Table Of Content397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page i
Visit us at
w w w . s y n g r e s s . c o m
Syngress is committed to publishing high-quality books for IT Professionals and
delivering those books in media and formats that fit the demands of our cus-
tomers. We are also committed to extending the utility of the book you purchase
via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can
access our solutions@syngress.com Web pages. There you will find an assortment
of value-added features such as free e-booklets related to the topic of this book,
URLs of related Web site, FAQs from the book, corrections, and any updates from
the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of
some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect
way to extend your reference library on key topics pertaining to your area of exper-
tise, including Cisco Engineering, Microsoft Windows System Administration,
CyberCrime Investigation, Open Source Security, and Firewall Configuration, to
name a few.
DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in download-
able Adobe PDF form. These eBooks are often available weeks before hard copies,
and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt
books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers
in corporations, educational institutions, and large organizations. Contact us at
sales@syngress.com for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress
books, as well as their own content, into a single volume for their own internal use.
Contact us at sales@syngress.com for more information.
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page iii
4 FREE BOOKLETS
YOUR SOLUTIONS MEMBERSHIP
How to Cheat at
Securing a
Wireless
Network
Chris Hurley
Brian Baker
Christian Barnes
Tony Bautts
Darren Bonawitz
Randy Hiser
Jan Kanclirz Jr.
Andy McCullough
Jeffrey A. Wheat
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page iv
Syngress Publishing,Inc.,the author(s),and any person or firm involved in the writing,editing,or produc-
tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind,expressed or implied,regarding the Work or its contents.The Work is
sold AS IS and WITHOUT WARRANTY.You may have other legal rights,which vary from state to
state.
In no event will Makers be liable to you for damages,including any loss of profits,lost savings,or other
incidental or consequential damages arising out from the Work or its contents.Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages,the above limitation
may not apply to you.
You should always use reasonable care,including backup and other appropriate precautions,when working
with computers,networks,data,and files.
Syngress Media®,Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author
UPDATE®,”and “Hack Proofing®,”are registered trademarks of Syngress Publishing,Inc.“Syngress:The
Definition of a Serious Security Library”™,“Mission Critical™,”and “The Only Way to Stop a Hacker is
to Think Like One™”are trademarks of Syngress Publishing,Inc.Brands and product names mentioned
in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 HJPOOLL783
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing,Inc.
800 Hingham Street
Rockland,MA 02370
How to Cheat at Securing a Wireless Network
Copyright © 2006 by Syngress Publishing,Inc.All rights reserved.Except as permitted under the
Copyright Act of 1976,no part of this publication may be reproduced or distributed in any form or by
any means,or stored in a database or retrieval system,without the prior written permission of the pub-
lisher,with the exception that the program listings may be entered,stored,and executed in a computer
system,but they may not be reproduced for publication.
1 2 3 4 5 6 7 8 9 0
ISBN:1597490873
Publisher:Andrew Williams Page Layout and Art:Patricia Lupien
Acquisitions Editor:Erin Heffernan Copy Editor:Darlene Bordwell
Technical Editor:Chris Hurley Indexer:Nara Wood
Cover Designer:Michael Kavish
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page v
Acknowledgments
Syngress would like to acknowledge the following people for their kindness and sup-
port in making this book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly
Media,Inc.The enthusiasm and work ethic at O’Reilly are incredible,and we would
like to thank everyone there for their time and efforts to bring Syngress books to
market:Tim O’Reilly,Laura Baldwin,Mark Brokering,Mike Leonard,Donna Selenko,
Bonnie Sheehan,Cindy Davis,Grant Kikkert,Opol Matsutaro,Steve Hazelwood,Mark
Wilson,Rick Brown,Tim Hinton,Kyle Hart,Sara Winge,Peter Pardo,Leslie Crandell,
Regina Aggio Wilkinson,Pascal Honscher,Preston Paull,Susan Thompson,Bruce
Stewart,Laura Schmier,Sue Willing,Mark Jacobsen,Betsy Waliszewski,Kathryn
Barrett,John Chodacki,Rob Bullington,Kerry Beck,Karen Montgomery,and Patrick
Dirden.
