About
Wireless Hacking
Wireless networks broadcast their packets
using radio frequency or optical wavelengths. A modern laptop computer can
listen in. Worse, an attacker can manufacture new packets on the fly and
persuade wireless stations to accept his packets as legitimate.
The step by step procedures in wireless
hacking can be explained with help of different topics as follows:-
1) Stations and Access Points :- A wireless network interface card (adapter) is
a device, called a station, providing the network physical layer over a radio
link to another station.
An access point (AP) is a station that provides frame distribution service to
stations associated with it.
The AP itself is typically connected by wire to a LAN. Each AP has a 0 to 32
byte long Service Set Identifier (SSID) that is also commonly called a network
name. The SSID is used to segment the airwaves for usage.
2) Channels :- The stations communicate with each other using radio frequencies
between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two
wireless networks using neighboring channels may interfere with each other.
3) Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption
system used to encrypt packets transmitted between a station and an AP. The WEP
algorithm is intended to protect wireless communication from eavesdropping. A
secondary function of WEP is to prevent unauthorized access to a wireless
network. WEP encrypts the payload of data packets. Management and control frames
are always transmitted in the clear. WEP uses the RC4 encryption algorithm.
4) Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A
(packet) sniffer is a program that intercepts and decodes network traffic
broadcast through a medium. It is easier to sniff wireless networks than wired
ones. Sniffing can also help find the easy kill as in scanning for open access
points that allow anyone to connect, or capturing the passwords used in a
connection session that does not even use WEP, or in telnet, rlogin and ftp
connections.
5 ) Passive Scanning :- Scanning is the act of sniffing by tuning to various
radio channels of the devices. A passive network scanner instructs the wireless
card to listen to each channel for a few messages. This does not reveal the
presence of the scanner. An attacker can passively scan without transmitting at
all.
6) Detection of SSID :- The attacker can discover the SSID of a network usually
by passive scanning because the SSID occurs in the following frame types:
Beacon, Probe Requests, Probe Responses, Association Requests, and
Reassociation Requests. Recall that management frames are always in the clear,
even when WEP is enabled.
When the above methods fail, SSID discovery is done by active scanning
7) Collecting the MAC Addresses :- The attacker gathers legitimate MAC
addresses for use later in constructing spoofed frames. The source and
destination MAC addresses are always in the clear in all the frames.
8) Collecting the Frames for Cracking WEP :- The goal of an attacker is to
discover the WEP shared-secret key. The attacker sniffs a large number of
frames An example of a WEP cracking tool is AirSnort (
http://airsnort.shmoo.com ).
9) Detection of the Sniffers :- Detecting the presence of a wireless sniffer,
who remains radio-silent, through network security measures is virtually
impossible. Once the attacker begins probing (i.e., by injecting packets), the
presence and the coordinates of the wireless device can be detected.
10) Wireless Spoofing :- There are well-known attack techniques known as
spoofing in both wired and wireless networks. The attacker constructs frames by
filling selected fields that contain addresses or identifiers with legitimate
looking but non-existent values, or with values that belong to others. The
attacker would have collected these legitimate values through sniffing.
11) MAC Address Spoofing :- The attacker generally desires to be hidden. But
the probing activity injects frames that are observable by system
administrators. The attacker fills the Sender MAC Address field of the injected
frames with a spoofed value so that his equipment is not identified.
12) IP spoofing :- Replacing the true IP address of the sender (or, in rare
cases, the destination) with a different address is known as IP spoofing. This
is a necessary operation in many attacks.
13) Frame Spoofing :- The attacker will inject frames that are valid but whose
content is carefully spoofed.
14) Wireless Network Probing :- The attacker then sends artificially constructed
packets to a target that trigger useful responses. This activity is known as
probing or active scanning.
15) AP Weaknesses :- APs have weaknesses that are both due to design mistakes
and user interfaces
16) Trojan AP :- An attacker sets up an AP so that the targeted station
receives a stronger signal from it than what it receives from a legitimate AP.
17) Denial of Service :- A denial of service (DoS) occurs when a system is not
providing services to authorized clients because of resource exhaustion by
unauthorized clients. In wireless networks, DoS attacks are difficult to
prevent, difficult to stop. An on-going attack and the victim and its clients
may not even detect the attacks. The duration of such DoS may range from
milliseconds to hours. A DoS attack against an individual station enables
session hijacking.
18) Jamming the Air Waves :- A number of consumer appliances such as microwave
ovens, baby monitors, and cordless phones operate on the unregulated 2.4GHz
radio frequency. An attacker can unleash large amounts of noise using these
devices and jam the airwaves so that the signal to noise drops so low, that the
wireless LAN ceases to function.
19) War Driving :- Equipped with wireless devices and related tools, and
driving around in a vehicle or parking at interesting places with a goal of
discovering easy-to-get-into wireless networks is known as war driving.
War-drivers (http://www.wardrive.net) define war driving as “The benign act of
locating and logging wireless access points while in motion.” This benign act
is of course useful to the attackers.
Regardless of the protocols, wireless networks will remain potentially insecure
because an attacker can listen in without gaining physical access.
Tips for Wireless Home Network Security
1)
Change Default Administrator Passwords (and Usernames)
2) Turn on (Compatible) WPA / WEP Encryption
3) Change the Default SSID
4) Disable SSID Broadcast
5) Assign Static IP Addresses to Devices
6) Enable MAC Address Filtering
7) Turn Off the Network During Extended Periods of Non-Use
8) Position the Router or Access Point Safely
Lets find out how best to protect your system from online
attacks.
a)
First up don’t allow your CCTV system to
respond to a ping request. You don’t want any other internet device to be able
to see if your device can “talk” to it. You will be the only one able to do
this once you log in to your password encrypted software. Turn the option to
receive Pings off in your DVR (digital video recorder) and also in your router.
You can also change the port names on the DVR if allowed.
b)
If this function is not feasible, alter
the router setups to utilize Port Forwarding, so that web traffic on a certain
inbound port number will be sent to the appropriate port of the DVR
on your network.
c)
As mentioned above modify the password on the
CCTV System with lower and uppercase leTter$ + $ymb0ls- THIS IS A NECESSITY. Make it super
complicated.
d)
See to it that you regularly update
the firmware on the CCTV System to keep it up to day with the latest
security threats. Manufactures will regularly update their software to
counteract new threats they have detected.
e)
Configure your router’s Firewall software–
Unless you want to give any person on the web access to your CCTV system. With
the firewall program that comes along with your router you can also ban
particular IP (Internet Protocol) and MAC (computer identification
nodes) addresses from accessing your CCTV system.
The designers made a mistake in setting this type of layout because in
order to get the administrative webpage, the client has to connect to the
network if it is active. Right!. Yes it is. Once a user activates the wireless
connection it gets connected to the same WLAN which has a gateway address of
192.168.0.1 (default for Cradle-point routers). It is hilarious but it is
trivial to subvert the stuff to get the password. Now, the hacker is in the
network, so we can get possible ARP entry which resolute the IP address to the
MAC address (simply ping the gateway) for the router.
As per the documentation, the password has to be 071640. Let’s
try
