Security and Forensics Live

PCQ Bureau

The PCQLinux 2009 Security and Forensics Live is a distro for emergency incident response. Like all other PCQLinux Live distros, this one can also be converted into a USB-based bootable Live distro, which makes it easy to carry, so you can have a machine ready with the most crucial incident response tools anywhere, anytime. The distro is useful for both home users and enterprises. It comes with a set of sniffers, honeypots, WiFi monitoring and hijacking tools, and forensics tools. Most of these tools are text based and thus easy to learn and use instantly. Earlier, we talked about these tools and their benefits for enterprises. This time we want to emphasize securing home networks, since WiFi security has become a serious concern. Let's talk about a couple of tools which can help you track the status of your home or SMB WiFi network. These industry-standard tools are used by many enterprises; being Open Source, they are free and easy to use, and there is no harm in using them to strengthen your home/SMB WiFi network.

Before we begin, there is a small prerequisite you have to meet to be able to use these WiFi tools with PCQLinux 2009 Security Live. The machine (laptop/desktop) should have a WiFi card which supports monitor mode. This is essentially a feature which lets the card become promiscuous and stealthy and start capturing packets over the network. Most Centrino laptops do come with such a card. Even most of the old D-Link Orinoco or Prism based chipset cards are capable of this mode. The easiest way to test whether your card has this feature is by running the following command:


# iwconfig wlan0 mode monitor

If the command gives no output, the card supports the feature; if you see a message such as 'Operation not supported', it's time to hunt for another WiFi card. Just make sure that when running the command you replace wlan0 with the correct device file name of your WiFi card.



List of other tools in PCQLinux Security Live 2009

Tool        Purpose
---------   -----------------------------------
Wireshark   LAN and WLAN packet capture and IDS
Ettercap    Sniffer
Dsniff      Sniffer
LaBrea      Specialized honeypot
Honeyd      Honeypot
QtParted    Disk partitioning
Sleuthkit   Forensics
Autopsy     Forensics
airodump    WiFi packet capture
aircrack    WEP cracking
airsnort    WEP cracking
Kismet      WiFi IDS










Kismet

The first one on this list is Kismet, which is a WiFi IDS (intrusion detection system). We have talked about it several times, so let's do a quick recap. Running Kismet is very easy. Open the configuration file 'kismet.conf', which resides in the '/etc/kismet/' folder. Find the statement 'source=none,none,addme' and change it to 'source=orinoco,eth1,root'. The first parameter defines the source type, which could be Orinoco, Prism or Cisco based. The second parameter defines the interface card which should be used for capturing packets, and the third parameter defines the name of the user. Save the file and exit. To start Kismet, type the following command on the terminal:



# kismet
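The configuration edit just described, as an added Python helper (not code from this article or from the Kismet project): it locates the active 'source=' line in a copy of kismet.conf, tolerates the stray spaces found in the shipped default ('source = none ,none,addme'), rejects fields that contain spaces or commas, and writes back the normalized 'source=type,interface,user' form. The sample configuration fragment is constructed for the example, and the three-field line format is the classic one the article describes; newer Kismet releases use a different source syntax.

```python
"""Set the capture source line in a classic kismet.conf.

Added example; not code from the PCQuest article or the Kismet project.
Assumes the 'source=type,interface,name' line format described above.
"""
import re

# Constructed sample of the relevant part of /etc/kismet/kismet.conf.
SAMPLE_CONF = """\
# Kismet config file (constructed sample)
servername=Kismet
# Sources are defined as type,interface,name
source = none ,none,addme
logtypes=dump,network,csv
"""

# Matches an active (uncommented) source line; '#'-prefixed lines do not match.
SOURCE_RE = re.compile(r"^\s*source\s*=\s*(.*)$")


def parse_source(line):
    """Return (type, interface, name) from a 'source=' line, or None if the
    line is not a source line. Stray spaces around commas are tolerated."""
    m = SOURCE_RE.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed source line: {line.rstrip()!r}")
    return tuple(parts)


def active_source(conf_text):
    """Return the first active source triple, or None if there is none."""
    for line in conf_text.splitlines():
        src = parse_source(line)
        if src:
            return src
    return None


def set_source(conf_text, src_type, iface, name):
    """Replace the first active 'source=' line with a normalized one and
    return the new config text. Raises if no active line exists, so a
    commented-out or misspelled key does not silently leave the default."""
    for value in (src_type, iface, name):
        if not value or "," in value or any(c.isspace() for c in value):
            raise ValueError(f"invalid field: {value!r}")
    new_line = f"source={src_type},{iface},{name}"
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if SOURCE_RE.match(line):
            lines[i] = new_line
            break
    else:
        raise ValueError("no active source= line found")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(set_source(SAMPLE_CONF, "orinoco", "eth1", "root"), end="")
```

Run it against a copy of /etc/kismet/kismet.conf and diff before copying the result back. If it raises "no active source= line found", the key was commented out or misspelled, which would otherwise leave Kismet with no usable capture source.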

Kismet showing the list of WiFi Access Points and the security mechanisms they are using.

Once Kismet is ready, you will be able to see all the access points available in your vicinity. You can even figure out any fake APs in your network, and can also see hidden WiFi networks. For further configuration, press the 'H' key; it will show all the options that are available. The first screen itself will show you the number of APs, both fake and real. The other most important thing you would like to know after running this tool is whether any malicious attack is happening on your WiFi network. You can see these attacks and warnings by pressing the 'w' key.
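As an added example (not part of this article and not Kismet's own code), the following Python script applies the checks described here, and the WEP/WPA advice in the next section, to a scan listing: it flags WEP and open networks, hidden (cloaked) SSIDs, and the same network name being advertised by more than one BSSID, which is how a fake AP typically shows up in the list. The CSV layout and the scan rows are constructed for the example; real Kismet or airodump exports carry more columns, so parse_scan() would need adapting to your tool's format.

```python
"""Flag weak or suspicious access points in a WiFi scan listing.

Added example; not code from the PCQuest article or the Kismet project.
The CSV layout (bssid, essid, channel, privacy) is an assumption made for
this example and does not match any particular tool's export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample scan; not captured from a real network.
SAMPLE_SCAN = """\
bssid,essid,channel,privacy
00:11:22:33:44:01,HomeNet,6,WEP
00:11:22:33:44:02,OfficeNet,11,WPA2
00:11:22:33:44:03,OfficeNet,1,OPN
00:11:22:33:44:04,,3,WPA
00:11:22:33:44:05,Cafe,9,OPN
"""


def parse_scan(text):
    """Parse the CSV listing into a list of dicts with normalized fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": rec["bssid"].strip().lower(),
            "essid": rec["essid"].strip(),          # empty => hidden SSID
            "channel": int(rec["channel"]),
            "privacy": rec["privacy"].strip().upper(),
        })
    return rows


def audit(rows):
    """Return (bssid, finding) tuples for everything worth a closer look."""
    findings = []
    by_essid = defaultdict(list)
    for r in rows:
        if r["privacy"] == "WEP":
            findings.append((r["bssid"], "WEP: trivially crackable, move to WPA2"))
        elif r["privacy"] == "OPN":
            findings.append((r["bssid"], "open network: no encryption at all"))
        if not r["essid"]:
            findings.append((r["bssid"], "hidden SSID (cloaked network)"))
        else:
            by_essid[r["essid"]].append((r["bssid"], r["privacy"]))

    # One network name advertised by several BSSIDs is how a fake AP usually
    # shows up; a multi-AP office looks the same, so verify before acting.
    for essid, entries in by_essid.items():
        if len(entries) < 2:
            continue
        note = "possible fake AP"
        privs = sorted({p for _, p in entries})
        if len(privs) > 1:
            note += " (security differs: " + "/".join(privs) + ")"
        for bssid, _ in entries:
            findings.append((bssid, f"ESSID {essid!r} seen from {len(entries)} BSSIDs: {note}"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(parse_scan(SAMPLE_SCAN)):
        print(f"{bssid}  {finding}")
```

On the constructed sample this reports the WEP home network, two open networks, one hidden network and both OfficeNet BSSIDs (one of them open, the other WPA2), which is the pattern to investigate first.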



Airsnort capturing IV packets to crack the WEP key.

Strengthening with security

Mostly, the APs at homes or home offices are deployed by the ISP's engineers. They are the ones who give you the passkey and set it on all the machines. In most cases, we don't even ask them the strength or type of security they have enabled on the AP. Essentially there are three variants of WiFi encryption: WEP, WPA and WPA2. WEP is inherently insecure and can be cracked very easily; WPA and WPA2 are more secure but susceptible to brute force and dictionary attacks. You can run the Airsnort and aircrack tools to see how easy it is to crack your own WiFi network. Airsnort is very easy to run and comes with a graphical interface. All you have to do is start it from the terminal by typing Airsnort, then select your WiFi device and press the Start button. It might take from a couple of hours to a couple of days to crack the WEP key, so run it for at least 24 hours to see the strength of your network. On the other hand, if you don't want to use the graphical tool, you can just run airodump for a couple of days. It's very small and consumes very little power. It will keep accumulating all the required data from the network into a dump file. Once you have generated a huge file, you can run it through Aircrack or even Airsnort to check for a weak password or security mechanism. Running Airodump is very simple. Just run the following command:

# airodump wlan0 /dumpfile.dump

It will create the dump file. Once you get a big dump file, with at least 75000 IV packets, you can run Aircrack on it with the following command:

# aircrack /dumpfile.cap

If this is able to show your WEP key, then your network is vulnerable and you need to get it rectified, either by using a complex enough WPA2 key or by changing the WEP key frequently.
