Ethical Hacking:Module08: Wireless Attacks and Countermeasures
Best Practices for Configuration
1. Change the default SSID after WLAN configuration. 2. Set the router access password and enable firewall protection. 3. Disable SSID broadcasts. 4. Disable remote router login and wireless administration. 5. Enable MAC address filtering on APs or routers. 6. Enable encryption on APs and change passphrases often. 7. Close all unused ports to prevent attacks on Aps.
AP MAC Spoofing
An attacker can spoof the MAC address of the AP by programming a rogue AP to advertise the same identity information as that of the legitimate AP. An attacker connected to the AP as the authorized client can have full access to the network This type of attack succeeds when the target wireless network uses MAC filtering to authenticate their clients (users).
Which of the following terms describes the amount of information broadcast over a connection and is measured in terms of "number of bits per seconds (bps)"?
Bandwidth
Patrick, a parent of school-going kids, is frustrated with his children continuously playing an online game. After realizing that direct confrontation may not be the most effective option in the long term, he turned on the Bluetooth on their devices and performed an over-the-air attack by sending annoying messages to the children's devices. As a result, his children lost interest in the game. Identify the type of Bluetooth attack performed by Patrick in the above scenario. A. Bluejacking B. Btlejacking C. Bluesmacking D. Bluebugging
Bluejacking
DSSS (Direct Sequence Spread Spectrum)
Is a spread spectrum technique that multiplies the original data signal with a pseudo-random noise spreading code. Also referred to as a data transmission scheme or modulation scheme, the technique protects signals against interference or jamming.
BSSID (basic service set identifier)
It is the media access control (MAC) address of an access point (AP) or base station that has set up a basic service set (BSS).
WZCook
It is used to recover WEP keys from the Wireless Zero Configuration utility of Windows XP.
Douglas, a professional hacker, attempts to impede legitimate traffic to an organization's employees by sending large amounts of malicious traffic. He uses a technique that stakes out the target area from a nearby location with a high gain amplifier that drowns out a legitimate AP and disconnects the employees from it. Which of the following attacks has Douglas launched in the above scenario?
Jamming signal attack
Which of the following practices is NOT a countermeasure against Bluetooth attacks?
Keep the device in the discoverable mode (?)
Which of the following practices helps security professionals secure the network from wireless threats?
Limit the strength of the wireless network
Which of the following practices can allow attackers to evade the wireless authentication process?
Never update drivers on all wireless equipment
Which of the following Bluetooth mode rejects connection requests sent by any device in the vicinity?
Non-pairable mode
802.11d
This amendment was published in 2001. Written for compliance with the regulatory domains of the USA, Japan, Canada and Europe. Added Country code info in beacons and probe responses.
ISM band
This band is a set of frequencies used by the international industrial, scientific, and medical communities.
In which of the following attacks does an attacker create a soft AP, typically on a laptop, by running a tool that makes the laptop's NIC appear as a legitimate AP?
Unauthorized association
Airdrop-ng
Used for targeted, rule-based deauthentication of users
Airmon-ng
Used to enable monitor mode on wireless interfaces from managed mode and reversed.
WPA3 - Enterprise Mode
Uses AES-256 encryption with a SHA-384 hash for integrity checking
WPA3 - Personal Mode
Uses CCMP-128 as the minimum encryption required for secure connectivity
Identify the protocol that is a component of IEEE 802.11 WLAN standards, the primary purpose of which is to ensure data confidentiality on wireless networks at a level equivalent to that of wired LANS.
WEP
Cedrick, a security professional, implemented stronger encryption and authentication for protecting his organization's network from wireless attacks. He utilized an encryption technique that uses TKIP for data encryption and eliminates the weaknesses of WEP by including per-packet mixing functions, MICs, extended IVs, and re-keying mechanisms. Identify the encryption technique employed by Cedrick in the above scenario. A. WPA B. CCMP C. LEAP D. WEP
WPA
Identify the mode of operation that uses EAP or RADIUS for central client authentication using multiple authentication methods, such as token cards, Kerberos, and certificates.
