Wifi security phần 8
- 16 trang
- file .pdf
4.2. GATHERING INFORMATION ON A VICTIM 61
to induce action from the attached clients. WEPWedgie is the software tool which
has implemented the attacks.
There is no point in scanning for wireless hosts since they are already known by
eavesdropping on wireless traffic. In addition to wireless hosts, all wired hosts which
have communicated with a wireless hosts are also known by their MAC address in
the header of a frame.
Scanning by inserting random MAC addresses as destinations and waiting for
responses is useless as there are 248 different MAC addresses. Not all MAC addresses
can belong to a physical network card, but the amount is still too much. Sending
out a frame for each of the 248 possible MAC addresses would take somewhere in
the area of 3,000 years if frames are sent out at a rate of 2,900 frames/second. If a
packet for each possible IP address is attempted: the time it takes is roughly 3 years.
Fortunatly for a hacker, the number of unused IP addresses is running out. To rectify
the problem on a temporary basis, Network Address Translation (NAT) is utilized
in most multi-computer homes and small to medium size offices. With NAT, most
computers are assigned IP addresses in the ranges 10.0.0.0/24 and 192.168.0.0/16.
Sending frames to the entire 192.168.0.0/16 range takes a minimum of 23 seconds at
2900 frames/second.
Since the replies are sent to the wireless client and the replies are encrypted, there
is a difficulty to determine which reply was to which request. The solution used by
WEPWedgie and illustrated in Figure 4.2 is to utilize an Internet return channel;
a “helping host”. ICMP echo requests are injected with the source address of the
helping host. If the destination address of the request exists, that computer will
reply to the request, but send the reply to the helping host. The helping host can
view the reply with e.g. tcpdump, and will see the IP address of the client behind the
firewall. However, when scanning for computers IP addresses, the attack will only
work when NAT is not used. If NAT is used, the helping host will only see the IP
address of the NAT router.
A much better solution, not found to be described anywhere else, is to encode a
serial number on the ICMP echo request in the form of the size of the ICMP echo
data. The number of possible serial numbers increases with size of the available key
sequence. With a full key sequence, almost 1,500 unique serial numbers can be used.
The hacker can inject circa 1,500 requests, each with the data size incremeted by 1
byte, and with the source address of the wireless client. The requests can be injected
as fast as possible. If a request is replied to, the reply is exactly the same size as
the request, thus it is very probable that it is the reply to the ICMP echo request,
and the fact that the IP address is used on the network is real. Unfortunatly the IP
address of the wireless client which receives the replies must be known or guessed in
advance for the attack to work.
While as mentioned above the use of NAT will help identify ranges of IP addresses
that are likely to be found, there are other methods that may be useful if the network
62 CHAPTER 4. EXPLOITING ACCESS TO WI-FI NETWORKS
does not utilize NAT. IP addresses are assign to organizations in blocks. In other
words, if one machine on a network has the IP address 129.177.16.3, it is highly likely
that other machines operate with IPs near by. As an example, the University of
Bergen occupies most if not all of the 129.177.0.0/16 range.
An purely dumb example execution of this attack is available below in Listings
4.1 and 4.2. Here the network is a small one with three computers/IPs 192.168.1.1,
192.168.1.10, and 192.168.1.11. The address 192.168.1.10 is utilized as a helping
host to discover the other two through a fourth computer that only injects ICMP
echo request packets to the Wi-Fi network. Listing 4.1 shows WEPWedgie doing
the network scanning. -h c0:a8:01:0a specifies the helping hosts IP in hex notation,
-t c0:a8:01:00 instructs WEPWedgie to target the 192.168.1.0 network for scanning,
-S 3 is the parameter used to select ping scanning, and -i eth3 is used to make
WEPWedgie use the eth3 network interface. By default WEPWedgie uses a key
sequence stored in the file prgafile.dat. The lines in the output of the WEPWedgie
program display the BSSID and MAC address the injected frames will operate with.
Every IP address WEPWedgie transmits a ping to is displayed.
Listing 4.1: Attacking machine.
apuk :/ home / hallvar / Tools / wepwedgie - alpha -0.1.0# ./ wepwedgie -h c0 : a8 :01:0 a - t
c0 : a8 :01:00 -S 3 -i eth3
P i n g s c a n n i n g Selected
Reading prgafile . dat
BSSID : 00:13:10:9 b :47: f1
Source MAC : 00:0 e :35: a3 :0 f :56
IV : 40:2 c : bc :00
Pingscan
Injecting Ping ....192.16 8 .1 . 10 - >192.168.1. 0
Injecting Ping ....192.16 8 .1 . 10 - >192.168.1. 1
Injecting Ping ....192.16 8 .1 . 10 - >192.168.1. 2
...
