The PCQLinux 2009 Security and Forensics Live is a distro for emergency
incident response. Like all other PCQLinux Live distros, this one can also be
converted into a USB-based bootable Live distro, which makes it easy to carry,
so you can have a machine ready with the most crucial incident response tools
anywhere, anytime. This is useful for both home users and enterprises. The
distro comes with a set of sniffers, honeypots, WiFi monitoring and hijacking
tools, and forensics tools. Most of these tools are text based and thus easy to
learn and use straight away. Earlier we talked about these tools and their
benefits for enterprises. This time we want to emphasise securing home networks,
since WiFi security has become a serious concern. Let's talk about a couple of
tools which can help you track the status of your home or SMB WiFi network.
These are industry-standard tools used by many enterprises; being Open Source
they are free and easy to use, and there is no harm in using them to strengthen
your home/SMB WiFi network.
Before we begin, there is a small prerequisite you have to meet to be able to
use these WiFi tools with PCQLinux 2009 Security Live. The machine
(laptop/desktop) must have a WiFi card whose driver supports monitor mode. In
monitor mode the card stops associating with any access point and hands every
802.11 frame it hears on the channel to the capture software, without
transmitting anything itself, which is what lets it capture unnoticed (this is
a different feature from the promiscuous mode of a wired card). Most Centrino
laptops come with such a card, and even most of the old D-Link, Orinoco or
Prism based chipset cards are capable of this mode. The easiest way to test
whether your card has this feature is to run the following command as root
(many drivers only accept a mode change while the interface is down, so run
'ifconfig wlan0 down' first and 'ifconfig wlan0 up' afterwards):
#iwconfig wlan0 mode monitor
If the command gives no output, the card supports the feature; confirm it by
running 'iwconfig wlan0' and checking that the line now reads 'Mode:Monitor'.
If you see a message such as 'Operation not supported', it's time to hunt for
another WiFi card ('Device or resource busy' usually just means the interface
is still up). Just make sure that while running the command you replace wlan0
with the correct name of your WiFi interface; 'iwconfig' with no arguments
lists the wireless interfaces on the machine.
List of other tools in PCQLinux Security Live 2009

Tool        Purpose
Wireshark   LAN and WLAN packet capture and IDS
Ettercap    Sniffer
Dsniff      Sniffer
LaBrea      Specialised honeypot (tarpit)
Honeyd      Honeypot
QTParted    Disk partitioning
Sleuthkit   Forensics
Autopsy     Forensics
airodump    WiFi packet capture
aircrack    WEP cracking
airsnort    WEP cracking
Kismet      WiFi IDS
Kismet
The first one on this list is Kismet, a WiFi IDS (intrusion detection
system). We have talked about it several times, so let's do a quick recap.
Running Kismet is very easy. Open the configuration file 'kismet.conf', which
resides in the '/etc/kismet/' folder, find the line 'source=none,none,addme'
and change it to something like 'source=orinoco,eth1,orinocosrc'. The first
parameter is the source type, which depends on the driver of your card
(orinoco, prism2/hostap, cisco and so on; the comments in kismet.conf and the
Kismet README list the supported types). The second parameter is the interface
to capture packets on, the one you put into monitor mode earlier. The third
parameter is just a label that names this source in Kismet's logs and screens;
it is not a user name. The user is set separately: Kismet starts as root to
open the interface and then drops to the unprivileged user named on the
'suiduser=' line of the same file, so change that to your own login as well.
Save the file and exit. To start Kismet, type the following command in the
terminal:
# kismet
[Figure: Kismet showing the list of WiFi access points and the security mechanisms they are using.]
Once Kismet is running, you will see all the access points in your vicinity,
including hidden (non-broadcasting) WiFi networks, and you can spot rogue APs
that have appeared near your network and should not be there. The first screen
lists the APs found so far along with their encryption type, so the first thing
to check is that your own AP shows up with the security you expect. For further
options press the 'H' key, which shows all the keys available. The other most
important thing you will want to know after running this tool is whether any
malicious activity is happening on your WiFi network: press the 'w' key to see
the alerts and warnings Kismet has raised.
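The two setup steps above, putting the card into monitor mode and pointing kismet.conf at it, as one added example script. This is not code from PCQLinux, Kismet or the wireless-tools package. It assumes the classic iwconfig text output (e.g. 'Mode:Managed'), ifconfig for bringing the interface down and up, and the old kismet.conf lines 'source=<type>,<interface>,<label>' and 'suiduser=<user>'; the script name, the 'src' label suffix and the sample strings are assumptions. Instead of trusting the absence of output from iwconfig, it reads the mode back with a second iwconfig call.

```python
"""Put the WiFi card into monitor mode and point kismet.conf at it.

Added example for this article; not code from PCQLinux, Kismet or wireless-tools.
Assumes: classic `iwconfig` text output (e.g. "Mode:Managed"), `ifconfig` for
up/down, and the old kismet.conf lines `source=<type>,<interface>,<label>`
and `suiduser=<user>`. Run as root for the interface and file changes.
"""
import re
import subprocess
import sys

KISMET_CONF = "/etc/kismet/kismet.conf"
MODE_RE = re.compile(r"\bMode:([\w-]+)")


def parse_iwconfig_mode(iwconfig_output):
    """Return the Mode field ('Managed', 'Monitor', 'Ad-Hoc', ...) or None."""
    match = MODE_RE.search(iwconfig_output)
    return match.group(1) if match else None


def interpret_switch(switch_stderr, readback_output):
    """Verdict on `iwconfig <dev> mode monitor`: 'unsupported', 'busy',
    'monitor' or 'not_switched'. Silence from iwconfig is not proof: the mode
    is read back from a second `iwconfig <dev>` call."""
    if "Operation not supported" in switch_stderr or "Invalid argument" in switch_stderr:
        return "unsupported", switch_stderr.strip()
    if "resource busy" in switch_stderr:            # interface still up on most drivers
        return "busy", switch_stderr.strip()
    mode = parse_iwconfig_mode(readback_output)
    return ("monitor" if mode == "Monitor" else "not_switched"), mode


def enable_monitor_mode(dev):
    """Down the interface, request monitor mode, bring it up, then verify."""
    subprocess.run(["ifconfig", dev, "down"], check=True)
    switch = subprocess.run(["iwconfig", dev, "mode", "monitor"],
                            capture_output=True, text=True)
    subprocess.run(["ifconfig", dev, "up"], check=False)
    readback = subprocess.run(["iwconfig", dev], capture_output=True, text=True)
    return interpret_switch(switch.stderr, readback.stdout)


def set_kismet_option(conf_text, key, value):
    """Rewrite the first active `key=...` line, or append one; comments untouched."""
    pattern = re.compile(r"^[ \t]*%s[ \t]*=.*$" % re.escape(key), re.MULTILINE)
    new_line = "%s=%s" % (key, value)
    if pattern.search(conf_text):
        return pattern.sub(lambda _m: new_line, conf_text, count=1)
    sep = "" if not conf_text or conf_text.endswith("\n") else "\n"
    return conf_text + sep + new_line + "\n"


def configure_kismet(conf_text, source_type, iface, label, user):
    """source=<type>,<iface>,<label>: the third field is a label for this
    capture source in Kismet's logs, not a user name. The unprivileged user
    Kismet drops to after opening the interface is the separate suiduser= line."""
    text = set_kismet_option(conf_text, "source", "%s,%s,%s" % (source_type, iface, label))
    return set_kismet_option(text, "suiduser", user)


if __name__ == "__main__":
    # usage: prepare_kismet.py <iface> <source type> <unprivileged user>   (assumed name)
    dev, src_type, user = sys.argv[1:4]
    verdict, detail = enable_monitor_mode(dev)
    if verdict != "monitor":
        sys.exit("%s: monitor mode failed (%s: %s)" % (dev, verdict, detail))
    with open(KISMET_CONF) as fh:
        conf = configure_kismet(fh.read(), src_type, dev, dev + "src", user)
    with open(KISMET_CONF, "w") as fh:
        fh.write(conf)
    print("%s in monitor mode; %s now uses it. Run: kismet" % (dev, KISMET_CONF))
```

Run it as 'python prepare_kismet.py wlan0 orinoco <your login>' and then start kismet. The only file it touches is kismet.conf, and it refuses to edit it when the card did not actually end up in monitor mode.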
[Figure: Airsnort capturing IV packets to crack a WEP key.]
Strengthening with security
In most homes and home offices the AP is deployed by the ISP's engineers.
They are the ones who choose the passkey and set it on all the machines, and in
most cases we don't even ask them what type or strength of security they have
enabled on the AP. Essentially there are three variants of WiFi encryption: WEP,
WPA and WPA2. WEP is inherently insecure and can be cracked easily once enough
traffic has been captured. WPA and WPA2 are far more secure, but with a
pre-shared key (the usual home setup) a short or dictionary-word passphrase can
still be recovered by a brute force or dictionary attack against a captured
handshake, so the passphrase itself has to be long and random. You can run the
Airsnort and aircrack tools to see how easy it is to crack your own WiFi
network. Airsnort is very easy to run and comes with a graphical interface:
start it from the terminal by typing airsnort, select your WiFi device and
press the Start button. It can take from a couple of hours to a couple of days
to collect enough packets to crack a WEP key, so run it for at least 24 hours
to judge the strength of your network. If you don't want to use the graphical
tool, you can run airodump instead for a couple of days. It is very small and
needs very little CPU, and it keeps accumulating the required data from the
network into a dump file. Once the file is large enough you can run it through
aircrack, or even Airsnort, to see whether the key can be recovered. Running
airodump is very simple. The following command captures on wlan0, hops across
all channels (the 0) and writes to dumpfile.cap (airodump appends the .cap
extension to the prefix you give it):
#airodump wlan0 dumpfile 0
Once you have a big dump file, with at least 75,000 IVs (the 3-byte
initialisation vector that precedes every WEP-encrypted frame; airodump shows
the running IV count per AP on its screen), run aircrack on it:
#aircrack dumpfile.cap
If this shows your WEP key, your network is vulnerable and you need to fix it,
ideally by switching the AP and all clients to WPA2 with a long, complex
passphrase. Changing the WEP key frequently only shortens the window for an
attacker; it does not make WEP safe.
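To know whether a capture has reached the kind of IV count the procedure above needs, it helps to count what the file actually holds rather than watch its size, because repeated IVs add nothing for aircrack. The following is an added example, not code from airodump, aircrack or airsnort. It assumes a little-endian libpcap file whose records are raw 802.11 frames (link type 105) or radiotap-wrapped 802.11 (link type 127); the 75,000-IV threshold is the article's own rule of thumb, the script name is assumed, and the sample capture is constructed inside the script for illustration. It also counts the FMS "weak" IVs of the form (B+3, 0xFF, x) that Airsnort reports as interesting packets, and skips WPA frames (ExtIV bit set) so a mixed capture does not inflate the WEP count.

```python
"""Count unique WEP IVs per access point in an airodump capture file.

Added example for this article; not code from airodump, aircrack or airsnort.
Assumes a little-endian libpcap file whose records are raw 802.11 frames
(link type 105) or radiotap-wrapped 802.11 (link type 127). The 75,000-IV
threshold in main is the article's rule of thumb; the sample capture built
by build_sample_capture() is constructed here for illustration only.
"""
import struct
import sys
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 105, 127


def iter_frames(data):
    """Yield raw 802.11 frames from a libpcap byte string, stripping radiotap."""
    magic, _v1, _v2, _tz, _sig, _snap, link_type = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    if link_type not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError("unsupported link type %d" % link_type)
    off = 24
    while off + 16 <= len(data):
        _s, _us, incl_len, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if link_type == DLT_IEEE802_11_RADIO:        # radiotap: total length at bytes 2..3
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        yield frame


def wep_iv(frame):
    """(bssid, iv) for a WEP data frame, else None.

    WPA/WPA2 frames also set the Protected bit but carry the ExtIV bit (0x20)
    in the key-id byte; skipping them keeps a mixed WEP/WPA capture honest."""
    if len(frame) < 28:
        return None
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != 2 or not flags & 0x40:       # data frame with Protected bit
        return None
    to_ds, from_ds = flags & 0x1, flags & 0x2
    hdr = 30 if (to_ds and from_ds) else 24            # WDS frames carry a 4th address
    if fc & 0x80:                                      # QoS data adds a 2-byte QoS field
        hdr += 2
    if len(frame) < hdr + 4 or frame[hdr + 3] & 0x20:  # too short, or ExtIV => not WEP
        return None
    if to_ds and not from_ds:
        bssid = frame[4:10]
    elif from_ds and not to_ds:
        bssid = frame[10:16]
    else:
        bssid = frame[16:22]
    return ":".join("%02x" % b for b in bssid), frame[hdr:hdr + 3]


def is_fms_weak(iv, key_bytes=13):
    """Airsnort's 'interesting' IVs, (B+3, 0xFF, x), which leak key byte B."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def count_ivs(pcap_bytes):
    """Per BSSID: WEP frames seen, unique IVs (what aircrack needs), weak IVs."""
    seen, frames = defaultdict(set), defaultdict(int)
    for frame in iter_frames(pcap_bytes):
        hit = wep_iv(frame)
        if hit:
            bssid, iv = hit
            frames[bssid] += 1
            seen[bssid].add(iv)
    return {b: {"frames": frames[b], "unique_ivs": len(seen[b]),
                "weak_ivs": sum(1 for iv in seen[b] if is_fms_weak(iv))} for b in frames}


def build_sample_capture():
    """Constructed sample, not a real capture: one AP, 4 WEP frames (one IV
    repeated, one FMS-weak), one WPA frame and one beacon."""
    ap, sta = bytes.fromhex("00112233aabb"), bytes.fromhex("0a0b0c0d0e0f")

    def data_frame(iv, key_byte=0x00):              # FromDS, Protected: addr2 is the BSSID
        return (bytes([0x08, 0x42, 0, 0]) + sta + ap + ap + b"\x00\x00"
                + bytes(iv) + bytes([key_byte]) + b"\xde\xad\xbe\xef" * 4)

    beacon = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + ap + ap + b"\x00" * 14
    frames = [data_frame([0x01, 0x02, 0x03]), data_frame([0x01, 0x02, 0x03]),
              data_frame([0x04, 0xFF, 0x10]), data_frame([0x05, 0x06, 0x07]),
              data_frame([0x00, 0x00, 0x01], key_byte=0x20), beacon]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # usage: count_ivs.py [dumpfile.cap]; with no argument the built-in sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    for bssid, s in sorted(count_ivs(data).items()):
        verdict = "enough, run aircrack" if s["unique_ivs"] >= 75000 else "keep capturing"
        print("%s frames=%d unique_ivs=%d weak_ivs=%d -> %s"
              % (bssid, s["frames"], s["unique_ivs"], s["weak_ivs"], verdict))
```

Point it at the dumpfile.cap that airodump writes; on the built-in sample it reports 4 frames but only 3 unique IVs for the AP, which is exactly the gap between "a big file" and "enough IVs".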