#hack FAQ Home | Computers | Data Networks | Wireless Networks | Telephony | Mobile Telephony
Radio | Television | Resources | 2600 | Smart Cards and Magnetic Cards | Miscellaneous

Section C -- Wireless Networks


C-01. What kinds of wireless data networks are there?

Wireless data networks exist in such number and variety as to be difficult to categorize and compare.

Some wireless data networks run over wireless voice networks, such as mobile telephone networks. CDPD, HSCSD, PDC-P, and GPRS are examples. Other wireless networks run on their own physical layer networks, utilizing anything from antennas built into handheld devices to large antennas mounted on towers. 802.11, LMDS, and MMDS are examples. A few wireless networks are intended only to connect small devices over short distances. Bluetooth is an example.

Wireless networks that run over other wireless networks often rely on the lower layer network to provide security and encryption. Stand-alone wireless networks either provide their own security and encryption features or rely upon VPNs (Virtual Private Networks) to provide those features. In many cases, multiple layers of security and encryption may be desirable, since a weakness in any one layer (a short key, a flawed integrity check, a shared secret that leaks) is then not the whole story.

Some wireless networks are fixed, meaning that antennas do not move frequently. Other wireless networks are mobile, meaning that the antenna can move constantly. This is often a feature of the specific implementation and antenna design, instead of an inherent limitation of the wireless network specification.

Wireless networks may operate on licensed or unlicensed portions of the frequency spectrum.

CDPD        Cellular Digital Packet Data
HSCSD       High Speed Circuit Switched Data
PDC-P       Packet Data Cellular
GPRS        General Packet Radio Service
Bluetooth
IrDA
LMDS        Local Multipoint Distribution Service
MMDS        Multichannel Multipoint Distribution Service
802.11

C-02. What is CDPD (Cellular Digital Packet Data)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Packet (a circuit-switched variant, CS-CDPD, does exist)
Max Bandwidth:   19.2 Kb/s
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    Cellular
Definer:         CTIA (Cellular Telecommunications and Internet Association)
URL:             http://www.wow-com.com/

CDPD (Cellular Digital Packet Data) is a specification for supporting wireless access to the Internet and other public packet-switched networks over cellular telephone networks. CDPD supports TCP/IP and Connectionless Network Protocol (CLNP). CDPD utilizes RSA's RC4 algorithm with 40-bit keys for encryption. A 40-bit key space (2^40 keys) is small enough to search exhaustively on ordinary hardware, so CDPD encryption should be regarded as protection against casual eavesdropping only.


C-03. What is HSCSD (High Speed Circuit Switched Data)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Circuit
Max Bandwidth:   57.6 Kb/s
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    GSM
Definer:         ETSI (European Telecommunications Standards Institute)
URL:             http://www.etsi.org/

HSCSD (High Speed Circuit Switched Data) is a specification for data transfer over GSM networks. HSCSD utilizes up to four 9.6 Kb/s or 14.4 Kb/s time slots, for a total bandwidth of 38.4 Kb/s or 57.6 Kb/s. 14.4 Kb/s time slots are only available on GSM networks that operate at 1,800 MHz; 900 MHz GSM networks are limited to 9.6 Kb/s time slots.

EDGE (Enhanced Data-Rates for GSM Evolution) enabled GSM networks are able to implement ECSD (Enhanced Circuit Switched Data), an enhanced version of HSCSD. ECSD increases the bandwidth of each timeslot to 38.4 Kb/s.


C-04. What is PDC-P (Packet Data Cellular)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Packet
Max Bandwidth:   28.8 Kb/s
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    NTT DoCoMo i-mode
Definer:         NTT DoCoMo
URL:             http://www.nttdocomo.com/

PDC-P (Packet Data Cellular) is a packet-switched messaging system utilized by NTT DoCoMo in Japan. PDC-P utilizes up to three 9.6 Kb/s TDMA channels, for a total maximum bandwidth of 28.8 Kb/s.


C-05. What is GPRS (General Packet Radio Service)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Packet
Max Bandwidth:   107.2 Kb/s
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    TDMA, GSM
Definer:         ETSI (European Telecommunications Standards Institute)
URL:             http://www.etsi.org/

GPRS (General Packet Radio Service) is a specification for data transfer on TDMA and GSM networks. GPRS utilizes up to eight 9.05 Kb/s or 13.4 Kb/s TDMA timeslots, for a total bandwidth of 72.4 Kb/s or 107.2 Kb/s. GPRS supports both TCP/IP and X.25 communications.

EDGE (Enhanced Data-Rates for GSM Evolution) enabled GSM networks are able to implement EGPRS (Enhanced General Packet Radio Service), an enhanced version of GPRS. EGPRS increases the bandwidth of each timeslot to 60 Kb/s.

For more information on GPRS security, read GSM and GPRS Security by Chengyuan Pen.


C-06. What is Bluetooth?

Fixed/Mobile:    Mobile
Circuit/Packet:  Point to Point
Max Bandwidth:   1 Mb/s
Range:           10 meters
Frequency:       2.400 GHz-2.4835 GHz (U.S. and Europe) or 2.472 GHz-2.497 GHz (Japan)
Host Network:    None
Definer:         Bluetooth SIG
URL:             http://www.bluetooth.org/

Bluetooth is a specification for short distance wireless communication between two devices. Bluetooth is not really a wireless network, in that it does not connect to any external network.


C-07. What is IrDA?

Fixed/Mobile:    Mobile
Circuit/Packet:  Point to Point
Max Bandwidth:   16 Mb/s
Range:           1 meter
Frequency:       Infrared
Host Network:    None
Definer:         The Infrared Data Association
URL:             http://www.irda.org/

IrDA defines a standard for an interoperable, universal, two-way cordless data port using infrared light.

IrDA is utilized for high speed short range, line of sight, point-to-point cordless data transfer - suitable for HPCs, digital cameras, handheld data collection devices, etc...


C-08. What is LMDS (Local Multipoint Distribution Service)?

Fixed/Mobile:    Fixed
Circuit/Packet:  n/a
Max Bandwidth:   1.5 Gb/s downstream, 200 Mb/s upstream
Range:           4 miles
Frequency:       27.5 GHz-28.35 GHz, 29.1 GHz-29.25 GHz, 31.075 GHz-31.225 GHz, 31.0 GHz-31.075 GHz, 31.225 GHz-31.3 GHz
Host Network:    None
Definer:         IEEE (Institute of Electrical and Electronic Engineers)
URL:             http://grouper.ieee.org/groups/802/16/

LMDS (Local Multipoint Distribution Service) is a broadband wireless point-to-multipoint specification utilizing microwave communications. LMDS operates on FCC licensed frequencies. The FCC divided the United States into 493 BTAs (Basic Trading Areas), and auctioned the rights to transmit on the LMDS bands in each of those areas to LMDS service providers. Each BTA is licensed to two LMDS service providers. The LMDS bandplan is available from the FCC at http://wireless.fcc.gov/auctions/data/bandplans/lmds.pdf.


C-09. What is MMDS (Multichannel Multipoint Distribution Service)?

Fixed/Mobile:    Fixed
Circuit/Packet:  n/a
Max Bandwidth:   10 Mb/s
Range:           70 miles
Frequency:       2.5 GHz-2.686 GHz
Host Network:    None
Definer:         IEEE (Institute of Electrical and Electronic Engineers)
URL:             http://grouper.ieee.org/groups/802/16/

MMDS (Multichannel Multipoint Distribution Service) is a broadband wireless point-to-multipoint specification utilizing UHF (Ultra High Frequency) communications. MMDS operates on FCC licensed frequencies. The FCC divided the United States into BTAs (Basic Trading Areas), and auctioned the rights to transmit on the MMDS bands in each of those areas to MMDS service providers. The MMDS bandplan is available from the FCC at http://wireless.fcc.gov/auctions/data/bandplans/mdsband.pdf.


C-10. What is 802.11?

802.11 is a suite of specifications for wireless Ethernet. 802.11 is interesting to hackers because it allows entry into networks from outside the building, with no physical connection to trace.

The 802.11 standards are defined by the IEEE (Institute of Electrical and Electronic Engineers) at http://grouper.ieee.org/groups/802/11/.

Standard   Speed     Frequency   Modulation
802.11     2 Mb/s    2.4 GHz     Phase-Shift Keying
802.11a    54 Mb/s   5 GHz       Orthogonal Frequency Division Multiplexing
802.11b    11 Mb/s   2.4 GHz     Complementary Code Keying
802.11g    54 Mb/s   2.4 GHz     Orthogonal Frequency Division Multiplexing


C-11. What is a SSID?

The SSID (Service Set IDentifier) is a token which identifies an 802.11 network. The SSID is set by the network administrator, and a NIC must present the correct SSID to join the network. It is often treated as a shared secret, but it is not one: the SSID is sent in the clear in beacon, probe response, and association frames, so anyone sniffing the channel can discover it. Suppressing the SSID in beacons ("hiding" the network) does not help, because the access point still sends it in the clear in probe responses and clients still send it in association requests.

Treating the SSID as a secret also creates a management problem for the network administrator. Every user of the network must configure the SSID into their system. If the network administrator seeks to lock a user out of the network, the administrator must change the SSID of the network, which requires reconfiguration of every network node. Some 802.11 NICs allow you to configure several SSIDs at one time.

Most 802.11 access point vendors allow the use of an SSID of "any" to enable an 802.11 NIC to connect to any 802.11 network. This is known to work with gear from Buffalo Technologies, Cisco, D-Link, Enterasys, Intermec, Lucent, and Proxim.


C-12. What is WEP?

WEP (Wired Equivalent Privacy) is the encryption algorithm built into the 802.11 standard. WEP uses the RC4 stream cipher with 40-bit or 104-bit keys, each combined with a 24-bit IV (initialization vector) that is prepended to the key for every frame; the IV is transmitted unencrypted in the frame header. Integrity is provided by a CRC-32 checksum (the ICV) appended to the plaintext before encryption.

WEP limitations include:

  1. A high percentage of wireless networks have WEP disabled because of the administrative overhead of maintaining a shared WEP key.
  2. WEP has the same problem as all systems based upon shared keys: any secret held by more than one person soon becomes public knowledge. Take for example an employee who leaves a company - they still know the shared WEP key. The ex-employee could sit outside the company with an 802.11 NIC and sniff network traffic or even attack the internal network.
  3. The initialization vector that seeds the WEP algorithm is sent in the clear. With only 24 bits of IV, keystreams repeat on a busy network, and some IVs leak information about the key itself.
  4. The WEP checksum (CRC-32) is linear and predictable. Because RC4 is a stream cipher, an attacker can flip chosen bits of the ciphertext and adjust the encrypted checksum so the frame still verifies, without knowing the key.

For more information, read Security of the WEP Algorithm by Nikita Borisov, Ian Goldberg, and David Wagner at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
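The following is an added example, not code from the #hack FAQ or from the WEP specification, that demonstrates limitations 3 and 4 above: a toy WEP encryptor (RC4 over plaintext plus CRC-32 ICV, IV sent in the clear) and an attacker routine that modifies an encrypted frame and repairs the ICV using CRC-32 linearity, without the key. The key, IV, and payload are constructed for the demonstration; real frames carry more header fields, which are omitted here.

```python
"""Toy WEP frame encryption and a bit-flipping forgery against it.

Added example; not code from the #hack FAQ. The key, IV and payload below are
constructed for the demonstration."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data (encrypt and decrypt are the same op)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV||key, plaintext || ICV). The IV travels in the clear."""
    if len(iv) != 3 or len(key) not in (5, 13):   # 24-bit IV, 40- or 104-bit key
        raise ValueError("bad IV or key length")
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> tuple[bytes, bool]:
    """Decrypt a frame; the bool says whether the ICV checked out."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    plaintext, received_icv = clear[:-4], clear[-4:]
    return plaintext, received_icv == icv(plaintext)


def flip_bits(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Attacker side: no key needed.

    XOR `delta` into the plaintext at `offset` by XORing it into the ciphertext
    (RC4 is a stream cipher), then fix the encrypted ICV using CRC-32 linearity:
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length).
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4                       # plaintext length (body minus ICV)
    d = bytearray(n)
    d[offset:offset + len(delta)] = delta
    icv_delta = zlib.crc32(bytes(d)) ^ zlib.crc32(bytes(n))
    mask = bytes(d) + struct.pack("<I", icv_delta & 0xFFFFFFFF)
    return iv + bytes(c ^ m for c, m in zip(body, mask))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> tuple[bytes, bool, bool]:
    """Forge 'PAY bobby 100' from an encrypted 'PAY alice 100' without the key."""
    key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit WEP key
    iv = b"\x11\x22\x33"                 # constructed IV
    frame = wep_encrypt(key, iv, b"PAY alice 100")
    # The attacker knows (or guesses) the plaintext at offset 4 and wants it changed.
    forged = flip_bits(frame, 4, xor_bytes(b"alice", b"bobby"))
    plaintext, ok = wep_decrypt(key, forged)
    # The same flip without the ICV fix-up is caught by the receiver.
    naive = frame[:7] + xor_bytes(frame[7:12], xor_bytes(b"alice", b"bobby")) + frame[12:]
    _, naive_ok = wep_decrypt(key, naive)
    return plaintext, ok, naive_ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(b"PAY bobby 100", True, False)`: the forged frame decrypts to the attacker's text and passes the ICV check, while the same modification with the original ICV is rejected. A keyed MAC (as used by WPA's TKIP and CCMP) instead of a CRC is what closes this hole.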


C-13. What is MAC Address Filtering?

Most 802.11 access points allow the network administrator to enter a list of MAC (Media Access Control) addresses that are allowed to communicate on the network. On the other hand, most 802.11 NICs allow you to configure the MAC address of the NIC in software. Therefore, if you can sniff the MAC address of an existing network node (source addresses are never encrypted, even with WEP enabled), it is possible to join the network using that node's MAC address.


C-14. What is a rogue access point?

802.11 uses the SSID (and, when WEP is enabled, the shared key) to admit NICs to an Access Point. There is no corresponding mechanism for a NIC to authenticate the Access Point. It is therefore possible to place a rogue Access Point into an 802.11 network, advertising the same SSID as the legitimate ones. This rogue Access Point can then be used to hijack the connections of legitimate network users.
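An added example, not code from the #hack FAQ, covering C-11, C-13 and C-14 together: a minimal parser for the 802.11 frame header and the SSID information element, run over a handful of hand-constructed frames (not captured traffic; the MAC addresses and SSID are made up). It shows what a passive sniffer learns: the SSID of a "hidden" network from the probe response, a MAC-filter-whitelisted client's address from a data frame, and a second BSSID advertising the same SSID, which is the signature of a rogue access point. The `rogue_aps` check is a simple heuristic assumed here, not a standard mechanism.

```python
"""802.11 management/data frame parsing: what a passive sniffer learns.

Added example for C-11, C-13 and C-14; not code from the #hack FAQ. The frames
below are constructed by hand, not captured, and the MAC addresses are made up."""
from __future__ import annotations
import struct
from dataclasses import dataclass

MGMT, DATA = 0, 2            # frame control "type" field
PROBE_RESP, BEACON = 5, 8    # management subtypes
SSID_IE = 0                  # information element id for the SSID
CAP_PRIVACY = 0x0010         # capability bit: WEP required


@dataclass
class FrameInfo:
    ftype: int
    subtype: int
    to_ds: bool
    from_ds: bool
    addr1: str
    addr2: str
    addr3: str
    ssid: bytes | None = None    # None if the frame carries no SSID element
    privacy: bool | None = None  # None for frames without a capability field


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> FrameInfo:
    """Parse the 24-byte header and, for beacons/probe responses, the SSID IE."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, flags = frame[0], frame[1]
    info = FrameInfo(
        ftype=(fc >> 2) & 0x3, subtype=(fc >> 4) & 0xF,
        to_ds=bool(flags & 0x01), from_ds=bool(flags & 0x02),
        addr1=mac_str(frame[4:10]), addr2=mac_str(frame[10:16]),
        addr3=mac_str(frame[16:22]),
    )
    if info.ftype == MGMT and info.subtype in (BEACON, PROBE_RESP):
        body = frame[24:]
        if len(body) < 12:
            raise ValueError("truncated management body")
        capability = struct.unpack_from("<H", body, 10)[0]  # after timestamp(8)+interval(2)
        info.privacy = bool(capability & CAP_PRIVACY)
        pos = 12
        while pos + 2 <= len(body):                          # walk the tagged parameters
            ie_id, ie_len = body[pos], body[pos + 1]
            value = body[pos + 2:pos + 2 + ie_len]
            if len(value) != ie_len:
                raise ValueError("truncated information element")
            if ie_id == SSID_IE:
                info.ssid = value                            # b"" means "hidden"
            pos += 2 + ie_len
    return info


def discover(frames: list[bytes]) -> dict[str, dict]:
    """Build a per-BSSID picture (SSID, WEP on/off, client MACs) from sniffed frames."""
    nets: dict[str, dict] = {}

    def net(bssid: str) -> dict:
        return nets.setdefault(bssid, {"ssid": None, "privacy": None, "clients": set()})

    for raw in frames:
        fi = parse_frame(raw)
        if fi.ftype == MGMT and fi.subtype in (BEACON, PROBE_RESP):
            n = net(fi.addr3)                 # addr3 is the BSSID in management frames
            n["privacy"] = fi.privacy
            if fi.ssid:                       # hidden beacons are empty; probe responses are not
                n["ssid"] = fi.ssid.decode("utf-8", "replace")
        elif fi.ftype == DATA and fi.to_ds and not fi.from_ds:
            net(fi.addr1)["clients"].add(fi.addr2)   # client -> AP: addr2 is the client MAC
    return nets


def rogue_aps(nets: dict[str, dict], known_bssids: set[str]) -> set[str]:
    """Heuristic: BSSIDs advertising one of our SSIDs that are not on our list of APs."""
    our_ssids = {n["ssid"] for b, n in nets.items() if b in known_bssids and n["ssid"]}
    return {b for b, n in nets.items() if b not in known_bssids and n["ssid"] in our_ssids}


def build_mgmt(subtype: int, bssid: bytes, dst: bytes, ssid: bytes, privacy: bool) -> bytes:
    """Constructed beacon/probe response: header, fixed fields, SSID + rates IEs."""
    fc = bytes([(MGMT << 2) | (subtype << 4), 0x00])
    header = fc + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00"   # duration, DA, SA, BSSID, seq
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)           # ESS bit, optional privacy
    fixed = struct.pack("<QHH", 0, 100, capability)                 # timestamp, interval, cap
    ies = bytes([SSID_IE, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID, supported rates
    return header + fixed + ies


def build_data(src: bytes, bssid: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed client->AP data frame; flags: to-DS, protected (WEP)."""
    fc = bytes([DATA << 2, 0x01 | 0x40])
    return fc + b"\x00\x00" + bssid + src + dst + b"\x00\x00" + payload


AP = bytes.fromhex("000c41000001")       # constructed: the legitimate AP
ROGUE = bytes.fromhex("00026f000002")    # constructed: an attacker's AP
CLIENT = bytes.fromhex("00022daabbcc")   # constructed: a MAC-filter-whitelisted client
BCAST = b"\xff" * 6

SAMPLE_FRAMES = [
    build_mgmt(BEACON, AP, BCAST, b"", privacy=True),              # "hidden" SSID beacon
    build_mgmt(PROBE_RESP, AP, CLIENT, b"corpnet", privacy=True),  # reveals the name anyway
    build_data(CLIENT, AP, BCAST, b"\x00" * 8),                    # client MAC in the clear
    build_mgmt(BEACON, ROGUE, BCAST, b"corpnet", privacy=False),   # rogue AP, same SSID
]

if __name__ == "__main__":
    found = discover(SAMPLE_FRAMES)
    print(found)
    print("rogue:", rogue_aps(found, {mac_str(AP)}))
```

Running it on the sample frames reports the hidden network's SSID (`corpnet`), that it requires WEP, the whitelisted client's MAC (ready to be cloned against a MAC filter), and flags the second BSSID as a rogue. Real captures need monitor mode and radiotap/PRISM header stripping first; the parser above starts at the 802.11 header.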


C-15. Where can I get some really cool 802.11 antennae?

Antenna Systems and Supplies Inc.
http://www.antennasystems.com/broadband.html#anchor932487

Andrew
http://www.andrew.com

ComTelCo
http://www.comtelco.net/

HyperLink Technologies, Inc.
http://www.hyperlinktech.com/web/antennas_2400.html

Use a Surplus Primestar Dish as an IEEE 802.11 Wireless Networking Antenna
http://www.wwc.edu/~frohro/Airport/Primestar/Primestar.html

2.4Ghz PtMP Antenna FAQ
http://www.telexwireless.com/wlanfaq.htm

LM Electronics
http://www.lm-electronics.com/

Antenna Sources for Wireless LAN/MAN Applications
http://www.airnet.am/wlan_ant.html


C-16. What are some interesting 802.11 tools?

AirSnort

AirSnort, by Jeremy Bruestle and Blake Hegerle, is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

The AirSnort home page is at http://airsnort.shmoo.com

Kismet

Kismet, by Mike Kershaw, is an 802.11b network sniffer and network dissector. It is capable of sniffing using most wireless cards, automatic network IP block detection via UDP, ARP, and DHCP packets, Cisco equipment lists via Cisco Discovery Protocol, weak cryptographic packet logging, and Ethereal and tcpdump compatible packet dump files. It also includes the ability to plot detected networks and estimated network ranges on downloaded maps or user supplied image files.

The Kismet home page is at http://www.kismetwireless.net

Wellenreiter

Wellenreiter, by Max Moser, is a GTK/Perl program that makes the discovery and auditing of 802.11b wireless networks much easier. All three major wireless cards (Prism2, Lucent, and Cisco) are supported. It has an embedded statistics engine for the common parameters provided by wireless drivers. Its scanner window can be used to discover access points, networks, and ad-hoc cards. It detects ESSID broadcasting or non-broadcasting networks in every channel. The manufacturer and WEP status are automatically detected. A flexible sound event configuration lets you work in unattended environments. An Ethereal / tcpdump-compatible dumpfile can be created for the whole session. GPS is used to track the location of the discovered networks immediately. Automatic association is possible with randomly generated MAC addresses. Wellenreiter can reside on low-resolution devices that can run GTK/Perl and Linux/BSD (such as iPaqs). An ESSID brute-forcer is now included too.

The Wellenreiter home page is at http://www.remote-exploit.org/

BSD AirTools

bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a BSD-based WEP cracking application, called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based AP detection application similar to NetStumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned APs and view statistics for each. It also includes a couple of other tools to provide a complete toolset for making use of all 14 of the Prism2 debug modes as well as doing basic analysis of the hardware-based link-layer protocols provided by Prism2's monitor debug mode.

The BSD-AirTools home page is at http://www.dachb0den.com/projects/bsd-airtools.html

NetStumbler

NetStumbler, by Marius Milner, is a Windows utility for 802.11b based wireless network auditing.

The NetStumbler home page is at http://www.netstumbler.com/


C-17. What is SMS (Short Message Service)?

SMS (Short Message Service) is a protocol for sending and receiving text messages over digital cellular networks, including TDMA, CDMA, and GSM networks. SMS messages are limited to 160 characters.

SMS is vulnerable to DoS (Denial of Service) and identity spoofing attacks: the sender address of a message is not authenticated, and a handset can be flooded with messages.


C-18. What is WAP (Wireless Application Protocol)?

WAP (Wireless Application Protocol) is an open specification for displaying content on wireless devices. WAP supports XHTML for message format. WAP supports WTLS (Wireless Transport Layer Security) and PKI (Public Key Infrastructure) for security.

WAP clients exist for platforms as varied as PalmOS, EPOC, Windows CE, FLEXOS, OS/9, and JavaOS. WAP rides over data networks as varied as CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX, ReFLEX, iDEN, TETRA, DECT, DataTAC, Mobitex and GPRS.

Some WAP devices support 128-bit WTLS keys, while other WAP devices do not. Security is therefore difficult for the average user to gauge. Note also that WTLS protects traffic only between the handset and the WAP gateway; the gateway decrypts it before forwarding to the origin server, so end-to-end confidentiality depends on the gateway operator.

For information regarding the security of the WTLS protocol, check Attacks Against the WAP WTLS Protocol by Markku-Juhani Saarinen.



