
Wardriving & Wireless Penetration Testing
By: Chris Hurley, Russ Rogers, Frank Thornton
Paperback | 1 January 2007
At a Glance
450 Pages
25.4 x 17.78 x 2.31 cm
Paperback
$130.75
Unlike other wireless networking and security books that have been published in recent years, this book is geared primarily to those individuals that are tasked with performing penetration testing on wireless networks. This book continues in the successful vein of books for penetration testers such as Google Hacking for Penetration Testers and Penetration Tester's Open Source Toolkit. Additionally, the methods discussed will prove invaluable for network administrators tasked with securing wireless networks. By understanding the methods used by penetration testers and attackers in general, these administrators can better define the strategies needed to secure their networks.
* According to a study by the Strategis Group, more than one third of the world's population will own a wireless device by the end of 2008.
* The authors have performed hundreds of wireless penetration tests, modeling their attack methods after those used by real world attackers.
* Unlike other wireless books, this is geared specifically for those individuals that perform security assessments and penetration tests on wireless networks.
| Introduction to WarDriving and Penetration Testing | p. 1 |
| Introduction | p. 2 |
| WarDriving | p. 2 |
| The Origins of WarDriving | p. 3 |
| Definition | p. 3 |
| The Terminology History of WarDriving | p. 3 |
| WarDriving Misconceptions | p. 4 |
| The Truth about WarDriving | p. 4 |
| The Legality of WarDriving | p. 5 |
| Tools of the Trade or "What Do I Need?" | p. 5 |
| Getting the Hardware | p. 6 |
| The Laptop Setup | p. 6 |
| The PDA or Handheld Setup | p. 7 |
| Choosing a Wireless NIC | p. 8 |
| Types of Wireless NICs | p. 9 |
| Other Cards | p. 11 |
| External Antennas | p. 11 |
| Connecting Your Antenna to Your Wireless NIC | p. 12 |
| GPS | p. 13 |
| Putting It All Together | p. 14 |
| Disabling the Transmission Control Protocol/Internet Protocol Stack in Windows | p. 15 |
| Disabling the TCP/IP Stack on an iPAQ | p. 17 |
| A Brief History of Wireless Security | p. 19 |
| Penetration Testing | p. 20 |
| Understanding WLAN Vulnerabilities | p. 21 |
| Penetration Testing Wireless Networks | p. 21 |
| Target Identification | p. 22 |
| Attacks | p. 23 |
| Tools for Penetration Testing | p. 25 |
| Conclusion and What to Expect From this Book | p. 26 |
| Solutions Fast Track | p. 27 |
| Frequently Asked Questions | p. 29 |
| Understanding Antennas and Antenna Theory | p. 31 |
| Introduction | p. 32 |
| Wavelength and Frequency | p. 32 |
| Terminology and Jargon | p. 35 |
| Radio Signal | p. 36 |
| Noise | p. 36 |
| Decibels | p. 37 |
| Gain | p. 39 |
| Attenuation | p. 39 |
| Signal-to-noise Ratio | p. 40 |
| Multipath | p. 40 |
| Diversity | p. 40 |
| Impedance | p. 41 |
| Polarization | p. 41 |
| Cable | p. 42 |
| Connectors | p. 43 |
| Differences Between Antenna Types | p. 43 |
| Omnidirectional Antennas | p. 44 |
| Omnidirectional Signal Patterns | p. 44 |
| Directional Antennas | p. 46 |
| Directional Antenna Types | p. 47 |
| Grid | p. 47 |
| Panel | p. 48 |
| Waveguide | p. 48 |
| Bi-Quad | p. 49 |
| Yagi Antenna | p. 50 |
| Directional Signal Patterns | p. 53 |
| Other RF Devices | p. 53 |
| RF Amplifiers | p. 53 |
| Attenuators | p. 54 |
| How to Choose an Antenna for WarDriving or Penetration Testing | p. 55 |
| WarDriving Antennas | p. 56 |
| Security Audit/Rogue Hunt and Open Penetration Testing | p. 57 |
