Title:
WarDriving and wireless penetration testing
Publication Information:
Rockland, MA : Syngress Publishing, 2007
ISBN:
9781597491112
Call Number:
TK5103.2 W38 2007
Material Type:
Open Access Book

Summary

Wireless networking has become standard in many business and government networks. This is the first book that focuses on the methods used by professionals to perform WarDriving and wireless penetration testing.

Unlike other wireless networking and security books that have been published in recent years, this book is geared primarily to those individuals that are tasked with performing penetration testing on wireless networks. This book continues in the successful vein of books for penetration testers such as Google Hacking for Penetration Testers and Penetration Tester's Open Source Toolkit. Additionally, the methods discussed will prove invaluable for network administrators tasked with securing wireless networks. By understanding the methods used by penetration testers and attackers in general, these administrators can better define the strategies needed to secure their networks.


Author Notes

Chris Hurley is a Senior Penetration Tester working in the Washington, DC
Frank Thornton is the President and CEO of Blackthorn Systems
Russ Rogers is the President and CEO of Security Horizon, Inc.
Daniel Connelly is a Penetration Tester working for a federal agency in the Washington, DC
Brian Baker is a Penetration Tester working in the Washington, DC


Table of Contents

Chapter 1 Introduction to WarDriving and Penetration Testing
Introduction
WarDriving
The Origins of WarDriving
Definition
The Terminology History of WarDriving
WarDriving Misconceptions
The Truth about WarDriving
The Legality of WarDriving
Tools of the Trade or "What Do I Need?"
Getting the Hardware
The Laptop Setup
The PDA or Handheld Setup
Choosing a Wireless NIC
Types of Wireless NICs
Other Cards
External Antennas
Connecting Your Antenna to Your Wireless NIC
GPS
Putting It All Together
Disabling the Transmission Control Protocol/Internet Protocol Stack in Windows
Disabling the TCP/IP Stack on an iPAQ
A Brief History of Wireless Security
Penetration Testing
Understanding WLAN Vulnerabilities
Penetration Testing Wireless Networks
Target Identification
Attacks
Tools for Penetration Testing
Conclusion and What to Expect From this Book
Solutions Fast Track
Frequently Asked Questions
Chapter 2 Understanding Antennas and Antenna Theory
Introduction
Wavelength and Frequency
Terminology and Jargon
Radio Signal
Noise
Decibels
Gain
Attenuation
Signal-to-noise Ratio
Multipath
Diversity
Impedance
Polarization
Cable
Connectors
Differences Between Antenna Types
Omnidirectional Antennas
Omnidirectional Signal Patterns
Directional Antennas
Directional Antenna Types
Grid
Panel
Waveguide
Bi-Quad
Yagi Antenna
Directional Signal Patterns
Other RF Devices
RF Amplifiers
Attenuators
How to Choose an Antenna for WarDriving or Penetration Testing
WarDriving Antennas
Security Audit/Rogue Hunt and Open Penetration Testing
"Red Team" Penetration Test
Where to Purchase WiFi Antennas
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3 WarDriving With Handheld Devices and Direction Finding
Introduction
WarDriving with a Sharp Zaurus
Installing and Configuring Kismet
Configuring the Wireless Card to Work with Kismet
Starting Kismet on the Zaurus
Using a GPS with the Zaurus
Starting GPSD
Using a Graphical Front End with Kismet
Using an External WiFi Card with a Zaurus
WarDriving with MiniStumbler
Wireless Ethernet Cards that Work with MiniStumbler
MiniStumbler Installation
Running MiniStumbler
MiniStumbler Menus and Tool Icons
Using a GPS with MiniStumbler
Direction Finding with a Handheld Device
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4 WarDriving and Penetration Testing with Windows
Introduction
WarDriving with NetStumbler
How NetStumbler Works
NetStumbler Installation
Running NetStumbler
NetStumbler Menus and Tool Icons
Toolbar Icons
Wireless Penetration Testing with Windows
AirCrack-ng
Determining Network Topology
Network View
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 5 WarDriving and Penetration Testing with Linux
Introduction
Preparing Your System to WarDrive
Preparing the Kernel
Preparing the Kernel for Monitor Mode
Preparing the Kernel for a Global Positioning System
Installing the Proper Tools
Installing Kismet
Installing GPSD
Configuring Your System to WarDrive
WarDriving with Linux and Kismet
Starting Kismet
Using the Kismet Interface
Understanding the Kismet Options
Using a Graphical Front End
Wireless Penetration Testing Using Linux
WLAN Discovery
WLAN Discovery Using Public Source Information
WLAN Encryption
Attacks
Attacks Against WEP
Attacks Against WPA
Attacks Against LEAP
Attacking the Network
MAC Address Spoofing
Deauthentication with Void11
Cracking WEP with the Aircrack Suite
Cracking WPA with the CoWPAtty
Association with the Target Network
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6 WarDriving and Wireless Penetration Testing with OS X
