Wi-Foo: The Secrets of Wireless Hacking

Paperback | June 28, 2004

by Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky



From the Jacket

The definitive guide to penetrating and defending wireless networks. Straight from the field, this is the definitive guide to hacking wireless networks. Authored by world-renowned wireless security auditors, this hands-on, practical guide covers everything you need to attack -- or protect -- any wireless network. The authors in...

The authors have been active participants in the IT security community for many years and are security testers for leading wireless equipment vendors. Andrew A. Vladimirov leads the wireless consultancy division at Arhont Ltd, one of the UK's leading security consultants. He was one of the UK's first IT professionals to obtain the ...

Other books by Andrew Vladimirov

Assessing Information Security: Strategies, Tactics, Logic and Framework (Kobo ebook, Mar 4 2010)

Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions (Kobo ebook, Jan 1 2006)
Format: Paperback
Dimensions: 592 pages, 9 × 6.9 × 1.3 in
Published: June 28, 2004
Publisher: Pearson Education
Language: English

The following ISBNs are associated with this title:

ISBN-10: 0321202171

ISBN-13: 9780321202178

Read from the Book

Introduction

"Our first obligation is to keep the Foo Counters turning." --RFC3092

Why Does Wi-Foo Exist and for Whom Did We Write It?

There are multiple white papers and books available on wireless security (only two years ago you would have hardly found any). Many of them, including this book, are centered around 802.11 standards. Most explain the built-in security features of 802.11 protocols, explain future 802.11 security standards development and requirements, list (and sometimes describe in detail) known security weaknesses of 802.11 networks, and describe the countermeasures that a wireless network manager or system administrator can take to reduce the risks presented by these flaws. However, all books (except this one) do not describe how "hackers" can successfully attack wireless networks and how system administrators can detect and defeat these attacks, step by step, as the actual attack takes place.

We believe that the market needs above all else a hands-on, down-to-earth source on penetration testing of wireless networks. Such a source should come from the field and be based on the practical experience of penetrating a great number of client and testing wireless networks, an experience that many in the underground and few in the information security community possess. As a core of the Arhont wireless security auditing team, we perform wireless penetration testing on an almost daily basis and we hope that our experience will give you a good jump start on practical wireless security assessment and further network hardening.

If you are a curious individual who just got a PCMCIA card and a copy of the Netstumbler, we hope that this book will teach you about real wireless security and show, in the words of one of the main heroes of The Matrix, "how deep the rabbit hole goes." You will, hopefully, understand what is possible to do security-wise with the wireless network and what isn't; what is considered to be legal and what crosses the line. In the second, defense-oriented section of the book, you will see that, despite all the limitations of wireless security, an attacker can be successfully traced and caught. At the same time, we hope that you will see that defending wireless networks can be as thrilling and fascinating as finding and attacking them, and you could easily end up as a local wireless community security guru or even choose a professional path in this area. If you do participate in a wireless community project, you can raise awareness of wireless security issues in the community and help educate and inform others and show them that "open and free" does not mean "exploited and abused." If you run your own home wireless LAN, we take it for granted that it will be far more difficult to break into after you finish reading this book.

If you are a system administrator or network manager, proper penetration testing of your wireless network is not just the only way to see how vulnerable your network is to both external and internal attackers, but also the only way to demonstrate to your management the need for additional security safeguards, training, and consultants. Leaving the security of your wireless network unattended is asking for trouble, and designing a network with security in mind from the very beginning saves you time, effort, and perhaps your job. Unless the threats are properly understood by top management, you won't be able to implement the security measures you would like to see on your WLAN, or make the best use of the expertise of external auditors and consultants invited to test, troubleshoot, and harden the wireless network. If you decide (or are required) to tackle wireless security problems yourself, we hope that the defense section of the book will be your lifeline. If the network and company happen to be yours, it might even save you a lot of cash (hint: open source).

If you are a security consultant working within the wireless security field or expanding your skills from the wired to the wireless world, you might find a lack of structure in the on-line information and a lack of practical recommendations (down to the command line and configuration files) in the currently available literature; this book will fill the vacuum. The most prestigious and essential certification in the wireless security area at the time of writing is the Certified Wireless Security Professional (CWSP; see the "Certifications" section at http://www.cwne.com). People who have this certification have shown that they have a sufficient understanding of wireless security problems and some hands-on skills in securing real-life wireless networks. Because the CWSP certification is vendor-independent, by definition the CWSP preparation guide cannot go into specific software installation, configuration, troubleshooting, and use in depth. Thus, this book is a very useful aid in CWSP exam preparation, helping the reader comprehend the studied issues on a "how-to" level. In fact, the structure of this book (planned half a year before the release of the official CWSP study guide) is similar to the guide structure: The description of attack methods is followed by chapters devoted to the defensive countermeasures. After that, as you will see, the similarities between the books end.

