From Wikipedia, the free encyclopedia - View original article
Cracking of wireless networks is the defeating of security devices in Wireless local-area networks. Wireless local-area networks(WLANs) – also called Wi-Fi networks are inherently vulnerable to security lapses that wired networks are exempt from.
Cracking is a kind of information network attack that is akin to a direct intrusion. There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by weak encryption.
802.11 networks use data frames, management frames, and control frames. Data frames convey the real data, and are similar to those of Ethernet. Management frames maintain both network configuration and connectivity. Control frames manage access to the ether and prevent access points and clients from interfering with each other in the ether. Some information on management frames will be helpful to better understand what programs for reconnaissance do.
Wardriving is a common method of wireless network reconnaissance. A well-equipped wardriver uses a laptop computer with a wireless card, an antenna mounted on the car, a power inverter, a connected GPS receiver, and can connect to the internet wirelessly. The purpose of wardriving is to locate a wireless network and to collect information about its configuration and associated clients.
The laptop computer and the wireless card must support a mode called monitor or rfmon.
Netstumbler is a network discovery program for Windows. It is free and easy to use. Netstumbler has become one of the most popular programs for wardriving and wireless reconnaissance, although it has a disadvantage. It can be detected easily by most wireless intrusion detection systems, because it actively probes a network to collect information. Netstumbler has integrated support for a GPS unit. With this support, Netstumbler displays GPS coordinate information next to the information about each discovered network, which can be useful for finding specific networks again after having sorted out collected data.
inSSIDer is a Wi-Fi network scanner for the 32-bit and 64-bit versions of Windows XP, Vista, 7, Windows 8 and Android. It is free and open source. The software uses the current wireless card or a wireless USB adapter and supports most GPS devices (namely those that use NMEA 2.3 or higher). Its graphical user interface shows MAC address, SSID, signal strength, hardware brand, security, and network type of nearby Wi-Fi networks. It can also track the strength of the signals and show them in a time graph.
Kismet is a wireless network traffic analyser for OS X, Linux, OpenBSD, NetBSD, and FreeBSD. It is free and open source. Kismet has become the most popular program for serious wardrivers. It offers a rich set of features, including deep analysis of captured traffic.
Wireshark is a packet sniffer and network traffic analyser that can run on all popular operating systems, but support for the capture of wireless traffic is limited. It is free and open source. Decoding and analysing wireless traffic is not the foremost function of Wireshark, but it can give results that cannot be obtained with other programs. Wireshark requires sufficient knowledge of the network protocols to obtain a full analysis of the traffic, however.
AirMagnet Laptop Analyser and AirMagnet Handheld Analyser are wireless network analysis tools made by AirMagnet. The company started with the Handheld Analyser, which was very suitable for surveying sites where wireless networks were deployed as well as for finding rogue access points. The Laptop Analyser was released because the hand-held product was impractical for the reconnaissance of wide areas. These commercial analysers probably offer the best combination of powerful analysis and simple user interface. However, they are not as well adapted to the needs of a wardriver as some of the free programs.
Airopeek is a packet sniffer and network traffic analyser made by Wildpackets. This commercial program supports Windows and works with most wireless network interface cards. It has become the industrial standard for capturing and analysing wireless traffic. However, like Wireshark, Airopeek requires thorough knowledge of the protocols to use it to its ability.
KisMac is a program for the discovery of wireless networks that runs on the OS X operating system. The functionality of KisMac includes GPS support with mapping, SSID decloaking, deauthentication attacks, and WEP cracking.
