
Security and Forensics Live

Check the strength of your WiFi network and make it hack-proof and do lots more by using this live security distro

Anindya Roy

Tuesday, March 03, 2009


The PCQLinux 2009 Security and Forensics Live is a distro for emergency incident response. Like all other PCQLinux Live distros, this one can also be converted into a USB-based bootable Live distro, which makes it easy to carry and gives you a machine ready with the most crucial incident response tools anywhere, anytime. The distro is useful for both home users and enterprises. It comes with a set of sniffers, honeypots, WiFi monitoring and hijacking tools, and forensics tools. Most of these tools are text based and thus easy to learn and use instantly.

Earlier, we talked about these tools and their benefits for enterprises. This time we want to emphasise securing home networks, since WiFi security has become a serious concern. Let's talk about a couple of tools which can help you track the status of your home or SMB WiFi network. These are the industry-standard tools used by many enterprises; being Open Source they are free and easy to use, and there is no harm in using them to strengthen your own home/SMB WiFi network.

Before we begin, there is a small prerequisite you have to meet to be able to use these WiFi tools with PCQLinux 2009 Security Live. The machine (laptop/desktop) should have a WiFi card which supports monitor mode. This is essentially a feature which lets the card become promiscuous and stealthy and start capturing packets over the network. Most Centrino laptops come with such a card, and even most of the old D-Link Orinoco or Prism chipset based cards are capable of this mode. The easiest way to test whether your card has this feature is to run the following command:

#iwconfig wlan0 mode monitor

If the command gives no output, then the card supports the feature; if you see a message such as 'Operation not supported', then it's time to hunt for some other WiFi card. Just make sure that while running the command, you replace wlan0 with the correct device name of your WiFi card.

List of other tools in PCQLinux Security Live 2009

Tool        Purpose
Wireshark   LAN and WLAN packet capture and IDS
Ettercap    Sniffer
Dsniff      Sniffer
LaBrea      Specialized honeypot
Honeyd      Honeypot
QTParted    Disk partitioning
Sleuthkit   Forensics
Autopsy     Forensics
airodump    WiFi packet capture
aircrack    WEP crack
airsnort    WEP crack
kismet      WiFi IDS

Kismet
The first one on this list is Kismet, a WiFi IDS (intrusion detection system). We have talked about it several times, so let's do a quick recap. Running Kismet is very easy. Open the configuration file 'kismet.conf', which resides in the '/etc/kismet/' folder, find the line 'source=none,none,addme' and change it to 'source=orinoco,eth1,root'. The first parameter defines the source type, which could be Orinoco, Prism or Cisco based; the second defines the interface card which should be used for capturing packets; and the third defines the name of the user. Save the file and exit. To start Kismet, type the following command on the terminal:
# kismet
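As an added example (not from the article or the Kismet project), here is a small Python helper that applies the kismet.conf edit described above and validates the source type against the three the article names (Orinoco, Prism, Cisco); the configuration excerpt it works on is constructed, not a real kismet.conf.

```python
import re

# Source types the article lists for the first field of the 'source=' line.
KNOWN_SOURCE_TYPES = {"orinoco", "prism", "cisco"}

# Matches an active (uncommented) 'source = ...' line anywhere in the file.
SOURCE_RE = re.compile(r"^\s*source\s*=\s*(.*)$", re.MULTILINE)

# Interface names: letters, digits and a few safe punctuation characters only.
IFACE_RE = re.compile(r"[A-Za-z0-9_.:-]+")


def parse_kismet_source(conf_text):
    """Return (type, interface, name) from the active source= line,
    or None if the line is missing or still the unconfigured 'none,none,addme'."""
    m = SOURCE_RE.search(conf_text)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) != 3 or parts[0] == "none":
        return None
    return tuple(parts)


def set_kismet_source(conf_text, source_type, interface, name):
    """Return conf_text with its source= line replaced by
    'source=<type>,<interface>,<name>', validating the inputs first."""
    if source_type not in KNOWN_SOURCE_TYPES:
        raise ValueError("unknown source type: %r" % source_type)
    if not IFACE_RE.fullmatch(interface):
        raise ValueError("bad interface name: %r" % interface)
    if "," in name or "\n" in name:
        raise ValueError("name must not contain commas or newlines")
    new_line = "source=%s,%s,%s" % (source_type, interface, name)
    if SOURCE_RE.search(conf_text):
        # Replace only the first active source= line; comments are untouched.
        return SOURCE_RE.sub(new_line, conf_text, count=1)
    # No source= line at all: append one.
    return conf_text.rstrip("\n") + "\n" + new_line + "\n"


# Constructed excerpt standing in for /etc/kismet/kismet.conf (not a real file).
SAMPLE_CONF = """# constructed kismet.conf excerpt
# source=prism,wlan0,commented-out-example
source = none ,none,addme
"""
```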

Kismet showing the list with WiFi Access Points and the security mechanisms they are using.

Once Kismet is ready, you will be able to see all the access points available in your vicinity. You can even figure out any fake APs in your network, and can also see hidden WiFi networks. For further configuration, press the 'H' key; it will show all the options that are available. On the first screen itself, it will show you the number of APs, both fake and real. The other most important thing you would like to know after running this tool is whether there is any malicious attack happening on your WiFi network. You can see these attacks and warnings by pressing the 'w' key.

Airsnort capturing IV packets to crack WEP key.

Strengthening with security
Mostly, the AP at your home or home office is deployed by the ISP's engineers. They are the ones who give out the passkey and set it on all machines. In most cases, we don't even ask them about the strength or type of security they have enabled on the AP. Essentially there are three variants of WiFi encryption: WEP, WPA and WPA2. WEP is inherently insecure and can be cracked very easily; WPA and WPA2 are more secure but susceptible to brute force and dictionary attacks. You can run the Airsnort and aircrack tools to see how easy it is to crack your WiFi network. Airsnort is very easy to run and comes with a graphical interface. All you have to do is start it from the terminal by typing Airsnort, then select your WiFi device and press the Start button. It might take from a couple of hours to a couple of days to crack the WEP key, so run it for at least 24 hours to see the strength of your network. On the other hand, if you don't want to use the graphical tool, you can just run airodump for a couple of days. It's very small and consumes very little power. It will keep accumulating all the required data from the network in a dump file. Once you have generated a huge file, you can run it through Aircrack or even Airsnort to see whether the password or security mechanism is weak. Running Airodump is very simple. Just run the following command:
#airodump wlan0 /dumpfile.dump

It will create the dump file. Once you get a big dump file, with at least 75,000 IV packets, you can run Aircrack on it with the following command:
#aircrack /dumpfile.cap

If this is able to show your WEP key, then your network is vulnerable and you need to get it rectified, either by using a complex enough WPA2 key or by changing the WEP key very frequently.
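To put numbers behind the advice above, here is an added Python example (not from the article or the aircrack tools) that shows why WEP's 24-bit per-packet IV repeats so quickly at the packet counts the article mentions, and what "complex enough" means for a WPA2 passphrase: length and character rules, a CSPRNG-generated key, and the fact that a passphrase found in a wordlist only has the entropy of the wordlist. The wordlist is a constructed four-entry stand-in.

```python
import math
import secrets
import string

WEP_IV_BITS = 24                     # per-packet IV WEP prepends to the RC4 key
WPA2_PSK_MIN, WPA2_PSK_MAX = 8, 63   # allowed ASCII passphrase length for a WPA2 PSK


def wep_iv_reuse_probability(packets):
    """Birthday-bound probability that at least one 24-bit IV has repeated
    after `packets` frames: 1 - exp(-n(n-1) / (2 * 2^24))."""
    space = 2 ** WEP_IV_BITS
    if packets >= space:
        return 1.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def is_valid_wpa2_passphrase(passphrase):
    """8 to 63 printable ASCII characters (0x20..0x7E), as the PSK rules require."""
    return (WPA2_PSK_MIN <= len(passphrase) <= WPA2_PSK_MAX
            and all(32 <= ord(c) <= 126 for c in passphrase))


def generate_wpa2_passphrase(length=20,
                             alphabet=string.ascii_letters + string.digits):
    """Random passphrase drawn from the OS CSPRNG via `secrets`, never `random`."""
    if not WPA2_PSK_MIN <= length <= WPA2_PSK_MAX:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def effective_entropy_bits(passphrase, wordlist, alphabet_size=62):
    """Guessing work an attacker faces. A wordlist hit costs only
    log2(len(wordlist)) however long the passphrase looks; otherwise assume
    uniform random characters from an alphabet of `alphabet_size`."""
    if passphrase in wordlist:
        return math.log2(len(wordlist))
    return len(passphrase) * math.log2(alphabet_size)


# Constructed, deliberately tiny stand-in for a dictionary-attack wordlist.
SAMPLE_WORDLIST = {"password", "12345678", "qwertyui", "letmein1"}
```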