Introduction
WarDriving with KisMAC
Starting KisMAC and Initial Configuration
Configuring the KisMAC Preferences
Scanning Options
Filter Options
Sound Preferences
Traffic
KisMAC Preferences
Mapping WarDrives with KisMAC
Importing a Map
WarDriving with KisMAC
Using the KisMAC Interface
Penetration Testing with OS X
Attacking WLAN Encryption with KisMAC
Attacking WEP with KisMAC
Reinjection
Attacking WPA with KisMAC
Other Attacks
Bruteforce Attacks Against 40-bit WEP
Wordlist Attacks
Other OS X Tools for WarDriving and WLAN Testing
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7 Wireless Penetration Testing Using a Bootable Linux Distribution
Introduction
Core Technologies
WLAN Discovery
Choosing the Right Antenna
WLAN Encryption
WEP
WPA/WPA2
EAP
VPN
Attacks
Attacks Against WEP
Attacks Against WPA
Attacks Against LEAP
Attacks Against VPN
Open Source Tools
Footprinting Tools
Intelligence Gathering Tools
User's Network Newsgroups
Google (Internet Search Engines)
Scanning Tools
Wellenreiter
Kismet
Enumeration Tools
Vulnerability Assessment Tools
Exploitation Tools
MAC Address Spoofing
Deauthentication with Void11
Cracking WEP with the Aircrack Suite
Cracking WPA with CoWPAtty
Case Study
Case Study: Cracking WEP
Case Study: Cracking WPA-PSK
Further Information
Additional GPSMap Map Servers
Solutions Fast Track
Frequently Asked Questions
Chapter 8 Mapping WarDrives
Introduction
Using the Global Positioning System Daemon with Kismet
Installing GPSD
Starting GPSD
Starting GPSD with Serial Data Cable
Starting GPSD with USB Data Cable
Configuring Kismet for Mapping
Enabling GPS Support
Mapping WarDrives with GPSMAP
Creating Maps with GPSMAP
Mapping WarDrives with StumbVerter
Installing StumbVerter
Generating a Map With StumbVerter
Exporting NetStumbler Files for Use with StumbVerter
Importing Summary Files to MapPoint with StumbVerter
Saving Maps with StumbVerter
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 9 Using Man-in-the-Middle Attacks to Your Advantage
Introduction
What is a MITM Attack?
MITM Attack Design
The Target-AP(s)
The Victim-Wireless Client(s)
The MITM Attack Platform
MITM Attack Variables
Hardware for the Attack-Antennas, Amps, WiFi Cards
The Laptop
Wireless Network Cards
Choosing the Right Antenna
Amplifying the Wireless Signal
Other Useful Hardware
Identify and Compromise the Target Access Point
Identify the Target
Compromising the Target
The MITM Attack Laptop Configuration
The Kernel Configuration
Obtaining the Kernel Source
Configure and Build the Kernel
Setting Up the Wireless Interfaces
wlan0 - Connecting to the Target Network
wlan1 - Setting up the AP
IP Forwarding and NAT Using Iptables
Installing Iptables and IP Forwarding
Establishing the NAT Rules
Dnsmasq
Installing Dnsmasq
Configuring Dnsmasq
Apache Hypertext Preprocessor and Virtual Web Servers
Clone the Target Access Point and Begin the Attack
Establish Wireless Connectivity and Verify Services are Started
Start the Wireless Interface
Verify Connectivity to the Target Access Point
Verify Dnsmasq is Running
Verify Iptables is Started and View the Running Rule Sets
Deauthenticate Clients Connected to the Target Access Point
Wait for the Client to Associate to Your Access Point
Identify Target Web Applications
Spoof the Application
Using wget to Download the Target Web Page
Modify the Page
Redirect Web Traffic Using Dnsmasq
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 10 Using Custom Firmware for Wireless Penetration Testing
Choices for Modifying the Firmware on a Wireless Access Point
Software Choices
Hyper WRT
DD-WRT
OpenWRT
Hardware Choices
Installing OpenWRT on a Linksys WRT54G
Downloading the Source
Installation and How Not to Create a Brick
Installation via the Linksys Web Interface
Installation via the TFTP Server
Command Syntax and Usage
Configuring and Understanding the OpenWRT Network Interfaces
Installing and Managing Software Packages for OpenWRT
Finding and Installing Packages
Uninstalling Packages
Enumeration and Scanning from the WRT54G
Nmap
Netcat
Tcpdump
Installation and Configuration of a Kismet Drone
Installing the Package
Configuring the Kismet Drone
Making the Connection and Scanning
Installing Aircrack to Crack a WEP Key
Mounting a Remote File System
Installing the Aircrack Tools
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 11 Wireless Video Testing
Introduction
Why Wireless Video?
Let's Talk Frequency
Let's Talk Format
Let's Talk Terms
Wireless Video Technologies
Video Baby Monitors
Security Cameras
X10.com
D-Link
Others
Tools for Detection
Finding the Signal
Scanning Devices
ICOM IC-R3
X10 Accessories
WCS-99
The Spy Finder
Summary
Solutions Fast Track
Frequently Asked Questions
Appendix A Solutions Fast Track
Appendix B Device Driver Auditing
Introduction
Why Should You Care
What is a Device Driver?
Windows
OS X
Linux
Setting Up a Test Environment
WiFi
Bluetooth
Testing the Drivers
WiFi
Bluetooth
Looking to the Future
Summary
Index