Publisher : Addison Wesley
Pub Date : June 28, 2004
ISBN : 0-321-20217-1
Pages : 592
The definitive guide to penetrating and defending wireless networks.
Straight from the field, this is the definitive guide to hacking wireless networks. Authored by world-renowned wireless security auditors, this hands-on, practical guide covers everything you need to attack -- or protect -- any wireless network.
The authors introduce the 'battlefield,' exposing today's 'wide open' 802.11 wireless networks and their attackers. One step at a time, you'll master the attacker's entire arsenal of hardware and software tools: crucial knowledge for crackers and auditors alike. Next, you'll learn systematic countermeasures for building hardened wireless 'citadels''including cryptography-based techniques, authentication, wireless VPNs, intrusion detection, and more.
Coverage includes:
Step-by-step walkthroughs and explanations of typical attacks
Building wireless hacking/auditing toolkit: detailed recommendations, ranging from discovery tools to chipsets and antennas
Wardriving: network mapping and site surveying
Potential weaknesses in current and emerging standards, including 802.11i, PPTP, and IPSec
Implementing strong, multilayered defenses
Wireless IDS: why attackers aren't as untraceable as they think
Wireless hacking and the law: what's legal, what isn't
If you're a hacker or security auditor, this book will get you in. If you're a netadmin, sysadmin, consultant, or home user, it will keep everyone else out.
About the Authors
The authors have been active participants in the IT security community for many years and are security testers for leading wireless equipment vendors.
Andrew A. Vladimirov leads the wireless consultancy division at Arhont Ltd, one of the UK's leading security consultants. He was one of the UK's first IT professionals to obtain the coveted CWNA wireless certification.
Konstantin V. Gavrilenko co-founded Arhont Ltd. He has more than 12 years of IT and security experience, and his expertise includes wireless security, firewalls, cryptography, VPNs, and IDS.
Andrei A. Mikhailovsky has more than a decade of networking and security experience and has contributed extensively to Arhont's security research papers.
Why Does Wi-Foo Exist and for Whom Did We Write It?
There are multiple white papers and books available on wireless security (only two years ago you would have hardly found any). Many of them, including this book, are centered around 802.11 standards. Most explain the built-in security features of 802.11 protocols, explain future 802.11 security standards development and requirements, list (and sometimes describe in detail) known security weaknesses of 802.11 networks, and describe the countermeasures that a wireless network manager or system administrator can take to reduce the risks presented by these flaws. However, all books (except this one) do not describe how "hackers" can successfully attack wireless networks and how system administrators can detect and defeat these attacks, step by step, as the actual attack takes place.
We believe that the market needs above all else a hands-on, down-to-earth source on penetration testing of wireless networks. Such a source should come from the field and be based on the practical experience of penetrating a great number of client and testing wireless networks, an experience that many in the underground and few in the information security community possess. As a core of the Arhont wireless security auditing team, we perform wireless penetration testing on an almost daily basis and we hope that our experience will give you a good jump start on practical wireless security assessment and further network hardening.
If you are a curious individual who just got a PCMCIA card and a copy of the Netstumbler, we hope that this book will teach you about real wireless security and show, in the words of one of the main heroes of The Matrix, "how deep the rabbit hole goes." You will, hopefully, understand what is possible to do security-wise with the wireless network and what isn't; what is considered to be legal and what crosses the line. In the second, defense-oriented section of the book, you will see that, despite all the limitations of wireless security, an attacker can be successfully traced and caught. At the same time, we hope that you will see that defending wireless networks can be as thrilling and fascinating as finding and attacking them, and you could easily end up as a local wireless community security guru or even choose a professional path in this area. If you do participate in a wireless community project, you can raise awareness of wireless security issues in the community and help educate and inform others and show them that "open and free" does not mean "exploited and abused." If you run your own home wireless LAN, we take it for granted that it will be far more difficult to break into after you finish reading this book.
