CEH Module 16: Hacking Wireless Networks
Access Control Attack: Client Mis-association
A security flaw that can occur when a network client connects with a neighboring AP This is because the WLAN signals travel in the air, through walls and other obstructions. Happen for a number of reasons such as -misconfigured clients -insufficient coverage of corporate Wi-Fi -lack of Wi-Fi policy restrictions on use of internet in the office - ad-hoc connections that administrators do not manage very often -attractive SSIDs
ISM Band
A set of frequencies for the international industrial, scientific, and medical communities
Bluetooth Stack
A short-range wireless communication technology that replaces the cables connecting portable or fixed devices while maintaining high levels of security. It allows mobile phones, computers, and other devices to exchange information. Two Bluetooth-enabled devices connect through the pairing technique. Has two parts, general purpose and embedded system
Access Control Attack: Promiscuous clients
Allow an attacker to transmit target network traffic through a fake AP. It is very similar to the evil twin threat on wireless network, in which an attacker launches an AP that poses as an authorized AP by beaconing the WLAN's SSID
Access Control Attack: War Driving
Also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere wireless LANS are detected either by sending probe requests over a connection or by listening to web beacons
Choosing to obtain Wi-Fi Cards
Requirements/ Consider o Determine the Wi-Fi requirements o Learn the capabilities of a wireless card o Determine the chipset of the Wi-Fi card o Verify the chipset capabilities o Determine the drivers and patches required
BSSID (basic service set identifier)
The MAC address of an access point (AP) or base station that has set up a Basic Service Set (BSS)
Association
The process of connecting a wireless device to an access point
Bluebugging
This is a Bluetooth attack in which an attacker gains remote access to a target Bluetooth-enabled device without the victim being aware of it. In this attack, an attacker sniffs sensitive information and might perform malicious activities such as intercepting phone calls and messages, forwarding calls and text messages, etc.
Bluejacking
This is the use of Bluetooth to send messages to users without the recipient's consent, similar to email spamming. It also uses OBEX protocol. Use BBProxy tool for an attack
Multiple APs
This type of network connects computers wirelessly by using multiple APs. If a single AP cannot cover an area, multiple APs or extension points can be established.
Wireless Pen Testing
Threat Assessment: Identify the wireless threats facing an organization's information assets. Upgrading Infrastructure: Change or upgrade existing infrastructure of software, hardware, or network design. Risk Prevention and Response: Provide comprehensive approach of preparation steps that can be taken to prevent inevitable exploitation. Security Control Auditing: To test and validate the efficiency of wireless security protections and controls. Data Theft Detection: Find streams of sensitive data by sniffing the traffic Information System Management: Collect information on security protocols, network strength, and connected devices
Access point (AP or wireless AP)
A device that receives the signals and transmits signals back to wireless network interface cards (NICs). Used to connect wireless devices to a wireless/wired network. It allows wireless communication devices to connect to a wireless network through wireless standards such as Bluetooth and Wi-Fi. It serves as a switch or hub between the wired LAN and wireless network.
BluePrinting
A footprinting technique performed by an attacker in order to determine the make and model of the target Bluetooth-enabled device
Service Set Identifier (SSID)
A 32 alphanumeric character unique identifier given to wireless local area network (WLAN) that acts as a wireless identifier on the network. It permits connections to the required network among an available independent network. Devices connecting to the same WLAN should use the same SSID to establish the connection Identifies an 802.11 (Wi-Fi) network
Access Control Attack: Unauthorized Association
A major threat to a wireless network. -Prevention of this kind of attack depends on the method or technique that the attacker uses to get associated with the network It may take two forms: o Accidental association -involves connecting to the target network's AP from a neighboring organization's overlapping network without the victim's knowledge o Malicious association -done with the help of soft APs instead of corporate APs.
3G/4G Hotspot
A type of wireless network that provides Wi-Fi access to Wi-Fi-enabled devices including MP3 players, notebooks, tablets, cameras, PDAs, netbooks, and more.
AirMagnet Planner
A wireless network planning tool that accounts for building materials, obstructions, AP configurations, antenna patterns, and a host of other variables to provide a reliable predictive map of Wi-Fi signal and performance.
Component functions in a Cisco's Wireless IPS Deployment
APs in Monitor Mode: Provides constant channel scanning with attack detection and packet capture capabilities. Mobility Services Engine (running wireless IPS Service): The central point of alarm aggregation from all controllers and their respective wireless IPS Monitor Mode APs. Alarm information and forensic files are stored on the system for archival purposes. Local Mode AP(s): Provides wireless service to clients in addition to time-sliced rogue and location scanning. Wireless LAN Controller(s): Forwards attack information from wireless IPS Monitor Mode APs to the MSE and distributes configuration parameters to APs. Wireless Control System: Provides the means to configure the wireless IPS Service on the MSE, push wireless IPS configurations to the controller, and set APs into wireless IPS Monitor mode. It is also used for viewing wireless IPS alarms, forensics, reporting, and accessing the threat encyclopedia.
How to Defend Against Wireless Attacks: Configuration
Best practice o Change the default SSID after WLAN configuration. o Set the router access password and enable firewall protection. o Disable SSID broadcasts. o Disable remote router login and wireless administration. o Enable MAC Address filtering on your access point or router. o Enable encryption on access point and change passphrase often
BluetoothView
Bluetooth Hacking Tool A utility that monitor the activity of Bluetooth devices around you. For each detected Bluetooth device, it displays the information like device name, bluetooth address, major device type, minor device type, first detection time, last detection time, etc. It can also notify you when a new bluetooth device is detected.
