Wednesday, March 24, 2010

zenmap a very useful network tracking utility

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

wpa cracker

WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400-CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.

Which dictionary to use:
The standard English dictionary is 136 million words, and there is also an "extended" dictionary that is an additional 284 million words. The "extended" dictionary is not a superset of the "standard" dictionary. This is to say that the words in the "standard" dictionary are not also in the "extended" dictionary. The former contains the 136 million words that we find are most likely for cracking success, so we recommend only trying the "extended" dictionary where the "standard" dictionary has failed.
The job costs the same whether we find your password or not. You're paying for either the recovery (which is most often the case), or the knowledge that if you were to build an exhaustive 135 million word dictionary file and run your handshake against it for five days, you'd find nothing.
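To see why one handshake takes days on a PC but minutes on a cluster, here is an added Python example (not code from the post or from the WPA Cracker service) that performs the standard WPA-PSK key derivation from IEEE 802.11i, PBKDF2-HMAC-SHA1 with 4096 rounds salted by the SSID, times it on the local machine, and turns that rate into an estimate of how long a wordlist of a given size takes. The dictionary size and the 400-core figure are the post's; the per-core rate, the candidate passphrases and the helper names are assumptions of the example. The same estimate tells a defender how long a given passphrase policy survives a wordlist of that size.

```python
import hashlib
import time


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1,
    4096 rounds, SSID as salt, 256-bit output. It is what wpa_passphrase
    writes into a psk= line, and it is the cost every dictionary guess pays."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def self_check() -> bool:
    """Known-answer test vector from the 802.11 standard's annex."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


def measure_guesses_per_second(ssid: str, samples: int = 200) -> float:
    """Rough single-core throughput of derive_pmk on this machine
    (candidate passphrases are constructed; only the timing matters)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i}", ssid)
    return samples / (time.perf_counter() - start)


def estimate_days(dictionary_size: int, guesses_per_second: float, cores: int = 1) -> float:
    """Wall-clock days to push an entire wordlist through derive_pmk,
    assuming the work splits evenly across the given number of cores."""
    seconds = dictionary_size / (guesses_per_second * cores)
    return seconds / 86400.0


if __name__ == "__main__":
    assert self_check(), "PBKDF2 derivation does not match the 802.11 test vector"
    rate = measure_guesses_per_second("IEEE")
    print(f"{rate:,.0f} PBKDF2 guesses/s on one core")
    for cores in (1, 2, 400):          # single core, the post's dual-core PC, the post's cluster
        days = estimate_days(135_000_000, rate, cores)
        print(f"{cores:4d} core(s): {days:8.3f} days for 135M words")
```

With the post's own figures (135 million words in 5 days on a dual-core PC) the implied rate is about 312 guesses per second per PC, and dividing the same work over 400 cores lands close to the 20 minutes the service quotes; the point for a defender is that the derivation cost is fixed by the standard, so the only lever left is keeping the passphrase out of any wordlist.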

Tuesday, March 23, 2010

Installing and using Kismet

If you believe your destiny is to discover wireless networks, then Kismet is
for you. Kismet is freeware 802.11b and g (and 802.11a with the right card)
wardriving software. Kismet can capture data from multiple packet sources
and can log in ethereal-, tcpdump-, and AirSnort-compatible log files. In addition,
Kismet can do the following:
Detect other scanning programs like NetStumbler
Channel hop
Highlight the detected default access point configurations
Discover “closed,” “hidden,” or “cloaked” SSIDs for access points where SSID broadcast is disabled
Identify the manufacturers of discovered access points
Group and custom name SSIDs
Detect Cisco products by using CDP
Detect IP block
Passively monitor and record wireless network data packets, including encrypted ones
Map access point locations using a GPS
Work with ethereal and AirSnort
Kismet runs on most UNIX-like systems, including Linux, Mac OS, and Cygwin,
and supports Hermes and Prism2 chipset cards with linux-wlan-ng drivers.
You can find information at the following Web sites:
You can find more about drivers at Jean Tourrilhes’ Web page:
www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Wireless.html
Mark Mathew’s AbsoluteValue Systems Web page offers information
about drivers as well.
www.linux-wlan.com/linux-wlan
If you feel adventurous, you can learn how to install Kismet on Cygwin:
www.renderlab.net/projects/wardrive/wrt54g/kismetonwindows.html
You can find Kismet at www.kismetwireless.net. You also can get Kismet
for handheld computers — that is, iPaq/ARM and Zaurus/ARM — with embedded
Linux. You need the ARM version from www.kismetwireless.net/download.shtml.

Looking for General Client Vulnerabilities

After you find out which wireless systems are alive on your network, you can
take your testing a step further and see which vulnerabilities really stand out.
There are various freeware, open source, and commercial tools to help you
along with your efforts including:
LanSpy (www.lantricks.com): LanSpy is a Windows-based freeware tool for enumerating Windows systems.
Amap (http://thc.org/thc-amap): Amap is an open source Linux- and Windows-based application mapping tool.
Nessus (www.nessus.org): This is an open source network and OS vulnerability-assessment tool that runs on Linux and Windows.
GFI LANguard Network Security Scanner (www.gfi.com/lannetscan): This is a Windows-based commercial tool for performing network and OS vulnerability assessments.
QualysGuard (www.qualys.com): QualysGuard is an application service provider-based commercial tool for performing network and OS vulnerability assessments.

Friday, March 19, 2010

WEP Weaknesses

Security researchers have discovered security problems that let malicious
users compromise the security of WLANs that use WEP — these, for instance:
Passive attacks to decrypt traffic: These are based on statistical analysis.
Active attacks to inject new traffic from unauthorized mobile stations: These are based on known plaintext.
Active attacks to decrypt traffic: These are based on tricking the access point.
Dictionary-building attacks: These are possible after analyzing enough traffic on a busy network.
The biggest problem with WEP is when the installer doesn’t enable it in the
first place. Even bad security is generally better than no security.
When people do use WEP, they forget to change their keys periodically.
Having many clients in a wireless network — potentially sharing the identical
key for long periods of time — is a well-known security vulnerability. If you
keep your key long enough, someone can grab all the frames he needs to
crack it.
Can’t blame most access-point administrators for not changing keys — after
all, the WEP protocol doesn’t offer any key management provisions. But the
situation is dangerous: When someone in your organization loses a laptop for
any reason, the key could become compromised — along with all the other
computers sharing the key. So it’s worth repeating . . .
Shared keys can compromise a wireless network. As the number of people
sharing the key grows, so does the security risk. A fundamental tenet of cryptography
is that the security of a system is largely dependent on the secrecy
of the keys. Expose the keys and you expose the text. Share the key, and a
cracker only has to crack it once. Moreover, when every station uses the
same key, an eavesdropper has ready access to a large amount of traffic for
analytic attacks.
As if key management problems weren’t enough, you have other problems
with the WEP algorithm. Check out these bugbears in the WEP initialization
vector:
The IV is too small and in cleartext. It’s a 24-bit field sent in the cleartext
portion of a message. This 24-bit string, used to initialize the key
stream generated by the RC4 algorithm, is a relatively small field when
used for cryptographic purposes.
The IV is static. Reuse of the same IV produces identical key streams for
the protection of data, and because the IV is short, it guarantees that
those streams will repeat after a relatively short time (between 5 and 7
hours) on a busy network.
The IV makes the key stream vulnerable. The 802.11 standard does not
specify how the IVs are set or changed, and individual wireless adapters
from the same vendor may all generate the same IV sequences, or some
wireless adapters may possibly use a constant IV. As a result, hackers
can record network traffic, determine the key stream, and use it to
decrypt the ciphertext.
The IV is a part of the RC4 encryption key. The fact that an eavesdropper
knows 24-bits of every packet key, combined with a weakness in the
RC4 key schedule, leads to a successful analytic attack that recovers the
key after intercepting and analyzing only a relatively small amount of
traffic. Such an attack is so nearly a no-brainer that it’s publicly available
as an attack script and as open-source code.
WEP provides no cryptographic integrity protection. However, the
802.11 MAC protocol uses a non-cryptographic Cyclic Redundancy Check
(CRC) to check the integrity of packets, and acknowledges packets that
have the correct checksum. The combination of non-cryptographic checksums
with stream ciphers is dangerous — and often introduces vulnerabilities.
The classic case? You guessed it: WEP.
There is an active attack that permits the attacker to decrypt any packet
by systematically modifying the packet and its CRC, sending it to the AP,
and noting whether the packet is acknowledged. These kinds of attacks
are often subtle, and it is now considered risky to design encryption protocols
that do not include cryptographic integrity protection, because of
the possibility of interactions with other protocol levels that can give
away information about ciphertext.
Only one of the problems listed above depends on a weakness in the cryptographic
algorithm. Therefore substituting a stronger stream cipher will not
help. For example, the vulnerability of the key stream is a consequence of a
weakness in the implementation of the RC4 stream cipher — and that’s
exposed by a poorly designed protocol.

WEP Encryption

The popular press has done a lot to discourage organizations and individuals
from using wireless networks. If you’ve been paying attention to the brouhaha,
then you’re aware of all the negative articles about wireless security — especially
those dealing with encryption. Part of the problem is that the press and
others don’t understand the basis for WEP. As implied by its name, the developers
of Wired Equivalent Privacy intended for it to give clients the same level
of security found on a wired network — which, quite frankly, isn’t much.
With the exception of a fully switched environment, eavesdroppers can have their
way with frames traversing a wired network. WEP was never intended to
provide message integrity, non-repudiation, and confidentiality. And guess
what — it doesn’t.
WEP uses the symmetrical RC4 (Ron’s Code 4) algorithm and a PRNG
(Pseudo-Random Number Generator). The original standard specified 40 (in
practice, 64) and 128-bit key lengths with a 24-bit initialization vector (IV).
Then there’s the matter of incomplete coverage of network layers: WEP
encrypts Layers 3 through 7, but does not encrypt the MAC layer (that is,
Layer 2). Because it’s a symmetrical algorithm, WEP gives every client the
keys and other configuration data.
Okay, we know there’s nothing wrong with the RC4 algorithm per se — after
all, Web browsers use it for Secure Sockets Layer (SSL). The problem is in the
WEP implementation of the RC4 algorithm — and the false sense of security it
encourages.
The algorithm takes the IV, which is in plaintext, and sticks it on the front end
of the secret key (which the decrypter knows). WEP then plugs the result
into the RC4 to regenerate the key stream. Next, the algorithm XORs the key
stream with the ciphertext, which should give us the plaintext value. Finally,
WEP re-performs the CRC-32 checksum on the message and ensures that it
matches the integrity check value in our encrypted plaintext. Should the
checksums not match, WEP assumes that someone tampered with the
packet, and will discard it.
As mentioned earlier, access points generally have only three (namely, the
following) encryption settings available:
None: This setting represents the most serious risk because someone can easily intercept, read, and alter unencrypted data traversing the network.
40-bit shared key: A 40-bit shared key encrypts the network communications data, but there is still a risk of compromise. The 40-bit encryption has been broken by brute force cryptanalysis, using a high-end graphics computer — and even low-end computers — so it has only questionable value. We show you some tools in later sections that allow you to easily recover 40-bit keys — and if you can, a bad guy can.
104-bit setting: In general, 104-bit (sometimes called 128-bit) encryption is more secure than 40-bit encryption because of the significant difference in the size of the cryptographic key space. Even though this better security isn’t true for 802.11 WEP (because of poor cryptographic design in the use of IVs), it is nonetheless recommended as a good practice. Again, you should be vigilant about checking with the vendor regarding upgrades to firmware and software — you may find some that overcome some of the WEP problems. (Some vendors, for example, support 152-bit keys.)

Thursday, March 18, 2010

Using Cain & Abel

Cain & Abel is a freeware password recovery tool that runs on a Microsoft
platform. It allows easy recovery of various kinds of passwords by sniffing
the network, cracking encrypted passwords using Dictionary, Brute-Force
and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled
passwords, revealing password boxes, uncovering cached passwords
and analyzing routing protocols. This tool covers some security weaknesses
present in the protocols, authentication methods and caching mechanisms.
Cain & Abel was developed for network administrators, security consultants
or professionals, forensic staff, security-software vendors, and professional
penetration testers.
Cain & Abel is actually two different programs. Cain has the following
features:
Protected Storage Password Manager: Reveals locally stored passwords
of Outlook, Outlook Express, Outlook Express Identities, Outlook
2002, Internet Explorer, and MSN Explorer.
Credential Manager Password Decoder: Reveals passwords stored in
Enterprise and Local Credential Sets on Windows XP/2003.
LSA Secrets Dumper: Dumps the contents of the Local Security
Authority Secrets.
Dialup Password Decoder: Reveals passwords stored by Windows “Dial-
Up Networking” component.
APR (ARP Poison Routing): Enables sniffing on switched networks and
Man-in-the-Middle attacks.
Route Table Manager: Provides the same functionality of the Windows
tool route.exe with a GUI front-end.
SID Scanner: Extracts usernames associated with Security Identifiers
(SIDs) on a remote system.
Network Enumerator: Retrieves, where possible, the user names,
groups, shares, and services running on a machine.
Service Manager: Allows you to stop, start, pause, continue, or remove
a service.
Sniffer: Captures passwords, hashes, and authentication information
during transmission on the network. Includes several filters for application
specific authentications and routing protocols. The VoIP filter
enables the capture of voice conversations transmitted with the SIP/RTP
protocol saved later as WAV files.
Routing Protocol Monitors: Monitors messages from various routing
protocols (HSRP, VRRP, RIPv1, RIPv2, EIGRP, OSPF) to capture authentications
and shared route tables.
Full SSH-1 sessions sniffer for APR (APR-SSH-1): Allows you to capture
all data sent in an SSH-1 session on the network.
Full HTTPS sessions sniffer for APR (APR-HTTPS): Allows you to capture
all data sent in a HTTPS session on the network.
Certificates Collector: Grabs certificates from HTTPS Web sites and prepares
them for use by APR-HTTPS.
MAC Address Scanner with OUI fingerprint: Using OUI fingerprint,
makes an informed guess about the device based on the MAC address.
Promiscuous-mode Scanner based on ARP packets: Identifies sniffers
and network intrusion detection systems present on the LAN.
Wireless Scanner: Scans for wireless networks signal within range. This
feature is based on NetStumbler that we discuss in Chapter 9.
Access (9x/2000/XP) Database Passwords Decoder: Decodes the stored
encrypted passwords for Microsoft Access Database files.
Base64 Password Decoder: Decodes Base64 encoded strings.
Cisco Type-7 Password Decoder: Decodes Cisco Type-7 passwords used
in router and switches configuration files.
VNC Password Decoder: Decodes encrypted VNC passwords from the
registry.
Enterprise Manager Password Decoder: Decodes passwords used by
Microsoft SQL Server Enterprise Manager (SQL 7.0 and 2000 supported).
Remote Desktop Password Decoder: Decodes passwords in Remote
Desktop Profiles (.RDP files).
PWL Cached Password Decoder: Allows you to view all cached
resources and relative passwords in clear text either from locked or
unlocked password list files.
Password Crackers: Enables the recovery of clear text passwords
scrambled using several hashing or encryption algorithms. All crackers
support Dictionary and Brute-Force attacks.
Cryptanalysis attacks: Enables password cracking using the “Faster
Cryptanalytic time – memory trade off” method introduced by Philippe
Oechslin. This cracking technique uses a set of large tables of precalculated
encrypted passwords, called Rainbow Tables, to improve
the trade-off methods known today and to speed up the recovery of
cleartext passwords.
NT Hash Dumper + Password History Hashes (works with Syskey
enabled): Retrieves the NT password hash from the SAM file regardless
of whether Syskey is enabled or not.
Microsoft SQL Server 2000 Password Extractor via ODBC: Connects to
an SQL server via ODBC and extracts all users and passwords from the
master database.
Box Revealer: Shows passwords hidden behind asterisks in password
dialog boxes.
RSA SecurID Token Calculator: Calculates the RSA key given the tokens
.ASC file.
Hash Calculator: Produces the hash values of a given text.
TCP/UDP Table Viewer: Shows the state of local ports (like netstat).
TCP/UDP/ICMP Traceroute with DNS resolver and WHOIS client: An
improved traceroute that can use TCP, UDP and ICMP protocols and
provides whois client capabilities.
Cisco Config Downloader/Uploader (SNMP/TFTP): Downloads or
uploads the configuration file from/to a specified Cisco device (IP or
hostname) given the SNMP read/write community string.
Abel provides the following features:
Remote Console: Provides a remote system shell on the remote machine.
Remote Route Table Manager: Manages the route table of the remote
system.
Remote TCP/UDP Table Viewer: Shows the state of local ports (like netstat)
on the remote system.
Remote NT Hash Dumper + Password History Hashes (works with
Syskey enabled): Retrieves the NT password hash from the SAM file
regardless of whether Syskey is enabled or not; works on the Abel-side.
Remote LSA Secrets Dumper: Dumps the contents of the Local Security
Authority Secrets present on the remote system.


Using iwspy linux tools

You use iwspy to get statistics from specific wireless nodes. With iwspy, you
can list the addresses associated with a wireless network interface and get
link-quality information for each. The syntax is as follows:
iwspy interface [+] DNSNAME | IPADDR | HWADDR [...]
iwspy interface off
Let’s look at each one of the parameters.
DNSNAME | IPADDR: Use this parameter to set an IP address or DNS name (using the name resolver).
HWADDR: Use this parameter to set a hardware (MAC) address.
Plus sign (+): Use this parameter to add a new set of addresses to the end of the current list.
off: Use this parameter to remove the current list of addresses and to disable the spy functionality.

Using iwpriv linux tools

iwpriv is the companion tool to iwconfig. Again, you use iwpriv to configure
optional (private) parameters for a wireless network interface. You use
iwpriv for parameters and settings specific to each driver, as opposed to
iwconfig, which deals with generic ones. The syntax is as follows:
iwpriv interface private-command [I] [private-parameters]
iwpriv interface --all
iwpriv interface roam {on,off}
iwpriv interface port {ad-hoc,managed,N}
Using the iwpriv command without any parameters lists the available private
commands for each interface and the parameters required.
Let’s look at each one of the parameters.
private-command [I] [private-parameters]: Use the specified private-command on the interface. The I parameter, which stands for an integer, is the integer to pass to the command as a Token Index. Your driver documentation should specify the value for the integer; otherwise leave the value out.
The command may optionally take or require arguments, and may display information. The following paragraphs provide information on the arguments.
-a/--all: Use this parameter to execute and display all the private commands that don’t require any arguments, for example, read only.
roam: Use this parameter to enable or disable roaming, when supported.
port: Use this parameter to read or configure the port type.

Using iwlist

iwlist allows you to display more detailed information from a wireless interface
than you can get with iwconfig. For instance, you can get the ESSID,
node name, frequency, signal quality and strength and bit data and error rate.
The syntax is as follows:
iwlist interface scanning
iwlist interface frequency
iwlist interface rate
iwlist interface key
iwlist interface power
iwlist interface txpower
iwlist interface retry
iwlist --help
iwlist --version
Let’s look at each one of the parameters.
scan[ning]: Use this parameter to specify the access points and ad-hoc
cells in range. For example, the following enables scanning.
iwlist wlan0 scan
Run this command and you may see something like the following:
wlan0 Scan completed:
Cell 01 - Address: 00:02:2D:8F:09:8D
ESSID:"pdaconsulting"
Mode:Master
Frequency:2.462GHz
Quality:0/88 Signal level:-50 dBm Noise level:-92 dBm
Encryption key:off
Bit Rate:1Mb/s
Bit Rate:2Mb/s
Bit Rate:5.5Mb/s
Bit Rate:11Mb/s
freq[uency]/channel: Use this parameter to specify the list of available frequencies for the device and the number of defined channels.
rate/bit[rate]: Use this parameter to list the bit-rates supported by the device.
key/enc[ryption]: Use this parameter to list the supported encryption key sizes and to display all the available encryption keys.
power: Use this parameter to list the various Power Management attributes and modes of the device.
txpower: Use this parameter to list the various Transmit Powers available on the device.
retry: Use this parameter to list the transmit retry limits and retry lifetime on the device.
--version: Use this parameter to display the version of the tools, as well as the recommended and current Wireless Extensions version for the tool and the various wireless interfaces.
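A scan like the one shown for iwlist wlan0 scan is easy to read for one cell, but an audit of a building produces dozens. As an added example (not part of the post or of the Wireless Tools project), the following Python script parses scan output of that shape into records and lists the cells that advertise Encryption key:off, which is the first thing a wireless audit flags. The sample text is constructed to mirror the post's output, with a second, encrypted cell added for contrast; newer iwlist versions print some fields with = instead of : and join bit rates on one line, so the field regexes accept either form.

```python
import re

# Constructed sample mirroring the post's iwlist output; the second cell is added for contrast.
SAMPLE_SCAN = """wlan0     Scan completed:
          Cell 01 - Address: 00:02:2D:8F:09:8D
                    ESSID:"pdaconsulting"
                    Mode:Master
                    Frequency:2.462GHz
                    Quality:0/88  Signal level:-50 dBm  Noise level:-92 dBm
                    Encryption key:off
                    Bit Rate:1Mb/s
                    Bit Rate:2Mb/s
                    Bit Rate:5.5Mb/s
                    Bit Rate:11Mb/s
          Cell 02 - Address: 00:0F:66:AA:BB:CC
                    ESSID:"corp-lab"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Quality=40/88  Signal level=-63 dBm  Noise level=-92 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
"""

CELL_RE = re.compile(r"Cell\s+(\d+)\s+-\s+Address:\s*([0-9A-Fa-f:]{17})")


def parse_iwlist_scan(text: str) -> list:
    """Turn iwlist scan output into one dict per cell.  Fields use ':' in older
    Wireless Tools and '=' in newer ones, so the regexes accept both."""
    cells = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.search(line)
        if m:
            cur = {"cell": int(m.group(1)), "bssid": m.group(2).upper(), "bit_rates": []}
            cells.append(cur)
            continue
        if cur is None:
            continue                    # header line before the first cell
        if line.startswith("ESSID:"):
            cur["essid"] = line[len("ESSID:"):].strip().strip('"')
        elif line.startswith("Mode:"):
            cur["mode"] = line[len("Mode:"):].strip()
        elif line.startswith("Frequency:"):
            cur["frequency_ghz"] = float(re.search(r"([\d.]+)\s*GHz", line).group(1))
        elif line.startswith("Quality"):
            q = re.search(r"Quality[:=]\s*(\d+)/(\d+)", line)
            s = re.search(r"Signal level[:=]\s*(-?\d+)", line)
            n = re.search(r"Noise level[:=]\s*(-?\d+)", line)
            cur["quality"] = (int(q.group(1)), int(q.group(2)))
            cur["signal_dbm"] = int(s.group(1))
            cur["noise_dbm"] = int(n.group(1))
        elif line.startswith("Encryption key:"):
            cur["encrypted"] = line.split(":", 1)[1].strip().lower() == "on"
        elif line.startswith("Bit Rate"):
            cur["bit_rates"].extend(float(x) for x in re.findall(r"([\d.]+)\s*Mb/s", line))
    return cells


def open_networks(cells: list) -> list:
    """ESSIDs of cells with no link-layer encryption at all."""
    return [c.get("essid", "") for c in cells if not c.get("encrypted", False)]


if __name__ == "__main__":
    found = parse_iwlist_scan(SAMPLE_SCAN)
    for c in found:
        print(f"{c['bssid']}  {c.get('essid', ''):<16} {c.get('signal_dbm', 0):>4} dBm  "
              f"{'OPEN' if not c.get('encrypted') else 'encrypted'}")
    print("open:", open_networks(found))
```

Feeding real output in is a matter of `parse_iwlist_scan(subprocess.run(["iwlist", "wlan0", "scan"], capture_output=True, text=True).stdout)`; an "Encryption key:on" cell can still be WEP, so a real audit would go on to check the IE lines that newer iwlist versions print for WPA/WPA2.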

Using iwconfig linux tools

You use iwconfig to configure a wireless network interface. If you’re familiar
with the ifconfig command, the iwconfig command is similar but works
only with wireless interfaces. You use iwconfig to set the network interface
parameters, such as frequency. As well, you can use iwconfig to set the
wireless parameters and display statistics. The syntax is as follows:
iwconfig interface [essid X] [nwid N] [freq F] [channel C]
[sens S] [mode M] [ap A] [nick NN]
[rate R] [rts RT] [frag FT] [txpower T]
[enc E] [key K] [power P] [retry R]
[commit]
iwconfig --help
iwconfig --version
Let’s look at each one of the parameters.
essid: Use the ESSID parameter to specify the ESSID or Network Name.
For example, the following specifies that you want to set the ESSID for
the wireless adapter to ANY for wardriving.
iwconfig eth0 essid any
nwid/domain: Use the Network ID parameter to specify the network ID
or Domain ID. For example, the following specifies that you want to disable
Network ID checking.
iwconfig eth0 nwid off
freq/channel: Use this parameter to set the operating frequency or
channel. A value below 1,000 represents the channel number, while a
value above that is the frequency in Hz. For example, the following specifies
that you want to set the frequency to 2.422 GHz.
iwconfig eth0 freq 2.422G
Or for example, the following specifies that you want to use
channel three.
iwconfig eth0 channel 3
sens: Use this parameter to set the sensitivity threshold. For example,
the following specifies the level as 80 dBm.
iwconfig eth0 sens -80
mode: Use this parameter to set the operating mode of the device. The
operating mode is one of the following:
• Ad-hoc: no Access Point.
• Managed: more than one Access Point, with roaming.
• Master: synchronization master or an Access Point.
• Repeater: node forwards packets between other wireless nodes.
• Secondary: node acts as a backup master or repeater.
• Monitor: the node acts as a passive monitor and only receives
packets.
• Auto: self-explanatory.
For example, the following specifies that the network is infrastructure
mode.
iwconfig eth0 mode managed
ap: Use this parameter to force the card to register to the Access Point
given by the address. Use off to re-enable automatic mode without
changing the current Access Point, or use any or auto to force the card
to re-associate with the current best Access Point. For example, the following
forces association with the access point with the hardware
address of 00:60:1D:01:23:45.
iwconfig eth0 ap 00:60:1D:01:23:45
nick[name]: Use this parameter to set the nickname or station name.
For example, the following sets the nickname to Peter Node.
iwconfig eth0 nickname "Peter Node"
rate/bit[rate]: Use this parameter to set the bit-rate in bits per
second for cards supporting multiple bit rates. For example, the following
sets the bit rate to 11 Mbps.
iwconfig eth0 rate 11M
rts[_threshold]: Use this parameter to turn RTS/CTS on or off. For
example, the following turns RTS/CTS off.
iwconfig eth0 rts off
frag[mentation_threshold]: Use this parameter to turn fragmentation
on or off. For example, the following specifies a maximum fragment
size of 512K.
iwconfig eth0 frag 512
key/enc[ryption]: Use this parameter to turn encryption or scrambling
keys on or off and to set the encryption mode. For example, the following
specifies an encryption key.
iwconfig eth0 key 0123-4567-89
power: Use this parameter to set the power management scheme and
mode. For example, the following disables power management.
iwconfig eth0 power off
txpower: Use this parameter to set the transmit power in dBm for cards
supporting multiple transmit powers. For example, the following set the
transmit power to 15 dBm.
iwconfig eth0 txpower 15
If you are unfamiliar with dBm as a measurement, refer to www.atis.org/tg2k/_dbm.html
for a definition.
retry: Use this parameter to set the maximum number of MAC retransmission
retries. For example, the following specifies to retry 16 times.
iwconfig eth0 retry 16
commit: Use this parameter to force the card to apply all pending
changes rather than waiting for the issuance of an ifconfig command.
For example, the following specifies to commit the changes.
iwconfig eth0 commit
Link quality: Use this parameter to display the quality of the link.
Signal level: Use this parameter to show the received signal strength.
Noise level: Use this parameter to display the background noise level.
invalid nwid: Use this parameter to detect configuration problems or
the existence of an adjacent network.
invalid crypt: Use this parameter to display the number of packets
that the hardware couldn’t decrypt.
invalid misc: Use this parameter to display other packets lost in relation
with specific wireless operations.
There you have it. Remember you can get more information by using the
man command.

Using Linux Wireless Extension and Wireless Tools

The Linux Wireless Extension and Wireless Tools are an open source project
sponsored by Hewlett Packard. The Wireless Extension is a generic application
programming interface (API) that gives you information and statistics
about the user space. Wireless Tools is a set of tools that use the Wireless
Extensions. The Wireless Tools are:
iwconfig: Changes the basic wireless parameters.
iwpriv: Changes the Wireless Extensions specific to a driver (private).
iwlist: Lists addresses, frequencies, and bit rates.
iwspy: Gets per-node link quality.
We explore these tools in turn in the following sections. For each tool, we
provide an illustrative example. If you want to really understand the command
and its many parameters, however, please check out the man page for
the syntax and other information about any of these commands. If you have a
Web browser, you can use Google.
Linux Wireless Extensions are powerful additions to your ethical hacking
utility belt. Linux Wireless Extensions are available from
http://pcmcia-cs.sourceforge.net/ftp/contrib. Look for the entry wireless_tools.27.tar.gz
near the bottom of the available documents and programs. Wireless Extensions
v.14 is bundled in the 2.4.20 kernel, and v.16 is in the 2.4.21 kernel.
iwlist and the others are great tools. They get their information from the
standard kernel interface /proc/net/wireless. But these tools provide only
a snapshot in time; they do not provide statistics over time. If you favor the
Windows platform, you can use a great tool like NetStumbler (we cover this
tool in depth in Chapter 9). But when you work with Linux, you want to find a
better link-monitoring tool. The other tools in this section provide more functionality
than iwconfig, iwpriv, iwlist, and iwspy.

open ports - Xavi7968 Solos 4610 RD telefonica router

To start, you need to find out your router model. Then find your router's IP address by typing ipconfig in the cmd console, and type that router IP into your browser, something like this:

After that, find the port configuration page, select both protocols (TCP/UDP), and select the port that you wish to open:

Wednesday, March 17, 2010

Understanding Standards

1. ISO 17799
2. COBIT
3. SSE-CMM
4. ISSAF
5. OSSTMM

ISO 17799
The ISO/IEC 17799 is an internationally adopted “code of practice for information
security management” from the International Organization for Standardization
(ISO). The international standard is based on British Standard BS 7799.
You can find information about the standard at www.iso.org.
ISO/IEC 17799 is a framework or guideline for your ethical hack — not a true
methodology — but you can use it to help you plan. The document does not
specifically deal with wireless, but it does address network-access control.
The document is a litany of best practices at a higher level than we would
want for a framework for ethical hacking.
One requirement in the document is to control access to both internal and
external networked services. To cover this objective, you need to try to connect
to the wireless access point and try to access any resource on the wired
network.
The document also requires that you ensure there are appropriate authentication
mechanisms for users. You can test this by attempting to connect to a
wireless access point (AP). When there is Open System authentication (see
Chapter 16) you need not do any more work. Obviously no authentication
is not appropriate authentication. APs with shared-key authentication may
require you to use the tools shown in Chapter 15 to crack the key. If the AP is
using WPA security, then you will need to use another tool, such as WPAcrack.

COBIT
COBIT is an IT governance framework. Like ISO 17799, this framework will
not provide you with a testing methodology, but it will provide you with the
objectives for your test.
You can find information about COBIT at www.itgi.org/.

Using SSE-CMM
Ever heard of the CERT? (Give you a hint: It’s not a breath mint or a candy.)
It’s the Computer Emergency Response Team that’s part of the Software
Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh,
Pennsylvania. Well, the SEI is known for something else: It developed a
number of capability maturity models (CMM) — essentially specs that can give
you a handle on whether a particular system capability is up to snuff. The SEI
included a CMM just for security — the Systems Security Engineering CMM
(SSE-CMM for short). Now, the SSE-CMM won’t lay out a detailed method of
ethical hacking, but it can provide a framework that will steer you right. The
SSE-CMM can help you develop a scorecard for your organization that can
measure security effectiveness.
You can find out about SSE-CMM at www.sei.cmu.edu/.
The Computer Emergency Response team also sends out security alerts and
advisories. The CERT has a methodology as well — OCTAVE. OCTAVE stands
for Operationally Critical Threat, Asset, and Vulnerability Evaluation. You can
use OCTAVE as a methodology to build a team, identify threats, quantify vulnerabilities,
and develop an action plan to deal with them.
You can find OCTAVE at www.cert.org/octave.

ISSAF
The ISSAF details a process that includes the following steps:
1. Information gathering
a. Scan
b. Audit
2. Analysis and research
3. Exploit and attack
4. Reporting and presentation
These steps correspond to our Ten Commandments of Ethical Hacking. For
each of the steps just given, the document identifies appropriate tasks and
tools. For example, the scanning step lists the following tasks:
Detect and identify the wireless network
Test for channels and ESSID
Test the beacon broadcast frame and recording of broadcast information
Test for rogue access points from outside the facility
IP address collection of access points and clients
MAC address collection of access points and clients
The document recommends you use programs such as Kismet, nmap, and
ethereal as tools for Step 1.
You also will find information in the document on the software you can use
and the equipment you will need to build or acquire to do your assessment
of your organization’s wireless-security posture.
The document we reviewed was a beta version, but it shows promise and is
worth watching. You can find the ISSAF at www.oissg.org/issaf.

OSSTMM
You’ll find that the OSSTMM gathers the best practices, standard legal issues,
and core ethical concerns of the global security-testing community — but
this document also serves another purpose: consistent definition of terms.
The document provides a glossary that helps sort out the nuances of vulnerability
scanning, security scanning, penetration testing, risk assessment,
security auditing, ethical hacking, and security hacking. The document also
defines white-hat, gray-hat, and black-hat hackers, so that by their metaphorical
hats ye shall know them. But even more importantly (from your viewpoint
as an ethical-hacker-to-be), it provides testing methodologies for wireless
security, distilled in the following bullets:
Posture review: General review of best practices, the organization’s
industry regulations, the organization’s business justifications, the organization’s
security policy, and the legal issues for the organization and
the organization’s regions for doing business.
Electromagnetic radiation (EMR) testing: Testing of the electromagnetic
radiation emitted from wireless devices.
802.11 wireless-networks testing: Testing of access to 802.11 WLANs.
Bluetooth network testing: Testing of Bluetooth ad-hoc networks.
Wireless-input-device testing: Testing of wireless input devices, such as
mice and keyboards.
Wireless-handheld testing: Testing of handheld wireless devices, such
as personal digital assistants and personal electronic devices.
Cordless-communications testing: Testing of cordless communication
devices, such as cellular technology.
Wireless-surveillance device testing: Testing of wireless surveillance or
monitoring devices, such as cameras and microphones.
Wireless-transaction device testing: Testing of wireless-transaction
devices, such as uplinks for cash registers and other point of sale
devices in the retail industry.
RFID testing: Testing of RFID (Radio Frequency Identifier) tags.
Infrared testing: Testing of infrared communication devices.
Privacy review: General privacy review of the legal and ethical storage,
transmission, and control of data, based on employee and customer
privacy.
Each step has associated tasks that provide more detail and specific tests. As
well, each step has a table that outlines the expected results. For example,
expected results for Step 3 include these:
Verification of the organization’s security policy and practices — and
those of its users.
Identification of the outermost physical edge of the wireless network.
Identification of the logical boundaries of the wireless network.
Enumeration of access points that lead into the network.
Identification of the IP-range (and possibly DHCP-server) of the wireless
network.
Identification of the encryption methods used for data transfer.
Identification of the authentication methods of exploitable “mobile
units” (that is, the clients) and users.
Verification of the configuration of all devices.
Determination of the flaws in hardware or software that facilitate attacks.
Obviously, you need to cut and paste these tests according to your needs.
For instance, should your organization not have infrared, then you would
skip Step 11.
The OSSTMM is available from www.isecom.org/osstmm/.

Network attacks

When it comes to the nitty-gritty bits and bytes, there are a lot of techniques
the bad guys can use to break inside your wireless realm or at least leave it
limping along in a nonworking state. Network-based attacks include
Installing rogue wireless APs and “tricking” wireless clients into connecting
to them
Capturing data off the network from a distance by walking around, driving
by, or flying overhead
Attacking the networking transactions by spoofing MAC addresses (masquerading
as a legitimate wireless user), setting up man-in-the-middle
(inserting a wireless system between an AP and wireless client) attacks,
and more
Exploiting network protocols such as SNMP
Performing denial-of-service (DoS) attacks
Jamming RF signals

Software attacks

As if the security problems with the 802.11 protocol weren’t enough, we now
have to worry about the operating systems and applications on wireless-client
machines being vulnerable to attack. Here are some examples of software
attacks:
Hacking the operating system and other applications on wireless-client
machines
Breaking in via default settings such as passwords and SSIDs that are
easily determined
Cracking WEP keys and tapping into the network’s encryption system
Gaining access by exploiting weak network-authentication systems

Understanding the enemy

The wireless network’s inherent vulnerabilities, in and of themselves, aren’t
necessarily bad. The true problem lies with all the malicious hackers out
there just waiting to exploit these vulnerabilities and make your job — and
life — more difficult. In order to better protect your systems, it helps to
understand what you’re up against — in effect, to think like a hacker. Although
it may be impossible to achieve the same malicious mindset as the cyberpunks,
you can at least see where they’re coming from technically and how
they work.
For starters, hackers are likely to attack systems that require the least
amount of effort to break into. A prime target is an organization that has just
one or two wireless APs. Our findings show that these smaller wireless networks
help stack the odds in the hackers’ favor, for several reasons:
Smaller organizations are less likely to have a full-time network administrator
keeping tabs on things.
Small networks are also more likely to leave the default settings on their
wireless devices unchanged, making them easier to crack into.
Smaller networks are less likely to have any type of network monitoring,
in-depth security controls such as WPA or WPA2, or a wireless intrusion-detection
system (WIDS). These are exactly the sorts of things that
smart hackers take into consideration.
However, small networks aren’t the only vulnerable ones. There are various
other weaknesses hackers can exploit in networks of all sizes, such as the
following:
The larger the wireless network, the easier it may be to crack Wired
Equivalent Privacy (WEP) encryption keys. This is because larger networks
likely receive more traffic, and an increased volume of packets
to be captured thus leads to quicker WEP cracking times. We cover WEP
in-depth in Chapter 14.
Most network administrators don’t have the time or interest in monitoring
their networks for malicious behavior.
Network snooping will be easier if there’s a good place such as a crowded
parking lot or deck to park and work without attracting attention.
Most organizations use the omnidirectional antennae that come standard
on APs — without even thinking about how these spread RF signals
around outside the building.
Because wireless networks are often an extension of a wired network,
where there’s an AP, there’s likely a wired network behind it. Given this,
there are often just as many treasures as the wireless network, if not more.
Many organizations attempt to secure their wireless networks with routine
security measures — say, disabling service-set-identifier (SSID)
broadcasts (which basically broadcasts the name of the wireless network
to any wireless device in range) and enabling media-access control
(MAC) address filtering (which can limit the wireless hosts that can
attach to your network) — without knowing that these controls are
easily circumvented.
SSIDs are often set to obvious company or department names that can
give the intruders an idea which systems to attack first.
Throughout this book, we point out ways the bad guys work when they’re
carrying out specific hacks. The more cognizant you are of the hacker mindset,
the deeper and broader your security testing will be — which leads to
increased wireless security.
Many hackers don’t necessarily want to steal your information or crash your
systems. They often just want to prove to themselves and their buddies that
they can break in. This likely creates a warm fuzzy feeling that makes them feel
like they’re contributing to society somehow. On the other hand, sometimes
they attack simply to get under the administrator’s skin. Sometimes they are
seeking revenge. Hackers may want to use a system so they can attack other
people’s networks under disguise. Or maybe they’re bored, and just want to
see what information is flying through the airwaves, there for the taking.
The “high-end” uberhackers go where the money is — literally. These are the
guys who break into online banks, e-commerce sites, and internal corporate
databases for financial gain. What better way to break into these systems than
through a vulnerable wireless network, making the real culprit harder to trace?
One AP or vulnerable wireless client is all it takes to get the ball rolling.

Knowing the dangers your systems face

Threat: A threat is an indication of intent to cause disruption within an
information system. Some examples of threat agents are hackers, disgruntled
employees, and malicious software (malware) such as viruses
or spyware that can wreak havoc on a wireless network.

Vulnerability: A vulnerability is a weakness within an information
system that can be exploited by a threat. Some examples are wireless
networks not using encryption, weak passwords on wireless access
points or APs (which is the central hub for a set of wireless computers),
and an AP sending wireless signals outside the building. Wireless-network
vulnerabilities are what we’ll be seeking out in this book.

Beyond these basics, quite a few things can happen when a threat actually
exploits the vulnerabilities of a wireless network. This situation is
called risk. Even when you think there’s nothing going across your wireless
network that a hacker would want — or you figure the likelihood of something
bad happening is very low — there’s still ample opportunity for trouble.
Risks associated with vulnerable wireless networks include
Full access to files being transmitted or even sitting on the server
Stolen passwords
Intercepted e-mails
Back-door entry points into your wired network
Denial-of-service attacks causing downtime and productivity losses
Violations of state, federal, or international laws and regulations relating
to privacy, corporate financial reporting, and more
“Zombies” — A hacker using your system to attack other networks
making you look like the bad guy
Spamming — A spammer using your e-mail server or workstations to
send out spam, spyware, viruses, and other nonsense e-mails
We could go on and on, but you get the idea. The risks on wireless networks
are not much different from those on wired ones. Wireless risks just have a
greater likelihood of occurring — that’s because wireless networks normally
have a larger number of vulnerabilities.
The really bad thing about all this is that without the right equipment and
vigilant network monitoring, it can be impossible to detect someone hacking
your airwaves — even from a couple of miles away! Wireless-network compromises
can include a nosy neighbor using a frequency scanner to listen in
on your cordless phone conversations — or nosy co-workers overhearing
private boardroom conversations. Without the physical layer of protection
we’ve grown so accustomed to with our wired networks, anything is possible.

p2p programs increase download speed

560-570 kbs download speed with utorrent 2.0 over wireless internet access at a point (router) located at 500 m: 12 dBi omni antenna, Erize pigtail, 40 cm adapter cable, alpha one. Information for those who have a small download speed: before setting up a P2P program, make sure that you have open ports in your router and P2P privileges if you use a firewall.

Monday, March 15, 2010

Antennas

Omnidirectional Antennas

The radio antenna on your automobile is a common example of an
omnidirectional vertical antenna—a simple wire or rod oriented vertically
to match the RF radiation polarity of most radio broadcast
stations.
An ideal but theoretical omnidirectional vertical antenna would
radiate 360 degrees from a point in a spherical pattern.
This theoretical antenna employs an isotropic radiator—having no
depth, width, or height—and is used only as a reference to calculate
antenna performance—gain or loss—expressed in decibels as dBi or
decibels relative to an isotropic radiator. Your neighbors and most
environmentalists would really appreciate isotropic radiators—if
they existed.
Omnidirectional antennas are typically oriented vertically, perpendicular
to the Earth, so the signal they radiate spans out and around
across the horizon. If the antenna were oriented horizontally, parallel to
the Earth, much of the available signal would be lost, radiating into the
Earth and up into the atmosphere. We want our wireless signals more
earthbound, but not wasted into the ground either.

Directional Yagi Antennas

The popular and unsightly rooftop TV antenna is a common example
of a Yagi antenna (named after Hidetsugu Yagi, a Japanese electrical
engineer who came up with this type of antenna) or beam antenna
(so nick-named because it concentrates the RF signal into a beam of
radiated energy).
A Yagi antenna enhances the normal 1/4 wavelength dipole
antenna by adding a reflecting element behind a dipole antenna and
several directing elements. This creates a concentrated beam pattern
of radiated signal in a single direction, with minimal signal
radiation to the rear and sides of the antenna’s designed directionality.
The common home rooftop television antenna is intended as a
receiving antenna covering an extremely broad range of frequencies—
from 50 MHz on up to nearly 1 GHz in one physical framework—
which accounts for the various sized and positioned elements.
It is effective, but not the efficient design you would find for a specific
application, such as two-way or amateur radio or wireless networking.
As with omnidirectional antennas designed to provide signal gain
by forcing the radiation pattern into a narrower shape, Yagi or beam
antennas do the same thing plus add the advantage of concentrating
the signal radiation into a specific direction. The simple rule is more
gain—less pattern area but stronger signal in the direction of the
pattern.

Sunday, March 14, 2010

Wi-Fi versus Bluetooth

Distance: Bluetooth is lower powered, which means its signal can only
go short distances (up to 30 feet). 802.11 technologies can cover your
home, and in some cases more, depending on the antenna that you use.
Note: New software for Bluetooth devices is enabling the creation of
mesh networks in the home, where interconnected Bluetooth devices
can create a large mesh network that can be interconnected to the
Internet — thereby creating a network similar to an 802.11b network in
the home, for instance.
Application: Bluetooth is designed as a replacement of cables: that is,
trying to get rid of that huge tangle of cables that link your mouse,
printer, monitor, scanner, and other devices on your desk and around
your home. In fact, the first Bluetooth device was a Bluetooth headset,
eliminating that annoying cable to the telephone that got in the way of
typing. New cars are also becoming outfitted with Bluetooth so that you
can use your cell phone in your car, with your car’s stereo speakers and
an onboard microphone serving as your hands-free capability. Pretty
neat, huh?
Wi-Fi (IEEE 802.11a, 802.11b, and 802.11g) and Bluetooth are similar in certain
respects: They both enable wireless communication between electronic
devices but are more complementary than direct competitors. Wi-Fi technology
is most often used to create a wireless network of personal computers
that can be located anywhere in a home or business. Bluetooth devices usually
communicate with other Bluetooth devices in relatively close proximity.
Wi-Fi is wireless Ethernet. Wi-Fi is a wireless version of the Ethernet
communication protocol and is intended to replace networking cable
that would otherwise be run through walls and ceilings to connect computers
in multiple rooms or even multiple floors of a building.
Bluetooth replaces peripheral cables. Bluetooth wireless technology
operates at short distances — usually about 10 meters — most often
replaces cables that connect peripheral devices, such as a printer, keyboard,
mouse, or personal digital assistant (PDA) to your computer.
Bluetooth replaces IrDA. Bluetooth can also be used to replace
another wireless technology — Infrared Data Association (IrDA) wireless
technology — that’s already found in most laptop computers, PDAs, and
even many printers. Although IR signals are very secure and aren’t bothered
with radio frequency (RF) interference, IrDA’s usefulness is hindered
by infrared’s requirement for line-of-sight proximity of devices.
Just like how your TV’s remote control must be pointed directly at your
TV to work, the infrared ports on two PDAs must be lined up to trade
data, and your laptop has to be “pointing” at the printer to print over
the infrared connection. Because Bluetooth uses radio waves rather
than light waves, line-of-sight proximity is not required.
Like Wi-Fi, Bluetooth offers wireless access to LANs, including Internet
access. Bluetooth devices can potentially access the Public Switched
Telephone Network (PSTN: you know, the phone system) and mobile telephone
networks. Bluetooth should be able to thrive alongside Wi-Fi by
making possible such innovative solutions as a hands-free mobile phone
headset, print-to-fax, and automatic PDA, laptop, and cell phone/address
book synchronization.

Who or What Is Bluetooth?

One of the most often talked about wireless standards, besides Wi-Fi, is
Bluetooth. The Bluetooth wireless technology, named for the tenth-century
Danish King Harald Blatand “Bluetooth,” was invented by the L.M. Ericsson
company of Sweden in 1994. King Harald helped unite his part of the world
during a conflict around 960 AD. Ericsson intended for Bluetooth technology
to unite the mobile world. In 1998, Ericsson, IBM, Intel, Nokia, and Toshiba
founded the Bluetooth Special Interest Group (SIG), Inc. to develop an open
specification for always-on, short-range wireless connectivity based on
Ericsson’s Bluetooth technology. Their specification was publicly released on
July 26, 1999. The Bluetooth SIG now includes 3Com, Agere, Ericsson, IBM,
Intel, Microsoft, Motorola, Nokia, Toshiba, and nearly 2,000 other companies.
Dozens of Bluetooth-enabled products are already on the market, with many
more on the way.
Sometimes a network of devices communicating via Bluetooth is described as
a personal area network (PAN) to distinguish it from a network of computers
often called a local area network (LAN). In March 2002, the Institute for
Electrical and Electronics Engineers (IEEE) approved IEEE 802.15.1, a standard
for wireless PANs (WPANs), which was adapted from portions of the
Bluetooth wireless specification. IEEE 802.15.1 is fully compliant with the
Bluetooth v1.1 specification. As IEEE worked toward the 802.15 standard, the
Bluetooth SIG simultaneously has been working on Bluetooth Version 3.0.
Any new Bluetooth standard will likely also become an updated IEEE 802.15
standard. (Read more at the Bluetooth Web site at www.bluetooth.com.)
The following is a small sampling of existing Bluetooth products:
Microsoft Wireless IntelliMouse Explorer for Bluetooth (a wireless mouse)
Microsoft Wireless Optical Desktop for Bluetooth (wireless multimedia
center keyboard and mouse)
Sony digital video camera recorder
HP Deskjet 995c printer
HP iPAQ H5450 Pocket PC with Bluetooth (and Wi-Fi) onboard
Ericsson Bluetooth Phone Adapter
Motorola Bluetooth Handsfree Car Kit
Belkin Bluetooth Universal Serial Bus (USB) Adapter

Your Wireless Network’s Power Station — the Antenna

Access point antennas vary from manufacturer to manufacturer. Many APs
have a single external antenna about five inches in length. This type of
antenna is a dipole antenna. Some APs have two external dipole antennas.
Dual external antenna models should provide better signal coverage throughout
the house. APs with dual antennas might transmit from only one of the
antennas but receive through both antennas by sampling the signal and using
whichever antenna is getting the strongest signal — a diversity antenna
system.
Typical omnidirectional dipole antennas attach to the AP with a connector
that enables you to position the antenna at many different angles; however,
omnidirectional dipole radio antennas send and receive best in the vertical
position.
The range and coverage of a Wi-Fi wireless AP used indoors is determined by
the following factors:
AP transmission output power: This is the power output of the AP’s
radio, usually referred to as transmission power or TX power. Higher
power output produces a longer range. Wi-Fi APs transmit at a power
output of less than 30 dBm (one watt). Government agencies around the
world regulate the maximum power output allowed. APs for home use
generally have power outputs in the range 13 dBm (20 mW) to 15 dBm
(31.6 mW). The higher the power rating, the stronger the signal and the
better range your wireless network will have. Some wireless networking
equipment manufacturers offer add-on amplifiers that boost the standard
signal of the AP to achieve a longer range. We talk about boosters
in Chapter 18. (For more on TX power, see the sidebar, “TX power
output and antenna gain.”)
Antenna gain: The AP’s antenna and the antenna(s) on the other
device(s) on the network improve the capability of the devices to send
and receive radio signals. This type of signal improvement is gain.
Antenna specifications vary depending on vendor, type, and materials.
Adding a higher gain antenna at either end of the connection can
increase the effective range.
Antenna type: Radio antennas both send and receive signals. Different
types of antennas transmit signals in different patterns or shapes. The
most common type of antenna used in wireless home networks, the
dipole antenna, is described as omnidirectional because it transmits its
signal in all directions equally. In fact, the signal from a dipole antenna
radiates 360° in the horizontal plane and 75° in the vertical plane, creating
a doughnut-shaped pattern. Consequently, the area directly above or
below the antenna gets a very weak signal.
Some types of antenna focus the signal in a particular direction and are
referred to as directional antennas. In special applications where you
want an AP to send its signal only in a specific direction, you could
replace the omnidirectional antenna with a directional antenna. In a
home, omnidirectional is usually the best choice, but that also depends
on the shape of the home; some antennas are better for brownstones
and multifloor buildings because they have a more spherical signal footprint
rather than the standard flat-ish one.
Receive sensitivity: The receive sensitivity of an AP or other wireless
networking device is a measurement of how strong a signal is required
from another radio before the device can make a reliable connection and
receive data.
Signal attenuation: A radio signal can get weaker as a result of interference
caused by other radio signals because of objects that lie in the
radio wave path between radios and because of the distance between
the radios. The reduction in signal is attenuation. Read through Chapter
6 for a discussion of how to plan the installation of your wireless network
to deal with signal attenuation.
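The factors listed above combine into a link budget. The following Python is an added example, not code from the book excerpt or from this blog: it converts the dBm figures quoted in the text to milliwatts and estimates how far a signal reaches in free space from transmit power, antenna gain and receive sensitivity, using the standard free-space path-loss formula (which the text itself does not give). It also illustrates the antenna-gain discussion in the earlier antenna post. The scenario values (a 15 dBm home AP on channel 6 at 2437 MHz, a 2 dBi stock dipole, a client with a 0 dBi antenna and -80 dBm receive sensitivity, and a 12 dBi antenna at the client) are constructed assumptions.

```python
import math

# Added example (not from the book or blog): dBm <-> mW conversion and a
# simple free-space link budget.  All scenario values are constructed.


def dbm_to_mw(dbm):
    """Decibel-milliwatts to milliwatts: P_mW = 10 ** (dBm / 10)."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    """Milliwatts to decibel-milliwatts: dBm = 10 * log10(P_mW)."""
    return 10 * math.log10(mw)


def free_space_path_loss_db(distance_m, freq_mhz):
    """Free-space path loss: FSPL(dB) = 20 log10(d_km) + 20 log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44


def received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz,
                       extra_loss_db=0.0):
    """Link budget: TX power plus both antenna gains, minus path loss and any
    extra attenuation (walls, cable/pigtail loss)."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - free_space_path_loss_db(distance_m, freq_mhz) - extra_loss_db)


def link_ok(rx_dbm, sensitivity_dbm, margin_db=10.0):
    """True when the received signal clears receive sensitivity plus a fade margin."""
    return rx_dbm >= sensitivity_dbm + margin_db


def max_reach_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm, freq_mhz,
                extra_loss_db=0.0, margin_db=0.0):
    """Free-space distance at which received power drops to sensitivity + margin
    (the link budget solved for distance)."""
    allowed_loss = (tx_dbm + tx_gain_dbi + rx_gain_dbi - extra_loss_db
                    - (sensitivity_dbm + margin_db))
    d_km = 10 ** ((allowed_loss - 20 * math.log10(freq_mhz) - 32.44) / 20)
    return d_km * 1000


if __name__ == "__main__":
    # Constructed scenario: 15 dBm AP, 2 dBi stock dipole, 802.11g channel 6.
    for dbm in (13, 15, 30):
        print(f"{dbm} dBm = {dbm_to_mw(dbm):.1f} mW")
    rx = received_power_dbm(15, 2, 0, 100, 2437)
    print(f"at 100 m: {rx:.1f} dBm, usable link: {link_ok(rx, -80)}")
    print(f"0 dBi client antenna reaches {max_reach_m(15, 2, 0, -80, 2437):.0f} m")
    print(f"12 dBi client antenna reaches {max_reach_m(15, 2, 12, -80, 2437):.0f} m")
```

The last two lines of the demo make the point raised elsewhere on this page about signals leaving the building: every 6 dB of extra gain at either end doubles the free-space reach, so a receiver fitted with a high-gain antenna can pick up a home AP well beyond the area its owner planned for. The defensive levers are the ones in the list above: lower TX power, an antenna whose footprint matches the building, and treating everything past the RF boundary as untrusted.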
In order to replace or add an antenna to an AP or other wireless device, you
need to have a place to plug it in — as obvious a statement as that is, many
antennas are not detachable, and you can’t add another antenna. Some
access points use reverse TNC connectors that let optional antennas be used
in 802.11b/g products, but there’s a minor trend away from using detachable
antennas in 802.11a products because of potential conflict in the frequency
channels allocated to 802.11a. This potentially thwarts misuse, but also robs
those deploying access points of their ability to choose optimal antennas.

Network infrastructure

Network hubs
In a typical office network, a strand of wiring similar to phone cable is run
from each computer to a central location, such as a phone closet, where each
wire is connected to a network hub. The network hub, similar conceptually to
the hub of a wheel, receives signals transmitted by each computer on the network
and sends the signals out to all other computers on the network.

Bridges
A network bridge provides a pathway for network traffic between networks or
segments of networks. A device that connects a wireless network segment to
a wired network segment is a type of network bridge. In larger networks, network
bridges are sometimes used to connect networks on different floors in
the same building or in different buildings. In a wireless home network, the
device that manages the wireless network, an access point, often acts as a
bridge between a wireless segment of the network and a wired segment.

Hubs and switches
Networks transmit data in bundles called packets. Along with the raw information
that’s being transmitted, each packet also contains the network
address of the computer that sent it and the network address of the recipient
computer. Network hubs send packets indiscriminately to all ports of all computers
connected to the hub.
A special type of hub called a switched hub examines each packet, determines
the addressee and port, and forwards the packet only to the computer and port
to which it is addressed. Most often, switched hubs are just called switches.
A switch reads the addressee information in each packet and sends the packet
directly to the segment of the network to which the addressee is connected.
Packets that aren’t addressed to a particular network segment are never
transmitted over that segment, and the switch acts as a filter to eliminate
unnecessary network traffic. Switches make more efficient use of the available
transmission bandwidth than standard hubs and therefore offer higher
aggregate throughput to the devices on the switched network.
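To make the difference concrete, here is an added Python simulation (not code from the book or this blog) of a hub and a learning switch handling the same constructed traffic. The switch records which port each source MAC address arrived on and forwards known unicast frames only to that port; unknown destinations and broadcasts are flooded just as a hub would. MAC addresses, port numbers and the frame sequence are all constructed for the example.

```python
# Added example (not from the book or blog): hub vs. learning switch.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Learns the port behind each source MAC and forwards unicast frames only
    there; unknown destinations and broadcasts are flooded like a hub."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port  # learn from every frame
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]  # same segment: no need to forward
        return [p for p in self.ports if p != in_port]  # flood


def frames_seen_per_port(device, traffic):
    """Run (in_port, frame) pairs through a device; count frames delivered per port."""
    seen = {p: 0 for p in device.ports}
    for in_port, frame in traffic:
        for out_port in device.forward(in_port, frame):
            seen[out_port] += 1
    return seen


# Constructed sample traffic: host A on port 1, host B on port 2; port 3 has
# a third station that takes no part in the A<->B conversation.
A, B = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
SAMPLE_TRAFFIC = [
    (1, {"src": A, "dst": B}),          # A -> B; B not yet learned, flooded
    (2, {"src": B, "dst": A}),          # B -> A; A known, port 1 only
    (1, {"src": A, "dst": B}),          # A -> B; B known, port 2 only
    (1, {"src": A, "dst": BROADCAST}),  # e.g. an ARP request; always flooded
]

if __name__ == "__main__":
    print("hub   :", frames_seen_per_port(Hub([1, 2, 3]), SAMPLE_TRAFFIC))
    print("switch:", frames_seen_per_port(Switch([1, 2, 3]), SAMPLE_TRAFFIC))
```

On the hub, port 3 receives all four frames even though none is addressed to it; on the switch it receives only the first (flooded before B was learned) and the broadcast. That is the bandwidth saving the text describes, and it is also why a station on a hub can passively read everyone else's traffic while a switched segment limits that exposure. The filtering depends entirely on the learned MAC table, so a switch is a traffic optimisation rather than a security control; segmentation and encryption still have to do the real work.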

Routers
Over a large network and on the Internet, a router is analogous to a superefficient
postal service — reading the addressee information in each data
packet and communicating with other routers over the network or Internet to
determine the best route for each packet to take. Routers can be a standalone
device, but more often, home networks use a device known as a cable/(digital
subscriber line) DSL router. This type of router — which marries a cable or DSL
modem and a router — uses a capability called Network Address Translation
(NAT) to enable all the computers on a home network to share a single
Internet address on the cable or DSL network. Such routers also exist for
satellite and dialup connections. Generically, these are called WAN routers
because they have access to your wide area network connection, whether it’s
broadband or dialup.
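The NAT behaviour described above, as an added Python example that is not code from the book, this blog or any router vendor: a port-translating NAT (the kind found in cable/DSL routers) rewrites each outbound packet's private source address to the single public address and a unique public port, remembers the mapping, and rewrites replies back. The addresses (192.168.1.x hosts, public address 198.51.100.7, server 203.0.113.80) and the starting port 40000 are constructed, and the mapping is the simplified per-source-port kind rather than any particular product's algorithm.

```python
# Added example (not from the book or blog): port-translating NAT as used by
# home cable/DSL routers.  Packets are plain dicts; all values are constructed.


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (private_ip, private_port) -> public_port
        self.in_map = {}   # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite a LAN->Internet packet to come from the shared public address."""
        key = (pkt["src_ip"], pkt["src_port"])
        if key not in self.out_map:              # first time this host:port talks out
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return {**pkt, "src_ip": self.public_ip, "src_port": self.out_map[key]}

    def inbound(self, pkt):
        """Rewrite an Internet->LAN packet back to the private host, or return
        None when no mapping exists (unsolicited inbound traffic is dropped)."""
        key = self.in_map.get(pkt["dst_port"])
        if key is None:
            return None
        return {**pkt, "dst_ip": key[0], "dst_port": key[1]}


def demo():
    """Two home PCs using the same source port reach one web server through one public IP."""
    nat = Nat("198.51.100.7")
    pc1 = {"src_ip": "192.168.1.10", "src_port": 51000, "dst_ip": "203.0.113.80", "dst_port": 80}
    pc2 = {"src_ip": "192.168.1.11", "src_port": 51000, "dst_ip": "203.0.113.80", "dst_port": 80}
    out1, out2 = nat.outbound(pc1), nat.outbound(pc2)
    # The server answers the public address; NAT must tell the two PCs apart by port.
    reply2 = {"src_ip": "203.0.113.80", "src_port": 80,
              "dst_ip": "198.51.100.7", "dst_port": out2["src_port"]}
    # A packet nobody inside asked for: no table entry, so it goes nowhere.
    stray = {"src_ip": "203.0.113.9", "src_port": 4444,
             "dst_ip": "198.51.100.7", "dst_port": 40002}
    return nat, out1, out2, nat.inbound(reply2), nat.inbound(stray)


if __name__ == "__main__":
    nat, out1, out2, back, stray = demo()
    print("pc1 leaves as", out1["src_ip"], out1["src_port"])
    print("pc2 leaves as", out2["src_ip"], out2["src_port"])
    print("reply for pc2 delivered to", back["dst_ip"], back["dst_port"])
    print("unsolicited packet delivered to", stray)
```

The side effect worth noticing is that an inbound packet with no table entry is dropped. That is what makes a NAT router an incidental firewall for a home network, and it is also why the P2P note earlier on this page says to open (forward) ports in the router first: a peer's connection to you has no outbound mapping to ride on until you create one explicitly.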

Workstations and servers

Each computer in your home that’s attached to a network is a workstation, also
sometimes referred to as a client computer. The Windows operating system
(OS) refers to the computers residing together on the same local area network
as a workgroup. A Windows-based computer network enables the workstations
in a workgroup to share files and printers that are visible through the Network
Neighborhood (or My Network Places). Home networks based on the Apple
Macintosh OS offer the same capability. On a Mac, all the computers on the
network are called a network neighborhood.

File server: A file server makes storage space on hard disks or some
other type of storage device available to workstations on the network.
Home networks seldom have a file server because each computer typically
has enough storage space to store the files created on that computer.
Common in-home applications of a file server today are consumer
devices such as Yamaha’s MusicCast (www.yamaha.com; $2,000) or
Turtle Beach Systems’ AudioTron (www.turtlebeach.com; $269) MP3
servers that enable you to play your MP3s over your stereo wirelessly.
Print server: A print server is a computer or other device that makes it
possible for the computers on the network to share one or more printers.
You won’t commonly find a print server in a home network, but
some wireless networking equipment comes with a print server feature
built in, which turns out to be very handy.
E-mail server: An e-mail server is a computer that provides a system for
sending e-mail to users on the network. You might never see an e-mail
server on a home network. Most often, home users send e-mail through
a third-party service, such as America Online (AOL), EarthLink, MSN
Hotmail, Yahoo!, and so on.

DHCP server: Every computer on a network, even a home network,
must have its own unique network address in order to communicate
with the other computers on the network. A Dynamic Host Configuration
Protocol (DHCP) server automatically assigns a network address to
every computer on a network. You most often find DHCP servers in
another device like a router or an AP.
There are many types of client computers — network-aware devices — that
you can find on your network, too. Some examples include
Gaming consoles: Microsoft’s Xbox (www.xbox.com), Sony PlayStation 2
(www.playstation.com), and Nintendo’s GameCube (www.nintendo.com)
have adapters for network connections or multi-player gaming and
talking to other players while gaming. Cool! Read more about online
gaming in Chapter 12.

Wireless network cameras: Panasonic’s KX-HCM250 and KX-HCM270
Network Cameras (www.panasonic.com/consumer_electronics/gate/cameras.asp)
enable you to not only view your home when away but also pan, tilt, scan,
zoom, and so on your way around the
home. Now that’s a nanny-cam.

MP3 players: Yamaha’s MusicCAST interactive wireless home music network
system (www.yamaha.com) enables you to use wireless technology
to stream music files throughout your home. The system uses a main
server (about $2,000), which stores your CDs in the MP3 (or other) electronic
format, and a series of receivers or clients (about $800) in remote
rooms for playing back music. You can have one in each room — if you
can afford it!

Choosing Wireless Home Networking Equipment

Access point: At the top of the list will be at least one wireless access
point (AP), also sometimes called a base station. An AP acts like a wireless
switchboard that connects wireless devices on the network to each
other and to the rest of the network. You gotta have one of these to create
a wireless home network. They range in price from about $100 to $300,
with prices quickly coming down. You can get APs from many leading
vendors in the marketplace, including Apple (www.apple.com), D-Link
(www.d-link.com), Linksys (www.linksys.com), NETGEAR (www.
netgear.com), and Siemens/Efficient Networks (www.speedstream.
com). We give you a long list of vendors in Chapter 20, so check that out
when you go to buy your AP.
For wireless home networks, the best AP value is often an AP that’s bundled
with other features. The most popular APs for home use also come
with one or more of the following features:
• Network hub or switch: A hub connects wired PCs to the network.
A switch is a “smarter” version of a hub that speeds up network
traffic. (We talk more about the differences between hubs and
switches in Chapter 2.)
• DHCP server: A Dynamic Host Configuration Protocol (DHCP)
server assigns network addresses to each computer on the network;
these addresses are required for the computers to communicate.
• Network router: A router enables multiple computers to share a
single Internet connection. The network connects each computer
to the router, and the router is connected to the Internet through a
broadband modem.
• Print server: Use a print server to add printers directly to the network
instead of attaching a printer to each computer on the
network.
In Figure 1-3, you can see an AP that also bundles in a network router,
switch, and DHCP server.
Network interface adapters: As we mention earlier in this chapter,
home networks use a communication method (protocol) known as
Ethernet. The communication that takes place between the components
of your computer, however, does not use the Ethernet protocol. As a
result, for computers on the network to communicate through the
Ethernet protocol, each of the computers must translate between their
internal communication protocol and Ethernet. The device that handles
this translation is a network interface adapter, and each computer on the
network needs one. Prices for network interface adapters are typically
much less than $50, and most new computers come with one at no additional
cost.
A network interface adapter that installs inside a computer is usually
called a network interface card (NIC). Many computer manufacturers
now include an Ethernet NIC with each personal computer as a standard
feature.
Wireless network interface adapter: To wirelessly connect a computer
to the network, you must obtain a wireless network interface adapter for
each computer. Prices range between $50 and $150. A few portable computers
now even come with a wireless network interface built in. These
are very easy to use; most are adapters that just plug in.
The four most common types of wireless network interface adapters are
• PC Card: This type of adapter is often used in laptop computers
because most laptops have one or two PC Card slots.
• CF card: A Compact Flash (CF) card adapter is smaller in size than
a PC Card adapter and enables you to link a Pocket PC or other
palm-sized computer to your network. Many high-end personal digital
assistants (PDAs) now even come with wireless capability
built-in, obviating the need for a wireless adapter.
• USB: A Universal Serial Bus (USB) adapter connects to one of your
computer’s USB ports; these USB ports have been available in
most computers built in the last four or five years.
• ISA or PCI adapter: If your computer doesn’t have a PC Card slot,
CF card slot, or USB port, you have to either install a network interface
card or a USB card (for a USB wireless network interface
adapter) in one of the computer’s internal peripheral expansion
receptacles (slots). The expansion slots in older PCs are Industry
Standard Architecture (ISA) slots. The internal expansion slots in
newer PCs and Apple Macintosh computers follow the Peripheral
Component Interconnect (PCI) standard.

Wireless Standard

IEEE 802.11a: Wireless networks that use the Institute for Electrical and
Electronics Engineers (IEEE) 802.11a standard use the 5 GHz radio frequency
band. Equipment of this type is among the fastest wireless networking
equipment widely available to consumers.
IEEE 802.11b: Home wireless networks that use the IEEE 802.11b standard
use the 2.4 GHz radio band. This is the most popular standard in
terms of numbers of installed networks and numbers of users.
IEEE 802.11g: The last and newest member of the 802.11 wireless family,
IEEE 802.11g is coming to market as this book goes to press. In fact, only
a draft of the IEEE 802.11g specification has been approved with the
finalized specs due by mid-2003. In many ways, 802.11g offers the best of
both worlds — backward compatibility with IEEE 802.11b networks (it,
too, operates over the 2.4 GHz radio frequency band) and the speed of
802.11a networks.
Data speed: IEEE 802.11a and IEEE 802.11g networks are almost ten
times faster than IEEE 802.11b networks. However, IEEE 802.11b networks
are almost ten times faster than the fastest broadband Internet connection.
Unless you expect to routinely share very large files over your network,
you probably wouldn’t be able to notice the difference in speed
between these two standards.
Price: IEEE 802.11a and g networking equipment is typically more expensive
than similar IEEE 802.11b equipment, but the price differential might
be temporary. IEEE 802.11b equipment has been on the market for a
longer period of time than 802.11a and g with dozens of products in the
marketplace. As a result, IEEE 802.11b will probably be the least expensive
version of Wi-Fi for some period of time. However if the first IEEE
802.11g products out the door are any indication, the price differential
between 802.11g and 802.11b will be negligible very soon.
Radio signal range: IEEE 802.11a wireless networks tend to have a
shorter maximum signal range than IEEE 802.11b and g networks. The
actual distances vary depending on the size and construction of your home.
In most modern homes, however, all three of the competing standards
should provide adequate range.
Radio signal interference: The radio frequency band used by both IEEE
802.11b and IEEE 802.11g equipment is also used by other home devices,
such as microwave ovens and portable telephones, resulting sometimes
in network problems caused by radio signal interference. Very few other
types of devices currently use the radio frequency band employed by
the IEEE 802.11a standard.
Interoperability: Because IEEE 802.11a and IEEE 802.11b/g use different
frequency bands, they aren’t able to communicate over the same radio.
Several manufacturers, however, have already released products that
can operate with both IEEE 802.11a and IEEE 802.11b/g equipment simultaneously.
By contrast, IEEE 802.11g equipment is designed to be backward
compatible with IEEE 802.11b equipment — both operating on the
same frequency band — but in early tests of the first IEEE 802.11g products,
actual interoperability was often problematic. Nevertheless, it will
only be a matter of time before IEEE 802.11g is fully adopted, and multistandard
(802.11 a/b/g) wireless networking equipment will be the norm.

Wired versus Wireless

Ethernet is the most-often used method of connecting personal computers
together to form a network because it’s fast and its equipment is relatively
inexpensive. In addition, Ethernet can be transmitted over several types of
network cable or sent through the air by using wireless networking equipment.
Many new computers have an Ethernet connection built in, ready for
you to plug in a network cable. The most popular wireless networking equipment
transmits a form of Ethernet.

Installing wired home networks
Even though we’re talking mostly about wireless networks in this book and
how great they are, we’d be misleading you if we told you that wireless was
the only way to go. Wireless and wired homes each have advantages.
Wired homes are
Faster: Wired lines can reach 1000 Mbps in speed, whereas wireless
homes tend to be in the 10 Mbps and soon 100 Mbps range. Both wireless
and wired technologies are getting faster and faster, but wired will
always be ahead.
More reliable: Wireless signals are prone to interference and fluctuations;
wired connections typically are more stable and reliable.
More secure: You don’t have to worry about your signals traveling
through the air and being intercepted by snoopers, like with unsecured
wireless systems.
Economical over the long term: The incremental cost of adding Cat 5e
voice and data cabling and RG-6 coaxial cabling into your house — over
a 30-year mortgage — will be almost nothing each month.
Salable: More and more homebuyers are not only looking for well-wired
homes but are discounting homes without the infrastructure. As good as
wireless is, it is not affixed to the house and is carried with you when
you leave. Most new homes have structure wiring in the walls.
If you’re building a new home or renovating an old one, we absolutely recommend
that you consider running the latest wiring in the walls to each of your
rooms. That doesn’t mean that you won’t have a wireless network in your
home — you will. It just will be different than if you were wholly reliant on
wireless for your networking.
If you choose to use network cable, it should ideally be installed in the walls,
just like electrical and phone wiring. Network jacks (outlets) are installed in
the walls in rooms where you would expect to use a computer. Connecting
your computer to a wired network is just as easy as plugging a phone into a
phone jack.

Installing wireless home networks

If you’re networking an existing home or are renting your home, wireless has
fabulous benefits:
Portable: You can take your computing device anywhere in the house
and be on the network. Even if you have a huge house, you can interconnect
wireless access points to have a whole home wireless network.
Flexible: You’re not limited to where a jack is on the wall; you can network
anywhere.
Cost effective: You can start wireless networking for a couple of hundred
dollars. Your wiring contractor can’t do much with that!
Clean: You won’t have to tear down walls or trip over wires when they
come out from underneath the carpeting.
What’s more, there’s really no difference how you use your networked computer,
whether it’s connected to the network by a cable or by a wireless networking
device. Whether you’re sharing files, a printer, your entertainment
system, or the Internet over the network, the procedures are the same on a
wireless network as on a wired network. In fact, you can mix wired and wireless
network equipment on the same network with no change in how you use
a computer on the network.
Time for the fine print. We’d be remiss if we weren’t candid and mention any
potential drawbacks to wireless networks compared with wired networks.
The possible drawbacks fall into four categories:
Data speed: Wireless networking equipment does transmit data at
slower speeds than wired networking equipment. Wired networks are
already networking at gigabit speeds, although the fastest wireless networking
standards (in the best situations) top out at 54 Mbps.
(Some vendors have proprietary extensions that will take the speed higher, but
even these top out at a little more than 100 Mbps in the best scenarios.)
But for almost all the uses that we can think of now, this is plenty fast.
Your Internet connection probably doesn’t exceed a few Mbps in speed,
so your wireless connection should be more than fast enough.
Radio signal range: Wireless signals fade when you move away from the
source. Some homes, especially older homes, might be built from materials
that tend to block the radio signals used by wireless networking
equipment, causing even faster signal degradation. If your home has
plaster walls that contain a wire mesh, the wireless networking equipment’s
radio signal might not reach all points in your home. Most
modern construction, however, uses drywall materials that reduce the
radio signal only slightly. As a result, most homeowners can reach all
points in their home with one centralized wireless access point (also
called a base station) and one wireless device in or attached to each personal
computer. And if you need better coverage, you can just add
another access point — we show you how in Chapter 18.
Radio signal interference: The most common type of wireless networking
technology uses a radio frequency that’s also used by other home
devices, such as microwave ovens and portable telephones. Some home
wireless network users, as a consequence, experience network problems
(the network slows down or the signal is dropped) caused by radio
signal interference.
Security: The radio signal from a wireless network doesn’t stop at the
outside wall of your home. A neighbor or even a total stranger could
access your network from an adjoining property or from the street
unless you implement some type of security technology to prevent
unauthorized access. To prevent unauthorized access, you can safeguard
yourself with security technology that comes standard with the
most popular home wireless networking technology. However, it’s not
bulletproof, and it certainly won’t work if you don’t turn it on. For more
on wireless security
For our money, wireless networks compare favorably with wired networks for
most homeowners who didn’t have network wiring installed when the house
was built.

Abbreviations

μs microseconds
2G second generation (cellular)
3G third generation (cellular)
AC access category
ACK acknowledgement
ADC analog-to-digital converter
ADDBA add block acknowledgement
ADDTS add traffic stream
AGC automatic gain control
AID association identifier
AIFS arbitration inter-frame space
A-MPDU aggregate MAC protocol data unit
A-MSDU aggregate MAC service data unit
AoA angle of arrival
AoD angle of departure
AP access point
APSD automatic power save delivery
A-PSDU aggregate PHY service data unit
AS angular spectrum
ASEL antenna selection
AWGN additive white Gaussian noise
BA block acknowledgement
BAR block acknowledgement request
BCC binary convolution code
BF beamforming
BICM bit interleaved coded modulation
bps bits-per-second
BPSCS coded bits per single carrier for each spatial stream
BPSK binary phase shift keying
BSS basic service set
BSSID BSS identifier
BW bandwidth
CBPS coded bits per symbol
CBPSS coded bits per spatial stream
CBW channel bandwidth
CCA clear channel assessment
CCDF complementary cumulative distribution function
CCK complementary code keying
CFP contention free period
CP contention period
CRC cyclic redundancy code
CS carrier sense
CSD cyclic shift diversity
CSI channel state information
CSMA carrier sense multiple access
CSMA/CA carrier sense multiple access with collision avoidance
CSMA/CD carrier sense multiple access with collision detection
CTS clear to send
CW contention window
DA destination address
DAC digital-to-analog converter
dB decibels
dBc decibels relative to carrier
dBi decibels isotropic relative to an antenna
dBm decibel of measured power referenced to one milliwatt
DBPS data bits per OFDM symbol
dBr dB (relative)
DC direct current
DCF distributed coordination function
DELBA delete block acknowledgement
DIFS DCF inter-frame space
DLS direct link session
DS distribution system
DSL digital subscriber line
DSSS direct sequence spread spectrum
DTIM delivery traffic indication message
DVD digital versatile disc
EDCA enhanced distributed channel access
EIFS extended inter-frame space
ERP enhanced rate PHY
ESS extended service set
ETSI European Telecommunications Standards Institute
EVM error vector magnitude
EWC Enhanced Wireless Consortium
FCC Federal Communications Commission
FCS frame check sequence
FEC forward error correction
FFT fast Fourier transform
FHSS frequency hopped spread spectrum
FS free space
FTP file transfer protocol
GF Greenfield
GF-HT-STF Greenfield High Throughput Short Training field
GHz gigahertz
GI guard interval
GIF graphics interchange format
GPS global positioning system
HC hybrid coordinator
HCCA HCF controlled channel access
HCF hybrid coordination function
HEMM HCCA, EDCA mixed mode
HT high throughput
HTC high throughput control
HT-DATA High Throughput Data field
HT-LTF High Throughput Long Training field
HTSG High Throughput Study Group
HT-SIG High Throughput Signal field
HT-STF High Throughput Short Training field
HTTP hypertext transfer protocol
Hz Hertz
IBSS independent basic service set
IC integrated circuit
IDFT inverse discrete Fourier transform
IEEE Institute of Electrical and Electronic Engineers
IFFT inverse fast Fourier transform
IFS inter-frame space
IP Internet Protocol
IPv6 Internet Protocol version 6
IR infrared
ISI inter-symbol interference
ISM industrial, scientific, and medical
JPEG Joint Photographic Experts Group
kHz kilohertz
km/h kilometers per hour
LAN local area networking
LDPC low density parity check
LLC logical link control
L-LTF Non-HT (Legacy) Long Training field
LNA low noise amplifier
LOS line-of-sight
LSB least significant bit
L-SIG Non-HT (Legacy) Signal field
L-STF Non-HT (Legacy) Short Training field
LTF Long Training field
m meters
MAC medium access control
MAI MRQ or ASEL indication
MAN metropolitan area networking
Mbps megabit per second
MCS modulation and coding scheme
MF mixed format
MFB MCS feedback
MFSI MCS feedback sequence indication
MHz megahertz
MIB management information base
MIMO multiple-input multiple-output
ML maximum likelihood
MMPDU MAC management protocol data unit
MMSE minimum mean-square-error
MPDU MAC protocol data unit
MPEG Moving Picture Experts Group
MRC maximal-ratio combining
MRQ MCS request
Msample/s mega-samples per second
MSB most significant bit
MSDU MAC service data unit
MSE mean-square-error
MSFI MCS feedback sequence identifier
MSI MCS request sequence identifier
NAV network allocation vector
NDP null data packet
NF noise figure
NLOS non-line-of-sight
nsec nanosecond
OBO output back-off
OBSS overlapping BSS
OFDM orthogonal frequency division multiplexing
OSI open systems interconnection
PA power amplifier
PAR project authorization request
PAS power angular spectrum
PC point coordinator
PCF point coordination function
PCO phased coexistence operation
PDU protocol data unit
PER packet error rate
PHY physical layer
PIFS PCF inter-frame space
PLCP physical layer convergence procedure
PPDU PLCP protocol data unit
ppm parts per million
PSD power spectral density
PSDU PLCP service data unit
PSMP power-save multi-poll
PSMP-DTT PSMP downlink transmission time
PSMP-UTT PSMP uplink transmission time
QAM quadrature amplitude modulation
QoS quality of service
QPSK quadrature phase shift keying
R code rate
RA receiver address
RD reverse direction
RDG reverse direction grant
RF radio frequency
RIFS reduced inter-frame space
RMS root-mean-square
RSSI received signal strength indication
RTS request to send
Rx receive
SA source address
SAP service access point
SCP secure copy protocol
SDM spatial division multiplexing
SDU service data unit
SE spatial expansion
SIFS short inter-frame space
SIG Signal field
SIMO single-input, multiple-output
SISO single-input, single-output
SMTP simple mail transfer protocol
SNR signal-to-noise ratio
SOHO small-office, home-office
SS spatial stream
SSC starting sequence control
SSID service set identifier
SSN starting sequence number
STA station
STBC space-time block coding
STF Short Training field
STS space-time stream
SVD singular value decomposition
SYM symbol
TA transmitter address
TBTT target beacon transmission time
TC traffic category
TCLAS traffic classification
TCM trellis coded modulation
TCP transmission control protocol
TDD time division duplexing
TGn Task Group n
TGy Task Group y
TID traffic identifier
TIFF tagged image file format
TRQ training request
TS traffic stream
TSID traffic stream identifier
TSPEC traffic specification
TV television
Tx transmit
TxBF transmit beamforming
TXOP transmit opportunity
TXTIME transmit time
UDP user datagram protocol
USA United States of America
VoIP voice over IP
VPN virtual private network
WEP wired equivalent privacy
WFA Wi-Fi Alliance
WLAN wireless local area network
WM wireless medium
WNG SC Wireless Next Generation Standing Committee
WWiSE world wide spectral efficiency
XOR exclusive-or
ZF zero-forcing
ZIP ZIP file format

Saturday, March 13, 2010

Wireless Protected Access

Differences

WPA is an encryption algorithm that takes care of a lot of the vulnerabilities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, long or short, your WEP key is, it can be cracked. WPA is different. A WPA key can be made good enough to make cracking it unfeasible. WPA is also a little more cracker friendly. By capturing the right type of packets, you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need. Advantages and disadvantages.

WPA Flavours

WPA basically comes in two flavours: RADIUS or PSK. PSK is crackable, RADIUS is not so much.

PSK uses a user-defined password to initialize TKIP, the Temporal Key Integrity Protocol. There is a password and the user is involved, and for the most part that means it is flawed. TKIP is not really crackable, as it is a per-packet key, but upon the initialization of TKIP, like during an authentication, we get the password (well, the PMK anyways). A robust dictionary attack will take care of a lot of consumer passwords.

RADIUS involves physically transferring the key, encrypted channels, blah blah blah; look it up to learn more about it, but 90% of commercial APs do not support it. It is more of an enterprise solution than a consumer one.

The Handshake

The WPA handshake was designed to occur over insecure channels and in plaintext, so the password is not actually sent across. There are some fancy dancy algorithms in the background that turn it into a primary master key, PMK, and the like, but none of that really matters because the PMK is enough to connect to the network.

The only step we need to do is capture a full authentication handshake between a real client and the AP. This can prove tricky without some packet injection, but if you are lucky enough to capture a full handshake, then you can leave and do the rest of the cracking at home.

We can force an authentication handshake by launching a Deauthentication Attack, but only if there is a real client already connected (you can tell in airodump). If there are no connected clients, you're outta luck.

Like for WEP, we want to know the channel the WPA network is sitting on, but the airodump command is slightly different. We don't want just IVs, so we don't specify an IV flag. This will produce "lucid.cap" instead of "lucid.ivs". Assume the WPA network is on channel 6 and the wireless interface is ath0.

./airodump ath0 lucid 6


Dictionary Brute Force

The most important part of brute forcing a WPA password is a good dictionary. Check out http://www.openwall.com/wordlists/ for a 'really' good one. It costs money, but it's the biggest and best I've ever seen (40 Million words, no duplicates, one .txt file). There is also a free reduced version from the same site, but I'm sure resourceful people can figure out where to get a good dictionary from.

When you have a good dictionary the crack is a simple brute force attack:

./aircrack -a 2 -b 00:23:1F:55:04:BC -w /path/to/wordlist lucid.cap

Either you'll get it or you won't... depends on the strength of the password and if a dictionary attack can crack it.
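The "fancy dancy algorithms" mentioned above are, for WPA-PSK, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 256-bit output. This is an added example, not code from the original post: it derives the PMK the way a client and AP do, then uses it the way a defender would, to audit a candidate passphrase against a wordlist before deploying it and to estimate how long a given dictionary takes to exhaust at a given guessing rate. The wordlist, the sample passphrases and the guessing rates are constructed; the "password"/"IEEE" vector is the IEEE 802.11i test vector.

```python
import hashlib
import hmac
import math
import string

# Constructed sample wordlist; a real audit would stream a full dictionary file.
SAMPLE_WORDLIST = ["password", "letmein", "linksys", "ThisIsAPassword", "12345678"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 32-byte output.
    A dictionary attack has to repeat exactly this work for every guess."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def audit_passphrase(passphrase: str, ssid: str, wordlist=SAMPLE_WORDLIST):
    """Defender-side check at configuration time: return the wordlist entry
    whose PMK equals this network's PMK, or None when nothing in the list
    would recover it. Compares PMKs rather than strings so it behaves exactly
    like an offline attack on a captured handshake would."""
    target = derive_pmk(passphrase, ssid)
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue  # not a legal WPA passphrase, a cracker would skip it too
        if hmac.compare_digest(derive_pmk(word, ssid), target):
            return word
    return None


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound on guessing work for a *randomly generated* passphrase:
    log2(charset size) per character. Meaningless for dictionary words, which
    is why the wordlist check above comes first."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    size = sum(len(p) for p in pools if any(c in p for c in passphrase))
    return len(passphrase) * math.log2(size) if size else 0.0


def days_to_exhaust(candidates: float, guesses_per_second: float) -> float:
    """Wall-clock days to push every candidate through derive_pmk at a rate."""
    return candidates / guesses_per_second / 86400.0


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print(audit_passphrase("password", "IEEE"))                  # 'password'
    print(audit_passphrase("correct-horse-Battery-9", "IEEE"))   # None
    # Assumed (constructed) rate of 300 PBKDF2 derivations per second on one
    # PC; a 40-million-word list at that rate takes about a day and a half.
    print(f"{days_to_exhaust(40_000_000, 300):.2f} days for 40M words")
    bits = passphrase_entropy_bits("correct-horse-Battery-9")
    print(f"{bits:.0f} bits -> {days_to_exhaust(2 ** bits, 300):.3g} days")
```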

Using Aireplay

Aireplay is the fun part. You get to manipulate packets to trick the network into giving you what you want.

WEP Attacks

Attacks used to create more traffic on WEP networks to get more IVs.

ARP Injection

ARP Replay is a classic way of getting more IV traffic from the AP. It is the turtle. Slow but steady and almost always works. We need the BSSID of the AP and the BSSID of an associated client. If there are no clients connected, it is possible to create one with another WEP attack explained below: Fake Authentication Attack.

With airodump listening, we attack:

./aireplay -3 -b <AP BSSID> -h <client MAC> ath0

Note: The -3 specifies the type of attack (3=ARP Replay).

This will continue to run, and airodump, listening from another terminal, will pick up any replay IVs.

Interactive Packet Replay

Interactive Packet Replay is quite a bit more advanced and requires capturing packets and constructing your own. It can prove more effective than simple ARP requests, but I won't get into packet construction here.

A useful attack you might try is the re-send all data attack; basically, you are asking the AP to re-send you everything. This only works if the AP re-encrypts the packets before sending them again (and therefore gives you a new IV). Some APs do, some don't.

aireplay -2 -b <AP BSSID> -h <client MAC> -n 100 -p 0841 -c FF:FF:FF:FF:FF:FF ath0


Fake Authentication Attack

This attack won't generate any more traffic, but it does create an associated client MAC address that is useful for the above two attacks. It's definitely not as good as having a real, connected client, but you gots to do what you gots to do.

This is done easiest with another machine, because we need a new MAC address, but if you can manually change your MAC then that'll work too. We'll call your new MAC address "Fake MAC".

Now most APs need clients to reassociate every 30 seconds or so, or they think they're disconnected. This is pretty arbitrary, but I use it and it has worked; if your Fake MAC gets disconnected, reassociate quicker. We need the ESSID, the BSSID, and our Fake MAC.

./aireplay -1 30 -e '<ESSID>' -a <AP BSSID> -h <Fake MAC> ath0

If successful, you should see something like this:

23:47:29 Sending Authentication Request
23:47:29 Authentication successful
23:47:30 Sending Association Request
23:47:30 Association successful :-)

Awesome! Now you can use the above two attacks even though there were no clients connected in the first place! If it fails, there may be MAC address filtering on, so if you really want to use this, you'll have to sniff around until a client provides you with a registered MAC to fake.

WPA Attacks

So far, the only way to really crack WPA is to force a re-authentication of a valid client. We need a real, actively connected client to break WPA. You might have to wait a while.

Deauthentication Attack

This is a simple and very effective attack. We just force the connected client to disconnect, then we capture the reconnect and authentication. This saves time, so we don't have to wait for the client to do it themselves (a tad less "waiting outside in the car" creepiness as well). With airodump running in another console, your attack will look something like this:

aireplay -0 5 -a <AP BSSID> -c <client MAC> ath0

After a few seconds the re-authentication should be complete and we can attempt to Dictionary Brute Force the PMK.
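The defender's side of the same attack, as an added example that is not part of the original post: a minimal wireless-IDS check that decodes bare 802.11 management headers (no radiotap header assumed) and alerts when one BSSID sees a burst of deauthentication or disassociation frames, which is what the aireplay -0 command above produces and what normal client roaming does not. The sample capture is constructed: the AP BSSID reuses the one from the aircrack example above, the client MAC 00:11:22:33:44:55 is made up, and the 5-frames-in-10-seconds threshold is an assumption to tune for your own network.

```python
import struct
from collections import defaultdict, deque

MGMT = 0                    # 802.11 frame type 0 = management
DEAUTH, DISASSOC = 12, 10   # management subtypes that tear down a client session


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes):
    """Decode the 24-byte fixed MAC header of an 802.11 management frame
    (FC, duration, addr1..3, sequence control). For deauth/disassoc frames
    the first two body bytes are the little-endian reason code."""
    if len(raw) < 24:
        return None
    fc = struct.unpack_from("<H", raw, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    frame = {"type": ftype, "subtype": subtype,
             "da": mac_str(raw[4:10]), "sa": mac_str(raw[10:16]),
             "bssid": mac_str(raw[16:22]), "reason": None}
    if ftype == MGMT and subtype in (DEAUTH, DISASSOC) and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


class DeauthFloodDetector:
    """Alert when one BSSID sees `threshold` or more deauth/disassoc frames
    inside a sliding `window` of seconds. Legitimate networks emit a handful
    of these a day; a forced re-authentication emits a burst within seconds."""

    def __init__(self, threshold: int = 5, window: float = 10.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # bssid -> timestamps of teardown frames
        self.alerts = []

    def feed(self, ts: float, raw: bytes):
        f = parse_frame(raw)
        if not f or f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            return None
        q = self.recent[f["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop frames outside the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"bssid": f["bssid"], "count": len(q), "first": q[0],
                     "last": ts, "victim": f["da"], "reason": f["reason"]}
            self.alerts.append(alert)
            q.clear()   # one burst yields one alert, not one per extra frame
            return alert
        return None


def _mgmt_frame(subtype, da, sa, bssid, seq, body=b""):
    """Test-fixture builder for a bare management frame (constructed data)."""
    fc = (subtype << 4) | (MGMT << 2)
    return (struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa)
            + mac_bytes(bssid) + struct.pack("<H", seq << 4) + body)


# Constructed sample capture as (timestamp, frame) pairs.
AP, CLIENT, BCAST = "00:23:1f:55:04:bc", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
REASON_7 = struct.pack("<H", 7)   # reason 7: class 3 frame from non-associated STA
SAMPLE_CAPTURE = [
    (0.0, _mgmt_frame(DEAUTH, CLIENT, AP, AP, 1, REASON_7)),  # lone deauth: benign
    (30.0, _mgmt_frame(8, BCAST, AP, AP, 2)),                 # beacon, subtype 8
] + [(31.0 + 0.1 * i, _mgmt_frame(DEAUTH, CLIENT, AP, AP, 10 + i, REASON_7))
     for i in range(6)]                                       # six deauths in 0.5 s


def analyze(capture, threshold=5, window=10.0):
    det = DeauthFloodDetector(threshold, window)
    for ts, raw in capture:
        det.feed(ts, raw)
    return det.alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_CAPTURE):
        print(f"deauth flood on {a['bssid']}: {a['count']} frames in "
              f"{a['last'] - a['first']:.1f}s against {a['victim']} (reason {a['reason']})")
```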

Conclusion

Well, that's that. APs crack fairly often, but sometimes there is just nothing you can do. Obviously you are not allowed to illegally crack other people's wireless connections; this is purely for penetration testing purposes and some fun.