M16 Hacking Wireless Networks

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Ad-Hoc Connection Attack

- Ad-Hoc Mode (like airdrop) o Allows clients to communicate with each other directly WITHOUT an AP o Allows data to be conveniently shared o Does NOT provide strong authentication or encryption - Attacker connects to client operating in Ad-Hoc Mode

Frequency-hopping spread spectrum (FHSS)

- AKA Frequency-hopping code-division multiple access (FH-CDMA) - Transmitting radio signals by rapidly switching a carrier among many frequency channels - It decreases the efficiency of unauthorized interception or jamming of telecommunications - A transmitter hops between available frequencies using a specified algorithm in a pseudorandom sequence known to both the sender and receiver

(4) Launch of Wireless Attacks

Aircrack-ng Suite

WPA3 Cracking Techniques

Downgrade Security Attacks - Downgrade the AP to WPA2 - 2 Ways to Downgrade o Exploiting Backward Compatibility o Exploiting the Dragonfly handshake Side-Channel Attacks § Timing-based attack § Cache-based attack

802.11d

Enhancement to a and b Enables global portability = allows variations in frequencies, power levels and bandwidth

Brute forcing of WPA keys

- Perform a brute-force attack on WPA encryption keys using a dictionary or using tools such as aircrack, aireplay, or KisMAC - May take hours, days, or even weeks

iCopy-X

- Portable RFID cloning device - Entirely stand-alone device with an integrated screen and buttons = does NOT need external computer

Reflector Antennas

- Reflect radio signals and has a high manufacturing cost - Concentrates EM energy that is radiated or received at a focal point - Generally parabolic

Jamming Signal Attack

- Send overwhelming volumes of malicious traffic = DoS - Use hardware to perform attack o Generates signals that appear to be noise to the devices on network o Causes them to hold their transmissions until the signal has subsided

Honeypot/Honeypot AP Attack

- Setting up an unauthorized wireless network using a rogue AP + impersonate - Has high-power (high-gain) antennas - Uses the same SSID as the target network - They transmit a stronger beacon signal than legitimate APs

Authentication Attacks

- Steal the identity of Wi-Fi clients, their personal information, login credentials, etc. - To gain unauthorized access to network resources

Parabolic Grid Antenna

- Uses the same principle as a satellite dish but NO solid dish - Consists of a semi-dish in the form of a grid consisting of aluminum wires - Can achieve very-long-distance Wi-Fi transmissions through highly focused radio beams - Useful for transmitting weak radio signals over very long distances (10 miles) - Can receive Wi-Fi signals that are either horizontally or vertically polarized

Sniffing Tools

- Wireshark with Npcap - SteelCentral Packet Analyzer - OmniPeek Network Protocol Analyzer - CommView for Wi-Fi - Kismet

De-authentication Attack

- attacker floods station(s) with forged de-authenticates or disassociates to disconnect users from an AP

Global System for Mobile Communications (GSM)

- universal system used for mobile data transmission in wireless networks worldwide

802.11a

3.7 GHz and 5 GHz OFDM 6, 9, 12, 18, 24, 36, 48, 54 Mbps speeds 35-100 and 5000 M

WPA2

802.1X/EAP/PSK AES = Encryption algorithm CCMP = Encryption method 128, 192, 256 bits = Key size CBC-MAC = Data integrity 48 bits = IV length

WPA3

802.1X/EAP/PSK AES = Encryption algorithm CCMP = Encryption method 128/192 bits = Key size (personal/enterprise) BIP-GMAC-256 = Data integrity 48 bits = IV length

WPA

802.1X/EAP/PSK RC4 = Encryption algorithm TKIP = Encryption method 128 bits = Key size MIC and CRC-32 = Data integrity 48 bits = IV length

WarDriving

o Attackers drive around with Wi-Fi-enabled laptops installed with a wireless discovery tool to map out open wireless networks. § Send probe requests or listens for beacons - Drive the car at speeds of 35 mph or below (at higher speeds, the Wi-Fi antenna will not be able to detect Wi-Fi networks).