WatchGuard WIPS
Defends your airspace 24/7 from unauthorized devices, rogue APs, and malicious attacks and with close to zero false positives. Features: o Defends Against Rogue Aps o Prevents Evil Twin o Shuts Down Denial-of-Service Attacks
War Driving Tools
Enable users to list all APs broadcasting beacon signals at their location. o Airbase-ng o MacStumbler o AirFart o 802.11 Network Discovery Tools o G-MoN
Access Control Attack: Rogue Access Point (AP)
In order to create a backdoor into a trusted network, an attacker may install this inside a firewall It is an access point installed on a trusted network without authorization. placed into an 802.11 network to hijack the connections of legitimate network users.
Shared Key Authentication Process
In this process, each wireless station receives a shared secret key over a secure channel that is distinct from the 802.11 wireless network communication channels.
How to Defend Against WPA/WPA2 Cracking
Passphrases -sniff the password PMK associated with the "handshake" authentication process, o Select a random passphrase that is not made up of dictionary words o Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals Client Settings o Use WPA2 with AES/CCMP encryption only o Properly set the client settings (e.g. validate the server, specify server address, do not prompt for new servers, etc.) Additional Controls o Use virtual-private-network (VPN) technology such as Remote Access VPN, Extranet VPN, Intranet VPN, etc. o Implement a Network Access Control (NAC) or Network Access Protection (NAP) solution for additional control over end-user connectivity
How to BlueJack a Victim
STEP 1 o Select an area with plenty of mobile users, like a café, shopping center, etc. o Go to contacts in your address book (You can delete this contact entry later). STEP 2 o Create a new contact on your phone address book. o Enter the message into the name field. Ex: "Would you like to go on a date with me?" STEP 3 o Save the new contact with the name text and without the telephone number. o Choose "send via Bluetooth". These searches for any Bluetooth device within range. STEP 4 o Choose one phone from the list discovered by Bluetooth and send the contact. o You will get the message "card sent" and then listen for the SMS message tone of your victim's phone.
Authentication Attacks
The objective of these attacks is to steal the identity of Wi-Fi clients, their personal information, login credentials, etc. to gain unauthorized access to network resources Type o PSK Cracking o LEAP Cracking o VPN Login Cracking o Domain Login Cracking o Identity Theft o Shared Key Guessing o Password Speculation o Application Login Theft o Key Reinstallation Attack
Honeypot Access Point (AP)
These APs mounted by the attacker are called "honeypot" APs. They transmit a stronger beacon signal than the legitimate APs. NICs searching for the strongest available signal may connect to the rogue AP. Setting an AP's SSID to be the same as that of a legitimate AP -Manipulating SSID ex: fake McDonald's network
BlueSniff
This Bluetooth attack is a proof of concept code for a Bluetooth wardriving utility. It is useful for finding hidden and discoverable Bluetooth devices. It operates on Linux.
Blue Snarfing
This Bluetooth attack uses OBEX to gaining access to sensitive data in a Bluetooth-enabled device. An attacker who is within range of a target can use special software to obtain the data stored on the victim's device.
Discovery Tools
inSSIDer Office WifiExplorer NetSurveyor Xirrus Wi-Fi Inspector Acrylic Wi-Fi Home WirelessMon Ekahau HeatMapper Vistumbler Wi-Fi Scanner Kismet iStumbler AirRadar 4 Wellenreiter NetStumbler AirCheck G2 Wireless Tester
Bluetooth hacking tools
o BTCrawler o BlueScan o bt_rng o Bluesnarfer o Bluetooth (JABWT) Browser o GATTack.io oBluediving o BluPhish o ubertooth o Btlejuice o Super Bluetooth Hack o CIHwBT o BH BlueJack o Bluez/I2ping
Pen Testing LEAP Unencrypted WLAN
o Check if the SSID is visible or hidden o If SSID is visible, sniff for IP range and then check the status of MAC filtering o If MAC filtering is enabled, spoof valid MAC using tools such as Technitium MAC Address Changer (TMAC), MAC Address Changer or Change MAC Address or connect to the AP using IP within the discovered range o If SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, and CommView for WiFi, associate the client, and then follow the procedure of visible SSID
Pen Testing WEP Encrypted WLAN
o Check if the SSID is visible or hidden o If SSID is visible, sniff the traffic and then check the status of packet capturing o If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng and WEPcrack, or else sniff the traffic again o If SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng and CommView for Wi-Fi, associate the client and then follow the procedure of visible SSID
How to Defend Against Wireless Attacks: Authentication
o Choose Wi-Fi Protected Access (WPA) instead of WEP. o Implement WPA2 Enterprise wherever possible. o Disable the network when not required. o Place wireless access points in a secured location. o Keep drivers on all wireless equipment updated. o Use a centralized server for authentication.
