Operating System, Open Source, and Closed Source
It is no secret that the majority of the techniques and
methodologies we describe are based on open source (both GPL and
Berkeley-licensed) software. There are several reasons for this. When doing
anything related to wireless hacking (see the Introduction for our definition of
hacking), you want to operate with "hackable" software you can modify and
optimize for your specific needs and hardware at hand. This book is oriented
toward wireless community activists and enthusiastic users as well as corporate
professionals and security consultants, so we want to describe affordable
techniques and solutions. Finally, as long as penetration testing is supposed to
be looking at the network through the cracker's eyes, we should stick to the
same methodology used by Black Hats. Do you really expect a cracker to use a
copy of the latest $5,000 closed source wireless protocol analyzer? In addition,
many of the "underground" attacking tools we describe have features no
commercial product possesses; never underestimate the power of the Black Hat
community. For example, there isn't a commercial wireless security auditing tool capable of cracking WEP or generating custom 802.11
frames (to our knowledge, anyway).
Naturally, Linux comes as the platform of choice for running,
tweaking, and developing such software. BSD is our second choice (mainly due to
the smaller size of the developer community and somewhat smaller list of
supported hardware). Unfortunately, to our current knowledge, there is no
802.11a support under any BSD flavor at the time of writing. However, some
reviewed 802.11b/g security-relevant tools and commands are BSD-specific
(BSD-airtools, Wnet, leapcrack), and BSD systems have decent 802.11b software
access point support. Nevertheless, in our opinion Linux HostAP has more
functionality and is more configurable than BSD software AP implementations.
Why do we use Linux? The main reason is simple: It is easy to
use. You can use the tools described as they come, without any additional
modification. If you are bound to the Microsoft platform, you can install Cygwin
(http://www.cygwin.com), Perl, and port a variety of existing
relevant UNIX tools and scripts to run using Windows headers and libraries. This
would work fine, but would take a lot of unnecessary effort. Installing Linux or
BSD is much easier and saves time. There are also multiple commercial (and even
freeware) wireless-related tools for Windows. The high-end commercial tools like
Sniffer Wireless or AiroPeek are powerful, but somewhat costly. The low-end
tools such as Netstumbler or the majority of Windows Freeware 802.11 "sniffers"
are not up to the job; we outline the reasons for this in Chapter 5. There are some brilliant exceptions, such
as the Packetyzer/Ethereal for Windows combination. Somehow, these exceptions
happen to be released under the GPL.
However, the approach taken in the "Defense" part of this book is different. As a
security consultant or enthusiast, you might have the freedom and opportunity to
select wireless security auditing hardware and software that suits you the best.
As a system administrator or network manager, you have to defend what your
company has by using existing resources, possibly without significant additional
funds or available time. Thus, the defensive countermeasures are
platform-independent and range from using free open source tools to deploying
high-end commercial wireless gateways and IDS systems. For now, we review 802.11
configuration utilities and drivers from a Linux, and partially BSD, perspective
with penetration testing in mind. If you are not a part of the UNIX world, don't
worry. We tried to simplify the described methodologies as much as possible. Our
apologies to seasoned UNIX hackers; you know which bits and pieces you can
safely skip. We have aimed to provide easy step-by-step installation,
configuration, and usage instructions for all utilized tools and utilities.