More Fun With Wireless Hacking (2600 03/04)
After going through the archives of the old site, I decided to start posting the various tutorials that were there, and have yet to become obsolete. One is “More Fun With Wireless Hacking”, which was published in <span style=”text-decoration:underline”>2600 Hacker’s Quarterly</span> in 2003. Since the practice of wireless hacking, and security has yet to change, I present you with the original article I wrote 5 years ago. Enjoy.
As the prices go down, wireless becomes more and more common. While many people ignore the
vulnerabilities that wifi holds, it’s an easy way for anyone to enter the network. Even setting WEP
keys will not hold a determined hacker from compromising the wifi AP (access point) or router.
Many tools are available for various operating systems to do such tasks. NetStumbler for Windows,
MacStumbler for MacOS, Wellenreiter for Linux, and BSD-Airtools for Free/Open/NetBSD are wifi
network stumblers to help find APs. Most of these applications can use a GPS to map the access
points detected while scanning. Such stumbling tools are what make wireless hacking such a threat.
Using these tools are quite simple and straight to the point. Each will detect the APs from stray
signals, detect WEP transmissions, channel, signal strength, and MAC address. While they also
determine the Manufacturer by the MAC address, some entries can be incorrectly identified.
Finding the exact manufacturer by MAC address can be found on the page
http://standards.ieee.org/regauth/oui/oui.txt . Every MAC address and manufacturer is listed.
This brings us to another key to entering the network. Sometimes you can enter the network
easily by using DHCP, but not all networks have DHCP available. In such a case, there are
a few ways to obtain the address of the AP.
The first way to acquire the IP is to use the default IP that the wireless device is set to. For
instance, D-Link routers use 192.168.0.1, and their access points use 192.168.0.50. On the
other hand LinkSys uses 192.168.1.1, and Netgear uses 192.168.0.1. If the default IP is not
the IP of the AP, then you can use a sniffing utility to capture packets coming from wifi signal.
Once you have gained the IP, and enabled a associated connection to the AP, it’s time to
connect elsewhere. Even though you might have a connection, WEP might be holding you
back. WEP is a encryption used for wireless networking stated in the IEEE standard for 802.11a/b.
When they made this standard, they did not think of what could be done to crack it. Every minute
a small amount of WEP broadcasts are sent over the network. Each broadcast frame is the same
allowing these frames to be captured easily and decrypted without worrying about the packet
changing. With WEP tools like WEPCrack, AirSnort, and BSD-Airtools’ Dweputils, cracking a
WEP dump can be decrypted within a few minutes. Some 104-bit (128-bit) keys can take up to 36
hours depending on the speed of your system, but logging your hits or using a GPS can show
you where that network was when you first found it so that you can go back after breaking
Once this is all done, the network is in your control. From here you don’t have to worry about
the router blocking your system from anything, and sometimes receiving a SNMP log or two.
If you know the default password the specific AP, you can always go for that first off. If you do
not know the defaults for wifi devices, go to the manufacturer site, and look up a model, or the
specific model to find the documents with the defaults.
Another way is to use a terminal service like Remote Desktop for Windows, rdesktop for Linux/UNIX
to connect to a Windows desktop (Remember, most people do not set a password for the Admin
or Administrator account in Windows). From there you can use the local browser, and see if any
cookies were used in the past to log into the AP.
Remember, even though taking a backdoor into the network, logs can still show your existence.
Clearing router logs, or entering the network with a MiTM (Man-in-The-Middle) attack, or
spoofed MAC will look like normal activity on the network. Providing a backdoor from the router,
and placing a route to a service on another system to get in can do a vast amount of good for
your final compromize.
These particular methods are slowly becoming obsolete. The new 802.11g’s encryption 802.11i
(WPA) provides better authentication, and stops the repeating frame encryption packets. Many
wireless devices are now starting to have the option to disable signal broadcasting, disallowing
signals to be “stumbled” upon. Even though this new technology is being offered does not mean
the weak link in any network is becoming any smarter, or that people are even upgrading. Rather
if you plan to secure your wifi network, or conquer another, signals will always be monitored.
Thanx to: The error between the chair and the computer, FBSDHN, SE, and all those other people.