Wi-Fi Security Auditing Tools
o Cisco Adaptive Wireless Intrusion Prevention System (IPS) - offers advanced network security for dedicated monitoring and detection of wireless network anomalies, unauthorized access, and RF attacks o AirMagnet WiFi Analyzer o RFProtect o Fern Wifi Cracker o OSWA-Assistant o Zebra's AirDefense o FruityWifi
Wi-Fi Predictive Planning Tool
o Cisco Prime Infrastructure o AirTight Planner o LANPlanner o RingMaster Software o Ekahau Site Survey (ESS) o Connect EZ Turnkey Wireless LAN Bundle o TamoGraph Site Survey o NetSpot o Wi-Fi Designer
How to Defend Against Wireless Attacks
o Configuration Best Practices o SSID Settings Best Practices o Authentication Best Practices
Pen Testing for General Wi-Fi Network Attack
o Create a rogue access point o Deauthenticate the client using tools such as Karma and aireplay-ng, and then check for client deauthentication o If client is deauthenticated, then associate with the client, sniff the traffic and check if passphrase/ certificate is acquired, or else try to deauthenticate the client again o If passphrase is acquired, then crack the passphrase using the tool wzcook to steal confidential information or else try to deauthenticate the client again
Pen Testing LEAP Encrypted WLAN
o Deauthenticate the client using tools such as Karma and aireplay-ng o If client is deauthenticated, then break the LEAP encryption using tools such as Asleap, and THC-LEAPcracker to steal confidential information or else try to deauthenticate the client again
Pen Testing WPA/WPA2 Encrypted WLAN
o Deauthenticate the client using tools such as Karma and aireplay-ng. o If client is deauthenticated, sniff the traffic and then check the status of capturing EAPOL handshake or else try to deauthenticate the client again o If EAPOL handshake is captured, then perform PSK dictionary attack using tools such as coWPAtty and Aircrack-ng to steal confidential information or else try to deauthenticate the client again
How to Block Rogue AP
o Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP. o Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN.
Wireless Pen Testing Framework
o Discover wireless devices o If wireless device is found, document all the findings o If the wireless device is found using Wi-Fi network, then perform general Wi-Fi network attack and check if it uses WEP encryption o If WLAN uses WEP encryption, then perform WEP encryption pen testing or else check if it uses WPA/WPA2 encryption o If WLAN uses WPA/WPA2 encryption, then perform WPA/WPA2 encryption pen testing or else check if it uses LEAP encryption o If WLAN uses LEAP encryption, then perform LEAP encryption pen testing or else check if WLAN is unencrypted o If WLAN is unencrypted, then perform unencrypted WLAN pen testing or else perform general Wi-Fi network attack
Bluetooth Security Tools
o FruitMobile Bluetooth Firewall -protects your android device against all sorts of bluetooth attack from devices around you. It displays alerts when bluetooth activities occur. o Bluediving o Bluelog o Blooover II o Btscanner o BlueRange
Bluetooth Threats
o Leaking Calendars and Address Books: o Bugging Devices: o Sending SMS Messages: o Causing Financial Losses: o Remote Control: o Social Engineering: o Malicious Code: o Protocol Vulnerabilities:
How to Detect Rogue AP
o RF Scanning: Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area. o AP Scanning: Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface. o Using Wired Side Inputs: Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, CDP (Cisco discovery protocol) using multiple protocols
How to Defend Against KRACK Attacks
o Update all the routers and Wi-Fi devices with the latest security patches o Turn On auto updates for all the wireless devices and patch the device firmware o Avoid using public Wi-Fi networks o Browse only secured websites and do not access sensitive resource when your device is connected to an unprotected network o If you own IoT devices, audit the devices and do not connect to the insecure Wi-Fi routers o Always enable HTTPS Everywhere extension o Make sure to enable two factor authentication
How to Defend Against Wireless Attacks: SSID settings
o Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone. o Do not use your SSID, company name, network name, or any easy to guess string in passphrases. o Place a firewall or packet filter in between the AP and the corporate Intranet. o Limit the strength of the wireless network so it cannot be detected outside the bounds of your organization. o Check the wireless devices for configuration or setup problems regularly. o Implement an additional technique for encrypting traffic, such as IPSEC over wireless.
How to Defend Against Bluetooth Hacking
o Use non-regular patterns as PIN keys while pairing a device. Use those key combinations which are non-sequential on the keypad. o Keep BT in the disabled state, enable it only when needed and disable immediately after the intended task is completed. o Keep the device in non-discoverable (hidden) mode. o DO NOT accept any unknown and unexpected request for pairing your device. o Keep a check of all paired devices in the past from time to time and delete any paired device that you are not sure about. o Always enable encryption when establishing BT connection to your PC. o Set Bluetooth-enabled device network range to the lowest and perform pairing only in a secure area. o Install antivirus that supports host-based security software on Bluetooth-enabled devices. o Change the default settings of the Bluetooth-enabled device to a best security standard. o Use Link Encryption for all Bluetooth connections. o If multiple wireless communications are being used, make sure that encryption is empowered on each link in the communication chain.
WI-Fi Prevention System
o WatchGuard WIPS o Enterasys IPS o AirMagnet Enterprise o SONICWALL SONICPOINT N2 o SonicPoint Wireless Security Access Point Series o HP TippingPoint NX Platform NGIPS o AirTight WIPS o Network Box IDP o ZENworks® Endpoint Security Management o FortiGate next-generation firewalls
Wi-Fi Security Tools for Mobile
o Wifi Protector -detects and protects cell phones from all kinds of ARP attacks, such as DOS or MITM. o WiFiGurad - can work on both Root and Non-root devices o Wifi Inspector - finds all the devices connected to the network (both wired and Wi-Fi, whether consoles, TVs, pcs, tablets, phones, etc.), giving relevant data such as IP address, manufacturer, device name, and MAC Address.
