TABLE OF CONTENTS

Acknowledgements
Introduction
  Why does Wi-Foo exist and whom did we write it for?
  What about the funky name?

SECTION 1 THE BATTLEFIELD

Chapter I The real world wireless security
  Why do we concentrate on the 802.11 security?
  Getting a grip on reality: wide open 802.11 networks around us
  The future of 802.11 security: is it as bright as it seems?

Chapter II Under the siege
  Why are "they" after your wireless network?
  Wireless crackers: who are they?
  Corporations, SMEs and home users: targets acquired
  Target yourself: penetration testing as your first line of defense

SECTION 2 ATTACK

Chapter III Putting the gear together: 802.11 hardware
  PDAs vs laptops
  PCMCIA and CF wireless cards
    Prism chipset
    Cisco Aironet chipset
    Hermes chipset
    Symbol chipset
    Atheros chipset
    ADM8211 chipset
    Other novel chipsets
  Selecting or assessing your wireless client card
  RF characteristics
  Antennas
  RF Amplifiers
  RF cables and connectors

Chapter IV Making the engine run: 802.11 drivers and utilities
  OS, Open Source and Closed Source
  The engine: chipsets, drivers and commands
  Making your client card work with Linux and BSD
  Getting used to efficient wireless interface configuration
    Linux Wireless Extensions
    Linux-wlan-ng utilities
    Cisco Aironet cards configuration
    Configuring wireless client cards on BSD systems

Chapter V Learning to 'wardrive': network mapping and site surveying
  Active scanning in wireless network discovery
  Monitor mode network discovery and traffic analysis tools
    Kismet
    Kismet and Gpsdrive integration
    Wellenreiter
    Airtraf
    Gtkskan
    Airfart
    Mognet
    WifiScanner
    Miscellaneous command line scripts and utilities
    BSD tools for wireless network discovery and traffic logging
  Tools that use the iwlist scan command
  RF signal strength monitoring tools

Chapter VI Assembling the arsenal: tools of trade
  Encryption cracking tools
    WEP crackers
      AirSnort
      Wepcrack
      Dweputils
      Wep_tools
      Wepattack
    Tools to retrieve WEP keys stored on the client hosts: LucentRegCrypto
    Traffic injection tools used to accelerate WEP cracking
    802.1x cracking tools
      Asleap-imp and leap
      Leapcrack
  Wireless frame generating tools
    AirJack
    File2air
    Libwlan
    FakeAP
    Void11
    Wnet
  Wireless encrypted traffic injection tools: Wepwedgie
  Access points management tools

Chapter VII Planning the attack
  The "rig"
  Network footprinting
  Site survey considerations and planning
  Proper attack timing and battery power preservation
  Stealth issues in wireless penetration testing
  An attack sequence walk-through scheme

Chapter VIII Breaking through
  The easiest way to get in
  A short fence to climb: bypassing closed ESSIDs, MAC and protocols filtering
  Picking a trivial lock: various means of cracking WEP
    WEP bruteforcing
    The FMS Attack
    An improved FMS Attack
  Picking the trivial lock in a less trivial way: injecting traffic to accelerate WEP cracking
  Field Observations in WEP Cracking
  Cracking TKIP: the new menace
  The frame of deception: wireless man-in-the-middle attacks and rogue access points deployment
    DIY: rogue access points and wireless bridges for penetration testing
    Hit or miss: physical layer man-in-the-middle attacks
    Phishing in the air: man-in-the-middle attacks combined
  Breaking the secure safe
    Crashing the doors: authentication systems attacks
    Tapping the tunnels: attacks against VPNs
  The last resort: wireless DoS attacks

Chapter IX Looting and pillaging: the enemy inside
  Step 1 Analyze the network traffic
    802.11 frames
    Plaintext data transmission and authentication protocols
    Network protocols with known insecurities
    DHCP, routing and gateway resilience protocols
    Syslog and NTP traffic
    Protocols that shouldn't be there
  Step 2 Associate to WLAN and detect sniffers
  Step 3 Identify the hosts present and perform passive OS fingerprinting
  Step 4 Scan and exploit vulnerable hosts on WLAN
  Step 5 Take the attack to the wired side
  Step 6 Check wireless-to-wired gateway egress filtering rules

