Module 16: Hacking Wireless Networks
Wi-Fi Authentication process using a centralized authentication server
1) A centralized authentication server knowns as the remote authentication dial in user service (RADIUS) sends authentication keys to both the AP and client that require authentication with the AP 2) This key enables the AP to identify a particular wireless client
Service Set Identifier (SSID)
1) A human-readable text string with a maximum length of 32 bytes 2) A token to identify an 802.11 (Wi-Fi) network; by default, it is the part of the frame header sent over a WLAN 3) It acts as a single shared identifier between the APs and clients 4) Security concerns arise when the default values are not changed as these units can be compromised 5) If the SSID of the network is changed, reconfiguration of the SSID on every host is required as every user of the network configures the SSID into their system 6) A non-secure access mode allows clients to connect to the AP using the configured SSID, a black SSID, or an SSID configured as "any" 7) The SSID remains secret only on the closed networks with no activity that is inconvenient to the legitimate users
Rouge AP attack
1) A rouge wireless AP placed into an 802.11 network can be used to hijack the connections of legitimate network users 2) When the user turns on the computer, the rouge wireless AP will offer to connect with the network user's NIC 3) All the traffic the user enters will pass through the rouge AP, thus enabling a form of wireless packet sniffing
Wi-Fi Protected Access (WPA) Encryption
1) A security protocol defined by 803.22i standards; it uses a Temporal key Integrity Protocol (TKIP) that utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit MIC integrity check to provide stronger encryption and authentication 2) WPA uses TKIP to eliminate the weakness of WEP by including per-packet mixing functions, message integrity checks, extended initialization vectors, and re-keying mechanisms
Wired Equivalent Privacy (WEP) Encryption
1) A security protocol defined by the 802.11b standard; it was designed to provide a wireless LAN with a level of security and privacy comparable to that of a wired LAN 2) Uses a 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity of wireless transmissions 3) It has significant vulnerabilities and design flaws and can therefore be easily cracked
Sniffing Wireless Traffic
1) A type of eavesdropping wherein attackers capture all ongoing wireless communications 2) An attacker needs to enable monitor mode on their Wi-Fi cards 3) Attackers analyze the captured traffic to perform further attacks on the target network 4) Attackers use tools, such as Wireshark with Npcap, SteelCentral Packet Analyzer, OmniPeek Enterprise, CommView for Wi-Fi, and Kismet. to sniff the wireless network
Sinkhole Attack
1) A variant of selective forwarding attack where the attacker uses a malicious node and advertises this node as the shortest possible route to reach the base station 2) An attacker places the malicious node near the base station to attract all the neighboring nodes with fake routing information and further performs data forging attack
Launch of Wireless Attacks: Evil Twin
1) A wireless AP that pretends to be a legitimate AP by replicating another network name 2) Attackers set up a rouge AP outside the corporate perimeter and lures users to sign into the wrong AP 3) Once associated, users may bypass the enterprise security policies, giving attackers access to network data 4) Evil Twin can be configured with a common residential SSID, hotspot SSID, or a company's WLAN SSID
Misconfigured AP Attack
1) APs are configured to broadcast SSIDs to authorized users 2) To verify authorized users, network administrators incorrectly use the SSIDs as passwords 3) SSID broadcasting is a configuration error that enable intruders to steal an SSID and cause the AP assume they are allowed to connect
Key Reinstallation Attack (KRACK)
1) All secure Wi-Fi networks use the 4-way handshake process to join the network and generate a fresh encryption key that will be used to encrypt key that will be used to encrypt the network traffic 2) The KRACK attack works by exploiting the 4-way handshake of the WPA2 protocol by forcing Nonce reuse 3) KRACK works against all modern protected WI-Fi networks and allows attackers to steal sensitive information, such as credit card numbers, passwords, chat message, emails and photos
Jamming Signal Attack
1) All wireless networks are prone to jamming 2) This jamming signal causes a DoS because 802.11 is a CSMA/CA protocol whose collision avoidance algorithms require a period of silence before a radio is allowed to transmit 3) An attacker stakes out the are from a nearby location with a high-gain amplifier drowning out the legitimate AP 4) Users simply cannot get through to log in or they are knocked off their connections by the overpowering nearby signals
Wi-Fi Authentication Modes
1) Any wireless device can be authenticated with the AP, thus allowing the device to transmit data only when its WEP key matches to that of the AP 2) The station and AP use the same WEP key to provide authentication, which means that this key should be enabled and configured manually on both the AP and client
Client Mis-association
1) Attacker sets up a rouge AP outside the corporate perimeter and lures the employees of the organization to connect with it 2) Once associated, attackers may bypass the enterprise security policies
Launch of Wireless Attacks: Man-in-the-Middle Attack
