
MISCELLANEOUS WIRELESS ATTACKS

This section covers the miscellaneous attacks that don't fit anywhere else. They aren't really flaws in the 802.11 protocol; they are ways to interfere with or break into networks by sidestepping the protocol altogether.

FakeAP

Popularity:   3
Simplicity:  10
Impact:       2
Risk Rating:  5

FakeAP is a tool by Black Alchemy that generates thousands of phantom APs from a single card. It is a perl script that tells a card running the host-ap driver to keep changing the ESSID (and MAC address) it is beaconing. FakeAP can be used to annoy war-drivers, though not much else. Because FakeAP never crafts frames itself (the driver sends the beacons for whatever ESSID, channel, and MAC the script has just configured through iwconfig and ifconfig), it needs no kernel patching or raw-injection support. The following example creates a new network every quarter second on channel 3:

[root@phoenix:/home/johnycsh/fakeap-0.3.2]$ ifconfig wlan0 up
[root@phoenix:/home/johnycsh/fakeap-0.3.2]$ perl ./fakeap.pl --interface wlan0 --channel 3
fakeap 0.3.1 - Wardrivring countermeasures
Copyright (c) 2002 Black Alchemy Enterprises. All rights reserved


Using interface wlan0:
Static channel 3
Using 4 words for ESSID generation
Using 2 vendors for MAC generation
-------------------------------------------------------------------------
/sbin/iwconfig/sbin/iwconfig/sbin/ifconfig5: ESSID=tsunami         chan=03 Pwr=Def WEP=N MAC=00:00:0C:8D:28:63
-------------------------------------------------------------------------

The idea is that your real network hides safely among the hundreds of phantom ones. It might even work against someone using NetStumbler or another active scanner, which simply logs whatever probe responses it gets back. Anyone using a passive scanner (one that just listens for beacons and data frames), however, will see right through the smokescreen: every FakeAP network is nothing but beacons from one card on one channel, and nobody will ever push data across it.
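To make both halves of this concrete (how a FakeAP-style loop produces its phantom networks, and why a passive scanner is not fooled), here is an added example that is not FakeAP's own code. It simulates the beacon stream a fakeap loop produces (fresh ESSID and MAC every interval, fixed channel) alongside a genuine AP with client traffic, then applies the passive-scanner test: a BSSID that only ever beacons and never carries a data frame is a decoy. The word list, OUI prefixes, and the BSSID of the "real" AP are constructed values for the example.

```python
import random
from collections import defaultdict

# Constructed inputs.  fakeap draws ESSIDs from a word list and MACs from a
# vendor OUI list (the run above used 4 words and 2 vendors); these
# particular words and prefixes are assumptions for the example.
WORDS = ["tsunami", "linksys", "phoenix", "default"]
OUIS = ["00:00:0C", "00:06:25"]


def fake_ap_beacons(count, channel, interval=0.25, seed=1):
    """Beacon records a fakeap-style loop produces.  Every `interval` seconds
    the script reconfigures the card with a new ESSID and MAC on a fixed
    channel (as with --channel 3), so each phantom network is seen for one
    interval and then vanishes.  Record layout: (t, kind, bssid, essid, chan)."""
    rng = random.Random(seed)
    frames = []
    for i in range(count):
        essid = rng.choice(WORDS)
        bssid = rng.choice(OUIS) + "".join(f":{rng.randrange(256):02X}" for _ in range(3))
        frames.append((i * interval, "beacon", bssid, essid, channel))
    return frames


def real_ap_traffic(bssid, essid, channel, seconds):
    """Constructed traffic for a genuine AP: a beacon every 0.1 s plus data
    frames from the clients that are actually using it."""
    frames = []
    for tick in range(int(seconds * 10)):
        t = tick / 10
        frames.append((t, "beacon", bssid, essid, channel))
        if tick % 3 == 0:
            frames.append((t + 0.01, "data", bssid, essid, channel))
    return frames


def passive_classify(frames):
    """What a passive scanner sees: it keys on BSSID and counts frame types.
    A BSSID that only ever beacons is 'beacon-only'; one that also carries
    data frames is 'real'.  FakeAP identities can only ever be the former,
    because no client ever associates with them."""
    stats = defaultdict(lambda: {"beacon": 0, "data": 0})
    for t, kind, bssid, essid, chan in frames:
        stats[bssid][kind] += 1
    return {bssid: ("real" if s["data"] else "beacon-only") for bssid, s in stats.items()}


def decoy_summary(verdicts):
    """Return (decoy_count, real_count) for a set of verdicts."""
    decoys = sum(1 for v in verdicts.values() if v == "beacon-only")
    return decoys, len(verdicts) - decoys


if __name__ == "__main__":
    capture = fake_ap_beacons(40, 3) + real_ap_traffic("02:11:22:33:44:55", "corpnet", 6, 5.0)
    decoys, real = decoy_summary(passive_classify(capture))
    print(f"{decoys} beacon-only decoys, {real} real network(s)")
```

The same test generalizes beyond FakeAP: any "network" that is beaconed but never carries data is either a decoy or idle, and a few minutes of passive listening separates the two.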

Recovering WEP/WPA Keys with wzcook

Popularity:   6
Simplicity:  10
Impact:       8
Risk Rating:  8

wzcook is a small program included with the Windows version of aircrack. It recovers the WEP keys and WPA pairwise master keys (PMKs) stored by the Wireless Zero Configuration service. It takes no arguments and writes a text file, c:\wepkeys.txt, that looks like the following:

c:\> type wepkeys.txt
  ESSID                             WEP KEY / WPA PMK
  G-ONLY                            00112233445566778899AABBCC00000000000000000000000000000000000000
  Radium                            9E004DB90E169318FD1D5F4FA89D54C454CFD8E82FDE271110D6585FAB703C00
  AirPlus                           0102030405000000000000000000000000000000000000000000000000000000

This attack is the Windows analogue of cat /etc/wpa_supplicant.conf on Linux and requires administrator access. A legitimate user of the machine can use it to recover WPA/WEP keys the administrator never meant them to know, and an attacker who has already compromised the machine by some other means can use it to get onto the wireless network.

When the recovered key belongs to a network using static WEP or WPA/WPA2 in pre-shared key mode, the attacker can freely authenticate to the network and read its traffic (for WEP directly; for WPA-PSK after capturing each client's four-way handshake, since the PMK plus the handshake nonces yield that client's session key). If the network uses WPA with some sort of enterprise (802.1X) authentication, the PMK is derived per session from the EAP exchange, so the attacker gets only the single compromised workstation, and only for its current session.
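What a practitioner wants to do with wepkeys.txt is tell the three kinds of entry apart (the file does not say which is which) and turn them into something that joins the network. The following is an added example, not part of aircrack or wzcook. It parses a constructed copy of the file shown above, classifies each key by the heuristic that wzcook zero-pads shorter WEP keys to the 32-byte slot (an assumption; wzcook does not record the key type), emits the matching wpa_supplicant.conf stanza, and includes the PBKDF2 derivation that makes a recovered PMK equivalent to the passphrase for a WPA-PSK network.

```python
import hashlib
import re

# Constructed copy of a wepkeys.txt in the layout wzcook writes: ESSID in
# the first column, the key zero-padded to 64 hex digits in the second.
# Values are the ones shown above; the padding is written as "0" * n so the
# 64-digit width is explicit.
SAMPLE = "\n".join([
    "  ESSID                             WEP KEY / WPA PMK",
    "  G-ONLY      " + "00112233445566778899AABBCC" + "0" * 38,
    "  Radium      9E004DB90E169318FD1D5F4FA89D54C454CFD8E82FDE271110D6585FAB703C00",
    "  AirPlus     " + "0102030405" + "0" * 54,
    "",
])

ENTRY_RE = re.compile(r"^\s*(.+?)\s+([0-9A-Fa-f]{64})\s*$")


def classify_key(hexkey):
    """Decide what a 32-byte slot holds.  Heuristic (an assumption): WEP
    keys are padded with zero bytes, so strip trailing zeros and size what
    is left.  Up to 5 bytes is a 40-bit WEP key, up to 13 a 104-bit one,
    anything longer is a full 256-bit WPA PMK.  A genuine PMK ending in 19
    or more zero bytes would be misread, which is vanishingly unlikely."""
    raw = bytes.fromhex(hexkey)
    n = len(raw.rstrip(b"\x00"))
    if n <= 5:
        return "WEP-40", raw[:5].hex()
    if n <= 13:
        return "WEP-104", raw[:13].hex()
    return "WPA-PMK", raw.hex()


def parse_wepkeys(text):
    """Turn wepkeys.txt into a list of {'essid', 'type', 'key'} dicts,
    skipping the header and any line without a 64-digit key."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ktype, key = classify_key(m.group(2))
        entries.append({"essid": m.group(1), "type": ktype, "key": key})
    return entries


def wpa_pmk(passphrase, ssid):
    """PMK for a WPA/WPA2-PSK network: PBKDF2-HMAC-SHA1(passphrase, ssid,
    4096 iterations, 32 bytes).  Because the PMK is the only thing the
    passphrase is ever used for, the PMK column is as good as the
    passphrase for joining a PSK network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_supplicant_block(entry):
    """Emit the network={} stanza wpa_supplicant.conf needs to join with the
    recovered key: a 64-hex-digit psk= value is taken as the raw PMK, and
    wep_key0= with key_mgmt=NONE covers static WEP."""
    if entry["type"] == "WPA-PMK":
        body = f'    psk={entry["key"]}\n'
    else:
        body = f'    key_mgmt=NONE\n    wep_key0={entry["key"]}\n    wep_tx_keyidx=0\n'
    return f'network={{\n    ssid="{entry["essid"]}"\n{body}}}\n'


if __name__ == "__main__":
    for e in parse_wepkeys(SAMPLE):
        print(f'{e["essid"]:<10} {e["type"]:<8} {e["key"]}')
        print(wpa_supplicant_block(e))
```

The PBKDF2 function is included so the reader can verify the relationship on the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"): a recovered PMK lets you join a PSK network without ever learning the passphrase, and conversely a candidate passphrase can be checked against the PMK offline.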

Defeating Captive Portals with Tunneling

Popularity:   4
Simplicity:   4
Impact:       8
Risk Rating:  5

Everyone has been in this position at least once. You're at an airport or hotel, and they want to sell you Internet access for $20 a day or $5 an hour. Do you really want to spend $5 to check your e-mail? Depending on how well the captive portal is configured, you might not have to. A captive portal works by redirecting all of your traffic to its own server until you accept the terms of use (which often means paying with a credit card). If you plan ahead, you may be able to avoid this.

Some captive portal software is configured not to catch all traffic. It will always catch TCP, if only so it can redirect your HTTP requests to its web page, but other protocols may slip through. Which ones depends on the software in use; good guesses are ICMP and DNS.

If a captive portal lets DNS traffic out, you can arrange for a DNS server under your control to carry IP over DNS: your laptop encodes outbound data in queries for names inside a domain you control, the portal's resolver dutifully forwards them to your authoritative server, and data comes back in the responses. Tools that implement this include NSTX and OzymanDNS. If the portal lets ICMP through, a tool called ICMPTX does the same thing over echo request and reply packets. ICMPTX is easier to set up because it doesn't require running a DNS server or owning a domain.

All of these tools require that you plan ahead and deploy them on a server somewhere before you get stuck behind a captive portal. ICMPTX and NSTX need Linux with TUN/TAP support on both the server and the client (your laptop). OzymanDNS makes no explicit demands of the Linux kernel and can run on other UNIX operating systems.
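The mechanism all of the DNS tunnels share is worth seeing in code, because it explains both why the trick works and where its limits come from. The following is an added example, not NSTX or OzymanDNS code, using its own simplified framing: outbound bytes become base32 labels in query names under a zone the attacker controls (t.example.com is an assumed name), and replies come back as TXT records. It handles the constraints a real tunnel has to respect: 63-byte labels, 253-byte names, 255-byte TXT strings, resolvers that fold case, and queries arriving out of order.

```python
import base64

# Assumed: the attacker runs the authoritative server for this zone and has
# deployed the decoder there ahead of time.  The zone name and the framing
# are assumptions for the example; NSTX and OzymanDNS use their own formats.
TUNNEL_ZONE = "t.example.com"
MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253    # practical limit on a full domain name
SEQ_WIDTH = 5     # "s0000" .. "s9999": sequence label on every query


def encode_upstream(payload):
    """Client side.  Encode payload as a series of DNS query names inside
    TUNNEL_ZONE.  Base32 is used because resolvers may change the case of a
    name; the sequence label lets the server reorder queries that arrive
    out of order or are retried."""
    data = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    # Full 63-char data labels that fit once the zone, the sequence label
    # and the separating dots are accounted for.
    labels_per_query = (MAX_NAME - len(TUNNEL_ZONE) - SEQ_WIDTH - 2) // (MAX_LABEL + 1)
    per_query = labels_per_query * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(data), per_query)):
        chunk = data[start:start + per_query]
        labels = [f"s{seq:0{SEQ_WIDTH - 1}d}"]
        labels += [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        labels.append(TUNNEL_ZONE)
        name = ".".join(labels)
        assert len(name) <= MAX_NAME, "name budget miscalculated"
        names.append(name)
    return names


def decode_upstream(names):
    """Server side.  Reassemble the payload from the query names the
    authoritative server received, ignoring unrelated queries and
    tolerating reordering and case changes introduced on the way."""
    zone = TUNNEL_ZONE.split(".")
    chunks = {}
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if labels[-len(zone):] != zone or not labels[0].startswith("s"):
            continue
        chunks[int(labels[0][1:])] = "".join(labels[1:-len(zone)])
    data = "".join(chunks[s] for s in sorted(chunks)).upper()
    data += "=" * (-len(data) % 8)      # restore the base32 padding we stripped
    return base64.b32decode(data)


def encode_downstream(payload):
    """Server side.  Replies ride in TXT records, whose character strings are
    limited to 255 bytes each.  TXT data is not case-folded, so the denser
    base64 alphabet is safe here."""
    data = base64.b64encode(payload).decode("ascii")
    return [data[i:i + 255] for i in range(0, len(data), 255)]


def decode_downstream(strings):
    """Client side: join the TXT strings back together and decode."""
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    request = b"GET / HTTP/1.0\r\nHost: example.org\r\n\r\n"
    queries = encode_upstream(request)
    print(f"{len(request)} bytes -> {len(queries)} query name(s), first: {queries[0]}")
    assert decode_upstream(queries) == request
```

Two things follow from the arithmetic. Each query carries under 120 bytes of payload, so the tunnel is slow, and every packet you send produces a query for a never-before-seen name under one domain, which is exactly what a portal operator who logs DNS would look for. The definitive test for whether a portal lets DNS out is also implied: resolve a name under a zone you control and watch your authoritative server's log for the query; if it arrives, the tunnel will work, whatever the portal's own resolver appears to do.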