| "Red Team" Penetration Test | p. 57 |
| Where to Purchase WiFi Antennas | p. 58 |
| Summary | p. 59 |
| Solutions Fast Track | p. 59 |
| Frequently Asked Questions | p. 60 |
| WarDriving With Handheld Devices and Direction Finding | p. 63 |
| Introduction | p. 64 |
| WarDriving with a Sharp Zaurus | p. 64 |
| Installing and Configuring Kismet | p. 65 |
| Configuring the Wireless Card to Work with Kismet | p. 69 |
| Starting Kismet on the Zaurus | p. 72 |
| Using a GPS with the Zaurus | p. 73 |
| Starting GPSD | p. 75 |
| Using a Graphical Front End with Kismet | p. 76 |
| Using an External WiFi Card with a Zaurus | p. 78 |
| WarDriving with MiniStumbler | p. 79 |
| Wireless Ethernet Cards that Work with MiniStumbler | p. 80 |
| MiniStumbler Installation | p. 81 |
| Running MiniStumbler | p. 82 |
| MiniStumbler Menus and Tool Icons | p. 85 |
| Using a GPS with MiniStumbler | p. 86 |
| Direction Finding with a Handheld Device | p. 87 |
| Summary | p. 90 |
| Solutions Fast Track | p. 91 |
| Frequently Asked Questions | p. 92 |
| WarDriving and Penetration Testing with Windows | p. 93 |
| Introduction | p. 94 |
| WarDriving with NetStumbler | p. 94 |
| How NetStumbler Works | p. 94 |
| NetStumbler Installation | p. 96 |
| Running NetStumbler | p. 99 |
| NetStumbler Menus and Tool Icons | p. 105 |
| Toolbar Icons | p. 107 |
| Wireless Penetration Testing with Windows | p. 108 |
| AirCrack-ng | p. 109 |
| Determining Network Topology | p. 112 |
| Network View | p. 112 |
| Summary | p. 117 |
| Solutions Fast Track | p. 117 |
| Frequently Asked Questions | p. 118 |
| WarDriving and Penetration Testing with Linux | p. 119 |
| Introduction | p. 120 |
| Preparing Your System to WarDrive | p. 120 |
| Preparing the Kernel | p. 120 |
| Preparing the Kernel for Monitor Mode | p. 120 |
| Preparing the Kernel for a Global Positioning System | p. 123 |
| Installing the Proper Tools | p. 124 |
| Installing Kismet | p. 125 |
| Installing GPSD | p. 126 |
| Configuring Your System to WarDrive | p. 127 |
| WarDriving with Linux and Kismet | p. 131 |
| Starting Kismet | p. 131 |
| Using the Kismet Interface | p. 133 |
| Understanding the Kismet Options | p. 133 |
| Using a Graphical Front End | p. 137 |
| Wireless Penetration Testing Using Linux | p. 138 |
| WLAN Discovery | p. 140 |
| WLAN Discovery Using Public Source Information | p. 140 |
| WLAN Encryption | p. 141 |
| Attacks | p. 141 |
| Attacks Against WEP | p. 141 |
| Attacks Against WPA | p. 142 |
| Attacks Against LEAP | p. 143 |
| Attacking the Network | p. 144 |
| MAC Address Spoofing | p. 144 |
| Deauthentication with Void11 | p. 145 |
| Cracking WEP with the Aircrack Suite | p. 146 |
| Cracking WPA with the CoWPAtty | p. 148 |
| Association with the Target Network | p. 148 |
| Summary | p. 150 |
| Solutions Fast Track | p. 151 |
| Frequently Asked Questions | p. 152 |
| WarDriving and Wireless Penetration Testing with OS X | p. 153 |
| Introduction | p. 154 |
| WarDriving with KisMAC | p. 154 |
| Starting KisMAC and Initial Configuration | p. 154 |
| Configuring the KisMAC Preferences | p. 155 |
| Scanning Options | p. 156 |
| Filter Options | p. 156 |
| Sound Preferences | p. 157 |
| Traffic | p. 160 |
| KisMAC Preferences | p. 160 |
| Mapping WarDrives with KisMAC | p. 162 |
| Importing a Map | p. 162 |
| WarDriving with KisMAC | p. 166 |
| Using the KisMAC Interface | p. 167 |
| Penetration Testing with OS X | p. 170 |
| Attacking WLAN Encryption with KisMAC | p. 171 |
| Attacking WEP with KisMAC | p. 171 |
| Reinjection | p. 173 |
| Attacking WPA with KisMAC | p. 174 |
