16. Hacking Wireless Networks

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Authentication Attacks

PSK Cracking LEAP Cracking VPN Login Cracking Domain Login Cracking Key Re-installation Attack Identity Theft Shared Key Guessing Password Speculation Application Login Theft

Direct- sequence Spread Spectrum DSSS

spread spectrum technique that multiple the original data signal with a pseudo random noise spearing code.

EAP

supports multiple authentication methods, such as token cards, Kerberos, certificates

AES

symmetric encryption used in WAP2 as a replacement of TKIP

Aircracking -ng Suite

www.aircrack-ng.org Airbase-ng - capture WPA/WPA2 handshake and can act as an ad-hoc Access Point Aircrack-ng - Defacto WEP and WPA/WPA2-PSK cracking tool Airdecap-ng dectype WEP/WPA/WPA2 and can be used to strip the wireless headers from Wifi packets. Airdeclock-ng removes WEP cloaking from a pcap file Airdriver-ng provides status info about the wireless drivers on your system Airdrop-ng this program is used for targeted, rule based de-authentication of users Aireplay-ng used for traffic generation, fake authentication, packet replay, and ARP request injection Airgraph-ng creates client to AP relationship and common probe graph from airodump Airodump-ng used to capture packets of raw 802.11 frames and collect WEP IVs Airoliib-ng store and manage essid and password lists used in WPA/WPA2 cracking Airserv-ng allows multiple programs to independently use a wifi card via a client server TCP connection Airmon-ng used to enable monitor mode on wireless interfaces from managed mode and vice versa Airtun-ng injects frames into a WPA TKIP network with QoS, and can recover MIC key and keystrim from wifi traffic Easside-ng allows you to communicate via a WEP encrypted access point AP without knowing the WEP key. Packetforge-ng used to create encrypted packets that can subsequently be used for injection Tkiptun-ng creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network Wesside-ng incorporates a number of techniques to seamlessly obtain a WEP key in minutes

WEP

Encryption algorithm for IEEE 802.11 wireless networks Security protocol uses a 24 bit initialization vector IV to form stream cipher RC4 for confidentiality and the CRC 32 checksum for integrity of wireless transmission

802.11d

Enhanced version of 802.11a and 802.11b. The standard supports regulatory domains. The particulars of this standard can be set at the media access control MAC layer.

Weak Initialization Vectors

1. in the RC4 algorithm, the Key Scheduling Algorithm creates an IV based on the base key. 2. the IV value is too short and not protected from reuse and no protection again message replay 3. a flaw in the WEP implementation of RC4 allows week IVs to be generated 4. the way the key stream is constructed from the IV makes it susceptible to weak key attacks 5. those weak IVs reveal info about the key bytes they were derived from 6. no effective detection of message tampering 7. an attack will collect enough weak IVs to reveal bytes of the base key 8. it directly uses the master key and has no built-in provision to update the keys

Discover WiFI Network Using Wardriving

1. register with WIGLE and download map packs of your area to view the plotted access point on a geographic map 2. connect the antenna, GPS device to the laptop via a USB serial adapter and board a car 3. install and launch NetStumpler and WIGLE client software and turn on the GPS deivce 4. drive the car at speeds of 35 mph or below (at higher speeds, wifi antenna will not be able to detect wifi spots 5. capture and save the NetStumbler log file that contains GPS coordinates of the access points 6. upload this log file to WIGLE, which will then automatically plot the points onto a map

TKIP

A security protocol used in WPA as a replacement for WEP

Availability Attacks

Access Point Theft Disassociation Attacks EAP-Failure Beacon Flood Denial of service De-authenticate Flood Routing Attacks Authenticate Flood ARP Cache Poisoning Attack Power Saving Attacks TKIP MIC Exploit

WiFi Traffic Analyzer Tools

AirMagnet Wifi Analyzer http://enterprise.netscout.com

Wifi USB Dongle: AirPcap

AirPcap adapter captures full 802.11 data, management, and control frames that can be viewed in Wireshark for in depth protocol dissection and analysis AirPcap software can be configured to decrypt WEP/WPA encrypted frames

Wardriving Tools

Airbase-ng https://aircrack-ng.org MacStumbler www.macstumbler.com AirFart https://sourcefart.net 802.11 Network Discovery Tools https://sourceforge.net G-MoN https://play.google.com

GPS Mappingq

Attackers create map of discovered WiFI networks and create a database with statistics collected by WiFI discovery tools GPS is used to track the location of the discovered WiFi networks and the coordinates are uploaded to sites like WiGLE Tools: WiGLE Skyhook

BSSID

Basic Service Set Identifier.

