Überhacker II, Chapter 18: Ethernet Hacking: Wireless and Wired LANs
In this chapter you will learn:
· Why break into LANs?
· How to break into wireless LANs
· ARP spoofing
· MAC (Media Access Control) address spoofing
· A slightly stealthy way to add ARP entries
· How to hide or find a sniffer
· An example of MAC address hacking
Why Break into LANs?
Many networks maintain an outer layer of security, such as a firewall,
a network-based intrusion detection system, and physical security
to keep people off their premises. The trouble is that if an intruder
does get onto the LAN, there are many ways to compromise computers
that take advantage of the Ethernet protocol. It's like a bank locking
its doors but leaving all its valuables lying in the open, ready
for the first intruder to scoop them up.
In the case of wireless LANs it is often even worse. It's as
if the bank also left all the windows open for anyone to crawl
David Taylor, an information technology manager with UK-based
consultancy Equation, has fashioned a unique solution to his neighborhood's
lack of high-speed Internet access -- he made an antenna out of
dog food cans to link his home to a broadband connection in a
nearby neighborhood. With the cooperation of a neighbor who lived
in an area that did have broadband coverage, he set up a connection
through a wireless transmitter to beam the Internet signal two
and a half kilometers to his office. The tin cans act as an antenna,
boosting the Internet radio signal and bouncing it from his office
to his home. At first Taylor tried several other types of cans
to act as a transmitter but found that they weren't waterproof.
"Other tins ended up rusting but the dog food tin has worked
very well. Now not only do the 20 staff in the office have Internet
connectivity, but I also have full access from my home even with
the entire area lying off the broadband grid," says Taylor.
-- (BBC News 7 Mar 2003)
Getting free Internet access through wireless Ethernet LANs (often
called Wi-Fi LANs or WLANs) is the newest and biggest ever hacker
scene. In many areas you can get free access legally through Wi-Fi
systems run by volunteers. Elsewhere, it's the wild west all over
again, with spammers, computer criminals, and mostly harmless
hackers running wild on WLANs whose owners have no concept of
what they are hosting.
First we will cover the easy stuff: how to break into a WLAN
(LANJacking) that doesn't authenticate users. These are fairly
common. To do this, get a laptop with a wireless NIC (WNIC). Configure
your NIC to automatically set up its IP address, gateway and DNS
servers. Then, use the software that came with your NIC to automatically
detect and get you online.
For example, with an Orinoco NIC, in Client Manager set the SSID
(the service set identifier, which a client must match in order to
exchange packets on that WLAN) to "any" or "null." Then
from the Advanced menu select Site Manager. That should show you
all available Wi-Fi access points.
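The flip side of a WLAN that auto-configures any client is that every such client leaves a trace in the access point's DHCP server log. As an added example that is not from the book, the Python below parses constructed dhcpd-style DHCPACK lines and flags leases issued over the wireless interface to MAC addresses absent from an assumed device inventory; the log lines, interface names and inventory are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines in the style of ISC dhcpd (not from the
# book). They stand in for what an access point's DHCP server records when
# an arbitrary client auto-configures itself on an open WLAN.
SAMPLE_LOG = """\
Mar  7 09:12:01 ap dhcpd: DHCPACK on 192.168.1.20 to 00:02:2d:11:22:33 (office-laptop-01) via wlan0
Mar  7 09:15:44 ap dhcpd: DHCPACK on 192.168.1.21 to 00:02:2d:44:55:66 via wlan0
Mar  7 09:16:10 ap dhcpd: DHCPACK on 192.168.1.22 to 00:0c:29:aa:bb:cc (visitor-pc) via wlan0
Mar  7 09:17:03 ap dhcpd: DHCPACK on 192.168.2.5 to 00:50:56:12:34:56 (fileserver) via eth0
Mar  7 09:18:30 ap dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:cc via wlan0
"""

# Assumed inventory of MAC addresses the organisation has issued (constructed).
KNOWN_MACS = {"00:02:2d:11:22:33", "00:02:2d:44:55:66", "00:50:56:12:34:56"}

# DHCPACK lines: the parenthesised hostname is optional in dhcpd's format,
# so the regex must accept leases both with and without it.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str
    iface: str

def parse_acks(log_text):
    """Return one Lease per DHCPACK line; other dhcpd messages are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases

def unknown_wireless_leases(log_text, known_macs, wireless_ifaces=("wlan0",)):
    """Leases handed out over a wireless interface to MACs not in the inventory."""
    return [l for l in parse_acks(log_text)
            if l.iface in wireless_ifaces and l.mac not in known_macs]

if __name__ == "__main__":
    for lease in unknown_wireless_leases(SAMPLE_LOG, KNOWN_MACS):
        print(f"unknown client {lease.mac} got {lease.ip} on {lease.iface} host={lease.host!r}")
```

Pointing `parse_acks` at a real dhcpd syslog file and `KNOWN_MACS` at an asset inventory turns this into a cheap daily check for uninvited wireless clients.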
Once you are set up to detect WLANs, then for happiest hunting,
start driving (wardriving) or walking (stumbling) around an area
with businesses or apartment buildings. Susan Updike points out,
"Don't forget airports - many VIP lounges, etc. have wireless
hubs accessible from inside the airport or even in the parking
How do you know when you've gotten online? One way is to run
an intrusion detection system that alerts you when you get any
kind of network traffic.
An easier and faster way to find those access points and choose
the one you want to use is to run Network Stumbler, at http://www.netstumbler.com.
It shows you all Wi-Fi access points within range of you. Network
Stumbler runs on Windows desktop and laptop machines, and Mini
Stumbler runs on Wi-Fi-enabled PDAs. Netstumbler-like software
is available for Mac OS X with either an internal AirPort card or
any PCMCIA Wi-Fi card at http://www.mxinternet.net/~markw/.
For NetBSD, OpenBSD, and FreeBSD you can get BSD-Airtools at http://www.dachb0den.com/projects/bsd-airtools.html.