Summary




Wireless networks can be attacked in a number of different ways. Because so many wireless networks are deployed with default configurations, it is possible to access them simply by being in range with a properly configured client. This is accomplished by setting up a default configuration profile in the wireless settings of your operating system. The exact steps taken to do this vary between operating systems, but the concept is the same. If an access point is deployed with a default configuration, an attacker will only need to set up a default configuration profile and the wireless network will be compromised.

In some cases, it is necessary to go slightly beyond the default configuration. Because some network administrators have disabled the DHCP server on their wireless network, it is occasionally necessary to manually set the IP address on the attacking client card. Most wireless networks are deployed using an IP address in the 192.168.1.0 Class C space. Manually setting the client to an IP address in this range is often all that is needed to gain access to the resources available to the target network. If that range doesn’t work, it is sometimes necessary to try a few different Class C ranges to find the right one. Kismet can also determine the IP range in use if enough packets have been captured.

Some network administrators allow only specific wireless cards to access their network. This is accomplished by MAC address filtering. However, this can also be defeated. Windows systems can be configured to send a spoofed MAC address by modifying the Registry or by using automated tools like BWMACHAK. The same can be accomplished on Linux systems by using the ifconfig command or tools like SirMACsAlot.

Another security measure that must be overcome in order to access some wireless networks is cloaked access points. A cloaked access point refers to one that has been set up not to broadcast its beacon. However, tools like Kismet and AirSnort can find these access points. Such tools operate in monitor mode, passively sniffing all wireless traffic. After enough traffic has been captured, Kismet and AirSnort can determine the SSID that the access point is using, after which the client can be configured to use that SSID and access the network.

The encryption standards that are utilized by wireless networks are flawed and can be defeated. Using tools like AirSnort and WEPCrack, an attacker can crack the WEP key used on a wireless network and configure a client with the captured WEP key. This will allow the attacker to access the wireless network. WPA is also flawed and in some cases is vulnerable to a dictionary attack.

Finally, at times, a combination of some or all of the attacks outlined in this chapter is required. For example, if a network administrator has disabled SSID broadcast, enabled WEP, and filtered access by MAC address, an attacker needs to follow the steps for each of the attacks designed to defeat those security mechanisms. However, this can be a tedious and time-consuming process.
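From the defender's side, the point of this summary is that SSID cloaking, MAC filtering and a disabled DHCP server add no real protection, so a configuration review should rate an access point by its encryption alone. The following audit sketch is an added example, not code from the book; the config field names, the default-SSID sample, the wordlist and the 20-character passphrase threshold are all assumptions.

```python
DEFAULT_SSIDS = {"linksys", "default", "netgear"}    # assumed sample of vendor defaults
COMMON_WORDS = {"password", "wireless", "letmein1"}  # stand-in for a real wordlist
MIN_PSK_LEN = 20                                     # assumed policy threshold

def audit_ap(cfg):
    """Return (rating, findings) for one access-point config dict."""
    findings = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    # Obscurity controls: reported, but never allowed to raise the rating.
    if cfg.get("ssid_broadcast") is False:
        findings.append("SSID cloaking only hides the name from casual clients")
    if cfg.get("mac_filter"):
        findings.append("MAC filtering relies on a spoofable identifier")
    if cfg.get("dhcp") is False:
        findings.append("disabling DHCP does not hide the IP range")
    enc = cfg.get("encryption", "none").lower()
    if enc == "none":
        rating = "none"
        findings.append("no encryption")
    elif enc == "wep":
        rating = "weak"
        findings.append("WEP key is recoverable from captured traffic")
    elif enc == "wpa-psk":
        psk = cfg.get("passphrase", "")
        if len(psk) < MIN_PSK_LEN or psk.lower() in COMMON_WORDS:
            rating = "weak"
            findings.append("WPA passphrase is short or dictionary-based")
        else:
            rating = "moderate"
    else:
        rating = "unknown"
        findings.append("unrecognised encryption setting: " + enc)
    return rating, findings

# Constructed inventory; the second entry is the layered setup described above.
INVENTORY = [
    {"ssid": "linksys", "encryption": "none"},
    {"ssid": "corp-ap", "ssid_broadcast": False, "mac_filter": True,
     "dhcp": False, "encryption": "WEP"},
    {"ssid": "lab", "encryption": "WPA-PSK", "passphrase": "password"},
    {"ssid": "office", "encryption": "WPA-PSK",
     "passphrase": "kT7#qLz9!vB2xw0RmE4sUd"},
]

if __name__ == "__main__":
    for ap in INVENTORY:
        rating, findings = audit_ap(ap)
        print(f"{ap['ssid']:8} {rating:8} " + "; ".join(findings))
```

The layered `corp-ap` entry receives the same "weak" rating as a plain WEP network, which is the practical consequence of the paragraph above.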






WarDriving: Drive, Detect, Defend: A Guide to Wireless Security
Year: 2006
Pages: 125