Injecting Ping ....192.1 68 . 1 .1 0 - >192.168. 1 .2 5 2
Injecting Ping ....192.1 68 . 1 .1 0 - >192.168. 1 .2 5 3
Injecting Ping ....192.1 68 . 1 .1 0 - >192.168. 1 .2 5 4
In Listing 4.2 are the ICMP echo replies as displayed by tcpdump (-e icmp mean
tcpdump will only display ICMP packets). Notice there is no request since the request
was the injected packet from the attacking computer. Also notice how 192.168.1.11
came in first even though 192.168.1.1 was pinged first, which shows the need of syn-
chronous operation in case there is no helping host. The end result is that the at-
tacker now knows there are at least two machines reachable from the wireless network:
192.168.1.1 and 192.168.1.11.
Listing 4.2: Helping host.
s a n t a s h e l p e r :/ home / hallvar # tcpdump -i eth1 -e icmp
tcpdump : verbose output suppressed , use - v or - vv for full protocol decode
listening on eth1 , link - type EN10MB ( Ethernet ) , capture size 96 bytes
1 5 : 2 2 : 3 6 . 6 1 8 5 3 9 00:13:10:9 b :47: ef ( oui Unknown ) > 00:0 e :35: a3 :0 f :56 ( oui
Unknown ) , ethertype IPv4 (0 x0800 ) , length 50: 1 9 2 . 1 6 8 . 1 . 1 1 >
1 9 2 . 1 6 8 . 1 . 1 0 : ICMP echo reply , id 257 , seq 257 , length 12
4.2. GATHERING INFORMATION ON A VICTIM 63
1 5 : 2 2 : 3 6 . 6 4 8 5 3 6 00:0 a : cd :07:70:3 e ( oui Unknown ) > 00:0 e :35: a3 :0 f :56 ( oui
Unknown ) , ethertype IPv4 (0 x0800 ) , length 64: 192.168.1 . 1 >
1 9 2 . 1 6 8 . 1 . 1 0 : ICMP echo reply , id 257 , seq 257 , length 12
Port scanning a computer is similar, substitute -S 3 with -S 2 and -t c0:a8:01:00
with -t c0:a8:01:01 to port scan 192.168.1.1. With port scanning there is the need for
a helping host, since it is much more difficult, perhaps impossible, to provide a unique
encoding that is transferred outside of encryption. The way the helping host will
identify open ports is by looking at the source port of the TCP frame. Unfortunatly
NAT replaces the source port when translating the communication. NAT uses the
source port to identify commnuication circuits, and uses the source port as a unique
identification number. Thus port scanning is only useful when there is no NAT. One
solution is to scan the ports synchronously; send a request to a port and wait for a
reply before sending the next request.
4.2.1.2 NMap—The Network Mapper
NMap is a “network mapper”, which can be used to port scan computers and scan the
network to find as much possible information on the network structure and services.
Searching for machines:
Listing 4.3: NMap scanning a network.
# nmap - sP 1 9 2 . 1 6 8 . 0 . 0 / 1 6
Starting nmap 3.75 ( http :// www . insecure . org / nmap / ) at 2004 -11 -05 07:17 CET
Host 192.168.1 . 0 seems to be a subnet broadcast address ( returned 2 extra pings ) .
Host ********* ( 1 9 2 . 1 6 8 . 1 . 1 ) appears to be up .
Host ********* ( 1 9 2 . 1 6 8 . 1 . 2 ) appears to be up .
MAC Address : 00:0 C :76:20:18: 5 E ( Micro - star I n t e r n a t i o n a l CO .)
Host ********** ( 1 9 2 . 1 6 8 . 1 . 3 ) appears to be up .
MAC Address : 00:40:63: C9 :78: BA ( VIA T e c h n o l o g i e s )
Host 1 9 2 . 1 6 8 . 1 . 2 5 5 seems to be a subnet broadcast address ( returned 2 extra pings ) .
Host ********** ( 1 9 2 . 1 6 8 . 2 . 1 ) appears to be up .
In Listing 4.3, NMap tries to send ICMP echo requests to every IP address under
192.168.0.0/24, a total of 65,536 IP addresses. The scan finishes in a matter of
minutes. Four computers have replied to the ping packets.
Listing 4.4: NMap port scanning a computer.