| Other Attacks | p. 175 |
| Bruteforce Attacks Against 40-bit WEP | p. 175 |
| Wordlist Attacks | p. 175 |
| Other OS X Tools for WarDriving and WLAN Testing | p. 176 |
| Summary | p. 178 |
| Solutions Fast Track | p. 178 |
| Frequently Asked Questions | p. 180 |
| Wireless Penetration Testing Using a Bootable Linux Distribution | p. 183 |
| Introduction | p. 184 |
| Core Technologies | p. 185 |
| WLAN Discovery | p. 185 |
| Choosing the Right Antenna | p. 186 |
| WLAN Encryption | p. 187 |
| WEP | p. 188 |
| WPA/WPA2 | p. 188 |
| EAP | p. 189 |
| VPN | p. 189 |
| Attacks | p. 189 |
| Attacks Against WEP | p. 189 |
| Attacks Against WPA | p. 191 |
| Attacks Against LEAP | p. 191 |
| Attacks Against VPN | p. 192 |
| Open Source Tools | p. 193 |
| Footprinting Tools | p. 193 |
| Intelligence Gathering Tools | p. 194 |
| User's Network Newsgroups | p. 194 |
| Google (Internet Search Engines) | p. 194 |
| Scanning Tools | p. 195 |
| Wellenreiter | p. 195 |
| Kismet | p. 198 |
| Enumeration Tools | p. 200 |
| Vulnerability Assessment Tools | p. 201 |
| Exploitation Tools | p. 203 |
| MAC Address Spoofing | p. 203 |
| Deauthentication with Void11 | p. 203 |
| Cracking WEP with the Aircrack Suite | p. 205 |
| Cracking WPA with CoWPAtty | p. 208 |
| Case Study | p. 208 |
| Case Study Cracking WEP | p. 209 |
| Case Study: Cracking WPA-PSK | p. 212 |
| Further Information | p. 214 |
| Additional GPSMap Map Servers | p. 215 |
| Solutions Fast Track | p. 215 |
| Frequently Asked Questions | p. 217 |
| Mapping WarDrives | p. 219 |
| Introduction | p. 220 |
| Using the Global Positioning System Daemon with Kismet | p. 220 |
| Installing GPSD | p. 220 |
| Starting GPSD | p. 223 |
| Starting GPSD with Serial Data Cable | p. 223 |
| Starting GPSD with USB Data Cable | p. 225 |
| Configuring Kismet for Mapping | p. 226 |
| Enabling GPS Support | p. 226 |
| Mapping WarDrives with GPSMAP | p. 227 |
| Creating Maps with GPSMAP | p. 227 |
| Mapping WarDrives with StumbVerter | p. 231 |
| Installing StumbVerter | p. 231 |
| Generating a Map With StumbVerter | p. 235 |
| Exporting NetStumbler Files for Use with StumbVerter | p. 235 |
| Importing Summary Files to MapPoint with StumbVerter | p. 237 |
| Saving Maps with StumbVerter | p. 242 |
| Summary | p. 244 |
| Solutions Fast Track | p. 245 |
| Frequently Asked Questions | p. 246 |
| Using Man-in-the-Middle Attacks to Your Advantage | p. 247 |
| Introduction | p. 248 |
| What is a MITM Attack? | p. 248 |
| MITM Attack Design | p. 248 |
| The Target-AP(s) | p. 248 |
| The Victim-Wireless Client(s) | p. 248 |
| The MITM Attack Platform | p. 249 |
| MITM Attack Variables | p. 249 |
| Hardware for the Attack-Antennas, Amps, WiFi Cards | p. 250 |
| The Laptop | p. 251 |
| Wireless Network Cards | p. 251 |
| Choosing the Right Antenna | p. 252 |
| Amplifying the Wireless Signal | p. 253 |
| Other Useful Hardware | p. 254 |
| Identify and Compromise the Target Access Point | p. 255 |
| Identify the Target | p. 255 |
| Compromising the Target | p. 255 |
| The MITM Attack Laptop Configuration | p. 257 |
| The Kernel Configuration | p. 258 |
| Obtaining the Kernel Source | p. 258 |
| Configure and Build the Kernel | p. 258 |
| Setting Up the Wireless Interfaces | p. 261 |
| wlan0 - Connecting to the Target Network | p. 261 |
| wlan1 - Setting up the AP | p. 261 |
| IP Forwarding and NAT Using Iptables | p. 262 |
| Installing Iptables and IP Forwarding | p. 263 |
| Establishing the NAT Rules | p. 264 |
| Dnsmasq | p. 265 |
| Installing Dnsmasq | p. 265 |
| Configuring Dnsmasq | p. 265 |
