TABLE OF CONTENTS

Acknowledgements

Introduction

Why does Wi-Foo exist and whom did we write it for?

What about the funky name?

SECTION 1 THE BATTLEFIELD

Chapter I The real world wireless security

Why do we concentrate on the 802.11 security?

Getting a grip on reality: wide open 802.11 networks around us

The future of 802.11 security: is it as bright as it seems?

Chapter II Under the siege

Why are "they" after your wireless network?

Wireless crackers: who are they?

Corporations, SMEs and home users: targets acquired

Target yourself: penetration testing as your first line of defense

SECTION 2 ATTACK

Chapter III Putting the gear together: 802.11 hardware

PDAs vs laptops

PCMCIA and CF wireless cards

Prism chipset

Cisco Aironet chipset

Hermes chipset

Symbol chipset

Atheros chipset

ADM8211 chipset

Other novel chipsets

Selecting or assessing your wireless client card RF characteristics

Antennas

RF Amplifiers

RF cables and connectors

Chapter IV Making the engine run: 802.11 drivers and utilities

OS, Open Source and Closed Source

The engine: chipsets, drivers and commands

Making your client card work with Linux and BSD

Getting used to efficient wireless interface configuration

Linux Wireless Extensions

Linux-wlan-ng utilities

Cisco Aironet cards configuration

Configuring wireless client cards on BSD systems

Chapter V Learning to 'wardrive': network mapping and site surveying

Active scanning in wireless network discovery

Monitor mode network discovery and traffic analysis tools

Kismet

Kismet and Gpsdrive integration

Wellenreiter

Airtraf

Gtkskan

Airfart

Mognet

WifiScanner

Miscellaneous command line scripts and utilities

BSD tools for wireless network discovery and traffic logging

Tools that use the iwlist scan command

RF signal strength monitoring tools

Chapter VI Assembling the arsenal: tools of trade

Encryption cracking tools

WEP crackers

AirSnort

Wepcrack

Dweputils

Wep_tools

Wepattack

Tools to retrieve WEP keys stored on the client hosts: LucentRegCrypto

Traffic injection tools used to accelerate WEP cracking

802.1x cracking tools

Asleap-imp and leap

Leapcrack

Wireless frame generating tools

AirJack

File2air

Libwlan

FakeAP

Void11

Wnet

Wireless encrypted traffic injection tools: Wepwedgie

Access point management tools

Chapter VII Planning the attack

The "rig"

Network footprinting

Site survey considerations and planning

Proper attack timing and battery power preservation

Stealth issues in wireless penetration testing

An attack sequence walk-through scheme

Chapter VIII Breaking through

The easiest way to get in

A short fence to climb: bypassing closed ESSIDs, MAC and protocols filtering

Picking a trivial lock: various means of cracking WEP

WEP bruteforcing

The FMS Attack

An improved FMS Attack

Picking the trivial lock in a less trivial way: injecting traffic to accelerate WEP cracking

Field Observations in WEP Cracking

Cracking TKIP: the new menace

The frame of deception: wireless man-in-the-middle attacks and rogue access point deployment

DIY: rogue access points and wireless bridges for penetration testing

Hit or miss: physical layer man-in-the-middle attacks

Phishing in the air: man-in-the-middle attacks combined

Breaking the secure safe

Crashing the doors: authentication systems attacks

Tapping the tunnels: attacks against VPNs

The last resort: wireless DoS attacks

Chapter IX Looting and pillaging: the enemy inside

Step 1 Analyze the network traffic

802.11 frames

Plaintext data transmission and authentication protocols

Network protocols with known insecurities

DHCP, routing and gateway resilience protocols

Syslog and NTP traffic

Protocols that shouldn't be there

Step 2 Associate to WLAN and detect sniffers

Step 3 Identify the hosts present and perform passive OS fingerprinting

Step 4 Scan and exploit vulnerable hosts on WLAN

Step 5 Take the attack to the wired side

Step 6 Check wireless-to-wired gateway egress filtering rules

SECTION 3 DEFENSE

Chapter X Building the Citadel: an introduction to wireless LAN defense

Wireless security policy: the cornerstone

Layer one wireless security basics

The usefulness of WEP, closed ESSIDs, MAC filtering and SSH port forwarding

Secure wireless network positioning and VLANs

Using Cisco Catalyst switches and Aironet access points to optimise secure wireless network design

