Item Barcode | Call Number | Material Type | Item Category 1 |
---|---|---|---|
30000010141236 | TK5103.2 W38 2007 | Open Access Book | Book |
Summary
Wireless networking has become standard in many business and government networks. This is the first book that focuses on the methods used by professionals to perform WarDriving and wireless penetration testing.
Unlike other wireless networking and security books that have been published in recent years, this book is geared primarily to those individuals that are tasked with performing penetration testing on wireless networks. This book continues in the successful vein of books for penetration testers such as Google Hacking for Penetration Testers and Penetration Tester's Open Source Toolkit. Additionally, the methods discussed will prove invaluable for network administrators tasked with securing wireless networks. By understanding the methods used by penetration testers and attackers in general, these administrators can better define the strategies needed to secure their networks.
Author Notes
Chris Hurley is a Senior Penetration Tester working in the Washington, DC
Frank Thornton is the President and CEO of Blackthorn Systems
Russ Rogers is the President and CEO of Security Horizon, Inc.
Daniel Connelly is a Penetration Tester working for a federal agency in the Washington, DC
Brian Baker is a Penetration Tester working in the Washington, DC
Table of Contents
Chapter 1 Introduction to WarDriving and Penetration Testing | p. 1 |
Introduction | p. 2 |
WarDriving | p. 2 |
The Origins of WarDriving | p. 3 |
Definition | p. 3 |
The Terminology History of WarDriving | p. 3 |
WarDriving Misconceptions | p. 4 |
The Truth about WarDriving | p. 4 |
The Legality of WarDriving | p. 5 |
Tools of the Trade or "What Do I Need?" | p. 5 |
Getting the Hardware | p. 6 |
The Laptop Setup | p. 6 |
The PDA or Handheld Setup | p. 7 |
Choosing a Wireless NIC | p. 8 |
Types of Wireless NICs | p. 9 |
Other Cards | p. 11 |
External Antennas | p. 11 |
Connecting Your Antenna to Your Wireless NIC | p. 12 |
GPS | p. 13 |
Putting It All Together | p. 14 |
Disabling the Transmission Control Protocol/Internet Protocol Stack in Windows | p. 15 |
Disabling the TCP/IP Stack on an iPAQ | p. 17 |
A Brief History of Wireless Security | p. 19 |
Penetration Testing | p. 20 |
Understanding WLAN Vulnerabilities | p. 21 |
Penetration Testing Wireless Networks | p. 21 |
Target Identification | p. 22 |
Attacks | p. 23 |
Tools for Penetration Testing | p. 25 |
Conclusion and What to Expect From this Book | p. 26 |
Solutions Fast Track | p. 27 |
Frequently Asked Questions | p. 29 |
Chapter 2 Understanding Antennas and Antenna Theory | p. 31 |
Introduction | p. 32 |
Wavelength and Frequency | p. 32 |
Terminology and Jargon | p. 35 |
Radio Signal | p. 36 |
Noise | p. 36 |
Decibels | p. 37 |
Gain | p. 39 |
Attenuation | p. 39 |
Signal-to-noise Ratio | p. 40 |
Multipath | p. 40 |
Diversity | p. 40 |
Impedance | p. 41 |
Polarization | p. 41 |
Cable | p. 42 |
Connectors | p. 43 |
Differences Between Antenna Types | p. 43 |
Omnidirectional Antennas | p. 44 |
Omnidirectional Signal Patterns | p. 44 |
Directional Antennas | p. 46 |
Directional Antenna Types | p. 47 |
Grid | p. 47 |
Panel | p. 48 |
Waveguide | p. 48 |
Bi-Quad | p. 49 |
Yagi Antenna | p. 50 |
Directional Signal Patterns | p. 53 |
Other RF Devices | p. 53 |
RF Amplifiers | p. 53 |