| Apache Hypertext Preprocessor and Virtual Web Servers | p. 267 |
| Clone the Target Access Point and Begin the Attack | p. 269 |
| Establish Wireless Connectivity and Verify Services are Started | p. 269 |
| Start the Wireless Interface | p. 269 |
| Verify Connectivity to the Target Access Point | p. 270 |
| Verify Dnsmasq is Running | p. 270 |
| Verify Iptables is Started and View the Running Rule Sets | p. 271 |
| Deauthenticate Clients Connected to the Target Access Point | p. 272 |
| Wait for the Client to Associate to Your Access Point | p. 272 |
| Identify Target Web Applications | p. 273 |
| Spoof the Application | p. 274 |
| Using wget to Download the Target Web Page | p. 274 |
| Modify the Page | p. 274 |
| Redirect Web Traffic Using Dnsmasq | p. 276 |
| Summary | p. 278 |
| Solutions Fast Track | p. 278 |
| Frequently Asked Questions | p. 281 |
| Using Custom Firmware for Wireless Penetration Testing | p. 283 |
| Choices for Modifying the Firmware on a Wireless Access Point | p. 284 |
| Software Choices | p. 284 |
| Hyper WRT | p. 284 |
| DD-WRT | p. 284 |
| OpenWRT | p. 284 |
| Hardware Choices | p. 285 |
| Installing OpenWRT on a Linksys WRT54G | p. 285 |
| Downloading the Source | p. 286 |
| Installation and How Not to Create a Brick | p. 287 |
| Installation via the Linksys Web Interface | p. 288 |
| Installation via the TFTP Server | p. 290 |
| Command Syntax and Usage | p. 293 |
| Configuring and Understanding the OpenWRT Network Interfaces | p. 296 |
| Installing and Managing Software Packages for OpenWRT | p. 298 |
| Finding and Installing Packages | p. 299 |
| Uninstalling Packages | p. 302 |
| Enumeration and Scanning from the WRT54G | p. 302 |
| Nmap | p. 302 |
| Netcat | p. 304 |
| Tcpdump | p. 304 |
| Installation and Configuration of a Kismet Drone | p. 306 |
| Installing the Package | p. 306 |
| Configuring the Kismet Drone | p. 307 |
| Making the Connection and Scanning | p. 307 |
| Installing Aircrack to Crack a WEP Key | p. 310 |
| Mounting a Remote File System | p. 310 |
| Installing the Aircrack Tools | p. 311 |
| Summary | p. 314 |
| Solutions Fast Track | p. 315 |
| Frequently Asked Questions | p. 318 |
| Wireless Video Testing | p. 319 |
| Introduction | p. 320 |
| Why Wireless Video? | p. 320 |
| Let's Talk Frequency | p. 320 |
| Let's Talk Format | p. 320 |
| Let's Talk Terms | p. 321 |
| Wireless Video Technologies | p. 321 |
| Video Baby Monitors | p. 322 |
| Security Cameras | p. 324 |
| X10.com | p. 324 |
| D-Link | p. 325 |
| Others | p. 326 |
| Tools for Detection | p. 327 |
| Finding the Signal | p. 327 |
| Scanning Devices | p. 328 |
| ICOM IC-R3 | p. 329 |
| X10 Accessories | p. 334 |
| WCS-99 | p. 336 |
| The Spy Finder | p. 338 |
| Summary | p. 339 |
| Solutions Fast Track | p. 339 |
| Frequently Asked Questions | p. 341 |
| Solutions Fast Track | p. 343 |
| Device Driver Auditing | p. 361 |
| Introduction | p. 362 |
| Why Should You Care | p. 363 |
| What is a Device Driver? | p. 366 |
| Windows | p. 367 |
| OS X | p. 367 |
| Linux | p. 368 |
| Setting Up a Test Environment | p. 368 |
| WiFi | p. 369 |
| Bluetooth | p. 370 |
| Testing the Drivers | p. 371 |
| WiFi | p. 372 |
| Bluetooth | p. 378 |
| Looking to the Future | p. 380 |
| Summary | p. 383 |
| Index | p. 385 |
| Table of Contents provided by Ingram. All Rights Reserved. |
ISBN: 9781597491112
ISBN-10: 159749111X
Published: 1st January 2007
Format: Paperback
Language: English
Number of Pages: 450
Audience: General Adult
Publisher: Elsevier Inc
Country of Publication: US
Dimensions (cm): 25.4 x 17.78 x 2.31
Weight (kg): 0.61