There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by poor encryption. Poor configuration causes many vulnerabilities. Wireless networks are often put into use with no or insufficient security settings. With no security settings – the default configuration – access is obtained simply by association. With insufficient security settings as cloaking and/or MAC address filtering, security is easily defeated. Poor encryption causes the remaining vulnerabilities. Wired Equivalent Privacy (WEP) is defective and can be defeated in several ways. Wi-Fi Protected Access (WPA) and Cisco's Lightweight Extensible Authentication Protocol (LEAP) are vulnerable to dictionary attacks.
|This article's factual accuracy may be compromised due to out-of-date information. (January 2013)|
WEP was the encryption standard firstly available for wireless networks. It can be deployed in 64 and 128 bit strength. 64 bit WEP has a secret key of 40 bits and an initialisation vector of 24 bits, and is often called 40 bit WEP. 128 bit WEP has a secret key of 104 bits and an initialisation vector of 24 bits, and is called 104 bit WEP. Association is possible using a password, an ASCII key, or a hexadecimal key. There are two methods for cracking WEP: the FMS attack and the chopping attack. The FMS attack – named after Fluhrer, Mantin, and Shamir – is based on a weakness of the RC4 encryption algorithm . The researchers found that 9000 of the possible 16 million initialisation vectors can be considered weak, and collecting enough of them allows the determination of the encryption key. To crack the WEP key in most cases, 5 million encrypted packets must be captured to collect about 3000 weak initialisation vectors. (In some cases 1500 vectors will do, in some other cases more than 5000 are needed for success.) The weak initialisation vectors are supplied to the Key Scheduling Algorithm (KSA) and the Pseudo Random Generator (PRNG) to determine the first byte of the WEP key. This procedure is then repeated for the remaining bytes of the key. The chopping attack chops the last byte off from the captured encrypted packets. This breaks the Cyclic Redundancy Check/Integrity Check Value (CRC/ICV). When all 8 bits of the removed byte were zero, the CRC of the shortened packet is made valid again by manipulation of the last four bytes. This manipulation is: result = original XOR certain value. The manipulated packet can then be retransmitted. This method enables the determination of the key by collecting unique initialisation vectors. The main problem with both the FMS attack and the chopping attack is that capturing enough packets can take weeks or sometimes months. Fortunately, the speed of capturing packets can be increased by injecting packets into the network. One or more Address Resolution Protocol (ARP) packets are usually collected to this end, and then transmitted to the access point repeatedly until enough response packets have been captured. ARP packets are a good choice because they have a recognizable size of 28 bytes. Waiting for a legitimate ARP packet can take awhile. ARP packets are most commonly transmitted during an authentication process. Rather than waiting for that, sending a deauthentication frame that pushes a client off the network will require that client to reauthenticate. This often creates an ARP packet.
WPA was developed because of the vulnerabilities of WEP. WPA uses either a pre-shared key (WPA-PSK) or is used in combination with a RADIUS server (WPA-RADIUS). For its encryption algorithm, WPA uses either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES). WPA2 was developed because of some vulnerabilities of WPA-PSK and to strengthen the encryption further. WPA2 uses both TKIP and AES, and requires not only an encryption piece but also an authentication piece. A form of the Extensible Authentication Protocol (EAP) is deployed for this piece. WPA-PSK can be attacked when the PSK is shorter than 21 characters. Firstly, the four-way EAP Over LAN (EAPOL) handshake must be captured. This can be captured during a legitimate authentication, or a reauthentication can be forced by sending deauthentication packets to clients. Secondly, each word of a word-list must be hashed with the Hashed Message Authentication Code – Secure Hash Algorithm 1 and two so called nonce values, along with the MAC address of the client that asked for authentication and the MAC address of the access point that gave authentication. Word-lists can be found at. LEAP uses a variation of Microsoft Challenge Handshake Protocol version 2 (MS-CHAPv2). This handshake uses the Data Encryption Standard (DES) for key selection. LEAP can be cracked with a dictionary attack. The attack involves capturing an authentication sequence and then comparing the last two bytes of a captured response with those generated with a word-list. WPA-RADIUS cannot be cracked. However, if the RADIUS authentication server itself can be cracked, then the whole network is imperilled. The security of authentication servers is often neglected. WPA2 can be attacked by using the WPA-PSK attack, but is largely ineffective.