Attenuators | p. 54 |
How to Choose an Antenna for WarDriving or Penetration Testing | p. 55 |
WarDriving Antennas | p. 56 |
Security Audit/Rogue Hunt and Open Penetration Testing | p. 57 |
"Red Team" Penetration Test | p. 57 |
Where to Purchase WiFi Antennas | p. 58 |
Summary | p. 59 |
Solutions Fast Track | p. 59 |
Frequently Asked Questions | p. 60 |
Chapter 3 WarDriving With Handheld Devices and Direction Finding | p. 63 |
Introduction | p. 64 |
WarDriving with a Sharp Zaurus | p. 64 |
Installing and Configuring Kismet | p. 65 |
Configuring the Wireless Card to Work with Kismet | p. 69 |
Starting Kismet on the Zaurus | p. 72 |
Using a GPS with the Zaurus | p. 73 |
Starting GPSD | p. 75 |
Using a Graphical Front End with Kismet | p. 76 |
Using an External WiFi Card with a Zaurus | p. 78 |
WarDriving with MiniStumbler | p. 79 |
Wireless Ethernet Cards that Work with MiniStumbler | p. 80 |
MiniStumbler Installation | p. 81 |
Running MiniStumbler | p. 82 |
MiniStumbler Menus and Tool Icons | p. 85 |
Using a GPS with MiniStumbler | p. 86 |
Direction Finding with a Handheld Device | p. 87 |
Summary | p. 90 |
Solutions Fast Track | p. 91 |
Frequently Asked Questions | p. 92 |
Chapter 4 WarDriving and Penetration Testing with Windows | p. 93 |
Introduction | p. 94 |
WarDriving with NetStumbler | p. 94 |
How NetStumbler Works | p. 94 |
NetStumbler Installation | p. 96 |
Running NetStumbler | p. 99 |
NetStumbler Menus and Tool Icons | p. 105 |
Toolbar Icons | p. 107 |
Wireless Penetration Testing with Windows | p. 108 |
AirCrack-ng | p. 109 |
Determining Network Topology | p. 112 |
Network View | p. 112 |
Summary | p. 117 |
Solutions Fast Track | p. 117 |
Frequently Asked Questions | p. 118 |
Chapter 5 WarDriving and Penetration Testing with Linux | p. 119 |
Introduction | p. 120 |
Preparing Your System to WarDrive | p. 120 |
Preparing the Kernel | p. 120 |
Preparing the Kernel for Monitor Mode | p. 120 |
Preparing the Kernel for a Global Positioning System | p. 123 |
Installing the Proper Tools | p. 124 |
Installing Kismet | p. 125 |
Installing GPSD | p. 126 |
Configuring Your System to WarDrive | p. 127 |
WarDriving with Linux and Kismet | p. 131 |
Starting Kismet | p. 131 |
Using the Kismet Interface | p. 133 |
Understanding the Kismet Options | p. 133 |
Using a Graphical Front End | p. 137 |
Wireless Penetration Testing Using Linux | p. 138 |
WLAN Discovery | p. 140 |
WLAN Discovery Using Public Source Information | p. 140 |
WLAN Encryption | p. 141 |
Attacks | p. 141 |
Attacks Against WEP | p. 141 |
Attacks Against WPA | p. 142 |
Attacks Against LEAP | p. 143 |
Attacking the Network | p. 144 |
MAC Address Spoofing | p. 144 |
Deauthentication with Void11 | p. 145 |
Cracking WEP with the Aircrack Suite | p. 146 |
Cracking WPA with the CoWPAtty | p. 148 |
Association with the Target Network | p. 148 |
Summary | p. 150 |
Solutions Fast Track | p. 151 |
Frequently Asked Questions | p. 152 |
Chapter 6 WarDriving and Wireless Penetration Testing with OS X | p. 153 |
Introduction | p. 154 |
WarDriving with KisMAC | p. 154 |
Starting KisMAC and Initial Configuration | p. 154 |
Configuring the KisMAC Preferences | p. 155 |
Scanning Options | p. 156 |
Filter Options | p. 156 |
Sound Preferences | p. 157 |
Traffic | p. 160 |
KisMAC Preferences | p. 160 |
Mapping WarDrives with KisMAC | p. 162 |
Importing a Map | p. 162 |
WarDriving with KisMAC | p. 166 |