# nmap -O -A 1 2 9 . 1 7 7 . 4 8 . 1 1
Starting nmap 3.75 ( http :// www . insecure . org / nmap / ) at 2005 -03 -02 16:43 CET
Interest in g ports on tunnel -48 -11. vpn . uib . no ( 1 2 9 . 1 7 7 . 4 8 . 1 1 ) :
( The 1644 ports scanned but not shown below are in state : closed )
PORT STATE SERVICE VERSION
22/ tcp open ssh OpenSSH 3.8.1 p1 ( protocol 2.0)
53/ tcp open domain ISC Bind 9.2.4
80/ tcp open http Apache httpd 2.0.53 \ left ( Debian GNU / Linux ) DAV /2 SVN
/1.1.3 mod_ssl /2.0.53 OpenSSL /0.9.7 e )
111/ tcp open rpcbind 2 ( rpc #100000)
135/ tcp filtered msrpc
64 CHAPTER 4. EXPLOITING ACCESS TO WI-FI NETWORKS
136/ tcp filtered profile
137/ tcp filtered netbios - ns
138/ tcp filtered netbios - dgm
139/ tcp filtered netbios - ssn
143/ tcp open imap ?
389/ tcp open ldap ( Anonymous bind OK )
443/ tcp open ssl / http Apache httpd 2.0.53 \ left ( Debian GNU / Linux ) DAV /2 SVN
/1.1.3 mod_ssl /2.0.53 OpenSSL /0.9.7 e )
445/ tcp filtered microsoft - ds
676/ tcp open status 1 ( rpc #100024)
973/ tcp open mountd 1 -3 ( rpc #100005)
993/ tcp open ssl / unknown
1723/ tcp open pptp ?
2049/ tcp open nfs 2 -4 ( rpc #100003)
5432/ tcp open postgres ?
Device type : general purpose
Running : Linux 2.4. X |2.5. X |2.6. X
OS details : Linux 2.4.18 - 2.6.7
Uptime 19.916 days ( since Thu Feb 10 18:49:09 2005)
From the port scan in Listing 4.4, it is fair to assume there is no firewall to
protect the computer because of the amount of open and reachable ports. Some of
the interesting things found in the port scan:
IMAP on port 143 is usually not encrypted so this gives a good opportunity to
obtain usernames and passwords.
The Lightweight Directory Access Protocol (LDAP) server seems open for any-
one to read at least parts of it, perhaps it has password hashes?
Point-to-Point Tunneling Protocol (PPTP) is a VPN solution from Microsoft
[8] which may use no encryption at all or it may use Microsoft Point-to-Point
Encryption (MPPE) [15] which is vulnerable to an offline dictionary attack [33].
4.2.2 Monitor the Network Traffic
4.2.2.1 Ettercap
Ettercap is a user friendly packet sniffer. It gives a great overview over the connections
in the network and may display the network traffic. Several plug-ins have been
developed to do a number of attacks. In its current incarnation it requires the network
card to associate with the access point in order to show live network traffic. However
it may display pre-captured data, even if it is WEP encrypted, although the WEP
key must be provided to it.
In Figure 4.3 a session with Ettercap is depicted. Ettercap can display a number
of screens, in the figure it displays all live connections in the network with their
source and destination IP address, and port numbers. The lower part of the screen is
a console where interesting information that Ettercap finds will be displayed to the
user.
4.3. SUMMARY 65
Figure 4.3: Ettercap under Linux.
4.2.3 Accessing the Computers
After probing the network and monitoring the traffic several opportunities may present
themselves. Passwords may have been captured, open file shares discovered, etc.
4.3 Summary
Vulnerable Wi-Fi networks give rise to a huge variety of possible further malicious
exploitation. With the Tor network a “good” intruder can even protect himself from
malicious Wi-Fi network owners, or other intruders. This chapter only mentioned
a few scenarios, reading e-mail, reporting spy activities, breaking into computers on
the network, monitoring users of the network, and a couple more.
If anyone still wants to keep their Wi-Fi connection unsecured after reading this
chapter they should read it again.
Chapter 5
Summary and Conclusions
5.1 Summary
The security vulnerabilities of Wi-Fi networks have been extensively covered in this
thesis. Technologies and equipment related to wireless communication in general was
introduced in Chapter 2 this because it involves knowledge that is not normally as-
sociated with a computer scientist. Yet it is important for any scientist interested in
pratical wireless communication to understand the physical aspects of Wi-Fi technol-
ogy.
This thesis provides a more or less complete overview of the status of Wi-Fi
security up to the point of IEEE 802.11i.
5.2 Conclusions
Old Wi-Fi products, still occupying a large share of the network installations, are not
by any means secure. Even equipment that can be configured to be secure, are left
unsecured, many times due to the increased complexity of access point setups. The
attention vulnerable Wi-Fi networks receive from hackers is tremendous, vulnerabil-
ities are not only discovered, but they are refined by others and implemented and
combined by a whole on-line community.