Dipole Antenna

Bidirectional antenna, used to support client connections rather than site-to-site applications

WEP Issues

CRC32 is not sufficient to ensure complete cryptographic integrity of a packet IVs are 24 bits Known plaintext attacks Dictionary attacks Denial of Service Eventually, an attacker can construct a decryption table of reconstructed key streams A lack of centralized key management makes it difficult to change WEP keys with any regularity IV is a value that is used to randomize the key stream value and each packet has an IV value The standard does not dictate that each packet must have a unique IV, so vendors use only a small part of the available 24-bit possibilities Use of RC4 was designed to be a one time cipher and not intended for multiple message use. An attacker can construct a decryption table of the reconstructed key stream and can use it to decrypt the WEP packets in real time.

WEP Cracking

Cain & Abel is password recovery tool for Windows. The WEP cracker utility in Cain implements statistical cracking and the PTW cracking method for the recovery of WEP key.

WPA Brute Forcing

Cain's new version also ships routing protocols, authentication monitors and routes extractors, dictionary and brute force crackers for all common hashing algorithms and for several specific authentications, password/ hash calculators, cryptanalysis attacks, password decoders, and some not so common utilities related to network and system security.

Bluemacking

DOS attack which overflows Bluetooth enabled devices with random packets causing the device to crash.

Integrity Attacks

Data Frame Injection WEP Injection Bit-Flipping Attacks Extensible AP Replay Data Replay Initialization Vector Replay Attacks RADIUS Replay Wireless Network Viruses

802.15.5

Deploys itself on a full mesh or a half mesh topology. It includes network initialization, addressing, and unicasting.

Bluetooth Modes

Discoverable Modes: Discoverable - other devices are visible to other Bluetooth enabled devices. Limited discoverable - it is onoly for limited period, specific period, or during temporary conditions. Non-discoverable - devices do not appear on the list during a Bluetooth. Pairing Modes: Non-pairable mode - device reject the pairing request sent by any device. Pairable mode - Bluetooth device accepts the pairing request upon request and establishes a connection with the pair requesting device.

Confidentiality Attacks

Eavesdropping Traffic Analysis Cracking WEP Key Evil Twin AP Honeypot Access Point Session Hijacking Masquerading Man-in-the-Middle Attack

WEP/WPA Cracking Tools

Elcomsoft Wireless Security Auditor www.elcomsoft.com WepAttack http://wepattack.sourceforge.net Wesside-ng www.aircrack-ng.org

Launch Wireless Attacks: Evil Twin

Evil Twin is a wireless AP that pretends to be a legitimate AP by replacing another network name Attacker sets up a rogue AP outside the corporate perimeter and lures user to sign into the wrong AP Once associated, users may bypass the enterprise security policies giving attackers access to network data Evil Twin can be configured with a common residential SSID hotspot SSID and SSID company's WLAN

Types of Wireless Networks

Extension to a Wired Network Multiple Access Points LAN-to-LAN Wireless Network 3G/4G hotspot

De-authentication attack

Force the connected client to disconnect, then capture the re-connect and authentication packet using tools such as airplay, you should be able to re-authenticate in a few seconds then attempt to Dictionary Brute force the PMK

Frequency-hopping spread spectrum FHSS

Frequency Hopping Code Division Multiple Access FH-CDMA, method of transmitting radio signal by rapidly switching a carrier among many frequency channels

802.15.4 ZigBee

Has low data rate and complexity. ZigBee transmits long distance data through a mesh network. Its data rate is 250 kbit/s.

