Security: Tools of the Trade – Wi-Fi
by Steve Ragan - Apr 28 2008, 18:38
Security experts all agree on one thing: to get the job done right, you need the right set of tools. The tools an ethical hacker, pentester, or plain security admin uses vary from job to job. This article covers some of the better-known tools for discovering and accessing wireless networks.
This is far from a complete list. The truth is that these tools are so common everyone has them. Criminals use them as readily as an IT employee does, and so do basement hackers and security hobbyists. There are countless wireless tools available; this list covers the popular ones, explains what they do, and says where you can get them.
Sniffing:
You will see this term in most security articles. Sniffing is short for packet sniffing, sometimes called network sniffing or protocol analysis. The general description from Wikipedia works well: “…computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.”
The Wikipedia article links to several good sources of information and is highly recommended for research usage: http://en.wikipedia.org/wiki/Packet_sniffer
Wireshark
Wireshark is the new name for another tool, Ethereal. Several books have been written on this tool, and it is hard to find an IT department, school, or security person who has not heard of it.
Wireshark, now in version 1.0.0, is a free tool for UNIX, Linux, and Windows systems. It can capture packets and browse them live or offline, from both wireless and wired (Ethernet) networks. When supplied with the relevant keys, Wireshark can also decrypt the following protocols:
IPsec
ISAKMP
Kerberos
SNMPv3
SSL/TLS
WEP
WPA/WPA2
Download it here: http://www.wireshark.org/download.html
Kismet
Kismet is a console-based sniffer. Calling this tool powerful does not do it justice. When testing the security of a wireless network, or using it to discover wireless networks, you need this tool. It is available for Linux, UNIX, OS X, and Windows, so there is no professional or IT department that can't install and use it.
Note: Please remember not to confuse Kismet with KisMAC. KisMAC is a GUI-based stumbler and was around long before Kismet was ported to OS X. KisMAC shares many of Kismet's features, but they are different tools. (KisMAC: http://kismac.de/)
Among Kismet's features are passive wireless network identification, de-cloaking of hidden wireless networks, detection of IP blocks, and logging of captured traffic in a format that Wireshark can read. (IP block discovery works by sniffing TCP, UDP, ARP, and DHCP traffic, which is why an earlier feature on wireless told you that disabling DHCP as a security measure is worthless.)
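To show why the DHCP point holds, here is an added illustration (not Kismet's code) of how a passive sniffer can infer the address block from ARP alone: ARP carries sender and target IPv4 addresses in the clear, so every station that resolves a neighbour reveals its own address even on a statically configured network. The frames are constructed inline for the example; the helper names are the author's own.

```python
import ipaddress
import struct

# Constructed sample frames: Ethernet II + ARP, as a passive sniffer would
# see them on a network with no DHCP server at all.
def _arp_frame(sender_mac, sender_ip, target_ip, opcode=1):
    eth = b"\xff\xff\xff\xff\xff\xff" + bytes.fromhex(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += bytes.fromhex(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

SAMPLE_FRAMES = [
    _arp_frame("0011223344aa", "10.42.7.20", "10.42.7.1"),
    _arp_frame("0011223344bb", "10.42.7.1", "10.42.7.20", opcode=2),
    _arp_frame("0011223344cc", "10.42.7.135", "10.42.7.1"),
    _arp_frame("0011223344dd", "10.42.7.240", "10.42.7.1"),
]

def arp_ips(frame):
    """Return (sender, target) IPv4 addresses from an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    hw_type, proto, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet/IPv4 ARP only
        return None
    sender = ipaddress.IPv4Address(frame[28:32])  # sender protocol address
    target = ipaddress.IPv4Address(frame[38:42])  # target protocol address
    return sender, target

def infer_ip_block(frames):
    """Smallest IPv4 network that contains every address seen in ARP traffic."""
    seen = set()
    for frame in frames:
        ips = arp_ips(frame)
        if ips:
            # ARP probes use 0.0.0.0 as sender; that tells us nothing about the block.
            seen.update(ip for ip in ips if not ip.is_unspecified)
    if not seen:
        return None
    ints = [int(ip) for ip in seen]
    prefix = 32
    # Shorten the prefix until all observed addresses share it.
    while prefix > 0 and len({i >> (32 - prefix) for i in ints}) > 1:
        prefix -= 1
    base = (min(ints) >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix))

if __name__ == "__main__":
    print(infer_ip_block(SAMPLE_FRAMES))  # 10.42.7.0/24
```

The only mitigation here is the one the page's other tools imply: encryption that hides the frame payload, not the absence of a DHCP server.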
NetStumbler
NetStumbler is a tool for Windows that became popular when wardriving took off. Use it to discover wireless networks running 802.11a/b/g. The tool is small, and there is a port for Windows CE.
Network discovery, verification of network connections, coverage discovery (good for locating spots with poor Wi-Fi coverage), and detection of “rogue” access points are just some of the features and uses.
http://www.netstumbler.com/downloads/
NMAP and TCPDump
These two tools are classics, the original applications in the toolkit of many network watchers. TCPDump is the grandfather of Wireshark; while slightly dated, it is still relevant and still in use today. (WinDump is the Windows port of TCPDump.)
It should also be mentioned that TCPDump is the source of libpcap and WinPcap, which are used by the next tool, Nmap.
TCPDump: http://www.tcpdump.org/
WinDump: http://tinyurl.com/5uucw3
Nmap (Network Mapper) is a free utility for exploring your network. It is designed for larger networks but works well on small ones too. It can map any network, even one full of appliances such as IP filters, firewalls, and routers. Port scanning, ping sweeps, OS detection, version detection, and dozens of other options are available.
Accessing the wireless network:
Using the tools listed above, you can build a solid map of the wireless network. With this information you know how the wireless network is designed and how it works, and as an IT admin you can see where it is weak.
Now the trick is to take this information and access the network. Criminals do this with the same tools, so there is no reason legitimate testing cannot use the same tool set.
Aircrack-ng and aircrack-ptw
Aircrack-ng is the newest version of Aircrack. It offers better documentation and support, as well as better coverage of existing wireless cards. Other new features include better OS support, the fragmentation attack, improved WEP cracking speed, a new WEP attack (PTW), new dictionary attacks (brute forcing the password), and better capture with multi-card support.
Aircrack-ng targets WEP-protected networks and makes short work of WEP keys. With the improved dictionary attacks and the performance gains that make cracking faster, Aircrack-ng is the suite that pretty much every wireless security tester has at their disposal.
http://www.aircrack-ng.org/doku.php
The tool aircrack-ptw is a proof-of-concept tool for recovering WEP keys. “Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets,” the developers state.
“For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40 bit keys too with an even higher success probability.”
http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
coWPAtty
coWPAtty is designed to crack WPA-PSK protection. Built for Linux/UNIX systems, it needs a libpcap capture file containing the TKIP four-way handshake and a wordlist of your own with which to launch a dictionary attack.
http://wirelessdefence.org/Contents/coWPAttyMain.htm
There are so many wireless tools that, from an auditing standpoint, it would be impossible to list them all. Here are two links that will give you a sampling of some of the best.
http://sectools.org/
http://www.wardrive.net/wardriving/tools/