Wi-Fi Vulnerability Scanning Tools
o Zenmap - a multi-platform GUI for the Nmap Security Scanner, which is useful for scanning vulnerabilities on wireless networks. o Nessus o Network Security Toolkit o Nexpose o WiFish Finder o Penetrator Vulnerability Scanner o SILICA o WebSploit o Airbase-ng
Bluetooth Hacking
o Blusmacking o Bluejacking o Blue Snarfing o BlueSniff o Bluebugging o BluePrinting o MAC spoofing Attack o MITM/Impersonation Attack
Spectrum Analyzing Tools
tools perform RF Spectrum Analysis and Wi-Fi troubleshooting. o Wi-Spy and Chanalyzer o AirMagnet Spectrum XT o Cisco Spectrum Expert o USB Spectrum Analyzer o AirSleuth-Pro o BumbleBee-LX Spectrum Analyzer o WiFi Surveyor
Footprinting
Passive-an attacker detects the existence of an AP by sniffing the packets from the airwaves. Active-In this method, the attacker's wireless device sends a probe request with the SSID to see if an AP responds.
Wireless Standards
*802.11 (Wi-Fi) applies to wireless LANs* o *802.11a* - 5 GHz, 54 Mbps by using Orthogonal Frequency Division Multiplexing (OFDM) -more sensitive to walls and other obstacles o *802.11b* - 2.4 GHz, 11 Mbps by using direct-sequence spread spectrum DSSS modulation. o *802.11d* is an enhanced version of 802.11a and 802.11b. -The standard supports regulatory domains. -Can be set at the media access control (MAC) layer o 802.11e: It is used for real-time applications such as voice, VoIP, and video. -Quality of Service (QoS) to Layer 2 o *802.11g* - 54 Mbps using the OFDM technology and uses the same 2.4 GHz band as 802.11b. - defines high-speed extensions to 802.11b. -compatible with the 802.11b standard o *802.11ac* - 5 GHz. -Faster and more reliable than the 802.11n - involves Gigabit networking that provides an instantaneous data transfer experience. o *802.11i* -improves WLAN security by implementing new encryption protocols such as TKIP and AES o *802.11ad* - 60 GHz -inclusion of a new physical layer -operating on 2.4 GHz and 5 GHz. - speed is much higher than that of 802.11n. o *802.15*: It defines the standards for a wireless personal area network (WPAN). It describes the specification for wireless connectivity with fixed or portable devices o *802.15.1* - Bluetooth is mainly used for exchanging data over short distances on fixed and mobile devices. This standard works on a 2.4 GHz ban o 802.15.4 (ZigBee), 802.15.5 (mesh network), 802.16 (WiMax), 802.11X (RADIUS)
Wired Equivalent Privacy (WEP) Flaws
-WEP is a stream cipher that uses RC-4 to produce a stream of bytes that are XORed with plaintext - No defined method for encryption key distribution -RC4 was designed to be used in a more randomized environment than WEP utilized:
Direct Sequence Spread Spectrum (DSSS)
A spread spectrum technique that multiplies the original data signal with a pseudo random noise spreading code. Also referred to as a data transmission scheme or modulation scheme, the technique protects signals against interference or jamming.
Dipole Antenna
A straight electrical conductor measuring half of a wavelength from end to end and connected at the RF feed line's center. Also called as a doublet, the antenna is bilaterally symmetrical, so it is inherently a balanced antenna. This kind of antenna feeds on a balanced parallel-wire RF transmission line.
Extension to wired
A user can create an extension of a wired network by placing APs between the wired network and the wireless devices. In this type of network, the AP acts like a switch, providing connectivity for computers that use a wireless network interface card (NIC). The AP can connect wireless clients to a wired LAN, which allows wireless computer access to LAN resources, such as file servers or internet connections
Access Control Attack: Misconfigured AP
A user improperly configures any of the critical security settings at any of the APs Some of the key elements that play an important role in this kind of attack include: o SSID Broadcast o Weak/default password o Configuration Error
Evil Twin
A wireless AP that pretends to be a legitimate AP by imitating another network name. It poses a clear and present danger to wireless users on private and public WLANs. An attacker sets up a rogue AP outside the network perimeter and lures users to sign into the wrong AP. The attacker uses attacking tools such as KARMA, which monitors station probes to create an evil twin.
LAN-to-LAN wireless
APs provide wireless connectivity to local computers, and local computers on different networks can be interconnected. All hardware APs have the capability to interconnect with other hardware APs. complex task
Advantages and Disadvantages of Wireless Networks:
Advantages o Installation is fast and easy and eliminates wiring through walls and ceilings o It is easier to provide connectivity in areas where it is difficult to lay cable o Access to the network can be from anywhere within range of an access point o Public places like airports, libraries, schools or even coffee shops offer you constant Internet connections using Wireless LAN Disadvantages o Security is a big issue and may not meet expectations o As the number of computers on the network increases, the bandwidth suffers o Wi-Fi enhancements can require new wireless cards and/or access points o Some electronic equipment can interfere with the Wi-Fi networks
Availability Attacks
Aim at obstructing the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources. This attack makes wireless network services unavailable to legitimate users Types o AP Theft -Physically removing an AP from its installed location. o Disassociation Attacks -Destroying the connectivity between an AP and client, to make the target unavailable to other wireless devices. o EAP-Failure -Observing a valid 802.1X EAP exchange, and then sending the client a forged EAP-Failure message. o Beacon Flood -Generating thousands of counterfeit 802.11 beacons to make it hard for clients to find a legitimate AP. o Denial-of-Service o De-authenticate Flood o Routing Attacks o Authenticate Flood o ARP Cache Poisoning Attack o Power Saving Attacks o TKIP MIC Exploit
Technitium MAC Address Changer
Allows you to change (spoof) the Media Access Control (MAC) Address of your Network Interface Card (NIC) instantly. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard-coded MAC address is used by windows drivers to access the Ethernet Network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address.