The incredibly hardworking team at Elsevier Science,including Jonathan Bunkell,Ian
Seager,Duncan Enright,David Burton,Rosanna Ramacciotti,Robert Fairbrother,
Miguel Sanchez,Klaus Beran,Emma Wyatt,Krista Leppiko,Marcel Koppes,Judy
Chappell,Radek Janousek,Rosie Moss,David Lockley,Nicola Haden,Bill Kennedy,
Martina Morris,Kai Wuerfl-Davidek,Christiane Leipersberger,Yvonne Grueneklee,
Nadia Balavoine,and Chris Reinders for making certain that our vision remains
worldwide in scope.
David Buckland,Marie Chieng,Lucy Chong,Leslie Lim,Audrey Gan,Pang Ai Hua,
Joseph Chan,June Lim,and Siti Zuraidah Ahmad of Pansing Distributors for the
enthusiasm with which they receive our books.
David Scott,Tricia Wilden, Marilla Burgess,Annette Scott,Andrew Swaffer, Stephen
O’Donoghue,Bec Lowe,Mark Langley,and Anyo Geddes of Woodslane for distributing
our books throughout Australia,New Zealand,Papua New Guinea,Fiji,Tonga,Solomon
Islands,and the Cook Islands.
v
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page vi
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page vii
Technical Editor
and Contributor
Chris Hurley (Roamer) is a Senior Penetration Tester working in the
Washington,DC area.He is the founder of the WorldWide WarDrive,a
four-year effort by INFOSEC professionals and hobbyists to generate
awareness of the insecurities associated with wireless networks and is the
lead organizer of the DEF CON WarDriving Contest.
Although he primarily focuses on penetration testing these days,
Chris also has extensive experience performing vulnerability assessments,
forensics,and incident response.Chris has spoken at several security con-
ferences and published numerous whitepapers on a wide range of
INFOSEC topics.Chris is the lead author of WarDriving:Drive,Detect,
Defend,and a contributor to Aggressive Network Self-Defense,InfoSec Career
Hacking,OS X for Hackers at Heart,and Stealing the Network:How to Own
an Identity.Chris holds a bachelor’s degree in computer science.He lives
in Maryland with his wife Jennifer and their daughter Ashley.
Contributing Authors
Brian Baker is a computer security penetration tester for the U.S.gov-
ernment,located in the Washington,D.C.,area.Brian has worked in
almost every aspect of computing,from server administration to network
infrastructure support and now security.Brian has been focusing his work
on wireless technologies and current security technologies.
vii
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page viii
I’d like to thank my wife,Yancy,and children,Preston,Patrick,
Ashly,Blake and Zakary.A quick shout out to the GTN lab dudes,Chris,
Mike,and Dan.
Chapter 2 is dedicated to my mother,Harriet Ann Baker,for the
love,dedication,and inspiration she gave her three kids,raising us as a
single parent.Rest in peace,and we’ll see you soon...
Christian Barnes (CCNA,CCDA,MCSE,CNA,A+) is a Network
Consultant for Lucent Technologies in Overland Park,KS.His career in
the IT industry began with supporting NT and NetWare servers and NT
workstations for a large banking company in Western New York.It
quickly evolved into support of high-level engineers and LAN and WAN
administrators as they attempted to troubleshoot and design their net-
works,and then on to consulting.Chris has a wife and four sons.
Tony Bautts is a Senior Security Consultant with Astech Consulting.He
currently provides security advice and architecture for clients in the San
Francisco Bay area.His specialties include intrusion detection systems,fire-
wall design and integration,post-intrusion forensics,bastion hosting,and
secure infrastructure design.Tony’s security experience has led him to
work with Fortune 500 companies in the United States as well as two
years of security consulting in Japan.He is also involved with the
BerkeleyWireless.net project,which is working to build neighborhood
wireless networks for residents of Berkeley,CA.