WPA2-Enterprise (?)
Ashley, a security professional, analyzed the authentication and wireless encryption techniques implemented in her organization for BYOD policy. While doing so, she noticed that certain techniques were outdated. In this regard, she implemented a Wi-Fi security protocol using GCMP-256 for encryption and HMAC-SHA-384 for authentication. Identify the protocol employed by Ashley in the above scenario.
WPA3
Which of the following modes of operation is responsible for delivering password based authentication using the SAE protocol or Dragonfly Key Exchange?
WPA3-Personal
Ad-Hoc Connection Attack
Wi-Fi clients can communicate directly via Anna's-HOF mode that does not require an AP to relay packets. Data can be conveniently shared among clients in ad-hoc networks, which are quite popular among Wi-Fi users.
802.11n
Wireless networking standard that can operate in both the 2.4-GHz and 5-GHz bands and uses multiple in/multiple out (MIMO) to achieve a theoretical maximum throughput of 100+ Mbps.
802.11b
Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 11 Mbps.
802.11g
Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 54 Mbps and is backward compatible with 802.11b.
Which of the following protocols is an 802.15.4 standard and transmits long distance data through a mesh network?
ZigBee
802.15.1 (Bluetooth)
is mainly used for exchanging data between fixed and mobile devices over short distances.
Bluesmacking Attack
similar to Ping of Death; whereas the Ping of Death relies on oversized ICMP ping messages, Bluesmacking attack relies on overized Logical Link Control Adaptation layer Protocol (L2CAP) ping messages. When a device receives these oversized messages, the device crashes.
WEP encryption can be cracked using Aircrack-GM through the following steps.
1. Run airmon-ng in the monitor mode. 2. Start airodump to discover SSIDs on the interface and keep it running. The capture file should contain more than 50,000 IVs to successfully crack the WEP key. 3. Associate the system's wireless card with the target AP. 4. Inject packets using aireplay-ng to generate traffic on the target AP. 5. Wait for airodump-ng to capture more than 50,000 IVs. Crack the WEP key using aircrack-ng.
Wireless Attack Countermeasures
1. Use SSID cloaking to keep certain default wireless messages from broadcasting the SSID to everyone. 2. Do not use the SSID, company name, network name, or any easy to guess string in passphrases. 3. Place a firewall or packet filter between an AP and the corporate Intranet. 4. Limit the strength of the wireless network so that it cannot be detected outside the bounds of the organization. 5. Check the wireless devices for configuration or set up problems regularly. 6. Implement an additional technique for encrypting traffic, such as IPSec over wireless. 7. Disable remote router login and wireless administration.
Which of the following tools creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network?
Airtun-ng
Bluejacking
An attack against Bluetooth devices. It is the practice of sending unsolicited messages to nearby Bluetooth devices.
Below are various steps involved in cracking WEP encryption: 1. Inject packets using aireplay-ng to generate traffic on the target AP. 2. Start airodump to discover SSIDs on the interface and keep it running. 3. Wait for airodump-ng to capture more than 50,000 iVs. Crack the WEP key using aircrack-ng. 4. Run airmon-ng in monitor mode. 5. Associate the system's wireless card with the target AP. Identify the correct sequence of steps involved in cracking WEP encryption.
4-2-5-1-3
Which of the following wireless standards guides prioritizing data, voice, and video transmissions enabling QoS?
802.11e
SSID (Service Set Identifier)
A 32-bit alphanumeric string that identifies a WAP and all devices attached to it.
WEP (Wired Equivalent Privacy)
A key encryption technique for wireless networks that uses keys both to authenticate network clients and to encrypt data in transit. Utilizes an encryption mechanism at the data link layer for minimizing unauthorized access to the WLAN. This is accomplished by encrypting data with the symmetric Rivest Cipher 4 (RC4) encryption algorithm, which is a cryptographic mechanism used to defend against threats.
802.11
A series of network standards that specifies how two wireless devices communicate over the air with each other.
WPA2-Enterprise
A version of WPA2 that uses a RADIUS server for authentication.