A compromised network is a great utility for several parties. Neighbors get free
broadband access to the Internet, malicious hackers retain strong anonymity, and
mobile users get free Internet almost anywhere. Malicious hackers can monitor the
users of a network, giving the hackers many opportunities to cause havoc.
The risk of getting a visit from someone with bad intentions is currently fairly low,
but as it is rather easy to obtain enough knowledge and equipment to compromise
a Wi-Fi network, the risks will only rise. The fact that more and more networks
become secure, means that the remaining insecure network, will be hunted down by
67
68 CHAPTER 5. SUMMARY AND CONCLUSIONS
malicious hackers and abused.
5.3 Further Work
Denial-of-service attacks have not been studied in this thesis. They can be equally
severe as the other vulnerabilities and do deserve some attention.
5.3.1 WEP
WEP has been extensively studied by many people from across the world, attacks
have been implemented, some of which have been available to the public and open-
sourced. All that can be done is make the tools even easier to use than they are now.
Optimizations of the attacks are not really necessary as a network can be compromised
in just a few minutes.
5.3.2 WPA
As WPA still provides a level of privacy, it would be a great achievement to prove
otherwise.
Acronyms & Abbreviations
ACK Acknowledgement
AP Access Point
API Application Programming Interface
ARP Address Resolution Protocol
ASCII American Standards Character
BS Base Station
BSD Berkeley Software Distribution
BSS Basic Service Set
BSSID Basic Service Set Identifier
CF Contention-Free
CRC Cyclic Redundency Check
CTS Clear To Send
dB Decibel
dBi Decibel Gain Related to an Isotropic Radiator
DCF Distributed Coordination Function
DGPS Differential Global Positioning System
DHCP Dynamic Host Configuration Protocol
DIFS Inter-Frame Spacing
DNS Dynamic Name Resolution
69
70 CHAPTER 5. SUMMARY AND CONCLUSIONS
DSSS Direct Sequence Spread Spectrum
EIRP Effective Isotropic Radiated Power
EIV Extended Initialization Vector
ESS Extended Service Set
ESSID Extended Service Set Identifier
FCC Federal Communications Commission
FCS Frame Check Sequence
FMS Fiat, M, and Shamir
FTP File Transfer Protocol
GPS Global Positioning System
HTTP Hyper Text Transport Protocol
IBSS Independant Basic Service Set
ICMP Internet Control Message Protocol
ICV Integrity Check Value
IP Internet Protocol
IEEE Institute of Eletrical and Electronics Engineers
IMAP Internet Message Access Protocol
IR Infrared
ISM Industrial, Scientific, and Medical
IV Initialization Vector
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLC Link Layer Control
MAC Medium Access Control
MadWiFi Multiband Atheros Driver for WiFi
5.3. FURTHER WORK 71
Mbps Mega bits per second
MD5 Message Digest, version 5
MIC Message Integrity Code
mini-PCI Miniature Peripheral Component Interconnect
MPDU MAC Protocol Data Unit
MPPE Microsoft Point-to-Point Encryption
MS Mobile Station
mW Milli Watt
NAT Network Address Translation
NMEA National Marine Electronics Association
PAN Personal Area Network
PCF Point Coordination Function
PC-Card Peripheral Component Interconnect Card
PCMCIA Personal Computer Memory Card International Association
PGP Pretty Good Privacy
PIFS Inter-Frame Spacing
PKI Public Key Infrastructure
PLCP Physical Layer Convergence Protocol
PMK Pairwise Master Key
PPTP Point-to-Point Tunneling Protocol
PRGA Pseudo Random Number Generator Algorithm
PRNG Pseudo Random Number Generator
PRGN Pseudo Random Number Generator Number
PS Power Save
PSK Pre-Shared Key
72 CHAPTER 5. SUMMARY AND CONCLUSIONS
PTK Pairwise Transient Key
QoS Quality of Service
RC4 Rivest Cipher 4, or Ron’s Code
RF Radio Frequency
RSA Rivest, Shamir, & Adleman
RSN IE Robust Security Network Information Element
RSN Robust Security Network
RTS Request To Send
SNAP Subnetwork Access Protocol
SSID Service Set Identity
TCP Transport Control Protocol
TCP/IP Transport Control Procotol/Internet Protocol
TKIP Temporal Key Integrity Protocol
U.FL Highrose Connector
U-NII Unlicensed National Information Structure
UDP Universal Datagram Protocol
URI Universal Resource Identifier
USB Universal Serial Bus
VPN Virtual Private Network
W Watt
WDS Wireless Distribution System
WEP Wired Equivalent Privacy
Wi-Fi Wireless-Fidelity
WLAN Wireless Local Area Network
WPA Wi-Fi Protected Access
to induce action from the attached clients. WEPWedgie is the software tool which
has implemented the attacks.
