
Showing posts from March 23, 2008

Secure Your WLAN With Aircrack-ng - PART IV

Find Weak WPA Passphrases But what about WPA (both the original WPA and the later WPA2)? WPA is much more secure than WEP, and there are no statistical attacks that can methodically break WPA in the way that WEP can be broken. But there is a weakness: like any encryption system, you can always carry out a brute force attack, trying every possible passphrase in turn to find the correct one. In practice this is not possible: it would take billions of years to try every possible passphrase. So all that is practicable is to test whether an "obvious" passphrase has been used, by trying possible passphrases from a word list. If the passphrase is "non-guessable" (ideally a long random string of upper and lower case characters and symbols) then a brute force attack using a word list will not succeed. If the brute force attack does succeed, then it's time to change the passphrase to something more complex. When a client authenticates with a WPA protected access poin

Secure Your WLAN With Aircrack-ng - PART III

Audit Wireless Access Points If you find any rogue access points, at this point you can take steps to find their owners and make sure they are closed down. But what about your official ones? How secure are they? Here's how to find out. Firstly, if the wireless networks are secured by WEP, then as mentioned above the answer is "not secure at all." Here's proof: First, make a note of the channel of the WEP protected access point you want to test from the Airodump-ng window. In the case above the channel (CH) is channel 1. Next, quit airodump-ng by pressing Control-C, then restart it by typing: airodump-ng -c X -w mycapture ath0 changing the X for the channel number of your access point. This will start capturing data which you will use to crack the WEP key, in a file called mycapture-01.cap in your home directory. Next you'll need to inject some traffic onto the network. To do this you can use Aircrack-ng's packet injection tool, Aireplay-ng, to monitor the net

Secure Your WLAN With Aircrack-ng - PART II

Capture Packets with Monitor Mode Once you've got the necessary patched drivers installed, the next step is to put the wireless card into monitor (also known as RFMON) mode so that it can capture packets without associating with any particular network. The way to do this varies slightly from one driver to another, but for cards using Madwifi drivers the best way to do this is to become root and from a terminal session type: iwconfig and then: airmon-ng stop ath0 (replacing ath0 with the name of the active wireless interface displayed by iwconfig) and then: airmon-ng start wifi0 Issuing another iwconfig command should confirm a new interface - probably ath0 – has been placed in monitor mode. Now, to scan for access points, type: airodump-ng ath0 This will show you any networks detected, the MAC addresses of the access points (BSSID), the MACs of any computers which are connected to them (STATION), and the wifi channels they are operating on. If the access point is broadcasting its n

Secure Your WLAN With Aircrack-ng

Rogue access points and weak passwords are the bane of any network administrator's life: all it takes is one user setting up a consumer-grade wireless router in the cube farm so he or she can use a PDA or whatever and you've got yourself a potentially serious security risk. It's quite possible that the wireless signal is leaking out into the street, and anyone passing by could get access to your network, even if they are using WEP, WPA or WPA2 encryption. But it's not just rogue APs that are a worry. If you're not using WPA-Enterprise or WPA2-Enterprise (both of which use a RADIUS server) in your organization, then any wireless networks you are running using WEP, WPA or WPA2 are also at risk. That's where Aircrack-ng can be useful. This open source suite of applications can help you locate all the access points in your offices, check that the networks are protected by encryption, and test the strength of the keys or passphrases that are in use. If any network uses WEP

Nmap featured in The Bourne Ultimatum

In The Bourne Ultimatum (IMDB), the CIA needs to hack the mail server of a newspaper (The Guardian UK) to read the email of a reporter they assassinated. So they turn to Nmap and its new official GUI Zenmap to hack the mail server! Nmap reports that the mail server is running SSH 3.9p1, Postfix smtpd, and a name server (presumably BIND). They also make substantial use of Bash, the Bourne-again shell. Congratulations to Roger Chui for being the first to spot this. He also sent a scene transcript and the following HD screen shots: Other movies which have used Nmap include: The Matrix Reloaded, The Listening, Battle Royale, and, uhh, HaXXXor: No Longer Floppy (NSFW). Screen shots of Nmap in all of these movies are available here. Nmap is becoming quite the movie star!

Top 5 Wireless Tools

#1 Kismet: A powerful wireless sniffer. Kismet is a console (ncurses) based 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, ... #2 NetStumbler: Free Windows 802.11 sniffer. Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such named Ministumbler. The tool is currently free but Windows-only and no source code is provided. It uses a more active