Wi-Foo: The Secrets of Wireless Hacking
author | Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky |
pages | 608 |
publisher | Addison-Wesley |
rating | 9 |
reviewer | Alex Moskalyuk |
ISBN | 0321202171 |
summary | Complete guide to wireless attack and defense |
Wi-Foo requires a certain level of expertise, and it's unlikely that the book will be sold left and right or that everyone will want a copy. First of all, to do anything substantial you need to have a Linux or FreeBSD operating system installed and know your way around it. Second, some knowledge of Perl is required to go through the script source code and enjoy the occasional tools that appear on the Internet. The third required bit of knowledge is some familiarity with how wireless networks work and how one can take advantage of those radio waves that seem to contain pieces of data.
The authors claim that one has little knowledge of wireless security unless he's done some war-driving. So, skipping the first two chapters (which talk about security in general), chapters 3, 4 and 5 take the reader through the hassle of setting up the Linux laptop with all the hardware and software needed to do successful war-driving. The last time I reviewed a book on getting wireless to work with Linux, you guys kept asking what card would work the best with a Linux laptop. To quote p. 28 of Wi-Foo, "if you're serious about 802.11 penetration testing, you should get a decent Prism chipset card. If you plan to base your security audit effort around the BSD platform, you probably cannot do without it. Prism chipset CF and PCMCIA cards are known to be produced by Addtron, Asante, Asus, Belkin, Buffalo, Compaq, Demark, D-Link, Linksys, Netgate, Netgear, Proxim, Senao, SMC, Teletronics, US Robotics, Zcomax and ZoomAir."
What follows could essentially be condensed into a single Web site with links to various Linux tools for network discovery, traffic analysis, encryption cracking, 802.1x cracking, frame generation and traffic injection. Kudos to the authors for providing sometimes detailed instructions on setting up the utility and getting the successful results out of it -- it's obvious that they did not just peruse the Web in search of what's available and provided a list of URLs; they installed, tested and reviewed all the Linux network security utilities listed in the table of contents. As much as many of the products and tools listed complement one another, it was useful for me to see the professionals' take on advantages and disadvantages of free tools out there. Wherever possible, the authors try to stick with free software, which makes the book a pretty useful guide for most enthusiasts out there.
The authors are serious about getting the reader to war-drive at some point, and chapter 8 specifically talks about generating wireless denial-of-service attacks as a last resort for a cracker who seems to be in a bad mood when other methods of wireless penetration do not work. The book talks about antenna amplifiers and some hardware you might buy to be more successful in wireless hacking. They also discuss the possibilities of war-biking, war-walking and riding a hot air balloon.
By the time you're finished with chapter 9, if your title includes words like "security" or "administrator," you will probably find yourself quite perplexed. That's where Part 3 (Defense) kicks in, as the authors discuss counter-measures against wireless cracking and possible steps one can take to secure the wireless network. It's not the typical don't-use-WEP-don't-broadcast-your-ID-don't-rely-on-MAC-filtering preaching one can find in security manuals created for the home user (I am not saying those are bad -- for a home user they do provide necessary guidance in securing a WLAN). This is mostly industrial-level security, which might include multiple levels of protection, such as 802.11i implementation, implementing encryption around the wireless networks, creating hardware Linux-based gateways, deploying VPNs and intrusion detection systems. Setting up honeypots is missing from this list, although one can debate whether this could be considered a worthwhile project outside of the academic world.
The book uses clear language and is easy to read. At the same time it takes a while to go through it, as you keep trying out the presented solutions on your Linux laptop. The chapters that talk about the philosophical decisions when securing wireless LANs are helpful as well -- the authors occasionally get away from the hands-on approach and talk about general principles to consider. Code examples are easy to follow, and every tool that's presented in the title is accompanied by its URL (for some reason Addison-Wesley did not include a CD with Wi-Foo); a large number of them point to sourceforge.net. All the links are available on the book's Web site; see the attack and defense sections.
If you should decide to take up a career as a wireless security consultant, Appendix G includes a variety of checklists and templates that the authors recommend for the corporate environment. Chapter 8 -- Breaking Through is available for free in PDF format. Overall I liked this book a lot. It seemed to concentrate on what's necessary without going into fluff and chapters like "History of radio" or "Linux on laptops for beginners." It's informative and easy to read; if you're an enthusiast, try out the free chapter and see if you like the authors' style, but if you're a network admin or security professional, this book is almost a must. It's a combo of Exploiting Software and Hacking Exposed with specialization on wireless LANs.
You can purchase Wi-Foo from bn.com.
unwelcome visitors (Score:4, Interesting)
Re:unwelcome visitors (Score:5, Interesting)
What we need is a book for router manus that teaches them how to not enable default SSIDs and admin passwords for wireless networks. My neighbor would probably thank them.
Re:unwelcome visitors (Score:2)
This is exactly what I do, I set up PPTP VPN with 128 bit encryption and forced encrypted passwords. I used PPTP so I could support Win98 clients, but I'm getting ready to get ipsec going too. I don't bother with WEP but I do use MAC whitelisting - sure you can spoof 'em but it will keep the casual lusers away.
Also it doesn't have to be a performance hit but if it isn't it's goi
That makes a good quote (Score:5, Funny)
Re:That makes a good quote (Score:5, Funny)
Boy: Do not try and hack the AP. That's impossible. Instead only try to realize the truth.
Neo: What truth?
Boy: There is no password.
Neo: There is no password?
Boy: Then you'll see that it is not the password that's exploitable, it is yourself.
Re:That makes a good quote (Score:5, Funny)
Morpheus: No, Neo. I'm trying to tell you that when you're ready, you won't have to.
I think I just lost the Matrix quoting competition.
Re:That makes a good quote (Score:1, Funny)
Re:Bad Name (Score:5, Interesting)
Kung Foo is programming skill.
Therefore Wifi Foo is skill at hacking/securing wifi networks.
You overthought this one.
Re:Bad Name (Score:2)
Re:Bad Name (Score:3, Funny)
Greeeat (Score:4, Interesting)
Of the few exploit/hacking books I've read, they seem more like "This is how much I (the author) know, that you don't" instead of an informative, factual exchange of security-minded information.
I may jump on this one, if not just to see if they laid the hubris on heavy this time...and, well, also because of the simple fact that the future is going to be completely wireless.
Re:Greeeat (Score:1)
Same here. It isn't too often that a Linux/*BSD book comes along that I will actually buy. Usually, anything F/OSS related can be found online, or in one of the bigass "sysadmin bible" type books I bought when I first got into Linux. However, wireless is one area that isn't too well covered in my bigass books, and it might be nice to have all this info in one place. I could probably find a lot of this online, but it's always good to have a starting point that doesn't require that
Re:Greeeat (Score:2)
home based wireless lan's (Score:2, Insightful)
Re:home based wireless lan's (Score:5, Funny)
More accurately...
*AirSnort*
Re:home based wireless lan's (Score:4, Informative)
Re:home based wireless lan's (Score:1, Interesting)
Re:home based wireless lan's (Score:2)
Re:home based wireless lan's (Score:5, Insightful)
Normally when you add a single bit, it doubles the time for brute force attacks. Instead of being TWICE as difficult when going from 40 to 41 bits, it's only 1/40th more difficult.
You need to collect about 2GB of data to recover a 104 bit key, on the average.
Now... that all said, it's arguable that if you even use a 40 bit key that you are proclaiming your network PRIVATE, where unauthorized use is actually a criminal offense. In other words, any use of it requires actually attacking the network, not just turning on your computer, which typically meets or surpasses any implied consent requirements. You will discourage anyone that wants to "ethically" borrow wireless by setting a WEP key.
It's kind of like locking your screen door. It's easy to get past, but pretty obvious it's breaking and entering.
If you're interested in providing an open network but with a "I won't break your network or the law" agreement, check out NoCat. [nocat.net]
Re:home based wireless lan's (Score:5, Insightful)
Sure it is. Unless you have specific enemies, or you are next door to someone that has nothing better to do than try to illegally break into your network (not too bright to commit a federal felony just to save a little on the cable modem bill), then WEP is more than enough. Sure, it isn't unbreakable. But it will get anyone mobile looking to get free access or check out someone's computers to move down the block to the unencrypted one.
Your security doesn't have to be foolproof. It just has to be good enough so that the people looking to break in move to the next target.
with MAC protection
Uh, speaking of poor security, it takes all of one captured packet to defeat this. Find the MAC of a card that is on the network (in the headers, easy to get), and manually set your card to that MAC. You'll run into fewer problems if you don't try to get on at the same time they are on, though. Again, that will only keep out the stupid and uncommitted, and can be cracked with inspection of a single packet. For something so utterly useless compared to even the flawed WEP, I'm surprised it even made your list. I don't know of a single person capable of cracking WEP that wouldn't get through your MAC filter in less than 30 seconds (and that's people capable of breaking WEP, not just people who say they've seen some tool available somewhere that may capture packets or something).
Oh, and even if you don't broadcast your SSID, it is included in the packets. There are tools that will scan more than just the beacon packets and will be able to pull the SSID out. Again, someone that knows what they are doing will be much more inconvenienced by WEP than all the other things you mentioned combined. Sure, it improves security. It's like locking the door handle when you have already locked the deadbolt. If someone can defeat a deadbolt, they can easily defeat the handle lock as well.
Of course, there is always the slashdot crowd to prove me wrong...
Not prove you wrong. You are right. It is harder to break into a network that also has MAC filtering enabled and SSID broadcasts disabled. But, as easy as it is to set those up, it is even easier to break them than it was to set them up (assuming that someone capable of cracking WEP is moderately familiar with the concepts). So, though correct, I'd put it in the FUD category.
Re:home based wireless lan's (Score:1)
Re:home based wireless lan's (Score:2)
As for whether bypassing MAC security is illegal, that is for the courts to decide (and they will probably do so poorly, as they do with most technical issues). The SSID is an invitation to join a network. Pulling a MAC
Re:home based wireless lan's (Score:2)
Re:home based wireless lan's (Score:4, Interesting)
Wanna tell me how you're gonna grab 5 million packets (not counting SSID broadcasts) from a single network whilst wardriving? You need quite a few users going for a long time to generate that much traffic.
Yes WPA is better, and it's nice to see it becoming a standard. But despite the FUD, WEP is not some disgustingly horribly insecure protocol that's gonna get hacked in 15 seconds by any script kiddie with a wifi card. It takes a *long-ass time* to gather the amount of data needed to crack WEP. There's far easier ways into a network. But then again, it's so much fun to play baby seal and arp away about WEP totally sucking ass.
Try a capture on a home network and see how long it takes. My own net is four machines, including two always-on boxes. It still takes days to generate enough traffic to make an attempt at cracking WEP.
For home (house) use, 128-bit WEP will work just fine. For office environments or apartment buildings, you should still crank things up a notch with MAC whitelisting etc.
Re:home based wireless lan's (Score:3, Insightful)
if you are trying to protect missile launch codes, i might look elsewhere, but for day-to-day crap...
Re:home based wireless lan's (Score:4, Informative)
Re:home based wireless lan's (Score:2, Informative)
http://asleap.sourceforge.net/
Not just wireless (Score:5, Informative)
Hmmmm...Packets (Score:2, Funny)
Re:Hmmmm...Packets (Score:2, Funny)
One word... (Score:2)
Windows, BSD, Linux -- whatever...
Re:One word... (Score:2)
A combination of WAP/WEP, MAC address allow lists and not broadcasting the network name will keep pretty much everyone out. Why would someone bother breaking in when there are several open wireless networks on every street (at least in my suburb)?
Re:One word... (Score:2)
Re:One word... (Score:2)
You don't know enough -- it does. My NAT-ing gateway will not talk to you, nor will anything else on my network. You will not be able to read what my network talks about, nor will you be able to use the Internet through my uplink.
Slow internet... (Score:4, Funny)
Factory settings, gotta love 'em (Score:3, Interesting)
WPA-PSK? (Score:4, Informative)
Missing anything? (Score:3, Interesting)
Steps to securing my WLAN:
1. Change default router login password
2. Enabled firewall
3. MAC address filtering
4. AES encryption with non-dictionary 15 character passphrase
5. Disabled SSID broadcast
6. Updated to latest firmware
7. Disabled remote router login
8. Enabled 802.11g only
9. Updated to latest wireless network card drivers
Am I missing anything really obvious?
Re:Missing anything? (Score:5, Informative)
* Change the key monthly or otherwise periodically.
* Even with all this, run encrypted protocols as much as possible: SSH, SSL, etc. No clear text protocols.
* Run a monitor on your access point to monitor against your MAC address filtering list, and send a trap when an unknown MAC address connects. By definition, if you have a MAC address allow list you should be able to do this easily.
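The monitoring the reply above suggests, as an added example that is not part of the original thread: association events from an access point log (the lines below are constructed in a hostapd-style format, not taken from any real device) are checked against a MAC allow list, and anything unexpected is turned into an alert. It also flags an allowed address that associates again while already marked associated, which is what a cloned MAC (the bypass discussed earlier in the thread) would tend to look like, though an ordinary reconnect produces the same event.

```python
"""Alert on wireless associations that do not match the AP's MAC allow list.
Added example: the log format and all addresses below are constructed."""
import re
from typing import Iterable, List, Set, Tuple

# Constructed allow list for the home WLAN (these are not real devices).
ALLOW_LIST = {"00:0c:29:4a:1b:2c", "00:16:6f:aa:bb:cc"}

# Constructed hostapd-style association log; line 4 uses a different MAC
# notation on purpose, line 5 is a station that is not on the list.
SAMPLE_LOG = """\
Jun 12 20:01:13 ap hostapd: wlan0: STA 00:0c:29:4a:1b:2c IEEE 802.11: associated
Jun 12 20:02:47 ap hostapd: wlan0: STA 00:16:6f:aa:bb:cc IEEE 802.11: associated
Jun 12 20:02:50 ap hostapd: wlan0: STA 00:16:6f:aa:bb:cc IEEE 802.11: disassociated
Jun 12 20:05:02 ap hostapd: wlan0: STA 00-0C-29-4A-1B-2C IEEE 802.11: associated
Jun 12 20:07:31 ap hostapd: wlan0: STA 00:1a:2b:3c:4d:5e IEEE 802.11: associated
"""

LINE_RE = re.compile(
    r"STA (?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated)"
)

Alert = Tuple[str, str, str]  # (kind, mac, offending log line)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-0C-29-..' equals '00:0c:29:..'.
    Comparing raw strings would let a differently written address slip past."""
    return mac.replace("-", ":").lower()


def scan_log(lines: Iterable[str], allow_list: Set[str]) -> Tuple[List[Alert], Set[str]]:
    """Walk the log in order, tracking which stations are currently associated.
    Returns the alerts raised and the set of stations still associated at the end."""
    allowed = {normalize_mac(m) for m in allow_list}
    associated: Set[str] = set()
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an association event; ignore
        mac = normalize_mac(m.group("mac"))
        if m.group("event") == "associated":
            if mac not in allowed:
                alerts.append(("UNKNOWN_MAC", mac, line.strip()))
            elif mac in associated:
                # Allowed station associating again with no disassociation in
                # between: a reconnect, or a second card using the same address.
                alerts.append(("DUPLICATE_ASSOC", mac, line.strip()))
            associated.add(mac)
        else:
            associated.discard(mac)
    return alerts, associated


if __name__ == "__main__":
    found, _ = scan_log(SAMPLE_LOG.splitlines(), ALLOW_LIST)
    for kind, mac, line in found:
        print(f"{kind}: {mac}  <- {line}")  # in practice: send the SNMP trap here
```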
Re:Missing anything? (Score:2)
If the MAC address is the kind of information that you can glean from captured packets, then you might want to consider also cycling the MAC addresses of your devices on a regular basis as well. I mean, for the utmost in security. It depends, I suppose, on how much somebody wants to get inside your network and whether or not you know about it...
Re:Missing anything? (Score:1, Offtopic)
???
Profit!
Re:Missing anything? (Score:3, Funny)
10. A tin-foil hat [wikipedia.org]?
-jim
Re:Missing anything? (Score:1)
2. Enabled firewall - you forgot to mention that it has to be properly configured
3. MAC address filtering - takes seconds to bypass, by sniffing the air.
4. AES encryption with non-dictionary 15 character passphrase - are we talking about 802.11i ???
6. Disabled SSID broadcast - NOT TRUE. The SSID is sniffable in the air
5. Updated to latest firmware & 9. Updated to latest wi
Re:Missing anything? (Score:1)
Assign yourself static addresses.
Re:Missing anything? (Score:2)
* SSID broadcast OFF
* DHCP OFF and static address in a non-obvious non-routable range (not 192.168.0.x, 192.168.1.x, 192.168.2.x or 192.168.254.x. Most routers default to these ranges and so does Windows Internet Connection Sharing)
* MAC address whitelisting
* WEP key
all they'll
Re:Missing anything? (Score:2)
Re:Missing anything? (Score:2, Interesting)
20 = 0
1-9 = face value
10 = A
11 = B
12 = C
13 = D
14 = E
15 = F
16-19 = re-roll.
The advantage of this method is it produces a key that is immune to a dictionary attack as it is highly unlikely that any pass phrase corresponds to it. Every bit has an equal chance of being set or
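The d20-to-hex method from the comment above, written out as an added example (not from the original post): each roll maps to one hex digit or to a re-roll, digits are accumulated into a 104-bit (26 hex digit) or 40-bit (10 hex digit) WEP key, and `face_distribution()` checks the uniformity claim by counting where each of the 20 faces lands. Using `secrets` in place of a physical die is this example's substitution, not something the commenter proposed.

```python
"""Random hex WEP key from a 20-sided die, per the mapping in the comment
above: 20 -> 0, 1-9 face value, 10-15 -> A-F, 16-19 re-roll. Added example."""
import secrets
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

HEX_DIGITS = "0123456789ABCDEF"
WEP104_HEX_LEN = 26  # 104-bit key (what "128-bit WEP" products actually use)
WEP40_HEX_LEN = 10   # 40-bit key


def d20_to_hex(roll: int) -> Optional[str]:
    """Map one d20 face to a hex digit; None means the face must be re-rolled."""
    if not 1 <= roll <= 20:
        raise ValueError("a d20 shows faces 1..20")
    if roll == 20:
        return "0"
    if roll <= 15:
        return HEX_DIGITS[roll]  # 1-9 keep face value, 10-15 become A-F
    return None                   # 16-19: discard, roll again


def key_from_rolls(rolls: Iterable[int], hex_len: int = WEP104_HEX_LEN) -> str:
    """Assemble hex_len digits from a sequence of rolls, skipping re-roll faces.
    Rejecting 16-19 (rather than folding them onto some digit) is what keeps
    every digit at probability exactly 1/16."""
    digits = []
    it = iter(rolls)
    while len(digits) < hex_len:
        try:
            d = d20_to_hex(next(it))
        except StopIteration:
            raise ValueError(f"ran out of rolls after {len(digits)} digits") from None
        if d is not None:
            digits.append(d)
    return "".join(digits)


def random_wep_key(hex_len: int = WEP104_HEX_LEN) -> str:
    """Same procedure with the OS CSPRNG standing in for the physical die."""
    return key_from_rolls(iter(lambda: secrets.randbelow(20) + 1, None), hex_len)


def face_distribution() -> Tuple[Dict[str, int], int]:
    """Count how many of the 20 faces map to each hex digit and how many are
    rejected: 16 accepted faces, one per digit, so every key bit is an
    unbiased coin flip and no passphrase-derived dictionary can cover it."""
    counts = Counter(d20_to_hex(r) for r in range(1, 21))
    rejected = counts.pop(None, 0)
    return dict(counts), rejected


if __name__ == "__main__":
    print("104-bit WEP key:", random_wep_key())
    print("40-bit WEP key: ", random_wep_key(WEP40_HEX_LEN))
```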
wireless boosting? (Score:1, Offtopic)
Re:wireless boosting? (Score:2)
Re:wireless boosting? (Score:1)
Homebrew it. (Score:2)
Read mine for free (Score:5, Interesting)
Mainly I looked at various tools and how effective they were. I also looked at setups in the surrounding neighborhood and pwn3d (with permission) the campus VPN via the wireless network.
EAP-TLS (Score:2)
Re:EAP-TLS (Score:3, Insightful)
The key point of that section (as miserably brief as it was, I admit) was to point out there are developments helping the situation, but the overall opinion is that wireless networks are not secure and people need to be aware of the traffic that is sent over them and what this traff
wep is secure? (Score:1)
Re:wep is secure? (Score:2)
Wanna try something fun? Use a 40-bit WEP key and try Newsham's attack, that's scary.
Re:wep is secure? (Score:2)
Wireless Protected Access (Score:1)
Wireless Protected Access (WPA) with TKIP or AES is all you need to stop the author and any of his readers. Someone mentioned WPA-PSK - end of drama. [No weak passphrase, of course] If you have a RADIUS server running anyway, or nee
Re:Wireless Protected Access (Score:1)
Imagine, basing my comments on the actual contents of the book. You have nothing to complain about here, I think. From what I've seen, I'm not going to waste my $35 for the whole book.
Pretty much every topic you can think of is covered on the Internet, so what?!
Usually a book presents more and better organization than what is found on amateur w
Re:Wireless Protected Access (Score:1)
Excuse me, WEP was a known vulnerability even before it was released. WPA and RSN are looking forward to provide a sufficient number of years of protection before future processing power is able to defeat it.
Anyway, there was a fat report claiming that only 22% of WPAv1-enabled devices from different vendors can interoperate.
I hadn't heard, but this was probably before Wi-Fi certification became so commonplace. Anything with a Wi-Fi logo suppor
Wireless has made the internet free for me. (Score:1)
I have 2 or 3 open wireless networks to tap into at any time, right from the office.
I love my free internet.
Re:Cracking a pswd (Score:3, Funny)