Wireless Traffic Analysis

Helps in determining the appropriate strategy for a successful attack Attackers analyze a wireless network to determine broadcast SSID, presence of multiple access points, possibility of recovering SSIDs, authentication method used, WLAN encryption algorithms Attackers use WIFI packet sniffing tools such as Wireshark, SteelCentral Packet Analyzer, omniPeek Enterprise, CommView wifi, to capture and analyze the traffic of a target wireless network

Service Set Identifier SSID

Human readable text string with a maximum length of 32 bytes. SSID is a token to identify 802.11 WIFI network. It acts as a single shared identifier between the access points and client. Security concerns arise when the default values are not changed, as these units can be compromised. If SSID of the network is changed the recognition of the SSID on every host is required. A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, and a SSID that configured as any. The SSID remains secret only on the closed networks with no activity that is inconvenient to the legitimate users.

Wireless Standards

IEE Standard 802.11 has evolved from a basic wireless extension to the wired LAN into a mature protocol that supports enterprise authentication, strong encryption, and quality of service.

802.11i

IEEE 802.11i standard improves WLAN security by implementing new encyption protocol such as TKIP an AES.

802.16

IEEE 802.16 standard is a wireless communications standard designed to provide multiple physical layer and Media Access Control options. Knows WiMax.

802.11b

IEEE expanded the 802.11 by creating 802.11b specifications in 1999. 2.4 GHz ISM band and it supports bandwidth up to 11 Mbps

802.11n

IEEE is a revision that enhnaces the earlier 802.11g standards with multiple-input multiple output MIMO antennas. Work in both 2.4 GHz and 5 GHz bands. It is for wifi local network transportation. DAB and OFDM.

802.11ad

Involves the inclusion of a new physical layer for 802.11 networks. The standard works on the 60 GHz spectrum.

Bandwidth

It describes the amount of information that may be broadcaster over a connection. Data transfer rate. The unit measuring the bandwidth is bits per second.

RADIUS

It is a centralized authentication and authorization management system

LEAP

It is a proprietary version of EAP developed by Cicso

PEAP

It is a protocol, which encapsulates the EAP within an encrypted and authenticated Transport Layer Security tunnel

802.11i

It is an IEEE amendment that specifies security mechanism for 802.11 wireless networks

WPA

It is an advanced wireless encryption protocol using TKIP and MIC to provide stronger encryption and authentication. WPA uses TKIP to emliminate the weaknesses of WEP by including per-packet mixing functions, message integrity checks, extended initialization vector, and re-keying mechanisms.

802.11g

It is an extension of 802.11 and supports a mazimum bandwidth of 54 Mpbs using the OFDM technology and uses the same 2.4 GHz band as 802.11b.

Parabolic Grid Antenna

It is based on the principle of a satellite dish but it does not have a solid backing. The can pick up wifi signals 10 miles or more.

802.11a

It is the second extension to the original 802.11 and it operates in the 5 GHz frequency band and supports bandwidth up to 54 Mbps by using OFDM.

IEEE 802.11e

It is used for real time applications such as voice, ViIP and video. It defines mechanisms to ensure Quality of service to Layer 2 of the reference mode, the medium access layer, or MAC.

Omnidirectional Antenna

It provides 360 degree horizontal radiation pattern. It is used in wireless base stations.

802.11ac

It provides a high throughput network at the frequency of 5 GHz. It involves Gigabit networking that provides an instantaneous data transfer experience.

WiFI Sniffer

Kismet www.kismetwireless.net Tcpdump www.tcpdump.org SmartSniff www.nirsoft.net

802.15.1 Bluetooth

Mainly used for exchanging data over short distances on fixed and mobile devices. Works on a 2.4 GHz band.

Orthogonal Frequency-division Multiplexing

Method of digital modulation of data in which a signal, at a chosen frequency, it split into multiple carrier frequencies that are orthogonal to each other.

BlueSnif

Proof of concept code for a Bluetooth wardriving utility

Wireless Networks

Refers ti wireless local area networks based on IEEE 802.11 standard where it allows the device to access the network from anywhere within range of an access point.

Reflector Antennas

Reflector antennas are used to concentrate EM energy which is radiated or received at a focal point.

