The Easiest Way to Get in
The first thing any attacker looks for is "low-hanging fruit."
An inexperienced attacker will search for it because he or she can't get into
anything else, whereas an experienced Black Hat will look for it to save time
and to be sure that (unless it's a honeypot) no IDS or egress filtering is
present and that hosts on the network are easy to break into for further backdoor
planting. Despite the opinion of a few "security experts," the number of
wide-open wireless networks is incredible. By "wide open" we mean no WEP, no MAC
filtering, no closed ESSID, no protocol filtering, and most likely an AP management
interface accessible from the WLAN. There are a variety of reasons why this
situation exists, the major one being the laziness and ignorance of users (or even
system administrators). When attacking such networks, a cracker has only three main
concerns: physical network reachability, connectivity to the Internet, and the
(rare) possibility of a honeypot trap. Let's explore each in further detail.
- Physical network reachability: Even if a network is wide open, it is no good
  (for a cracker) if the only way to connect to it is to sit with a laptop right
  under the office window.
- Connectivity to the Internet: Is it present, and how "fat" is the "pipe"?
- Honeypot trap: Is trouble on the way?
The first issue, reachability, is addressed by a high-gain
antenna. A high-gain omnidirectional might look like a walking stick or a pool
cue and will not raise any suspicions. The majority of Yagis can pass for poster
holders, and even the directional dishes would not surprise anyone as long as the
cracker passes himself or herself off as a telecom engineer troubleshooting a link
or even an amateur radio enthusiast. It is truly amazing when you sit in the
park with a huge antenna in the middle of nowhere and present yourself as a
university student doing research. The second issue, connectivity, can be sorted
out by multiple means; for example, the DHCP traffic present on the network
reveals the gateway IP address. We have to admit, we like Ettercap. Press "p/P" to
list the available Ettercap plug-ins. The plug-in that discovers LAN gateways is
called triton. The last issue, the honeypot trap, is difficult to solve. Use
your intuition and skill to determine whether this low-hanging fruit is
poisoned. Looking for sniffers helps; check out the hunter plug-in in Ettercap
(Figure 8-1).
Of course, as a corporate penetration tester you can simply ask
if there are honeypots, but that would spoil both the fun and the challenge, would
it not?