Wireless LAN Threats Vikas Khanduri CCIE#13516,CCSP,CCDP,CCNP,MCSE

Jan 08, 2016


zariel


Wireless - Higher Risk

• Current Laptops

• Communication Medium – AIR

• Easy Access

• Lack of Security Policy

• Tools Widely Available

Wireless Threats

• Denial of Service, Spoofing, and Eavesdropping

• Easily compromised keys

• War Chalking

• Management Nightmare

• Ignorance

• Man in the Middle attacks

• Monkey Jack

• Authentication missing

Ignorance

[Diagram labels: Remote Site, Secured Network, Switch, Bridge, Bridge, Firewall, Internet]

Monkey Jack

Authentication Missing

[Diagram labels: Username, Password, Challenge]

Weak Security

• User Roles not defined

• Rogue AP undetected

• Authentication, Authorization & Auditing Missing

• Encryption Missing

• No Monitoring and Reporting

• Bandwidth Management

• No Laptop Security Policy

WLAN Tools Available

• Aerosol (by Sniph): Aerosol is easy to use wardriving software for PRISM2 Chipset, ATMEL USB and WaveLAN Wireless cards on Windows. It's lightweight, written in C, free, and uh, just works!

• AirCrack (by AirCrack Team): aircrack is an 802.11 WEP key cracker. It implements the so-called Fluhrer - Mantin - Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. When enough encrypted packets have been gathered, aircrack can almost instantly recover the WEP key.

• Airfart (by Dave Smith et al): AirFart is a wireless tool created to detect wireless devices, calculate their signal strengths, and present them to the user in an easy-to-understand fashion. It is written in C/C++ with a GTK front end. Airfart supports all wireless network cards supported by the linux-wlan-ng Prism2 driver that provide hardware signal strength information in the "raw signal" format (ssi_type 3). Airfart implements a modular n-tier architecture with the data collection at the bottom tier and a graphical user interface at the top.

• AirJack (by abaddon): AirJack is a device driver (or suite of device drivers) for 802.11(a/b/g) raw frame injection and reception. It is meant as a development tool for all manner of 802.11 applications that need to access the raw protocol.

• AirSnarf (by The Shmoo Group): Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots--snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.

• AirSnort (by The Shmoo Group): AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. AirSnort requires approximately 5-10 million encrypted packets to be gathered. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second.

• AirTraf (by Elixar, Inc.): AirTraf 1.0 is a wireless sniffer that can detect and determine exactly what is being transmitted over 802.11 wireless networks. This open-source program tracks and identifies legitimate and rogue access points, keeps performance statistics on a by-user and by-protocol basis, measures the signal strength of network components, and more. Developed as an open source program, AirTraf is available in a stand-alone Linux package.

• anwrap (by Brian Barto, Ron Sweeney): Dictionary Attack Tool against LEAP. anwrap is a wrapper for ancontrol that serves as a dictionary attack tool against LEAP enabled Cisco Wireless Networks. It traverses a user list and password list attempting authentication and logging the results to a file.

• AP Hopper (by Matthew Davidson, Jeffrey Strube): AP Hopper is a program that automatically hops between access points of different wireless networks. It checks for DHCP and Internet Access on all the networks found. It logs successful and unsuccessful attempts.

• AP Radar (by Don Park): Network Stumbler and Wireless Configuration client. AP Radar is a Linux/GTK+ based graphical netstumbler and wireless profile manager. This project makes use of the version 14 wireless extensions in linux 2.4.20 and 2.6 to provide access point scanning capabilities for most models of wireless cards. It is meant to replace the manual process of running iwconfig and dhclient. It makes reconfiguring for different APs quick and easy.

• APhunter (by Jim Carter): Access Point Hunter. It can find and automatically connect to whatever wireless network is within range. It can be used for site surveys, writing the results in a file.

• APSniff (by Frederic Bret-Mounet): Wireless (802.11) Access Point Sniffer for Windows 2000 only. It enables you to list all access points broadcasting beacon signals at your location. This is not a finished product. It was only tested on DWL-650 & Linksys and requires you to manually change the SSID to blank before running it.

• APTools (by Kirby Kuehl): APTools is a Win32/Unix 802.11b rogue access point detection tool that is able to locate access points over the "wired" network.