Using the KisMAC Interface | p. 167 |
Penetration Testing with OS X | p. 170 |
Attacking WLAN Encryption with KisMAC | p. 171 |
Attacking WEP with KisMAC | p. 171 |
Reinjection | p. 173 |
Attacking WPA with KisMAC | p. 174 |
Other Attacks | p. 175 |
Bruteforce Attacks Against 40-bit WEP | p. 175 |
Wordlist Attacks | p. 175 |
Other OS X Tools for WarDriving and WLAN Testing | p. 176 |
Summary | p. 178 |
Solutions Fast Track | p. 178 |
Frequently Asked Questions | p. 180 |
Chapter 7 Wireless Penetration Testing Using a Bootable Linux Distribution | p. 183 |
Introduction | p. 184 |
Core Technologies | p. 185 |
WLAN Discovery | p. 185 |
Choosing the Right Antenna | p. 186 |
WLAN Encryption | p. 187 |
WEP | p. 188 |
WPA/WPA2 | p. 188 |
EAP | p. 189 |
VPN | p. 189 |
Attacks | p. 189 |
Attacks Against WEP | p. 189 |
Attacks Against WPA | p. 191 |
Attacks Against LEAP | p. 191 |
Attacks Against VPN | p. 192 |
Open Source Tools | p. 193 |
Footprinting Tools | p. 193 |
Intelligence Gathering Tools | p. 194 |
User's Network Newsgroups | p. 194 |
Google (Internet Search Engines) | p. 194 |
Scanning Tools | p. 195 |
Wellenreiter | p. 195 |
Kismet | p. 198 |
Enumeration Tools | p. 200 |
Vulnerability Assessment Tools | p. 201 |
Exploitation Tools | p. 203 |
MAC Address Spoofing | p. 203 |
Deauthentication with Void11 | p. 203 |
Cracking WEP with the Aircrack Suite | p. 205 |
Cracking WPA with CoWPAtty | p. 208 |
Case Study | p. 208 |
Case Study: Cracking WEP | p. 209 |
Case Study: Cracking WPA-PSK | p. 212 |
Further Information | p. 214 |
Additional GPSMap Map Servers | p. 215 |
Solutions Fast Track | p. 215 |
Frequently Asked Questions | p. 217 |
Chapter 8 Mapping WarDrives | p. 219 |
Introduction | p. 220 |
Using the Global Positioning System Daemon with Kismet | p. 220 |
Installing GPSD | p. 220 |
Starting GPSD | p. 223 |
Starting GPSD with Serial Data Cable | p. 223 |
Starting GPSD with USB Data Cable | p. 225 |
Configuring Kismet for Mapping | p. 226 |
Enabling GPS Support | p. 226 |
Mapping WarDrives with GPSMAP | p. 227 |
Creating Maps with GPSMAP | p. 227 |
Mapping WarDrives with StumbVerter | p. 231 |
Installing StumbVerter | p. 231 |
Generating a Map With StumbVerter | p. 235 |
Exporting NetStumbler Files for Use with StumbVerter | p. 235 |
Importing Summary Files to MapPoint with StumbVerter | p. 237 |
Saving Maps with StumbVerter | p. 242 |
Summary | p. 244 |
Solutions Fast Track | p. 245 |
Frequently Asked Questions | p. 246 |
Chapter 9 Using Man-in-the-Middle Attacks to Your Advantage | p. 247 |
Introduction | p. 248 |
What is a MITM Attack? | p. 248 |
MITM Attack Design | p. 248 |
The Target-AP(s) | p. 248 |
The Victim-Wireless Client(s) | p. 248 |
The MITM Attack Platform | p. 249 |
MITM Attack Variables | p. 249 |
Hardware for the Attack-Antennas, Amps, WiFi Cards | p. 250 |
The Laptop | p. 251 |
Wireless Network Cards | p. 251 |
Choosing the Right Antenna | p. 252 |
Amplifying the Wireless Signal | p. 253 |
Other Useful Hardware | p. 254 |
Identify and Compromise the Target Access Point | p. 255 |
Identify the Target | p. 255 |
Compromising the Target | p. 255 |
The MITM Attack Laptop Configuration | p. 257 |
The Kernel Configuration | p. 258 |
Obtaining the Kernel Source | p. 258 |
Configure and Build the Kernel | p. 258 |
Setting Up the Wireless Interfaces | p. 261 |
wlan0 - Connecting to the Target Network | p. 261 |