If you are a system administrator or network manager, proper penetration testing of your wireless network is not just the only way to see how vulnerable your network is to both external and internal attackers, but also the only way to demonstrate to your management the need for additional security safeguards, training, and consultants. Leaving the security of your wireless network unattended is asking for trouble, and designing a network with security in mind from the very beginning saves you time, effort, and perhaps your job. Unless the threats are properly understood by top management, you won't be able to implement the security measures you would like to see on your WLAN, or make the best use of the expertise of external auditors and consultants invited to test, troubleshoot, and harden the wireless network. If you decide (or are required) to tackle wireless security problems yourself, we hope that the defense section of the book will be your lifeline. If the network and company happen to be yours, it might even save you a lot of cash (hint: open source).
If you are a security consultant working within the wireless security field or expanding your skills from the wired to the wireless world, you might find a lack of structure in the on-line information and lack of practical recommendations (down to the command line and configuration files) in the currently available literature; this book will fill the vacuum.
The most prestigious and essential certification in the wireless security area at the time of writing is the Certified Wireless Security Professional (CWSP; see the "Certifications" section at http://www.cwne.com). People who have this certification have shown that they have a sufficient understanding of wireless security problems and some hands-on skills in securing real-life wireless networks. Because the CWSP certification is vendor-independent, by definition the CWSP preparation guide cannot go into specific software installation, configuration, troubleshooting, and use in depth. Thus, this book is a very useful aid in CWSP exam preparation, helping the reader comprehend the studied issues on a "how-to" level. In fact, the structure of this book (planned half a year before the release of the official CWSP study guide) is similar to the guide structure: The description of attack methods is followed by chapters devoted to the defensive countermeasures. After that, as you will see, the similarities between the books end.
Finally, if you are a cracker keen on breaking into a few networks to demonstrate that "sad outside world" your "31337 2k1LLz," our guess is what you are going to read here can be useful for your "h4x0r1ng" explorations, in the same manner that sources like Securityfocus or Packetstorm are. Neither these sites nor this book are designed for your kin, though (the three categories of people we had in mind when writing it are listed earlier). We believe in a free flow of information and sensitive open disclosure (as, e.g., outlined by a second version of the infamous RFPolicy; see http://www.wiretrip.net/rfp/policy.html). What you do with this information is your responsibility and the problems you might get into while using it the illicit way are yours, and not ours. The literature on martial arts is not banned because street thugs might use the described techniques against their victims, and the same applies to the informational "martial arts" (consider this one of the subreasons for the name of this book). In fact, how often are you attacked by the possessors of (rightfully earned) black belts on streets or in bars without being an offender yourself? Real masters of the arts do not start fights and true experts in information security do not go around defacing Web sites or trying to get "a fatter free pipe for more w4r3z." If you are truly keen on wireless security, you will end up as a wireless security application developer, security system administrator, or consultant. Although it is not an example from the wireless side of the world, take a close look at Kevin Mitnick, or read his recent "The Art of Deception" work. If you remain on the "m3 0wnZ j00" level, you will end up living without the Internet behind bars in some remote prison cell, and no manuals, books, or tools will save you. It's the mindset that puts "getting root by any means to impress my mates and satisfy my ego" before knowledge and understanding that is flawed.
How This Book Is Organized
Practically every wired or wireless network security book available starts with an outline of the seven Open Systems Interconnection (OSI) layers, probably followed by explaining "the CISSP triad" (confidentiality, integrity, and availability), basic security principles, and an introduction to the technology described. These books also include an introductory chapter on cryptography normally populated by characters called Bob, Alice, Melanie, and of course, Eve, who tends to be an evil private key snatcher.
This book is different: We assume that the reader has basic knowledge of the OSI and TCP/IP layers, understands the difference between infrastructure / managed and independent / ad-hoc wireless networks as well as can distinguish between common IEEE 802 standards. Describing the basics of networking or detailed operations of wireless networks will constitute two separate books on their own, and such well-written books are easily found (for 802.11 essentials we strongly recommend the Official CWNA Study Guide and O'Reilly's 802.11 Wireless Networks: The Definitive Guide).
However, you'll find a lot of data on 802.11 network standards and operations here when outlining it is appropriate, often in form of the inserted "foundations" boxes.
Also, there is a cryptography part that isn't directly related to everything wireless, but is absolutely vital for the proper virtual private network (VPN) deployment, wireless users authentication, and other security practices outlined in the following chapters. We skimmed through a lot of cryptographic literature and have been unable to find anything written specifically for system and network administrators and managers to cover practical networking conditions taking into account the access media, bandwidth available, deployed hosts' CPU architecture, and so forth. Chapters 11 and 12 will be such a source and we hope it will help you even if you have never encountered practical cryptography issues at all or aren't an experienced cryptographer, cryptanalytic, or cryptologist.