WarFlying

o Attackers use drones to detect open wireless networks.

Wormhole Attack

- Exploits dynamic routing protocols such as Dynamic Source Routing (DSR) and the Ad-Hoc On-Demand Distance Vector (AODV) - Attacker places themselves in the target network to sniff wireless transmissions - From this location, the attacker advertises that the malicious node has the shortest route for transmitting data - Attacker creates a tunnel to forward the data between the source and destination node - Impacting the confidentiality, integrity, and availability of network data

Key Reinstallation Attack (KRACK)

- Exploits flaws in the implementation of the four-way handshake in the WPA2 - Four-way handshake o Establish connections o Generate a fresh encryption key that will be used to encrypt the network traffic - Forcing Nonce reuse o Attacker tricks user into using already in use key o Attacker captures the victim's ANonce key that is already in use to manipulate and replay cryptographic handshake messages

Inter-Chip Privilege Escalation/Wireless Co-Existence Attack

- Exploits vulnerabilities in wireless chips - Comb Chip = designed for Bluetooth AND Wi-Fi - Attackers leverage combo chips to exploit one chip to steal the data from another chip - Bluetooth chip can capture sensitive data from the Wi-Fi chip o OR can manipulated data going through the Wi-Fi Chip

Misconfigured AP Attack

- Exposes network to attack - Difficult to detect a misconfigured AP because it is an authorized, legitimate device - SSID broadcast, Weak PW, Config errors (default configs)

(1) Wi-Fi Discovery

- Find a Wi-Fi network or device - Sing tools such as insider and NetSurveyor - Footprinting the wireless networks and finding the appropriate target

De-authentication attack

- Find an actively connected client - Attacker forces the client to disconnect from the AP - Use aireplay to capture the authentication packet when the client attempts to reconnect o Includes the pairwise master key (PMK), which the attacker can crack by dictionary or brute-force attacks

Wi-Jacking Attack

- Force user to visit malicious site by creating evil twin using KARMA o The client device's browser must store the admin interface credentials of the router. The target network's router must use an unencrypted HTTP

aLTEr Attack

- Force victim to visit malicious website using DNS spoofing - Performed on LET data in AES counter (AES-CTR mode) = NO integrity protection - Attacker installs a virtual (fake) tower between two authentic endpoints - uses this virtual tower to interrupt the data transmission between the user and real tower - Use virtual fake tower to hijack the active LTE session - Redirects the victim to malicious websites - Take control over browsing data and modifies user inputs with a spoofed DNS server

WEP Encryption Cracking

- Gathering a large number of IVs - Done by listening to traffic - WEP packet injection o Expedites the IV-gathering process and allows capturing a large number of IVs in a short period

GNSS Spoofing

- Global Navigation Satellite System (GNSS) - Attacker modifies the target GNSS signal measurements (position, navigation, and time = PNT) - Broadcasts the same signals to the target's GNSS receiver - User's GNSS receiver believes it to be authentic - Force system to display false positions and times

Rogue AP Attack

- Installed in the network = allows unauthorized users to connect to that network - Unauthorized (or rogue) APs can allow anyone with an 802.11-equipped device to connect to a corporate network - The attacker lures the user to connect to the rogue AP by sending the SSID - If the user connects to the rogue AP under the impression that it is a legitimate AP, all the traffic from the user passes through the rogue AP - Allows attacker to sniff traffic flowing through rough AP

Confidentiality Attack

- Intercept confidential info - An attacker may attempt to break the encryption

Tools to discover Wi-Fi networks

- Laptop with a Wi-Fi card - External Wi-Fi antenna - Network discovery software - inSSIDer - NetSurveyor - Wi-Fi Scanner - Acrylic Wi-Fi Home - Wi-Fi Scanner - Acrylic Wi-Fi Home - WirelessMon - Ekahau Wi-Fi Heatmaps

Manipulation (MITM)

- Level beyond eavesdropping - Attacker receives the victim's encrypted data, manipulates it, and retransmits the manipulated data to the victim - Attacker can intercept packets with encrypted data and change the destination address to forward packets across the Internet