wlan1 - Setting up the AP | p. 261 |
IP Forwarding and NAT Using Iptables | p. 262 |
Installing Iptables and IP Forwarding | p. 263 |
Establishing the NAT Rules | p. 264 |
Dnsmasq | p. 265 |
Installing Dnsmasq | p. 265 |
Configuring Dnsmasq | p. 265 |
Apache Hypertext Preprocessor and Virtual Web Servers | p. 267 |
Clone the Target Access Point and Begin the Attack | p. 269 |
Establish Wireless Connectivity and Verify Services are Started | p. 269 |
Start the Wireless Interface | p. 269 |
Verify Connectivity to the Target Access Point | p. 270 |
Verify Dnsmasq is Running | p. 270 |
Verify Iptables is Started and View the Running Rule Sets | p. 271 |
Deauthenticate Clients Connected to the Target Access Point | p. 272 |
Wait for the Client to Associate to Your Access Point | p. 272 |
Identify Target Web Applications | p. 273 |
Spoof the Application | p. 274 |
Using wget to Download the Target Web Page | p. 274 |
Modify the Page | p. 274 |
Redirect Web Traffic Using Dnsmasq | p. 276 |
Summary | p. 278 |
Solutions Fast Track | p. 278 |
Frequently Asked Questions | p. 281 |
Chapter 10 Using Custom Firmware for Wireless Penetration Testing | p. 283 |
Choices for Modifying the Firmware on a Wireless Access Point | p. 284 |
Software Choices | p. 284 |
Hyper WRT | p. 284 |
DD-WRT | p. 284 |
OpenWRT | p. 284 |
Hardware Choices | p. 285 |
Installing OpenWRT on a Linksys WRT54G | p. 285 |
Downloading the Source | p. 286 |
Installation and How Not to Create a Brick | p. 287 |
Installation via the Linksys Web Interface | p. 288 |
Installation via the TFTP Server | p. 290 |
Command Syntax and Usage | p. 293 |
Configuring and Understanding the OpenWRT Network Interfaces | p. 296 |
Installing and Managing Software Packages for OpenWRT | p. 298 |
Finding and Installing Packages | p. 299 |
Uninstalling Packages | p. 302 |
Enumeration and Scanning from the WRT54G | p. 302 |
Nmap | p. 302 |
Netcat | p. 304 |
Tcpdump | p. 304 |
Installation and Configuration of a Kismet Drone | p. 306 |
Installing the Package | p. 306 |
Configuring the Kismet Drone | p. 307 |
Making the Connection and Scanning | p. 307 |
Installing Aircrack to Crack a WEP Key | p. 310 |
Mounting a Remote File System | p. 310 |
Installing the Aircrack Tools | p. 311 |
Summary | p. 314 |
Solutions Fast Track | p. 315 |
Frequently Asked Questions | p. 318 |
Chapter 11 Wireless Video Testing | p. 319 |
Introduction | p. 320 |
Why Wireless Video? | p. 320 |
Let's Talk Frequency | p. 320 |
Let's Talk Format | p. 320 |
Let's Talk Terms | p. 321 |
Wireless Video Technologies | p. 321 |
Video Baby Monitors | p. 322 |
Security Cameras | p. 324 |
X10.com | p. 324 |
D-Link | p. 325 |
Others | p. 326 |
Tools for Detection | p. 327 |
Finding the Signal | p. 327 |
Scanning Devices | p. 328 |
ICOM IC-R3 | p. 329 |
X10 Accessories | p. 334 |
WCS-99 | p. 336 |
The Spy Finder | p. 338 |
Summary | p. 339 |
Solutions Fast Track | p. 339 |
Frequently Asked Questions | p. 341 |
Appendix A Solutions Fast Track | p. 343 |
Appendix B Device Driver Auditing | p. 361 |
Introduction | p. 362 |
Why Should You Care | p. 363 |
What is a Device Driver? | p. 366 |
Windows | p. 367 |
OS X | p. 367 |
Linux | p. 368 |
Setting Up a Test Environment | p. 368 |
WiFi | p. 369 |
Bluetooth | p. 370 |
Testing the Drivers | p. 371 |
WiFi | p. 372 |
Bluetooth | p. 378 |
Looking to the Future | p. 380 |
Summary | p. 383 |
Index | p. 385 |