
Thread: Wireless LAN 101 - stuff you ever have looked for

  1. #1

    Wireless LAN 101 - stuff you ever have looked for

    hi security fellows,
    this is a quick summary of the wonderful world of WiFi and all the great stuff you can play around with,
    and it's NOT another tutorial to explain the attacks over and over again; instead it will provide you
    some general background and put all existing resources together, so you finally understand the full picture!

    ### Wireless Kung-Foo ###

    ___Understand the Basics___ (good summary of all attacks; quick overview of various attacks/tools)

    BackTrack4: /pentest/wireless
    aircrack-ng, kismet-newcore, mdk3, msf3+karma, wifizoo, gerix-wifi-cracker-ng, (c)pyrit
    airdrop-ng (will look at it more closely)

    .Driver issues and wifi hardware compatibility
    unfortunately, for most users, finding the correct combination of supported Linux hardware and working drivers is the biggest issue. Currently 802.11n drivers don't support reliable injection, therefore stick with 802.11a/b/g, as it will still be in use for some years. Don't forget to get a card supporting 802.11a, so that you can also cover the 5GHz spectrum (many companies separate their 2.4/5GHz for special purposes, like WLAN mesh or for special devices and coverage). There are tons of online discussions, but the conclusion is simply: GET A CARD which is 100% supported by the aircrack-ng suite:
    -Alfa Networks AWUS036H, b/g support (the newer AWUS050NH has experimental injection support!)
    -Ubiquiti SRC 300mW, a/b/g (there is a USB or CardBus version; the new SR71 (n support) has a similar issue as the 50NH)

    Notes on Linux Wifi drivers:
    the general intent of the original drivers was to provide wifi client access, not playing around with injection or listening to the complete 802.11 traffic; therefore any legacy driver needs some kind of patching to support these types of attacks. On Microsoft OS platforms the only chance to get this done is using the extremely expensive AirPcap drivers/hardware; besides that, in Vista (starting with NDIS 6 you can use vistarfmon) you can enable monitor mode, but not inject anything. You have to remember: putting an interface in monitor mode, it will catch a lot of traffic and therefore it's almost impossible to send/inject traffic over the same card, so for any reliable attack testing you should always use 2 wifi cards!
    Also be aware of the sometimes strange driver behaviour: if you have enabled monitor mode, always completely remove the driver module and re-insert it again, to ensure testing reliability (rmmod / modprobe, you should know about it; don't reboot, you are using Linux ;-)

    -The MadWifi driver cannot be used for Atheros-based USB cards (madwifi is being replaced by ath5k/ath9k)
    -Newer 2.6.x kernels use a completely new wireless subsystem, after years of messing with wifi drivers; this subsystem is called the mac80211 stack

    another great tool from the aircrack-ng suite: simple to use, and understanding the output is straightforward; since it also supports the kismet format and reading GPS data, this is really all you need, e.g. using airgraph-ng to create some cool graphs from your wifi dumps

    kismet has a long history and is really an amazing tool; unfortunately, for the average wifi novice, it is difficult to navigate in the GUI and has quite overwhelming features. Therefore the power of kismet is often overlooked. Channel hopping is quite powerful and I'd recommend again to use two cards within kismet, one for channel hopping and a second one for locking the channel hopper on interesting networks. The plugin feature is also quite useful, and with the optional DECT module you can also monitor DECT RF; besides that, ZigBee/802.15.4 is already in progress as well - so get more familiar with this tool!

    Web GUI based and creates nice graphs (BSSID/client relations etc.), definitely worthwhile to check out!

    ___RF Attacks___
    .I'm not going into each individual attack; there are tons of online videos, discussions etc. available, BUT you have to
    understand the basics, so get familiar with it - HIGHLY recommended reading(s): (good summary of all attacks)

    .Easy start, use a simple GUI - great work done by the Gerix team:
    python /pentest/wireless/gerix-wifi-cracker-ng/

    .airoscript (various attacks)
    very good script, just run airopdate to download & compile the latest version
    The script is self-explanatory (if you've never used it before, don't use airserv-ng, answer the question with no)

    .wesside-ng (effective for obtaining a WEP key in a short time frame)

    ___WPA/WPA2 Bruteforce___
    .Getting wordlists and rainbow tables

    .Read the basics
    General: WPA Crack Pyrit Aircrack; tons of good WLAN attack videos

    ___Fun Stuff___

    .Fake AP:
    the most stable & coolest one: Jasager/Karma on the Fon
    Very powerful client-side/social engineering attack weapon, and in combination
    with metasploit + hamster & ferret + sslstrip a very, very powerful tool!!

    besides Jasager, you can do a cheaper setup with airbase + metasploit + karmetasploit support.
    BTW: in many, many videos you'll see all these great automated client-side browser attacks and how easy it is to 0wn a client - I have to disappoint you: in real life, against a fully patched MS client running web-aware malware/antivirus protection, you will not be very successful with these iframe attacks. Therefore go the social-engineering way, think about the typical hotspot user's usage, just create a simple trap and let him download a little malicious PDF with his 'current bill' or whatever (jpg/flash/quicktime) - then you will get more success out of this kind of attack. THIS IS ILLEGAL - therefore it should only be done in 'controlled environments' (thanks to the German hacker paragraph :-()

    .Wifi Fuzzing (beacons are your best friends... and also vendor-specific extensions ;-)
    read some basics, from Mr. HDM himself:
    even if it's from 2006, still a must-read if you want to start seriously fuzzing 802.11
    also you need good knowledge about the protocol and the frame types themselves:

    use metasploit+lorcon module
    Install latest lorcon source:
    $ cd /tmp
    $ svn co lorcon
    $ cd lorcon
    $ ./configure --prefix=/usr && make && sudo make install
    Install msf3 ruby lorcon
    $ cd /opt/metasploit3/msf3/external/ruby-lorcon
    $ ruby extconf.rb
    $ make && make install

    Start msf3 & look for the included 802.11 fuzzers
    $ cd /opt/metasploit3/msf3 && svn update
    $ ./msfconsole
    msf > search auxiliary wireless

    Other recommended 802.11 fuzzing tools:
    -file2air, zulu, or our best friend scapy; Codenomicon 802.11 test suite

    .Play with 'managed access point/lightweight access point' environments
    often overlooked, but in the average enterprise you will always find a centralized, aka controller-based, access point infrastructure.

    Like the German guys just presented at Shmoocon '10 (Cisco WLCCP): these types of protocols are usually vendor proprietary, not really well documented, and a lot of different management components are involved. I did some private research 4 years ago on LWAPP and not too much has changed in CAPWAP/WLCCP ;-)
    Playing with Cisco CCX extensions is quite interesting as well.
    Think about this:
    'simple web application attack on the central management front-end (YES, all of them use web front-ends and all vendors care about feature sets, NOT security - look for the most basic web attack vectors!!): all access points are nicely sorted within the GUI (of course in a lamely set-up SQL server environment!!), managed through profiles.
    >>So what happens if you get access to these configuration profiles, or get access to WLAN controllers & client-roaming pre-auth credentials?

    ...let's share your thoughts....

    Last edited by brtw2003; 02-15-2010 at 05:05 PM.
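A defender-side companion to the Fake AP / Karma discussion above, added here as an example and not part of the original post: a Karma-style access point answers probe requests for any SSID, so one BSSID is seen sending probe responses for many unrelated network names. The parser below walks raw 802.11 management frames by hand (no radiotap header, no scapy) and flags such BSSIDs; the MAC addresses, SSIDs and the frames themselves are constructed for this example.

```python
import struct
from collections import defaultdict

SUBTYPE_PROBE_RESP, SUBTYPE_BEACON, IE_SSID = 5, 8, 0


def parse_mgmt_frame(frame):
    """Return (subtype, bssid, ssid) for a beacon/probe response, else None."""
    if len(frame) < 36:                       # 24-byte MAC header + 12 bytes fixed params
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 carries the BSSID
    pos, ssid = 36, None
    while pos + 2 <= len(frame):              # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                # truncated IE: stop, don't read past the end
            break
        if tag == IE_SSID:
            ssid = body.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return subtype, bssid, ssid


def find_karma_suspects(frames, threshold=3):
    """BSSIDs that answered probes for at least `threshold` distinct SSIDs."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed and parsed[0] == SUBTYPE_PROBE_RESP and parsed[2]:
            seen[parsed[1]].add(parsed[2])
    return {b: sorted(s) for b, s in seen.items() if len(s) >= threshold}


def build_frame(subtype, bssid, ssid):
    """Constructed test frame: MAC header, fixed params (timestamp, interval, caps), SSID IE."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return hdr + fixed + bytes([IE_SSID, len(ssid)]) + ssid.encode()


ROGUE, HONEST = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455")  # constructed MACs
SAMPLE_FRAMES = [build_frame(SUBTYPE_BEACON, HONEST, "CorpGuest"),
                 build_frame(SUBTYPE_PROBE_RESP, HONEST, "CorpGuest")]
SAMPLE_FRAMES += [build_frame(SUBTYPE_PROBE_RESP, ROGUE, s)
                  for s in ("CorpGuest", "HomeWifi", "CoffeeShop")]

if __name__ == "__main__":
    print(find_karma_suspects(SAMPLE_FRAMES))   # only the rogue BSSID is reported
```

On a real capture you would feed the 802.11 payloads of a monitor-mode pcap (with any radiotap header stripped) and tune the threshold to how many SSIDs a legitimate multi-SSID AP in your environment actually serves.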

  2. #2
    Junior Member nightlybuild
    Join Date: Feb 2010

    Re: Wireless LAN 101 - stuff you ever have looked for

    Thanks for this, I'm going to take a look at everything, looks like there's some good stuff that I never heard of before.
    If you get tired of listening to your music... cat /vmlinuz > /dev/audio
    Macbook 2.4Ghz Dual Core, 4GB Ram, Edimax EW-7318USG, BT4

  3. #3
    Junior Member
    Join Date: Jan 2010

    Re: Wireless LAN 101 - stuff you ever have looked for

    Just wanted to say thanks for all the useful info, gave me some things to look into over the next few weeks when I'm done with my current project.

  4. #4
    Join Date: Mar 2010
    SO CAL

    Re: Wireless LAN 101 - stuff you ever have looked for

    Thanks for your support.
    Stand up and be counted as a linux user.

  5. #5
    Junior Member WolverineOD
    Join Date: Apr 2010
    In front of Screen

    Re: Wireless LAN 101 - stuff you ever have looked for

    Some very good reads here. You have increased my knowledge base. Cheers
