The document discusses various tools used in a hacker's toolkit. It describes network scanners like NetStumbler and Kismet that can detect wireless access points, their security settings, and connected devices. The document analyzes these scanners' abilities and limitations. It also mentions the importance of packet sniffers for analyzing network traffic in promiscuous mode and their uses for intrusion detection, information gathering, and monitoring network usage. The author provides examples of using these tools to probe their neighborhood wireless networks, finding an unsecured network they were able to access to control the router.
2. Running head: Hacker Essentials
Hacker Toolkit Essentials
The beginnings of the internet were created in 1960 when a technician from ARPA named J.C.R. Licklider conceived the need for a global network. Eventually this network became known as ARPANET. ARPANET then became NSFNet when they merged into the Defense Communications Agency, an agency within the Department of Defense. This network became known as an “internet”, which is any network that utilizes the protocol TCP/IP. The ARPANET evolved into the “Internet” that we know today. The creation of the Internet spawned a whole new group of elite technology minds that began building it up and, of course, working at ways to exploit this new network. Hacking was born. People began hacking for many reasons, including doing it for the thrill, gaining information for money, and even just getting back at people by destroying their systems. Hacking today has evolved beyond just a select few elite technological geniuses and is now available to everyone with the large number of tools that exist. The types of tools that you can use vary greatly: there are tools to analyze networks, such as network scanners that go out and find networks, packet sniffers that analyze the contents of the packets that carry the bulk of internet traffic, and port scanners that locate the ports that are open on a selected network. Tools like MAC address spoofers allow you to mask the identity of your computer. There are darker programs like brute forcers, dictionary attackers, and encryption crackers that try to break down the defense systems of a target network. You can even use the search engine Google to locate information on a specific network that you are targeting. It is evident that many tools fall into a hacker toolkit. I will explore the different tools for the operating systems Windows and Linux in the following paragraphs.
The first tool that falls into the hacker toolkit is the network scanner. Network scanners are programs that you use to locate networks. The type of scanning I’m going to focus on is scanning done over the wireless technologies 802.11a, b, and g. Anyone with a laptop and a wireless card can scan for all of the wireless access points in the area. Network scanners collect all of the wireless access points they find and compile them into a list with a whole slew of data on each access point. The scanner will determine the SSID of the access point, whether or not the access point is encrypted, which vendor made the access point, and how strong your signal to it is. With all that in mind, network scanners are useful for many different things. One of the primary things that network scanners are used for is wardriving. Wardriving is an activity where people drive around with a wireless-capable laptop and scan for networks all over their neighborhood, city, or even state. When they wardrive they collect useful information like unencrypted access points, which ones are running on factory defaults, and the location where they believe the access point is. Wardriving is useful for both sides of the hacking world, as it can raise awareness of how insecure our networks are and also prove to be a tool for hackers to find targets to hit. Network scanners are also useful for finding rogue access points in the workplace. A while ago I heard a story from a top penetration tester, Chris Hurley, where there was a guy in an airport disguising an access point to look like a legitimate one to collect information from people who were signing up to use the internet in the airport. He was able to collect all sorts of information ranging from names to credit card numbers. Using a network scanner, Chris Hurley was able to locate the access point and inform the authorities of this activity. Finally, you can also use network scanners to calibrate your access point
antennas to provide better signal coverage to certain areas in the office. Network scanners are extremely important in a hacker toolkit.
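As an added illustration (not code from this paper, NetStumbler, or Kismet) of how a defender can use the scanner output described above, the Python below takes a constructed list of scan results with the fields the text mentions (SSID, BSSID, channel, encryption, vendor) and checks them against an inventory of the access points the office actually owns. It flags the cases the paragraph raises: an access point broadcasting the office SSID from a BSSID the office does not own (the airport look-alike case), access points still on a factory-default SSID, and access points with no or weak encryption. The inventory, the default-SSID list, and the record fields are assumptions.

```python
"""Flag suspicious access points in a wireless scan.

Added example; not code from the paper, NetStumbler, or Kismet.
The scan records, the inventory of owned access points, and the list
of factory-default SSIDs are all constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # MAC address of the access point
    channel: int
    encryption: str   # "OPEN", "WEP", "WPA", or "WPA2"
    vendor: str


# Constructed inventory: BSSID -> SSID of the access points the office owns.
AUTHORIZED = {
    "00:0c:41:aa:bb:01": "CorpNet",
    "00:0c:41:aa:bb:02": "CorpNet",
}

# Constructed list of SSIDs that routers ship with out of the box.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}

# Constructed scan export, in the shape a scanner's CSV export would give.
SCAN = [
    AccessPoint("CorpNet", "00:0c:41:aa:bb:01", 6, "WPA2", "Linksys"),
    AccessPoint("CorpNet", "00:0c:41:aa:bb:02", 11, "WPA2", "Linksys"),
    AccessPoint("CorpNet", "00:1f:33:cc:dd:ee", 6, "OPEN", "Unknown"),   # look-alike
    AccessPoint("linksys", "00:0c:41:12:34:56", 6, "OPEN", "Linksys"),   # factory defaults
    AccessPoint("Neighbor", "00:13:10:77:88:99", 1, "WEP", "Linksys"),
]


def classify(ap, authorized=AUTHORIZED):
    """Return the list of findings for one access point (empty if it looks fine)."""
    findings = []
    if ap.ssid in authorized.values() and ap.bssid.lower() not in authorized:
        # Our own SSID is being broadcast from hardware we do not own.
        findings.append("lookalike-ssid")
    if ap.ssid.lower() in DEFAULT_SSIDS:
        findings.append("factory-default-ssid")
    if ap.encryption == "OPEN":
        findings.append("no-encryption")
    elif ap.encryption == "WEP":
        findings.append("weak-encryption")
    return findings


def audit(scan, authorized=AUTHORIZED):
    """Map BSSID -> findings for every scanned access point that has any."""
    report = {}
    for ap in scan:
        findings = classify(ap, authorized)
        if findings:
            report[ap.bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit(SCAN).items():
        print(f"{bssid}: {', '.join(findings)}")
```

The look-alike check is the one that matters most for the airport story: the SSID alone proves nothing, so the comparison is on the BSSID against an inventory you maintain yourself, and a scanner that also reports signal strength lets you walk toward the offending hardware once it is flagged.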
There are a few network scanners that are more popular than others that I’m going to elaborate on further. The two most common ones are NetStumbler for the Windows operating system and Kismet for the Linux operating system. The first one I’m going to focus on is NetStumbler for Windows. NetStumbler is a great program that provides you with a lot of information about networks. NetStumbler is easy to download and configure. After installing it I just chose the network adapter that I would like to use while scanning and then I let it start. It quickly found many wireless access points in my area. There were many more than I had originally thought existed, because the built-in Windows scanner only shows you a few. NetStumbler compiled the list and gave me the SSIDs, channel information, and MAC addresses of all the access points. It told me all of the access points that were encrypted and which encryption they were using, as well as the vendor of many of the access points. The two most common encryption methods were WEP and WPA. I was then able to sort all the information using a variety of sorting features, including vendor type, encryption method, and what channel they were running on. One of the only downfalls of NetStumbler is that it’s very noisy. NetStumbler utilizes “active scanning,” which means that it actively goes out and looks for any access points that it can find. Essentially it just sends packets out and sees which access points send information back to it. This makes a user running NetStumbler very easy for a skilled network administrator to locate, and the traffic itself isn’t hard to find. Despite this shortcoming, very few people would have the skills to find NetStumbler traffic. However, it does mean that the very serious hacker will avoid using NetStumbler. All in
all, NetStumbler is still a great tool for users who want to locate networks using the Windows operating system and should be included in any hacker’s toolkit.
The other network scanner I’m going to talk about is Kismet for Linux. Kismet is arguably the most popular network scanner out there today. I used a Linux boot CD that already had Kismet installed, but it’s very easy to get on the internet by going to Kismet’s website. Initial configuration proved to be difficult, as I don’t have a lot of Linux experience, but I was able to get it running with my network adapter by selecting it in the config file. Kismet does a lot of the same things that NetStumbler does; however, it has a few pros and cons. The con is that since it’s Linux, the GUI wasn’t as friendly as NetStumbler’s. I had some difficulties navigating it at first until I learned what I was doing. The pros, however, definitely outweigh the cons. Kismet, along with doing all of the SSID, encryption, and channel listing, gave me information about which access points were still running their factory defaults. Kismet also gave me the option of finding out which computers were actually connected to the access point instead of just giving me general information about the access point itself. The other advantage of Kismet is that it utilizes “passive scanning,” which is also known as RFMON and promiscuous mode. Kismet will scan for networks, but instead of going out and looking for packets it will accept all packets that it receives and use that information to compile its database. Because Kismet traffic is very difficult to catch, it is the choice of all the serious hackers and wardrivers. Kismet is the perfect program for network scanning. Both NetStumbler and Kismet are completely free to the public via download.
Using both of these programs I probed my neighborhood and found a plethora of unsecured access points. I was surprised to find the number of people that actually don’t
know how to secure their networks from outside intrusions. Anyway, one of my neighbors was unsecured, so I decided to probe around his network for a bit. I got the MAC and IP addresses of the computers in their network and then tested to see if the router was set to factory defaults. Both NetStumbler and Kismet told me that the access point was a Linksys router. I was able to gain access to the router using the password “admin” and I got full control of their access point. I didn’t do anything malicious to their network; however, just knowing that I could have is scary.
Once you find the networks, the next tool that you need in your hacker toolkit is a packet sniffer. Packet sniffers are critical, as the bulk of internet traffic is sent in packets. Packet sniffers allow you to capture all of the packets that propagate over the network with a mode known as promiscuous mode. Promiscuous mode is essential because if you don’t set this mode you will only see traffic that goes in and out of your own computer. Windows doesn’t support promiscuous mode fresh off the install, so you have to download a patch called WinPcap which allows you to run in this mode. Packet sniffers capture and list all of the packets they gather in their entirety. You get information like source and destination IP address, which IP version it’s running, what type of packet it is, and you can often see the purpose behind the packet as well. They are very useful in that they allow you to detect network intrusions, gain information in order to attack a network, monitor network usage, and spy on people and collect passwords. If I wanted to detect network intrusions I could look for common patterns that signal an attack is occurring. If I see a lot of authorization and deauthorization packets I know that someone is likely trying to crack my WEP by using a replay attack. Packet sniffers are also useful for monitoring network usage. Using packet sniffers I can
see what websites people are going to and whether they are running messenger clients they aren’t supposed to. I can also capture packets that contain passwords in plain text, as e-mail logins often are. Packet sniffers are extremely useful and are an integral part of any hacker’s toolkit.
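To show the intrusion-detection use the paragraph describes, here is an added Python example (not from the paper and not from Ethereal or any other sniffer) that runs over a constructed capture summary and raises an alert when a burst of deauthentication frames hits one BSSID within a short window, the pattern the author associates with someone attacking his WEP network. The frame tuples, the threshold of five frames, and the two-second window are assumptions; a real feed would come from a sniffer in monitor mode.

```python
"""Spot bursts of 802.11 deauthentication frames in a capture summary.

Added example; not code from the paper or from Ethereal. The capture
summary below is constructed: each tuple is (seconds, frame subtype,
source, destination, BSSID) as a sniffer in monitor mode would report it.
"""
from collections import defaultdict, deque

AP = "00:0c:41:aa:bb:01"          # constructed access point address
STA = "00:16:6f:11:22:33"         # constructed client (station) address
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: normal traffic, one ordinary deauth, then a flood at t=10s.
FRAMES = [
    (0.00, "beacon", AP, BCAST, AP),
    (0.10, "data", STA, AP, AP),
    (1.00, "deauth", AP, STA, AP),       # a single deauth is routine (client idle-out)
    (5.00, "data", STA, AP, AP),
] + [
    (10.00 + 0.05 * i, "deauth", AP, BCAST, AP) for i in range(10)
] + [
    (12.00, "auth", STA, AP, AP),        # client tries to come back afterwards
]


def detect_deauth_bursts(frames, threshold=5, window=2.0):
    """Return one alert (bssid, burst_start, count) per burst in which at least
    `threshold` deauth frames for the same BSSID arrive within `window` seconds.
    Frames must be in time order, as they come off the wire."""
    recent = defaultdict(deque)   # bssid -> timestamps of deauths inside the window
    muted_until = {}              # bssid -> time until which repeat alerts are suppressed
    alerts = []
    for ts, subtype, _src, _dst, bssid in frames:
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:          # drop deauths older than the window
            q.popleft()
        if len(q) >= threshold and ts >= muted_until.get(bssid, 0.0):
            alerts.append((bssid, q[0], len(q)))
            muted_until[bssid] = ts + window   # one alert per burst, not per frame
    return alerts


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_bursts(FRAMES):
        print(f"{bssid}: {count} deauth frames within 2.0s starting at t={start:.2f}")
```

The single deauthentication at one second never trips the detector, because the sliding window only keeps frames that arrived within the last two seconds; the ten frames at ten seconds produce exactly one alert, since alerts for the same BSSID are muted for one window after firing. The threshold is something to tune against your own baseline, as access points do legitimately send occasional deauthentication frames.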
The most commonly used packet sniffer is called Ethereal. Ethereal is available for both the Windows and Linux operating systems and is free to download. Ethereal is also compatible with both wired and wireless networks, so it’s very flexible. Installing and configuring Ethereal is extremely easy. All you have to do is tell Ethereal which network adapter you want it to use in its scan and set that network adapter in promiscuous mode. Running a scan is easy, and it tells you while it’s scanning what types of packets it’s collecting and how many. Typical scans usually include a few ARP and DHCP packets and a ton of TCP and UDP ones as well. After you scan your network it compiles the list and sorts it by time on its default settings. However, there are a ton of sorting features that allow you to sort based on protocol, IP address, MAC address, and several other things. If there is some specific traffic you are looking for before you scan, it’s very easy to set up a filter and have it only list those packets that you want it to. Ethereal’s GUI is also very good in that it color codes all of the packets that it lists to make it easy to find certain traffic after you scan. Ethereal is a great tool that is a staple for any hacker.
Using Ethereal in my own experience has been very rewarding. On my neighbor’s network that I mentioned earlier I was able to run Ethereal at around 7 pm and capture some interesting traffic. I found out that my neighbors use AOL Instant Messenger and Yahoo Mail. I also was able to gather information about all of the
computers on the network, and I could have mapped it out on paper. As you can see there are many applications for packet sniffers.
The next tool that is essential for any hacker toolkit is a port scanner. Port scanners analyze networks to see which ports are open and determine what services are currently running on those ports. A port scanner would notify you that your port 80 is open and tell you that that port is used for HTTP, or web browser, traffic. They can be useful because they allow you to find open ports that you can either close, if you are trying to secure your network, or exploit, if you are looking for a target. Most port scanners have other sniffing abilities, like finding out which operating system the target computer is using.
The most common port scanner is Nmap, for both Windows and Linux. Nmap is an easy-to-set-up tool that runs from a command prompt. Even though it doesn’t have a helpful GUI it is still very easy to use, as it prints the correct syntax when the program starts. Nmap also gives you basic example scan syntax so that you can begin immediately. Nmap is a tool that is designed for stealth port scanning, so it’s a tool that is often used by the top hackers and penetration testers. It offers a lot of functionality in that you can do stealth scans, fingerprint systems for their operating system, give it a wide range of IP addresses to scan, and also scan for different IP versions.
I used Nmap to scan my neighbor’s ports and I found out a lot of information. I ran a test with the following syntax, “nmap -v -sS -O 192.168.1.1/24”, which will do a verbose (-v) Nmap scan on that network that will be stealthy (-sS) and try to fingerprint the network for operating systems (-O). What I found out was that they had several ports
open: HTTP port 80, netbios-ssn port 139, Microsoft-ds port 445, IIS port 1025, uPnP port 5000, and gnutella port 6346. I also found out that the systems in their network were running Microsoft XP Home Edition. Based on the port scan I know that they use peer-to-peer file sharing, as a gnutella port was open, and I could potentially use that port as a basis for an attack. As you can see there are many different applications and uses for a port scanner, so it should be another staple in a hacker’s toolkit.
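The same kind of scan reads differently from the defender’s side: run against your own network, the question is which open ports are not supposed to be there. The added Python below (not from the paper and not Nmap’s code) parses a constructed sample written in the tab-separated layout of Nmap’s grepable (-oG) output, populated with the ports and operating system found above, and compares each host’s open ports with an allow-list of what that host is meant to expose, so that NetBIOS, UPnP or gnutella listening on a home PC shows up as a finding. The sample text and the allow-list policy are assumptions.

```python
"""Audit an Nmap grepable (-oG) report against an exposure policy.

Added example; not code from the paper or from Nmap. SAMPLE_REPORT is a
constructed text in the tab-separated layout of Nmap's grepable output,
populated with the ports and OS mentioned in the text; POLICY is an assumed
allow-list of what each host is supposed to expose.
"""
import re

SAMPLE_REPORT = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///"
    "\tIgnored State: closed (1662)\tOS: Linux 2.4.X\n"
    "Host: 192.168.1.101 ()\tStatus: Up\n"
    "Host: 192.168.1.101 ()\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 1025/open/tcp//NFS-or-IIS///, "
    "5000/open/tcp//UPnP///, 6346/open/tcp//gnutella///"
    "\tIgnored State: closed (1658)\tOS: Microsoft Windows XP Home Edition\n"
    "# Nmap done (constructed sample)\n"
)

# Assumed policy: which TCP ports each host is allowed to have open.
POLICY = {
    "192.168.1.1": {80},       # the router's admin page is expected
    "192.168.1.101": set(),    # a home PC should expose nothing to the network
}

# One port entry looks like  port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {ip: {"ports": [(port, state, proto, service), ...], "os": str}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                       # skip comment/banner lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"ports": [], "os": ""})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                entry["ports"].extend(
                    (int(port), state, proto, service)
                    for port, state, proto, service in PORT_RE.findall(value)
                )
            elif key == "OS":
                entry["os"] = value
    return hosts


def unexpected_exposure(hosts, policy):
    """Return {ip: [(port, service), ...]} for open ports the policy does not allow."""
    findings = {}
    for ip, entry in hosts.items():
        allowed = policy.get(ip, set())
        extra = [(port, service) for port, state, _proto, service in entry["ports"]
                 if state == "open" and port not in allowed]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_REPORT)
    for ip, extra in unexpected_exposure(hosts, POLICY).items():
        print(f"{ip} ({hosts[ip]['os']}): unexpected open ports "
              + ", ".join(f"{p}/{s}" for p, s in extra))
```

Hosts missing from the policy get an empty allow-list, so every open port on an unknown machine is reported; that default is deliberate, since a host you did not know about is itself a finding.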
Next, I’m going to go over MAC spoofers. MAC spoofers are programs that
allow you to mask the identity of your “burned-in” MAC address on your network
adapter. This is extremely useful in that you can hide your computer for a bit longer and
bypass MAC filtering on routers. I’ve heard stories of people scanning for MAC
addresses that were commonly used on networks and then they spoofed themselves as
that MAC address once it was available to try and pass as an authenticated user.
I’m going to look at two popular Windows MAC spoofers first. The first one is SMAC. SMAC is a great program that is easy to install and run. After you get it set up it has a very simple GUI to work with. There are only a few prompts in which you change your MAC address, which takes effect on restart. It’s then easy to see that your MAC address has been spoofed, and you can quickly change it back to the way it was using the same program. SMAC is a very simple tool, but it does have one downside. SMAC is a program that requires a payment, so you have to either download and use a trial version for a few days or buy a license. Either way it’s a good program that is easy to use. The other Windows program that I’m going to focus on is Etherchange. Etherchange does the same stuff that SMAC does, but it’s not GUI based. You run it through a command prompt, which makes it a little more difficult to use, but it’s still pretty
straightforward. The advantage of using this program over SMAC is that it is free of charge, so it will probably be the program of choice for most people who hack.
There are also a few spoofers for Linux as well. The program SMAC is also available for Linux, but you can use the command line as well. The commands “/etc/init.d/networking stop”, “ifconfig eth0 hw ether 00:01:02:03:04:08”, and “/etc/init.d/networking start”, entered at a root-level prompt in Linux, change your MAC address without downloading a program. As you can see it’s very easy to do MAC spoofing with the right tools, and it’s always an important part of any hacker’s repertoire.
I have used both SMAC and Etherchange before and I will tell you personally that they are great programs. Both are very easy to use and install, and there weren’t any problems getting them to run. On my own network at home I put a MAC filter on the router for my laptop’s MAC address. I was able to use both programs to defeat the filtering. Both are very solid programs.
In addition to the tools I’ve mentioned, hackers should also have brute forcers and dictionary attackers in their toolkits. Brute forcers are password crackers that generate every combination up to a certain character length and try each one. It will try every single password that it can generate and force it on the password prompt. While this may seem like it takes a long time, a computer can do thousands of combinations a second, and many programs will also check the hash output of the failed attempts in an effort to shorten the time it takes to crack them. Dictionary attackers are very similar in that they are used to crack passwords; however, their approach is much different. A dictionary attacker will have a database of passwords known as its “dictionary”, where
it will try every entry in that dictionary to see if it will break the password. There are several different types of existing dictionaries that range from common words, names, and different languages to much more. Both of these programs have their applications, so it’s hard to say which one is more important than the other.
There are many different types of dictionary and brute force attackers out there.
After searching for a bit I found ones named: John the Ripper, LC5 (L0phtCrack),
Brutus, Cain, and RainbowCrack.
The program I decided to download was RainbowCrack. RainbowCrack has a very nice tutorial for getting it set up and running on its website. In order to set up a rainbow table that is going to be used in the cracking process you have to run rtgen.exe in the command prompt. You can sort that table by using rtsort.exe as well. RainbowCrack uses a command prompt interface to run but gives you all the syntax you will need. After you have a table ready, the other items you need are going to be a hash you’ve taken or a password dump text file so that it can crack it. I took a sample hash file from the RainbowCrack website and applied RainbowCrack to it, and the program was able to crack it in about 10 minutes or so. There are many different kinds of programs that can be used in this process. Using these programs was probably the most difficult part of this assignment, so it will take a while to master this for most people.
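To make the rtgen/rtsort/cracking steps concrete, and to show the time-versus-memory trade-off behind the brute-force discussion two paragraphs up, the added Python below (not from the paper and not RainbowCrack’s code) builds a miniature rainbow table over all three-letter lowercase passwords: the chain building is what rtgen does, indexing the chains by their endpoints is what rtsort does, and the lookup walks a hash back to the password that produced it. It then hashes the same password with a per-user salt and shows that the table no longer finds it, which is why salted (and deliberately slow) password hashes are the standard defence against precomputed tables: the precomputation has to be redone per salt, and a slow hash makes even that expensive. The keyspace, chain length, chain count and reduction function are assumptions chosen so the whole thing runs in well under a second.

```python
"""Miniature rainbow table, and why a salt makes it useless.

Added example; not code from the paper and not RainbowCrack's code. The
keyspace (all three-letter lowercase strings), chain length, chain count
and reduction function are assumptions chosen so the whole thing runs in
well under a second.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN       # 17,576 possible passwords
CHAIN_LEN = 40                           # hashes per chain
NUM_CHAINS = 400


def H(pw):
    """The unsalted hash the table is built for (MD5, as a classic example)."""
    return hashlib.md5(pw.encode()).digest()


def index_to_pw(i):
    """Map an integer in [0, KEYSPACE) to a password; 0 -> 'aaa', 1 -> 'baa'."""
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_(h, step):
    """Reduction function: squeeze a hash back into the keyspace.
    Mixing in `step` is what makes it a *rainbow* table (fewer chain merges)."""
    return index_to_pw((int.from_bytes(h[:8], "big") + step) % KEYSPACE)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """rtgen + rtsort in miniature: compute chains and index them by endpoint.
    Only (start, end) pairs are stored; the middle is recomputed on demand."""
    table = {}
    for c in range(num_chains):
        start = index_to_pw((c * 7919) % KEYSPACE)   # spread starts across the keyspace
        x = start
        for step in range(chain_len):
            x = reduce_(H(x), step)
        table.setdefault(x, []).append(start)        # merged chains share an endpoint
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Cracking step in miniature: find the password whose H() equals `target`, or None."""
    for i in range(chain_len - 1, -1, -1):
        # Assume the target sits at position i of some chain and walk it to the end.
        x = reduce_(target, i)
        for step in range(i + 1, chain_len):
            x = reduce_(H(x), step)
        for start in table.get(x, ()):
            # Candidate chain: regenerate it and check every element on the way.
            y = start
            for step in range(chain_len):
                if H(y) == target:
                    return y
                y = reduce_(H(y), step)
            # False alarm: a different chain happened to end in the same place.
    return None


def salted_hash(salt, pw):
    """What a sensible password store does: per-user salt, so no table matches."""
    return H(salt + pw)


if __name__ == "__main__":
    table = build_table()
    print("unsalted:", lookup(table, H("aaa")))                    # prints aaa
    print("salted:  ", lookup(table, salted_hash("x7q", "aaa")))   # prints None
```

The table stores only 400 start/end pairs yet can recover any password that lies on one of its chains, which is the whole point of the approach: disk space traded for repeated hashing at lookup time. The salted lookup fails because H("x7q" + "aaa") is a hash of a six-character input the table never covered, and a different salt per user means an attacker would need a separate table per user.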
The last tool I’m going to talk about in a hacker’s toolkit is one that isn’t a program but a search engine: Google. Google is now becoming an important tool that a lot of hackers are using. Google is getting a lot of flak from online companies and websites because its search engine is now turning up things that shouldn’t be readily available to the public. Hackers now have the ability to use Google to search for
information on any person that might have any content available online, whether that resource would normally take a password or not. The scary thing is that right now, if it exists on the Internet, Google has a good chance of finding it. It will be interesting to see how this pans out in the near future and whether or not it evolves or Google has a tap put on its resources.
To end, these are only a few of the programs that you can use in a hacker’s toolkit. The spectrum of things goes far beyond what I have mentioned, and I’ve only really touched the surface of what is possible. These are the tools, however, that you will need at the beginning of a toolkit. With all that aside, this was a very enjoyable project and I learned a lot about the basics of network security and hacking. Hopefully this is just a stepping stone to becoming even more skilled in network security, hacking, and administration.