• Asleap (by Joshua Wright): Recovers weak LEAP passwords. Can read live from any wireless interface in RFMON mode. Can monitor a single channel, or perform channel hopping to look for targets. This tool is released as a proof-of-concept to demonstrate a weakness in the LEAP protocol. LEAP is the Lightweight Extensible Authentication Protocol, intellectual property of Cisco Systems, Inc. LEAP is a security mechanism available only on Cisco access points to perform authentication of end-users and access points. LEAP is written as a standard EAP-type, but is not compliant with the 802.1X specification since the access point modifies packets in transit, instead of simply passing them to an authentication server (e.g. RADIUS).

• BSD-AirTools (by Dachb0den Labs): bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a bsd-based wep cracking application, called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based ap detection application similar to netstumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned ap's and view statistics for each. It also includes a couple other tools to provide a complete toolset for making use of all 14 of the prism2 debug modes as well as do basic analysis of the hardware-based link-layer protocols provided by prism2's monitor debug mode.

• chopchop (by KoreK): WEP cracker which uses the AP to decipher packets. Easiest ones are ARPs. Takes 10-20s. Included within patches for wlan-ng to inject packets in monitor mode (I'll try to do hostap for the next release). That's about it. Bits and pieces are missing here and there (only decodes IP/ARP traffic), but it's pretty complete.

• ClassicStumbler (by alksoft): ClassicStumbler scans for and displays information about all the wireless access points in range. It will display your signal strength, noise strength, signal to noise ratio, what channel your access point is on, if other access points are interfering with yours, and whether or not those access points are providing encrypted, unencrypted, computer-to-computer, or infrastructure type networks. For an AirPort capable Mac.

• DMZS-Carte (by DMZ Services, Inc.): Perl script uses the text output of netstumbler and generates IDW overlay images on top of terraserver satellite maps.

• Driftnet (by Chris Lightfoot): Inspired by EtherPEG, Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic. In an experimental enhancement, driftnet now picks out MPEG audio streams from network traffic and tries to play them. You can also now use driftnet with Jamie Zawinski's webcollage, so that it can run as a screen saver.

• dstumbler (by Dachb0den Labs): Part of the BSD-AirTools suite, dstumbler is a wardriving/netstumbling/lanjacking utility for bsd operating systems that attempts to provide features similar to netstumbler in a fast and easy to use curses based application. It is part of the bsd-airtools package released by Dachb0den Labs, which provides a complete bsd based tool set for 802.11b penetration testing.

• dweputils (by Dachb0den Labs): Part of the BSD-AirTools suite, dweputils is a set of utilities that allows you to fully audit and secure a wep encrypted network. It consists of a packet collection tool called dwepdump, which allows you to collect wep encrypted packets using a prism2 card, as well as dwepcrack which allows you to recover wep keys using any of the commonly used methods, and dwepkeygen, a secure 40-bit key generator that creates keys that aren't vulnerable to the Tim Newsham 2^21 attack using a variable length seed.

• Ethereal (by Gerald Combs et al): Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).

• EtherPEG (by Sam Bushell, Peter Bierman, Stuart Cheshire): EtherPEG is a free program for the Macintosh that shows you all the JPEGs (and GIFs) going by on your network. EtherPEG works by capturing unencrypted TCP packets off your local network, collecting packets into groups based on TCP connection (determined from source IP address, destination IP address, source TCP port and destination TCP port), reassembling those packets into order based on TCP sequence number, and then scanning the resulting data for byte sequences that suggest the presence of JPEG or GIF data. EtherPEG works with any TCP/IP network, including Ethernet networks and wireless networks like AirPort, as long as the data is not encrypted. If the data is encrypted using IPSEC, or Virtual Private Network (VPN) products like PGPNet, or Web Browser SSL encryption, then third-parties cannot view your data.

• FakeAP (by Black Alchemy Enterprises): If one access point is good, 53,000 must be better. Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.

• gpsd (by Remco Treffkorn): gpsd is a daemon that listens to a GPS or Loran receiver and translates the positional data into a simplified format that can be more easily used by other programs, like chart plotters. The package comes with a sample client that plots the location of the currently visible GPS satellites (if available) and a speedometer. It can also use DGPS/ip.

• GpsDrive (by Fritz Ganter): Gpsdrive is a map-based navigation system. It displays your position on a zoomable map provided from an NMEA-capable GPS receiver. The maps are autoselected for the best resolution, depending on your position, and the displayed image can be zoomed. Maps can be downloaded from the Internet with one mouse click. The program provides information about speed, direction, bearing, arrival time, actual position, and target position. Speech output is also available.