802.16
A wireless standard (also known as WiMAX) with a range of up to 30 miles.
Samson, an attacker, targets an organization's network to steal sensitive information such as credit card numbers, passwords, chat messages, emails, and photos. He uses a technique to compromise the vulnerability in the four-way handshake process of the WPA2 protocol by forcing Nonce reuse. Identify the technique employed by Samson in the above scenario. A. Key reinstallation attack B. Honeypot AP attack C. Rogue AP attack D. AP MAC spoofing
A. Key reinstallation attack
Which of the following components of a wireless network is used to connect wireless devices to a wireless/wired network and serves as a switch between a wired LAN and wireless network?
Access Point
Which of the following tools from Aircrack-ng Suite decrypts WEP/WPA/WPA2 and can be used to strip wireless headers from Wi-Fi packets?
Airdecap-ng
Smith, a professional hacker, has performed an attack on an organization's employees by taking advantage of a security flaw present in a wireless access point. He changed the SSID of a rogue access point with the SSID of the organization's access point and sent beacons advertising the rogue AP to lure employees into connecting to it. Consequently, Smith gained access to sensitive information such as the usernames and passwords of connected users. Identify the type of attack performed by Smith in the above scenario. A. Ad-Hoc connection attack B. Honeypot AP attack C. Misconfigured AP attack D. Client mis-association attack
Client mis-association attack
Airtun-ng
Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network
Airgraph-ng
Creates client-to-AP relationship and common probe graph from airodump file
David, a professional hacker, has performed an attack to crack WPA2 encryption used in the target wireless network. He employed a tool from the Aircrack-ng Suite to switch his wireless interface from the managed mode to the monitor mode. Identify the tool employed by David in the above scenario. A. Wesside-ng B. Packetforge-ng C. Aireplay-ng D. Airmon-ng
D. Airmon-ng
Meghan, a professional hacker, was researching the latest vulnerabilities and practicing how to compromise them. She targeted an employee and performed footprinting to determine the make and model of the employee's Bluetooth-enabled device. She used the gathered information to create infographics of the model and manufacturer and analyzed the information to check whether the device had any exploitable vulnerabilities. Identify the type of attack performed by Meghan in the above scenario. A. BlueSniff B. Bluesnarfing C. Bluebugging D. BluePrinting
D. BluePrinting
Alvin, a professional hacker, targeted the Bluetooth-enabled device of an employee in an organization that handles critical information. Alvin initiated an attack on the target device by sending an oversized ping packet, causing a buffer overflow. Identify the type of attack performed by Alvin in the above scenario. A. Btlejacking B. Bluejacking C. Bluebugging D. Bluesmacking
D. Bluesmacking
Jack, a professional hacker, has performed an attack on Bluetooth paired devices. He leveraged a vulnerability in Bluetooth and breached the security mechanisms to eavesdrop on all the data being shared. Jack managed to intercept the data transfer between devices and gained access to chats and documents being shared. Identify the type of attack Jack has performed in the above scenario. A. BlueSniff B. MAC spoofing attack C. BluePrinting D. KNOB attack
D. KNOB attack
Smith, a network administrator, was instructed to enhance wireless security and implement a centralized authentication mechanism for clients. To achieve this, Smith implemented a wireless encryption technology that uses EAP or RADIUS for centralized client authentication using multiple authentication methods, such as token cards, Kerberos, and certificates. Which of the following technology has Smith implemented in the above scenario? A. WPA2-Personal B. WPA3-Enterprise C. WPA3-Personal D. WPA2-Enterprise
D. WPA2-Enterprise
Which of the following terms is a spread spectrum technique that multiplies the original data signal with a pseudo-random noise spreading code and protects signals from interference?
DSSS (Direct Sequence Spread Spectrum)
Which of the following countermeasures helps users defend their devices against Bluetooth attacks?
Disable automatic connections to public Wi-fi networks
Which of the following practices should be followed while configuring a wireless network to defend against potential wireless attacks?
Enable MAC address filtering on APs or routers
Easside-ng
Enables communication via a WEP encrypted AP without the knowledge of the WEP key.