Bluebugging

Remotely accessing the Bluetooth enabled devices and using its features

RF Monitoring Tools

Sentry Edge II www.tek.com Network Manager https://wiki.gnome.org xosview http://xoview.sourceforge.net CPRIAdvisor www.viavisolutions.com sigX www.kratoscomms.com

SSID

Service Set Identifier. 32 alphanumeric character unique identifier given to wireless local area network that acts as a wireless identifier on the network.

BluePrinting

The art of collecting info about Bluetooth enabled device such as manufacture, device model and firmware version

Perform Spectrum Analysis

Spectrum analysis of wireless network helps an attacker to actively monitor the spectrum usage in a particular usage in a particular area and detect the spectrum signal of target network It helps the attacker to measure the power of the spectrum of known and unknown signals Attackers use spectrum analysis tools such as Ekahau Spectrum Analyzer to perform spectrum analysis

802.12

This standard dominates media utilization by working on the domain priority protocol. Speed increases to 100 Mbps.

Directional Antenna

Used to broadcast and obtain radio waves from a single direction

WPA PSK

Uses a user defined password to initialize the TKIP, which is not crack able as it is a per packet keys but the keys can be brute forced using dictionary attacks

802.15

Ut defines the standard for a wireless personal areas network WPAN. It describes the specification for wireless connectivity with fixed or portable devices.

WEP/WPA Cracking Tool for Mobile

WIBR - WIFI BRUTEFORCE HACK https://auradesign.cz WIFI WSP WPA TESTER https://play.google.com

WIFI Chalking Techniques

WarWalking - attacker walk around with WiFi enabled laptops to detect open wireless networks WarChalking - a method used to draw symbols in public places to advertise open WiFi networks WarFlying - attackers use drones to detect open wireless networks WarDriving - attackers dive around with wifi enable laptops to detect open wireless networks

Access Control Attacks

Ware Driving Rogue Access Points MAC Spoofing AP Misconfiguration Ad Hoc associations Promiscuous Client Client Mis-association Unauthorized Association

Spectrum Analyzing Tools

Wi-Spy and Chanalyzer www.metageek.com AirMagnet Spectrum XT https://enterprise.netscout.com Cisco Spectrum Expert www.cisco.com USB Spectrum Analyzer www.tek.com

WiFi Hotspot Finder Tools

WiFi Finder Homedale::WiFi/WLAN Monitor Avast Wifi Finder Open Wifi Open Wifi Finder Free WiFi finder Fing - Network Tools

802.11

Wifi applies to wireless LAN and uses FHSS or DSSS as the frequency-hopping spectrum. It allows the electronic device to connect to using a wireless connection that is established any network.

Mobile-based Wifi discovery tools

WifiExplorer http://nutsaboutnets.com Wifi Manager OpenSignalMaps Network Signal Info Pro WIfiFoFum WiFinder

Wireless Security Layers

Wireless Signal Security Connection Security Device Security Data Protection Network Protection End-user Protection

Raw Packet Capturing Tools

WirelessNetwork View https://nirsoft.net PRTG network Monitor https://www.paessler.com Tcpdump www.tcpdump.com RawCap www.netresec.com

Wifi Packet Sniffer

Wireshark with AIrPcap SteelCentral Packet Analyzer OmniPeek Enterprise CommView for WiFi

Yagi Antenna

Yagi is a underectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF

Brute-Force WPA Keys

You can use tools sucha s aircrack, aireplay, KisMAC to brute-force WPA Keys

OffLine Attack

You only have to be near the AP for a matter of seconds in order to capture the WPA/WPA2 authentication handshake, by capturing the right type of packets, you can crack WPA keys offline

Wifi Discovery Tools

inSSIDer Office www.metageek.com

WPA2 Enterprise

it integrates EAP standard with WPA2 encryption

CCMP

it is an encryption protocol used in WPA2 for stronger encryption and authentication

WPA2

it is an upgrade to WPA using AES and CCMP for wireless data encryption. Is upgrade to WPA it includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol CCPM, and AES based encryption mode with strong security.


Ensembles d'études connexes

Negotiable Instruments Law Codal

View Set

Order of events: French Revolution

View Set

Chemistry Unit 7 Quizzes 1-3 (Monarch)

View Set

(6) The Structure of the Constitution's Protections of Individual Liberties

View Set