Finally, if you are a cracker keen on breaking into a few networks to demonstrate to that "sad outside world" your "31337 2k1LLz," our guess is that what you are going to read here can be useful for your "h4x0r1ng" explorations, in the same manner that sources like Securityfocus or Packetstorm are. Neither these sites nor this book are designed for your kind, though (the three categories of people we had in mind when writing it are listed earlier).

We believe in a free flow of information and sensible open disclosure (as, e.g., outlined by the second version of the infamous RFPolicy; see http://www.wiretrip.net/rfp/policy.html). What you do with this information is your responsibility, and the problems you might get into while using it the illicit way are yours, not ours. The literature on martial arts is not banned because street thugs might use the described techniques against their victims, and the same applies to the informational "martial arts" (consider this one of the subreasons for the name of this book). In fact, how often are you attacked by the possessors of (rightfully earned) black belts on streets or in bars without being an offender yourself? Real masters of the arts do not start fights, and true experts in information security do not go around defacing Web sites or trying to get "a fatter free pipe for more w4r3z." If you are truly keen on wireless security, you will end up as a wireless security application developer, security system administrator, or consultant. Although it is not an example from the wireless side of the world, take a close look at Kevin Mitnick, or read his recent "The Art of Deception" work. If you remain on the "m3 0wnZ j00" level, you will end up living without the Internet behind bars in some remote prison cell, and no manuals, books, or tools will save you. It's the mindset that puts "getting root by any means to impress my mates and satisfy my ego" before knowledge and understanding that is flawed.

What About the Funky Name?

All that we describe here we did first for fun and only then for profit. It is an art, in a sense, of informational warfare over the microwave medium that involves continuing effort and passion, on both the attacking and defending sides. Currently the attacking side appears to be more persistent and thus more efficient: new attack tools and methodologies appear on a monthly, if not weekly, basis. At the same time, the majority of wireless networks we have observed and evaluated were frankly "foo bar'ed." For a non-geek, that term means, roughly, "messed up beyond human comprehension." There are far more colorful definitions of this great and useful term, and the curious reader is referred to Google for the deep linguistic investigations of all things foo and bar. Don't forget to stop by http://www.ietf.org/rfc/rfc3092.txt on your journey for truth. The "foo bar" state applies to both real-world wireless security (you would be surprised by the number of completely open wireless networks around, without even minimal available security features enabled) and some other issues. Such issues primarily include radio frequency side misconfigurations--access points transmitting on the same and overlapping channels, incorrectly positioned antennas, incorrectly chosen transmission power level, and so on. Obviously, 802.11-Foo would be a more technically correct name for the book (not every 802.11 device is wireless fidelity-certified) but, admit it, Wi-Foo sounds better :).

To comment on the "hacking" part of the title, in the Western world there are two sides constantly arguing about the meaning of this term. Whereas the popular media and the public opinion it fosters identify "hacking" with breaking systems and network security for fun, knowledge, or nefarious aims, old-time programmers and system administrators tend to think that "hacking" is tweaking and tinkering with software and hardware (and not only) to solve various technical problems employing lateral thinking. A good illustration of the second approach to the term is Richard Stallman's "On Hacking" article, which you can enjoy at http://www.stallman.org/articles/on-hacking.html. In our case it is the second applied to the first, with nefarious aims taken away and defense methodologies added. No network is the same, and this statement applies to wireless networks far more than to their wired counterparts. Have you ever seen a wired network affected by heavy rain, blossoming trees, or the 3D position of the network hosts? Can the security of an Ethernet LAN segment be dependent on the chipsets of network client cards? Although this book tries to be as practical as possible, no solution or technique presented is an absolute, universal truth, and you will find that a lot of tweaking (read: hacking) for the particular network you are working on (both attack- and defense-wise) is required. Good luck, and let the packets be with you.