Yagi Antenna
Also called as Yagi Uda antenna, is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF. Improving the gain of the antenna and reducing the signal-to-noise (SNR) level of a radio signal are the focus of this antenna. It consists of a reflector, dipole, and many directors. This antenna develops an end fire radiation pattern.
WifiExplorer
An 802.11 network discovery tool --also known as a Wi-Fi scanner. It was designed for mobile platforms - in particular, Android phones and tablets. Using the device's built-in 802.11 radio, it collects information about nearby wireless access points and displays the data in useful ways. The diagnostic views are helpful when installing and troubleshooting Wi-Fi networks. It uses 5 diagnostic views that collectively provide an overview of the current Wi-Fi environment. In the 'normal' mode, all APs are displayed, while in the 'Monitor Mode' only the APs of interest are displayed.
Wireless MITM Atk
An active Internet attack in which the attacker attempts to intercept, read, or alter information between two computers. Associated with an 802.11 WLAN, as well as with wired communication systems Used to eavesdrop or manipulate Aircrack-ng
Jamming Signal
An attack performed on a wireless environment in order to compromise it. During this type of exploitation, overwhelming volumes of malicious traffic result in DoS to authorized users, obstructing legitimate traffic. All wireless networks are prone this
Wireless ARP Poisoning
An attack technique that exploits the lack of verification. In this technique, the ARP cache maintained by the OS with the wrong MAC addresses is corrupted. An attacker performs this by sending an ARP Replay pack constructed with a wrong MAC addres Cain & Abel
AP MAC Spoofing
An attacker can spoof the MAC address of the AP by programming a rogue AP to advertise the same identity information as that of the legitimate AP. An attacker connected to the AP as the authorized client can have full access to the network This type of attack succeeds when the target wireless network uses MAC filtering to authenticate their clients (users).
Open System Authentication Process:
Any wireless client that wants to access a Wi-Fi network sends a request to the wireless AP for authentication.
Integrity Attacks
Attack involves changing or altering data during transmission. Attackers send forged control, management, or data frames over a wireless network to misdirect wireless devices in order to perform another type of attack (e.g., DoS) Types o Data Frame Injection -Constructing and sending forged 802.11 frames -Tools Airpwn, File2air, libradiate, void11, WEPWedgie, wnet dinject/reinject o WEP Injection -Constructing and sending forged WEP encryption keys. -Methods/tools -WEP cracking + injection tools o Bit-Flipping Attacks - Capturing the frame and flipping random bits in the data payload, modifying ICV, and sending to the user.
Directional Antenna
Can broadcast and receive radio waves from a single direction. -helps in reducing interference.
Fragmentation Attack
Can obtains 1500 bytes of pseudo random generation algorithm (PRGA), then generate packets with packetforge-ng The Aircrack-ng suite program helps attacker to obtain a small amount of keying material from the packet, then attempts to send ARP and/or LLC packets with known content to the AP.
Aircrack-ng Suite
Detector, sniffer, WEP/WPA/WPA2PSK cracker runs under linux and windows o Airbase-ng: Captures WPA/WPA2 handshake and can act as an ad-hoc Access Point. o Aircrack-ng: Defacto WEP and WPA/ WPA2-PSK cracking tool. o Airdecap-ng: Decrypt WEP/WPA/ WPA2 and can be used to strip the wireless headers from Wi-Fi packets. o Airdecloak-ng: Removes WEP cloaking from a pcap file. o Airdriver-ng: Provides status information about the wireless drivers on your system. o Airdrop-ng: This program is used for targeted, rule-based de-authentication of users. o Aireplay-ng: Used for traffic generation, fake authentication, packet replay, and ARP request injection. o Airgraph-ng: Creates client to AP relationship and common probe graph from airodump file. o Airodump-ng: Used to capture packets of raw 802.11 frames and collect WEP IVs. o Airolib-ng: Store and manage essid and password lists used in WPA/ WPA2 cracking. o Airserv-ng: Allows multiple programs to independently use a Wi-Fi card via a client-server TCP connection. o Airmon-ng: Used to enable monitor mode on wireless interfaces from managed mode and vice versa. o Airtun-ng: Injects frames into a WPA TKIP network with QoS, and can recover MIC key and keystream from Wi-Fi traffic. o Easside-ng: Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key. o Packetforge-ng: Used to create encrypted packets that can subsequently be used for injection. o Tkiptun-ng: Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network. o Wesside-ng: Incorporates a number of techniques to seamlessly obtain a WEP key in minutes.
Skyhook
GPS Mapping tool Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi APs It uses a combination of GPS tracking and a Wi-Fi positioning system to determine the location of a wireless network indoor and in urban areas. Features: o Makes location precise and reliable where it counts, even in hard-to-reach urban and indoor environments o Uses multiple location sources to verify device location o Builds a living network of geolocated IP addresses by matching precise GPS and Wi-Fi data with the IP address from billions of location requests o Provides precise positioning data even when an Internet connection is unavailable o Toggles clusters of nearby geofences on and off for each device based on its location
DoS: Disassociation & Deauthentication Attacks
Disassociation attack - the attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the AP and client Deauthentication attack -the attacker floods station(s) with forged deauthenticates or disassociates to disconnect users from an AP.