Aircrack-ng runs on Windows and Linux, and can crack WEP and WPA-PSK. It can use the Pychkine-Tews-Weinmann and KoreK attacks, both are statistical methods that are more efficient than the traditional FMS attack. Aircrack-ng consists of components. Airmon-ng configures the wireless network card. Airodump-ng captures the frames. Aireplay-ng generates traffic. Aircrack-ng does the cracking, using the data collected by airodump-ng. Finally, airdecap-ng decrypts all packets that were captured. Thus, aircrack-ng is the name of the suite and also of one of the components.
CoWPAtty automates the dictionary attack for WPA-PSK. It runs on Linux. The program is started using a command-line interface, specifying a word-list that contains the passphrase, a dump file that contains the four-way EAPOL handshake, and the SSID of the network.
Void11 is a program that deauthenticates clients. It runs on Linux.
MAC address filtering can be used alone as an ineffective security measure, or in combination with encryption. The attack is determining an allowed MAC address, and then changing the MAC address of the attacker to that address. EtherChange is one of the many programs available to change the MAC address of network adapters. It runs on Windows.
Penetration testing of a wireless network is often a stepping stone for penetration testing of the internal network. The wireless network then serves as a so-called entry vector. If WPA-RADIUS is in use at a target site, another entry vector must be investigated.
Finding relevant and reachable IP addresses is the objective of the reconnaissance phase of attacking an organization over the Internet. The relevant IP addresses are determined by collecting as many DNS host names as possible and translating them to IP addresses and IP address ranges. This is called footprinting.
A search engine is the key for finding as much information as possible about a target. In many cases, organizations do not want to protect all their resources from internet access. For instance, a web server must be accessible. Many organizations additionally have email servers, FTP servers, and other systems that must be accessible over the internet. The IP addresses of an organization are often grouped together. If one IP address has been found, the rest probably can be found around it.
Name servers store tables that show how domain names must be translated to IP addresses and vice versa. With Windows, the command NSLookup can be used to query DNS servers. When the word help is entered at NSLookup's prompt, a list of all commands is given. With Linux, the command dig can be used to query DNS servers. It displays a list of options when invoked with the option -h only. And the command host reverses IP addresses to hostnames. The program nmap can be used as a reverse DNS walker: nmap -sL 184.108.40.206-30 gives the reverse entries for the given range.
ARIN, RIPE, APNIC, LACNIC, and AFRINIC are the five Regional Internet Registries that are responsible for the assignment and registration of IP addresses. All have a website with which their databases can be searched for the owner of an IP address. Some of the Registries respond to a search for the name of an organization with a list of all IP address ranges that are assigned to the name. However, the records of the Registries are not always correct and are in most cases useless.
Probably most computers with access to the internet receive their IP address dynamically by DHCP. This protocol has become more popular over the last years because of a decrease of available IP addresses and an increase of large networks that are dynamic. DHCP is particularly important when many employees take a portable computer from one office to another. The router/firewall device that people use at home to connect to the internet probably also functions as a DHCP server.
Nowadays many router/DHCP devices perform Network Address Translation (NAT). The NAT device is a gateway between the local network and the internet. Seen from the internet, the NAT device seems to be a single host. With NAT, the local network can use any IP address space. Some IP address ranges are reserved for private networks. These ranges are typically used for the local area network behind a NAT device, and they are: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255.
The relevant IP addresses must be narrowed down to those that are reachable. For this purpose, the process of scanning enters on the scene.
Once access to a wireless network has been gained, it is helpful to determine the network's topology, including the names of the computers connected to the network. The excellent program Nmap can be used for this, which is available in a Windows and a Linux version. However, Nmap does not provide the user with a network diagram. The network scanner Network View that runs on Windows does. The program asks for one IP address or an IP address range. When the program has finished scanning, it displays a map of the network using different pictures for routers, workstations, servers, and laptops, all with their names added.
The most direct method for finding hosts on a LAN is using the program ping. When using a modern flavour of Unix, shell commands can be combined to produce custom ping-sweeps. When using Windows, the command-line can also be used to create a ping-sweep. Examples are given in the reference.
Ping-sweeps are also known as host scans. Nmap can be used for a host scan when the option -sP is added: nmap -n -sP 10.160.9.1-30 scans the first 30 addresses of the subnet 10.160.9, where the -n option prevents reverse DNS lookups.