How This Book Is Organized

Practically every wired or wireless network security book available starts with an outline of the seven Open Systems Interconnection (OSI) layers, probably followed by explaining "the CISSP triad" (confidentiality, integrity, and availability), basic security principles, and an introduction to the technology described. These books also include an introductory chapter on cryptography normally populated by characters called Bob, Alice, Melanie, and of course, Eve, who tends to be an evil private key snatcher. This book is different: We assume that the reader has basic knowledge of the OSI and TCP/IP layers, understands the difference between infrastructure / managed and independent / ad-hoc wireless networks, and can distinguish between common IEEE 802 standards. Describing the basics of networking or the detailed operations of wireless networks would constitute two separate books on their own, and such well-written books are easily found (for 802.11 essentials we strongly recommend the Official CWNA Study Guide and O'Reilly's 802.11 Wireless Networks: The Definitive Guide). However, you'll find a lot of data on 802.11 network standards and operations here where outlining it is appropriate, often in the form of the inserted "foundations" boxes.

Also, there is a cryptography part that isn't directly related to everything wireless, but is absolutely vital for proper virtual private network (VPN) deployment, wireless user authentication, and other security practices outlined in the following chapters. We skimmed through a lot of cryptographic literature and have been unable to find anything written specifically for system and network administrators and managers to cover practical networking conditions, taking into account the access media, bandwidth available, deployed hosts' CPU architecture, and so forth. Chapters 11 and 12 will be such a source, and we hope they will help you even if you have never encountered practical cryptography issues at all or aren't an experienced cryptographer, cryptanalyst, or cryptologist.

We have divided the book into two large parts: Attack and Defense. Although the Attack half is self-sufficient if your only aim is wireless security auditing, the Defense part is heavily dependent on understanding who the attackers might be, why they would crack your network, and, most important, how it can be done. Thus, we recommend reading the Attack part first unless you are using Wi-Foo as a reference. This part begins with a rather nontechnical discussion outlining the wireless security situation in the real world, types of wireless attackers, and their motivations, objectives, and target preferences. It is followed by structured recommendations on selecting and setting up the hardware and software needed to perform efficient wireless security testing. We try to stay impartial, do not limit ourselves to a particular group of vendors, and provide many tips on getting the best from the hardware and utilities you might already have. After all, not every reader is capable of devoting his or her resources to building an ultimate wireless hacking machine, and every piece of wireless hardware has its strong and weak sides. When we do advise the use of some particular hardware item, there are sound technical reasons behind any such recommendation: the chipset, radio frequency transceiver characteristics, antenna properties, availability of the driver source code, and so on.

The discussion of standard wireless configuration utilities such as Linux Wireless Tools is set to get the most out of these tools security-wise and flows into the description of wireless penetration testing-specific software. Just like the hardware discussion before it, this description is structured, splitting all available tools into groups with well-defined functions rather than listing them in alphabetic or random order. These groups include wireless network discovery tools, protocol analyzers, encryption cracking tools, custom 802.11 frame construction kits, and various access point management utilities useful for access point security testing. Whereas many "network security testing" books are limited to describing what kind of vulnerabilities there are and which tools are available to exploit them, we carry the discussion further, outlining the intelligent planning for a proper audit (or attack) and walking the reader step by step through the different attack scenarios, depending on the protection level of the target network. We outline advanced attack cases, including exploiting possible weaknesses in the yet unreleased 802.11i standard, accelerating WEP cracking, launching sneaky layer 2 man-in-the-middle and denial of service attacks, and even trying to defeat various higher layer security protocols such as PPTP, SSL, and IPSec. Finally, the worst case scenario, a cracker being able to do anything he or she wants with a penetrated wireless network, is analyzed, demonstrating how the individual wireless hosts can be broken into, the wired side of the network assaulted, connections hijacked, traffic redirected, and the firewall separating wireless and wired sides bypassed.

The Attack chapters demonstrate the real threat of a wireless network being abused by crackers and underline the statement repeated throughout the book many times: Wireless security auditing goes far beyond discovering the network and cracking WEP. In a similar manner, wireless network hardening goes beyond WEP, MAC address filtering, and even the current 802.11i developments. The latter statement would be considered blasphemy by many, but we are entitled to our opinion. As the Attack part demonstrates, the 802.11i standard is not without its flaws, and there will be cases in which it cannot be fully implemented for various administrative and financial reasons. Besides, we believe that any network security should be a multilayered process without complete dependence on a single safeguard, no matter how great the safeguard is. Thus, the primary aim of the Defense part of the book is giving readers the choice. Of course, we dwell on the impressive work done by the "i" task force at mitigating the threats to which all pre-802.11i wireless LANs are exposed. Nevertheless, we spend a sufficient amount of time describing the defense of wireless networks at the higher protocol layers. Such defense methodologies include mutually authenticated IPSec implementations, authentication methods alternative to 802.1x, proper network design, positioning and secure gateway deployment, protocol filtering, SSL/TLS use, and ssh port forwarding. The final chapter in the book is devoted to the last (or first?) line of defense on wireless networks, namely wireless-specific intrusion detection. It demonstrates that wireless attackers are not as untraceable as they might think and gives tips on the development and deployment of affordable do-it-yourself wireless IDS systems and sensors. It also lists some well-known high-end commercial wireless IDS appliances.