inSSIDer Office
Discovery Tool AWi-Fi optimization and troubleshooting tool. It scans for wireless networks with your Wi-Fi adapter The application uses a native Wi-Fi API and the user's NIC, and sorts the results by MAC address, SSID, channel, RSSI, MAC, vendor, data rate, signal strength and "Time Last Screen. Features: o Inspect WLAN and surrounding networks to troubleshoot competing APs o Track the strength of the received signal in dBm over time o Track the strength of received signal in dBm over time and filter access points o Highlight APs for areas with high Wi-Fi concentration o Export Wi-Fi and GPS data to a KML file to view in Google Earth o Shows which Wi-Fi network channels overlap o Compatible with GPS devices
Key Reinstallation Attack (KRACK)
Exploiting the 4-way handshake of the WPA2 protocol Forcing Nonse reuse
More Integrity Attacks
Extensible AP Replay -Capturing 802.1X Extensible Authentication Protocols (e.g., EAP Identity, Success, and Failure) for later replay. -Methods/Tool -Wireless capture + injection tools between client and AP Data Replay -Capturing 802.11 data frames for later (modified) replay. -Methods/Tools - Capture + injection tools Initialization Vector Replay Attacks - Deriving the key stream by sending plain-text message. RADIUS Replay - Capturing RADIUS Access-Accept or Reject messages for later replay Viruses have a great impact on a wireless network. -Methods/tools -Ethernet capture + injection tools between AP and authentication server Wireless Network Viruses -Viruses can provide an attacker with a simple method to compromise APs.
WiGLE
GPS Mapping tool consolidates location and information of wireless networks worldwide to a central database, and provides user-friendly Java, Windows, and web applications that can map, query and update the database via the web. You can add a wireless network from a stumble file or by hand and add remarks to an existing network
Bandwidth
It describes the amount of information that may be broadcasted over a connection. -Usually, refers to the data transfer rate. -Measured in bits (amount of data) per second (bps).
Frequency-hopping Spread Spectrum (FHSS)
Known as Frequency-Hopping Code Division Multiple Access (FH-CDMA), is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels. It decreases the efficiency of unauthorized interception or jamming of telecommunications.
Wi-Fi Jamming Devices
MGT-P1B Wi-Fi Jammer o 6-8 meters,Internal antennas, 1 frequency bands, Portable MGT-P6 Wi-Fi Jammer o 10-12 meters ,4 antennas and jammers MGT-615 Jammer o 5-100 meters, 6 antennas and 6 Blurred frequency bands, Wall mountable MGT-04 Wi-Fi Jammer, MGT-06B Jammer, MGT-08 Jammer
Hotspot
Places where wireless networks are available for public use. Refer to areas with Wi-Fi availability, where users can enable Wi-Fi on their devices and connect to the Internet
RADIUS
The 802.1X standard provides centralized authentication. 802.1X authentication to work on a wireless network, the AP must be able to securely identify the traffic from a specific wireless client. In this Wi-Fi authentication process, a centralized authentication server known as Remote Authentication Dial in User Service sends authentication keys to both the AP and to clients that want to authenticate with the AP. This key enables the AP to identify a particular wireless client.
MAC Spoofing Attack Tools
Technitium MAC Address Changer Change MAC Address GhostMAC Spoof-Me-Now SpoofMAC Win7 MAC Address Changer SMAC
Access Control Attacks
These attacks aim to penetrate a network by evading wireless LAN access control measures, such as AP MAC filters and Wi-Fi port access controls Types o War Driving o Rogue Access Point o MAC Spoofing o AP Misconfiguration o Ad Hoc Association o Promiscuous Client o Client Mis-Association o Unauthorized Association
Confidentiality Attacks
These attacks attempt to intercept confidential information sent over a wireless network, regardless of whether the system transmits data in clear text or encrypted format. Types o Eavesdropping o Traffic Analysis o Cracking WEP Key - Aircrack, AirSnort, chopchop, WepAttack, WepDecrypt o Evil Twin AP o Honeypot AP o Session Hijacking o Masquerading -Pretending to be an authorized user to gain access to a system o MITM Attack
Raw Packet Capturing Tools
These tools capture every packet and support both Ethernet LAN and 802.11, and display network traffic at the MAC level. o WirelessNetView o PRTG Network Monitor o Tcpdump o RawCap o Airodump-ng o Microsoft Network Monitor
Bluesmacking
This Bluetooth attack occurs when an attacker sends an oversized ping packet to a victim's device, causing a buffer overflow. This type of attack is similar to an ICMP ping of death.
Omnidirectional Antenna
This antennas radiate electromagnetic energy in all directions. -It provides a 360-degree horizontal radiation pattern. -A good example radio stations. These antennas are effective for radio signal transmission because the receiver may not be stationary. Therefore, a radio can receive a signal regardless of where it is
Temporal Key Integrity Protocol (TKIP)
WPA encryption Used in a unicast encryption key, which changes the key for every packet, thereby enhancing the security. Uses a Michael Integrity Check algorithm with a message integrity check key to generate the MIC value. Client starts with a 128-bit "temporal key" (TK) that is then combined with the client's MAC address and with an IV to create a keystream that is used to encrypt data via the RC4. keys are changed for every 10,000 packets
GSM (Global System for Mobile Communications)
Universal system used for mobile transportation for wireless network worldwide.
Reflector Antenna
Used to concentrate EM energy that is radiated or received at a focal point. -Generally parabolic. -If in tolerance limit, it can be used as a primary mirror for all the frequencies. -Can prevent interference while communicating with other satellites. The larger the antenna reflector in terms of wavelengths, the higher the gain -cost of the antenna is high
Spectrum Analysis
Used to discover the presence of wireless networks. Employ statistical analysis to plot spectral usage, quantify "air quality," and isolate transmission sources. Ekahau -an easy to use USB device for interference analysis
Parabolic Grid Antenna
Uses the same principle as a satellite dish but it does not have a solid backing. It consists of a semi-dish that is in the form of a grid made of aluminum wire. -can achieve very long-distance Wi-Fi transmissions by making use of a highly focused radio beam. - This type of antenna is useful for transmitting weak radio signals over very long distances—on the order of 10 miles.