Ping packets could reliably determine whether a computer was on line at a specified IP address. Nowadays these ICMP echo request packets are sometimes blocked by the firewall of an operating system. Although Nmap also probes TCP port 80, specifying more TCP ports to probe is recommended when pings are blocked. Consequently, nmap -sP -PS21,22,23,25,80,139,445,3389 10.160.9.1-30 can achieve better results. And by combining various options as in nmap -sP -PS21,22,23,25,80,135,139,445,1025,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM 10.160.9.1-30, superb host scanning is achieved.
Nmap is available for Windows and most Unix operating systems, and offers graphical and command-line interfaces.
The purpose of port scanning is finding the open ports on the computers that were found with a host scan. When a port scan is started on a network without making use of the results of a host scan, much time is wasted when many IP addresses in the address range are vacant.
Most programs that communicate over the internet use either the TCP or the UDP protocol. Both protocols support 65536 so called ports that programs can choose to bind to. This allows programs to run concurrently on one IP address. Most programs have default ports that are most often used. For example, HTTP servers commonly use TCP port 80.
Network scanners try to connect to TCP or UDP ports. When a port accepts a connection, it can be assumed that the commonly bound program is running.
TCP connections begin with a SYN packet being sent from client to server. The server responds with a SYN/ACK packet. Finally, the client sends an ACK packet. When the scanner sends a SYN packet and gets the SYN/ACK packet back, the port is considered open. When a RST packet is received instead, the port is considered closed. When no response is received the port is either considered filtered by a firewall or there is no running host at the IP address.
Scanning UDP ports is more difficult because UDP does not use handshakes and programs tend to discard UDP packets that they cannot process. When an UDP packet is sent to a port that has no program bound to it, an ICMP error packet is returned. That port can then be considered closed. When no answer is received, the port can be considered either filtered by a firewall or open. Many people abandoned UDP scanning because simple UDP scanners cannot distinguish between filtered and open ports.
Although it is most thorough to scan all 65536 ports, this would take more time than scanning only the most common ports. Therefore, Nmap scans 1667 TCP ports by default (in 2007).
The -p option instructs Nmap to scan specified ports, as in nmap -p 21-25,80,100-160 10.150.9.46. Specifying TCP and UDP ports is also possible, as in nmap -pT:21-25,80,U:5000-5500 10.150.9.46.
Nmap always requires the specification of a host or hosts to scan. A single host can be specified with an IP address or a domain name. Multiple hosts can be specified with IP address ranges. Examples are 220.127.116.11, www.company.com, and 10.1.50.1-5,250-254.
Nmap performs a TCP SYN scan by default. In this scan, the packets have only their SYN flag set. The -sS option specifies the default explicitly. When Nmap is started with administrator privileges, this default scan takes effect. When Nmap is started with user privileges, a connect scan is performed.
The -sT option instructs Nmap to establish a full connection. This scan is inferior to the previous because an additional packet must be sent and logging by the target is more likely. The connect scan is performed when Nmap is executed with user privileges or when IPv6 addresses are scanned.
The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, a RST packet is sent in return. When the TCP port is open or filtered, there is no response. The null scan can often bypass a stateless firewall, but is not useful when a stateful firewall is employed.
The -sU option instructs Nmap to send UDP packets with no data. When an ICMP error is returned, the port can be assumed closed. When no response is received, the port can be assumed open or filtered. No differentiation between open and filtered ports is a severe limitation.
The -sU -sV options instruct Nmap to use application data for application identification. This combination of options can lead to very slow scanning.
When packets are sent to a network faster than it can cope with they will be dropped. This leads to inaccurate scanning results. When an intrusion detection system or intrusion prevention system is present on the target network, detection becomes more likely as speed increases. Many IPS devices and firewalls respond to a storm of SYN packets by enabling SYN cookies that make appear every port to be open. Full speed scans can even wreak havoc on stateful network devices.