We have divided the book into two large parts: Attack and Defense. Although the Attack half is self-sufficient if your only aim is wireless security auditing, the Defense part is heavily dependent on understanding who the attackers might be, why they would crack your network, and, most important, how it can be done. Thus, we recommend reading the Attack part first unless you are using Wi-Foo as a reference.
This part begins with a rather nontechnical discussion outlining the wireless security situation in the real world, types of wireless attackers, and their motivations, objectives, and target preferences. It is followed by structured recommendations on selecting and setting up hardware and software needed to perform efficient wireless security testing. We try to stay impartial, do not limit ourselves to a particular group of vendors, and provide many tips on getting the best from the hardware and utilities you might already have. After all, not every reader is capable of devoting his or her resources to building an ultimate wireless hacking machine, and every piece of wireless hardware has its strong and weak sides. When we do advise the use of some particular hardware item, there are sound technical reasons behind any such recommendation: the chipset, radio frequency transceiver characteristics, antenna properties, availability of the driver source code, and so on. The discussion of standard wireless configuration utilities such as Linux Wireless Tools is set to get the most out of these tools security-wise and flows into the description of wireless penetration testing-specific software. Just like the hardware discussion before, this description is structured, splitting all available tools into groups with well-defined functions rather than listing them in alphabetic or random order. These groups include wireless network discovery tools, protocol analyzers, encryption cracking tools, custom 802.11 frame construction kits, and various access point management utilities useful for access point security testing.
Whereas many "network security testing" books are limited to describing what kind of vulnerabilities there are and which tools are available to exploit them, we carry the discussion further, outlining the intelligent planning for a proper audit (or attack) and walking the reader step by step through the different attack scenarios, depending on the protection level of the target network. We outline advanced attack cases, including exploiting possible weaknesses in the yet unreleased 802.11i standard, accelerating WEP cracking, launching sneaky layer 2 man-in-the-middle and denial of service attacks, and even trying to defeat various higher layer security protocols such as PPTP, SSL and IPSec. Finally, the worst case scenario, a cracker being able to do anything he or she wants with a penetrated wireless network, is analyzed, demonstrating how the individual wireless hosts can be broken into, the wired side of the network assaulted, connections hijacked, traffic redirected, and the firewall separating wireless and wired sides bypassed. The Attack chapters demonstrate the real threat of a wireless network being abused by crackers and underline the statement repeated throughout the book many times: Wireless security auditing goes far beyond discovering the network and cracking WEP.
In a similar manner, wireless network hardening goes beyond WEP, MAC address filtering, and even the current 802.11i developments. The later statement would be considered blasphemy by many, but we are entitled to our opinion. As the Attack part demonstrates, the 802.11i standard is not without its flaws and there would be cases in which it cannot be fully implemented for various administrative and financial reasons. Besides, we believe that any network security should be a multilayered process without complete dependence on a single safeguard, no matter how great the safeguard is. Thus, the primary aim of the Defense part of the book is giving readers the choice. Of course, we dwell on the impressive work done by the "i" task force at mitigating the threats to which all pre-802.11i wireless LANs are exposed. Nevertheless, we spend a sufficient amount of time describing defending wireless networks at the higher protocol layers. Such defense methodologies include mutually authenticated IPSec implementations, authentication methods alternative to 802.1x, proper network design, positioning and secure gateway deployment, protocol filtering, SSL/TLS use, and ssh port forwarding. The final chapter in the book is devoted to the last (or first?) line of defense on wireless networks, namely wireless-specific intrusion detection. It demonstrates that wireless attackers are not as untraceable as they might think and gives tips on the development and deployment of affordable do-it-yourself wireless IDS systems and sensors. It also lists some well-known high-end commercial wireless IDS appliances.
Even though we have barely scratched the surface of the wireless security world, we hope that this book will be useful for you as both a wireless attack and defense guide and a reference. We hope to receive great feedback from our audience, mainly in the form of fewer insecure wireless networks in our Kismet output and new exciting wireless security tools, protocols, and methodologies showing up to make the contents of this book obsolete.
Read comments For more Information
ISBN : 0-321-20217-1
Pages : 592
The definitive guide to penetrating and defending wireless networks.
Straight from the field, this is the definitive guide to hacking wireless networks. Authored by world-renowned wireless security auditors, this hands-on, practical guide covers everything you need to attack -- or protect -- any wireless network.
The authors introduce the 'battlefield,' exposing today's 'wide open' 802.11 wireless networks and their attackers. One step at a time, you'll master the attacker's entire arsenal of hardware and software tools: crucial knowledge for crackers and auditors alike. Next, you'll learn systematic countermeasures for building hardened wireless 'citadels''including cryptography-based techniques, authentication, wireless VPNs, intrusion detection, and more.
Coverage includes:
Step-by-step walkthroughs and explanations of typical attacks
Building wireless hacking/auditing toolkit: detailed recommendations, ranging from discovery tools to chipsets and antennas
Wardriving: network mapping and site surveying
Potential weaknesses in current and emerging standards, including 802.11i, PPTP, and IPSec
Implementing strong, multilayered defenses
Wireless IDS: why attackers aren't as untraceable as they think
Wireless hacking and the law: what's legal, what isn't
If you're a hacker or security auditor, this book will get you in. If you're a netadmin, sysadmin, consultant, or home user, it will keep everyone else out.
About the Authors
The authors have been active participants in the IT security community for many years and are security testers for leading wireless equipment vendors.
Andrew A. Vladimirov leads the wireless consultancy division at Arhont Ltd, one of the UK's leading security consultants. He was one of the UK's first IT professionals to obtain the coveted CWNA wireless certification.
Konstantin V. Gavrilenko co-founded Arhont Ltd. He has more than 12 years of IT and security experience, and his expertise includes wireless security, firewalls, cryptography, VPNs, and IDS.
Andrei A. Mikhailovsky has more than a decade of networking and security experience and has contributed extensively to Arhont's security research papers.
Why Does Wi-Foo Exist and for Whom Did We Write It?
There are multiple white papers and books available on wireless security (only two years ago you would have hardly found any). Many of them, including this book, are centered around 802.11 standards. Most explain the built-in security features of 802.11 protocols, explain future 802.11 security standards development and requirements, list (and sometimes describe in detail) known security weaknesses of 802.11 networks, and describe the countermeasures that a wireless network manager or system administrator can take to reduce the risks presented by these flaws. However, all books (except this one) do not describe how "hackers" can successfully attack wireless networks and how system administrators can detect and defeat these attacks, step by step, as the actual attack takes place.
We believe that the market needs above all else a hands-on, down-to-earth source on penetration testing of wireless networks. Such a source should come from the field and be based on the practical experience of penetrating a great number of client and testing wireless networks, an experience that many in the underground and few in the information security community possess. As a core of the Arhont wireless security auditing team, we perform wireless penetration testing on an almost daily basis and we hope that our experience will give you a good jump start on practical wireless security assessment and further network hardening.
If you are a curious individual who just got a PCMCIA card and a copy of the Netstumbler, we hope that this book will teach you about real wireless security and show, in the words of one of the main heroes of The Matrix, "how deep the rabbit hole goes." You will, hopefully, understand what is possible to do security-wise with the wireless network and what isn't; what is considered to be legal and what crosses the line. In the second, defense-oriented section of the book, you will see that, despite all the limitations of wireless security, an attacker can be successfully traced and caught. At the same time, we hope that you will see that defending wireless networks can be as thrilling and fascinating as finding and attacking them, and you could easily end up as a local wireless community security guru or even choose a professional path in this area. If you do participate in a wireless community project, you can raise awareness of wireless security issues in the community and help educate and inform others and show them that "open and free" does not mean "exploited and abused." If you run your own home wireless LAN, we take it for granted that it will be far more difficult to break into after you finish reading this book.
If you are a system administrator or network manager, proper penetration testing of your wireless network is not just the only way to see how vulnerable your network is to both external and internal attackers, but also the only way to demonstrate to your management the need for additional security safeguards, training, and consultants. Leaving the security of your wireless network unattended is asking for trouble, and designing a network with security in mind from the very beginning saves you time, effort, and perhaps your job. Unless the threats are properly understood by top management, you won't be able to implement the security measures you would like to see on your WLAN, or make the best use of the expertise of external auditors and consultants invited to test, troubleshoot, and harden the wireless network. If you decide (or are required) to tackle wireless security problems yourself, we hope that the defense section of the book will be your lifeline. If the network and company happen to be yours, it might even save you a lot of cash (hint: open source).