• Hotspotter (by Max Moser, Joshua Wright): Hotspotter was written to exploit this weakness in the Windows XP operating system. Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and will compare it to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.

• iStumbler (by Alf Watt): iStumbler is a free, open source tool for finding wireless networks and devices with your AirPort equipped Macintosh. iStumbler combines a compact user interface with a real time graph of signal strength and complete debugging information such as network type, name and mac address. Real-time visual feedback of signal strength and encryption allows you to quickly find open networks, perform site surveys or just have a look at your wireless neighborhood. For MacOS.

• KisMAC (by Michael Rossberg et al): KisMAC is a free stumbler application for MacOS X, that puts your card into the monitor mode. Unlike most other applications for OS X we are completely invisible and send no probe requests. KisMAC supports third party PCMCIA cards with Orinoco and PrismII chipsets, as well as Cisco Aironet cards. This program is not intended for people, who have not much knowledge about WiFi, but for professional users.

• Kismet (by Mike Kershaw): Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet is fully passive and undetectable when in operation. Kismet automatically tracks all networks in range and is able to detect (or infer) hidden networks, attack attempts, find rogue access points, and find unauthorised users.

• LibRadiate (by The Packetfactory): A toolkit for 802.11 frame capturing, creation and injection.

• LibWnet (by h1kari): libwnet is a packet creation and injection framework for building raw 802.11b frames and injecting them on *BSD based systems. Included in this base package are the following applications which make use of libwnet: dinject is a command line 802.11b packet injection package based on nemesis; reinj is a proof-of-concept for the tcp/arp reinjection attack to generate traffic on a weped network.

• Lucent/Orinoco Registry Encryption/Decryption (by Anders Ingeborn): Lucent Orinoco Client Manager stores WEP keys in Windows registry under a certain encryption/obfuscation. This tool can be used to encrypt WEP keys to reg value or to decrypt reg value into WEP key.

• MacStumbler (by Korben): MacStumbler is a utility to display information about nearby 802.11b and 802.11g wireless access points. It is mainly designed to be a tool to help find access points while traveling, or to diagnose wireless network problems. Additionally, MacStumbler can be used for "wardriving", which involves co-ordinating with a GPS unit while traveling around to help produce a map of all access points in a given area. MacStumbler requires an Apple Airport Card and MacOS 10.1 or greater. MacStumbler doesn't currently support any kind of PCMCIA or USB wireless device.

• MiniStumbler (by W. Slavin): Network Stumbler for Pocket PC 3.0 and 2002. Supports ARM, MIPS and SH3 CPU types.

• Mognet (by Sean Whalen): Mognet is a simple, lightweight 802.11b sniffer written in Java and available under the GPL. It features realtime capture output, support for all 802.11b generic and frame-specific headers, easy display of frame contents in hex or ascii, text mode capture for GUI-less devices, and loading/saving capture sessions in libpcap format. Mognet requires a Java Development Kit 1.3 or higher, and a working C compiler for native code compilation. Your wireless card must support monitor mode, which most (but not all) do.

• Musatcha Advanced WiFi Mapping Engine, by Brad Isbell. This is a freeware client to WiGLE.net. It also acts as a Kismet client that can log (so you can effectively wardrive with a Linksys wap54g or wrt54g running kismet). It supports NMEA GPS units (or you can get GPS data from Netstumbler.) GPSd is in the works.

• NetChaser, by Michael A. Waldron. Find WiFi hotspots with your Palm Tungsten C Handheld Computer.

• NetStumbler, by W. Slavin. Windows Utility for 802.11b based Wireless Network Auditing.

• Omerta, by Mike D. Schiffman. Disassociates all 802.11 network connections within range on the same channel as the card in the machine. Built on top of libradiate.

• PocketWarrior, by DataWorm Labs. Wi-Fi Surveying Tool for the Pocket PC. Wireless auditing software for PRISM and NDIS 5.1 compatible cards that runs on PocketPC 2002. Supports GPS.

• Pong, by MobileAccess. A tool to check the vulnerability of your wireless LAN access point. If your access point is running vulnerable firmware, you get access to all relevant details such as admin password, WEP keys, allowed MAC addresses and some more.

• PrismStumbler, by Jan Fernquist. Prismstumbler is a wireless LAN (WLAN) tool which scans for beacon frames from access points. Prismstumbler operates by constantly switching channels and monitors any frames received on the currently selected channel.