Nmap provides five templates for adjusting speed and also adapts itself. The -T0 option makes it wait for 5 minutes before the next packet is sent, the -T1 option makes it wait for 15 seconds, -T2 inserts 0.4 seconds, -T3 is the default (which leaves timing settings unchanged), -T4 reduces time-outs and retransmissions to speed things up slightly, and -T5 reduces time-outs and retransmissions even more to speed things up significantly. Modern IDS/IPS devices can detect scans that use the -T1 option. The user can also define a new template of settings and use it instead of a provided one.
The -sV option instructs Nmap to also determine the version of a running application.
The -O option instructs Nmap to try to determine the operating systems of the targets. Specially crafted packets are sent to open and closed ports and the responses are compared with a database.
A vulnerability is a bug in an application program that affects security. They are made public on places such as the BugTraq and the Full-Disclosure mailing lists. The Computer Emergency Response Team (CERT) brings out a statistical report every year. There were 8064 vulnerabilities counted in 2006 alone.
Vulnerability scanning is determining whether known vulnerabilities are present on a target.
Nessus is probably the best known vulnerability scanner. It is free and has versions for Windows, OS X, Linux, and FreeBSD. Nessus uses plug-ins to find vulnerabilities by sort. Updated plug-ins are regularly released.
Nessus offers a non-intrusive scan, an intrusive scan that can harm the target, and a custom scan. A scan requires the IP addresses or domain names of the targets. Nessus begins with a port scan to identify the programs that are running and the operating systems of the targets. It ends with a report that specifies all open ports and their associated vulnerabilities.
Nikto is a web scanner that can identify vulnerable applications and dangerous files. It is open source software and has versions for Windows and Linux. The program uses a command-line interface of the operating system.
An exploit takes advantage of a bug in an application. This can take effect in the execution of arbitrary commands by inserting them in the execution path of the program. Escalation of privileges, bypass of authentication, or infringement of confidentiality can be the result.
The Metasploit framework was released in 2003. This framework provided for the first time:
The basic procedure of using Metasploit is: choose an exploit, choose a payload, set the IP address and port of the target, start the exploit, evaluate, and stop or repeat the procedure.
Metasploit 3.0 provides the following payloads:
VNC connections need a relatively large bandwidth to be usable, and if someone is in front of the compromised computer then any interaction will be seen very quickly. The command-line interfaces of Linux and OS X are powerful, but that of Windows is not. The Meterpreter payload remedies these shortcomings. The reference gives a list of Meterpreter commands.
The ultimate gratification for a network intruder always is to obtain administrator privileges for a network. When an intruder is inside, one of his or her first undertakings is often to install a so-called rootkit on a target computer. This is a collection of programs to facilitate durable influence on a system. Some of these programs are used to compromise new user accounts or new computers on the network. Other programs are to obscure the presence of the intruder. These obscuring programs may include false versions of standard network utilities such as netstat, or programs that can remove all data from the log files of a computer that relate to the intruder. Yet other programs of a rootkit may be used to survey the network or to overhear more passwords that are travelling over it. Rootkits may also give the means to change the very operating system of the computer it is installed on.
The network intruder then proceeds with creating one or more so called back doors. These are access provisions that are hard to find for system administrators, and they serve to prevent the logging and monitoring that results from normal use of the network. A back door may be a concealed account or an account of which the privileges have been escalated. Or it may be a utility for remote access, such as Telnet, that has been configured to operate with a port number that is not customary.
The network intruder then proceeds with stealing files, or stealing credit card information, or preparing a computer to send spam emails at will. Another goal is to prepare for the next intrusion. A cautious intruder is protective against discovery of his or her location. The method of choice is to use a computer that already has been attacked as an intermediary. Some intruders use a series of intermediate computers, making it impracticable to locate them.
The purpose of a back door is to maintain a communication channel and having methods to control a host that has been gained entry to. These methods include those for file transfer and the execution of programs. It is often important to make sure that the access or communication remains secret. And access control is desirable in order to prevent others from using the back door.
