Mac Attack Part 2: The Wireless Hack
@ Articles -> Security     Apr 08 2002, 06:23 (UTC+0)
kdm writes: A bit after our originally scheduled 'second-half' article, we've finally gotten our act together for part two of our Mac Attack series. This tale again takes place with n2k and myself @ that very same mall, at the heart of the midwest's (that'd be the US ;) suburbia. Included will be how we prepped for our wireless expedition to this site, as well as the results of other similar expeditions in the metropolitan area.

First and foremost, we had to make sure that our hardware was up to snuff. We both had reasonable laptops at our disposal (although n2k, being the dork that he is, had quite the more hardcore setup), but the bread and butter of this operation would of course be what we were making the link with. Fortunately we both had Linksys WPC11 cards care of our employer :) From there, logically you've got to think: what good is the hardware if you can't talk to/with it? For that, n2k used his distro's built-in kernel modules, while I hit up the linux-wlan homepage. Not to say that the base kernel modules were a bad fit (in fact, depending on the distro, you might even end up with a copy of linux-wlan's drivers already loaded), I was just hoping to get newer drivers - hopefully with 'promiscuous mode' perfected. Either way, an easy load... n2k booted up, while I just copied the compiled binaries to the src dir and booted. Assuming we'd run into some sort of WEP (Wired Equivalent Privacy) security, we also nabbed a fresh copy of airsnort, our preferred method of gaining entry to a wireless network.

Off we went to the mall, each with our respective machines in backpack and an itch to explore. As the pictures below indicate, we initially set up shop right outside our target. My machine wouldn't operate too long on its batteries (that's Compaq for ya), so we also had to choose a location near a power receptacle. Mr '36hr battery life' and his Dell couldn't care less, but regardless we had laid our first nomadic camp ground.

*turning machines on...*
*select kernel...*
*blinky lights on the NIC...*

We stumbled onto a completely unprotected 2-megabit pipe to the internet. No obscure channel settings. No obscure host settings. No WEP encryption present. Completely default settings on the Mac store's wireless links. Through further examination, we also found that there was no cap set on bandwidth (meaning we had access to the full capacity). As much as we laughed initially, this was really more sad than anything. It's unfortunately common to run into this sort of situation: a newer technology hitting the retail markets, with consumers (and some technicians) not familiar enough with its capabilities.
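The "completely default settings" finding above is something an owner can check for on their own access points before anyone else does. The script below is an added example for this article, not the authors' code: it reads iwlist-style scan text (the sample cells are constructed, not a real capture) and flags each access point that has encryption off, a factory SSID, or the factory channel. The list of default SSIDs is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the original article): flag access points that are
# still on factory settings, using iwlist-style scan text as input.
# The scan below is constructed for the example, not a real capture.
SAMPLE_SCAN='          Cell 01 - Address: 00:00:00:AA:BB:01
                    ESSID:"linksys"
                    Mode:Master
                    Channel:6
                    Encryption key:off
          Cell 02 - Address: 00:00:00:AA:BB:02
                    ESSID:"store-pos"
                    Mode:Master
                    Channel:11
                    Encryption key:on
          Cell 03 - Address: 00:00:00:AA:BB:03
                    ESSID:"default"
                    Mode:Master
                    Channel:6
                    Encryption key:off'

# Factory SSIDs of early consumer access points (illustrative list, an assumption).
DEFAULT_SSIDS="linksys default wireless WLAN"

# audit_scan: read scan text on stdin and print one line per cell:
#   <bssid> <essid> <channel> <findings>
# where findings is a comma-separated list (OPEN, DEFAULT_SSID,
# DEFAULT_CHANNEL) or "ok".
audit_scan() {
  awk -v defaults="$DEFAULT_SSIDS" '
    function report(   f) {
      f = ""
      if (enc == "off") f = f "OPEN,"
      if (essid != "" && index(" " defaults " ", " " essid " ") > 0) f = f "DEFAULT_SSID,"
      if (chan == 6) f = f "DEFAULT_CHANNEL,"
      if (f == "") { f = "ok" } else { sub(/,$/, "", f) }
      print bssid, essid, chan, f
    }
    # a new "Cell" header closes the previous cell and starts a fresh one
    /Cell [0-9]+ - Address:/ { if (bssid != "") report()
                               bssid = $NF; essid = ""; chan = ""; enc = ""; next }
    /ESSID:/          { sub(/.*ESSID:"/, ""); sub(/".*/, ""); essid = $0; next }
    /Channel:/        { sub(/.*Channel:/, ""); chan = $0 + 0; next }
    /Encryption key:/ { sub(/.*Encryption key:/, ""); gsub(/[ \t\r]/, ""); enc = $0; next }
    END { if (bssid != "") report() }
  '
}

# count_open: number of cells with no link-layer encryption at all.
count_open() { audit_scan | grep -c OPEN; }

# Stand-alone run over the constructed sample; on a live host you would
# pipe `iwlist wlan0 scan` into audit_scan instead.
printf '%s\n' "$SAMPLE_SCAN" | audit_scan
```

For the sample, cells 01 and 03 come back as OPEN,DEFAULT_SSID,DEFAULT_CHANNEL and cell 02 as ok. Anything other than "ok" on one of your own access points is the situation the article describes, and the fix is on the access point itself, not on the scanner.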

One such premise brought up by n2k quite frequently was the possibility of this facility being used as a point of attack. Had we been malicious in our intent, there could have been very tragic consequences. In this area in particular, we were only a couple of hops from an actual NAP and from the nearest backbone (see VR maps at bottom). These were only 2-megabit connections; get a couple dozen people around the relative area and you've got the aggregate capacity of a DS3. It's only a matter of time before this type of situation comes up. Our hope is that people might read this article and give it a bit more voice. It's possible to prevent anything, you just need to make the choice not to be ignorant. The store was actually protected by a Cisco PIX box, however all that does is keep people from coming in through the outside network - unfortunately it's child's play to enter the trusted intranet over the wireless link.

Many people we've brought our findings to have insisted that this was an isolated incident and that what could potentially happen has been exaggerated. I'd love to think that was the truth. I'd love for you people to prove me wrong, but so far that just isn't the case.

Although it wasn't documented as thoroughly as our Mac store exposé, we were also able to confirm a connection to an open wireless router connected to a partial DS3 (21 megabit) in one of the largest metropolises in the US. Current 802.11b standards don't support that type of speed, but I'll be even more concerned if this company's IT department decides to upgrade to the soon-to-be 802.11g hoping for more wireless capacity. Did I mention this office building was a single hop from UUnet's backbone? A 2ms ping to an OC-192 backbone. I may not have any sort of legal degree, but given the US government's stance (and possibly many EU governments' shortly) on 'cyber attacks' being considered federally prosecuted terrorism, wouldn't leaving this type of bandwidth on an unregulated connection be considered criminal negligence?

Despite 802.11g supposedly touting much better encryption standards, there is still the matter of common sense involved. Any of the networks we penetrated could very easily have isolated the wireless segment with both bandwidth and firewall restrictions - meaning much less possibility of wrongdoing. This technology is very impressive stuff, but just like everything preceding it, it only does what you tell it to.
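What "isolating the wireless segment with both bandwidth and firewall restrictions" looks like in practice, as an added example that is not part of the original article: a Linux gateway sitting between the access point, the trusted LAN and the upstream link, with an nftables forwarding policy that drops everything by default, caps the wireless segment's throughput, and lets wireless clients reach the Internet only. The interface names (wlan0, eth0, eth1) and the rate cap are assumptions for the example; nftables is the modern equivalent of what a PIX or an ipchains box would have done in 2002.

```shell
#!/bin/sh
# Added example (not from the original article): an nftables ruleset that
# puts the wireless segment behind its own forwarding policy. Interface
# names and the rate cap are assumptions for the example.
WLAN_IF="${WLAN_IF:-wlan0}"                    # access-point side
LAN_IF="${LAN_IF:-eth0}"                       # trusted store network
WAN_IF="${WAN_IF:-eth1}"                       # upstream link
WLAN_RATE="${WLAN_RATE:-256 kbytes/second}"    # cap per direction for the whole wireless segment

# wlan_isolation_rules: print the ruleset for review; apply with
#   wlan_isolation_rules | nft -f -
# The weak configuration the article found is the absence of all of this:
# an access point bridged straight into the LAN with no forward filtering.
wlan_isolation_rules() {
  cat <<EOF
table inet wlan_guard {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # cap everything entering or leaving the wireless segment (one meter per direction)
    iifname "$WLAN_IF" limit rate over $WLAN_RATE counter drop
    oifname "$WLAN_IF" limit rate over $WLAN_RATE counter drop
    ct state established,related accept
    # new flows: wireless clients reach the upstream link and nothing else
    iifname "$WLAN_IF" oifname "$WAN_IF" accept
    # the trusted LAN keeps its normal path out
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    # wireless -> LAN is dropped explicitly so the counter shows attempts
    iifname "$WLAN_IF" oifname "$LAN_IF" counter drop
  }
}
EOF
}

# Stand-alone run: print the ruleset so it can be read before it is loaded.
wlan_isolation_rules
```

Two design notes. The explicit wireless-to-LAN drop is redundant with the chain policy, but its counter (`nft list chain inet wlan_guard forward`) is the cheapest possible detector for someone on the wireless side probing the store network. And `limit rate over ... drop` is a hard cap that discards the excess rather than queueing it; if you want smoothing instead of dropping, that is a job for tc, not the firewall. The ruleset covers forwarded traffic only; the gateway's own input chain still needs its usual rules.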

comments and suggestions are very welcome :) as usual, hugz and kisses... goodnight people!

n2k & onni

but wait, what about the pjix0rz?

photos

[photos: first shot is yours truly outside the mac store. second shot is of n2k and myself getting comfy with our connection...]

desktop shots

[desktop shots: first and second grabs are of us doing a visualroute to prove actual network location. third is the same concept but from a terminal prompt.]
