Common Exploits of Wireless Networks
In general, attacks on wireless networks fall into four basic categories: passive attacks, active attacks, man-in-the middle attacks, and jamming attacks. Lets review what these attacks mean on a wireless network.

Passive Attacks on Wireless Networks

A passive attack occurs when someone listens to or eavesdrops on network traffic. Armed with a wireless network adaptor that supports promiscuous mode, the eavesdropper can capture network traffic for analysis using easily available tools, such as Network Monitor in Microsoft products, or TCPdump in Linux-based products, or AirSnort.

A passive attack on a wireless network may not be malicious in nature. In fact, many in the wardriving community claim their wardriving activities are benign or ?educational? in nature. It is worth noting that wardriving, looking for and detecting wireless traffic, is probably not illegal, even though propagandistic claims to the contrary are often made. Wireless communication takes place on unlicensed public frequencies?any one can use these frequencies. This makes protecting a wireless network from passive attacks more difficult.

Passive attacks are by their very nature difficult to detect. If an administrator is using DHCP on the wireless network (this is not recommended), he or she might notice that an authorized MAC address has acquired an IP address in the DHCP server logs. Then again, he or she might not. Perhaps the administrator notices a suspicious-looking car sporting an antenna out of one of its windows. If the car is parked on private property, the driver could be asked to move or possibly charged with trespassing.

But, the legal response is severely limited. Only if it could be determined the wardriver was actively attempting to crack any encryption used on the network or otherwise interfering or analyzing wireless traffic with malicious intent would he or she be susceptible to being charged with a data-related crime, but this would depend on the country or state in which the activity took place.

Passive attacks on wireless networks are extremely common, almost to the point of being ubiquitous. Detecting and reporting on wireless networks has become a popular hobby for many wireless wardriving enthusiasts. In fact, this activity is so popular that a new term, ?war plugging?, has emerged to describe the behavior of people who actually wish to advertise both the availability of an AP and the services they offer by configuring their SSIDs with text like, ?Get_food_here?!

Most of these wardriving enthusiasts use a popular freeware program, called Netstumbler, which is available from www.netstumbler.com. The Netstumbler program works primarily with wireless network adaptors that use the Hermes chipset because of its ability to detect multiple APs that are within range and WEP, among other features (a list of supported adaptors is available at the Netstumber web site). The most common card that uses the Hermes chipset for use with Netstumbler is the ORiNOCO gold card. Another advantage of the ORiNOCO card is that it supports the addition of an external antenna, which can greatly extend the range of a wireless network to many orders of magnitude, depending on the antenna. A disadvantage of the Hermes chipset is that it doesn?t support promiscuous mode, so it cannot be used to sniff network traffic. For that purpose, you need a wireless network adaptor that supports the PRISM2 chipset. The majority of wireless network adaptors targeted for the consumer market use this chipset, for example, the Linksys WPC network adaptors. Sophisticated wardrivers will arm themselves with both types of cards, one for discovering wireless networks and another for capturing the traffic.

In spite of the fact that Netstumbler is free, it is a sophisticated and feature-rich product that is excellent for performing wireless site surveys, whether for legitimate purposes or not. Not only can it provide detailed information on the wireless networks it detects, it can be used in combination with a GPS to provide exact details on the latitude and longitude of the detected wireless networks. Figure 1 below shows the interface of a typical Netstumbler session.

To read the complete article and see the accompanying illustrations see Wireless Attacks Primer on the WindowSecurity.com web site.