Deploying a Linux-based custom-built hardened wireless gateway

Proprietary improvements to WEP and WEP usage

802.11i wireless security standard and WPA: the new hope

Introducing the sentinel: 802.1x

Patching the major hole: TKIP and CCMP

Chapter XI Introduction to applied cryptography: symmetric ciphers

The introduction to applied cryptography and steganography

Modern-day cipher structure and operation modes

A classical example: dissecting DES

Kerckhoff's rule and cipher secrecy

The 802.11i primer: a cipher to help another cipher

There is more to a cipher than the cipher: understanding cipher operation modes

Bit-by-bit: streaming ciphers and wireless security

The quest for AES

AES (Rijndael)

MARS

RC6

Twofish

Serpent

Between DES and AES: common ciphers of the "transition period"

3DES

Blowfish

IDEA

Selecting a symmetric cipher for your networking or programming needs

Chapter XII Cryptographic data integrity protection, key exchange and user authentication mechanisms

Cryptographic hash functions

Dissecting an example standard one-way function

Hash functions, their performance and HMACs

Michael (MIC): weaker but faster

Asymmetric cryptography: a different animal

The examples of asymmetric ciphers: ElGamal, RSA and the elliptic curves

Practical use of asymmetric cryptography: key distribution, authentication and digital signatures

Chapter XIII The fortress gates: user authentication in wireless security

Basics of AAA framework

An overview of RADIUS protocol

RADIUS features

Packet Formats

Packet Types

Installation of FreeRADIUS

Configuration

User Accounting

RADIUS vulnerabilities

RADIUS related tools

802.1x: the gates to your wireless fortress

Basics of EAP/TLS

Creating Certificates

FreeRADIUS integration

Supplicants

An example of access point configuration: Orinoco AP-2000

LDAP protocol and wireless authentication

What is LDAP?

How does LDAP work?

Installation of OpenLDAP

Configuration of OpenLDAP

Testing LDAP

Populating LDAP database

Centralizing Authentication with LDAP

Mobile users and LDAP

LDAP related tools

NoCat: an alternative method of wireless user authentication

Installation and Configuration of NoCat Gateway

Installation and Configuration of Authentication Server

Chapter XIV Guarding the airwaves: deploying higher-layer wireless VPNs

Why you may want to deploy a VPN?

VPN topologies review: the wireless perspective

Network-to-network

Host-to-network

Host-to-host

Star

Mesh

Common VPN and tunneling Protocols

IPSec

PPTP

GRE

L2TP

Alternative VPN implementations

cIPe

OpenVPN

Vtun

The main player in the field: IPSec protocols, operations and modes overview

Security Associations

Authentication Header

Encapsulated Security Payload

IP Compression

IPSec Key Exchange and Management Protocol

Internet Key Exchange

Phase 1 mode of operation

Phase 2 mode of operation

Perfect Forward Secrecy

Dead Peer Discovery

IPSec Road Warrior

Opportunistic Encryption

Deploying affordable IPSec VPNs with FreeS/WAN

FreeS/WAN compilation

FreeS/WAN configuration

Keys Generation

X509 Certificate generation

Ipsecconf organization

Network to Network VPN topology setting

Host to network VPN topology setting

Windows 2000 client setting

Windows 2000 IPSec client configuration

Chapter XV The counter-intelligence: wireless IDS systems

Introducing wireless intrusion detection

Categorizing suspicious events on wireless LANs

The examples and analysis of common wireless attack signatures

Radars up! Deploying a wireless IDS solution for your WLAN

Commercial wIDS

Open Source wIDS settings and configuration

A few recommendations on DIY wireless IDS sensor construction

Appendixes

Appendix A Decibel - Watts conversion table

Appendix B 802.11 Wireless Equipment

Appendix C Antenna Types

Appendix D Wireless utilities manpages

Appendix E Signal Loss for types of obstacles

Appendix F Warchalking Signs

Appendix G Penetration testing template

Appendix H Default SSIDs for several common 802.11 Access Point and PCMCIA card Products

Glossary

Index

Bibliography