Back Orifice 2000 was designed as a back door. The server runs on Windows, and there are clients for Windows, Linux and other operating systems. The server is configured easily with a utility. After configuration, the server needs to be uploaded to the target and then started. Back Orifice 2000 supports file transfer, file execution, logging of keystrokes, and control of connections. There is also an AES plug-in for traffic encryption and an STCPIO plug-in for further obfuscation of the traffic. The first plug-in adds security and the combination of these plug-ins makes it much harder for an IDS to relate the traffic to a back door. More information can be found at http://www.bo2k.com.
Rootkits specialize in hiding themselves and other programs.
Hacker Defender (hxdef) is an open source rootkit for Windows. It can hide its files, its process, its registry entries, and its port in multiple DLLs. Although it has a simple command-line interface as a back door, it is often better to use its ability to hide a more appropriate tool.
An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop or start using the network. Therefore, the IEEE 802.11 standard for wireless networks was accompanied with Wired Equivalent Privacy (WEP). This security protocol takes care of the following:
WEP has been criticized by security experts. Most experts regard it as ineffective by now.
In 2004 a draft for a better security protocol appeared, and it was included in the IEEE 802.11 standard in 2007. This new protocol, WPA2, uses an AES block cipher instead of the RC4 algorithm and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.
Many wireless routers also support controlling the MAC addresses of computers that are authorized to use a wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped. MAC filtering can be attacked because a MAC address can be faked easily.
In the past, turning off the broadcasting of the SSID has also been thought to give security to a wireless network. This is not the case however. Freely available tools exist that quickly discover an SSID that is not broadcast. Microsoft has also determined that switching off the broadcasting of the SSID leads to less security. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.
Returning to encryption, the WEP specification at any encryption strength is unable to withstand determined hacking. Therefore, Wi-Fi Protected Access (WPA) was derived from WEP. Software upgrades are often available. The latest devices that conform to the 802.11g or 802.11n standards also support WPA2. (WPA uses the TKIP encryption, WPA2 uses the stronger AES method.) It is recommended to use only hardware that supports WPA or WPA2.
A network scanner or sniffer is an application program that makes use of a wireless network interface card. It repeatedly tunes the wireless card successively to a number of radio channels. With a passive scanner this pertains only to the receiver of the wireless card, and therefore the scanning cannot be detected.
An attacker can obtain a considerable amount of information with a passive scanner, but more information may be obtained by sending crafted frames that provoke useful responses. This is called active scanning or probing. Active scanning also involves the use of the transmitter of the wireless card. The activity can therefore be detected and the wireless card can be located.
Detection is possible with an intrusion detection system for wireless networks, and locating is possible with suitable equipment.
Wireless intrusion detection systems are designed to detect anomalous behaviour. They have one or more sensors that collect SSIDs, radio channels, beacon intervals, encryption, MAC addresses, transmission speeds, and signal-to-noise ratios. Wireless intrusion detection systems maintain a registry of MAC addresses with which unknown clients are detected.
Making use of someone else's wireless access point or wireless router to connect to the internet – without the owner's consent in any way – is not punishable by criminal law in The Netherlands. This is true even if the device uses some form of access protection. To penetrate someone else's computer without the owner's consent is punishable by criminal law though.
There is consensus that computer attackers can be divided in the following groups.
The term hacker was originally used for someone who could modify a computer for his or her own purposes. Hacking is a term that refers to an intrusion combined with direct alteration of the security or data structures of the breached system. The word hacking is often confused with cracking in popular media discourse, and obfuscates the fact that hacking is less about eavesdropping and more related to interference and alteration. However, because of the consistent abuse by the news media, in 2007 the term hacker was commonly used for someone who accesses a network or a computer without authorization of the owner.
In 2011, Collins Dictionary stated that the word hacker can mean a computer fanatic, in particular one who by means of a personal computer breaks into the computer system of a company, government, or the like. It also denoted that in that sense the word hacker is slang. Slang words are not appropriate in formal writing or speech.
Computer experts reserve the word hacker for a very clever programmer. They call someone who breaks into computers an intruder, attacker, or cracker.