If you are a security consultant working within the wireless security field or expanding your skills from the wired to the wireless world, you might find a lack of structure in the on-line information and lack of practical recommendations (down to the command line and configuration files) in the currently available literature; this book will fill the vacuum.
The most prestigious and essential certification in the wireless security area at the time of writing is the Certified Wireless Security Professional (CWSP; see the "Certifications" section at http://www.cwne.com). People who have this certification have shown that they have a sufficient understanding of wireless security problems and some hands-on skills in securing real-life wireless networks. Because the CWSP certification is vendor-independent, by definition the CWSP preparation guide cannot go into specific software installation, configuration, troubleshooting, and use in depth. Thus, this book is a very useful aid in CWSP exam preparation, helping the reader comprehend the studied issues on a "how-to" level. In fact, the structure of this book (planned half a year before the release of the official CWSP study guide) is similar to the guide structure: The description of attack methods is followed by chapters devoted to the defensive countermeasures. After that, as you will see, the similarities between the books end.
Finally, if you are a cracker keen on breaking into a few networks to demonstrate that "sad outside world" your "31337 2k1LLz," our guess is what you are going to read here can be useful for your "h4x0r1ng" explorations, in the same manner that sources like Securityfocus or Packetstorm are. Neither these sites nor this book are designed for your kin, though (the three categories of people we had in mind when writing it are listed earlier). We believe in a free flow of information and sensitive open disclosure (as, e.g., outlined by a second version of the infamous RFPolicy; see http://www.wiretrip.net/rfp/policy.html). What you do with this information is your responsibility and the problems you might get into while using it the illicit way are yours, and not ours. The literature on martial arts is not banned because street thugs might use the described techniques against their victims, and the same applies to the informational "martial arts" (consider this one of the subreasons for the name of this book). In fact, how often are you attacked by the possessors of (rightfully earned) black belts on streets or in bars without being an offender yourself? Real masters of the arts do not start fights and true experts in information security do not go around defacing Web sites or trying to get "a fatter free pipe for more w4r3z." If you are truly keen on wireless security, you will end up as a wireless security application developer, security system administrator, or consultant. Although it is not an example from the wireless side of the world, take a close look at Kevin Mitnick, or read his recent "The Art of Deception" work. If you remain on the "m3 0wnZ j00" level, you will end up living without the Internet behind bars in some remote prison cell, and no manuals, books, or tools will save you. It's the mindset that puts "getting root by any means to impress my mates and satisfy my ego" before knowledge and understanding that is flawed.
How This Book Is Organized
Practically every wired or wireless network security book available starts with an outline of the seven Open Systems Interconnection (OSI) layers, probably followed by explaining "the CISSP triad" (confidentiality, integrity, and availability), basic security principles, and an introduction to the technology described. These books also include an introductory chapter on cryptography normally populated by characters called Bob, Alice, Melanie, and of course, Eve, who tends to be an evil private key snatcher.
This book is different: We assume that the reader has basic knowledge of the OSI and TCP/IP layers, understands the difference between infrastructure / managed and independent / ad-hoc wireless networks as well as can distinguish between common IEEE 802 standards. Describing the basics of networking or detailed operations of wireless networks will constitute two separate books on their own, and such well-written books are easily found (for 802.11 essentials we strongly recommend the Official CWNA Study Guide and O'Reilly's 802.11 Wireless Networks: The Definitive Guide).
However, you'll find a lot of data on 802.11 network standards and operations here when outlining it is appropriate, often in form of the inserted "foundations" boxes.
Also, there is a cryptography part that isn't directly related to everything wireless, but is absolutely vital for the proper virtual private network (VPN) deployment, wireless users authentication, and other security practices outlined in the following chapters. We skimmed through a lot of cryptographic literature and have been unable to find anything written specifically for system and network administrators and managers to cover practical networking conditions taking into account the access media, bandwidth available, deployed hosts' CPU architecture, and so forth. Chapters 11 and 12 will be such a source and we hope it will help you even if you have never encountered practical cryptography issues at all or aren't an experienced cryptographer, cryptanalytic, or cryptologist.