Availability Attacks

- Makes wireless network services unavailable to legitimate users - Obstructing the delivery of wireless services - By crippling WLAN resources or by denying them access

(2) GPS Mapping

- Map the network - Drawing a map of the network

GPS Mapping Tools

- Maptitude Mapping Software - Skyhook - ExpertGPS - GPS Visualizer - Mapwel - TrackMaker

Orthogonal frequency-division multiplexing (OFDM)

- Method of digital modulation of data - A signal is split into multiple carrier frequencies that are orthogonal (occurring at right angles) to each other

Service set identifier (SSID)

- NAME of network = A 32-alphanumeric-character unique identifier given to a wireless local area network (WLAN)

Client Mis-Association - User connect to someone else

- Network client mistakenly connects to a neighboring AP

Configuration error (Misconfigured AP Attack)

- No PW configured - Errors made during installation - Configuration policies on an AP - Human errors made while troubleshooting WLAN problems - Security changes not implemented uniformly across an architecture - SSID broadcasting is a configuration error that assists attackers in stealing an SSID = makes the AP assume that the attacker is attempting a legitimate connection

WPA Cracking Techniques

- Only way to crack WPA is to sniff the PW PMK associated with the handshake auth process

Automated Spectrum Analysis Tools

- RF Explorer

Additional RFID cloning tools:

- RFIDler - RFID Mifare Cloner - Proxmark3 - Boscloner Pro

Omnidirectional Antenna

- Radiate electromagnetic (EM) energy in all directions - Provides a 360° horizontal radiation pattern - Radiates strong waves uniformly in two dimensions, but the waves are usually not as strong in the third dimension - Efficient in areas where wireless stations use time-division multiple access technology - Good for radio towers and receivers may be moving

WPA3 Encryption Cracking

- Replaces WPA2's four-way (PSK) handshake with the Dragonfly (SAE) handshake - Dragonfly SAE still vulnerable to password-cracking - Dragonblood o Set of vulnerabilities in WPA3 allowing key recover, security mechanism downgrades, info-theft - Tools = Dragonslayer, Dragonforce, Dragondrain, and Dragontime

Dipole Antenna (doublet)

- Straight electrical conductor measuring half a wavelength from end to end - Connected at the center of the radio frequency (RF) feed line - Feeds on a balanced parallel-wire RF transmission line

MAC Spoofing Tools

- Technitium MAC Address Changer - Allows a user to change (spoof) the MAC address of their NIC instantly - Has user interface and provides info on each NIC in the machine

Wireless ARP Poisoning Attack

- The ARP cache maintained by the OS is corrupted with wrong MAC addresses - Send an ARP replay packet constructed with a wrong MAC address - Impacts all the hosts in a subnet o All hosts connected to a switch or hub are susceptible to ARP poisoning attacks - Attackers IP is associated with the victim's MAC - Use Ettercap for ARP attacks

Basic service set identifier (BSSID)

- The MAC address of an access point (AP) or base station that has set up a basic service set (BSS)

Fragmentation Attack

- The aircrack-ng suite helps the attacker obtain a small amount of keying material from the packet - aircracking-ng sends a packet to the AP that the AP echoes = capture keying info

Choosing the Optimal Wi-Fi Card

- Tools such as aircrack-ng and KisMAC work only with selected wireless chipsets - Consider the following when choosing card o Determine the Wi-Fi requirements o Learn the capabilities of a wireless card o Determine the chipset of the Wi-Fi card o Verify the chipset capabilities o Determine the drivers and patches required

802.16 (WiMAX)

2 - 11 GHz SOFDMA 34 - 1000 Mbps speeds 1609.34 - M 9656.06 (1-6 miles)

Multiple input, multiple output-orthogonal frequency-division multiplexing (MIMO-OFDM)

- AKA transmission scheme or modulation scheme - Spread spectrum technique that multiplies the original data signal with a pseudo-random noise-spreading code - Protects signals against interference or jamming

