
Virtual Private Networks 309
If you are running a firewall with NAT, you may have to write a special rule in
your firewall so that it doesn't translate the address of the IPsec gateway, and so
that it passes IKE (UDP port 500) and ESP (IP protocol 50, which is not TCP or UDP
and is dropped by many port-based rules). Many newer firewall models automatically
recognize IPsec packets and pass them through unchanged, so this extra step is
unnecessary.
8.
To test your connection, try pinging an internal address on the other side of the
remote gateway. If you get a successful response, then you have an IPsec tunnel up
and running.
9.
If you really want to verify that the packets are being encrypted, use a packet
sniffer such as Tcpdump or Ethereal (now called Wireshark) on the outside interface
of one gateway. If the sniffer identifies the packets between the two gateways as ESP
(Encapsulating Security Payload, the IPsec protocol that carries the encrypted data)
and the packet payloads come up looking like gibberish, then all is working correctly.
If you can still read the inside hosts' traffic on that interface, the tunnel is not
carrying it.
Table 9.2 FreeS/WAN Parameters
Parameter       Description
left            The IP address of your Left IPsec gateway.
leftsubnet      The range of IPs behind the Left gateway.
leftid          The host name in fully qualified domain name format with an @ in
                front of it, for example @gateway.example.com.
leftrsasigkey   The public key you copied earlier from the Left machine.
leftnexthop     The default gateway for the Left machine. The default setting should
                work in most cases.
right           Same as left above but for the Right machine.
rightsubnet     Same as leftsubnet above but for the Right machine.
rightid         Same as leftid above but for the Right machine.
rightrsasigkey  Same as leftrsasigkey above but for the Right machine.
rightnexthop    Same as leftnexthop above but for the Right machine.
auto            The default setting of add loads the connection when IPsec starts but
                does not bring it up. If you want the tunnel brought up automatically
                at boot, change this to start.
Howlett_CH09.fm Page 309 Thursday, June 24, 2004 11:12 PM
10.
If you want to add multiple net-to-net connections, you can just add another sec-
tion with a new title such as conn office1-to-office2. You can also rename the orig-
inal net-to-net connection name as long as it is the same in the ipsec config files on
both machines.
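The sniffer check in step 9 can be turned into a repeatable test. The following is an added example, not code from the book or from FreeS/WAN: it classifies lines of saved tcpdump -n output from a gateway's outside interface. The gateway addresses (192.0.2.2 and 198.51.100.7) and the sample capture are constructed for the example. Traffic between the two gateways should be ESP or the IKE negotiation; the gateway's own packets to its peer may legitimately be in the clear, because a subnet-to-subnet connection does not cover the gateways' own addresses; but an inside host's packet showing up unencapsulated is a leak.

```python
"""Classify packets captured on a gateway's OUTSIDE interface while the tunnel is up.

Between the two gateway addresses you should see only ESP (IP protocol 50) and the
IKE negotiation (isakmp, UDP/500). The gateway's own traffic to the other gateway may
be in the clear (a subnet-to-subnet conn does not cover the gateways themselves).
Any packet from or to an inside host appearing unencapsulated is a leak.
The sample capture below is constructed, in the format of 'tcpdump -n'.
"""
import re
from collections import Counter

GW_A, GW_B = "192.0.2.2", "198.51.100.7"   # assumed gateway addresses (example values)

# Constructed sample: line 4 is an inside host's ping that should have been inside
# ESP (a leak); line 5 is the gateway itself pinging its peer (clear, but expected).
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.0.2.2.500 > 198.51.100.7.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
12:00:01.200000 IP 192.0.2.2 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
12:00:01.200500 IP 198.51.100.7 > 192.0.2.2: ESP(spi=0x4d3c2b1a,seq=0x1), length 116
12:00:02.000000 IP 10.0.0.5 > 10.0.1.9: ICMP echo request, id 7, seq 1, length 64
12:00:03.000000 IP 192.0.2.2 > 198.51.100.7: ICMP echo request, id 8, seq 1, length 64
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (\S+)")


def strip_port(addr: str) -> str:
    """tcpdump -n prints 'a.b.c.d.port' for TCP/UDP; drop the port if present."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def classify(line: str, gw_a: str = GW_A, gw_b: str = GW_B):
    """Return 'esp', 'ike', 'clear' or 'leak' for one capture line, None if not IPv4."""
    m = LINE.match(line)
    if not m:
        return None                      # ARP, IPv6 or other noise: not judged here
    src, dst, proto = strip_port(m[1]), strip_port(m[2]), m[3]
    between_gateways = {src, dst} == {gw_a, gw_b}
    if between_gateways and proto.startswith("ESP("):
        return "esp"                     # encrypted tunnel traffic
    if between_gateways and proto == "isakmp:":
        return "ike"                     # key exchange; expected to be visible
    if between_gateways:
        return "clear"                   # gateway's own traffic; not covered by the subnet conn
    return "leak"                        # an inside address seen unencapsulated


def summarize(capture: str, gw_a: str = GW_A, gw_b: str = GW_B) -> Counter:
    """Count each class of packet in a capture."""
    counts = Counter()
    for line in capture.splitlines():
        kind = classify(line, gw_a, gw_b)
        if kind:
            counts[kind] += 1
    return counts


def leaks(capture: str, gw_a: str = GW_A, gw_b: str = GW_B) -> list:
    """The lines that prove traffic is bypassing the tunnel."""
    return [line for line in capture.splitlines() if classify(line, gw_a, gw_b) == "leak"]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_CAPTURE)))
    for line in leaks(SAMPLE_CAPTURE):
        print("LEAK:", line)
```

Feed it the output of `tcpdump -n -i <outside-interface>` saved to a file; a non-empty leak list means the tunnel's subnet definitions do not cover the hosts you expected them to.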
Road Warrior Mode This procedure is fairly similar to the last one, with a few excep-
tions. In this mode, the Right machine is the local machine on your IPsec gateway and the
Left machine is your remote user.
1.
On your remote machine, edit the same /etc/freeswan/ipsec.conf file using the fol-
lowing template. It looks similar to the net-to-net configuration with a few
differences.
conn road
left=%defaultroute
leftnexthop=%defaultroute
leftid=@tonyslaptop.example.com
leftrsasigkey=0sAQPIPN9uI
right=192.0.2.2
rightsubnet=10.0.0.0/24
rightid=@gateway.example.com
rightrsasigkey=0sAQOnwiBPt

auto=add
The remote configuration uses %defaultroute to pick up your dynamic IP.
2.
The Right side should contain the information for the gateway. Get on the gateway
machine and use this template for that ipsec.conf file. The IDs and keys mirror the
remote user's file: left is now the gateway and right is the laptop, and leftsubnet
must be the same network the remote side named in rightsubnet (10.0.0.0/24 here), or
the two ends will not agree on what the tunnel carries.
conn road
left=192.0.2.2
leftid=@gateway.example.com
leftsubnet=10.0.0.0/24
leftrsasigkey=0sAQOnwiBPt
rightnexthop=%defaultroute
right=%any
rightid=@tonyslaptop.example.com
rightrsasigkey=0sAQPIPN9uI
auto=add
Notice the entries are reversed on the gateway, using left for the local machine and
right for the remote. Also, the right IP is defined as %any. This is a wildcard that
allows any IP address, since you won't learn it until the remote user tries to connect;
the remote user is identified by rightid and authenticated by the public key in
rightrsasigkey, not by address.
3.
Save this file.
4.
You are ready to connect. Make sure that IPsec is up and running on the gateway
machine, and then type the following command on the remote user end:
ipsec auto --up road
This should initiate the connection as before. If you don't get the message IPsec
SA established, check your settings (in particular that the IDs, keys, and subnets
match on both ends) or refer to the troubleshooting section on the FreeS/WAN Web site.
5.
Test and verify the connection in the same manner as the net-to-net procedure.
6.
You can set up multiple remote connections as in the previous procedure and
rename them whatever makes sense to you.
Opportunistic Encryption If you want to do this with FreeS/WAN, your gateway box
must not be behind a firewall doing NAT: OE identifies a peer by the source address it
sees on the wire and looks that address up in DNS, and NAT rewrites that address, so
the lookup and the key check fail. It is preferable to have a static IP address on your
gateway box. There are two ways to do OE: full or partial. In full OE you can initiate
outward IPsec connections and other IPsec hosts can initiate OE sessions with your
gateway. In partial mode, your gateway must always initiate the connection. Both OE
modes require you to have access to the DNS record for the hostname you want set up.
Setting Up a Partial Opportunistic Encryption (initiate only)
1.
First, edit the DNS record for the host name that you intend to use to add an entry
for your key. The DNS record must match the ID you use in the ipsec.conf file. In
the Road Warrior example earlier, that was gateway.example.com. Issue the following
command on your gateway machine to create this record:
ipsec showhostkey --txt @gateway_hostname
Replace gateway_hostname with your hostname, such as gateway.example.com. It prints
a TXT record containing your public key, formatted in the proper DNS zone-file
syntax. Only the public half of the key is published; the private key stays in
ipsec.secrets.
2.
Insert this record into the zone file for that domain as a forward TXT record.
Note:
If you aren’t sure how to edit DNS records, have your DNS administrator
help you. Making a mistake with a DNS record can easily take your whole domain
down.
Also, keep in mind that the changes will take a while to propagate across the
Internet. Depending on where you are querying from, this process might take as
long as 48 hours.
3.
You can check to see if the change has taken place yet with the following query:
ipsec verify --host gateway.example.com
It should respond with an OK statement for the forward record. The reverse record
lookup will fail, but this is acceptable as long as you don't want to do a full OE.
Remember that even though you can correctly query the DNS server, the other end of
your connection may not be able to yet. Have them run the verify command as well.
4.

Once both sides can see the DNS record, then all you should have to do is restart
your IPsec service by typing:
service ipsec restart
When it comes back up, you should be ready to go.
This is all that is required, since FreeS/WAN will automatically configure the connec-
tion using the DNS record information when it comes up.
Setting Up Full Opportunistic Encryption
In order to do full OE, you must have a static IP on the gateway and have full control of
the DNS record for that IP. FreeS/WAN OE uses a reverse DNS lookup to verify the public
key of any machine attempting to connect. The instructions are exactly the same as for
partial OE, except that you also create a reverse DNS record for your gateway's IP
address. Create the text record the same way as above, this time giving showhostkey your
static IP address in place of the @hostname, and after adding the forward record, add
this one as a TXT record under the in-addr.arpa name of your static IP address. Again,
if you are unsure of how to edit a DNS file, get some help. DNS is not something to
monkey around with lightly. Once both records are visible from the Internet, you should
be able to restart your IPsec service and establish connections with IPsec OE compliant
hosts.
Password Crackers You have learned how to protect your information in various ways
using encryption, and how to encrypt files, sessions, and whole connections with other
sites. The next section looks at a tool to help you make sure your password files are
safe. This tool is a password cracker. It does the reverse of the other tools in this
chapter: instead of protecting data, it tries to recover the passwords behind a
password file without any keys. It is meant to be run on your own password files to
make sure you don't have passwords that are easy to crack.
Most passwords these days are not stored in plain text on the server. They are stored
as one-way hashes, so that someone who reads the file does not immediately get the
passwords themselves. A hash cannot be decrypted; a cracker instead guesses candidate
passwords, hashes each one the same way the system does, and compares the result with
the stored value. On some operating systems the hashing scheme is weak (unsalted, or
very fast to compute), which makes this guessing cheap. Worst case, if someone captures
a password file, he or she can run dictionary and brute force attacks on the hashes and
recover some passwords. This takes advantage of the tendency of most people to use
simple passwords. You can enforce password rules in most operating systems, but even
then, people will figure out ways to get around the limitations in the interest of
making their life simpler. Testing your password files with password crackers is the
only way to know for sure how safe your users' passwords are.
John the Ripper: A Password Cracking Tool
John the Ripper
Author/primary contact: Solar Designer
Web site: www.openwall.com/john
Platforms: Windows and most UNIX
License: GNU GPL
Version reviewed: 1.6
John the Ripper was designed by the enigmatic Solar Designer to help system admin-
istrators flush out weak passwords, mostly on UNIX systems. In wordlist mode, John
takes each word from a text word file, hashes it with the same algorithm and salt as
each entry in the password file, and compares the result with the stored hash. It also
applies mangling rules to the dictionary words, trying variations such as cat1, cat2,
Cat, and so on. After it runs out of words it switches to incremental mode, which tries
character combinations exhaustively and keeps going for as long as you let it run. It
comes with a basic word file, and you can also download custom word lists for different
operating systems and languages or create your own.
It is available for both UNIX and Windows. Since it is a command line tool only, the
basic operations are the same for both operating systems. The separate installation
processes are covered here.
Windows Installation
1.
Download the Windows binary package from the Web site or the book’s CD-ROM
and unzip the file into its own directory.
2.
There is no real Windows setup process here. Just put the files where you want
them to reside and run them from that directory with the proper commands. You
may want to add that directory to your system path if you want to be able to run
John the Ripper from any directory. Otherwise, change to the john/run directory to
access the binaries and run the program.

UNIX Installation
1.
Download and untar the source code files from the Web site or the book’s
CD-ROM.
2.
Issue the following command from the src directory it created:
make
With no target, this displays a list of systems supported.
Note: If your system is not listed, substitute the command make generic in the
next step (this should work most of the time).
3.
Issue the following command, substituting your supported system type for system:
make system
This builds the program and puts the main binary programs in the john/run
directory.
4.
Change into that directory and you are ready to run John the Ripper.
Using John the Ripper
1.
First, you need to have a copy of the password file.
On most UNIX systems the password hashes aren't stored in the main password file
but are kept in a file called the shadow password file (/etc/shadow on Linux
systems), readable only by root. This protects the password hashes from being viewed
easily, since the main user password file, /etc/passwd, has to be accessible to
various other parts of the operating system and so has to be world-readable. John's
run directory includes an unshadow utility that merges the two files into the single
file John expects (unshadow /etc/passwd /etc/shadow > mypasswd). Run it as root, and
guard the resulting file as carefully as the shadow file itself, since it contains
the hashes.
The password hash file looks something like Listing 9.1.
Listing 9.1 Sample Password Hash File
root:$1$‰8_pwš/‚$3ABCmAmVVtBbgXc1EpAZ7.:12080:0:99999:7:::
bin:*:12080:0:99999:7:::
daemon:*:12080:0:99999:7:::
adm:*:12080:0:99999:7:::
lp:*:12080:0:99999:7:::
sync:*:12080:0:99999:7:::
apache:!!:12080:0:99999:7:::
postfix:!!:12080:0:99999:7:::
mysql:!!:12080:0:99999:7:::
tony:$1$™bFÌb/_R$6RFzrkqq6nY4zTkmWQ8xV0:12080:0:99999:7:::
The seemingly random string after the account name is the hash of the password. That
is what John the Ripper goes to work on. The $1$ prefix marks the MD5-based crypt
format; the characters between the second and third $ are the salt, which makes the
same password hash differently for each user. Accounts whose hash field is * or !!
are locked and have no password to crack.
2.
The text file password.lst in your John the Ripper run directory contains the default
word list. You can add to this list if you have some custom passwords you want it to
try, or replace it with your own word list.
3.
To run John the Ripper, type the following command:
john password_filename
Replace password_filename with the filename of the password file you want to test
(the unshadowed file from step 1).
John the Ripper shows you any passwords it is able to crack on the screen as it
tries. Most of the word lists will be run through in a few minutes. This is long
enough for most purposes, but if you want to let it run longer to really test your
passwords, you can run the process in the background.
You can also interrupt the testing process and return to it later. Press CTRL+C
once to stop the testing; John saves the session state so it can be resumed, and
the passwords cracked so far are already recorded in john.pot. Note that pressing
CTRL+C twice will abort the search without saving the session.
4.
You can view the passwords retrieved thus far by typing:
john -show password_file
5.
To resume an interrupted cracking session, use the following command:
john -restore
(Newer versions of John take double-dash options, such as --show and --restore.)
And that’s about all there is to it. Happy password cracking (only your own password
files, please!). If you find weak passwords, you can go to those people and have them
change them or institute policies on the server that require stronger passwords.
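To make the mechanics of the procedure above concrete, here is an added example (not John the Ripper's code) that does by hand the three things John does to a shadow-style file: parse it and skip locked accounts, run a wordlist with mangling rules, then fall back to incremental search over short strings. The accounts, salts and passwords are constructed. The hash field uses an illustrative $demo$salt$hex scheme (hex of SHA-256 over salt + password) rather than the MD5-crypt of Listing 9.1, so that it runs on the standard library alone; the attack on a real $1$ hash is identical, just slower per guess.

```python
"""Wordlist-with-rules and incremental cracking of a shadow-style file, done by hand.

Hash field format here is illustrative: "$demo$<salt>$<hex>", hex = sha256(salt + pw).
Real MD5-crypt ($1$...) entries are attacked the same way with a different hash.
All users, salts and plaintexts below are constructed for the example.
"""
import hashlib
import itertools
import string

WORDLIST = ["password", "cat", "secret", "letmein", "welcome"]   # stands in for password.lst
INCREMENTAL_ALPHABET = string.ascii_lowercase + string.digits
INCREMENTAL_MAX_LEN = 3


def demo_hash(salt: str, password: str) -> str:
    """Illustrative salted hash written in shadow syntax: $demo$salt$hex."""
    return "$demo$" + salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample file. The plaintexts are listed only to build it;
# crack() below works from the hashes alone.
_PLAINTEXTS = {"tony": "cat2", "bob": "Secret1", "alice": "zq7", "carol": "Tr0ub4dor&3"}
_SALTS = {"tony": "bFIb", "bob": "9wQ2", "alice": "x1Ls", "carol": "r7Tn"}
SHADOW_TEXT = "\n".join(
    ["root:!!:12080:0:99999:7:::", "bin:*:12080:0:99999:7:::"]
    + [f"{u}:{demo_hash(_SALTS[u], _PLAINTEXTS[u])}:12080:0:99999:7:::" for u in _PLAINTEXTS]
)


def parse_shadow(text: str):
    """Yield (user, salt, hexdigest) for crackable entries; skip locked or empty ones."""
    for line in text.splitlines():
        user, field = line.split(":")[:2]
        if field in ("", "*") or field.startswith("!"):
            continue                                   # no password, or account locked
        scheme, salt, digest = field[1:].split("$")    # "$demo$salt$hex"
        if scheme == "demo":
            yield user, salt, digest


def mangle(word: str):
    """A few John-style wordlist rules: case changes and appended digits."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for base in (word, word.capitalize()):
        for n in range(100):
            yield f"{base}{n}"


def incremental(alphabet=INCREMENTAL_ALPHABET, max_len=INCREMENTAL_MAX_LEN):
    """Exhaustive short strings, shortest first, like John's incremental mode."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(shadow_text: str, wordlist=WORDLIST) -> dict:
    """Return {user: password} for every entry recovered; users left out resisted."""
    # Group targets by salt: one hash computation per candidate per distinct salt.
    # This is exactly why salting matters: with no salt, one hash would test every user.
    by_salt = {}
    for user, salt, digest in parse_shadow(shadow_text):
        by_salt.setdefault(salt, {})[digest] = user
    found = {}

    def try_candidate(pw: str) -> None:
        for salt in list(by_salt):
            digest = hashlib.sha256((salt + pw).encode()).hexdigest()
            user = by_salt[salt].pop(digest, None)
            if user is not None:
                found[user] = pw
            if not by_salt[salt]:
                del by_salt[salt]                      # nothing left under this salt

    for word in wordlist:                              # wordlist mode with rules
        for candidate in mangle(word):
            try_candidate(candidate)
    for candidate in incremental():                    # then brute force short strings
        if not by_salt:
            break
        try_candidate(candidate)
    return found


if __name__ == "__main__":
    for user, pw in crack(SHADOW_TEXT).items():
        print(f"{user}: {pw}")
```

Three of the four passwords fall: cat2 and Secret1 to the rules, zq7 to the incremental pass; the long mixed-character password is out of reach of both and is the kind of thing a password policy should be steering users toward.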
Chapter 10
Wireless Tools
Until recently, network administrators mostly only had to worry about securing physical,
fixed information technology assets. This includes servers, routers, and firewalls: the
things that make up our wire-line networks. However, with the advent of inexpensive wire-
less network equipment, there is a whole new spectrum (no pun intended) of security
problems to contend with.
This new technology has helped to lower the cost of deploying networks, brought
access to places it wasn’t before, and made the term “mobile computing” truly a reality. It
has also drastically changed the network security perimeter for companies of all sizes.
Traditionally, corporate networks were connected to the outside world in only a few places
(see Figure 10.1). This allowed network managers to concentrate on protecting these lim-
ited access points. You could put firewalls and other defenses at these crucial choke points.
The inside of the network was largely treated as trusted because there was no way to get
there other than through the protected points.
Chapter Overview
Concepts you will learn:
• Wireless LAN terms
• The 802.11 protocols
• Weaknesses of wireless LANs
• Wireless assessment equipment
Tools you will use: NetStumbler, StumbVerter, Kismet Wireless, and AirSnort
Now the advancing march of technology has moved the security bar up a notch again.
With a wireless LAN deployed, your new security perimeter becomes literally the air
around you. Wireless attackers or eavesdroppers can come from any direction. If you have
wireless access deployed, anyone with a $50.00 card can potentially listen in on your
network without ever setting foot on your premises. Figure 10.2 shows the new net-
work security perimeter with wireless technology. As you can see, if you are using
wireless for part of your network, your security threats go up considerably. But before you
can properly secure your wireless network, you need to understand how wireless local
area networks function and what their basic weaknesses are.
Manufacturers of wireless LAN equipment have lowered the prices so much that it is
now a feasible alternative for home networks. Rather than wiring your house for Ethernet
to connect your PCs, you can buy a wireless base station and a couple of wireless cards
and use the Internet from any room in your house (or outside for that matter). Many busi-
ness conventions now offer free wireless Internet access to their attendees via wireless sta-
tions. There are grassroots campaigns to create free Internet access for neighborhoods
outside the reach of DSL or cable by using public wireless access points. Wide deploy-
ment of wireless LAN technology is definitely here to stay, and sooner or later you will
probably have to deal with it.
Wireless LAN Technology Overview
The most popular protocol for wireless LAN technology today is by far the 802.11
series, commonly known as Wi-Fi. The 802.11 standards belong to the same IEEE 802
family as Ethernet and use the same 48-bit MAC addressing at the link layer, which is
why they bridge so easily onto wired Ethernet networks. They use the 2.4GHz band for
802.11b and 802.11g and the 5GHz band for 802.11a to carry data. These are unlicensed
bands (ISM at 2.4GHz, U-NII at 5GHz), so you don't have to apply for a license from
the FCC to use them. The downside of this is that other consumer devices can use these
frequencies too. Some cordless phones and microwave ovens also operate in the 2.4GHz
band, so if you have these devices or other Wi-Fi networks in your area, you may
encounter some interference.
Figure 10.1 Network Threats Before Wireless Networking (diagram: attacks from the
Internet reach the computers on the local LAN only through the firewall)
This wavelength is perfect for the short range that Wi-Fi is intended for. Its design
parameters allow for about 150 feet indoors and over 800 feet outdoors under normal con-
ditions. However, with a high-power antenna and line of sight, you can get up to a 20-mile
range, which makes it attractive for office-to-office communications within a city (this
assumes you are not in very mountainous terrain and you have access to a rooftop at least
several floors up). Table 10.1 describes the four flavors of the 802.11 wireless standard
that have emerged.
Wi-Fi Terms
A Wi-Fi wireless network can operate in one of two modes. Ad-hoc mode allows you to
directly connect two nodes together. This is useful if you want to connect some PCs
together and don't need access to a LAN or to the Internet. Infrastructure mode lets
you set up a base station, known as an access point (AP), and connect it to your LAN.
All of the wireless nodes connect to the LAN through this point. This is the most
common configuration in corporate networks, as it allows the administrator to control
wireless access at one point. Each wireless access point and card has a number assigned
to it called a Basic Service Set Identifier (BSSID). This is the MAC address of the
access point's wireless side. The access point also has a Service Set Identifier
(SSID), which is the name of the wireless network that all the nodes associate with.
This name is not necessarily unique to that access point. In fact, most manufacturers
assign a default SSID to APs so they are usable right out of the box. The access
point's SSID is needed to connect to the network, but since it is broadcast in the
clear and easily guessed from vendor defaults, treat it as a network name, not a
secret. Some base stations have additional functionality, including routers and
built-in DHCP servers. There are even some integrated units that act as a wireless
access point, firewall, and router for home and small business users.
Figure 10.2 Network Threats with Wireless Networking (diagram: as in Figure 10.1, with
a wireless access point on the local LAN and laptops attached to it, so attacks now
also arrive over the air, bypassing the firewall)
You set up a wireless network node by installing a wireless network interface card
(NIC) in a computer. A wireless NIC comes in several forms: It can be a card that goes
in a PC slot, a PCMCIA card, an external USB device, and now even a compact flash format
for the smaller slots in handheld computers. An 802.11 wireless network in
infrastructure mode has an access point that acts as your bridge between the wired
Ethernet LAN and one or more wireless endpoints. The access point sends out "beacon"
broadcasts frequently (by default about ten times a second) to let any wireless node
in the area know that it is there. The beacon broadcasts act like a lighthouse,
inviting any wireless nodes in the area to associate. These beacon signals are part of
the problem with Wi-Fi. It is impossible to turn them off completely, which makes it
hard to hide the fact that you have a wireless network in your office. Anyone with a
wireless card can at least see your beacon signals if they are in range. Some access
points let you limit what goes out in these broadcasts, usually by leaving the SSID out
of the beacon, but the beacon itself, carrying the BSSID, still goes out, and the SSID
appears in the clear whenever a legitimate client associates.
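The following is an added example, not code from the book or from any of the tools it covers: it builds an 802.11 beacon frame the way an access point would send it and then parses it the way a passive scanner does, to show exactly what a listener learns without ever associating. The MAC addresses and network names are constructed, and a real capture would carry a radiotap header in front of the frame shown here; the frame layout itself (management header, fixed beacon fields, tagged information elements) is the standard one.

```python
"""Build and parse an 802.11 beacon frame: what a passive listener learns from the
access point's own broadcasts without ever associating.

Frame layout (management frame, no radiotap header here):
  frame control (2) | duration (2) | addr1 = receiver (6) | addr2 = transmitter (6) |
  addr3 = BSSID (6) | sequence control (2) | timestamp (8) | beacon interval (2) |
  capability info (2) | information elements: tag (1) | length (1) | value ...
All MAC addresses and network names below are constructed.
"""
import struct

FC_BEACON = 0x0080        # byte 0: type 00 (management), subtype 1000 (beacon)
BROADCAST = b"\xff" * 6
CAP_ESS = 0x0001          # capability bit 0: infrastructure network
CAP_PRIVACY = 0x0010      # capability bit 4: WEP/WPA required
HDR = struct.Struct("<HH6s6s6sH")   # 24-byte MAC header
FIXED = struct.Struct("<QHH")       # 12 bytes of fixed beacon fields


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool = True,
                 interval_tu: int = 100) -> bytes:
    """Construct a beacon like an AP would send it. ssid="" gives a 'hidden' SSID."""
    header = HDR.pack(FC_BEACON, 0, BROADCAST, mac_bytes(bssid), mac_bytes(bssid), 0)
    caps = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = FIXED.pack(0, interval_tu, caps)          # timestamp, interval, capabilities
    ssid_raw = ssid.encode()
    ies = bytes([0, len(ssid_raw)]) + ssid_raw        # element 0: SSID
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])      # element 1: rates 1, 2, 5.5, 11 Mbps
    ies += bytes([3, 1, channel])                     # element 3: DS parameter set (channel)
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Pull out what NetStumbler or Kismet would show for this frame."""
    fc, _dur, _addr1, _addr2, addr3, _seq = HDR.unpack_from(frame, 0)
    if (fc & 0x00FF) != FC_BEACON:                    # low byte holds type/subtype
        raise ValueError("not a beacon frame")
    _ts, interval_tu, caps = FIXED.unpack_from(frame, HDR.size)
    elements = {}
    off = HDR.size + FIXED.size
    while off + 2 <= len(frame):                      # walk the tag/length/value list
        tag, length = frame[off], frame[off + 1]
        elements[tag] = frame[off + 2:off + 2 + length]
        off += 2 + length
    ssid = elements.get(0, b"")
    return {
        "bssid": mac_str(addr3),                      # always present: the AP cannot hide it
        "ssid": ssid.decode(errors="replace"),
        "hidden": len(ssid) == 0,                     # "SSID broadcast disabled" looks like this
        "channel": elements[3][0] if 3 in elements else None,
        "privacy": bool(caps & CAP_PRIVACY),          # False means an open network
        "interval_us": interval_tu * 1024,            # 1 TU = 1024 microseconds
    }


if __name__ == "__main__":
    for frame in (build_beacon("00:11:22:33:44:55", "corpnet", 6),
                  build_beacon("00:11:22:33:44:66", "", 11, privacy=False)):
        print(parse_beacon(frame))
```

The second frame is what an access point with "SSID broadcast disabled" sends: the name is blank, but the BSSID, channel, and the fact that the network is open are all still there, which is why hiding the SSID does not hide the network.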
Table 10.1 802.11 Wireless Standards
Standard   Description
802.11a    This version of the standard uses the 5 GHz band, which is a less crowded
           spectrum and is less likely to have interference problems. The theoretical
           maximum for this technology is 54Mbps, which is a huge amount of bandwidth,
           but most applications in the field do not get nearly that much.
802.11b    This is currently the most popular wireless standard. It uses the 2.4 GHz
           band, which Bluetooth and other consumer devices also use. It offers up to
           11Mbps of bandwidth, although practical applications under less than
           optimal conditions usually yield about half of that.
802.11g    A newer release, this standard provides up to 54Mbps of bandwidth, but in
           the same 2.4GHz spectrum as 11b. It is also backward compatible with 11b
           hardware.
802.11i    This is a security amendment to 802.11 rather than a new radio standard: it
           replaces the broken WEP encryption with stronger encryption and
           authentication (sold under the WPA2 name). It was approved by the IEEE in
           June 2004, and products using it should be available in late 2004.