We have divided the book into two large parts: Attack and Defense. Although the Attack half is self-sufficient if your only aim is wireless security auditing, the Defense part is heavily dependent on understanding who the attackers might be, why they would crack your network, and, most important, how it can be done. Thus, we recommend reading the Attack part first unless you are using Wi-Foo as a reference.
This part begins with a rather nontechnical discussion outlining the wireless security situation in the real world, types of wireless attackers, and their motivations, objectives, and target preferences. It is followed by structured recommendations on selecting and setting up hardware and software needed to perform efficient wireless security testing. We try to stay impartial, do not limit ourselves to a particular group of vendors, and provide many tips on getting the best from the hardware and utilities you might already have. After all, not every reader is capable of devoting his or her resources to building an ultimate wireless hacking machine, and every piece of wireless hardware has its strong and weak sides. When we do advise the use of some particular hardware item, there are sound technical reasons behind any such recommendation: the chipset, radio frequency transceiver characteristics, antenna properties, availability of the driver source code, and so on. The discussion of standard wireless configuration utilities such as Linux Wireless Tools is set to get the most out of these tools security-wise and flows into the description of wireless penetration testing-specific software. Just like the hardware discussion before, this description is structured, splitting all available tools into groups with well-defined functions rather than listing them in alphabetic or random order. These groups include wireless network discovery tools, protocol analyzers, encryption cracking tools, custom 802.11 frame construction kits, and various access point management utilities useful for access point security testing.
Whereas many "network security testing" books are limited to describing what kind of vulnerabilities there are and which tools are available to exploit them, we carry the discussion further, outlining the intelligent planning for a proper audit (or attack) and walking the reader step by step through the different attack scenarios, depending on the protection level of the target network. We outline advanced attack cases, including exploiting possible weaknesses in the yet unreleased 802.11i standard, accelerating WEP cracking, launching sneaky layer 2 man-in-the-middle and denial of service attacks, and even trying to defeat various higher layer security protocols such as PPTP, SSL and IPSec. Finally, the worst case scenario, a cracker being able to do anything he or she wants with a penetrated wireless network, is analyzed, demonstrating how the individual wireless hosts can be broken into, the wired side of the network assaulted, connections hijacked, traffic redirected, and the firewall separating wireless and wired sides bypassed. The Attack chapters demonstrate the real threat of a wireless network being abused by crackers and underline the statement repeated throughout the book many times: Wireless security auditing goes far beyond discovering the network and cracking WEP.
In a similar manner, wireless network hardening goes beyond WEP, MAC address filtering, and even the current 802.11i developments. The later statement would be considered blasphemy by many, but we are entitled to our opinion. As the Attack part demonstrates, the 802.11i standard is not without its flaws and there would be cases in which it cannot be fully implemented for various administrative and financial reasons. Besides, we believe that any network security should be a multilayered process without complete dependence on a single safeguard, no matter how great the safeguard is. Thus, the primary aim of the Defense part of the book is giving readers the choice. Of course, we dwell on the impressive work done by the "i" task force at mitigating the threats to which all pre-802.11i wireless LANs are exposed. Nevertheless, we spend a sufficient amount of time describing defending wireless networks at the higher protocol layers. Such defense methodologies include mutually authenticated IPSec implementations, authentication methods alternative to 802.1x, proper network design, positioning and secure gateway deployment, protocol filtering, SSL/TLS use, and ssh port forwarding. The final chapter in the book is devoted to the last (or first?) line of defense on wireless networks, namely wireless-specific intrusion detection. It demonstrates that wireless attackers are not as untraceable as they might think and gives tips on the development and deployment of affordable do-it-yourself wireless IDS systems and sensors. It also lists some well-known high-end commercial wireless IDS appliances.
Even though we have barely scratched the surface of the wireless security world, we hope that this book will be useful for you as both a wireless attack and defense guide and a reference. We hope to receive great feedback from our audience, mainly in the form of fewer insecure wireless networks in our Kismet output and new exciting wireless security tools, protocols, and methodologies showing up to make the contents of this book obsolete.
Read comments For more Information