There is no point in scanning for wireless hosts since they are already known by
eavesdropping on wireless traffic. In addition to wireless hosts, all wired hosts which
have communicated with a wireless hosts are also known by their MAC address in
the header of a frame.
Scanning by inserting random MAC addresses as destinations and waiting for
responses is useless as there are 248 different MAC addresses. Not all MAC addresses
can belong to a physical network card, but the amount is still too much. Sending
out a frame for each of the 248 possible MAC addresses would take somewhere in
the area of 3,000 years if frames are sent out at a rate of 2,900 frames/second. If a
packet for each possible IP address is attempted: the time it takes is roughly 3 years.
Fortunatly for a hacker, the number of unused IP addresses is running out. To rectify
the problem on a temporary basis, Network Address Translation (NAT) is utilized
in most multi-computer homes and small to medium size offices. With NAT, most
computers are assigned IP addresses in the ranges 10.0.0.0/24 and 192.168.0.0/16.
Sending frames to the entire 192.168.0.0/16 range takes a minimum of 23 seconds at
2900 frames/second.
Since the replies are sent to the wireless client and the replies are encrypted, there
is a difficulty to determine which reply was to which request. The solution used by
WEPWedgie and illustrated in Figure 4.2 is to utilize an Internet return channel;
a “helping host”. ICMP echo requests are injected with the source address of the
helping host. If the destination address of the request exists, that computer will
reply to the request, but send the reply to the helping host. The helping host can
view the reply with e.g. tcpdump, and will see the IP address of the client behind the
firewall. However, when scanning for computers IP addresses, the attack will only
work when NAT is not used. If NAT is used, the helping host will only see the IP
address of the NAT router.
A much better solution, not found to be described anywhere else, is to encode a
serial number on the ICMP echo request in the form of the size of the ICMP echo
data. The number of possible serial numbers increases with size of the available key
sequence. With a full key sequence, almost 1,500 unique serial numbers can be used.
The hacker can inject circa 1,500 requests, each with the data size incremeted by 1
byte, and with the source address of the wireless client. The requests can be injected
as fast as possible. If a request is replied to, the reply is exactly the same size as
the request, thus it is very probable that it is the reply to the ICMP echo request,
and the fact that the IP address is used on the network is real. Unfortunatly the IP
address of the wireless client which receives the replies must be known or guessed in
advance for the attack to work.
While as mentioned above the use of NAT will help identify ranges of IP addresses
that are likely to be found, there are other methods that may be useful if the network
62 CHAPTER 4. EXPLOITING ACCESS TO WI-FI NETWORKS
does not utilize NAT. IP addresses are assign to organizations in blocks. In other
words, if one machine on a network has the IP address 129.177.16.3, it is highly likely
that other machines operate with IPs near by. As an example, the University of
Bergen occupies most if not all of the 129.177.0.0/16 range.
An purely dumb example execution of this attack is available below in Listings
4.1 and 4.2. Here the network is a small one with three computers/IPs 192.168.1.1,
192.168.1.10, and 192.168.1.11. The address 192.168.1.10 is utilized as a helping
host to discover the other two through a fourth computer that only injects ICMP
echo request packets to the Wi-Fi network. Listing 4.1 shows WEPWedgie doing
the network scanning. -h c0:a8:01:0a specifies the helping hosts IP in hex notation,
-t c0:a8:01:00 instructs WEPWedgie to target the 192.168.1.0 network for scanning,
-S 3 is the parameter used to select ping scanning, and -i eth3 is used to make
WEPWedgie use the eth3 network interface. By default WEPWedgie uses a key
sequence stored in the file prgafile.dat. The lines in the output of the WEPWedgie
program display the BSSID and MAC address the injected frames will operate with.
Every IP address WEPWedgie transmits a ping to is displayed.
Listing 4.1: Attacking machine.
apuk :/ home / hallvar / Tools / wepwedgie - alpha -0.1.0# ./ wepwedgie -h c0 : a8 :01:0 a - t
c0 : a8 :01:00 -S 3 -i eth3
P i n g s c a n n i n g Selected
Reading prgafile . dat
BSSID : 00:13:10:9 b :47: f1
Source MAC : 00:0 e :35: a3 :0 f :56
IV : 40:2 c : bc :00
Pingscan
Injecting Ping ....192.16 8 .1 . 10 - >192.168.1. 0
Injecting Ping ....192.16 8 .1 . 10 - >192.168.1. 1
Injecting Ping ....192.16 8 .1 . 10 - >192.168.1. 2
...