Even though we have barely scratched the surface of the wireless security world, we hope that this book will be useful for you as both a wireless attack and defense guide and a reference. We hope to receive great feedback from our audience, mainly in the form of fewer insecure wireless networks in our Kismet output and new exciting wireless security tools, protocols, and methodologies showing up to make the contents of this book obsolete.

Table of Contents

Introduction.

1. Real World Wireless Security.

    Why Do We Concentrate on 802.11 Security?

    Getting a Grip on Reality: Wide Open 802.11 Networks Around Us.

    The Future of 802.11 Security: Is It as Bright as It Seems?

    Summary.

2. Under Siege.

    Why Are “They” After Your Wireless Network?

    Wireless Crackers: Who Are They?

    Corporations, Small Companies, and Home Users: Targets Acquired.

    Target Yourself: Penetration Testing as Your First Line of Defense.

    Summary.

3. Putting the Gear Together: 802.11 Hardware.

    PDAs Versus Laptops.

    PCMCIA and CF Wireless Cards.

      Selecting or Assessing Your Wireless Client Card Chipset.

        Prism Chipset.

        Cisco Aironet Chipset.

        Hermes Chipset.

        Symbol Chipset.

        Atheros Chipset.

        ADM8211 Chipset.

      Other Chipsets That Are Common in Later Models of 802.11-Compatible Devices.

      Selecting or Assessing Your Wireless Client Card RF Characteristics.

    Antennas.

    RF Amplifiers.

    RF Cables and Connectors.

    Summary.

4. Making the Engine Run: 802.11 Drivers and Utilities.

    Operating System, Open Source, and Closed Source.

    The Engine: Chipsets, Drivers, and Commands.

      Making Your Client Card Work with Linux and BSD.

    Getting Used to Efficient Wireless Interface Configuration.

      Linux Wireless Extensions.

      Linux-wlan-ng Utilities.

      Cisco Aironet Configuration.

      Configuring Wireless Client Cards on BSD Systems.

    Summary.

5. Learning to WarDrive: Network Mapping and Site Surveying.

    Active Scanning in Wireless Network Discovery.

    Monitor Mode Network Discovery and Traffic Analysis Tools.

      Kismet.

        Kismet and GpsDrive Integration.

      Wellenreiter.

      Airtraf.

      Gtkskan.

      Airfart.

      Mognet.

      WifiScanner.

      Miscellaneous Command-Line Scripts and Utilities.

      BSD Tools for Wireless Network Discovery and Traffic Logging.

    Tools That Use the iwlist scan Command.

    RF Signal Strength Monitoring Tools.

    Summary.

6. Assembling the Arsenal: Tools of the Trade.

    Encryption Cracking Tools.

      WEP Crackers.

        AirSnort.

        Wepcrack.

        Dweputils.

        Wep_tools.

        WepAttack.

      Tools to Retrieve WEP Keys Stored on the Client Hosts.

      Traffic Injection Tools Used to Accelerate WEP Cracking.

      802.1x Cracking Tools.

        Asleap-imp and Leap.

        Leapcrack.

    Wireless Frame-Generating Tools.

      AirJack.

      File2air.

      Libwlan.

      FakeAP.

      Void11.

      Wnet.

    Wireless Encrypted Traffic Injection Tools: Wepwedgie.

    Access Point Management Utilities.

    Summary.

7. Planning the Attack.

    The “Rig”.

    Network Footprinting.

    Site Survey Considerations and Planning.

    Proper Attack Timing and Battery Power Preservation.

    Stealth Issues in Wireless Penetration Testing.

    An Attack Sequence Walk-Through.

    Summary.

8. Breaking Through.

    The Easiest Way to Get in.

    A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering.

    Picking a Trivial Lock: Various Means of Cracking WEP.

      WEP Brute-Forcing.

      The FMS Attack.

      An Improved FMS Attack.

    Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking.