• SMAC, by KLC Consulting. SMAC is an easy-to-use Windows MAC Address Modifying Utility which allows users to change the MAC address for almost any Network Interface Card (NIC) on Windows 2000, XP, and 2003 Server systems, regardless of whether the manufacturers allow this option or not. SMAC does not change the hardware burned-in MAC addresses. It is not necessary. SMAC changes the "software based" MAC addresses on Windows 2000, XP, and 2003 Server systems, and the new MAC addresses you set will persist across reboots.

• SSIDsniff, by Kostas Evangelinos. A nifty tool to use when looking to discover access points and save captured traffic. Comes with a configure script and supports Cisco Aironet and random prism2 based cards.

• StreetStumbler, by kg4ixs. Mapping program for Windows. StreetStumbler was designed from the ground up to be able to use both full and summary EXPORTS of NetStumbler logs. Please consult NetStumbler on how to Export files.

• StumbVerter, by Michael Puchol, Sonar Security. StumbVerter is a standalone application which allows you to import Network Stumbler's summary files into Microsoft's MapPoint 2004 maps. The logged WAPs will be shown with small icons, their colour and shape relating to WEP mode and signal strength. As the AP icons are created as MapPoint pushpins, the balloons contain other information, such as MAC address, signal strength, mode, etc. This balloon can also be used to write down useful information about the AP, notes, etc.

• THC LEAPcracker, by The Hacker's Choice. The THC LEAP Cracker Tool suite contains tools to break the NTChallengeResponse encryption technique used, for example, by Cisco Wireless LEAP Authentication. Tools for spoofing challenge-packets from Access Points are also included, so you are able to perform dictionary attacks against all users.

• void11, by Reyk Floeter. A free implementation of some basic 802.11b attacks. This tool consists of the tools "deauth" and "auth". deauth (network DoS): floods wireless networks with deauthentication packets and spoofed BSSID; authenticated stations will drop their network connections. auth (access point DoS): floods access points with authentication packets and random station addresses; some access points will deny any service after some flooding.

• Wardrive CD (.iso), by Wireless Nederland. Downloadable .iso with wardriving utilities. Based on Slackware. Contains AirSnort and Kismet. This distribution can work with both USB and Serial GPS. Logs can be written to floppy or USB drive. Floppy and USB drive have to be formatted in vfat format (Win98).

• WarGlue, by WarGlue Team. This is a multiplatform general utility suite for use with existing network stumbling software, such as Kismet or NetStumbler. The program will convert between multiple output logs, including the popular wi-scan format, between platforms.

• WarLinux, by Fred. A new Linux distribution for wardrivers. It is available on disk and bootable CD. Its main intended use is for systems administrators who want to audit and evaluate their wireless network installations. Should be handy for wardriving also.

• Wavelan Tools, by Cyrus Durgin et al. 802.11 network tools that allow for detection of networks and services, initially using wireless extensions for Linux and raw 802.11 frames. Initial support is for the wavelan/orinoco card, with support planned for aironet cards.

• WaveMon, by Jan Morgenstern. WaveMon is a ncurses-based monitor for wireless devices. It allows you to watch the signal and noise levels, packet statistics, device configuration, and network parameters of your wireless network hardware. It has currently only been tested with the Lucent Orinoco series of cards, although it should work (with varying features) with all devices supported by the wireless kernel extensions written by Jean Tourrilhes.

• WaveStumbler, by Patrik. WaveStumbler is a console based 802.11 network mapper for Linux. It reports the basic AP stuff like channel, WEP, ESSID, MAC etc. It has support for Hermes based cards (Compaq, Lucent/Agere, ... ). It is still in development but tends to be stable. It consists of a patch against the kernel driver, orinoco.cs, which makes it possible to send the scan command to the driver via the /proc/hermes/ethX/cmds file. The answer is then sent back via a netlink socket. WaveStumbler listens to this socket and displays the output data on the console. The patch should be applied against linux-2.4.17. It patches the whole linux/drivers/wireless to version 2.4.18-pre7 + the apscan code in orinoco.c. This is a 100% experimental patch, but it seems to work quite well with an Orinoco Silver Card, so feel free to try it out.

• WebStumbler, by Frank Echanique. WebStumbler is a simple application for turning NetStumbler summary files into HTML files.

