, wireless networks were only a niche technology used for very specialized
applications. These days, Wi-Fi systems have created a multibillion-dollar
market and are being used in practically every industry — and in every
size organization from small architectural firms to the local zoo. But with this
increased exposure comes increased risk: The widespread use of wireless systems
has helped make them a bigger target than the IEEE ever bargained for.
(Some widely publicized flaws such as the Wired Equivalent Privacy (WEP)
weaknesses in the 802.11 wireless-network protocol haven’t helped things,
either.) And, as Microsoft has demonstrated, the bigger and more popular you
are, the more attacks you’re going to receive.

With the convenience, cost savings, and productivity gains of wireless networks
come a whole slew of security risks. These aren’t the common security
issues, such as spyware, weak passwords, and missing patches. Those weaknesses
still exist; however, networking without wires introduces a whole new
set of vulnerabilities from an entirely different perspective.
This brings us to the concept of ethical hacking. Ethical hacking — sometimes
referred to as white-hat hacking — means the use of hacking to test and improve
defenses against unethical hackers. It’s often compared to penetration testing
and vulnerability testing, but it goes even deeper. Ethical hacking involves
using the same tools and techniques the bad guys use, but it also involves
extensive up-front planning, a group of specific tools, complex testing methodologies,
and sufficient follow-up to fix any problems before the bad guys — the
black- and gray-hat hackers — find and exploit them.

Understanding the various threats and vulnerabilities associated with 802.11-
based wireless networks — and ethically hacking them to make them more
secure — is what this book is all about. Please join in on the fun.
In this chapter, we’ll take a look at common threats and vulnerabilities associated
with wireless networks. We’ll also introduce you to some essential wireless
security tools and tests you should run in order to strengthen your airwaves.

Why You Need to Test Your Wireless Systems
Wireless networks have been notoriously insecure since the early days of
the 802.11b standard of the late 1990s. Since the standard’s inception, major
802.11 weaknesses, such as physical security weaknesses, encryption flaws,
and authentication problems, have been discovered. Wireless attacks have
been on the rise ever since. The problem has gotten so bad that two wireless
security standards have emerged to help fight back at the attackers:

- Wi-Fi Protected Access (WPA): This standard, which was developed by
the Wi-Fi Alliance, served as an interim fix to the well-known WEP vulnerabilities
until the IEEE came out with the 802.11i standard.
- IEEE 802.11i (certified by the Wi-Fi Alliance as WPA2): This is the official
IEEE standard, which incorporates the WPA fixes for WEP along with stronger
encryption (AES-CCMP) and authentication mechanisms to further secure wireless networks.

These standards have resolved many known security vulnerabilities of the
802.11a/b/g protocols. As with most security standards, the problem with these
wireless security solutions is not that the solutions don’t work — it’s that many
network administrators are resistant to change and don’t fully implement them.
Many administrators don’t want to reconfigure their existing wireless systems
and don’t want to have to implement new security mechanisms for fear of
making their networks more difficult to manage. These are legitimate concerns,
but they leave many wireless networks vulnerable and waiting to be
compromised.

Even after you have implemented WPA, WPA2, and the various other wireless
protection techniques described in this book, your network may still be at
risk. This can happen when (for example) employees install unsecured wireless
access points or gateways on your network without you knowing about
it. In our experience — even with all the wireless security standards and
vendor solutions available — the majority of systems are still wide open to
attack. Bottom line: Ethical hacking isn’t a do-it-once-and-forget-it measure.
It’s like an antivirus upgrade — you have to do it again from time to time.

Knowing the dangers your systems face
Before we get too deep into the ethical-hacking process, it will help to define
a couple of terms that we’ll be using throughout this book. They are as follows:

- Threat: A threat is an indication of intent to cause disruption within an
information system. Some examples of threat agents are hackers, disgruntled
employees, and malicious software (malware) such as viruses
or spyware that can wreak havoc on a wireless network.
- Vulnerability: A vulnerability is a weakness within an information
system that can be exploited by a threat. Some examples are wireless
networks not using encryption, weak passwords on wireless access
points (APs, the central hubs that a set of wireless computers attach to),
and an AP sending wireless signals outside the building. Wireless-network
vulnerabilities are what we’ll be seeking out in this book.

Beyond these basics, quite a few things can happen when a threat actually
exploits a vulnerability in a wireless network. The likelihood of that happening,
combined with the damage it would do, is the risk. Even when you think there’s
nothing going across your wireless network that a hacker would want, or you
figure the likelihood of something bad happening is very low, there’s still
ample opportunity for trouble.
Risks associated with vulnerable wireless networks include

- Full access to files being transmitted or even sitting on the server
- Stolen passwords
- Intercepted e-mails
- Back-door entry points into your wired network
- Denial-of-service attacks causing downtime and productivity losses
- Violations of state, federal, or international laws and regulations relating to privacy, corporate financial reporting, and more
- “Zombies” — A hacker using your system to attack other networks making you look like the bad guy
- Spamming — A spammer using your e-mail server or workstations to send out spam, spyware, viruses, and other nonsense e-mails

We could go on and on, but you get the idea. The risks on wireless networks
are not much different from those on wired ones. Wireless risks just have a
greater likelihood of occurring — that’s because wireless networks normally
have a larger number of vulnerabilities.

The really bad thing about all this is that without the right equipment and
vigilant network monitoring, it can be impossible to detect someone hacking
your airwaves — even from a couple of miles away! Wireless-network compromises
can include a nosy neighbor using a frequency scanner to listen in
on your cordless phone conversations — or nosy co-workers overhearing
private boardroom conversations. Without the physical layer of protection
we’ve grown so accustomed to with our wired networks, anything is possible.

Understanding the enemy
The wireless network’s inherent vulnerabilities, in and of themselves, aren’t
necessarily bad. The true problem lies with all the malicious hackers out
there just waiting to exploit these vulnerabilities and make your job — and
life — more difficult. In order to better protect your systems, it helps to
understand what you’re up against — in effect, to think like a hacker. Although
it may be impossible to achieve the same malicious mindset as the cyberpunks,
you can at least see where they’re coming from technically and how
they work.

For starters, hackers are likely to attack systems that require the least
amount of effort to break into. A prime target is an organization that has just
one or two wireless APs. Our findings show that these smaller wireless networks
help stack the odds in the hackers’ favor, for several reasons:
- Smaller organizations are less likely to have a full-time network administrator keeping tabs on things.
- Small networks are also more likely to leave the default settings on their wireless devices unchanged, making them easier to crack into.
- Smaller networks are less likely to have any type of network monitoring, in-depth security controls such as WPA or WPA2, or a wireless intrusion-detection system (WIDS). These are exactly the sorts of things that smart hackers take into consideration.

However, small networks aren’t the only vulnerable ones. There are various
other weaknesses hackers can exploit in networks of all sizes, such as the
following:
- The larger the wireless network, the easier it may be to crack Wired Equivalent Privacy (WEP) encryption keys. Larger networks carry more traffic, and every captured WEP frame exposes another 24-bit initialization vector (IV); the statistical key-recovery attacks on WEP need a large number of unique IVs, so a busier network hands them over sooner.
- Most network administrators don’t have the time or interest in monitoring their networks for malicious behavior.
- Network snooping will be easier if there’s a good place such as a crowded parking lot or deck to park and work without attracting attention.
- Most organizations use the omnidirectional antennae that come standard on APs — without even thinking about how these spread RF signals around outside the building.
- Because wireless networks are often an extension of a wired network, where there’s an AP, there’s likely a wired network behind it. Given this, the wired side often holds just as many treasures as the wireless network, if not more.
- Many organizations attempt to secure their wireless networks with routine security measures, such as disabling service-set-identifier (SSID) broadcasts (the beacon announcement of the network name to any wireless device in range) and enabling media-access control (MAC) address filtering (which limits which wireless hosts can attach to your network), without knowing that these controls are easily circumvented: a “hidden” SSID still appears in probe responses and association requests, and an attacker who sniffs the MAC address of a permitted client can simply clone it.
- SSIDs are often set to obvious company or department names that can give the intruders an idea which systems to attack first.
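The two points above about WEP traffic volume and about hidden SSIDs and MAC filtering are easier to see with a capture in hand. The following is an added example, not code from the book or its authors: a minimal IEEE 802.11 frame parser run over a handful of constructed frames (not real traffic). It assumes plain 24-byte MAC headers with no QoS/HT fields and no trailing FCS, and WEP framing with the 24-bit IV in the first three body bytes; the MAC addresses and the SSID “CORP-FINANCE” are made up for the sample.

```python
"""Why hidden SSIDs and MAC filtering are weak, and why WEP cracking speeds up
with traffic, shown on constructed 802.11 frames. Added example, not from the
book. Assumes 24-byte headers (no QoS/HT fields, no FCS) and WEP framing."""
import struct

TYPE_MGMT, TYPE_DATA = 0, 2                        # frame-control type field
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8          # management subtypes
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
IE_SSID = 0                                        # information-element id


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Split a raw 802.11 MAC frame into header fields and body."""
    fc0, fc1 = frame[0], frame[1]
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    hdr_len = 30 if (to_ds and from_ds) else 24    # Addr4 only in WDS frames
    return {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "to_ds": to_ds, "from_ds": from_ds,
            "protected": bool(fc1 & FLAG_PROTECTED),
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
            "body": frame[hdr_len:]}


def parse_ies(body):
    """Yield (id, value) from the tagged parameters of a beacon/probe response."""
    pos = 12                   # skip timestamp(8) + beacon interval(2) + capability(2)
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        yield ie_id, body[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len


def recover_ssids(frames):
    """BSSID -> SSID. A 'hidden' network blanks the SSID only in beacons; the
    probe response it sends to a probing client carries the real name."""
    found = {}
    for f in map(parse_frame, frames):
        if f["type"] != TYPE_MGMT or f["subtype"] not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            continue
        bssid = mac_str(f["addr3"])
        found.setdefault(bssid, None)              # None = only blank SSIDs seen so far
        for ie_id, val in parse_ies(f["body"]):
            if ie_id == IE_SSID and val:
                found[bssid] = val.decode("utf-8", "replace")
    return found


def observed_clients(frames):
    """Station MACs seen in data frames; cloning any of them defeats a MAC filter."""
    clients = set()
    for f in map(parse_frame, frames):
        if f["type"] != TYPE_DATA:
            continue
        if f["to_ds"] and not f["from_ds"]:
            clients.add(mac_str(f["addr2"]))       # station -> AP: Addr2 is the station
        elif f["from_ds"] and not f["to_ds"]:
            clients.add(mac_str(f["addr1"]))       # AP -> station: Addr1 is the station
    return clients


def unique_wep_ivs(frames):
    """Distinct 24-bit WEP IVs in protected data frames. Key-recovery attacks on
    WEP need many unique IVs, so a busier network yields them sooner."""
    return len({bytes(f["body"][:3]) for f in map(parse_frame, frames)
                if f["type"] == TYPE_DATA and f["protected"] and len(f["body"]) >= 4})


# --- constructed sample capture (made-up addresses, not real traffic) ---------
def _mgmt(subtype, dst, bssid, ssid):
    fc = bytes([(TYPE_MGMT << 2) | (subtype << 4), 0])
    hdr = fc + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)    # timestamp, interval, capabilities
    return hdr + fixed + bytes([IE_SSID, len(ssid)]) + ssid


def _data(station, bssid, iv, to_ds=True):
    flags = FLAG_PROTECTED | (FLAG_TO_DS if to_ds else FLAG_FROM_DS)
    fc = bytes([TYPE_DATA << 2, flags])
    a1, a2 = (bssid, station) if to_ds else (station, bssid)
    hdr = fc + b"\x00\x00" + a1 + a2 + WIRED_HOST + b"\x00\x00"
    return hdr + iv + b"\x00" + b"\xde\xad\xbe\xef"   # IV, key-id byte, dummy ciphertext


AP = bytes.fromhex("00112233aabb")
STA_A = bytes.fromhex("001122334455")
STA_B = bytes.fromhex("0011223366ff")
WIRED_HOST = bytes.fromhex("000000000001")
SAMPLE_FRAMES = [
    _mgmt(SUBTYPE_BEACON, b"\xff" * 6, AP, b""),             # beacon with SSID hidden
    _mgmt(SUBTYPE_PROBE_RESP, STA_A, AP, b"CORP-FINANCE"),   # probe response leaks it
    _data(STA_A, AP, b"\x01\x02\x03"),
    _data(STA_A, AP, b"\x01\x02\x04"),
    _data(STA_B, AP, b"\x01\x02\x03", to_ds=False),          # IV reuse, counted once
    _data(STA_B, AP, b"\x07\x08\x09", to_ds=False),
]

if __name__ == "__main__":
    print("SSIDs:", recover_ssids(SAMPLE_FRAMES))
    print("clients to clone:", observed_clients(SAMPLE_FRAMES))
    print("unique WEP IVs:", unique_wep_ivs(SAMPLE_FRAMES))
```

On the sample capture the beacon alone yields no name, the single probe response gives away “CORP-FINANCE”, both associated stations’ addresses are recovered from ordinary data frames, and four encrypted frames contribute only three unique IVs because one IV repeats. Against a real capture you would feed the same functions the frame bytes from a monitor-mode sniffer; the parser deliberately ignores QoS/HT headers, so extend parse_frame before pointing it at 802.11n traffic.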

Throughout this book, we point out ways the bad guys work when they’re
carrying out specific hacks. The more cognizant you are of the hacker mindset,
the deeper and broader your security testing will be — which leads to
increased wireless security.

Many hackers don’t necessarily want to steal your information or crash your
systems. They often just want to prove to themselves and their buddies that
they can break in. This likely creates a warm fuzzy feeling that makes them feel
like they’re contributing to society somehow. On the other hand, sometimes
they attack simply to get under the administrator’s skin. Sometimes they are
seeking revenge. Hackers may want to use a system so they can attack other
people’s networks under disguise. Or maybe they’re bored, and just want to
see what information is flying through the airwaves, there for the taking.
The “high-end” uberhackers go where the money is — literally. These are the
guys who break into online banks, e-commerce sites, and internal corporate
databases for financial gain. What better way to break into these systems than
through a vulnerable wireless network, making the real culprit harder to trace?
One AP or vulnerable wireless client is all it takes to get the ball rolling.
Whatever the reasons are behind all of these hacker shenanigans, the fact is that
your network, your information, and (heaven forbid) your job are at risk.

There’s no such thing as absolute security on any network — wireless or not.
It’s basically impossible to be completely proactive in securing your systems,
because you cannot anticipate every attack before someone has invented it.
Although you may not be able to prevent every type of attack, you can prepare,
prepare, and prepare some more — to deal with attacks more effectively
and minimize losses when they do occur.

Information security is like an arms race — the attacks and countermeasures
are always one-upping each other. The good thing is that for every new attack,
there will likely be a new defense developed. It’s just a matter of timing. Even
though we’ll never be able to put an end to the predatory behavior of unethical
cyber thugs, it’s comforting to know that there are just as many ethical
security professionals working hard every day to combat the threats.



Taken from:
Hacking Wireless Networks For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com