WEP vs WPA vs WPA2
WEP -provided data confidentiality on wireless networks, -weak and failed to meet any of its security goals. -replaced with either WPA or WPA2 -encryption RC4, IV 24-bits, Key Length 40/104-bits, Integrity check CRC-32 WPA -fixes most of WEP's problems. -protections against forgery and replay attacks. - encryption RC4, TKIP, IV 48-bits, Key Length 128-bits, Integrity check Michael algorithm and CRC-32 WPA2 -makes wireless networks almost as secure as wired networks -supports authentication -protections against forgery and replay attacks. - encryption AES-CCMP, IV 48-bits, Key Length 128-bits, Integrity check CBC-MAC
Wi-Fi Traffic Analyzer Tools
o AirMagnet WiFi Analyzer -Wi-Fi networks traffic auditing and troubleshooting tool, which provides real-time accurate, independent and reliable Wi-Fi analysis of 802.11a/b/g/n and ac wireless networks o Capsa Network Analyzer o PRTG Network Monitor o Observer Analyzer o OmniPeek Enterpris
Hotspot Finders
Wi-Fi Finder an android mobile application that can be used for finding free or paid public Wi-Fi hotspots online or offline. Features: o Scan for Wi-Fi hotspots around you o Search for public Wi-Fi anywhere in the world o View Wi-Fi hotspot detail, call location, get directions or share the hotspot o Filter results by location (cafe, hotel, etc.) or provider type o Works both online and offline -Homedale::Wi-Fi/WLAN Monitor -Avast Wi-Fi Finder -Open WiFi Finder -Free WiFi Finder - Fing - Network Tools
AirPcap
Wi-Fi USB dongle captures full 802.11 data, management, and control frames that can be viewed in Wireshark, -provides in-depth protocol dissection and analysis capabilities. -can operate in a completely passive mode Features: o It provides capability for simultaneous multi-channel capture and traffic aggregation o It can be used for traffic injection that help in assessing the security of a wireless network o Supported in Aircrack-ng, Cain & Able, and Wireshark tools o AirPcapReplay, included in Software Distribution, replays 802.11 network traffic that is contained in a trace file
Access Control Attack: Ad Hoc Connection
Wi-Fi clients communicate directly through this and it does not require an AP to relay packets. Networks in this mode can conveniently share information among clients. An attacker may carry out this kind of attack by using any USB adapter or wireless card. The attacker connects the host is to an unsecured client to attack a specific client or to avoid AP security.
Mobile Discovery Tools
WifiExplorer WiFi Manager OpenSignalMaps Network Signal Info Pro WiFiFoFum WiFinder
Elcomsoft Wireless Security Auditor
Wireless Hacking Tool allows attackers to break into a secured Wi-Fi network by sniffing wireless traffic and running an attack on the network's WPA/WPA2-PSK password. It helps administrators verify how secure a company's wireless network is. It examines the security of your wireless network by attempting to break into the network from outside or inside. It can work as a wireless sniffer or operate offline by analyzing a dump of network communications. The tool attempts to retrieve the original WPA/WPA2-PSK passwords in plain text.
Wi-Fi Packet Sniffer
Wireshark w/ AirPcap SteelCentral OmniPeek CommView
Reveal Hidden SSID
airmon-ng + airodump + Aireplay-ng Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface Step 3: De-authenticate (deauth) the client to reveal hidden SSID using Aireplay-ng Step 4: Switch to airodump to see the revealed SSID
Used to Launch Wireless Attacks
o Aircrack-ng Suite
Multiple input, Multiple output (MIMO-OFDM)
influences the spectral efficiency of 4G and 5G wireless communication services. Reduces the interference and increases how robust the channel is.
Orthogonal Frequency-division Multiplexing (OFDM)
method of digital modulation of data in which a signal, at a chosen frequency, is split into multiple carrier frequencies that are orthogonal (occurring at right angles) to each other. maps information on the changes in the carrier phase, combination of these, and shares bandwidth with other independent channels. It is also a method of encoding digital data on multiple carrier frequencies.
