224 Chapter 4 • Communication Security: Wireless
If the attacker spoofs the default gateway or a specific host on the network, all machines trying to reach the network or the spoofed machine will connect to the attacker's machine instead of to the gateway or host they intended to reach. A clever attacker will use this position only to harvest passwords and other needed information, and will forward the rest of the traffic to the intended recipients. Done this way, the end users have no idea that this "man-in-the-middle" has intercepted their communications and compromised their passwords and information.
Another clever attack can be accomplished using rogue APs. If an attacker can put together an AP with a strong enough signal, end users may not be able to tell which AP is the authorized one they should be using. In fact, most will not even know that another is available. Using this technique, an attacker is able to receive authentication requests and information from the end workstation regarding the secret key and where it is attempting to connect.
Rogue APs can also be used to attempt to break into more tightly configured wireless APs. Tools such as AirSnort and WEPCrack require a large amount of captured data before they can recover the secret key. A hacker sitting in a car in front of a house or office is noticeable, and thus will generally not have enough time to acquire enough traffic to break the key. However, if an attacker installs a tiny, easily hidden machine in an inconspicuous location, it could sit there long enough to break the key and possibly act as an external AP into the wireless network it has compromised.
Attackers who wish to spoof more than their MAC addresses have several tools available. Most of these tools are for use in a UNIX environment and can be found through a simple search for "ARP Spoof" at http://packetstormsecurity.com. With these tools, hackers can easily trick all machines on a wireless network into thinking that the hacker's machine is another valid machine. Through simple sniffing on the network, an attacker can determine which machines are in high use by the workstations on the network. If the attacker then spoofs the address of one of these machines, they might be able to intercept much of the legitimate traffic on the network.
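The gateway and host spoofing described above leaves a visible trace on the wire: ARP replies in which a second MAC address claims an IP that already has an owner. The following is an added defender-side illustration in the style of arpwatch, not code from the book; the ARP reply records, the trusted gateway binding and the function names are constructed for the example.

```python
# Added defender-side illustration (arpwatch-style), not code from the book: flag
# ARP replies claiming an IP they should not own, the wire-level sign of gateway spoofing.
from collections import defaultdict

# Constructed sample ARP reply log: (timestamp, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),   # real default gateway
    (2, "192.168.1.20", "00:11:22:33:44:20"),
    (3, "192.168.1.1", "00:11:22:33:44:01"),
    (4, "192.168.1.1", "aa:bb:cc:dd:ee:ff"),   # a second MAC claims the gateway
    (5, "192.168.1.20", "00:11:22:33:44:20"),
    (6, "192.168.1.1", "00:11:22:33:44:01"),   # real gateway reasserts itself
]

# Bindings an operator records for hosts worth protecting (assumed values).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoof(replies, trusted=TRUSTED_BINDINGS):
    """Return alert strings for two signals of ARP-cache poisoning.
    trusted-mismatch: a protected IP (e.g. the gateway) is claimed by a MAC
    other than the recorded one. binding-change: any IP whose claimed MAC
    differs from the previous reply; an attacker displacing the real host
    and the real host answering again produce a flapping binding.
    """
    alerts = []
    last_seen = {}  # ip -> mac seen in the most recent reply
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and mac != trusted[ip].lower():
            alerts.append(f"t={ts} trusted-mismatch {ip}: {mac} != {trusted[ip]}")
        if ip in last_seen and last_seen[ip] != mac:
            alerts.append(f"t={ts} binding-change {ip}: {last_seen[ip]} -> {mac}")
        last_seen[ip] = mac
    return alerts


def contested_ips(replies):
    """IPs claimed by more than one MAC within the window (the gateway here)."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac.lower())
    return sorted(ip for ip, macs in seen.items() if len(macs) > 1)


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(alert)
    print("contested:", contested_ips(SAMPLE_ARP_REPLIES))
```

In a real deployment the reply list would be fed from a capture on the wireless segment, and the trusted bindings would cover every host whose traffic is worth protecting, not only the gateway.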
AirSnort and WEPCrack are freely available. While it would take additional resources to build a rogue AP, these tools run from any Linux machine.
Once an attacker has identified a network for attack and spoofed their MAC address to become a valid member of the network, they can gain further information that is not available through simple sniffing. If the network being attacked is using SSH to access the hosts, stealing a password might be easier than attempting to break into the host using an available exploit.
www.syngress.com