SECTION 3 DEFENSE

Chapter X Building the Citadel: an introduction to wireless LAN defense
  Wireless security policy: the cornerstone
  Layer one wireless security basics
  The usefulness of WEP, closed ESSIDs, MAC filtering and SSH port forwarding
  Secure wireless network positioning and VLANs
  Using Cisco Catalyst switches and Aironet access points to optimise secure wireless network design
  Deploying a Linux-based custom-built hardened wireless gateway
  Proprietary improvements to WEP and WEP usage
  802.11i wireless security standard and WPA: the new hope
    Introducing the sentinel: 802.1x
    Patching the major hole: TKIP and CCMP

Chapter XI Introduction to applied cryptography: symmetric ciphers
  The introduction to applied cryptography and steganography
  Modern day ciphers structure and operation modes
    A classical example: dissecting DES
    Kerckhoff's rule and cipher secrecy
    The 802.11i primer: a cipher to help another cipher
    There is more to a cipher than the cipher: understanding cipher operation modes
  Bit-by-bit: streaming ciphers and wireless security
  The quest for AES
    AES (Rijndael)
    MARS
    RC6
    Twofish
    Serpent
  Between DES and AES: common ciphers of the "transition period"
    3DES
    Blowfish
    IDEA
  Selecting a symmetric cipher for your networking or programming needs

Chapter XII Cryptographic data integrity protection, key exchange and user authentication mechanisms
  Cryptographic hash functions
    Dissecting an example standard one-way function
    Hash functions, their performance and HMACs
    Michael (MIC): weaker but faster
  Asymmetric cryptography: a different animal
    The examples of asymmetric ciphers: ElGamal, RSA and the elliptic curves
    Practical use of asymmetric cryptography: key distribution, authentication and digital signatures

Chapter XIII The fortress gates: user authentication in wireless security
  Basics of AAA framework
  An overview of RADIUS protocol
    RADIUS features
    Packet Formats
    Packet Types
    Installation of FreeRADIUS
    Configuration
    User Accounting
    RADIUS vulnerabilities
    RADIUS related tools
  802.1x: the gates to your wireless fortress
    Basics of EAP/TLS
    Creating Certificates
    FreeRADIUS integration
    Supplicants
    An example of access point configuration: Orinoco AP-2000
  LDAP protocol and wireless authentication
    What is LDAP?
    How does LDAP work?
    Installation of OpenLDAP
    Configuration of OpenLDAP
    Testing LDAP
    Populating LDAP database
    Centralizing Authentication with LDAP
    Mobile users and LDAP
    LDAP related tools
  NoCat: an alternative method of wireless users authentication
    Installation and Configuration of NoCat Gateway
    Installation and Configuration of Authentication Server

Chapter XIV Guarding the airwaves: deploying higher layers wireless VPNs
  Why you may want to deploy a VPN?
  VPN topologies review: the wireless perspective
    Network-to-network
    Host-to-network
    Host-to-host
    Star
    Mesh
  Common VPN and tunneling Protocols
    IPSec
    PPTP
    GRE
    L2TP
  Alternative VPN implementations
    cIPe
    OpenVPN
    Vtun
  The main player in the field: IPSec protocols, operations and modes overview
    Security Associations
    Authentication Header
    Encapsulated Security Payload
    IP Compression
    IPSec Key Exchange and Management Protocol
    Internet Key Exchange
      Phase 1 mode of operation
      Phase 2 mode of operation
    Perfect Forward Secrecy
    Dead Peer Discovery
    IPSec Road Warrior
    Opportunistic Encryption
  Deploying affordable IPSec VPNs with FreeS/WAN
    FreeS/WAN compilation
    FreeS/WAN configuration
    Keys Generation
    X509 Certificate generation
    Ipsecconf organization
    Network to Network VPN topology setting
    Host to network VPN topology setting
    Windows 2000 client setting
    Windows 2000 IPSec client configuration

Chapter XV The counter-intelligence: wireless IDS systems
  Introducing wireless intrusion detection
  Categorizing suspicious events on wireless LANs
  The examples and analysis of common wireless attack signatures
  Radars up! Deploying a wireless IDS solution for your WLAN
    Commercial wIDS
    Open Source wIDS settings and configuration
  Few recommendations on DIY wireless IDS sensors construction

Appendixes
  Appendix A Decibel - Watts conversion table
  Appendix B 802.11 Wireless Equipment
  Appendix C Antenna Types
  Appendix D Wireless utilities manpages
  Appendix E Signal Loss for type of obstacles
  Appendix F Warchalking Signs
  Appendix G Penetration testing template
  Appendix H Default SSIDs for several common 802.11 Access Point and PCMCIA card Products

Glossary
Index
Bibliography