Injecting Ping ....192.1 68 . 1 .1 0 - >192.168. 1 .2 5 2
Injecting Ping ....192.1 68 . 1 .1 0 - >192.168. 1 .2 5 3
Injecting Ping ....192.1 68 . 1 .1 0 - >192.168. 1 .2 5 4
In Listing 4.2 are the ICMP echo replies as displayed by tcpdump (-e icmp mean
tcpdump will only display ICMP packets). Notice there is no request since the request
was the injected packet from the attacking computer. Also notice how 192.168.1.11
came in first even though 192.168.1.1 was pinged first, which shows the need of syn-
chronous operation in case there is no helping host. The end result is that the at-
tacker now knows there are at least two machines reachable from the wireless network:
192.168.1.1 and 192.168.1.11.
Listing 4.2: Helping host.
s a n t a s h e l p e r :/ home / hallvar # tcpdump -i eth1 -e icmp
tcpdump : verbose output suppressed , use - v or - vv for full protocol decode
listening on eth1 , link - type EN10MB ( Ethernet ) , capture size 96 bytes
1 5 : 2 2 : 3 6 . 6 1 8 5 3 9 00:13:10:9 b :47: ef ( oui Unknown ) > 00:0 e :35: a3 :0 f :56 ( oui
Unknown ) , ethertype IPv4 (0 x0800 ) , length 50: 1 9 2 . 1 6 8 . 1 . 1 1 >
1 9 2 . 1 6 8 . 1 . 1 0 : ICMP echo reply , id 257 , seq 257 , length 12
4.2. GATHERING INFORMATION ON A VICTIM 63
1 5 : 2 2 : 3 6 . 6 4 8 5 3 6 00:0 a : cd :07:70:3 e ( oui Unknown ) > 00:0 e :35: a3 :0 f :56 ( oui
Unknown ) , ethertype IPv4 (0 x0800 ) , length 64: 192.168.1 . 1 >
1 9 2 . 1 6 8 . 1 . 1 0 : ICMP echo reply , id 257 , seq 257 , length 12
Port scanning a computer is similar, substitute -S 3 with -S 2 and -t c0:a8:01:00
with -t c0:a8:01:01 to port scan 192.168.1.1. With port scanning there is the need for
a helping host, since it is much more difficult, perhaps impossible, to provide a unique
encoding that is transferred outside of encryption. The way the helping host will
identify open ports is by looking at the source port of the TCP frame. Unfortunatly
NAT replaces the source port when translating the communication. NAT uses the
source port to identify commnuication circuits, and uses the source port as a unique
identification number. Thus port scanning is only useful when there is no NAT. One
solution is to scan the ports synchronously; send a request to a port and wait for a
reply before sending the next request.
4.2.1.2 NMap—The Network Mapper
NMap is a “network mapper”, which can be used to port scan computers and scan the
network to find as much possible information on the network structure and services.
Searching for machines:
Listing 4.3: NMap scanning a network.
# nmap - sP 1 9 2 . 1 6 8 . 0 . 0 / 1 6
Starting nmap 3.75 ( http :// www . insecure . org / nmap / ) at 2004 -11 -05 07:17 CET
Host 192.168.1 . 0 seems to be a subnet broadcast address ( returned 2 extra pings ) .
Host ********* ( 1 9 2 . 1 6 8 . 1 . 1 ) appears to be up .
Host ********* ( 1 9 2 . 1 6 8 . 1 . 2 ) appears to be up .
MAC Address : 00:0 C :76:20:18: 5 E ( Micro - star I n t e r n a t i o n a l CO .)
Host ********** ( 1 9 2 . 1 6 8 . 1 . 3 ) appears to be up .
MAC Address : 00:40:63: C9 :78: BA ( VIA T e c h n o l o g i e s )
Host 1 9 2 . 1 6 8 . 1 . 2 5 5 seems to be a subnet broadcast address ( returned 2 extra pings ) .
Host ********** ( 1 9 2 . 1 6 8 . 2 . 1 ) appears to be up .
In Listing 4.3, NMap tries to send ICMP echo requests to every IP address under
192.168.0.0/24, a total of 65,536 IP addresses. The scan finishes in a matter of
minutes. Four computers have replied to the ping packets.
Listing 4.4: NMap port scanning a computer.