Wi-Fi Protected Access (WPA) Encryption
o 802.11i o RC4 stream cipher o TKIP (Temporal Key Integrity Protocol) -includes per-packet mixing, msg integrity checks, extended IVs (up to 48 bits) and re-keying mechanisms -Uses 128-bit keys for each packet
Wireless Enryption Algorthims
o 802.11i: It is an IEEE amendment that specifies security mechanisms for 802.11 wireless networks. - LEAP: It is a proprietary version of EAP developed by Cisco. - TKIP: A security protocol used in WPA as a replacement for WEP. - AES: It is a symmetric-key encryption, used in WPA2 as a replacement of TKIP. - CCMP: It is an encryption protocol used in WPA2 for stronger encryption and authentication. - WPA2 Enterprise: It integrates EAP standards with WPA2 encryption. - EAP: Supports multiple authentication methods, such as certificates, etc. - RADIUS: It is a centralized authentication and authorization management system. - PEAP: It is a protocol that encapsulates the EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
Wireless Threats
o Access control attacks o Integrity attacks o Confidentiality attacks o Availability attacks o Authentication attacks
WEP Issues
o CRC-32 is not sufficient to ensure complete cryptographic integrity of a packet o IVs are 24 bits: An AP broadcasting 1500-byte packets at 11 Mb/s would exhaust the entire IV Space in five hours. o Known plaintext attacks - Dictonary attacks o Dos o A lack of centralized key management makes it difficult to change WEP keys with any regularity o Does not dictate that each packet must have a unique IV o Use of RC4 was designed to be a one-time cipher and not intended for multiple message use
Types of integrity attacks
o Data Frame Injection o WEP Injection o Bit-Flipping Attacks o Extensible AP Replay o Data Replay o Initialization Vector Replay Attacks o RADIUS Replay o Wireless Network Viruses
Wireless Antennae
o Directional o Omnidirectional o Parabolic Grid o Yagi o Dipole o Reflector
Bluetooth Discoverable Modes
o Discoverable mode - other devices are visible to other Bluetooth-enabled devices o In limited discoverable mode - the Bluetooth devices are discoverable only for a limited period, for a specific event, or during temporary conditions o non-discoverable mode - prevents that device from appearing on the list during a Bluetooth-enabled device search process
Wireless Hacking Tools
o Elcomsoft Wireless Security Auditor o WepAttack o Wesside-ng o coWPAtty o Reaver Pro o WepCrackGui o WEPCrack o WepDecrypt o Portable Penetrator o KisMAC
Types of Wireless Networks
o Extension to wired o Multiple APs o LAN-to-LAN wireless o 3G/4G Hotspot
Wireless Terminologies
o GSM o Bandwidth o BSSID o ISM Band o Access Point (AP) o Hotspot o Association o Service Set Identifier (SSID) o Orthogonal Frequency-division Multiplexing (OFDM) o Multiple input, Multiple output (MIMO-OFDM) o Direct Sequence Spread Spectrum (DSSS) o Frequency-hopping Spread Spectrum (FHSS)
Wi-Fi Snffer
o Kismet o Tcpdump o SmartSniff o Acrylic WiFi Professional o NetworkMiner o WifiScanner o Free Network Analyzer
Bluetooth Pairing Modes
o Non-pairable mode: In non-pairable mode, a Bluetooth device rejects the pairing request sent by any device. o Pairable mode: In pairable mode, the Bluetooth device accepts the pairing request upon request and establishes a connection with the pair requesting device.
Wi-Fi Authentication Modes
o Open System o Shared Key o RADIUS
Radio Frequency Monitoring Tools
o Sentry Edge II o NetworkManager o xosview o CPRIAdvisor o sigX o satID o KWiFiManager o RF Signal Tracker o FieldSENSE o WaveNode o 3M Home Curfew RF Monitoring System o DTC-340 RFXpert
How to Break WEP Encryption
o Start the wireless interface in monitor mode on the specific AP channel o Test the injection capability of the wireless device to the AP o Use a tool such as aireplay-ng to do a fake authentication with the AP o Start the Wi-Fi sniffing tool o Start a Wi-Fi packet encryption tool such as aireplay-ng in ARP request replay mode to inject packets o Run a cracking tool such as Cain & Abel or aircrack-ng
WPA2
o Supports Counter Mode w/ Cipher Block Chaining o Message Authentication Code Protocol (CCMP), an AES-based encryption mode with strong security. Modes of Operations o Personal- Pre-shared key (PSK) -router uses the combination of passphrase, network SSID, and TKIP to generate a unique encryption key for each wireless client. -changes constantly o Enterprise- EAP or RADIUS (token cards, Kerberos, certificates) -Users are allocated login credentials by a centralized server
Types of Wireless enryption
o WEP (Wired Equivalent Privacy) - an encryption algorithm for IEEE 802.11 wireless networks. It is an old and original wireless security standard, which can be cracked easily. o WPA (Wi-Fi Protected Access) - It is an advanced wireless encryption protocol using TKIP and MIC to provide stronger encryption and authentication. It uses a 48 bit IV, 32 bit CRC and TKIP encryption for wireless security. o WPA2 - It is an upgrade to WPA using AES and CCMP for wireless data encryption
WEP/WPA Cracking Tool for Mobile
o WIBR - WIFI BRUTEFORCE HACK -It discovers weak passwords. WIBR+ supports queuing, custom dictionaries, brute force generator, and advanced monitoring o WIFI WPS WPA TESTER o iWep PRO o AndroDumpper (WPS Connect) o Wifi Password WPA-WEP FREE o WPS WPA WiFi Tester
Techniques used to Crack WPA Encryption
o WPA PSK (Pre-Shared Key) -dictionary attack will compromise most consumer passwords o Offline Attack o De-authentication Attack o Brute Force WPA Keys
Wi-Fi Chalking Techniques
o WarWalking: Attackers walk around with Wi-Fi enabled laptops to detect open wireless networks. o WarChalking: A method used to draw symbols in public places to advertise open Wi-Fi networks. o WarFlying: Attackers use drones to detect open wireless networks. o WarDriving: Attackers drive around with Wi-Fi enabled laptops to detect open wireless networks.
Wireless Hacking Methodology
o Wi-Fi Discovery o GPS Mapping o Wireless Traffic Analysis o Launch Wireless Attacks o Crack Wi-Fi Encryption o Compromise the Wi-Fi Network
Wired Equivalent Privacy (WEP) Encryption
o weak encryption (stack encrytion key) o 802.11b o 24-bit initialization vector (IV) in RC4 The length of the WEP and the secret key are: - 64-bit WEP uses a 40-bit key - 128-bit WEP uses a 104-bit key size - 256-bit WEP uses 232-bit key size