216    Chapter 4 • Communication Security: Wireless

scan and attack any machines local to the network, or use those machines as agents to launch attacks on remote hosts.

If an attacker finds a network with WEP enabled, they will need to identify several items to reduce the time it takes to get onto the wireless network. First, utilizing the output of NetStumbler or another network discovery tool, the attacker will identify the SSID, network, MAC address, and any other packets that might be transmitted in cleartext. Generally, NetStumbler results include vendor information, which an attacker can use to determine which default keys to attempt on the wireless network.

If the vendor information has been changed or is unavailable, the attacker might still be able to use the SSID and network name and address to identify the vendor or owner of the equipment. (Many people use the same network name as the password, or use the company initials or street address as their password.) If the SSID and network name and address have been changed from the default setting, a final network-based attempt could be to use the MAC address to identify the manufacturer.

If none of these options work, there is still the possibility of a physical review. Many public areas are participating in the wireless revolution. An observant attacker might be able to use physical and wireless identification techniques such as finding antennas, APs, and other wireless devices that are easily identified by the manufacturer's casing and logo.

             Exploiting Those Weaknesses
A well-configured wireless AP will not stop a determined attacker. Even if the network name and SSID are changed and the secret key is manually reconfigured on all workstations on a regular basis, the attacker can still take other avenues to compromise the network.

If easy physical access is available near the wireless network (for example, a parking lot or garage next to the building being attacked), the only thing an attacker needs is patience and AirSnort or WEPCrack. When these applications have captured enough "weak" packets (IV collisions, for example), the attacker is able to determine the secret key currently in use on the network. Quick tests have shown that an average home network can be cracked in an overnight session. To ensure network protection, the WEP key would have to be changed at least two times per day!
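The following Python is an added illustration, not part of the book, of why the IV collisions mentioned above arrive so quickly: WEP prepends a 24-bit IV to each frame's RC4 key, so the birthday bound puts a repeat within a few thousand frames. It assumes a sender that chooses IVs uniformly at random (a sender that simply counts upward wraps after 2^24 frames instead).

```python
import math
import random

IV_BITS = 24                 # WEP IV length in bits (fixed by the protocol)
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs per secret key


def collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound probability that at least two of `frames` frames reuse
    an IV, assuming the sender picks each IV uniformly at random."""
    n = 1 << iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


def frames_for_collision_probability(p: float, iv_bits: int = IV_BITS) -> int:
    """Smallest frame count at which an IV reuse has probability >= p
    (inverse of the approximation in collision_probability)."""
    n = 1 << iv_bits
    return math.ceil(math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p))))


def first_collision_random_ivs(seed: int = 1, iv_bits: int = IV_BITS) -> int:
    """Monte Carlo check of the estimate: draw random IVs (constructed here,
    not captured traffic) until one repeats; return that frame's index."""
    rng = random.Random(seed)
    seen = set()
    frames = 0
    while True:
        frames += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return frames
        seen.add(iv)


def frames_for_exhaustion(iv_bits: int = IV_BITS) -> int:
    """Upper bound for any IV scheme: a sequential counter must wrap here."""
    return 1 << iv_bits


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values per key")
    for p in (0.1, 0.5, 0.9):
        k = frames_for_collision_probability(p)
        print(f"{k:>7,} random-IV frames -> {p:.0%} chance of an IV reuse")
    print(f"first reuse in one simulated run: frame {first_collision_random_ivs():,}")
    print(f"sequential IVs wrap after {frames_for_exhaustion():,} frames")
```

With the 50% point near 4,800 frames, a busy AP crosses it in minutes, which is why the text concludes that even twice-daily key changes leave the key exposed.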
If none of these network tools help determine which default configurations to try, the next step is to scan the traffic for any cleartext information that may be