1) Attacker sniffs the victim's wireless parameters 2) Sends a deauthentication request to the victim with the spoofed source address of the victim's AP 3) Victim is deauthenticated and starts to search all channels for a new valid AP 4) Attacker sets a forged AP on a new channel with the original MAC address and ESSID of the victim's AP 5) After the victim's successful association to the forged AP, the attacker spoofs victim to connect to the original AP 6) Attacker sits in between the AP and the victim and listens to all the traffic
Launch of wireless attacks: Wireless ARP Poisoning Attack
1) Attacker spoofs the MAC address of Jessica's wireless laptop and attempts to authenticate to AP1 2) AP1 sends updated MAC address info to the network routers and switches, which in turn update their routing and switching tables 3) Traffic now destined from the network backbone to Jessica's system is no longer sent to AP2
MAC Spoofing Attack
1) Attackers change the MAC address to that of an authenticated user to bypass the MAC filtering configured in AP 2) The attacker needs to set the value returned from ifconfig to another hex value in the format of aa:bb:cc:dd:ee:ff 3) Attaackers use MAC spoofing tools, such as Technitium MAC Address Changer and MAC Address Changer, to change the MAC address
GPS Mapping
1) Attackers create a map of discovered Wi-Fi networks and database with statistics collected by Wi-Fi discovery tools 2) GPS is used to track the location of the discovered Wi-Fi networks, and the coordinates are uploaded to sites like WiGLE
Types of wireless antennas
1) Directional Antenna 2) Omnidirectional Antenna 3) Parabolic Grid Antenna 4) Yagi Antenna 5) Diploe Antenna 6) Reflector Antenna
WPA3 Encryption Cracking
1) Dragonblood is a set of vulnerabilities in the WPA3 security standard that allows attackers to recover keys, downgrade security mechanisms, and launch various information-theft attacks 2) Attackers can use various tools, such as Dragonslayer, Dragonforce, Dragondrain, and Dragontime, to exploit these vulnerabilities and launch attacks on WPA3-enabled networks
Wireless Traffic Analysis
1) Enables attackers to identify vulnerabilities and susceptible victims in a target wireless network 2) This helps to determine the appropriate strategy for a successful attack 3) Attackers analyze a wireless network to determine the broadcast SSID, presence of multiple access points, possibility of recovering SSIDs, authentication method used, WLAN encryption algorithms, etc. 4) Attackers use Wi-Fi packet analyzer tools, such as AirMagnet WiFi Analyzer, Wireshark, SteelCentral Pacck Analyzer, OmniPeek Enterprise, and CommView for Wi-Fi, to capture and analyze the traffic of a target wireless network
Wormhole Attack
1) Exploits dynamic routing protocols, such as DP and AODV 2) An attacker locates himself strategically in the target network to sniff and record the ongoing wireless transmission 3) An attacker creates a tunnel to forward the data between the source and destination node
Type of wireless networks
1) Extension to a wired network 2) Multiple Access Points 3) LAN-to-LAN wireless network 4) 3G/4G hotspot
AP MAC Spoofing
1) Hacker spoofs the MAC address of WLAN client equipment to mask as an authorized client 2) Attacker connects to AP as an authorized client and eavesdrops on sensitive information
WAP2-Enterprise
1) It includes EAP or RADIUS for centralized client client authentication using multiple authentication methods, such as token cards, and Kerberos 2) Users are assigned login credentials by a centralized server, which they must present when connecting to the network
WPA3-Personal
1) It is mainly used to deliver password-based authentication using the SAE protocol, also known as Dragonfly Key Exchange 2) It is resistant to offline dictionary attacks and key recovery attacks
WPA-3 Enterprise
1) It protects sensitive data using many cryptographic algorithms 2) It provides authenticated encryption using GCMP-256 3) It uses HMAC-SHA-384 to generate cryptographic keys 4) It uses ECDSA-384 for exchanging keys
WPA2 Personal
1) It uses a set-up password (pre-shared key, PSK) to protect unauthorized network accesses 2) In PSK mode, each wireless network device encrypts the network traffic using a 128-bit key, which is derived from a passphrase of 8 to 63 ASCII characters
Wireless network
1) Refers to WLANs based on IEE 802.11 standard, which allows the device to access the network from from anywhere within an AP range 2) Devices, such as personal computer, video-game console, and smartphone, use Wi-Fi to connect to a network resource, such as the Internet, via a wireless network AP
Wi-Fi Network Discovery Through WarDriving
1) Register with WiGLE and download the map packs of you area to view the plotted APs on a geographical map 2) Connect the antenna or GPS device to the laptop via a USB serial adapter and board a car 3) Install and launch NetStubmler and WiGLE client software, and turn on the GPS device 4) Drive the car at speed of 35 mph or below 5) Capture and save the NetStumbler log files, which contain the GPS coordinates of the APs 6) Upload this log file to WiGLE, which will then automatically plot the points onto a map
Launch of wireless Attacks: Detection of Hidden SSIDs
1) Run alrmon-ng in monitor mode 2) Step airodump-ng to discover SSIDs on interface 3) De-authenticate the client to reveal hidden SSID using Aireplay-ng 4) Switch to airodump to see the revealed SSIS
Unauthorized Association
