[Figure residue lost in extraction; recoverable words only: "intruding", "equipped with", "boundary", "laptop", "diagram reproduced", "in car", "parking lot", "shown".]

IV. CONFIGURATION AND SETUP USED
We used a laptop with the following configuration: Make: Acer Laptop, Processor: Mobile Centrino processor, Memory/RAM: 256 MB, Hard Disk Capacity: 20 GB with onboard wireless network adapter, PCMCIA Wireless Adapter slot etc. So our laptop had 2 wireless network adapters. We used one for wireless network detection, using NetStumbler 0.4.0 software [5] and the other for 802.11b/g packet capturing using Link Ferret 3.10 software [6].

[Text garbled in extraction; surviving fragments in order: "we fixed ... CISCO Aironet 350 series PCMCIA Wireless ... packet ... us ... name ... absence ... encryption if enabled or the ... detected and ... highways."] As expected, wireless networks were detected and packets were captured from the needed places. The results were quite revealing.
were
V. PACKET CAPTURING AND OBSERVATIONS
[Text garbled in extraction; surviving fragments: "Packet ... wireless ... alerts. It ... number of ... that quite".] It was quite surprising to see that wireless networks were working without encryption. They simply had not enabled the WEP option. The packet capturing was done in eight different sessions [fragments: "average duration of around an ... captured ... to ... an in we"].
[Table: Capture Sessions. Recoverable columns: packet file name (pkt1.cap to pkt8.cap), type of company/organization (Petrol Station; Multistoried Shopping Complex; Government Office; other entries lost), and percentage pairs (6.87%, 7.60%), (4.25%, 4.70%), (38.04%, 40.50%), (10.43%, 11.10%), (4.52%, 4.99%), (7.49%, 8.07%), (7.44%, 8.02%). Adjacent cells as extracted: pkt3.cap / Petrol Station / (6.87%, 7.60%); pkt4.cap / Multistoried Shopping Complex / (4.25%, 4.70%); pkt7.cap / Government Office. Further numeric cells (7.78, 22.835, 7.737) could not be assigned to rows; the remaining row-to-cell mapping was lost in extraction.]

[Figure: aircrack 2.1 screen capture. Recoverable text: "Got 256947 unique IVs | fudge factor 2", "tried 11 keys at 132 k/m", a table with columns KB / depth / votes listing candidate key bytes with their vote counts, "KEY FOUND! [ AIC0I2FSE?9SCDE56?FP456AD ]" (hex key as extracted, OCR-damaged), "Press Ctrl-C to exit."]
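Section V reports that many of the surveyed networks were running without encryption, something read directly off the captured traffic. The following Python example is added here and is not part of the paper or of the NetStumbler/Link Ferret tools it used; it shows where a beacon frame advertises that fact. The parser reads the Privacy bit of the capability field and looks for the RSN (WPA2) and vendor-specific WPA information elements, classifies each BSSID as OPEN, WEP, WPA or WPA2, and computes the share of open networks over a handful of constructed beacons. The frames, BSSIDs and SSIDs are all made up, and `build_beacon` exists only to fabricate that test input; the parser also stops cleanly on a truncated element, as happens with a clipped capture.

```python
"""Classify 802.11 beacon frames by advertised security (constructed sample input)."""
import struct
from dataclasses import dataclass
from typing import Optional

PRIVACY_BIT = 0x0010                         # capability info bit 4: "Privacy" (WEP or WPA/WPA2)
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")     # Microsoft OUI + type 1 = WPA information element


@dataclass
class BeaconInfo:
    bssid: str
    ssid: str
    channel: Optional[int]
    privacy: bool
    rsn: bool
    wpa: bool

    @property
    def security(self) -> str:
        if not self.privacy:
            return "OPEN"          # privacy bit clear: no encryption at all
        if self.rsn:
            return "WPA2"
        if self.wpa:
            return "WPA"
        return "WEP"               # privacy set but no WPA/RSN element: plain WEP


def parse_beacon(frame: bytes) -> BeaconInfo:
    """Parse the 24-byte MAC header, the 12 bytes of fixed fields and the tagged elements."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon (24-byte header + 12-byte fixed fields)")
    if frame[0] & 0xFC != 0x80:   # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # address 3 = BSSID
    capability = struct.unpack_from("<H", frame, 34)[0]           # after timestamp + interval
    ssid, channel, rsn, wpa = "", None, False, False
    offset = 36
    while offset + 2 <= len(frame):
        eid, elen = frame[offset], frame[offset + 1]
        data = frame[offset + 2: offset + 2 + elen]
        if len(data) < elen:       # truncated capture: stop and keep what was parsed
            break
        if eid == IE_SSID:
            ssid = data.decode("utf-8", "replace")
        elif eid == IE_DS_PARAM and elen == 1:
            channel = data[0]
        elif eid == IE_RSN:
            rsn = True
        elif eid == IE_VENDOR and data[:4] == WPA_OUI_TYPE:
            wpa = True
        offset += 2 + elen
    return BeaconInfo(bssid, ssid, channel, bool(capability & PRIVACY_BIT), rsn, wpa)


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, wpa=False) -> bytes:
    """Fabricate a minimal beacon for testing (constructed input, not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = 0x0001 | (PRIVACY_BIT if privacy else 0)   # ESS bit plus optional Privacy bit
    fixed = struct.pack("<QHH", 0, 100, cap)         # timestamp, beacon interval, capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_DS_PARAM, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, 2]) + b"\x01\x00"      # RSN version 1; enough to flag WPA2
    if wpa:
        ies += bytes([IE_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"
    return header + fixed + ies


def survey(frames):
    """Per-BSSID classification and the share of networks with no encryption at all."""
    seen = {}
    for f in frames:
        info = parse_beacon(f)
        seen[info.bssid] = info                      # repeated beacons count once
    open_count = sum(1 for i in seen.values() if i.security == "OPEN")
    return {"networks": len(seen), "open": open_count,
            "open_pct": round(100.0 * open_count / len(seen), 2) if seen else 0.0,
            "by_bssid": {b: i.security for b, i in seen.items()}}


SAMPLE_FRAMES = [   # constructed beacons; BSSIDs and SSIDs are made up
    build_beacon("00:11:22:33:44:01", "cafe-free", 6),
    build_beacon("00:11:22:33:44:02", "office", 1, privacy=True),
    build_beacon("00:11:22:33:44:03", "home", 11, privacy=True, wpa=True),
    build_beacon("00:11:22:33:44:04", "corp", 6, privacy=True, rsn=True),
    build_beacon("00:11:22:33:44:01", "cafe-free", 6),   # duplicate beacon, counted once
]

if __name__ == "__main__":
    result = survey(SAMPLE_FRAMES)
    for bssid, sec in result["by_bssid"].items():
        print(bssid, sec)
    print(result["networks"], "networks,", result["open_pct"], "% open")
```

Feeding real beacons from a capture into `survey` gives the same per-session "open versus encrypted" count that the table above reports as percentages; note that the Privacy bit alone cannot distinguish WEP from WPA, which is why the RSN and WPA elements are checked as well.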
direct all the traffic to his laptop and filter all the images. If images/audio can be filtered, any other files (like .txt, .pdf, .doc, .htm etc.) can be filtered by writing appropriate software.

We executed it as ./driftnet -a (adjunct mode of operation) as shown in figure 4. It then saves all the image files found in the network traffic to a temporary directory (/tmp/fileLVE4if as shown below) which can be processed later. With the -S option it extracts only MPEG streamed audio.
[Figure 4: driftnet output listing, reproduced from the screen capture; OCR damage repaired where unambiguous (tmp, gif, jpeg, and l/O read as the hex digits 1/0)]

/tmp/fileLVE4if/driftnet-42c170926b8b4567.gif
/tmp/fileLVE4if/driftnet-42c17092327b23c6.gif
/tmp/fileLVE4if/driftnet-42c17093643c9869.gif
/tmp/fileLVE4if/driftnet-42c1709366334873.jpeg
/tmp/fileLVE4if/driftnet-42c1709474b0dc51.jpeg
/tmp/fileLVE4if/driftnet-42c1709419495cff.gif
/tmp/fileLVE4if/driftnet-42c170952ae8944a.gif
/tmp/fileLVE4if/driftnet-42c17096625558ec.gif
/tmp/fileLVE4if/driftnet-42c1797238e1f29.gif   [one hex digit lost in extraction]
/tmp/fileLVE4if/driftnet-42c1709746e87ccd.jpeg
/tmp/fileLVE4if/driftnet-42c170983d1b58ba.gif
/tmp/fileLVE4if/driftnet-42c1709c507ed7ab.gif
7) Because the cost of access points has fallen, many organizations face the threat of rogue APs that join the company's network. When the company does not employ authentication techniques like RADIUS, VPNs etc. the above scenario can be dangerous. Precaution: Intrusion detection or prevention software, monitoring tools (for example, IBM Distributed Wireless Security Auditor) should be employed to locate the rogue access points.

8) In ARP poisoning, an attacker creates illegitimate packets with a spoofed IP address which claim that the IP belongs to his own computer's MAC address. Then, all transmissions from hosts that use the "shortcut" method of learning MAC/IP address combinations will be directed to the attacker's computer (thus he can eavesdrop or manipulate responses). Precaution: Network monitoring, denying access to foreign stations or using a secure-ARP version.

9) Session hijacking is said to occur when an attacker causes the user to lose his connection, and the attacker assumes his identity and privileges for a period. An attacker temporarily disables the user's system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attacks, and lets the legitimate user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds or a few minutes. Such hijacking can be achieved by using a forged Disassociation DoS attack. Precaution: Enable dynamic WEP/TKIP encryption, RADIUS authentication that is mutual, and network monitoring.

10) A WPA passive dictionary attack can be launched against a WPA-PSK (with 4-way handshake) setup in 802.11g networks using a dictionary file of words [18]. Precaution: Avoid dictionary words for the pass phrase during AP configuration.

XI. ANALYSIS OF FREE HACKER TOOLS

A brief analysis of WLAN hacker tools that are available free on the Internet is given below as a list of tools [19]. There are many more that are left out.

They are as follows: Aerosol by Sniph is easy to use wardriving software for PRISM2 Chipset, ATMEL USB and WaveLAN Wireless cards on Windows. AirCrack by the AirCrack Team is an 802.11 WEP key cracker. It implements the so-called Fluhrer - Mantin - Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. Airfart by Dave Smith is a wireless tool created to detect wireless devices, calculate their signal strengths, and present them to the user in an easy-to-understand fashion. AirJack by abaddon is a device driver (or suite of device drivers) for 802.11(a/b/g) raw frame injection and reception. AirSnort by The Shmoo Group is a wireless LAN (WLAN) tool which recovers encryption keys by passively monitoring transmissions. AirTraf by Elixar, Inc. is a wireless sniffer that can detect and determine exactly what is being transmitted over 802.11 wireless networks. AP Hopper by Matthew Davidson and Jeffrey Strube is a program that automatically hops between access points of different wireless networks. It checks for DHCP and Internet Access on all the networks found. APhunter by Jim Carter is an Access Point Hunter. It can find and automatically connect to whatever wireless network is within range. CDPsniffer by Max Moser is a small perl only Cisco discovery protocol (CDP) decoding sniffer. Chopchop by KoreK is a WEP cracker which uses the AP to decipher packets. Easiest ones to decipher are ARP packets. CoWPAtty WPA Cracker by Joshua Wright is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol. Supply a libpcap file that includes the TKIP four-way handshake to mount an offline dictionary attack with a supplied wordlist. Ethereal by Gerald Combs et al is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. FakeAP by Black Alchemy Enterprises generates thousands of counterfeit 802.11b access points. Hotspotter by Max Moser and Joshua Wright passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients and to damage later. Kismet by Mike Kershaw is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It can be very powerful by identifying clients and not just access points. MacStumbler by Korben is a utility to display information about nearby 802.11b and 802.11g wireless access points. NetChaser by Michael A. Waldron finds WiFi hotspots with your Palm Tungsten C Handheld Computer. NetStumbler by W. Slavin is a Windows utility for 802.11b based Wireless Network Auditing. Omerta by Mike D. Schiffman disassociates all 802.11 network connections within range on the same channel as the card in the machine. SMAC by KLC Consulting is an easy-to-use Windows MAC Address Modifying Utility that allows users to change the MAC address for almost any Network Interface Card (NIC). StumbVerter by Michael Puchol and Sonar Security is a standalone application that allows you to import Network Stumbler's summary files into Microsoft's MapPoint 2004 maps. void11 by Reyk Floeter is a free implementation of some basic 802.11b attacks. WellenReiter by Michael Lauer is a wireless network discovery and auditing tool. WEPCrack by Anton Rager and Paul Danckaert is a tool that cracks 802.11 WEP encryption keys using the discovered weakness of RC4 key scheduling. WEPWedgie by Anton Rager is a toolkit for determining 802.11 WEP key streams and injecting traffic with known key streams. WPA Cracker by Takehiro Takahashi is a dictionary/brute-force attacker against WiFi Protected Access (WPA). Wscan by Portland State University is an X-11/visual 802.11 wireless signal strength display tool (version 2.0 includes AP scanning mode).

XII. SECURITY MEASURES THAT CAN BE TAKEN

Wireless networks can never be security-risk-free. But we can try our best to minimize the possible attacks. Some useful security steps are listed below [2], [20], [21].

1) To start with, WEP 104 bit encryption should be enabled, with possible rotation of keys. WPA with TKIP/AES options can be enabled or CCMP/AES (in future). Upgrade the firmware on the AP to prevent the use of weak IV WEP keys. This is the first line of defense.

2) Ensure that mutual authentication is done through the IEEE 802.1x protocol. Client and AP should both authenticate to each other. Implementing IEEE 802.1x port based authentication with a RADIUS server (like PEAP/MS-CHAPv2) can be a second level of defense.
3) 4) 5) 6) 7) 8) 9) 10) 11) 12) 13) 14) [the text of these items was not recovered in extraction]
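The precautions given for threats 7) to 9) above all come down to monitoring: locate rogue access points, watch ARP for conflicting claims, and notice the disassociation bursts a hijacking attempt needs. The following Python example is added here and is not from the paper; it sketches those three monitors over constructed records. The authorized-AP inventory, BSSIDs, IP addresses and MAC addresses are made up, and the signal threshold, window length and frame-count threshold are assumptions to be tuned per site.

```python
"""Monitoring checks for rogue APs, ARP poisoning and disassociation floods
(added example over constructed records; not from the paper)."""
from collections import defaultdict, deque

# 7) Rogue access points: constructed inventory of the BSSIDs the organization owns.
AUTHORIZED_APS = {
    "00:11:22:33:44:02": "office",
    "00:11:22:33:44:04": "corp",
}


def find_rogue_aps(observed, inside_threshold_dbm=-50):
    """observed: (bssid, ssid, signal_dbm) tuples from a scan. Flag any unknown BSSID that
    advertises one of our SSIDs (an unauthorized or "evil twin" AP), and any unknown AP
    heard so strongly that it is probably inside the premises. The signal threshold is an
    assumption to tune per site."""
    our_ssids = set(AUTHORIZED_APS.values())
    findings = []
    for bssid, ssid, signal in observed:
        if bssid in AUTHORIZED_APS:
            continue
        if ssid in our_ssids:
            findings.append((bssid, ssid, "our SSID from an unauthorized BSSID"))
        elif signal >= inside_threshold_dbm:
            findings.append((bssid, ssid, "strong unknown AP, likely on premises"))
    return findings


# 8) ARP poisoning: keep the first IP->MAC binding seen and flag later conflicting claims.
class ArpMonitor:
    def __init__(self):
        self.bindings = {}   # ip -> mac first seen
        self.alerts = []     # (ts, ip, known_mac, claimed_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            self.alerts.append((ts, ip, known, mac))
        return self.alerts


# 9) Forged disassociation / deauthentication DoS: count such frames per BSSID in a
#    sliding window; a legitimate AP sends only a handful in a few seconds.
class DisassocFloodDetector:
    def __init__(self, window_s=5.0, threshold=10):
        self.window_s = window_s
        self.threshold = threshold
        self.events = defaultdict(deque)   # bssid -> timestamps inside the window
        self.alerted = set()               # one alert per BSSID per flood

    def observe(self, ts, bssid, subtype):
        if subtype not in ("disassoc", "deauth"):
            return None
        q = self.events[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold and bssid not in self.alerted:
            self.alerted.add(bssid)
            return (ts, bssid, len(q))
        return None


# Constructed sample records (all addresses made up).
SCAN = [
    ("00:11:22:33:44:02", "office", -40),     # ours
    ("aa:bb:cc:dd:ee:01", "office", -35),     # our SSID from a BSSID we do not own
    ("aa:bb:cc:dd:ee:02", "neighbor", -80),   # weak, next door: ignore
    ("aa:bb:cc:dd:ee:03", "guest-net", -38),  # strong unknown AP on the floor
]
ARP_LOG = [  # (ts, sender ip, sender mac) taken from ARP replies
    (1.0, "10.0.0.1", "00:11:22:33:44:10"),
    (2.0, "10.0.0.7", "00:11:22:33:44:17"),
    (3.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # gateway IP claimed by another MAC
    (3.5, "10.0.0.1", "00:11:22:33:44:10"),   # real gateway answers again
]
MGMT_LOG = [(0.0, "00:11:22:33:44:02", "beacon")] + \
           [(i / 10, "00:11:22:33:44:02", "deauth") for i in range(12)] + \
           [(20.0, "00:11:22:33:44:04", "disassoc")]   # a single one is normal


def run_rogue():
    return find_rogue_aps(SCAN)


def run_arp():
    mon = ArpMonitor()
    for ts, ip, mac in ARP_LOG:
        mon.observe(ts, ip, mac)
    return mon.alerts


def run_flood():
    det = DisassocFloodDetector()
    return [a for a in (det.observe(*rec) for rec in MGMT_LOG) if a]


if __name__ == "__main__":
    print("rogue APs:", run_rogue())
    print("ARP conflicts:", run_arp())
    print("disassoc floods:", run_flood())
```

The ARP monitor deliberately trusts the first binding it sees, so it should be started on a quiet network or seeded from a static table; the flood detector alerts once per BSSID so that a sustained attack does not itself flood the alert log.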
[3] Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, "Using the
[5] http://www.networkchemistry.com/products/packetyzer/
[11] Nancy Cam-Winget, Russ Housley, David Wagner and Jesse Walker, "Security flaws in 802.11 data link protocols", Communications of the ACM, May 2003.
[12] Nikita Borisov, Ian Goldberg and David Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11", ACM SIGMOBILE, 2001.
[13] Cyrus Peikari and Seth Fogie, "Maximum Wireless Security", Cracking WEP, Sams, 2003. Also available: http://www.airscanner.com/pubs/wep.pdf
[14] Green P., "Eastern Europe's foray into m-commerce", The New York Times, pp3.8, 2000.
[20] Mike Horton and Clinton Mugge, "HackNotes Network Security Portable Reference", McGraw-Hill/Osborne, 2003, pp. 107-118.
[21] Paul Campbell, Ben Calvert and Steven Boswell, "Security+ Guide to Network Security Fundamentals", Thomson Course Technology, 2003.