# nmap -O -A 1 2 9 . 1 7 7 . 4 8 . 1 1
Starting nmap 3.75 ( http :// www . insecure . org / nmap / ) at 2005 -03 -02 16:43 CET
Interest in g ports on tunnel -48 -11. vpn . uib . no ( 1 2 9 . 1 7 7 . 4 8 . 1 1 ) :
( The 1644 ports scanned but not shown below are in state : closed )
PORT STATE SERVICE VERSION
22/ tcp open ssh OpenSSH 3.8.1 p1 ( protocol 2.0)
53/ tcp open domain ISC Bind 9.2.4
80/ tcp open http Apache httpd 2.0.53 \ left ( Debian GNU / Linux ) DAV /2 SVN
/1.1.3 mod_ssl /2.0.53 OpenSSL /0.9.7 e )
111/ tcp open rpcbind 2 ( rpc #100000)
135/ tcp filtered msrpc
64 CHAPTER 4. EXPLOITING ACCESS TO WI-FI NETWORKS
136/ tcp filtered profile
137/ tcp filtered netbios - ns
138/ tcp filtered netbios - dgm
139/ tcp filtered netbios - ssn
143/ tcp open imap ?
389/ tcp open ldap ( Anonymous bind OK )
443/ tcp open ssl / http Apache httpd 2.0.53 \ left ( Debian GNU / Linux ) DAV /2 SVN
/1.1.3 mod_ssl /2.0.53 OpenSSL /0.9.7 e )
445/ tcp filtered microsoft - ds
676/ tcp open status 1 ( rpc #100024)
973/ tcp open mountd 1 -3 ( rpc #100005)
993/ tcp open ssl / unknown
1723/ tcp open pptp ?
2049/ tcp open nfs 2 -4 ( rpc #100003)
5432/ tcp open postgres ?
Device type : general purpose
Running : Linux 2.4. X |2.5. X |2.6. X
OS details : Linux 2.4.18 - 2.6.7
Uptime 19.916 days ( since Thu Feb 10 18:49:09 2005)
From the port scan in Listing 4.4, it is fair to assume there is no firewall to
protect the computer because of the amount of open and reachable ports. Some of
the interesting things found in the port scan:
IMAP on port 143 is usually not encrypted so this gives a good opportunity to
obtain usernames and passwords.
The Lightweight Directory Access Protocol (LDAP) server seems open for any-
one to read at least parts of it, perhaps it has password hashes?
Point-to-Point Tunneling Protocol (PPTP) is a VPN solution from Microsoft
[8] which may use no encryption at all or it may use Microsoft Point-to-Point
Encryption (MPPE) [15] which is vulnerable to an offline dictionary attack [33].
4.2.2 Monitor the Network Traffic
4.2.2.1 Ettercap
Ettercap is a user friendly packet sniffer. It gives a great overview over the connections
in the network and may display the network traffic. Several plug-ins have been
developed to do a number of attacks. In its current incarnation it requires the network
card to associate with the access point in order to show live network traffic. However
it may display pre-captured data, even if it is WEP encrypted, although the WEP
key must be provided to it.
In Figure 4.3 a session with Ettercap is depicted. Ettercap can display a number
of screens, in the figure it displays all live connections in the network with their
source and destination IP address, and port numbers. The lower part of the screen is
a console where interesting information that Ettercap finds will be displayed to the
user.
4.3. SUMMARY 65
Figure 4.3: Ettercap under Linux.
4.2.3 Accessing the Computers
After probing the network and monitoring the traffic several opportunities may present
themselves. Passwords may have been captured, open file shares discovered, etc.
4.3 Summary
Vulnerable Wi-Fi networks give rise to a huge variety of possible further malicious
exploitation. With the Tor network a “good” intruder can even protect himself from
malicious Wi-Fi network owners, or other intruders. This chapter only mentioned
a few scenarios, reading e-mail, reporting spy activities, breaking into computers on
the network, monitoring users of the network, and a couple more.
If anyone still wants to keep their Wi-Fi connection unsecured after reading this
chapter they should read it again.
Chapter 5
Summary and Conclusions
5.1 Summary
The security vulnerabilities of Wi-Fi networks have been extensively covered in this
thesis. Technologies and equipment related to wireless communication in general was
introduced in Chapter 2 this because it involves knowledge that is not normally as-
sociated with a computer scientist. Yet it is important for any scientist interested in
pratical wireless communication to understand the physical aspects of Wi-Fi technol-
ogy.
This thesis provides a more or less complete overview of the status of Wi-Fi
security up to the point of IEEE 802.11i.
5.2 Conclusions
Old Wi-Fi products, still occupying a large share of the network installations, are not
by any means secure. Even equipment that can be configured to be secure, are left
unsecured, many times due to the increased complexity of access point setups. The
attention vulnerable Wi-Fi networks receive from hackers is tremendous, vulnerabil-
ities are not only discovered, but they are refined by others and implemented and
combined by a whole on-line community.