Darren Bonawitz is a Network Systems Engineer with Lucent
Worldwide Service.Darren started his career pursuing entrepreneurial
endeavors in electronic commerce.In January 2001,he joined Lucent
Worldwide Service as a Network Systems Engineer,bringing his knowl-
edge of the desktop platform and a general understanding of a broad range
of technologies in areas such as remote access,ATM,frame relay,and wire-
less.In addition,his background includes consulting with universities and
corporate clients on a pre- and post-sales basis,business/technology plan-
ning,and a proven dedication to customer service.He studied Electrical
viii
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page ix
Engineering with an emphasis in Communication Systems at Kansas State
University.In 2000,Darren was nominated for Kansas Young Entrepreneur
of the Year,and he was also recently recognized by The Los Angeles Times
for commitment to online customer service.
Anthony Bruno (CCIE #2738,CCDP,CCNA-WAN,MCSE,NNCSS,
CNX-Ethernet) is a Principal Consultant with Lucent Worldwide
Services.As a consultant,he has worked with many customers in the
design,implementation,and optimization of large-scale,multiprotocol net-
works.Anthony has worked on the design of wireless networks,voice over
technologies,and Internet access.Formerly,he worked as an Air Force
Captain in network operations and management.While in this role,he
implemented wireless LANs on the base network.Anthony received his
master’s degree in Electrical Engineering from the University of Missouri-
Rolla in 1994 and his B.S.in Electrical Engineering from the University
of Puerto Rico-Mayaguez in 1990.He is the coauthor of CCDA Exam
Certification Guide and has performed technical reviews for several Cisco
professional books.
Dan Connelly (MSIA,GSNA) is a Senior Penetration Tester for a
Federal Agency in the Washington,D.C.,area.He has a wide range of
information technology experience,including Web applications and
database development,system administration,and network engineering.
For the last five years he has been dedicated to the information security
industry,providing penetration testing,wireless audits,vulnerability assess-
ments,and network security engineering for many federal agencies.Dan
holds a Bachelor of Science degree in Information Systems from Radford
University and a Master of Science degree in Information Assurance from
Norwich University.
I would like to thank Chris Hurley,Mike Petruzzi,Brian Baker,and
everyone at GTN and CMH for creating such an enjoyable work environment.
Thanks to everyone at ERG for letting me do what I love to do and still paying
me for it.
I would also like to thank my mom and dad for their unconditional sup-
port,wisdom,and guidance;my brother for his positive influence;and my sister for
ix
397_HTC_Wireless_FM.qxd 6/30/06 9:40 AM Page x
always being there.I would particularly like to thank my beautiful wife,Alecia,for
all her love and support throughout the years and for blessing our family with our
son,Matthew Joseph.He is truly a gift from God and I couldn’t imagine life
without him.
Chuck Fite is a Consultant currently working for Iconixx Systems
Engineering on Sprint ION.He has been a technical writer,a test techni-
cian,and a business analyst in the computer and telecommunications
industries for the past eight years.Chuck received a B.S.in Physics and an
M.A.in Rhetoric and Professional Communication from Iowa State
University.
Randy Hiser is a Senior Network Engineer for Sprint’s Research,
Architecture & Design Group,with design responsibilities for home distri-
bution and DSL self-installation services for Sprint’s Integrated On
Demand Network.He is knowledgeable in the areas of multimedia ser-
vices and emerging technologies,has installed and operated fixed wireless
MMDS facilities in the Middle East,and has patented network communi-
cation device identification in a communications network for Sprint.
Randy lives in Overland Park,KS,with his wife,Deborah,and their chil-
dren,Erin,Ryan,Megan,Jesse,and Emily.
Jan Kanclirz Jr. (CCIE #12136-Security,CCSP,CCNP,CCIP,CCNA,
CCDA,INFOSEC Professional) is a Senior Network Information
Security Engineer working for IBM Global Services.Currently,he is
responsible for strategic and technical evolution of a large multicus-
tomer/multidata center networks and their security environment.Jan spe-
cializes in multivendor,hands-on implementations and architectures of
network technologies such as routers,switches,firewalls,intrusion sensors,
content networking,and wireless networks.Beyond network design and
engineering,Jan’s background includes extensive experience with Linux
and BSD administration and security implementations.
x