By familiarizing yourself with following software, you will not only have a better understanding of the vulnerabilities inherent in 802.11 networks, but you will also get a glimpse at how a hacker might exploit them. These tools can even be used when auditing your own network as we will see later.
Most serious hackers and network auditors use the open-source operating system Linux as the platform from which they launch attacks and perform analysis. This section highlights some of the more popular tools, mostly Linux, that can be used to search out and hack wireless networks.
The home page for the free cracking application, AirSnort, plainly states, “AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys.” AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. In even more simplistic terms, AirSnort is a program that listens to the wireless radio transmissions of a network and gathers them into a meaningful manner. After enough time has passed (sometimes in a matter of hours) and data are gathered, analytical tools process the data until the network security is broken. At that point everything that crosses the network can be read in plain text.
The authors of this fully functional encryption-cracking tool have maintained from the first days of release it would expose the true threats of WEP encryption. Jeremy Bruestle, one of two lead programmers for the project, has truly recognized the inherent dangers of WEP. He states during an interview in 2001, “It is not obvious to the layman or the average administrator how vulnerable 802.11b is to attack. It´s too easy to trust WEP.” AirSnort is not the only open-source tool used for wireless cracking but the first publicly recognized freeware to put the power of an intellectually skilled-criminal into the hands of a neighbor, who just got the cheapest deal from the local ISP.
WEPcrack, simultaneously being developed along with AirSnort, is another wireless network cracking tool. It too exploits the vulnerabilities in the RC4 Algorithm, which comprise the WEP security parameters. While WEPcrack is a complete cracking tool, it is actually comprised of three different hacking applications all of which are based on the development language of PERL. The first, WeakIVGen, allows a user to emulate the encryption output of 802.11 networks to weaken the secret key used to encrypt the network traffic. Prism-getIV is the second application that will analyze packets of information until ultimately matching patterns to the one known to decrypt the secret key. Thirdly the WEPcrack application pulls the two other beneficial data outputs together to decipher the network encryption.
Kismet is an extremely useful tool that supports more of an intrusion detection approach to the wireless security. However, Kismet can be used to detect and analyze access points within range of the computer on which it is installed. Among many other things, the software will report the SSID of the access point, whether or not it is using WEP, which channels are being used, and the range of IP addresses employed. Other useful features of Kismet include de-cloaking of hidden wireless networks, and graphical mapping of networks using GPS integration.
Ethereal is a pre-production network capturing utility. Currently capable of identifying and analyzing 530 different network protocols, Ethereal can pose a substantial threat through the discovery and detection of any network communication. One of many network analyzers, this application arguably does the most comprehensive job of seeing and recognizing everything that goes by its sensor.
Known as a packet injection/reception tool, Airjack is an 802.11 device driver is designed to be used with a Prism network card (mainly Linux hardware). Other names include wlan-jack, essid-jack, monkey-jack, and kracker-jack. This tool was originally used as a development tool for wireless applications and drivers to capture, inject, or receive packets as they are transmitted. It’s a fundamental tool used in DoS attacks and Man-in-the-Middle attacks. Its capabilities include being able to inject data packets into a network to wreck havoc on the connections between wireless node and their current access point. A common hacking use for this tool is to kick everyone off of an access point immediately, and keep them logged off for as long as you like. Without the Layer-1, frame level authentication on all 802.11a/b/g networks, a computer running Airjack would passively assume the identity of an access point and then once inside of the channel of communication between node and AP, Airjack would begin sending dissociate or deauthenticate frames sequentially at a high rate. The users’ networks network cards interpret this as their AP and they drop their connection.
HostAP is really nothing more than a firmware for Prism cards to act as an access point in any environment. With multiple scanning, broadcasting, and management options, HostAP can lure disconnected clients into a connection with the HostAP user’s computer and engage into whatever activities suitable to that situation. This is a very common tool used with growing compatibility where it will be ubiquitous with any Open Source OS in the near future.
Dweputils is not one application but a set of applications that together comprise a larger threat to wireless networks of any character. Dweputils is a set of utilities that can completely inspect and lock-down any WEP network. Dwepdump is a packet-gathering tool, which provides the ability to collect WEP encrypted packets. Dwepcrack then gives you the power to deduce WEP keys with a variety of frequently employed technique. Finally dwepkeygen, a 40-bit key generator, can creates keys that aren´t susceptible to the Tim Newsham 221 attack with a variable length seed.
AirSnarf is an access point spoofing tool based off the simplest way to dupe users into handing over their sensitive information to rouge hackers. Quite simply this application mimics a legitimate access point. The method of attack is broken down into recreating an identical logon webpage that would normally be displayed by the AP. The user is bumped off the network and forced to re-login or is caught before they login the first time. The simple trick convinces them into voluntary sending their login information to the hacker who can then use it at their disposal. It is extremely simple yet effective.
All the details of the AP connection are legitimate to the unsuspecting user within their network configuration. They never realize this has happened in some cases as you then authenticate them to the network and allow them to pass through your computer.
This is the primary tool available for Windows users to detect 802.11 networks. It does not have any cracking tools that are inherent in the software package but can be used in conjunction with numerous other tools to find and hack a wireless network. NetStumbler is perhaps the least dangerous application discussed here, but the first challenge of any hack is finding where and what you are hacking.
Also referred to as the “aRe yoU There” network tool, THC-RUT, combines detection, spoofing, masking, and cracking into the same tool. Many see it as the, “first knife used on a foreign network” boasting its brute force all-in-one capabilities. Resources in the tool included spoofing Dynamic Host Configuration Protocol (DHCP), Reverse Address Resolution Protocol (RARP), and Bootstrap Protocol (BOOTP) requests.
Hotspotter is another rouge access point tool that can mimic any access point, dupe users to connecting, and authenticate with the hacker’s tool. This, again, is done with a deauthenticate frame sent to a MS Windows XP user’s computer that would cause the victim’s wireless connection to be switched to a non-preferred connection, AKA a rouge AP. This sort of trick is a passive approach that seeks to identify the probe frame sent by any Windows XP machine looking for its preferred network containing exploitable information.
LEAP stand for Lightweight Extensible Authentication Protocol, which is intellectual property of Cisco Systems, Inc. This is a broadly used protocol for authentication on Cisco Access points with inherent weaknesses. ASLEAP is able to use hashing algorithms to create brute force attacks to recover passwords, and actively deauthenticate users from the AP making them reauthenticate quickly to expedite the process of hacking. This is another tool in the arsenal of hackers with an ever-shrinking learning curve.
IKECrack is an open source IKE/IPSec authentication crack tool. It uses brute force dictionary based attacks searching for password and key combinations to Pre-Shared-Key (PSK) authentication networks. With repetitive attempts at authentication with random passphrases or keys this crack tool undermines the latest WiFi security protocol.
Copyright 2005 Bradley Morgan, invulnerableit.com