Before making an attempt to penetrate any site, all intruders gain as much information on the target without directly probing the target. This could involve one of the many ways listed below
whois database (Domain and IP )
CompanyÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢s support line/help desk
This is the first stage of active penetration, which requires the attacker to send suspicious packets to the target network. There are few things which the attacker needs to keep in mind while attempting this scan.
List possible entry points
Keep a low profile. Use stealth mode as much as possible.
Go as slow as possible
Do not repeat tests
Prepare to change tools quickly depending on output from the current tools.
Decoy is your friend
So are bounce scans
War dialing is an act of gaining access to modems by repeatedly dialing a block of phone numbers looking for a modem handshake. If the attacker has sufficient information on the block of phone numbers assigned to a target, he/she can get a lot of information based on this scan which includes
Generate list of modems
Generate list of unsecure modems
Generate list of misconfigured devices
Generate list of fax numbers
Deciding on the right tool
How many numbers do I need to dial?
How often will I be performing the war dial assessment?
What is the false positive rate?
Is the software user friendly?
Does the software contain documentation?
What type of reporting am I looking for?
What extension(s) can I use to export my findings?
Can I trust the download site or does the software contain malicious code?
Is technical support offered?
What is the time frame offered to finish the assessment?
Does the application have a scheduling feature?
Does the application allow for differential reporting?
THC-Scan (freeware) http://www.securityfocus.com/tools/47
Toneloc (freeware) http://www.securityfocus.com/tools/48
SecureLogix Telesweep Secure (commercial)
Sandstorm PhoneSweep (commercial)
War driving is an act of gaining access to network by listening to mis-configured or unsecured wireless Access Points.
Generate list of APs
Generate list of unsecured APs
Generate list of misconfigured AP
No Encryption ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ Anyone can join
MITM attack possible
DOS leading to MITM. After Disassociating, the client might re-attach to attackers AP.
Sending a ÃƒÂ¢Ã¢â€šÂ¬Ã…â€œDisassociateÃƒÂ¢Ã¢â€šÂ¬Ã‚Â forces the client to send SSID in cleartext
MAC address can easily be sniffed. MAC based authentication is no good
MAC poisoning is also another problem
Static WEP encryption can be hacked easily using statistical analysis. It can be speeded up by replay-packet attacks which creates network activity.
802.11a ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ Direct Sequence Spread Spectrum
2.4GHz ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ 2.4835GHz
14 Channels, 1-11 used in US
1000mW max power, Most use between 10-100mW
CMSA/CA - (Carrier Sense Multiple Access/Collision Avoidance)
Exponential Backoff and retry
Collision avoidance via physical carier sence and Network allocation vector.
Types of management packets
Probe requests and response
Associate request and response
RTS ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ request for tramist
CTS ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ clear to transmit
ACK ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ transmit ok
Packet format ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ (Ref: http://www.zytrax.com/tech/wireless/802_mac.htm)
MAC Packet Format
Wellenreiter - http://www.remote-exploit.org/modules.php?op=modload&name;=Downloads&d;_op=viewdownload&cid;=13
Ãƒâ€šÃ‚Â§ 802.11 protocol decoder for prismdump output. Either specify prismdump capture file or pipe prismdump
THC-wardrive (freeware) http://www.thehackerschoice.com/releases.php?q=wardrive
Airsnort - http://airsnort.shmoo.com/ (linux/bsd)
Ethereal - http://www.ethereal.com/
Aerosol - http://www.sec33.com/sniph/aerosol.php
Istumbler (imac) - http://homepage.mac.com/alfwatt/istumbler/
Apsniff - http://www.bretmounet.com/ApSniff/index.asp
KisMAC - http://www.binaervarianz.de/projekte/programmieren/kismac/
KisMet - http://www.kismetwireless.net/
PocketWarrior - http://www.pocketwarrior.org/
Prism2 Dump - http://www.seattlewireless.net/index.cgi/Prism2Dump
Tcpdump - http://www.tcpdump.org/
Wavemon - http://www.jm-music.de/projects.html
Wistumbler - http://www.gongon.com/persons/iseki/wistumbler/index.html
Airscope - http://www.linux-wlan.com/
Mognet - http://chocobospore.org/mognet/
The encryption apparently is a form of XOR
The WEP key is 40 or 104 bit long. This is a shared key.
