Sla.ckers.org
For 802.11 and bluetooth security people alike. Latest trends, attack surface issues, and prevention. How wireless security is becoming the new vector to hacking corporate websites and applications. 
Wardriving
Posted by: eyeced
Date: January 15, 2007 06:00PM

Ok, this forum seems a bit redundant at the moment, so I thought I'd introduce a new topic. I myself have meddled around with wardriving and wireless networks using Linux and an Atheros chipset card. The distro I used and still have installed was BackTrack, although I played around with different distros for the different applications and supported chipsets. I finally settled on BackTrack because it had Bluetooth applications as well, and after watching a bluesnarfing video I bought a Bluetooth adapter and had a play in BackTrack to see the exploit working in real life. Another reason for using BackTrack is that its version of aircrack and other tools supported my chipset as well; I couldn't get void11 to work with my card in other distros.

I just started this topic in case anyone is interested or wants to learn about wardriving or cracking wireless networks, the different types of encryption and how to go about starting. I'm no guru, nor am I claiming to be; I just thought that rather than throwing a link to a tutorial at you (probably in Notepad format) which you may or may not read, I'd offer advice (and take advice) as a person who has had experience in this area.

It will not hurt my feelings if nobody cares about wireless security, but if people are interested, just ask away.

Re: Wardriving
Posted by: id
Date: January 15, 2007 08:16PM

It's a huge hole. Most companies don't get that having a firewall in front doesn't protect them at all from the guy in the parking lot with a laptop.

Want to have some real fun? Go to a mall. Most new hand scanners are wireless devices that can't be bothered with encryption (not that it would really matter).

-id

Re: Wardriving
Posted by: rsnake
Date: January 15, 2007 09:55PM

I am always interested... eyeced... I think others would be too. As you learn more please feel free to post it!

- RSnake
Gotta love it. http://ha.ckers.org

Re: Wardriving
Posted by: eyeced
Date: January 16, 2007 06:11AM

There are a lot of issues when using a wireless network at the home level. Mr W.driver drives around with his favourite wireless scanner running, say Cain for Windows or Kismet for Linux, as both of these can scan continuously for wireless networks. He then finds a network that is unencrypted and simply connects to it. Knowing (through Kismet) which type of router the wireless network uses, he is then able to try connecting to the router using the default password(s) for that router, therefore not only having network access but the ability to find out their ISP username and password as well; the attacker could therefore build up a pretty substantial list of ISP details in a day. Having the user's address, ISP details and possible phone number (which could be easily found out with a phone book and knowing where the person lives), a phisher would then be able to make a pretty realistic phone call to the homeowner, convincing them that it was the ISP calling and asking for verification of payment information or anything.

Another attack would be ARP poisoning. This can be done very easily through Windows using Cain, but as Cain doesn't support my wireless card I had to use Linux. The purpose of ARP poisoning is to be able to sniff traffic or even cause a DoS on a switched network, where usually the data is only sent to the intended recipient. This is achieved by sending 'spoofed' ARP messages to the router/switch telling them that you are computer A, and to computer A that you are the router, so that all traffic goes through you. I personally think this is a huge danger for both home and business users, as you are able to sit outside with all traffic passing through you; if the signal is strong enough you could in effect sit there for hours, just waiting for them to book that family holiday... or check their bank details. Not that I condone that; it's just, who here can honestly say their ARP tables are static if they are on a wireless network, who takes the time to investigate the possible dangers of the new technologies they're using? I sure don't believe that 99.99% of home users do. Or on a business level the attacker could re-route the traffic through themselves and simply stop all traffic passing to the intended destination, causing a DoS.

Using some of the tools available through security distros of Linux it is possible to cause a great deal of chaos easily on a wireless network. Even when encrypted, there are techniques such as deauthentication etc. to generate enough traffic on the network to be able to find the network key by analysis of encrypted traffic. Many home users will feel safe once they have some sort of encryption, not knowing about the different types and their weaknesses. I suggest, if you have a wireless network and another computer/laptop, having a play around with wireless security and how easily it is circumvented.



Edited 1 time(s). Last edit at 01/16/2007 06:17AM by eyeced.

Re: Wardriving
Posted by: Tribute
Date: January 16, 2007 11:35AM

@eyeced: You mention using ARP on a wireless network, although this would only really be useful for viewing SSL'd connections, as traffic sent over the waves can be listened to by anyone. Using it for a DoS is important though.

I have a Sharp Zaurus PDA running Debian with Kismet and have succeeded on many occasions in DoSing my wireless network (many times) merely by scanning the network. I have since upgraded that AP. My network used to run a Belkin F5D6231-4 (802.11b), which would lock up and have to be manually rebooted.

On my wireless network I now run a Belkin 54g with WPA-PSK using AES, which is secure enough. Ideally, though, I'd be running on 100Mbit wired.

Re: Wardriving
Posted by: eyeced
Date: January 16, 2007 05:16PM

ARP poisoning is necessary to sniff traffic on a wireless network if it is encrypted, agreed, but it is also necessary to use ARP poisoning on normal traffic if it is a wireless routing device, as packet sniffers, even in promiscuous mode, cannot pick up traffic meant for another device without ARP poisoning.

DoSing wireless networks can be done through ARP poisoning as well, as well as by de-authenticating devices. Yeah, I would agree WPA-PSK is secure enough, although obviously not bulletproof, but it would take a shitload longer with a decent key.

Are you from England? Because on my travels I have seen a LOT of Belkin 54g's around... I think at one time they came as the standard wireless router from an ISP.

Re: Wardriving
Posted by: id
Date: January 17, 2007 12:02PM

eyeced Wrote:
-------------------------------------------------------
> ARP poisoning is necessary to sniff traffic on a
> wireless network if it is encrypted agreed, but it
> is also necessary to use ARP poisoning on normal
> traffic if it is a wireless routing device, as
> packet sniffers even in promiscuous mode cannot
> pick up traffic meant for another device without
> ARP poisoning.
>

The only time you need to ARP poison something for sniffing is when you're on a switched network and need to have the switch send the packets out a different port. Get Wireshark, tcpdump, etc. and you can see any wireless broadcast packets; they may be encrypted, but it will have no problem just seeing the packet.

Secondly, on a wireless encrypted network the MAC addresses are encrypted as well, so how would ARP poisoning do anything?

-id

Re: Wardriving
Posted by: eyeced
Date: January 17, 2007 04:06PM

id Wrote:
-------------------------------------------------------
> Secondly, on an wireless encrypted network the MAC addresses are encrypted as well, so how would ARP poisoning do anything?

On an encrypted wireless network the AP's and connected devices' MAC addresses aren't encrypted and can easily be viewed in Kismet.

Oh, and about the ARP over unencrypted networks: it was my card... sorry guys.

Re: Wardriving
Posted by: id
Date: January 17, 2007 05:06PM

WPA encrypts the MAC, WEP does not. I should have been more clear. You would need to break the WPA key, at which point ARP spoofing would be trivial in comparison.

-id

Re: Wardriving
Posted by: ntp
Date: January 22, 2007 08:18AM

eyeced Wrote:
-------------------------------------------------------
> DoS'ing wireless networks can be done through ARP poisoning as well, as well as de-authenticating devices. Yeah i would agree WPA-PSK is secure enough though obviously not bullet proof, but would take a shit load longer with a decent key.

There was a straight-up DoS presented at DEF CON 12 for WPA, dunno if it still works (Shmoo Group did the talk). It didn't require anything special.
Details here [mp3]: http://media.defcon.org/dc-12/audio/2004-Defcon_12-v21-Shmoo-Wireless_Weaponry.mp3

EDIT: Out of curiosity, I listened to the presentation. Brian Caswell talked about the WPA DoS. Not all WPA/WPA2 equipment is vulnerable. It assumes you are already associated, but if you send false MIC protection values to the AP, the AP will disassociate everyone on that AP. They never released the code, but it was supposed to be called "WPA Party Pooper" and consisted of something like 3 lines of Perl using libdnet. I have no idea how interesting or valuable this vulnerability was or still is, but there you have it.

WPA-PSK scanning does not have to take long. By using a cryptographic attack known as a time-memory trade-off (aka rainbow tables), you can get the WPA hash and then compare it to a giant list of hashes that are already pre-computed from regular password form. So this attack could still be theoretically possible in a very short amount of time, assuming a dictionary word.

More on Rainbow Tables:
http://en.wikipedia.org/wiki/Rainbow_Table

For example, using coWPAtty and these rainbow tables (about 7 GB in size, 170K words, done in less than 40 minutes on a Core2Duo or similar):
http://www.churchofwifi.org/Project_Display.asp?PID=87

Or by using specialized hardware mentioned here (100GB in size, 1M words, done in 17 minutes on expensive embedded cards, but certainly not military-grade equipment):
http://openciphers.sourceforge.net/oc/wpa.php



Edited 6 time(s). Last edit at 01/22/2007 10:00AM by ntp.
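The key derivation behind the time-memory trade-off ntp describes, as an added example (not code from coWPAtty, the Church of WiFi tables or the openciphers project). The only external fact it relies on is the standard WPA-PSK derivation, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), which it self-checks against the published IEEE 802.11i Annex H.4 test vector; the word list and SSID names are constructed sample values. It shows the two things a defender should take from the post: a table precomputed for one SSID is useless against any other SSID because the SSID is the salt, and a passphrase outside the word list is never found regardless of how large the table is.

```python
"""WPA/WPA2-PSK key derivation and why precomputed (rainbow) tables are per-SSID.

Added example for the thread; not code from any tool named above. Relies only
on the standard derivation PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)
and the IEEE 802.11i Annex H.4.1 test vector. Word list and SSIDs are
constructed sample values.
"""
import hashlib
from typing import Dict, Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for a WPA-PSK network.

    The SSID is the PBKDF2 salt, so one passphrase yields a different 32-byte
    key on every network name; 4096 HMAC-SHA1 rounds make each guess costly.
    802.11i requires an ASCII passphrase of 8 to 63 characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


# Published test vector (IEEE 802.11i-2004, Annex H.4.1): "password" / "IEEE".
REFERENCE_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derivation_matches_reference() -> bool:
    """Self-check that the derivation above is the real one."""
    return wpa_pmk("password", "IEEE").hex() == REFERENCE_PMK_HEX


def precompute_table(ssid: str, words: Iterable[str]) -> Dict[bytes, str]:
    """The time-memory trade-off in miniature: pay the PBKDF2 cost once per
    (SSID, word) pair and store PMK -> word. A real table is exactly this
    with a huge word list, built separately for each common SSID."""
    return {wpa_pmk(w, ssid): w for w in words}


def table_covers(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Constant-cost lookup, which is the whole point of precomputing."""
    return table.get(pmk)


# Constructed sample data.
SAMPLE_WORDS = ["password", "sunshine", "trustno1", "iloveyou"]
DEFAULT_SSID = "linksys"      # a factory-default SSID, the kind tables are built for
UNIQUE_SSID = "k7-qzx-home"   # a renamed network: no generic table was built for it


def rainbow_table_reuse_demo() -> Dict[str, bool]:
    """Returns, for a table built for DEFAULT_SSID, whether it finds:
    - a weak passphrase on DEFAULT_SSID (yes),
    - the same weak passphrase on UNIQUE_SSID (no: different salt),
    - a strong passphrase on DEFAULT_SSID (no: not in the word list)."""
    table = precompute_table(DEFAULT_SSID, SAMPLE_WORDS)
    weak_on_default = wpa_pmk("sunshine", DEFAULT_SSID)
    weak_on_unique = wpa_pmk("sunshine", UNIQUE_SSID)
    strong_on_default = wpa_pmk("correct horse battery staple 9f3a", DEFAULT_SSID)
    return {
        "weak_passphrase_default_ssid_found": table_covers(table, weak_on_default) is not None,
        "weak_passphrase_unique_ssid_found": table_covers(table, weak_on_unique) is not None,
        "strong_passphrase_found": table_covers(table, strong_on_default) is not None,
    }


if __name__ == "__main__":
    print("reference vector ok:", derivation_matches_reference())
    for name, found in rainbow_table_reuse_demo().items():
        print(f"{name}: {found}")
```

The defensive reading of the numbers in ntp's post follows directly from the salt: a 7 GB table only pays off against networks that kept a default SSID and chose a passphrase from the list, so a renamed SSID plus a long random passphrase puts the network outside anything that can be precomputed in advance.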

Re: Wardriving
Posted by: rsnake
Date: January 22, 2007 01:24PM

I wanted to write something a while back that did something similar for WEP by hogging all the DHCP addresses. I just never got around to it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Wardriving
Posted by: jacknson
Date: March 31, 2007 02:34PM

eyeced Wrote:
-------------------------------------------------------
>
> Another attack would be ARP poisoning, this can be done very easily through windows using cain, but as cain doesn't support my wireless card i had to
> use linux, the purpose of ARP poisoning is to be able to sniff traffic or even cause DoS on a switched network, where usually the data is only sent for the intended recipient. This is achieved by sending 'spoofed' arp messages to the router/switch telling them that you are computer A, and to computer A that you are the router,therefore all traffic would go through you. I personally think this a huge danger for both home and business users, as you able to sit outside with all traffic passing through you, if the signal is strong enough you could in effect sit there for hours, just waiting for them to book that family holiday... or check there bank details. Not that i condone that, its just who here can honestly say there ARP tables are static if they are on a wireless network, who takes the
> time to investigate the possible dangers of the new technologies there using - i sure don't believe that 99.99% of home users do. Or on a
> business level the attacker could re-route the traffic through themselves, and simply stop all traffic passing to the intended source causing
> DoS.

Hi eyeced,

Could anyone give some more information on how this is done and how it could be prevented?

Many thanks
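The detection side of the ARP poisoning eyeced describes above (and the prevention jacknson asks about here), as an added example that is not code from the thread or from Cain, ettercap or any other tool it names. It runs a small ARP watcher over a constructed list of ARP replies in the shape a sniffer such as tcpdump or Wireshark would show (timestamp, the IP the reply claims, the MAC in the sender-hardware-address field) and flags the two symptoms of the attack: an IP whose MAC binding suddenly flips, and a single MAC that claims to be both the gateway and a client, which is the "you are computer A to the router, and the router to computer A" pattern from the post. The pinned gateway entry plays the role of the static ARP table eyeced mentions.

```python
"""ARP poisoning detection over a stream of ARP replies.

Added example for this thread; not code from Cain, ettercap or any other tool
named above. The ARP records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # hardware address offered for that IP


class ArpWatch:
    """Tracks IP-to-MAC bindings and reports a binding that flips to a new MAC
    and a MAC that claims both the gateway and a client (man-in-the-middle)."""

    def __init__(self, pinned: Dict[str, str], gateway_ip: str):
        # Bindings the defender trusts in advance (a static ARP entry, in effect).
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.gateway_ip = gateway_ip
        self.seen: Dict[str, str] = dict(self.pinned)
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
        for ip, mac in self.pinned.items():
            self.ips_by_mac[mac].add(ip)

    def observe(self, reply: ArpReply) -> List[str]:
        alerts: List[str] = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        previous = self.seen.get(ip)

        if ip in self.pinned and mac != self.pinned[ip]:
            alerts.append(f"{reply.ts:.1f}s pinned binding violated: {ip} offered by "
                          f"{mac}, expected {self.pinned[ip]}")
        elif previous is not None and previous != mac:
            alerts.append(f"{reply.ts:.1f}s binding changed: {ip} was {previous}, now {mac}")

        if ip not in self.pinned:          # a pinned entry is never overwritten
            self.seen[ip] = mac
        self.ips_by_mac[mac].add(ip)

        claimed = self.ips_by_mac[mac]
        if self.gateway_ip in claimed and len(claimed) > 1:
            clients = ", ".join(sorted(claimed - {self.gateway_ip}))
            alerts.append(f"{reply.ts:.1f}s {mac} claims gateway {self.gateway_ip} "
                          f"and client(s) {clients}: man-in-the-middle pattern")
        return alerts


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"

# Constructed capture: three honest replies, then poisoning starts at 10s.
SAMPLE_REPLIES = [
    ArpReply(1.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(2.0, VICTIM_IP, VICTIM_MAC),
    ArpReply(3.0, "192.168.1.30", "00:11:22:33:44:30"),
    ArpReply(10.0, GATEWAY_IP, ATTACKER_MAC),  # "the router is at my MAC", aimed at the client
    ArpReply(10.1, VICTIM_IP, ATTACKER_MAC),   # "the client is at my MAC", aimed at the router
    ArpReply(12.0, GATEWAY_IP, ATTACKER_MAC),  # the poison has to be refreshed to stick
]


def run_detection(replies: List[ArpReply] = SAMPLE_REPLIES) -> List[str]:
    """Feed replies through the watcher with the gateway binding pinned."""
    watch = ArpWatch(pinned={GATEWAY_IP: GATEWAY_MAC}, gateway_ip=GATEWAY_IP)
    alerts: List[str] = []
    for reply in replies:
        alerts.extend(watch.observe(reply))
    return alerts


if __name__ == "__main__":
    for line in run_detection():
        print(line)
```

On the sample capture the first three replies are silent and the three poisoned ones raise five alerts: the pinned-gateway violation at 10.0s, the flipped client binding and the gateway-plus-client claim at 10.1s, then both again when the poison is refreshed at 12.0s. The "refresh" line matters for detection: a poisoner has to keep re-sending, so the alert repeats rather than firing once, and a pinned (static) gateway entry on the client is the prevention the watcher only reports on.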

Re: Wardriving
Posted by: Reiners
Date: April 29, 2007 02:51PM

eyeced Wrote:
-------------------------------------------------------
> as packet sniffers even in promiscuous mode cannot
> pick up traffic meant for another device without
> ARP poisoning.

Is this right? I thought that's the whole point of getting a wireless card with promiscuous mode supported. What makes them special then? Because broadcast packets can also be obtained by "normal" wireless cards...
Please enlighten me :)

Re: Wardriving
Posted by: jacknson
Date: April 29, 2007 03:34PM

Reiners Wrote:
-------------------------------------------------------
> eyeced Wrote:
> -------------------------------------------------------
> > as packet sniffers even in promiscuous mode cannot
> > pick up traffic meant for another device without
> > ARP poisoning.
>
> Is this right? I thought that's the whole point of getting a wireless card with promiscuous mode supported. What makes them special then? Because broadcast packets can also be obtained by "normal" wireless cards...
> Please enlighten me :)

Promiscuous mode will capture packets in all directions but needs the adapter to associate with a device first.

Monitor mode will capture packets in all directions and does not require the adapter to associate with any device.

Hope this helps.

JackN

Re: Wardriving
Posted by: fogez
Date: May 01, 2007 01:14PM

Catching up here...

You can DoS WPA using MDK2. It runs on BT2 and works just fine...

You can perform ARP attacks on a WPA-protected network if you are auth/assoc. The easiest way to do this is to use ettercap. The reason this is significant is that WPA means each user has a unique key, so wireless sniffing won't work. However, using network-based attacks you can perform sniffing attacks via ARP spoofing.
