Inside the hacker's toolbox

Computerworld -

Hackers—as well as white hat researchers—are notorious for quickly breaking the new security standards soon after the standards are released and they did so again with the standards for wireless LANs. The following are a few examples of the hardware and freeware tools available on the Internet.

• Freeware tools: New WLAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. Rather than wait for a hacker to attack your network, security managers should familiarize themselves with tools and learn how to defend against them. The table on this page gives a few examples of widely available freeware tools.
  
  
  
  










Tool Description NetStumbler Freeware wireless access point identifier – listens for SSIDs & sends beacons as probes searching for access points Kismet Freeware wireless sniffer and monitor – passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds Wellenreiter Freeware WLAN discovery tool – Uses brute force to identify low traffic access points; hides your real MAC; integrates with GPS THC-RUT Freeware WLAN discovery tool – Uses brute force to identify low traffic access points; “your first knife on a foreign network” Ethereal Freeware WLAN analyzer – interactively browse the capture data, viewing summary and detail information for all observed wireless traffic WEPCrack Freeware encryption breaker – Cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling AirSnort Freeware encryption breaker – passively monitoring transmissions, computing the encryption key when enough packets have been gathered HostAP Converts a WLAN station to function as an access point; (Available for WLAN cards that are based on Intersil's Prism2/2.5/3 chipset)





• Antennas: To connect with WLANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or built easily with cans or cylinders found in a kitchen cupboard and can pick up 802.11 signals from up to 2,000 feet away. The intruders can be in the parking lot or completely out of site.


• Breaking encryption tools: The industry's initial encryption technology, Wired Equivalent Privacy (WEP), was quickly broken by published tools WEPCrack and AirSnort, which exploit vulnerabilities in the WEP encryption algorithm. WEPCrack and AirSnort passively observe WLAN traffic until they collect enough data to recognize repetitions and break the encryption key.


• Breaking 802.1x authentication tools: The next step in the evolution of WLAN security was the introduction of 802.1x for port-based authentication. However, University of Maryland professor William Arbaugh published a research paper in February 2002 that demonstrated how the newly proposed security standard can be defeated. The IEEE is now working on a new standard, 802.11i, which is expected to be ratified in 2004.


• War driving tools: To locate the physical presence of WLANs, hackers developed scanning and probing tools that introduced the concept of "war driving" -- driving around a city in a car to discover unprotected WLANs. User-friendly Windows-based freeware tools, such as Netstumbler, probe the airwaves in search of access points that broadcasted their service set identifiers (SSID) and offer easy ways to find open networks. More advanced tools, such as Kismet, were then introduced on Linux systems to passively monitor wireless traffic. Both Netstumbler and Kismet work in tandem with a Global Positioning System to map exact locations of the identified WLANs. These maps and data are posted on Web sites such as www.wigle.net and www.wifinder.com where wireless freeloaders and other hackers can locate these open networks.

One of the best ways to study what kind of attacks you can expect and what tools attackers will use is to study what happens at DefCon. At DefCon X in August 2002, AirDefense surveyed the WLAN at the Las Vegas convention for two hours and identified more than 10 previously undocumented methods for wireless attacks. That information showed us that hackers had become a lot more creative in learning how to manipulate 802.11. The result was a new flavors of denial-of-service attacks, identity thefts and man-in-the-middle attacks.

During the two hours of monitoring the conference's WLAN, AirDefense identified eight sanctioned access points, 35 rogue access points and more than 800 different station addresses.

AirDefense's 802.11 security experts estimated that 200 to 300 of the station addresses were fakes because roughly 350 people were in the WLAN network room at a single time.

AirDefense discovered 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours.