
Part I: Hacking 802.11 Wireless Technology



Her First Engagement

Makoto had done her fair share of infrastructure assessments in the past, and she had managed to “borrow” Wi-Fi from neighbors and unsuspecting businesses in her travels. This was the first time she had been asked to perform a wireless assessment for a client, however. She knew the timing couldn’t be worse—it was the middle of the winter, and the site she was supposed to visit was a remote location known for its legendary snow storms. Although the weather wasn’t going to be peachy while she was there, she did her homework to determine the best days to avoid getting snowed in. She also planned all her equipment needs ahead of time and packed the wireless gear she thought she might need: an array of wireless cards, long-range directional antennas, and a netbook with an Atheros-based wireless card. She also brought along a GPS unit in case she got lost and a cigarette lighter power adapter to keep her laptop alive while war driving. All that gear earned her suspicious stares from airport security as she went through the security check, but she managed to get onto her flight without too much hassle.

When she arrived at the hotel the night before the assessment, she asked the front desk how long it would take to get to her destination in the morning. She’d never been in the area before and had no idea if there would be any traffic. Better to know ahead of time, especially with it being winter and any possible road closures.

A Parking Lot Approach

As usual, Makoto arrived at the site a bit early. When she pulled up to the location, she realized it was a sprawling shipping and receiving facility of large warehouses with trucks coming in and going out. However, with the different names on the sides of the trucks as well as the many entrances, she concluded that most likely multiple businesses used this site. She made a mental note that she had to make absolutely sure any wireless networks she planned to assess actually belonged to the client, not to one of the neighboring businesses.

Before she went in, she decided to determine what she could detect from the outside. She parked in the facility’s lot and opened her laptop. She first searched for wireless networks using the built-in Windows tools. She knew active scanning was a pretty limited approach, and anyone with passing knowledge of wireless assessments would put their wireless card into monitor mode. However, she felt active scanning was representative of some random person off the street trying to see if any wireless networks were open, so maybe she would gain useful information. She picked up a few wireless networks—some “defaults” and some with cryptic names that used a combination of WEP and WPA. She wasn’t sure if they belonged to the client or the neighboring businesses, so she simply took note of what she could see and moved on.

Next she performed a more thorough outside test. Makoto plugged in her external Atheros-based wireless card and attached a high-gain directional antenna. She booted off a pre-prepared BackTrack Linux USB key and put the wireless card into monitor mode. She fired up airodump-ng, part of the Aircrack-ng suite of tools, and pointed the antenna at the part of the facility owned by the client. Because the antenna was directional, many of the other wireless networks that she had detected earlier did not show up. However, a new wireless network showed up, this time with a hidden SSID. It was protected by WEP, and she could see the data count gradually going up. But, without confirming that it belonged to the client, she decided to only take note of it for now. While she kept the antenna pointed at the building, someone came and got something out of the car parked next to her. She could tell that he was trying to be sneaky and pretend not to be checking out the person in the car with a laptop and an antenna pointed at a building. She smiled to herself but was glad that she had her site contact’s information handy if that person alerted security—or even worse, the authorities.

Enough for outdoor reconnaissance, she thought; it was time to meet the site contact. Her contact was the site manager, who was far removed from the information security team sponsoring this project. He said he knew she was here, as someone had come to him earlier and said there was a suspicious-looking person in the parking lot with a laptop and antenna. He was actually happy to hear that the employees were alert.

The Robot Invasion

First, she did a walkthrough of the facilities with the site manager as an escort. She took her little netbook with an Atheros-based mini PCI wireless card set in monitor mode to look for any wireless access points. As these satellite offices were far from the reach of corporate headquarters, the existence of wireless access points was one of the things the information security project sponsor was interested in. Part of Makoto’s activities was to catalog which access points existed, if any, and to see if any unauthorized wireless access points (rogue APs) had been installed. The site manager informed Makoto that they had no wireless here; it was only a shipping and receiving station with minimal IT infrastructure (or so he thought).

She walked around with the site manager inside the large shipping and receiving floor. It was a veritable menagerie of automated robots moving pallets of goods around, as well as people driving small forklifts, loading and unloading goods into trucks parked at the service bay. Except for a small office attached to the warehouse, the site manager was right in that there appeared to be little IT infrastructure involved. As she walked around, she still saw the “hidden” wireless signal that she had discovered from outside with her high-gain antenna. The signal was particularly strong using only the built-in antenna in her netbook, so she was fairly certain it originated from somewhere in this warehouse. In fact, as she walked around with Kismet running, she noticed the signal strength fluctuate. The signal was stronger inside the large plant area than it was in the office, contrary to where she thought a wireless router might be located.

As she walked around, she noticed the robots that were moving pallets. The robots never seemed to bump into each other, so she deduced they were being controlled by something. She also noticed that every time they picked up and dropped off a pallet of goods, the robot scanned a large barcode on the side of the pallet and the device beeped. The same thing happened whenever one of the forklift drivers picked up a pallet and moved it into a waiting truck. They would scan the pallet with a handheld device. Could the robots and the barcode scanners be communicating over some type of wireless network, possibly the WEP-protected wireless signal she saw?

Looking around further, she noticed a large box attached to the rafters of the warehouse. Some conduit seemed to be running from it, so she thought that maybe it was the source of the wireless signal. Attaching her high-gain wireless card and directional antenna, she pointed it around the room and saw the signal jump considerably when pointed directly at the box (or somewhere around it, due to the dispersion of signal from the antennas probably built into the box). She determined that the signal might be coming from there.

With a reasonable degree of confidence that the hidden AP was owned by the client and not the next-door neighbor, she then decided it was time to see what she could do. The instructions from the client were to try to penetrate whatever wireless infrastructure she found and see what she could do while on the network. Using the aforementioned Aircrack-ng toolkit, she put her wireless card into monitor mode, performed a fake authentication against the hidden AP, and started performing packet injection.

She noticed that every time one of the robots or forklift drivers scanned a pallet, the data counter for that wireless network would increment. She concluded that these robots and handheld scanners must be using the wireless network to communicate and track the inventory. That gave her enough usable data to replay back to the router to generate more IVs via ARP injection.

It only took ten minutes or so to crack the WEP key, a testament to how little protection WEP provided. After associating with the access point with her PC using the key, she received an IP via DHCP. She was now on the network that the robots and scanners used. But what could she do? If the robots in this shipping station were scanning some type of barcode on each of the pallets, perhaps that information was being tracked somewhere. Maybe these machines were talking to a backend server. She wrote a little script to ping each of the IPs in her subnet. After some replies and a few port scans, she realized she was on the same network segment as the inventory server that all the automated machines were talking to! She decided it was beyond the scope of the project to try to penetrate into the server, so the screenshots she took of being able to reach it were enough to prove she could penetrate it from the wireless network segment. What’s more, she did some simple network discovery and saw that she could also access the internal domain controllers within the enterprise and even access the servers located in different regions of the world!

Final Wrap-Up

She spoke again to the site manager after connecting to and poking around the wireless infrastructure. She explained that the robots and the handheld scanners connected back to a backend inventory system via a wireless connection, and that she was able to associate with the access point after she cracked the WEP key. He explained that the inventory system that Makoto had compromised was installed about five years ago, probably before more recent encryption methods were used, and he had no idea that it communicated over standard 802.11; to him and everyone else with a computer in the office, it never looked like there was any wireless infrastructure. What’s worse is that, although Makoto did this while she was in the office, there’s no reason she couldn’t have done it sitting down the street with a high-powered antenna pointing at the building. And no one would have known.



Hacking Exposed Wireless: Wireless Security Secrets & Solutions


Welcome to Hacking Exposed Wireless. This first chapter is designed to give you a brief introduction to 802.11 and help you choose the right 802.11 gear for the job. By the end of the chapter, you should have a basic understanding of how 802.11 networks operate, as well as answers to common questions, including what sort of card, GPS, and antenna to buy. You will also understand how wireless discovery tools such as Kismet work.


The 802.11 standard defines a link-layer wireless protocol and is managed by the Institute of Electrical and Electronics Engineers (IEEE). Many people think of Wi-Fi when they hear 802.11, but they are not quite the same thing. Wi-Fi is a subset of the 802.11 standard, which is managed by the Wi-Fi Alliance. Because the 802.11 standard is so complex, and the process required to update the standard so involved (it’s run by a committee), nearly all of the major wireless equipment manufacturers decided they needed a smaller, more nimble group dedicated to maintaining interoperability among vendors while promoting the technology through marketing efforts. This resulted in the creation of the Wi-Fi

The Wi-Fi Alliance assures that all products with a Wi-Fi-certified logo work together for a given set of functions. This way, if any ambiguity in the 802.11 standard crops up, the Wi-Fi Alliance defines the “right thing” to do. The Alliance also allows vendors to implement important subsets of draft standards (standards that have not yet been ratified). The most well-known example of this is Wi-Fi Protected Access (WPA) or “draft” 802.11n

An expanded version of this introduction, which covers a great deal more detail surrounding the nuances of the 802.11 specification, is available in Bonus Chapter 1 at the book’s companion website

The Basics

Most people know that 802.11 provides wireless access to wired networks with the use of an access point (AP). In what is commonly referred to as ad-hoc or Independent Basic Service Set (IBSS) mode, 802.11 can also be used without an AP. Because those concerned about wireless security are not usually talking about ad-hoc networks, and because the details of the 802.11 protocol change dramatically when in ad-hoc mode, this section covers running 802.11 in infrastructure mode (with an AP), unless otherwise specified.

The 802.11 standard divides all packets into three different categories: data, management, and control. These different categories are known as the packet type. Data packets are used to carry higher-level data (such as IP packets). Management packets are probably the most interesting to attackers; they control the management of the network. Control packets get their name from the term “media access control.” They are used for mediating access to the shared medium.


Chapter 1: Introduction to 802.11 Hacking

Any given packet type has many different subtypes. For instance, Beacons and Deauthentication packets are both examples of management packet subtypes, and Request to Send (RTS) and Clear to Send (CTS) packets are different control packet subtypes.

Addressing in 802.11 Packets

Unlike Ethernet, most 802.11 packets have three addresses: a source address, a destination address, and a Basic Service Set ID (BSSID). The BSSID field uniquely identifies the AP and its collection of associated stations, and is often the same MAC address as the wireless interface on the AP. The three addresses tell the packets where they are going, who sent them, and what AP to go through.

Not all packets, however, have three addresses. Because minimizing the overhead of sending control frames (such as acknowledgments) is so important, the number of bits used is kept to a minimum. The IEEE also used different terms to describe the addresses in control frames. Instead of a destination address, control frames have a receiver address, and instead of a source address, they have a transmitter address.

The following illustration shows a typical data packet. In this packet, the BSSID and destination address are the same because the packet was headed to an upstream network, and the AP was the default gateway. If the packet had been destined for another machine on the same wireless network, the destination address would be different than the

802.11 Security Primer

If you are reading this book, then you are probably already aware that there are two very different encryption techniques used to protect 802.11 networks: Wired Equivalency Protocol (WEP) and Wi-Fi Protected Access (WPA). WEP is the older, extremely vulnerable standard. WPA is much more modern and resilient. WEP networks (usually) rely on a static 40- or 104-bit key that is known on each client. This key is used to initialize a stream cipher (RC4). Many interesting attacks are practical against RC4 in the way it is utilized within WEP. These attacks are covered in Chapter 3, “Attacking 802.11 Wireless Networks.” WPA can be configured in two very different modes: pre-shared key (or passphrase) and enterprise mode. Both are briefly explained next.

WPA Pre-Shared Key

WPA Pre-Shared Key (WPA-PSK) works in a similar way to WEP, as it requires the connecting party to provide a key in order to access the wireless network. However, that’s where the similarities end. Figure 1-1 shows the WPA-PSK authentication process. This process is known as the four-way handshake.

The pre-shared key (i.e., passphrase) can be anywhere between 8 and 63 printable ASCII characters long. The encryption used with WPA relies on a pairwise master key (PMK), which is computed from the pre-shared key and SSID. Once the client has the PMK, it and the AP negotiate a new, temporary key called the pairwise transient key (PTK). These temporary keys are created dynamically every time the client connects and are changed periodically. They are a function of the PMK, a random number (supplied by the AP, called an A-nonce), another random number (supplied by the client, called an S-nonce), and the MAC addresses of the client and AP. The reason the keys are created from so many variables is to ensure they are unique and nonrepeating.

The AP verifies the client actually has the PMK by checking the Message Integrity Code (MIC) field during the authentication exchange. The MIC is a cryptographic hash of the packet that is used to prevent tampering and to verify that the client has the key. If the MIC is incorrect, that means the PTK and the PMK are incorrect because the PTK is derived from the PMK.








[Figure 1-1 A successful four-way handshake. Client and AP each compute the 256-bit pairwise master key from (passphrase, SSID, ssidLength, 4096, 256). The client derives the PTK and sends its S-nonce with a MIC; the AP derives the PTK and checks the MIC, then replies “OK, install the key” with a MIC; the client checks that MIC and replies “Key installed” with a MIC; both sides install the key and begin encrypting.]
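The derivation chain the figure illustrates, as an added example (not the book’s code): the PMK from passphrase and SSID by PBKDF2-HMAC-SHA1 (the function the figure writes as (passphrase, SSID, ssidLength, 4096, 256)), the PTK from the PMK, both MACs and both nonces by the 802.11i PRF, and the MIC check with the KCK that tells the AP whether the client really holds the PMK. The MAC addresses and passphrases are constructed, and the EAPOL-Key message body is simplified.

```python
# Key derivation behind Figure 1-1 and the MIC check the AP performs. Added example for
# this chapter, not code from the book; MACs, nonces and passphrases are constructed and
# the EAPOL-Key message body is simplified.
import hashlib
import hmac
import os

# Constructed addresses (no real devices).
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")

def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), the
    function Figure 1-1 writes as (passphrase, SSID, ssidLength, 4096, 256)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((nbytes + 19) // 20))
    return b"".join(blocks)[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK, both MACs and both nonces (the inputs the chapter lists).
    MACs and nonces are ordered by value so client and AP compute the same key.
    64 bytes is the TKIP size; CCMP uses the first 48."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def eapol_mic(kck, eapol_frame_with_zeroed_mic):
    """WPA2/CCMP MIC: HMAC-SHA1 keyed with the KCK (first 16 bytes of the PTK) over
    the EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def handshake_mic_check(ap_passphrase, sta_passphrase, ssid):
    """Run messages 1 and 2 of the four-way handshake and return the AP's verdict.
    Two passphrases are taken only so that both outcomes can be shown; in a real
    network there is one, and the AP never sees the client's copy."""
    anonce, snonce = os.urandom(32), os.urandom(32)        # message 1 carries the A-nonce
    # Supplicant: derive its PTK and sign message 2 (S-nonce + MIC).
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid),
                         AP_MAC, STA_MAC, anonce, snonce)
    msg2 = b"\x02" + snonce + b"\x00" * 16                  # simplified body, MIC field zeroed
    mic = eapol_mic(sta_ptk[:16], msg2)
    # Authenticator: derive the PTK from its own PMK and check the MIC. A mismatch
    # means the client's PTK, and hence its PMK, is wrong.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid),
                        AP_MAC, STA_MAC, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ap_ptk[:16], msg2), mic)
```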



When attacking WPA, you are most interested in recovering the PMK. If the network is set up in pre-shared key mode, the PMK allows you to read all the other clients’ traffic (with some finagling) and to authenticate yourself successfully.

Although WPA-PSK has similar use cases as traditional WEP deployments, it should only be used in home or small offices. Since the pre-shared key is all that’s needed to connect to the network, if an employee on a large network leaves the company, or a device is stolen, the entire network must be reconfigured with a new key. Instead, WPA Enterprise should be used in most organizations, as it provides individual authentication, which allows greater control over who can connect to the wireless network.

A Rose by Any Other Name: WPA, WPA2, 802.11i, and 802.11-2007

Astute readers may have noticed that we are throwing around the term WPA when, in fact, WPA was an interim solution created by the Wi-Fi Alliance as a subset of 802.11i before it was ratified. After 802.11i was ratified and subsequently merged into the most recent 802.11 specification, technically speaking, most routers and clients now implement the enhanced security found in 802.11-2007. Rather than get bogged down in the minutiae of the differences among the versions, or redundantly referring to the improved encryption as “the improved encryption previously known as WPA/802.11i,” we will just keep using the WPA terminology.

WPA Enterprise

When authenticating to a WPA-based network in enterprise mode, the PMK is created dynamically every time a user connects. This means that even if you recover a PMK, you could only impersonate a single user for a specific connection.

In WPA Enterprise, the PMK is generated at the authentication server and then transmitted down to the client. The AP and the authentication server speak over a protocol called RADIUS. The authentication server and the client exchange messages using the AP as a relay. The server ultimately makes the decision to accept or reject the user, whereas the AP is what facilitates the connection based on the authentication server’s decision. Since the AP acts as a relay, it is careful to forward only packets from the client that are for authentication purposes and will not forward normal data packets until the client is properly authenticated.

Assuming authentication is successful, the client and the authentication server both derive the same PMK. The details of how the PMK is created vary depending on the authentication type, but the important thing is that it is a cryptographically strong random number both sides can compute. The authentication server then tells the AP to let the user connect and also sends the PMK to the AP. Because the PMKs are created dynamically, the AP must remember which PMK corresponds to which user. Once all parties have the PMK, the AP and client engage in the same four-way handshake illustrated in Figure 1-1. This process confirms the client and AP have the correct PMKs and can communicate properly. Figure 1-2 shows the enterprise-based authentication process.





EAP and 802.1X

In Figure 1-2, you probably noticed that many packets have EAP in them. EAP stands for Extensible Authentication Protocol. Basically, EAP is a protocol designed to carry arbitrary authentication protocols—sort of an authentication meta-protocol. EAP allows devices, such as APs, to be ignorant of specific authentication protocol details.

IEEE 802.1X is a protocol designed to authenticate users on wired LANs. 802.1X leverages EAP for authentication, and WPA uses 802.1X. When the client sends authentication packets to the AP, it uses EAPOL (EAP over LAN), a standard specified in


[Figure 1-2 Enterprise-based WPA authentication. The AP sends EAP Request Identity and the client answers with EAP Response Identity; messages from the client to the AP are transmitted in EAP over LAN packets, and messages from the AP to the RADIUS server are transmitted inside RADIUS packets. Any number of authentication-type-specific EAP Request/Response pairs (1 through N) are relayed between client and server, followed by EAP Success. One message is unique and does not get forwarded to the supplicant: the RADIUS server delivering the PMK to the AP. The four-way handshake with the PMK follows.]
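The relay behaviour of the figure, as an added example (not the book’s code): an authentication server that alone accepts or rejects, an AP that relays EAP messages, keeps its controlled port closed until EAP Success, and remembers the PMK it receives per client, and a supplicant that derives the same PMK. The EAP method is a toy challenge-response standing in for a real one such as EAP-TLS, and the user database and client MACs are constructed.

```python
# Relay model of Figure 1-2: the AP forwards only EAP traffic until the server returns
# EAP Success, the server alone decides, and the PMK it hands the AP is never forwarded
# to the supplicant. Added example for this chapter, not the book's or any vendor's code.
# The EAP method is a toy challenge-response (stand-in for EAP-TLS and friends).
import hashlib
import hmac
import os

def toy_proof(secret, challenge):
    """Stand-in for an EAP method's response to the server's challenge."""
    return hmac.new(secret, b"proof" + challenge, hashlib.sha256).digest()

def toy_pmk(secret, challenge):
    """Stand-in for the method's key derivation: both ends can compute it, the AP
    (which only relays and never sees the secret) cannot."""
    return hmac.new(secret, b"pmk" + challenge, hashlib.sha256).digest()

class AuthServer:
    """The RADIUS/EAP server; in real life each call arrives inside a RADIUS packet."""
    def __init__(self, users):
        self.users, self.challenges = users, {}

    def handle(self, identity, response=None):
        """Return (eap_message, challenge, pmk); pmk is set only on EAP Success."""
        if response is None:                      # EAP Response Identity -> EAP Request 1
            self.challenges[identity] = os.urandom(16)
            return "EAP Request 1", self.challenges[identity], None
        secret, chal = self.users.get(identity), self.challenges.pop(identity, None)
        if secret is None or chal is None or not hmac.compare_digest(
                response, toy_proof(secret, chal)):
            return "EAP Failure", None, None
        return "EAP Success", None, toy_pmk(secret, chal)

class AccessPoint:
    """Relay with a per-client controlled port that stays closed until EAP Success."""
    def __init__(self, server):
        self.server, self.pmks, self.authorized = server, {}, set()

    def receive_eapol(self, client_mac, identity, response=None):
        msg, chal, pmk = self.server.handle(identity, response)
        if pmk is not None:                       # delivered to the AP only; kept per client
            self.pmks[client_mac] = pmk
            self.authorized.add(client_mac)
        return msg, chal                          # relayed to the client as EAPOL

    def receive_data(self, client_mac, payload):
        """Ordinary data frames are dropped until the client is authenticated."""
        return payload if client_mac in self.authorized else None

USERS = {"makoto": b"constructed-user-secret"}    # constructed credential store

def enterprise_login(ap, client_mac, identity, secret):
    """Supplicant side. Returns the PMK the client derived, or None when rejected;
    the four-way handshake of Figure 1-1 would follow using that PMK."""
    msg, chal = ap.receive_eapol(client_mac, identity)             # EAP Response Identity
    if msg != "EAP Request 1":
        return None
    msg, _ = ap.receive_eapol(client_mac, identity, toy_proof(secret, chal))  # Response 1
    return toy_pmk(secret, chal) if msg == "EAP Success" else None
```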

