Recent global events have emphasized the need for adequate security—both in the real world and in cyberspace. Hacking into a wireless 802.11b network is often easy. In fact, it's too easy. So how do corporate IT administrators or small-office home-office (SOHO) users protect their wireless networks from unwanted visitors? The answer is simple: They must step out of the bright light of respectability and into the shadowy world of the hacker. The best way to ensure that a WLAN is secure is to try to break into it. Once you know the weaknesses of your system, you will be better prepared to make an effective contingency plan. Good hacking is really just good risk assessment.
In fact, hacking by network administrators may one day become the law. A bill that is under consideration in New Hampshire's legislature states that operators of wireless networks must either secure them or lose some of their ability to prosecute anyone who gains access to the networks. House Bill 495 could effectively legalize many forms of war driving (i.e., motoring through an inhabited area while scanning for open wireless access points).
It would be wise for network administrators to hack into their own systems before someone else does. But how do hackers operate? What tools do they use? Is sheer technology enough, or is it important to plan the strategy of an attack? Before answering these questions, I'd like to offer an apology to my friends and colleagues who are hackers. I know that most hackers—like most engineers—are honest, curious, highly intelligent people. They simply enjoy the challenge of solving a complex technical problem. It doesn't matter if that problem is designing a secure network or discovering the inherent weakness in any man-made system, such as a wired or wireless network.
For the most part, hackers are neither malicious nor destructive. Instead, they're rather playful. In lieu of reformatting an unsuspecting network user's hard drive ('rm - rf/'), most of these individuals prefer to announce their presence in a friendly way ('echo giggle | wall'). Of course, some hackers do use their knowledge of technology and organizational infrastructures for criminal purposes. But don't forget: The white-collar world is full of non-hacker criminals. To obtain even more information about hackers, plan a late-night visit to the 2600 Web site (www.2600.com).
Now that these points have been stated, let's briefly consider some of the tools that are used to break into an 802.11b WLAN. First and foremost, there are detection tools. These tools fall into two main categories: active and passive detection. In the former category, a client transmits probe requests and looks for any responding networks. Probe packets contain a specific network Service Set Identifier (SSID). This identifier is used when a client tries to join a network. If an access point grants access to the client, it then transmits a probe response containing the SSID.
The active detection of 802.11b networks has a definite advantage: It doesn't require a card or a driver that's capable of RF monitor support. Yet it also has its drawbacks. The client must be within transmission range of the access point. Because this is an active detection, it also generates traceable traffic on the target network.
One of the more accessible tools for active detection is a free Windows utility called NetStumbler (www.netstumbler.com). Marius Milner wrote this 802.11b wireless-network-auditing program. For any wireless access points that it can find, NetStumbler identifies and tracks information like MAC address, WEP status, and channel.
Of course, hackers could use such a program to gain access to an unprotected wireless LAN. But responsible IT engineers also could use it to analyze their networks' capabilities. This program could help them locate WLAN dead spots and track sources of intermittent noise. In addition, tools like NetStumbler can determine where overlapping channels reduce overall performance. They also can establish the actual boundaries of a WLAN, which often reach beyond the office walls.
When used in conjunction with easily available WEP decryption tools, such as AirSnort (http://airsnort.shmoo.com/), NetStumbler and equivalent programs help to level the playing field. The wireless-network administrator or designer effectively becomes the hacker of his or her own system. What better way is there to appreciate your system's vulnerability?
Feel free to drop me an e-mail if you have any comments on the topic of WLAN security or hacking in general. I'm at [email protected].