Wireless Tools and Gadgets

You are most likely already familiar with access points and wireless cards, but so many more tools and “gadgets” are available today for securing, attacking, monitoring, auditing, and accessing wireless networks. In this chapter, you’ll learn some of the product offerings on the market today as well as some of the more exotic tools that have security implications for wireless networks.

The discussion of tools in this chapter is not meant to be an exhaustive list of every
product offered on the market today. Instead, individual tools have been selected that
display specific capabilities or unique features. You definitely don’t want to skip this chapter;
not only will you be introduced to a lot of fun new toys, you’ll also receive a well-rounded
base of knowledge regarding wireless security.   

We’ll Cover
● Creating a lab environment
● Client devices
● Access points
● Antennas
● Wireless gadgets
● Choosing a wireless operating system 

A Lab of Your Own 

To get the most out of this book, you definitely need to follow along with as many of the
examples as possible. To do that, you’ll need a good wireless test lab. The cost of wireless
equipment has dropped drastically since its introduction. Today, a very effective lab could
cost you as little as $500. Take into consideration that you (or the company you work for)
probably already have what you need to test almost everything you read about in this book.
At a minimum, you should have the following equipment:
● Two wireless clients (laptops preferred, but you can use desktops)
● Two wireless cards
● One access point 

Client Devices 

No, I’m not going to list every type of laptop you can buy. The wireless world has exploded so rapidly that you need to understand the security implications of all the new types of wireless clients. Ironically, some of the biggest security threats could come from client devices simply because they’re most often overlooked or ignored.


Smartphones and PDAs are everywhere and are only becoming more ubiquitous. These
devices are covered in great detail later in the book, but for now consider that smartphones
and PDAs are not just clients on your network that attackers can target (typically housing
a large amount of sensitive data), but are also very stealthy attack tools for breaking into
your wireless network. These devices are able to run advanced wireless attack tools and
store the data while sitting neatly and covertly in a visitor’s pocket.


Many vendors offer printers with wireless technologies built right in. This provides a
very interesting attack vector for a would-be intruder. If you connect the printer to your
company’s otherwise secure network, does this provide an easy place to discover the
wireless encryption password? Is the password stored securely on the printer, or can you
simply print the configuration and view the password in plain text? If your printer is
connected to your network using wired technologies but is broadcasting a default ad-hoc
wireless SSID, can an attacker join the ad-hoc network and use the printer as a channel
onto your wired network? 

Access Points 

Access points have changed drastically since they first hit the market. Among other
things, they’ve changed in size, functionality, bandwidth, and range. From an attacker’s
perspective, two of the most interesting changes are those of physical size and feature set.
These new full-featured and compact access points provide a very easy attack scenario
with relatively low risk. You simply walk into a target organization, find an open network
data jack, plug in your access point, and walk out. You then finish all your nefarious
work from the parking lot, and the worst you’re risking is losing the access point if it’s


The DD-WRT website has the following to say about DD-WRT: “DD-WRT is a Linux-based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems.”

Basically, you can replace the default firmware on a very large list of popular wireless
routers and access points and make them Linux-based devices with a substantial feature
list. Some of the more impressive features include the following:
● VPN (virtual private network) support
● SSH (Secure Shell) daemon
● Samba and CIFS client support
● SIP (VoIP) routing
● Traffic and bandwidth monitoring 


One of the most popular access points in both the small business and home market is the
Linksys WRT54G (see Figure 2-1). The WRT54G retails for about $60 and supports the
DD-WRT firmware, making it perfect for many small business deployments as well as
small office/home office (SOHO) environments—or your home lab. 

Apple Airport Express

The Apple Airport Express provides a beautiful and compact form factor perfect for an
attacker. It features a built-in plug for an electrical outlet, meaning you don’t need to carry
an additional external power adapter. It has some other interesting features, including a
USB port for a printer or USB drive. 

Mini Access Points 

Some vendors offer uber-portable access points perfect for dropping into a sensitive area.
Not the least of which is the D-Link DWL-G730AP, which can be purchased for as little
as $40. The D-Link DWL-G730AP is aptly named the “D-Link pocket router” because it
is about three inches square and less than an inch high. The only downside to this model is
the need for an external power adapter, which can be discovered or lost. 

Mobile Hotspots 

An interesting new product offering is what’s being called the “portable hotspot.” This nifty access point’s back-end transmission medium is actually the cellular network. An example is the Verizon 4G LTE mobile hotspot (see Figure 2-2). The back-end (or Internet) connection is a 4G connection that can reach download speeds of 1 Gbps.
This device provides a very interesting attack vector. Consider the following scenario: 

An attacker walks into your business complex with a mobile hotspot, configured with
an innocuous SSID such as “Free Wifi Access.” An employee of your company wishes
to access sites that are otherwise restricted on your network, so he connects to the “Free
Wifi Access” network. He checks his personal e-mail, his favorite personal networking
site, and maybe chats with some friends. Little does he know that all his traffic was just
intercepted by the owner of the mobile hotspot, and his passwords sent in plain text have
been captured. Just ponder how many users reuse their passwords and you can guess the
impact this could have for your business network. 


Smartphones are no longer just clients accessing wireless networks but are also full-featured access points for other clients to connect to. Currently, the most versatile
operating system for smartphones is the Android OS by Google (www.android.com),
which is based on the Linux operating system. The processing power and storage
available on these little devices is astounding, and you might be surprised at some of
the tools already running on these phones. The previous scenario of an attacker offering
“free wireless services” is even easier on a phone such as the Google Galaxy Nexus by
Samsung, which has a 1.2 GHz dual-core processor, 1 GB of RAM and 16GB of storage!
So saving all the captured network traffic right to the phone and then walking out the door
is extremely easy—and, yes, Tcpdump has already been ported to work on the Android
operating system. 

Enterprise-Grade Access Points

Arguably the two biggest names in true enterprise-grade access points and wireless
systems are Cisco and Aruba. Both offer an extensive array of wireless products—
everything from antennas, access point enclosures, access points, access point controllers,
and even software to help manage your wireless infrastructure.

Surprisingly, not too many additional wireless features can be obtained from
enterprise-class wireless access points versus regular access points. Most of the core
functionality is the same between home/small business access points and enterprise-class
access points. Here are the main differences you can expect from business/enterprise-class
wireless products: 

● Much more rugged construction
● Controller-based systems (lightweight operation)
● Software management systems
● Vendor support options 

One of the most important features is the support option. If you rely on your wireless
network to support core business processes, you’re going to want to make sure you’re
covered in the event an access point or controller goes down. Most support contracts have
the option of 24/7 support with next-day hardware replacement, but keep in mind the cost
is in proportion to the level of support required.

Antennas

Antennas are an important component of any wireless assessment, and understanding how
they work will help you adjust your thinking about the physical security implications for
wireless transmissions. The most important fact to keep in mind is that antennas increase
the range for both sending and receiving data. This means that a laptop with an antenna
doesn’t just send a stronger signal to the access point, but it can actually pick up weaker
signals from the access point, thus increasing the distance it can be from that access point.

So why does this matter from a security perspective? Well, it should definitely make you
reconsider how much importance you place on the range of your access points. It always
makes me cringe when I hear someone say, “I don’t really secure my wireless network, but
it doesn’t matter because the signal dies once you hit the parking lot.” It isn’t uncommon to
be able to pick up wireless signals a few miles from their source with a good antenna.

Signal increase from antennas is typically measured in dBi, which stands for decibels
isotropic. I won’t bore you with the mathematical calculations behind antenna gain and
dBi. Just know that the higher the number, the better. Most consumer-grade antennas
range from 3 dBi gain to 24 dBi gain. Also keep in mind that the cable that connects the
antenna to the adapter is detrimental to the signal. If you use a cable that is too long, is
kinked, or is otherwise damaged, you can actually lose all the signal gain provided by the
antenna. The only other major consideration you need when selecting an antenna is to
make sure the connectors available will match that of your wireless card. 
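The text skips the math behind dBi, so here is an added illustration (not from the book) that models a Wi-Fi link budget with free-space path loss and shows how a 24 dBi antenna stretches the theoretical range, and how a lossy cable gives that gain right back. The function names (fspl_db, rx_power_dbm, max_range_m, range_comparison) and the scenario figures (20 dBm access point, 2 dBi stock antenna, -90 dBm receiver sensitivity, channel 6 at 2437 MHz) are constructed assumptions.

```python
import math

# Free-space path loss (dB) for a distance in metres and a frequency in MHz.
# This is the ideal line-of-sight case; walls, trees and bodies add loss,
# so real-world ranges are shorter than the numbers this model produces.
def fspl_db(distance_m, freq_mhz):
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55

# Received signal level (dBm): transmit power plus both antenna gains,
# minus coax/connector loss, minus path loss.
def rx_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, cable_loss_db,
                 distance_m, freq_mhz):
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi - cable_loss_db
            - fspl_db(distance_m, freq_mhz))

# Largest distance (m) at which the receiver still sees its sensitivity level,
# obtained by solving the free-space path loss formula for distance.
def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, cable_loss_db,
                rx_sensitivity_dbm, freq_mhz):
    budget_db = (tx_dbm + tx_gain_dbi + rx_gain_dbi - cable_loss_db
                 - rx_sensitivity_dbm)
    return 10 ** ((budget_db - 20 * math.log10(freq_mhz) + 27.55) / 20)

# Constructed scenario (assumed figures, not from the book): an access point on
# channel 6 (2437 MHz) transmitting 20 dBm through its 2 dBi stock antenna, and
# a receiver that can still decode frames at -90 dBm at its lowest data rate.
AP_TX_DBM, AP_GAIN_DBI, FREQ_MHZ, RX_SENS_DBM = 20, 2, 2437, -90

def range_comparison():
    """Return (internal-antenna range, 24 dBi dish range, dish-with-bad-cable range) in metres."""
    laptop = max_range_m(AP_TX_DBM, AP_GAIN_DBI, 0, 0, RX_SENS_DBM, FREQ_MHZ)
    dish = max_range_m(AP_TX_DBM, AP_GAIN_DBI, 24, 0, RX_SENS_DBM, FREQ_MHZ)
    # A long, kinked run of thin coax can easily cost tens of dB; here an
    # assumed 30 dB of cable loss more than cancels the dish's 24 dBi gain.
    bad_cable = max_range_m(AP_TX_DBM, AP_GAIN_DBI, 24, 30, RX_SENS_DBM, FREQ_MHZ)
    return laptop, dish, bad_cable

if __name__ == "__main__":
    labels = ("0 dBi internal antenna", "24 dBi dish", "dish + 30 dB cable loss")
    for label, metres in zip(labels, range_comparison()):
        print(f"{label:>24}: {metres / 1000:6.1f} km")
```

Because free-space loss ignores walls and foliage, treat the kilometre figures as an upper bound; the useful lesson is the ratio between the three cases, not the absolute distances.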

Types of Antennas 

Antennas come in many different shapes and sizes, and some even have a few neat
features that help security assessors. The two most important types for the security tester
are directional and omnidirectional. Directional antennas, also commonly referred to as
yagi antennas, radiate basically straight forward (and typically slightly askew to one side).
They are best suited for “one-to-one” communication, where you can “point” at the target.
Omnidirectional antennas essentially radiate outward evenly from the horizontal plane of
the antenna. Take this with a grain of salt, though. In reality, the signal radiation pattern
looks most similar to a donut with the antenna sticking up through the center of the donut.
Mmm, delicious wireless technologies.

The quintessential wardriver’s antenna is arguably a small, magnetic, omnidirectional
antenna. It is typically no more than four inches high and includes a pretty strong magnet
on the bottom, allowing you to stick it to the top of your car. You can purchase such an
antenna on the Internet for as little as $15.

The other most popular antenna is the directional (or yagi) antenna. The radiation pattern is basically straight ahead in the direction you are aiming the antenna, although oftentimes to get the best signal you’ll need to aim slightly to the side of your target. You can find plenty of videos and resources on the Internet to help you build your very own directional antenna for about $10. However, if you’re looking for a quick solution, you can find some good directional antennas on the Internet for under $20 that have a surprisingly good range. Figure 2-3 shows an example of a custom yagi antenna purchased on the Internet for about $25. One of the most popular antennas for wireless enthusiasts will always be the so-called cantenna, which not surprisingly is a homebrew antenna made, in part, from a can. The can from Pringles potato chips is a favorite, but almost any can will do, including coffee cans. A cantenna is a yagi antenna and is thus a directional antenna.

Another very popular antenna you’re probably already familiar with is the parabolic
antenna (see Figure 2-4). The quintessential parabolic antenna is the satellite dish. The
parabolic antenna is a directional antenna, and you can find some very-high-gain parabolic
antennas, giving you the ability to pick up wireless signals from literally miles away.  

Wireless Gadgets

A plethora of other fun and interesting gadgets can be used to enumerate or penetrate
wireless networks. Some of the more popular gadgets include the following:
● GPS (Global Positioning System)
● Smartphones and PDAs
● Pocket wireless scanners
● Spectrum analyzers

GPS

Many available GPS units can integrate with wardriving software, allowing you to pinpoint
where you first discovered and found the strongest signal for a wireless network. GPS devices,
including the well-known Garmin models, offer many options, including the newer USB
options. Figure 2-5 shows a Globalsat BU-353 GPS, which is extremely compact, easily fits
in your hand, and has a magnet on the base of the unit.

Smartphones and PDAs 

One of the most exciting and interesting new wireless-enabled devices by far is the
smartphone. The three main choices today for a smartphone with wireless tools are
iPhones, Windows-based smartphones, and Android-based smartphones.

I definitely prefer the flexibility and available software of the Android OS. Keep
in mind that the Android OS is based on Linux, so it might not be long until all the
wireless security software covered in this book can be run from your shirt pocket. In the
next chapter, we’ll cover some of the terrific software programs already available for

In addition to the huge list of software already available for smartphones, think about
all the features you already have in the palm of your hand. You can scan for wireless
networks while logging your position with a built-in GPS and recording what you see
with a video camera. All the data you gather can be saved locally to your smartphone on
a flashcard that has over 20GB of storage.

We’ll explore some of the very interesting attacks against smartphones in a later chapter. 

Pocket Wireless Scanners 

A few interesting little handheld devices work perfectly for the impromptu warwalking
adventure. Although most don’t provide a whole lot of detail, often the SSID can be enough
to enumerate an interesting target. For example, the Hotspotter device, which retails for $50
from Canary Wireless, can display the wireless channel, the signal strength levels, and the
encryption type in use. You can read more about the Hotspotter at Canarywireless.com.

Spectrum Analyzer

Although a spectrum analyzer’s core functionality isn’t necessarily security related,
some manufacturers bundle traffic-dumping software to allow you to see wireless
communications. Spectrum analyzers give you data on the physical communications on
a given wireless frequency. This can aid you in troubleshooting issues from congestion,
range, and physical topology. Spectrum analyzers used to be prohibitively expensive, but
nowadays very affordable and surprisingly easy-to-use options are available. One option
is the Wi-Spy by Metageek. Wi-Spy offers a few options that range from $99 to $1,000
and come with a USB wireless card and the software to display the information in a nice
graphical manner. 

Operating System of Choice 

It might not be surprising that my operating system of choice for wireless security
assessments is Linux; however, many tools can still be run from Windows. Additionally,
many open-source tools can be run from the Mac OS, including some tools that are
exclusive to the Mac OS. 

Most of the examples in this book use Linux, so it is highly recommended that you
familiarize yourself with it. For those readers who have zero experience with the Linux
operating system, don’t fret: Now is the perfect time to get some face time with the best
operating system available today.

For beginners I recommend either Ubuntu or BackTrack. Ubuntu is a great all-purpose
desktop operating system and comes with a decent list of preselected software packages
installed for everyday use. BackTrack is a great choice for security enthusiasts and
penetration testers. The makers of the BackTrack distribution describe it as “the complete
penetration testing arsenal for security professionals.” It comes with an enormous list of
security tools, including most of the wireless security tools we’ll be covering in this book.

Both Ubuntu and BackTrack can be run as live-CD distributions. This means that
the operating system actually launches right from the CD. You can save and manipulate
files on your hard drive, but you also have the option of leaving your hard drive alone
completely. When you’re done testing the operating system, you simply reboot your
system, remove the CD from your drive, and you’ll boot right back into your normal
operating system. The only real disadvantage to using a live-boot operating system is
that it tends to be a little slower, and any changes you make won’t be maintained during
reboots, unless specifically saved to external media (hard drive, USB drive, and so on).

One of the features that newcomers really enjoy is the apt utilities. Essentially,
centralized databases are maintained on the Internet that keep a list of all the files (and
typically default configurations) for an enormous amount of programs for the Linux
operating system. Users can search this database using locally installed apt utilities for
a program they wish to install, issue a single command to “install” the program, and the
program and all its supporting libraries are “automagically” downloaded and installed
on the system. If you’re unfamiliar with Linux, now might be a good time to read the
appendix on using BackTrack Linux.
Getting BackTrack running on your system is incredibly easy; just follow these simple steps:
1. Grab the latest release of BackTrack from www.backtrack-linux.org/downloads/.
2. Burn the ISO image using a DVD-burning program.
3. Configure your computer BIOS to boot to the DVD drive. (Most modern computers
have a key combination you can press to manually select your boot device; many
laptops use ctrl-f12.)
4. Select EDIT from the boot menu and select your DVD device.

Optionally, you can boot the BackTrack operating system from a USB thumb drive.
Directions on how to accomplish this can be found in the appendix. 

We’ve Covered

In this chapter, we reviewed some of the fun toys available for connecting to, attacking, or
offering wireless networks. We also reviewed some interesting items such as smartphones,
miniature access points, and some unusual wireless clients. We reviewed some of the
options for antennas as well.

Make sure you have a good lab set up and ready to go so that you can follow along in
the upcoming chapters. You’ll get much more out of this book if you follow along with
the examples instead of just reading through them. These examples not only include the
appropriate wireless hardware but also the correct software you’ll need to use. 

Creating a lab environment
● Necessary hardware for an affordable lab
Client devices
● Phones
● Printers 

Access points
● Linksys WRT54G
● Apple Airport Express
● Mini access points
● Mobile hotspots 

Antennas
● Directional
● Omnidirectional

Wireless gadgets
● Smartphones
● Wireless scanners
● Spectrum analyzers 

Choosing a wireless operating system
● Ubuntu Linux
● BackTrack Linux