Evil Twin

- AP that pretends to be a legitimate AP by imitating its SSID - Sets up a rogue AP outside the network perimeter - Lures users to sign into this AP - Uses tools: KARMA

Rouge AP

- APs an attacker installs on a network without authorization - NOT under the management of the admin o NOT configured for security - Provide backdoor access to the wireless network - Use MANA Toolkit

Tools

- Aircrack-ng - Wifiphisher - Reaver

Eavesdropping (MITM)

- An attacker in the vicinity of a wireless network can receive radio waves on the wireless network without much effort or equipment - Attacker can examine the entire data frame and store it

(3) Wireless Traffic Analysis

- Analyze the traffic - ID the vulnerabilities and susceptible victims

Sinkhole Attacka

- Attacker advertises a compromised or malicious node as the shortest possible route - Attacker places the malicious node near the base station and attracts all the neighboring nodes with fake routing path info - Sniff and manipulate data

AP MAC Spoofing

- Attacker can spoof the MAC address of the AP by programming a rogue AP to advertise the same identity information as that of the legitimate AP = bypasses MAC filtering on PA - Attack spoofs their MAC to look like authorized client --> connects to AP

Man-in-the-Middle Attack (MITM)

- Attacker intercept, read, or alter info transmitted between 2 computers

Disassociation Attack

- Attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the AP and client

GPS

- Attacker uses this GPS utility to locate and map the target wireless network in a geographical area

Meaconing Method (GNSS)

- Attackers aim to block and re-broadcast the original signals to the receiver - Effective with mono-and multi-antenna meaconers that control multiple satellites - Allows attackers to manipulate the original signal with false positioning data

Interrupting the Lock Mechanism (GNSS)

- Attackers aim to discover a GNSS receiver's new lock via a faulty signal - Start radiating a jamming signal inside the GNSS receiver, where the receiver requests for the next acquisition - A signal simulator is used to generate a false signal, transmit it to the GNSS receiver, and gain the new lock data of the receiver - Gain location data of receiver by generating a false signal to the receiver

MAC Spoofing Attack

- Attackers change their MAC address to that of an authenticated user to bypass the MAC filtering configured in an AP - To spoof a MAC address, the attacker simply needs to set the value returned by ifconfig to another hex value in the format of aa:bb:cc:dd:ee:ff

Drag-off Strategy (GNSS)

- Attackers track the receiver's position and identify the deviation from the original location to a fake one - Attacker mirrors the original navigation signals, injecting a progressive misalignment between those signals, and forwarding them to the GNSS receiver. - Protects attackers from detection by radar systems

Cancellation Methodology (GNSS)

- Attackers use dual signal transmission to cancel out individual spoofed signals by introducing false satellite data. - Used for extracting the code phase data but limited in terms of obtaining the amplitude matching and carrier phase

Directional Antenna

- Broadcast and receive radio waves from a single direction - Works effectively in only a few directions = reduces interference

WPA/WPA2 Encryption Cracking

- Can still be cracked if right packets are captured

Offline attack

- Capture the WPA/WPA2 authentication handshake - Crack encryption key offline - Capturing a full authentication handshake from a client and the AP helps in breaking the WPA/WPA2 encryption

RFID Cloning Attack

- Capturing the data from an RFID tag and then creating its clone using a new chip - Data from one RFID tag are copied into another tag by changing the tag ID (TID) - The cloned copy is different from the original RFID tag and may be easily detected - Use iCopy-X, RFIDler, etc. to clone RFID tags

Integrity Attack

- Changing data during transmission - Attackers send forged control, management, or data frames to misdirect wireless devices

(5) Wi-Fi Encryption Cracking

- Crack the WEP or WPA/WPA2 encryption

Denial-of-Service Attack

- Disrupt wireless network connections by broadcasting de-authenticate commands

Yagi Antenna (Yagi-Uda)