1) Soft APs are client cards for embedded WLAN radios in some PDAs and laptops that can be launched inadvertently or through a virus program 2) Attackers infect a victim's machine and activate soft APs, thus allowing them unauthorized connection to the enterprise network 3) Attackers connect to enterprise networks through soft APs instead of the actual APs
Wi-Fi Encryption Cracking: WEP Encryption Cracking
1) Start the wireless interface in monitor mode on the specific AP channel 2) Test the injection capability of the wireless device to the AP 3) Use a tool, such as aireplay-ng, to do a fake authentication with the AP 4) Start a Wi-Fi sniffing tool, such as airodump-ng, with a BSSID filter to collect unique IVs 5) Start a Wi-Fi packet encryption tool, such as aireplay-ng, in ARP request replay mode to inject packets 6) Run a cracking tool, such as aircrack-ng, to extract encryption keys from the IVs
Wi-Fi Discovery: Finding Wi-Fi Networks in Range to Attack
1) The first task an attacker will go through when searching for Wi-Fi targets is checking the potential networks that are in range to find the best one to attack 2) Attackers use various Wi-Fi Chalking techniques, such as WarWalking, WarChalking, WarFlying, and WarDriving to find the target Wi-Fi network to attack 3) Drive around with Wi-Fi enabled laptop installed with a wireless discovery tool and map out active wireless networks
aLTEr Attack
1) Usually performed on LTE devices 2) Attacker installs a virtual (fake) communication tower between two authentic endpoints intending to mislead the victim 3) This virtual tower is used to interrupt the data transmission between the user and real tower attempting to hijack the active session
Launch of Wireless Attack: Fragmentation Attack
1) When a fragmentation attack is successful, it can obtain 1500 bytes of pseudo random generation algorithm (PRGA) 2) This attack does not recover the WEP key itself, but merely obtains the PRGA 3) The PRGA can then be used to generate packets with packetforge-ng, which are in turn used for various injection attacks 4) It requires at least one data packet to be received from the AP to initiate the attack
Denial-of-Service attack
1) Wireless DoS Attacks disrupt wireless network connections by sending broadcast "de-authenticate" commands 2) Transmitted deauthentication forces clients to disconnect from the AP
Wireless Security Layers
1) Wireless Signal Security 2) Data protection 3) Connection Security 4) Network protection 5) Device security 6) End-user protection
Reflector Antennas
Used to concentrate EM energy, which is radiated or received at a focal point
Bluetooth Stack
1) A short-range wireless communication technology that replaces the cables connecting portable or fixed devices while maintaining high levels of security 2) It allows devices to share data over short distances
Creating of a Rouge AP using MANA Toolkit
1) Modify the hostapd-mana.conf MANA's configuration file using any text editor to setup a fake AP 2) Modify the start-nat-simple.sh script used to launch the rouge AP 3) Execute the script file start-nat-simple.sh using the bash command 4) After the rouge AP is up, use a Windows machine or mobile device to connect to the rouge AP 5) In the Wi-Fi enabled device, search for the Internet connection that is not password-protected and connect to it 6) All the data packets from your machine flow through the rouge AP; now you can use tools, such as tcpdump and Wireshark, to capture and analyze the packets
Defense Against WPA/WPA2/WPA3 Cracking
1) Passphrases 2) Client settings 3) Additional control
Diploe Antenna
A bidirectional antenna used to support client connections rather than site-to-site applications
Launch of Wireless Attacks: Rouge APs
A rouge AP provides backdoor access to the target wireless network
Yagi Antenna
A unidirectional antenna commonly used in communications for a frequency band of 10MHz to VHF and UHF
WPA3 Encryption
An advanced implementation of WPA2 providing trailblazing protocols and uses the AES-GCMP 256 encryption alogorithm
WPA2 Encryption
An upgrade to WPA, and it includes mandatory support for counter mode with cipher block chaining message authentication code protocol (CCMP), an AES-based encryption mode with strong security
Honeypot AP attack
Attackers traps victim using fake hotspots
Parabolic Grid Antenna
Based on the principle of a satellite dish but lacks a solid backing; can pick up Wi-Fi signals from ten miles or more
WPA/WPA2 Brute Forcing
Fern Wifi Cracker is a wireless security auditing and attack software that can crack and recover WEP/WPA/WPS keys
Wireless Intrusion Prevention Systems
Protect networks against wireless threats and enable administrators to detect and prevent various network attacks
Omnidirectional Antenna
Provides a 360-degree horizontal radiation pattern; used in wireless base stations
Bluetooth Hacking
Refers to the exploitation of Bluetooth stack implementation vulnerabilities to compromise sensitive data in Bluetooth-enabled devices and networks
Bluejacking
The activity of sending anonymous messages over Bluetooth to Bluetooth-enabled devices, such as laptop and mobile phones, via the OBEX protocol
Directional Antenna
Used to broadcast and obtain radio waves from a single direction
WEP Cracking
Wesside-ng first identifies a network, and then proceeds to associate with it. He then obtains the PRGA and XOR data, determines the network IP scheme, reinjects the ARP request, and finally determines the WEP key