    Field Observations in WEP Cracking.

    Cracking TKIP: The New Menace.

    The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment.

      DIY: Rogue Access Points and Wireless Bridges for Penetration Testing.

      Hit or Miss: Physical Layer Man-in-the-Middle Attacks.

      Phishing in the Air: Man-in-the-Middle Attacks Combined.

    Breaking the Secure Safe.

      Crashing the Doors: Authentication Systems Attacks.

      Tapping the Tunnels: Attacks Against VPNs.

    The Last Resort: Wireless DoS Attacks.

      1. Physical Layer Attacks or Jamming.

      2. Spoofed Deassociation and Deauthentication Frames Floods.

      3. Spoofed Malformed Authentication Frame Attack.

      4. Filling Up the Access Point Association and Authentication Buffers.

      5. Frame Deletion Attack.

      6. DoS Attacks Based on Specific Wireless Network Settings.

      7. Attacks Against 802.11i Implementations.

    Summary.

9. Looting and Pillaging: The Enemy Inside.

    Step 1: Analyze the Network Traffic.

      802.11 Frames.

      Plaintext Data Transmission and Authentication Protocols.

      Network Protocols with Known Insecurities.

      DHCP, Routing, and Gateway Resilience Protocols.

      Syslog and NTP Traffic.

      Protocols That Shouldn’t Be There.

    Step 2: Associate to WLAN and Detect Sniffers.

    Step 3: Identify the Hosts Present and Perform Passive Operating System Fingerprinting.

    Step 4: Scan and Exploit Vulnerable Hosts on WLAN.

    Step 5: Take the Attack to the Wired Side.

    Step 6: Check Wireless-to-Wired Gateway Egress Filtering Rules.

    Summary.

10. Building the Citadel: An Introduction to Wireless LAN Defense.

    Wireless Security Policy: The Cornerstone.

      1. Device Acceptability, Registration, Update, and Monitoring.

      2. User Education and Responsibility.

      3. Physical Security.

      4. Physical Layer Security.

      5. Network Deployment and Positioning.

      6. Security Countermeasures.

      7. Network Monitoring and Incident Response.

      8. Network Security and Stability Audits.

    Layer 1 Wireless Security Basics.

    The Usefulness of WEP, Closed ESSIDs, MAC Filtering, and SSH Port Forwarding.

    Secure Wireless Network Positioning and VLANs.

      Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design.

    Deploying a Linux-Based, Custom-Built Hardened Wireless Gateway.

    Proprietary Improvements to WEP and WEP Usage.

    802.11i Wireless Security Standard and WPA: The New Hope.

      Introducing the Sentinel: 802.1x.

      Patching the Major Hole: TKIP and CCMP.

    Summary.

11. Introduction to Applied Cryptography: Symmetric Ciphers.

    Introduction to Applied Cryptography and Steganography.

    Modern-Day Cipher Structure and Operation Modes.

      A Classical Example: Dissecting DES.

      Kerckhoff’s Rule and Cipher Secrecy.

      The 802.11i Primer: A Cipher to Help Another Cipher.

      There Is More to a Cipher Than the Cipher: Understanding Cipher Operation Modes.

    Bit by Bit: Streaming Ciphers and Wireless Security.

    The Quest for AES.

      AES (Rijndael).

      MARS.

      RC6.

      Twofish.

      Serpent.

    Between DES and AES: Common Ciphers of the Transition Period.

      3DES.

      Blowfish.

      IDEA.

    Selecting a Symmetric Cipher for Your Networking or Programming Needs.

    Summary.

12. Cryptographic Data Integrity Protection, Key Exchange, and User Authentication Mechanisms.

    Cryptographic Hash Functions.

    Dissecting an Example Standard One-Way Hash Function.

    Hash Functions, Their Performance, and HMACs.

      MIC: Weaker But Faster.

      Asymmetric Cryptography: A Different Animal.

      The Examples of Asymmetric Ciphers: ElGamal, RSA, and Elliptic Curves.

      Practical Use of Asymmetric Cryptography: Key Distribution, Authentication, and Digital Signatures.

    Summary.

13. The Fortress Gates: User Authentication in Wireless Security.

    RADIUS.

      Basics of AAA Framework.

        Authentication.

        Authorization.

        Accounting.

      An Overview of the RADIUS Protocol.

      RADIUS Features.

      Packet Formats.

      Packet Types.

    Installation of FreeRADIUS.

      Configuration.

        clients.conf.

        naslist.

        radiusd.conf.

        realms.

        users.