- Unidirectional antenna commonly used in communications at a frequency band of 10 MHz to VHF and UHF - High gain and low signal-to-noise (SNR) ratio - Unidirectional radiation and response pattern - Concentrates the radiation and response - Consists of a reflector, dipole, and many directors - Develops an end-fire radiation pattern

WPA PSK

- Uses a user-defined password to initialize the four-way handshake - User provides credentials/PW to the AP - Capture WPA-PSK handshake containing password = brute forced using a dictionary attack

WEP Cracking

- Wesside-ng = WEP cracking tool o Finds and associates with EWP network

Wi-Fi Hotspot Finder Tools

- Wi-Fi Finder - Homedale::Wi-Fi/WLAN Monitor - Fing - Network Tools - WiFi Finder - Free WiFi Map - WiFi Map - Find Wifi & Connect to Wi-Fi

Wireless Hacking Methodology

- Wi-Fi discovery - GPS mapping - Wireless traffic analysis - Launch of wireless attacks - Wi-Fi encryption cracking - Wi-Fi network compromising

Mobile-based Wi-Fi Discovery Tools

- WiFi Analyzer - Opensignal - Network Signal Info Pro - WiFi Manager - Network Refresher: Network Signal Refresher - WiFi Scanner - WiGLE

Denial-of-Service: Disassociation and De-authentication Atta

- Wireless DoS attacks include: o Disassociation attacks o De-authentication attacks

802.15.4 (ZigBee)

0.868, 0.915, 2.4 GHz O-QPSK, GFSK, BPSK 0.02, 0.04, 0.25 Mbps speeds 1 - 100 M

Unauthorized Association - someone lese connects to you

2 Forms o Accidental § Connecting to the target network's AP from a neighboring organization's overlapping network without the victim's knowledge o Malicious § Done using Soft Aps § The attacker infects the victim's machine and activates soft APs allowing an unauthorized connection to the network

802.11b

2.4 GHz DSSS 1, 2, 5.5, 11 Mbps speeds 35 - 140 M

802.11

2.4 GHz DSSS, FHSS 1 Mbps and 2 Mbps speeds 20-100 M

802.15.1 (Bluetooth)

2.4 GHz GFSK, π/4-DPSK, 8DPSK 25 - 50 Mbps speeds 10 - 240 M

802.11g

2.4 GHz OFDM 6, 9, 12, 18, 24, 36, 48, 54 Mbps speeds 38 - 140 M

802.11n

2.4 and 5 GHz MIMO-OFDM 54 - 600 Mbps speeds 70 - 250 M

802.11i

A standard for WLANs that provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards; defines WPA2-Enterprise/WPA2-Personal for Wi-Fi

802.11e

It provides guidance for prioritization of data, voice, and video transmissions enabling QoS

WEP

NO authentication RC4 = Encryption algorithm WEP = Encryption method 40 or 104 bits = Key size CRC-32 = Data integrity 24 bits = IV length

Rogue AP vs Evil Twin

Rouge PA disables SSID broadcast + setup INSIDE network Evil Twin copies and broadcasts the SSID of target network + setup OUTSIDE network

Misconfiguration Key Elements (Misconfigured AP Attack)

SSID broadcast - APs using default SSIDs are vulnerable to brute-force dictionary attacks - An unencrypted SSID broadcasts the password in plaintext Weak password - Some network admins incorrectly use SSIDs as basic passwords

WarChalking

Symbols are drawn in public places to advertise open Wi-Fi networks.

KARMA Attack

create an evil twin using KARAM tool

WarWalking

o Attackers walk around with Wi-Fi-enabled laptops installed with a wireless discovery tool to map out open wireless networks.

MAC DoS Attacks

o de-authentication flood attacks = everyone de-authenticated o virtual jamming o association flood attacks


Set pelajaran terkait

Smartbook: Chapter 2 Analyzing and Recording Transactions

View Set

Personal Finance Chapter 4 & 5 Vocabulary

View Set

Cisco Networking Basics Module 8-14 Quiz

View Set

Quelques pays francophones et leurs capitales - Europe, Af. du Nord, Afrique Occidentale

View Set