Introduction to Wireless Hacking (1/2)

In This Chapter
1. Understanding the need to test your wireless systems
2. Wireless vulnerabilities
3. Thinking like a hacker
4. Preparing for your ethical hacks
5. Important security tests to carry out
6. What to do when you’re done testing


Wireless local-area networks — often referred to as WLANs or Wi-Fi
networks — are all the rage these days. People are installing them in
their offices, hotels, coffee shops, and homes. Seeking to fulfill the wireless
demands, Wi-Fi product vendors and service providers are popping up just
about as fast as the dot-coms of the late 1990s. Wireless networks offer convenience,
mobility, and can even be less expensive to implement than wired
networks in many cases. Given the consumer demand, vendor solutions, and
industry standards, wireless-network technology is real and is here to stay.
But how safe is this technology?

Wireless networks are based on the Institute of Electrical and Electronics
Engineers (IEEE) 802.11 set of standards for WLANs. In case you’ve ever wondered,
the IEEE 802 standards got their name from the year and month this
group was formed — February 1980. The “.11” that refers to the wireless LAN
working group is simply a subset of the 802 group. There’s a whole slew of
industry groups involved with wireless networking, but the two main players
are the IEEE 802.11 working group and the Wi-Fi Alliance.

Years ago, wireless networks were only a niche technology used for very specialized
applications. These days, Wi-Fi systems have created a multibillion-dollar
market and are being used in practically every industry — and in every
size organization from small architectural firms to the local zoo. But with this
increased exposure comes increased risk: The widespread use of wireless systems
has helped make them a bigger target than the IEEE ever bargained for.
(Some widely publicized flaws such as the Wired Equivalent Privacy (WEP)
weaknesses in the 802.11 wireless-network protocol haven’t helped things,
either.) And, as Microsoft has demonstrated, the bigger and more popular you
are, the more attacks you’re going to receive.

With the convenience, cost savings, and productivity gains of wireless networks
come a whole slew of security risks. These aren’t the common security
issues, such as spyware, weak passwords, and missing patches. Those weaknesses
still exist; however, networking without wires introduces a whole new
set of vulnerabilities from an entirely different perspective.

This brings us to the concept of ethical hacking. Ethical hacking — sometimes
referred to as white-hat hacking — means the use of hacking to test and improve
defenses against unethical hackers. It’s often compared to penetration testing
and vulnerability testing, but it goes even deeper. Ethical hacking involves
using the same tools and techniques the bad guys use, but it also involves
extensive up-front planning, a group of specific tools, complex testing methodologies,
and sufficient follow-up to fix any problems before the bad guys — the
black- and gray-hat hackers — find and exploit them.

Understanding the various threats and vulnerabilities associated with 802.11-
based wireless networks — and ethically hacking them to make them more
secure — is what this book is all about. Please join in on the fun.

In this chapter, we’ll take a look at common threats and vulnerabilities associated
with wireless networks. We’ll also introduce you to some essential wireless
security tools and tests you should run in order to strengthen your airwaves.

Why You Need to Test Your Wireless Systems
Wireless networks have been notoriously insecure since the early days of
the 802.11b standard of the late 1990s. Since the standard’s inception, major
802.11 weaknesses, such as physical security weaknesses, encryption flaws,
and authentication problems, have been discovered. Wireless attacks have
been on the rise ever since. The problem has gotten so bad that two wireless
security standards have emerged to help fight back at the attackers:

- Wi-Fi Protected Access (WPA): This standard, which was developed by
the Wi-Fi Alliance, served as an interim fix to the well-known WEP vulnerabilities
until the IEEE came out with the 802.11i standard.
- IEEE 802.11i (referred to as WPA2): This is the official IEEE standard,
which incorporates the WPA fixes for WEP along with other encryption
and authentication mechanisms to further secure wireless networks.
These standards have resolved many known security vulnerabilities of the
802.11a/b/g protocols. As with most security standards, the problem with these
wireless security solutions is not that the solutions don’t work — it’s that many
network administrators are resistant to change and don’t fully implement them.
Many administrators don’t want to reconfigure their existing wireless systems
and don’t want to have to implement new security mechanisms for fear of
making their networks more difficult to manage. These are legitimate concerns,
but they leave many wireless networks vulnerable and waiting to be
compromised.

Even after you have implemented WPA, WPA2, and the various other wireless
protection techniques described in this book, your network may still be at
risk. This can happen when (for example) employees install unsecured wireless
access points or gateways on your network without you knowing about
it. In our experience — even with all the wireless security standards and
vendor solutions available — the majority of systems are still wide open to
attack. Bottom line: Ethical hacking isn’t a do-it-once-and-forget-it measure.
It’s like an antivirus upgrade — you have to do it again from time to time.

Knowing the dangers your systems face
Before we get too deep into the ethical-hacking process, it will help to define
a couple of terms that we’ll be using throughout this book. They are as follows:

- Threat: A threat is an indication of intent to cause disruption within an
information system. Some examples of threat agents are hackers, disgruntled
employees, and malicious software (malware) such as viruses
or spyware that can wreak havoc on a wireless network.
- Vulnerability: A vulnerability is a weakness within an information
system that can be exploited by a threat. Some examples are wireless
networks not using encryption, weak passwords on wireless access
points, or APs (an AP is the central hub for a set of wireless computers),
and an AP sending wireless signals outside the building. Wireless-network
vulnerabilities are what we’ll be seeking out in this book.
Beyond these basics, quite a few things can happen when a threat actually
exploits the vulnerabilities of a wireless network. This situation is
called risk. Even when you think there’s nothing going across your wireless
network that a hacker would want — or you figure the likelihood of something
bad happening is very low — there’s still ample opportunity for trouble.
Risks associated with vulnerable wireless networks include

- Full access to files being transmitted or even sitting on the server
- Stolen passwords
- Intercepted e-mails
- Back-door entry points into your wired network
- Denial-of-service attacks causing downtime and productivity losses
- Violations of state, federal, or international laws and regulations relating to privacy, corporate financial reporting, and more
- “Zombies” — A hacker using your system to attack other networks making you look like the bad guy
- Spamming — A spammer using your e-mail server or workstations to send out spam, spyware, viruses, and other nonsense e-mails

We could go on and on, but you get the idea. The risks on wireless networks
are not much different from those on wired ones. Wireless risks just have a
greater likelihood of occurring — that’s because wireless networks normally
have a larger number of vulnerabilities.

The really bad thing about all this is that without the right equipment and
vigilant network monitoring, it can be impossible to detect someone hacking
your airwaves — even from a couple of miles away! Wireless-network compromises
can include a nosy neighbor using a frequency scanner to listen in
on your cordless phone conversations — or nosy co-workers overhearing
private boardroom conversations. Without the physical layer of protection
we’ve grown so accustomed to with our wired networks, anything is possible.

Understanding the enemy
The wireless network’s inherent vulnerabilities, in and of themselves, aren’t
necessarily bad. The true problem lies with all the malicious hackers out
there just waiting to exploit these vulnerabilities and make your job — and
life — more difficult. In order to better protect your systems, it helps to
understand what you’re up against — in effect, to think like a hacker. Although
it may be impossible to achieve the same malicious mindset as the cyberpunks,
you can at least see where they’re coming from technically and how
they work.

For starters, hackers are likely to attack systems that require the least
amount of effort to break into. A prime target is an organization that has just
one or two wireless APs. Our findings show that these smaller wireless networks
help stack the odds in the hackers’ favor, for several reasons:
- Smaller organizations are less likely to have a full-time network administrator keeping tabs on things.
- Small networks are also more likely to leave the default settings on their wireless devices unchanged, making them easier to crack into.
- Smaller networks are less likely to have any type of network monitoring, in-depth security controls such as WPA or WPA2, or a wireless intrusion-detection system (WIDS). These are exactly the sorts of things that smart hackers take into consideration.

However, small networks aren’t the only vulnerable ones. There are various
other weaknesses hackers can exploit in networks of all sizes, such as the
following:
- The larger the wireless network, the easier it may be to crack Wired Equivalent Privacy (WEP) encryption keys. This is because larger networks likely receive more traffic, and an increased volume of packets to be captured thus leads to quicker WEP cracking times.
- Most network administrators don’t have the time or interest in monitoring their networks for malicious behavior.
- Network snooping will be easier if there’s a good place such as a crowded parking lot or deck to park and work without attracting attention.
- Most organizations use the omnidirectional antennae that come standard on APs — without even thinking about how these spread RF signals around outside the building.
- Because wireless networks are often an extension of a wired network, where there’s an AP, there’s likely a wired network behind it. Given this, there are often just as many treasures on the wired network as on the wireless one, if not more.
- Many organizations attempt to secure their wireless networks with routine security measures — say, disabling service-set-identifier (SSID) broadcasts (an SSID broadcast announces the name of the wireless network to any wireless device in range) and enabling media-access control (MAC) address filtering (which can limit the wireless hosts that can attach to your network) — without knowing that these controls are easily circumvented.
- SSIDs are often set to obvious company or department names that can give the intruders an idea which systems to attack first.
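The rogue-AP concern raised earlier (employees plugging in unsecured access points) and the weaknesses listed just above (WEP, default device settings, revealing SSID names, reliance on hidden SSIDs) are all things a defender can check for by comparing a site survey against an authorized-AP inventory. The following audit routine is an added example, not code from the book or from any survey tool: the survey rows, BSSIDs, inventory and word lists are constructed placeholders, and the encryption labels are assumed to be a simple text field (real survey exports vary in how they report cipher and authentication).

```python
"""Audit a wireless site survey against an authorized-AP inventory.

Added example (not from the book). All SSID/BSSID values below are
constructed placeholders, not data from any real site.
"""
from dataclasses import dataclass

# Assumption: the survey reports encryption as one of these plain labels.
WEAK_ENCRYPTION = {"OPEN", "WEP"}          # no protection, or broken protection
ACCEPTABLE_ENCRYPTION = {"WPA", "WPA2"}    # the standards discussed in the chapter


@dataclass(frozen=True)
class ObservedNetwork:
    ssid: str         # "" when the AP is not broadcasting its SSID
    bssid: str        # AP MAC address, e.g. "00:11:22:33:44:55"
    encryption: str   # "OPEN", "WEP", "WPA", "WPA2"
    channel: int


# Authorized inventory: BSSIDs the network team installed (constructed).
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01": "Lobby AP",
    "00:11:22:aa:bb:02": "Floor 2 AP",
}

# Factory-default names that suggest an unconfigured device (assumed list).
DEFAULT_SSIDS = {"linksys", "netgear", "default"}

# Words that tell an outsider which network belongs to the company
# (constructed list; tune to the organization's own naming).
REVEALING_SSID_WORDS = ("corp", "finance", "exec", "boardroom")


def audit_survey(observed, authorized=AUTHORIZED_BSSIDS):
    """Return a list of (bssid, finding) tuples, one per problem found.

    Findings:
      rogue-ap         BSSID not in the authorized inventory
      weak-encryption  open or WEP network
      hidden-ssid      SSID not broadcast (hiding is not a control; follow up)
      default-ssid     factory-default name, probably default settings too
      revealing-ssid   SSID names the company or a sensitive department
    """
    findings = []
    for net in observed:
        bssid = net.bssid.lower()
        if bssid not in authorized:
            findings.append((bssid, "rogue-ap"))
        if net.encryption.upper() in WEAK_ENCRYPTION:
            findings.append((bssid, "weak-encryption"))
        name = net.ssid.lower()
        if name == "":
            findings.append((bssid, "hidden-ssid"))
        elif name in DEFAULT_SSIDS:
            findings.append((bssid, "default-ssid"))
        elif any(word in name for word in REVEALING_SSID_WORDS):
            findings.append((bssid, "revealing-ssid"))
    return findings


def summarize(findings):
    """Count findings by type so the report can be prioritized."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed survey: two known APs, one rogue WEP AP with a revealing
# name, and one open AP still using a factory-default name.
SAMPLE_SURVEY = [
    ObservedNetwork("Guest", "00:11:22:aa:bb:01", "WPA2", 6),
    ObservedNetwork("", "00:11:22:aa:bb:02", "WPA2", 11),
    ObservedNetwork("Finance-WiFi", "de:ad:be:ef:00:01", "WEP", 1),
    ObservedNetwork("linksys", "de:ad:be:ef:00:02", "OPEN", 6),
]

if __name__ == "__main__":
    results = audit_survey(SAMPLE_SURVEY)
    for bssid, kind in results:
        print(f"{bssid}  {kind}")
    print(summarize(results))
```

Run against the constructed survey, the two inventoried APs produce only a note that the second one relies on a hidden SSID, while both unknown BSSIDs are reported as rogue APs with weak encryption and poor naming; in practice the inventory would be exported from the management system and the survey from whatever scanner the team uses.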

Throughout this book, we point out ways the bad guys work when they’re
carrying out specific hacks. The more cognizant you are of the hacker mindset,
the deeper and broader your security testing will be — which leads to
increased wireless security.

Many hackers don’t necessarily want to steal your information or crash your
systems. They often just want to prove to themselves and their buddies that
they can break in. This likely creates a warm fuzzy feeling that makes them feel
like they’re contributing to society somehow. On the other hand, sometimes
they attack simply to get under the administrator’s skin. Sometimes they are
seeking revenge. Hackers may want to use a system so they can attack other
people’s networks under disguise. Or maybe they’re bored, and just want to
see what information is flying through the airwaves, there for the taking.

The “high-end” uberhackers go where the money is — literally. These are the
guys who break into online banks, e-commerce sites, and internal corporate
databases for financial gain. What better way to break into these systems than
through a vulnerable wireless network, making the real culprit harder to trace?
One AP or vulnerable wireless client is all it takes to get the ball rolling.
Whatever the reasons are behind all of these hacker shenanigans, the fact is
that your network, your information, and (heaven forbid) your job are at risk.

There’s no such thing as absolute security on any network — wireless or not.
It’s basically impossible to be completely proactive in securing your systems
since you cannot defend against an attack that hasn’t already happened.
Although you may not be able to prevent every type of attack, you can prepare,
prepare, and prepare some more — to deal with attacks more effectively
and minimize losses when they do occur.

Information security is like an arms race — the attacks and countermeasures
are always one-upping each other. The good thing is that for every new attack,
there will likely be a new defense developed. It’s just a matter of timing. Even
though we’ll never be able to put an end to the predatory behavior of unethical
cyber thugs, it’s comforting to know that there are just as many ethical
security professionals working hard every day to combat the threats.



Taken from:
Hacking Wireless Networks For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com
