The Wireless Hacking Process (1/2)
In This Chapter
1. Understanding the hacking process
2. The Ten Commandments of Ethical Hacking
3. Understanding the standards
4. Evaluating your results
We teach courses on ethical hacking — and when you’re teaching, you
need an outline. Our teaching outline always starts with the introduction
to the ethical-hacking process that comprises most of this chapter.
Inevitably, when the subject of an ethical hacking process comes up, the class
participants visibly slump into their chairs, palpable disappointment written
all over their faces. They cross their arms across their chests and shuffle
their feet. Some even jump up and run from class to catch up on their phone
calls. Why? Well, every class wants to jump right in and learn parlor tricks
they can use to amaze their friends and boss. But that takes procedure and
practice. Without a defined process, you may waste time doing nonessential
steps while omitting crucial ones. So bear with us for a while; this background
information may seem tedious, but it’s important.
Obeying the Ten Commandments of Ethical Hacking
In his book Hacking For Dummies (Wiley), Kevin discussed the hacker genre
and ethos. In Chapter 1, he enumerated the Ethical Hacking Commandments.
In that book, Kevin listed three commandments. But (as with everything in
networking) the list has grown to fill the available space. Now these commandments
were not brought down from Mount Sinai, but thou shalt follow
these commandments shouldst thou decide to become a believer in the doctrine
of ethical hacking. The Ten Commandments are
1. Thou shalt set thy goals.
2. Thou shalt plan thy work, lest thou go off course.
3. Thou shalt obtain permission.
4. Thou shalt work ethically.
5. Thou shalt work diligently.
6. Thou shalt respect the privacy of others.
7. Thou shalt do no harm.
8. Thou shalt use a scientific process.
9. Thou shalt not covet thy neighbor’s tools.
10. Thou shalt report all thy findings.
Thou shalt set thy goals
When Peter was a kid, he used to play a game at camp called Capture the
Flag. The camp counselors would split all the campers into two teams: one
with a red flag and one with a blue flag. The rules were simple: If you were on
the blue team, then you tried to find the red flag that the red team had hidden
and protected, and vice versa. Despite appearances, this game could get
rough — on the order of, say, Australian Rules Football. It was single-minded:
Capture the flag. This single-mindedness is similar to the goals of a penetration
test, a security test with a defined goal that ends either when the goal is
achieved or when time runs out. Getting access to a specific access point is
not much different from capturing a flag: Your opponent has hidden it and is
protecting it, and you’re trying to circumvent the defenses. Penetration testing
is Capture the Flag without the intense physical exercise.
How does ethical hacking relate to penetration testing? Ethical hacking is a
form of penetration testing; the term began as a marketing ploy but has come
to mean a penetration test of all systems, where there is more than one goal.
In either case, you have a goal. Your evaluation of the security of a wireless
network should seek answers to three basic questions:
1. What can an intruder see on the target access points or networks?
2. What can an intruder do with that information?
3. Does anyone at the target notice the intruder’s attempts — or successes?
You might set a simplistic goal, such as finding unauthorized wireless access
points. Or you might set a goal that requires you to obtain information from a
system on the wired network. Whatever you choose, you must articulate
your goal and communicate it to your sponsors.
Involve others in your goal-setting. If you don’t, you will find the planning
process quite difficult. The goal determines the plan. To paraphrase the
Cheshire Cat’s response to Alice: “If you don’t know where you are going, any
path will take you there.” Including stakeholders in the goal-setting process
will build trust that will pay off in spades later on.
Thou shalt plan thy work, lest thou go off course
Few, if any, of us have an unlimited budget. We usually are bound by one or
more constraints: money, personnel, or time. Consequently, it is important
for you to plan your testing.
With respect to your plan, you should do the following:
1. Identify the networks you intend to test.
2. Specify the testing interval.
3. Specify the testing process.
4. Develop a plan and share it with all stakeholders.
5. Obtain approval of the plan.
Share your plan. Socialize it with as many people as you can. Don’t worry
that lots of people will know that you are going to hack into the wireless network.
If your organization is like most others, then it’s unlikely they can
combat the organizational inertia to do anything to block your efforts. It is
important, though, to remember that you do want to do your testing under
“normal” conditions.
Thou shalt obtain permission
When it comes to asking for permission, remember the case of the Internal
Auditor who, when caught cashing a payroll check he didn’t earn, replied, “I
wasn’t stealing. I was just testing the controls of the system.” When doing ethical
hacking, don’t follow the old saw that “asking forgiveness is easier than
asking for permission.” Not asking for permission may land you in prison!
You must get your permission in writing. This permission may represent the
only thing standing between you and an ill-fitting black-and-white-striped suit
and a lengthy stay in the Heartbreak Hotel. You must ask for — and get — a
“get out of jail free” card. This card will state that you are authorized to perform
a test according to the plan. It should also say that the organization will
“stand behind you” in case you are criminally charged or sued. This means
they will provide legal and organizational support as long as you stayed
within the bounds of the original plan (see Commandment Two).
Thou shalt work ethically
The term ethical in this context means working professionally and with good
conscience. You must do nothing that is not in the approved plan or that has
been authorized after the approval of the plan.
As an ethical hacker, you are bound to confidentiality and non-disclosure of
information you uncover, and that includes the security-testing results. You
cannot divulge anything to individuals who do not “need-to-know.” What you
learn during your work is extremely sensitive — you must not openly share it.
Everything you do as an ethical hacker must be aboveboard, and must support
the goals of the organization. You should notify the organization whenever
you change the testing plan, change the source test venue, or detect
high-risk conditions — and before you run any new high-risk or high-traffic
tests, as well as when any testing problems occur.
You must also ensure you are compliant with your organization’s governance
and local laws. Do not perform an ethical hack when your policy expressly
forbids it — or when the law does.
Thou shalt keep records
Major attributes of an ethical hacker are patience and thoroughness. Doing
this work requires hours bent over a keyboard in a darkened room. You may
have to do some off-hours work to achieve your goals, but you don’t have to
wear hacker gear and drink Red Bull. What you do have to do is keep plugging
away until you reach your goal.
In the previous commandment we talked about acting professionally. One
hallmark of professionalism is keeping adequate records to support your
findings. When keeping paper or electronic notes, do the following:
- Log all work performed.
- Record all information directly into your log.
- Keep a duplicate of your log.
- Document — and date — every test.
- Keep factual records and record all work, even when you think you were not successful.
This record of your test design, outcome, and analysis is an important aspect
of your work. Your records will allow you to compile the information needed
for a written or oral report. You should take care in compiling your records.
Be diligent in your work and your documentation.
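One way to keep electronic notes that meet the list above, as an added example that is not from the book: a hash-chained, timestamped engagement log in Python (standard library only). Every test, successful or not, is appended with a date, the file is duplicated after each write, and the chain can be verified later so that an altered entry is detected. The file names and the sample log entries are constructed for the example.

```python
"""Hash-chained engagement log (constructed example, stdlib only)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # predecessor hash recorded for the first entry

def _digest(prev_hash: str, entry: dict) -> str:
    payload = json.dumps(entry, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

def append_entry(log: Path, test: str, outcome: str, notes: str = "") -> dict:
    """Record one test (record failures too) with a UTC timestamp and chain hash."""
    lines = log.read_text().splitlines() if log.exists() else []
    prev_hash = json.loads(lines[-1])["hash"] if lines else GENESIS
    entry = {"ts": datetime.now(timezone.utc).isoformat(),
             "test": test, "outcome": outcome, "notes": notes}
    entry["hash"] = _digest(prev_hash, entry)
    with log.open("a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    shutil.copyfile(log, log.with_suffix(".bak"))  # keep a duplicate of the log
    return entry

def verify_log(log: Path) -> tuple:
    """Recompute the chain; return (intact, entries verified before any break)."""
    prev_hash, count = GENESIS, 0
    for line in log.read_text().splitlines():
        entry = json.loads(line)
        stored = entry.pop("hash")
        if _digest(prev_hash, entry) != stored:
            return False, count
        prev_hash, count = stored, count + 1
    return True, count

def demo() -> tuple:
    """Write two dated entries, verify, then alter one outcome and verify again."""
    log = Path(tempfile.mkdtemp()) / "engagement.log"  # constructed path
    append_entry(log, "survey for unauthorized APs (constructed)", "none found")
    append_entry(log, "association test against lab AP (constructed)", "not successful")
    intact, n = verify_log(log)
    lines = log.read_text().splitlines()
    lines[1] = lines[1].replace("not successful", "successful")  # simulate tampering
    log.write_text("\n".join(lines) + "\n")
    tampered, m = verify_log(log)
    return intact, n, tampered, m
```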
Thou shalt respect the privacy of others
Treat the information you gather with the utmost respect. You must protect
the secrecy of confidential or personal information. All information you obtain
during your testing — for example, encryption keys or clear text passwords —
must be kept private. Don’t abuse your authority; use it responsibly. This
means you won’t (for example) snoop into confidential corporate records or
private lives. Treat the information with the same care you would give to
your own personal information.
Thou shalt do no harm
The prime directive for ethical hacking is, “Do no harm.” Remember that the
actions you take may have unplanned repercussions. It’s easy to get caught
up in the gratifying work of ethical hacking. You try something, and it works,
so you keep going. Unfortunately, by doing this you may easily cause an
outage of some sort, or trample on someone else’s rights. Resist the urge to
go too far — and stick to your original plan.
Also, you must understand the nature of your tools. Far too often, people jump
in and start using the tools shown in this book without truly understanding the
full implications of the tool. They do not understand that setting up a
monkey-in-the-middle attack, for example, creates a denial of service. Relax, take a deep
breath, set your goals, plan your work, select your tools, and (oh yeah) read
the documentation.
Many of the tools we discuss here allow you to control the depth and breadth
of the tests you perform. Remember this point when you want to run your
tests on the wireless access point where your boss connects!
Thou shalt use a “scientific” process
By this commandment, we don’t mean that you necessarily have to follow
every single step of the scientific process, but rather that you adopt some of
its principles in your work. Adopting a quasi-scientific process provides some
structure and prevents undue chaos (of the sort that can result from a
random walk through your networks).
For our purposes, the scientific process has three steps:
1. Select a goal and develop your plan.
2. Test your networks and systems to address your goals.
3. Persuade your organization to acknowledge your work.
We address the first two steps in previous commandments, so let’s look at the
third step here. Your work should garner greater acceptance when you adopt
an empirical method. An empirical method has the following attributes:
1. Set quantifiable goals: The essence of selecting a goal (such as capturing
the flag) is that you know when you’ve reached it. You either possess
the flag or you don’t. Pick a goal that you can quantify: associating with
ten access points, broken encryption keys or a file from an internal server.
Time-quantifiable goals, such as testing your systems to see how they
stand up to three days of concerted attack, are also good.
2. Tests are consistent and repeatable: If you scan your network twice and
get different results each time, this is not consistent. You must provide
an explanation for the inconsistency, or the test is invalid. If we repeat
your test, will we get the same results? When a test is repeatable or
replicable, you can conclude confidently that the same result will occur
no matter how many times you replicate it.
3. Tests are valid beyond the “now” time frame: When your results are
true, your organization will receive your tests with more enthusiasm if
you’ve addressed a persistent or permanent problem, rather than a temporary
or transitory problem.
Thou shalt not covet thy neighbor’s tools
No matter how many tools you may have, you will discover new ones. Wireless
hacking tools are rife on the Internet — and more are coming out all the time.
The temptation to grab them all is fierce. Take, for instance, “wardriving” tools.
Early on, your choices of software to use for this “fascinating hobby” were
limited. You could download and use Network Stumbler, commonly called
NetStumbler, on a Windows platform, or you could use Kismet on Linux. But
these days, you have many more choices: Aerosol, Airosniff, Airscanner,
APsniff, BSD-Airtools, dstumbler, Gwireless, iStumbler, KisMAC, MacStumbler,
MiniStumbler, Mognet, PocketWarrior, pocketWiNc, THC-RUT, THC-Scan, THC-WarDrive,
Radiate, WarLinux, Wellenreiter, WiStumbler, and Wlandump, to name
a few. And those are just the free ones. You also could purchase AirMagnet,
Airopeek, Air Sniffer, AP Scanner, NetChaser, Sniff-em, Sniffer Wireless . . . well,
you get the idea. Should you have unlimited time and budget, you could use
all these tools. But we suggest you pick one tool and stick with it. (We give
you a closer look at some from this list in Chapters 9 and 10.)
Taken from:
Hacking Wireless Networks For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com