Wi-Foo: The Secrets of Wireless Hacking

prostoalex writes "Wireless LANs seem to be enjoying the tremendous amount of interest lately, if you judge by the number of book covers and articles written on the topic. It's no wonder that this year the sales of WLAN equipment will grow 20% and generate $2.1 billion - everyone seems to be installing a wireless network in their office, their apartment complex or their own backyard. With extending the network into the radio world one is always extending the opportunities for unwelcome visitors to become part of the network. This book is a hands-on guide on hacking wireless networks followed by the recipes and principles to protect WLANs." Read on for the rest of prostoalex's review of Wi-Foo.

Wi-Foo: The Secrets of Wireless Hacking
author: Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky
pages: 608
publisher: Addison-Wesley
rating: 9
reviewer: Alex Moskalyuk
ISBN: 0321202171
summary: Complete guide to wireless attack and defense

Wi-Foo requires a certain level of expertise, and it's unlikely that the book will be sold left and right or that everyone will want a copy. First of all, to do anything substantial you need to have Linux or FreeBSD operating system installed and know your way around it. Second of all, some knowledge of Perl is required to go through the script source code and enjoy occasional tools that appear on the Internet. The third required bit of knowledge is some familiarity with how wireless networks work and how one can gain advantage of those radio waves that seem to contain pieces of data.

The authors claim that one has little knowledge of wireless security unless he's done some war-driving. So, skipping the first two chapters (which talk about security in general), chapters 3, 4 and 5 take the reader through the hassle of setting up the Linux laptop with all the hardware and software needed to do successful war-driving. The last time I reviewed a book on getting wireless to work with Linux, you guys kept asking what card would work the best with a Linux laptop. To quote p. 28 of Wi-Foo, "if you're serious about 802.11 penetration testing, you should get a decent Prism chipset card. If you plan to base your security audit effort around the BSD platform, you probably cannot do without it. Prism chipset CF and PCMCIA cards are known to be produced by Addtron, Asante, Asus, Belkin, Buffalo, Compaq, Demark, D-Link, Linksys, Netgate, Netgear, Proxim, Senao, SMC, Teletronics, US Robotics, Zcomax and ZoomAir."

What follows could essentially be condensed into a single Web site with links to various Linux tools for network discovery, traffic analysis, encryption cracking, 802.1x cracking, frame generation and traffic injection. Kudos to the authors for providing sometimes detailed instructions on setting up the utility and getting the successful results out of it -- it's obvious that they did not just peruse the Web in search of what's available and provided a list of URLs; they installed, tested and reviewed all the Linux network security utilities listed in the table of contents. As much as many of the products and tools listed complement one another, it was useful for me to see the professionals' take on advantages and disadvantages of free tools out there. Wherever possible, the authors try to stick with free software, which makes the book a pretty useful guide for most enthusiasts out there.

The authors are serious about getting the reader to war-drive at some point, and chapter 8 specifically talks about generating wireless denial-of-service attacks as a last resort for a cracker, who seems to be in a bad mood when other methods of wireless penetration do not work. The book talks about antenna amplifiers and some hardware you might buy to be more successful in wireless hacking. They also discuss the possibilities of war-biking, war-walking and riding a hot air balloon.

By the time you're finished with chapter 9, if your title includes words like "security" or "administrator," you will probably find yourself quite perplexed. That's where Part 3 (Defense) kicks in, as the authors discuss counter-measures against wireless cracking and possible steps one can take to secure the wireless network. It's not the typical don't-use-WEP-don't-broadcast-your-ID-don't-rely-on-MAC-filtering preaching one can find in security manuals created for the home user (I am not saying those are bad -- for a home user they do provide necessary guidance in securing a WLAN). This is mostly industrial-level security, which might include multiple levels of protection, such as 802.11i implementation, implementing encryption around the wireless networks, creating hardware Linux-based gateways, deploying VPNs and intrusion detection systems. Setting up honeypots is missing from this list, although one can debate whether this could be considered a worthwhile project outside of the academic world.

The book uses clear language and is easy to read. At the same time it takes a while to go through it, as you keep trying out the presented solution on your Linux laptop. The chapters that talk about the philosophical decisions when securing wireless LANs are helpful as well -- the authors occasionally get away from hands-on approach and talk about general principles to consider. Code examples are easy to follow, and every tool that's presented in the title is accompanied by the URL (for some reason Addison-Wesley did not include a CD with Wi-Foo); a large number of them point to sourceforge.net. All the links are available on the book's Web site; see the attack and defense sections.

If you should decide to take up a career as a wireless security consultant, Appendix G includes a variety of checklists and templates that the authors recommend for the corporate environment. Chapter 8 -- Breaking Through is available for free in PDF format. Overall I liked this book a lot. It seemed to concentrate on what's necessary without going into fluff and chapters like "History of radio" or "Linux on laptops for beginners." It's informative and easy to read; if you're an enthusiast, try out the free chapter and see if you like the authors' style, but if you're a network admin or security professional, this book is almost a must. It's a combo of Exploiting Software and Hacking Exposed with specialization on wireless LANs.

You can purchase Wi-Foo from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.


  1. home based wireless lan's by Stypen · · Score: 2, Insightful

    WEP.. simple, easy, mostly effective.

    --
    Opportunities of a lifetime must be seized within the lifetime of the opportunity. - Linda Ravenhill
    1. Re:home based wireless lan's by bugnuts · · Score: 4, Insightful

      The issue with WEP is that there are predictable packets where you can slowly derive information, and eventually obtain complete key recovery, and increasing the keylength only increases the difficulty LINEARLY, not exponentially.

      Normally when you add a single bit, it doubles the time for brute force attacks. Instead of being TWICE as difficult when going from 40 to 41 bits, it's only 1/40th more difficult.

      You need to collect about 2GB of data to recover a 104 bit key, on the average.

      Now... that all said, it's arguable that if you even use a 40 bit key that you are proclaiming your network PRIVATE, where unauthorized use is actually a criminal offense. In other words, any use of it requires actually attacking the network, not just turning on your computer, which typically meets or surpasses any implied consent requirements. You will discourage anyone that wants to "ethically" borrow wireless by setting a WEP key.

      It's kind of like locking your screen door. It's easy to get past, but pretty obvious it's breaking and entering.

      If you're interested in providing an open network but with a "I won't break your network or the law" agreement, check out NoCat.

    2. Re:home based wireless lan's by bbdd · · Score: 2, Insightful

      i agree with the parent, and i found these comments to be very interesting. if you are up to date on firmware patches, wep might be enough for you.

      if you are trying to protect missile launch codes, i might look elsewhere, but for day-to-day crap...

    3. Re:home based wireless lan's by AK+Marc · · Score: 4, Insightful

      WEP by itself sometimes is not enough,

      Sure it is. Unless you have specific enemies, or you are next door to someone that has nothing better to do than try to illegally break into your network (not too bright to commit a federal felony just to save a little on the cable modem bill), then WEP is more than enough. Sure, it isn't unbreakable. But it will get anyone mobile looking to get free access or check out someone's computers to move down the block to the unencrypted one.

      Your security doesn't have to be foolproof. It just has to be good enough so that the people looking to break in move to the next target.

      with MAC protection

      Uh, speaking of poor security, it takes all of one captured packet to defeat this. Find the MAC of a card that is on the network (in the headers, easy to get), and manually set your card to that MAC. You'll run into fewer problems if you don't try to get on at the same time they are on, though. Again, that will only keep out the stupid and uncommitted, and can be cracked with inspection of a single packet. For something so utterly useless compared to even the flawed WEP, I'm surprised it even made your list. I don't know of a single person capable of cracking WEP that wouldn't get through your MAC filter in less than 30 seconds (and that's people capable of breaking WEP, not just people who say they've seen some tool available somewhere that may capture packets or something).

      Oh, and even if you don't broadcast your SSID, it is included in the packets. There are tools that will scan more than just the beacon packets and will be able to pull the SSID out. Again, someone that knows what they are doing will be much more inconvenienced by WEP than all the other things you mentioned combined. Sure, it improves security. It's like locking the door handle when you have already locked the deadbolt. If someone can defeat a deadbolt, they can easily defeat the handle lock as well.

      Of course, there is always the slashdot crowd to prove me wrong...

      Not prove you wrong. You are right. It is harder to break into a network that also has MAC filtering enabled and SSID broadcasts disabled. But, even as easy as it is to set up, it is even easier to break those than it was to set them up (assuming that someone capable of cracking WEP is moderately familiar with the concepts). So, though correct, I'd put it in the FUD category.
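The thread above notes that a MAC filter falls to a cloned address. From the defender's side, a cloned MAC is still visible to a wireless IDS, because each real radio keeps its own 12-bit 802.11 sequence counter; two radios sharing one MAC show up as two interleaved counters. The following is an added example (not code from the book or from any commenter) that runs that check over a constructed list of (source MAC, sequence number) records; the tolerance and threshold values are assumptions chosen for illustration.

```python
"""Flag a client MAC that appears to be transmitted by two radios.

A genuine station increments its 802.11 sequence number (0..4095) once
per frame, so a monitor sees a smooth, wrapping series. A second radio
cloning that MAC interleaves its own counter, producing repeated large
backward jumps. The frame records below are constructed sample data.
"""
from collections import defaultdict

SEQ_MOD = 4096          # 802.11 sequence numbers are 12 bits wide
BACKWARD_TOLERANCE = 8  # assumed: small reorder/retransmit jitter is normal
CLONE_THRESHOLD = 2     # assumed: flag after this many backward jumps


def seq_delta(prev, cur):
    """Signed distance from prev to cur, modulo wraparound.
    Negative means the counter went backwards."""
    d = (cur - prev) % SEQ_MOD
    return d if d < SEQ_MOD // 2 else d - SEQ_MOD


def find_cloned_macs(frames):
    """frames: iterable of (source_mac, seq_number) in capture order.
    Returns {mac: backward_jump_count} for MACs exceeding the threshold."""
    last_seq = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        if mac in last_seq:
            if seq_delta(last_seq[mac], seq) < -BACKWARD_TOLERANCE:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= CLONE_THRESHOLD}


# Constructed capture: 00:11:... is one honest station; aa:bb:... is one
# MAC seen from two radios whose counters sit near 3000 and near 2500.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", 100), ("aa:bb:cc:dd:ee:01", 3000),
    ("00:11:22:33:44:55", 101), ("aa:bb:cc:dd:ee:01", 3001),
    ("aa:bb:cc:dd:ee:01", 2500), ("aa:bb:cc:dd:ee:01", 3002),
    ("00:11:22:33:44:55", 102), ("aa:bb:cc:dd:ee:01", 2501),
    ("aa:bb:cc:dd:ee:01", 3003), ("00:11:22:33:44:55", 103),
    ("aa:bb:cc:dd:ee:01", 2502), ("00:11:22:33:44:55", 104),
]

if __name__ == "__main__":
    print(find_cloned_macs(SAMPLE_FRAMES))  # {'aa:bb:cc:dd:ee:01': 3}
```

Real monitor-mode captures drop frames, so forward gaps are expected and only backward jumps beyond the tolerance are counted.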

  2. Re:EAP-TLS by rworne · · Score: 2, Insightful

    IIRC, at the time the paper was written, EAP-TTLS and PEAP leaked the least amount of info to a possible attacker and had no known exploits at the time. Check the link offered in the bibliography, it explains it in more detail.

    The key point of that section (as miserably brief as it was, I admit) was to point out there are developments helping the situation, but the overall opinion is that wireless networks are not secure and people need to be aware of the traffic that is sent over them and what this traffic might reveal to an attacker.

    Frankly, I needed another semester to work on the thesis, but schedules are a pain.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit