Contents
1. Selecting software and hardware for wireless security research, and the physical and electrical parameters involved
Before doing any actual wireless security attacks or research, we need to prepare some hardware, along with the supporting software. Basically, wireless hacking involves the following components:
One thing to note:
As we said earlier, the "main difference" between different types of network cards lies in the built-in chipset. However, the quality of a wireless network card depends not only on the chipset and driver mentioned above, but also on its own physical and electrical characteristics. Let's go through them one by one.
Generally speaking, a network card's performance is evaluated along the following dimensions:
0x1: chipset model
In my experience, the chips from the mainstream manufacturers do not differ much in performance (at least not for low-end cards). I chose the RT3070L chip for the experiments; BackTrack 5 (BT5) also ships driver support for it by default, which makes the early preparation convenient. Generally speaking, it is only when the price of a card climbs into the thousands that the chip model starts to make a noticeable performance difference.
When choosing a chip, pay attention to its driver support. The following commands help check this:
0x2: TX power
Transmit power is a dimension we need to focus on. When we send packets over the wireless link, the protocol stack wraps our data layer by layer until it is finally packaged into a "data frame". The wireless card then converts the frame into a radio-frequency signal (an electromagnetic pulse), which travels through the feeder (cable) to the antenna and is radiated by the antenna as an electromagnetic wave (compare a wired card, which sends the frame through the Ethernet port onto the cable). The electromagnetic wave is continuously attenuated as it propagates through the medium (air), which is why we cannot receive a Wi-Fi signal that is far away from us. When the wave reaches the receiving end it is picked up by the antenna (only a small part of the power is captured, because the wave spreads out in all directions) and delivered through the feeder to the target wireless receiver. In wireless network engineering, calculating the transmitter's output power and the antenna's radiating ability is therefore very important. TX is short for transmit. The transmit power of a radio wave is the energy within a given frequency band. There are usually two standards:
Converting between the power units mW and dBm
In a "low power" system such as a WLAN device, every dB matters. In particular, remember the "3 dB rule":
Every time the power doubles, the level in dBm rises by 3. There are many tools for measuring the signal strength of an AP or of the local network card.
0x3: antenna support (signal gain, type)
The antenna is very important to the performance of a wireless card, even though it often does not seem so. Where the medium of a wired broadband connection is copper cable or optical fibre, the medium of a wireless network is air, and the antenna is the "connector" between the NIC and the air medium (analogous to the RJ45 "crystal head" plug on a cable).
In a wireless system the antenna converts a current wave into an electromagnetic wave. During this conversion the transmitted and received signals can also be "amplified"; this amplification is called "gain", and antenna gain is measured in dBi. Since the electromagnetic energy radiated by a wireless system comes from the transmitter's output power combined with the antenna's amplification, the radiated power is best expressed in the same unit, decibels. For example, if the transmitter's power is 100 mW (20 dBm) and the antenna gain is 10 dBi, then the total radiated power is:
Note that we may have a preconceived idea of the word "antenna", such as the metal rod on the radios we saw as children. Physically, "antenna" is an abstract concept covering any device that can collect, amplify and radiate electromagnetic signals. We can understand it as follows:
Antennas can be roughly divided into two types:
0x4: sensitivity
Sensitivity is another dimension to pay attention to. The concept is familiar from ammeters: the sensitivity of the instrument tells how small a current it can "sense". For a wireless card, sensitivity determines how weak a signal the card can still receive, that is, how far away an AP can be and still be heard. This matters a great deal when hacking, because it means you can launch a wireless attack from a greater distance from the target.
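The arithmetic behind the dBm conversions, the 3 dB rule, the 100 mW + 10 dBi case above and the attenuation/sensitivity trade-off, as an added example that is not part of the original post; the free-space path-loss (Friis) estimate, the feeder-loss parameter and the -90 dBm sensitivity figure are my own assumptions, not values from the article.

```python
import math

# Added example (not from the original post): power-unit conversions and a
# simple free-space link budget. Real indoor attenuation is far worse than
# free space, so treat the range estimate as an upper bound.

def mw_to_dbm(mw: float) -> float:
    """Power in milliwatts -> dBm (0 dBm is 1 mW)."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(mw)

def dbm_to_mw(dbm: float) -> float:
    """dBm -> milliwatts."""
    return 10.0 ** (dbm / 10.0)

def eirp_dbm(tx_power_mw: float, antenna_gain_dbi: float, feeder_loss_db: float = 0.0) -> float:
    """Radiated power: transmitter output in dBm plus antenna gain, minus cable loss."""
    return mw_to_dbm(tx_power_mw) + antenna_gain_dbi - feeder_loss_db

def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss for a distance in metres and a frequency in MHz."""
    return 20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_mhz) - 27.55

def rx_power_dbm(tx_power_mw, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz):
    """Signal level at the receiver input in free space."""
    return eirp_dbm(tx_power_mw, tx_gain_dbi) - fspl_db(distance_m, freq_mhz) + rx_gain_dbi

def max_range_m(tx_power_mw, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm, freq_mhz):
    """Largest free-space distance at which the received level still meets the sensitivity floor."""
    budget = eirp_dbm(tx_power_mw, tx_gain_dbi) + rx_gain_dbi - rx_sensitivity_dbm
    # invert fspl_db: 20 log10(d) = budget - 20 log10(f) + 27.55
    return 10.0 ** ((budget - 20.0 * math.log10(freq_mhz) + 27.55) / 20.0)

if __name__ == "__main__":
    print(f"100 mW = {mw_to_dbm(100):.1f} dBm; doubling adds {mw_to_dbm(200) - mw_to_dbm(100):.2f} dB")
    p = eirp_dbm(100, 10)
    print(f"100 mW + 10 dBi antenna -> {p:.0f} dBm = {dbm_to_mw(p):.0f} mW")
    # assumed figures: 2 dBi receive antenna, -90 dBm receiver sensitivity, channel 6
    print(f"free-space range at 2437 MHz: {max_range_m(100, 10, 2, -90, 2437):.0f} m")
```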
0x5: frequency range
The frequency here refers to the operating band of the wireless card. Under IEEE 802.11, wireless signals operate in the following bands:
Frequency itself only denotes the number of oscillations per second of the electromagnetic wave and has no other significance. The 2.4 GHz and 4.9/5.8 GHz bands offer the same transmission speed and do not interfere with each other. Note that "no interference" also means that a device operating in 2.4 GHz mode cannot receive packets sent at 5 GHz. Likewise, the mainstream wireless cards and accessories sold on the market are 2.4 GHz, while 5 GHz devices are common in foreign shops but relatively expensive. So, to some extent, switching the operating band to 5 GHz is one way to counter wireless sniffing attacks.
0x6: working channel (whether frequency hopping is supported)
Wi-Fi has a total of 14 channels (IEEE standard; national regulations differ):
Channel allocation in other countries:
0x7: supported modes
At present, the main working modes of a wireless card are as follows:
The working modes of the 802.11 family were listed at the beginning of this article.
When selecting a card it is important to check its working modes clearly, because a mode negotiation takes place when connecting to and interacting with an AP:
Only when both the client and the AP support a given working mode can the two sides proceed with the connection.
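A check of what the driver actually advertises, as an added example that is not part of the original post: it parses a constructed fragment written in the shape of `iw list` output to confirm monitor mode, the enabled channels and their TX power limits, and cross-checks each channel against the 2.4 GHz centre-frequency rule. IW_LIST_SAMPLE, channel_center_mhz, parse_iw_list, can_monitor and usable_channels are all names of my own.

```python
import re

# Added example (not from the original post). IW_LIST_SAMPLE is a constructed
# fragment in the shape of `iw list` output (indentation is whitespace-
# insensitive here), trimmed to what matters when choosing a card.
IW_LIST_SAMPLE = """\
Wiphy phy0
    Band 1:
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2437 MHz [6] (20.0 dBm)
            * 2462 MHz [11] (20.0 dBm)
            * 2472 MHz [13] (disabled)
            * 2484 MHz [14] (disabled)
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * monitor
    software interface modes (can always be added):
         * AP/VLAN
"""

FREQ_RE = re.compile(r"\*\s+(\d+) MHz \[(\d+)\] \(([^)]*)\)")

def channel_center_mhz(channel: int) -> int:
    """2.4 GHz centre frequency: 5 MHz steps from 2407 MHz; channel 14 is the outlier."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError("not a 2.4 GHz channel")

def parse_iw_list(text: str) -> dict:
    """Return {'modes': [...], 'channels': {ch: tx_limit_dbm or None if disabled}}."""
    modes, channels, in_modes = [], {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Supported interface modes:":
            in_modes = True
            continue
        if in_modes:
            if stripped.startswith("* "):
                modes.append(stripped[2:])
                continue
            in_modes = False  # the block ends at the first non-bullet line
        m = FREQ_RE.search(line)
        if m:
            freq, ch, status = int(m.group(1)), int(m.group(2)), m.group(3)
            assert freq == channel_center_mhz(ch)  # sanity-check the formula against the driver
            channels[ch] = None if status.startswith("disabled") else float(status.split()[0])
    return {"modes": modes, "channels": channels}

def can_monitor(text: str) -> bool:
    """True if the driver exposes monitor mode, the prerequisite for sniffing."""
    return "monitor" in parse_iw_list(text)["modes"]

def usable_channels(text: str) -> list:
    """Channels the regulatory domain lets this card use."""
    return sorted(ch for ch, dbm in parse_iw_list(text)["channels"].items() if dbm is not None)
```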
0x8: whether a USB interface is supported
Does the wireless card have a USB interface for connecting as a peripheral?
0x9: price
For choosing a wireless card, refer to the following link:
2. The first step of a wireless attack: "network AP detection" and the use of scanners
Having covered the selection of a wireless card, we have done the groundwork for wireless security research. Next we take the first step, which is also the first problem we face: how to find our target, namely "network AP detection (service discovery)". To achieve this we need a scanner.
As we said before, wireless security software basically needs to provide the following functions:
Next, let's look at the software and at how it works to accomplish these goals.
0x1: packet sniffing
Packet-sniffing software monitors the wireless packets on a given "channel" and does not send packets of its own; instead it puts the card in monitor mode and listens to every packet on the channel. Setting a wireless card to monitor mode is similar to setting an ordinary wired Ethernet card to promiscuous mode: in both cases you see all packets passing over the "cable" (or channel). The key differences between them are:
How packet-sniffing scanners work
Using Kismet for wireless sniffing
Kismet is not only a scanning tool but also a framework for capturing and analysing 802.11 packets (packets captured by Kismet can be dumped for use by other analysis frameworks). It consists of three parts:
Type kismet under BT5, and Kismet will automatically detect a suitable source card.
Press "s" in the menu bar to sort the APs, and click a specific SSID to view its details:
0x2: packet injection
Google turns up many "WEP password cracking", "WPA" and "WPA2 password cracking" guides, as well as many automation tools (such as WiFi, Fern WiFi Cracker). The principle behind all of them is packet injection.
Using the airodump-ng family of tools (part of the aircrack-ng suite) to inject wireless packets and crack passwords
Note that WEP cracking injects data frames, whereas WPA cracking injects management frames. I summarise the IEEE 802.11 frame format in another article.
0x3: service discovery: actively sending probe packets
To counter wireless sniffing to some extent, many wireless APs adopt configurations such as:
Against this kind of defence, scanners adopt corresponding techniques to obtain the hidden SSID:
3. Postscript
There are many directions for wireless security research. Google has many exciting articles on password cracking and tool usage. Beyond that, I think wireless security can be combined with traditional intranet security issues, such as: