The definitive guide to penetrating and defending wireless networks.
Straight from the field, this is the definitive guide to hacking wireless networks. Authored by world-renowned wireless security auditors, this hands-on, practical guide covers everything you need to attack -- or protect -- any wireless network.
The authors introduce the 'battlefield,' exposing today's 'wide open' 802.11 wireless networks and their attackers. One step at a time, you'll master the attacker's entire arsenal of hardware and software tools: crucial knowledge for crackers and auditors alike. Next, you'll learn systematic countermeasures for building hardened wireless 'citadels''including cryptography-based techniques, authentication, wireless VPNs, intrusion detection, and more.
If you're a hacker or security auditor, this book will get you in. If you're a netadmin, sysadmin, consultant, or home user, it will keep everyone else out.
Download the Sample
Chapter related to this title.
1. Real World Wireless Security.
Why Do We Concentrate on 802.11 Security?
Getting a Grip on Reality: Wide Open 802.11 Networks Around Us.
The Future of 802.11 Security: Is It as Bright as It Seems?
2. Under Siege.
Why Are “They” After Your Wireless Network?
Wireless Crackers: Who Are They?
Corporations, Small Companies, and Home Users: Targets Acquired.
Target Yourself: Penetration Testing as Your First Line of Defense.
3. Putting the Gear Together: 802.11 Hardware.
PDAs Versus Laptops.
PCMCIA and CF Wireless Cards.
Selecting or Assessing Your Wireless Client Card Chipset.
Cisco Aironet Chipset.
Other Chipsets That Are Common in Later Models of 802.11-Compatible Devices.
Selecting or Assessing Your Wireless Client Card RF Characteristics.
RF Cables and Connectors.
4. Making the Engine Run: 802.11 Drivers and Utilities.
Operating System, Open Source, and Closed Source.
The Engine: Chipsets, Drivers, and Commands.
Making Your Client Card Work with Linux and BSD.
Getting Used to Efficient Wireless Interface Configuration.
Linux Wireless Extensions.
Cisco Aironet Configuration.
Configuring Wireless Client Cards on BSD Systems.
5. Learning to WarDrive: Network Mapping and Site Surveying.
Active Scanning in Wireless Network Discovery.
Monitor Mode Network Discovery and Traffic Analysis Tools.
Kismet and GpsDrive Integration.
Miscellaneous Command—Line Scripts and Utilities.
BSD Tools for Wireless Network Discovery and Traffic Logging.
Tools That Use the iwlist scan Command.
RF Signal Strength Monitoring Tools.
6. Assembling the Arsenal: Tools of the Trade.
Encryption Cracking Tools.
Tools to Retrieve WEP Keys Stored on the Client Hosts.
Traffic Injection Tools Used to Accelerate WEP Cracking.
802.1x Cracking Tools.
Asleap-imp and Leap.
Wireless Frame-Generating Tools.
Wireless Encrypted Traffic Injection Tools: Wepwedgie.
Access Point Management Utilities.
7. Planning the Attack.
Site Survey Considerations and Planning.
Proper Attack Timing and Battery Power Preservation.
Stealth Issues in Wireless Penetration Testing.
An Attack Sequence Walk-Through.
8. Breaking Through.
The Easiest Way to Get in.
A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering.
Picking a Trivial Lock: Various Means of Cracking WEP.
The FMS Attack.
An Improved FMS Attack.
Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking.
Field Observations in WEP Cracking.
Cracking TKIP: The New Menace.
The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment.
DIY: Rogue Access Points and Wireless Bridges for Penetration Testing.
Hit or Miss: Physical Layer Man-in-the-Middle Attacks.
Phishing in the Air: Man-in-the-Middle Attacks Combined.
Breaking the Secure Safe.
Crashing the Doors: Authentication Systems Attacks.
Tapping the Tunnels: Attacks Against VPNs.
The Last Resort: Wireless DoS Attacks.
1. Physical Layer Attacks or Jamming.
2. Spoofed Deassociation and Deauthentication Frames Floods.
3. Spoofed Malformed Authentication Frame Attack.
4. Filling Up the Access Point Association and Authentication Buffers.
5. Frame Deletion Attack.
6. DoS Attacks Based on Specific Wireless Network Settings.
7. Attacks Against 802.11i Implementations.
9. Looting and Pillaging: The Enemy Inside.
Step 1: Analyze the Network Traffic.
Plaintext Data Transmission and Authentication Protocols.
Network Protocols with Known Insecurities.
DHCP, Routing, and Gateway Resilience Protocols.
Syslog and NTP Traffic.
Protocols That Shouldn’t Be There.
Step 2: Associate to WLAN and Detect Sniffers.
Step 3: Identify the Hosts Present and Perform Passive Operating System Fingerprinting.
Step 4: Scan and Exploit Vulnerable Hosts on WLAN.
Step 5: Take the Attack to the Wired Side.
Step 6: Check Wireless-to-Wired Gateway Egress Filtering Rules.
10. Building the Citadel: An Introduction to Wireless LAN Defense.
Wireless Security Policy: The Cornerstone.
