Saturday, October 30, 2010

Top Five Windows Based Wireless Attack Tools You Should Really Know About

[Category-Security]

A plethora of wireless attack tools is freely available on the Internet, but most of them are written for Linux. A naive user might not run these tools comfortably, since doing so requires good knowledge of both the tools and the underlying system.

Windows (XP, Vista or 7) is the most popular and widely used operating system in the world. It provides a click-based environment for interacting with any application. Since most of us already feel comfortable working in a Windows-based environment, we understand its power to quickly turn even a naive user into a skilled one. But the unavailability of free wireless tools for Windows has kept its users away from playing with wireless networks in the past. Lately, however, Windows-based tools have started showing up. What if people start getting access to these attack tools? Wouldn't that give rise to new security threats in an enterprise network environment?

In this post, I am going to brief you about such tools and what is possible using them.

Tool #1. CommView for WiFi

CommView for WiFi is a very powerful wireless network monitor and analyzer for 802.11 a/b/g/n networks. It is paid software, but a limited-period evaluation version is freely available for download.

Some of the things one can do with CommView for WiFi:

  • Scan the air for WiFi stations and access points and capture 802.11a, 802.11b, 802.11g, and 802.11n WLAN traffic
  • Specify WEP or WPA keys to decrypt encrypted packets
  • View detailed IP connection statistics: IP addresses, ports, sessions, etc.
  • Reconstruct TCP/UDP sessions
  • Search for strings or hex data in captured packet contents
  • Load and view capture files offline
  • Modify and inject captured frames; injection of all captured traffic is also supported

CommView runs under Windows XP/2003/Vista/2008/7 and requires a compatible wireless network adapter. The list of adapters that have been tested and are compatible with CommView for WiFi is available at http://www.tamos.com/products/commwifi/adapterlist.php

Figure 1: Snapshot of Running CommView

So, using an evaluation version of CommView for WiFi, one can capture all the wireless traffic and sniff passwords in an open WiFi network. A malicious insider can decrypt the private data frames of other wireless users in WPA-PSK or WPA2-PSK enabled wireless networks.

Packet injection capability can be exploited to launch a denial-of-service attack, a stealth-mode ARP spoofing attack in an open wireless network, and more. It depends entirely on the imagination of the intruder.

Figure 2: Raw Packet Injection

Tool #2: Aircrack-ng

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with optimizations such as the KoreK attacks, as well as the newer PTW attack, which makes it much faster than other WEP cracking tools.

In fact, aircrack-ng is a suite of wireless tools that can be used to capture traffic, set up an access point (AP), launch denial-of-service (DoS) attacks and crack encryption.

Previous versions of aircrack-ng were supported only on Linux distributions, but the latest version is also supported on Windows. The software can be downloaded for free from http://www.aircrack-ng.org/


Tool #3: MDK3

MDK3 can be put in the category of denial-of-service (DoS) attack tools. It uses the wireless driver of the CommView software to do packet capture and injection. It is a less-known tool and not much information is available on the Internet yet, but it has been tested and talked about in the hacker community.

More information about the software is available here.

Tool #4: Connectify

Connectify is a third-party application that allows a user to run a full-fledged WiFi hotspot on a WiFi-enabled machine. While this is a great way of sharing the Internet with friends, co-workers and mobile devices, it weakens the security cordon of a corporate network by simply converting WiFi-enabled, authorized corporate laptops into unmanaged rogue devices.

The current version of the software is compatible only with Windows 7.

In the same category falls Intel's "My WiFi" wireless technology. It helps form a wireless Personal Area Network (PAN). Basically, you can run a wireless access point if you have a laptop with one of Intel's latest wireless cards inside, e.g. Centrino Wireless-N 1000, 5100 or 6200. Intel provides the My WiFi software, with which you can run a virtual AP and choose any security configuration; in fact, you can also run an open WiFi AP. The technology is supported on both Windows Vista and Windows 7.

 
Tool #5: Meraki's "WiFi Stumbler" and WLANController's Virtual Access Point

These are examples of cloud-based tools. No installation is needed; you just need access to the Internet, that's it.

The first is Meraki's WiFi Stumbler, which can be used for wireless network scanning. Using this tool you can instantly learn various important attributes of a wireless network, e.g. MAC address, signal level, encryption type, channel, etc. This is a very powerful tool if you are interested in conducting a wireless scan: no additional hardware is needed, you can use your own machine. But it can also be misused by an attacker to scan for and select a target.
 
Figure 3: Meraki's WiFi Stumbler

The second interesting cloud-based tool is the "Virtual Access Point" software offered by www.virtualaccesspoint.com. If you want to run your own access point on Windows 7 and don't want to take the risk of installing software, this would be the best bet. Enter the SSID and WPA2 key and behold! Your virtual AP is up and running. Here is a video that shows how you can run your own AP in just 60 seconds.

This can be misused to launch a security-enabled honeypot AP. I have posted the technical details of WPA2 honeypots here.

So the conclusion is that almost all attacks are possible using Windows-based wireless attack tools. This is going to increase the security and manageability risk for network administrators. One more reason why you need to monitor your air 24x7.
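As an added example (not code from this post or from any of the tools it describes), here is a defender-side script for the kind of scan data WiFi Stumbler and the Windows WLAN service expose. It parses the text that `netsh wlan show networks mode=bssid` prints on Windows Vista/7 (the sample output and the BSSID allowlist below are constructed for this example, not taken from a real network) and flags what a "monitor your air" routine should catch: an unmanaged AP broadcasting the corporate SSID (the honeypot / rogue-laptop pattern from the Connectify and Virtual Access Point sections), open networks, and PSK-secured networks where the enterprise expects 802.1X.

```python
"""
Added example: flag possible rogue or weakly secured access points from a
Windows wireless scan.  Input format is that of `netsh wlan show networks
mode=bssid`; SAMPLE_SCAN and the allowlists are constructed for this example.
"""
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 90%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : aa:bb:cc:dd:ee:01
         Signal             : 62%
         Radio type         : 802.11n
         Channel            : 11

SSID 2 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : de:ad:be:ef:00:01
         Signal             : 45%
         Radio type         : 802.11g
         Channel            : 1

SSID 3 : FreeWiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:02
         Signal             : 78%
         Radio type         : 802.11n
         Channel            : 6
"""

# Hypothetical allowlist: BSSIDs of the enterprise's managed APs, and the
# SSIDs only those APs are supposed to advertise.
KNOWN_BSSIDS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}
CORPORATE_SSIDS = {"CorpNet"}

# Only the lines the checks need; everything else in the output is ignored.
LINE_RE = re.compile(
    r"^\s*(SSID \d+|Authentication|Encryption|BSSID \d+|Signal|Channel)\s*:\s*(.*?)\s*$"
)


def parse_scan(text):
    """Return one dict per BSSID: ssid, auth, enc, bssid, signal (%), channel."""
    aps = []
    ssid = auth = enc = None
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key.startswith("SSID"):
            ssid, auth, enc = value, None, None  # a new network block starts
        elif key == "Authentication":
            auth = value
        elif key == "Encryption":
            enc = value
        elif key.startswith("BSSID"):
            current = {"ssid": ssid, "auth": auth, "enc": enc,
                       "bssid": value.lower(), "signal": None, "channel": None}
            aps.append(current)
        elif key == "Signal" and current is not None:
            current["signal"] = int(value.rstrip("%"))
        elif key == "Channel" and current is not None:
            current["channel"] = int(value)
    return aps


def find_rogue_aps(aps, known_bssids=KNOWN_BSSIDS, corporate_ssids=CORPORATE_SSIDS):
    """Return (bssid, ssid, channel, signal, reasons) for every BSSID not on the allowlist."""
    findings = []
    for ap in aps:
        if ap["bssid"] in known_bssids:
            continue  # managed AP, nothing to report
        reasons = []
        if ap["ssid"] in corporate_ssids:
            # Our SSID from unmanaged hardware: evil-twin / honeypot / rogue laptop.
            reasons.append("corporate SSID on unknown BSSID")
        if ap["auth"] == "Open":
            reasons.append("open network")
        elif ap["auth"] and ap["auth"].endswith("Personal"):
            reasons.append("pre-shared key (WPA/WPA2-PSK)")
        if not reasons:
            reasons.append("unknown BSSID")
        findings.append((ap["bssid"], ap["ssid"], ap["channel"], ap["signal"], reasons))
    return findings


if __name__ == "__main__":
    for bssid, ssid, channel, signal, reasons in find_rogue_aps(parse_scan(SAMPLE_SCAN)):
        print(f"{bssid}  ssid={ssid!r:12} ch={channel:<3} signal={signal}%  {'; '.join(reasons)}")
```

On a real host you would feed the script the live output of `netsh wlan show networks mode=bssid` instead of `SAMPLE_SCAN` and run it on a schedule; the BSSID allowlist is what turns a scan into a rogue-AP alert, because SSID and security type alone cannot distinguish a managed AP from a laptop impersonating it.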

If you are aware of any other Windows-based wireless attack tool, please share it with us. I would love to test and write about it. Cheers!