In RC4 each key has an associated encryption and decryption stream.
The size of each encrypted text is variable. Hence
The Packet is encrypted using RC4 and the key is a combination of the WEP key and a psuedo session IV (initialization vector) which acts as a seed. The IV is 3 bytes long which is unique for each client and the WEP key shared secret is 104 bytes.
Now if we can sniff the 802.11 header and get the cryptic text then logically if you know the date which is encypted you can figure out the key
How to secure yourself against this attack
SLAN - http://slan.sourceforge.net/faq/
Secure the last mile
Hacking with a Pringles Tube: http://news.bbc.co.uk/1/hi/sci/tech/1860241.stm
Hacking Techniques: http://www-106.ibm.com/developerworks/security/library/s-dial/?t=gr,lnxw41=WarDialing
Layer 2 Protocol Specification: http://www.zytrax.com/tech/wireless/802_mac.htm
Network Scanning is currently the most watched intrusion space which is both easy to scan and easy to set off alarms if the intruder is not carefull.
Arpscan ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“ http://ish.cx/~jason/arpscan/
arpscan is a very simple scanner which sends out arp requests for the given IP addresses and displays a list of the found hosts.
Firewalk - http://www.packetfactory.net/firewalk/
Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.
Fragroute - http://monkey.org/~dugsong/fragroute/
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour.
Libdnet - http://libdnet.sourceforge.net/
libdnet provides a simplified, portable interface to several low-level networking routines
Libnet - http://www.packetfactory.net/libnet/
Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection. Libnet hides much of the tedium of packet creation from the application programmer such as multiplexing, buffer management, arcane packet header information, byte-ordering, OS-dependent issues, and much more. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort
lsrscan - http://gaia.synacklabs.net/projects/lsrscan/
lsrscan checks the behaviour of remote hosts to loose source routed packets.
Lsrtunnel - http://www.synacklabs.net/projects/lsrtunnel/
lsrtunnel spoofs connections using source routed packets.
RING - http://www.planb-security.net/wp/ring.html
By measuring the behavior of various operating systems' TCP retransmission timeout lengths (or RTOs), it is possible to distinguish between OSes on a network. Franck Veysset, Olivier Courtay, and Olivier Heen of the Intranode Research Team first published this concept in April, 2002, and their paper goes into appreciable detail in its discussion of this technique, the mechanisms by which TCP retransmission timers are computed, and OS fingerprinting in general.
Maps network design
Nmap another swiss army knife
Active OS fingerprinting tool
P0f - http://www.stearns.org/p0f/README
The passive OS fingerprinting technique is based on information coming from a remote host when it tries to establish a connection to your system. Captured packet parameters contain enough information to identify the remote OS. In contrast to active scanners such as nmap and queso, p0f does this without sending anything to the remote host.
Great fingerprinting tool
FTP Bounce scans - http://www.cert.org/advisories/CA-1997-27.html
Bounces tcp connect scans using open ftp proxy servers
Launching attacks with popular source port
IP Personalities - http://ippersonality.sourceforge.net/
The Linux IP Personality patch adds to your Linux 2.4 kernel the ability to have different 'personalities' network wise, that is to change some characteristics of its network traffic, depending on different parameters
IP Scrubbing, is central part of any new firewall. It cleans up the packets and repackages it which scrubs off critical information which could be leaked to the attacker.
Using Application Proxies
IDS evasion is important for penetration testing without generating alarm. Look at fragroute and fragrouter for possible tools which can be used to evade.