1. Device Acceptability, Registration, Update, and Monitoring.
2. User Education and Responsibility.
3. Physical Security.
4. Physical Layer Security.
5. Network Deployment and Positioning.
6. Security Countermeasures.
7. Network Monitoring and Incident Response.
8. Network Security and Stability Audits.
Layer 1 Wireless Security Basics.
The Usefulness of WEP, Closed ESSIDs, MAC Filtering, and SSH Port Forwarding.
Secure Wireless Network Positioning and VLANs.
Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design.
Deploying a Linux-Based, Custom-Built Hardened Wireless Gateway.
Proprietary Improvements to WEP and WEP Usage.
802.11i Wireless Security Standard and WPA: The New Hope.
Introducing the Sentinel: 802.1x.
Patching the Major Hole: TKIP and CCMP.
11. Introduction to Applied Cryptography:Symmetric Ciphers.
Introduction to Applied Cryptography and Steganography.
Modern-Day Cipher Structure and Operation Modes.
A Classical Example: Dissecting DES.
Kerckhoff’s Rule and Cipher Secrecy.
The 802.11i Primer: A Cipher to Help Another Cipher.
There Is More to a Cipher Than the Cipher: Understanding Cipher Operation Modes.
Bit by Bit: Streaming Ciphers and Wireless Security.
The Quest for AES.
Between DES and AES: Common Ciphers of the Transition Period.
Selecting a Symmetric Cipher for Your Networking or Programming Needs.
12. Cryptographic Data Integrity Protection, Key Exchange, and User Authentication Mechanisms.
Cryptographic Hash Functions.
Dissecting an Example Standard One-Way Hash Function.
Hash Functions, Their Performance, and HMACs.
MIC: Weaker But Faster.
Asymmetric Cryptography: A Different Animal.
The Examples of Asymmetric Ciphers: ElGamal, RSA, and Elliptic Curves.
Practical Use of Asymmetric Cryptography: Key Distribution, Authentication, and Digital Signatures.
13. The Fortress Gates: User Authentication in Wireless Security.
Basics of AAA Framework.
An Overview of the RADIUS Protocol.
Installation of FreeRADIUS.
Response Authenticator Attack.
Password Attribute-Based Shared Secret Attack.
User Password-Based Attack.
Request Authenticator-Based Attacks.
Replay of Server Responses.
Shared Secret Issues.
802.1x: The Gates to Your Wireless Fortress.
Basics of EAP-TLS.
Windows 2000 and Windows XP.
An Example of Access Point Configuration: Orinoco AP-2000.
What Is a Directory Service?
What Is LDAP?
How Does LDAP Work?
Installation of OpenLDAP.
Configuration of OpenLDAP.
Populating the LDAP Database.
Centralizing Authentication with LDAP.
Mobile Users and LDAP.
NoCat: An Alternative Method of Wireless User Authentication.
Installation and Configuration of NoCat Gateway.
Installation and Configuration of Authentication Server.
14. Guarding the Airwaves: Deploying Higher-Layer Wireless VPNs.
Why You Might Want to Deploy a VPN.
VPN Topologies Review: The Wireless Perspective.
Common VPN and Tunneling Protocols.
Alternative VPN Implementations.
The Main Player in the Field: IPSec Protocols, Operations, and Modes Overview.
IPSec Key Exchange and Management Protocol.
Phase 1 Modes of Operation.
Phase 2 Mode of Operation.
Perfect Forward Secrecy.
Dead Peer Discovery.
IPSec Road Warrior.
Deploying Affordable IPSec VPNs with FreeS/WAN.
X.509 Certificate Generation.
Network-to-Network VPN Topology Setting.
Host-to-Network VPN Topology Setting.
Windows 2000 Client Setup.
Windows 2000 IPSec Client Configuration.
15. Counterintelligence: Wireless IDS Systems.
Categorizing Suspicious Events on WLANs.
1. RF/Physical Layer Events.
2. Management/Control Frames Events.
3. 802.1x/EAP Frames Events.
4. WEP-Related Events.
5. General Connectivity/Traffic Flow Events.
6. Miscellaneous Events.
Examples and Analysis of Common Wireless Attack Signatures.
Radars Up! Deploying a Wireless IDS Solution for Your WLAN.
Commercial Wireless IDS Systems.
Open Source Wireless IDS Settings and Configuration.
A Few Recommendations for DIY Wireless IDS Sensor Construction.
Appendix A. Decibel—Watts Conversion Table.
Appendix B. 802.11 Wireless Equipment.
Appendix C. Antenna Irradiation Patterns.
Appendix D. Wireless Utilities Manpages.
Appendix E. Signal Loss for Obstacle Types .
Appendix F. Warchalking Signs.
Proposed New Signs.
Appendix G. Wireless Penetration Testing Template.
Arhont Ltd Wireless Network Security and Stability Audit Checklist Template.
1 Reasons for an audit.
2 Preliminary investigations.
3 Wireless site survey.
4 Network security features present.
5 Network problems / anomalies detected.
6 Wireless penetration testing procedure .
7 Final recommendations.
Appendix H. Default SSIDs for Several Common 802.11 Products.