Introduction to Wireless Hacking (2/2)

Wireless-network complexities
In addition to the various security vulnerabilities we mentioned above, one
of the biggest obstacles to secure wireless networks is their complexity. It’s
not enough to just install a firewall, set strong passwords, and have detailed
access control settings. No, wireless networks are a completely different
beast than their wired counterparts. These days, a plain old AP and wireless
network interface card (NIC) might not seem too complex, but there’s a lot
going on behind the scenes.

The big issues revolve around the 802.11 protocol. This protocol doesn’t just
send and receive information with minimal management overhead (as does,
say, plain old Ethernet). Rather, 802.11 is highly complex — it not only has to
send and receive radio frequency (RF) signals that carry packets of network
data, it also has to perform a raft of other functions such as
- Timing message packets to ensure client synchronization and help avoid data-transmission collisions
- Authenticating clients to make sure only authorized personnel connect to the network
- Encrypting data to enhance data privacy
- Checking data integrity to ensure that the data remains uncorrupted or unmodified

For a lot of great information on wireless-network fundamentals, check out
the book that Peter co-authored — Wireless Networks For Dummies.

In addition to 802.11-protocol issues, there are also complexities associated
with wireless-network design. Try these on for size:
- Placement of APs relative to existing network infrastructure devices, such as routers, firewalls, and switches
- What type of antennae to use and where to locate them
- How to adjust signal-power settings to prevent RF signals from leaking outside your building
- Keeping track of your wireless devices — such as APs, laptops, and personal digital assistants (PDAs)
- Knowing which device types are allowed on your network and which ones don’t belong

These wireless-network complexities can lead to a multitude of security
weaknesses that simply aren’t present in traditional wired networks.

Getting Your Ducks in a Row
Before going down the ethical-hacking road, it’s critical that you plan everything
in advance. This includes:
- Obtaining permission to perform your tests from your boss, project sponsor, or client
- Outlining your testing goals
- Deciding what tests to run
- Grasping the ethical-hacking methodology (what tests to run, what to look for, how to follow up, etc.) before you carry out your tests

All the up-front work and formal steps to follow may seem like a lot of hassle
at first. However, we believe that if you’re going to go to all the effort to perform
ethical hacking on your wireless network as a true IT professional, do it
right the first time around. It’s the only way to go.

The law of sowing and reaping applies to the ethical-hacking planning phase.
The more time and effort you put in up front, the more it pays off in the long
run — you’ll be better prepared, have the means to perform a more thorough
wireless-security assessment, and (odds are) you’ll end up with a more
secure wireless network.

Planning everything in advance saves you a ton of time and work in the long term;
you won’t regret it. Your boss or your client will be impressed to boot!

Gathering the Right Tools
Every job requires the right tools. Selecting and preparing the proper security
testing tools is a critical component of the ethical-hacking process. If
you’re not prepared, you’ll most likely spin your wheels and not get the
desired results.

Just because a wireless hacking tool is designed to perform a certain test,
that doesn’t mean it will. You may have to tweak your settings or find
another tool altogether. Also keep in mind that you sometimes have to take
the output of your tools with a grain of salt. There’s always the potential
for false positives (showing there’s a vulnerability when there’s not) and even
false negatives (showing there’s no vulnerability when there is).

The following tools are some of our favorites for testing wireless networks
and are essential for performing wireless hacking tests:
- Google — yep, this Web site is a great tool
- Laptop computer
- Global Positioning System (GPS) satellite receiver
- Network Stumbler network stumbling software
- AiroPeek network-analysis software
- QualysGuard vulnerability-assessment software
- WEPcrack encryption cracking software

You can’t do without good security-testing tools, but no one of them is “the”
silver bullet for finding and killing off all your wireless network’s vulnerabilities.
A trained eye and a good mix of tools is the best combination for finding
the greatest number of weaknesses in your systems.

It’s critical that you understand how to use your various tools for the specific
tests you’ll be running. This may include something as informal as playing
around with the tools or something as formal as taking a training class. Don’t
worry, we’ll show you how to work the basics when we walk you through specific
tests in Chapters 5 through 16.

To Protect, You Must Inspect
After you get everything prepared, it’s time to roll up your sleeves and get
your hands dirty by performing various ethical hacks against your wireless
network. There are dozens of security tests you can run to see just how vulnerable
your wireless systems are to attack. The outcomes
of these tests will show you what security holes can — or cannot —
be fixed to make your wireless network more secure. Not to worry, we won’t
leave you hanging with a bunch of vulnerabilities to fix. We’ll outline various
countermeasures you can use to fix the weaknesses you find.

In the next few sections, we outline the various types of security attacks to
establish the basis for the vulnerability tests you’ll be running against your
wireless network.

Non-technical attacks
These types of attacks exploit various human weaknesses, such as lack of
awareness, carelessness, and being too trusting of strangers. There are also
physical vulnerabilities that can give an attacker a leg up on firsthand access
to your wireless devices. These are often the easiest types of vulnerabilities
to take advantage of — and they can even happen to you if you’re not careful.
These attacks include
- Breaking into wireless devices that users installed on their own and left unsecured
- Social engineering attacks whereby a hacker poses as someone else and coaxes users into giving out too much information about your network
- Physically accessing APs, antennae, and other wireless infrastructure equipment to reconfigure it — or (worse) capture data off it

Network attacks
When it comes to the nitty-gritty bits and bytes, there are a lot of techniques
the bad guys can use to break inside your wireless realm or at least leave it
limping along in a nonworking state. Network-based attacks include
- Installing rogue wireless APs and “tricking” wireless clients into connecting to them
- Capturing data off the network from a distance by walking around, driving by, or flying overhead
- Attacking the networking transactions by spoofing MAC addresses (masquerading as a legitimate wireless user), setting up man-in-the-middle (inserting a wireless system between an AP and wireless client) attacks, and more
- Exploiting network protocols such as SNMP
- Performing denial-of-service (DoS) attacks
- Jamming RF signals

Software attacks
As if the security problems with the 802.11 protocol weren’t enough, we now
have to worry about the operating systems and applications on wireless-client
machines being vulnerable to attack. Here are some examples of software
attacks:
- Hacking the operating system and other applications on wireless-client machines
- Breaking in via default settings such as passwords and SSIDs that are easily determined
- Cracking WEP keys and tapping into the network’s encryption system
- Gaining access by exploiting weak network-authentication systems
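
The inventory questions raised earlier (keeping track of your APs and knowing which devices don’t belong), together with the rogue-AP, default-SSID, and WEP items in the lists above, can be checked against the results of a site survey. The following is an added example, not from the book: it audits a constructed survey sample against a hypothetical authorized-AP inventory. The CSV layout, BSSIDs, SSIDs, and finding names are all assumptions.

```python
import csv
import io

# Constructed inventory of authorized APs: BSSID -> expected SSID (assumption).
AUTHORIZED = {"00:11:22:33:44:01": "CorpWLAN", "00:11:22:33:44:02": "CorpWLAN"}
# Illustrative factory-default SSIDs; extend for the hardware you deploy.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami"}
WEAK_ENCRYPTION = {"open", "none", "wep"}

# Constructed survey sample (hypothetical CSV layout, not a real tool's export).
SURVEY_CSV = """bssid,ssid,channel,encryption
00:11:22:33:44:01,CorpWLAN,1,WPA2
00:11:22:33:44:02,CorpWLAN,6,WEP
00:AA:BB:CC:DD:10,CorpWLAN,6,Open
00:AA:BB:CC:DD:20,linksys,11,Open
00:AA:BB:CC:DD:30,CoffeeShop,11,WPA2
"""

def audit_survey(survey_text, authorized=AUTHORIZED):
    """Return (bssid, finding) pairs for surveyed APs that need follow-up."""
    authorized = {k.lower(): v for k, v in authorized.items()}
    known_ssids = set(authorized.values())
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().lower()
        if bssid in authorized:
            # One of ours: check it still matches the inventory and is encrypted.
            if ssid != authorized[bssid]:
                findings.append((bssid, "SSID_MISMATCH"))
            if enc in WEAK_ENCRYPTION:
                findings.append((bssid, "WEAK_ENCRYPTION"))
        elif ssid in known_ssids:
            # Unknown radio advertising our network name.
            findings.append((bssid, "POSSIBLE_ROGUE"))
        elif ssid.lower() in DEFAULT_SSIDS:
            # Out-of-the-box AP, possibly installed by a user.
            findings.append((bssid, "DEFAULT_SSID"))
        else:
            # May be a neighbor; confirm whether it sits on your premises.
            findings.append((bssid, "UNKNOWN_AP"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY_CSV):
        print(f"{bssid}  {finding}")
```

Because MAC addresses can be spoofed, a BSSID that matches the inventory is not proof that the AP is legitimate, and an UNKNOWN_AP finding may be a false positive from a neighboring network.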



Taken from:
Hacking Wireless Networks For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com