    User Accounting.

    RADIUS Vulnerabilities.

      Response Authenticator Attack.

      Password Attribute-Based Shared Secret Attack.

      User Password-Based Attack.

      Request Authenticator-Based Attacks.

      Replay of Server Responses.

      Shared Secret Issues.

    RADIUS-Related Tools.

    802.1x: The Gates to Your Wireless Fortress.

      Basics of EAP-TLS.

        Packet Format.

        Creating Certificates.

      FreeRADIUS Integration.

        radiusd.conf.

        users.

      Supplicants.

        Linux.

        Windows 2000 and Windows XP.

      An Example of Access Point Configuration: Orinoco AP-2000.

    LDAP.

      Overview.

        What Is a Directory Service?

        What Is LDAP?

        How Does LDAP Work?

      Installation of OpenLDAP.

        Satisfying Dependencies.

      Configuration of OpenLDAP.

      Testing LDAP.

      Populating the LDAP Database.

      Centralizing Authentication with LDAP.

      Mobile Users and LDAP.

      LDAP-Related Tools.

        Directory Administrator.

        LdapExplorer.

        YALA.

        LDAP Tool.

    NoCat: An Alternative Method of Wireless User Authentication.

      Installation and Configuration of NoCat Gateway.

      Installation and Configuration of Authentication Server.

    Summary.

14. Guarding the Airwaves: Deploying Higher-Layer Wireless VPNs.

    Why You Might Want to Deploy a VPN.

    VPN Topologies Review: The Wireless Perspective.

      Network-to-Network.

      Host-to-Network.

      Host-to-Host.

      Star.

      Mesh.

    Common VPN and Tunneling Protocols.

      IPSec.

      PPTP.

      GRE.

      L2TP.

    Alternative VPN Implementations.

      cIPe.

      OpenVPN.

      VTun.

    The Main Player in the Field: IPSec Protocols, Operations, and Modes Overview.

      Security Associations.

      AH.

      ESP.

      IP Compression.

      IPSec Key Exchange and Management Protocol.

      IKE.

        Phase 1 Modes of Operation.

        Phase 2 Mode of Operation.

      Perfect Forward Secrecy.

      Dead Peer Discovery.

      IPSec Road Warrior.

      Opportunistic Encryption.

    Deploying Affordable IPSec VPNs with FreeS/WAN.

      FreeS/WAN Compilation.

      FreeS/WAN Configuration.

        Key Generation.

        X.509 Certificate Generation.

        Ipsec.conf Organization.

      Network-to-Network VPN Topology Setting.

      Host-to-Network VPN Topology Setting.

      Windows 2000 Client Setup.

      Windows 2000 IPSec Client Configuration.

    Summary.

15. Counterintelligence: Wireless IDS Systems.

    Categorizing Suspicious Events on WLANs.

      1. RF/Physical Layer Events.

      2. Management/Control Frames Events.

      3. 802.1x/EAP Frames Events.

      4. WEP-Related Events.

      5. General Connectivity/Traffic Flow Events.

      6. Miscellaneous Events.

    Examples and Analysis of Common Wireless Attack Signatures.

    Radars Up! Deploying a Wireless IDS Solution for Your WLAN.

      Commercial Wireless IDS Systems.

      Open Source Wireless IDS Settings and Configuration.

      A Few Recommendations for DIY Wireless IDS Sensor Construction.

    Summary.

    Afterword.

Appendix A. Decibel—Watts Conversion Table.

Appendix B. 802.11 Wireless Equipment.

Appendix C. Antenna Irradiation Patterns.

    Omni-Directionals.

    Semi-Directionals.

    Highly-Directionals.

Appendix D. Wireless Utilities Manpages.

    1. Iwconfig.

    2. Iwpriv.

    3. Iwlist.

    4. Wicontrol.

    5. Ancontrol.

Appendix E. Signal Loss for Obstacle Types.

Appendix F. Warchalking Signs.

    Original Signs.

    Proposed New Signs.

Appendix G. Wireless Penetration Testing Template.

    Arhont Ltd Wireless Network Security and Stability Audit Checklist Template.

    1 Reasons for an audit.

    2 Preliminary investigations.

    3 Wireless site survey.

    4 Network security features present.

    5 Network problems / anomalies detected.

    6 Wireless penetration testing procedure.

    7 Final recommendations.

Appendix H. Default SSIDs for Several Common 802.11 Products.

Glossary.

Index.