A compromised network is a great utility for several parties. Neighbors get free
broadband access to the Internet, malicious hackers retain strong anonymity, and
mobile users get free Internet almost anywhere. Malicious hackers can monitor the
users of a network, giving the hackers many opportunities to cause havoc.
The risk of getting a visit from someone with bad intentions is currently fairly low,
but as it is rather easy to obtain enough knowledge and equipment to compromise
a Wi-Fi network, the risks will only rise. The fact that more and more networks
become secure, means that the remaining insecure network, will be hunted down by
67
68 CHAPTER 5. SUMMARY AND CONCLUSIONS
malicious hackers and abused.
5.3 Further Work
Denial-of-service attacks have not been studied in this thesis. They can be equally
severe as the other vulnerabilities and do deserve some attention.
5.3.1 WEP
WEP has been extensively studied by many people from across the world, attacks
have been implemented, some of which have been available to the public and open-
sourced. All that can be done is make the tools even easier to use than they are now.
Optimizations of the attacks are not really necessary as a network can be compromised
in just a few minutes.
5.3.2 WPA
As WPA still provides a level of privacy, it would be a great achievement to prove
otherwise.
Acronyms & Abbreviations
ACK Acknowledgement
AP Access Point
API Application Programming Interface
ARP Address Resolution Protocol
ASCII American Standards Character
BS Base Station
BSD Berkeley Software Distribution
BSS Basic Service Set
BSSID Basic Service Set Identifier
CF Contention-Free
CRC Cyclic Redundency Check
CTS Clear To Send
dB Decibel
dBi Decibel Gain Related to an Isotropic Radiator
DCF Distributed Coordination Function
DGPS Differential Global Positioning System
DHCP Dynamic Host Configuration Protocol
DIFS Inter-Frame Spacing
DNS Dynamic Name Resolution
69
70 CHAPTER 5. SUMMARY AND CONCLUSIONS
DSSS Direct Sequence Spread Spectrum
EIRP Effective Isotropic Radiated Power
EIV Extended Initialization Vector
ESS Extended Service Set
ESSID Extended Service Set Identifier
FCC Federal Communications Commission
FCS Frame Check Sequence
FMS Fiat, M, and Shamir
FTP File Transfer Protocol
GPS Global Positioning System
HTTP Hyper Text Transport Protocol
IBSS Independant Basic Service Set
ICMP Internet Control Message Protocol
ICV Integrity Check Value
IP Internet Protocol
IEEE Institute of Eletrical and Electronics Engineers
IMAP Internet Message Access Protocol
IR Infrared
ISM Industrial, Scientific, and Medical
IV Initialization Vector
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLC Link Layer Control
MAC Medium Access Control
MadWiFi Multiband Atheros Driver for WiFi
5.3. FURTHER WORK 71
Mbps Mega bits per second
MD5 Message Digest, version 5
MIC Message Integrity Code
mini-PCI Miniature Peripheral Component Interconnect
MPDU MAC Protocol Data Unit
MPPE Microsoft Point-to-Point Encryption
MS Mobile Station
mW Milli Watt
NAT Network Address Translation
NMEA National Marine Electronics Association
PAN Personal Area Network
PCF Point Coordination Function
PC-Card Peripheral Component Interconnect Card
PCMCIA Personal Computer Memory Card International Association
PGP Pretty Good Privacy
PIFS Inter-Frame Spacing
PKI Public Key Infrastructure
PLCP Physical Layer Convergence Protocol
PMK Pairwise Master Key
PPTP Point-to-Point Tunneling Protocol
PRGA Pseudo Random Number Generator Algorithm
PRNG Pseudo Random Number Generator
PRGN Pseudo Random Number Generator Number
PS Power Save
PSK Pre-Shared Key
72 CHAPTER 5. SUMMARY AND CONCLUSIONS
PTK Pairwise Transient Key
QoS Quality of Service
RC4 Rivest Cipher 4, or Ron’s Code
RF Radio Frequency
RSA Rivest, Shamir, & Adleman
RSN IE Robust Security Network Information Element
RSN Robust Security Network
RTS Request To Send
SNAP Subnetwork Access Protocol
SSID Service Set Identity
TCP Transport Control Protocol
TCP/IP Transport Control Procotol/Internet Protocol
TKIP Temporal Key Integrity Protocol
U.FL Highrose Connector
U-NII Unlicensed National Information Structure
UDP Universal Datagram Protocol
URI Universal Resource Identifier
USB Universal Serial Bus
VPN Virtual Private Network
W Watt
WDS Wireless Distribution System
WEP Wired Equivalent Privacy
Wi-Fi Wireless-Fidelity
WLAN Wireless Local Area Network
WPA Wi-Fi Protected Access