• WellenReiter, by Michael Lauer et al. Wellenreiter is a wireless network discovery and auditing tool. Prism2, Lucent, and Cisco based cards are supported. It is the easiest to use Linux scanning tool. No card configuration has to be done anymore. The whole look and feel is pretty self-explaining. It can discover networks (BSS/IBSS), and detects ESSID broadcasting or non-broadcasting networks and their WEP capabilities and the manufacturer automatically. DHCP and ARP traffic are decoded and displayed to give you further information about the networks. An ethereal/tcpdump-compatible dumpfile and an Application savefile will be automatically created. Using a supported GPS device and the gpsd you can track the location of the discovered networks.

• WepAttack, by Dominik Blunk, Alain Girardet. WepAttack is a WLAN open source Linux tool for breaking 802.11 WEP keys. This tool is based on an active dictionary attack that tests millions of words to find the right key. Only one packet is required to start an attack.

• WEPCrack, by Anton Rager, Paul Danckaert. WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.

• Weplab, by Jose Ignacio Sanchez. Weplab is a tool to review the security of WEP encryption in wireless networks from an educational point of view. Several attacks are available, so that the effectiveness and minimum requirements of each one can be measured.

• WEPWedgie, by Anton Rager. WEPWedgie is a toolkit for determining 802.11 WEP keystreams and injecting traffic with known keystreams. The toolkit also includes logic for firewall rule mapping, pingscanning, and portscanning via the injection channel and a cellular modem.

• WEP_Tools (wep_crack/wep_decrypt), by Tim Newsham. This package contains two tools, one for cracking WEP keys and one for decrypting WEP packets. Wep_crack: Given a pcap file containing a packet capture of WEP packets, this program will attempt to find the key used in encryption. This is done by searching the key space using keys generated from dictionary words, or by exhaustively searching through the key generation seeds. Keys are validated by decrypting a number of packets and verifying their CRC. If the CRC validates for all packets, there is a high probability that the proper key was used. Wep_decrypt is a program for decrypting captured 802.11 traffic that is protected with WEP. It reads in a pcap capture file, such as that generated by prismdump, and outputs another pcap capture file with decrypted packets. By default it will read from stdin and output to stdout. The key to decrypt with can be specified as a string of hex characters, optionally separated by spaces or colons, or as a text string. If a text string is specified, the actual keying material will be generated from the string in the (ad hoc) standard fashion used by many drivers.

• Wi-Find, by Eric Olinger. Wi-find is a wireless network detection tool that is written in C and is aiming for flexibility and clean, easy to understand code. It currently only supports prism2 based cards using the wlan-ng driver (the hostap might work also) but the support is there to add more cards.

• WiFiFoFum, by Malcolm Hall. WiFiFoFum is a 802.11 scanner designed for PDAs running PocketPC 2003. It scans all 802.11 access points in range and offers a list and a radar to view. It also offers GPS features to record the location of the access points. The list can be saved to file.

• WifiScanner, by Jérôme Poggi. WifiScanner is a tool that has been designed to discover wireless nodes (i.e. access points and wireless clients). It is distributed under the GPL License. It works with CISCO cards and prism cards with a hostap driver or wlan-ng driver. An IDS system is integrated to detect anomalies such as MAC usurpation.

• WinDump, by Loris Degioanni et al. WinDump is the port to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX. WinDump is fully compatible with tcpdump and can be used to watch and diagnose network traffic according to various complex rules. It can run under Windows 95/98/ME, and under Windows NT/2000/XP. WinDump uses a libpcap-compatible library for Windows, WinPcap, which is freely downloadable from the WinPcap site. WinDump is free and is released under a BSD-style licence.

• WiStumbler, by Isao Seki. Network stumbler for WaveLAN/IEEE wireless networking of NetBSD.

• WPA Cracker, by Takehiro Takahashi. WPA Cracker is a dictionary/brute-force attacker against WiFi Protected Access (WPA). WPA takes two forms: WPA Enterprise Mode and WPA PSK (Pre-Shared Key) Mode. WPA Cracker takes advantage of an inherently vulnerable characteristic of the PSK implementation to give users the insight that the security must be deployed properly.

• wscan, by Portland State University. wscan is a X-11/visual 802.11 wireless signal-strength display tool (version 2.0 includes AP scanning mode). You can download a tar archive for it that allows you to build it on Linux or FreeBSD. There's also an ipkg/package for linux/ipaqs running familiar.