16 - Hacking Wireless Networks Flashcards
How does a Wireless network work?
Data is transmitted by means of electromagnetic waves to carry signals over the communication path.
What are some common wireless terminologies?
- GSM: Universal system used for mobile data transport over wireless networks worldwide.
- Bandwidth: Describes the amount of info that may be broadcasted over a connection
- Basic Service Set Identifier (BSSID): The MAC address of an access point that has set up a Basic Service Set (BSS)
- ISM band: Frequency band for international Industrial, Scientific, and Medical communities
- Access Point: Used to connect wireless devices to a wireless/wired network.
- Hotspot: Places where wireless network is available for public use.
- Association: The process of connecting a wireless device to an access point.
- Service Set Identifier (SSID): A unique 32-alphanumeric-character identifier given to a wireless LAN.
- Orthogonal Frequency-division Multiplexing (OFDM): Method of encoding digital data on multiple carrier frequencies
- Multiple Input, Multiple Output Orthogonal Frequency Division Multiplexing (MIMO-OFDM): Air interface for 4G and 5G broadband wireless comms.
- Direct-sequence Spread Spectrum (DSSS): Original data signal is multiplied with a pseudo random noise spreading code.
- Frequency-hopping Spread Spectrum (FHSS): Method of transmitting radio signals by rapidly switching a carrier among many frequency channels.
What is Wi-Fi?
A WLAN that is based on IEEE 802.11 standard where it allows the device to access the network from anywhere within range of an access point.
What are some advantages/disadvantages for wireless networks?
- Advantages: Fast & easy installation, easy to provide connectivity, access can be from anywhere within range, access for the public.
- Disadvantages: Security issues; bandwidth degrades as more computers connect.
What are the different types of Wireless Networks?
- Extension to a Wired Network: Placing APs between wired and wireless devices to extend a network.
- Multiple Access Points: Connects computers wirelessly by using multiple APs.
- LAN-to-LAN Wireless Networks: Interconnecting LANs via APs.
- 3G/4G Hotspot: A type of wireless network that provides Wi-Fi access to Wi-Fi enabled devices.
What are the different wireless standards?
- 802.11 (Wi-Fi):
  - Applies to wireless LANs and uses FHSS or DSSS as its spread-spectrum technique
- 802.11a:
  - Second extension to the original 802.11; operates in the 5 GHz range.
  - Supports bandwidth up to 54 Mbps by using OFDM
  - A fast standard, but sensitive to walls and other obstacles.
- 802.11b:
  - Operates in the 2.4 GHz ISM band
  - Supports up to 11 Mbps by using DSSS
- 802.11d:
  - Enhanced version of 802.11a and 802.11b.
  - The particulars of the domain can be set at the MAC layer.
- 802.11e:
  - Defines QoS for wireless applications
  - Maintains the quality of video and audio streaming, etc.
- 802.11g:
  - Supports a max bandwidth of 54 Mbps using OFDM and operates at 2.4 GHz.
  - Backward compatible with 802.11b, so 802.11b devices can work directly with an 802.11g access point.
- 802.11i:
  - Provides improved encryption for networks
  - Requires protocols such as TKIP and AES
- 802.11n:
  - Developed to improve on 802.11g in terms of bandwidth
  - Operates on 2.4 and 5 GHz and supports a max data rate up to 300 Mbps.
- 802.11ac:
  - Operates on 5 GHz
  - Faster and more reliable than 802.11n.
  - Provides gigabit networking for a near-instantaneous experience
- 802.11ad:
  - Works in the 60 GHz spectrum
  - Transfer speed is much higher than 802.11n
- 802.12:
  - Manages media utilization on demand using the demand priority protocol.
  - Raises Ethernet speed to 100 Mbps
- 802.15:
  - Defines the standards for a wireless personal area network (WPAN).
- 802.15.1 (Bluetooth):
  - Mainly used for exchanging data over short distances between fixed and mobile devices.
- 802.15.4 (ZigBee):
  - Low data rate and complexity.
  - Transmits data over long distances through a mesh network.
  - 250 kbit/s
- 802.15.5:
  - Deploys on a full mesh or half mesh topology.
- IEEE 802.16:
  - WiMAX
  - Standard for fixed broadband wireless metropolitan area networks (MANs) that use a point-to-multipoint architecture.
What are the types of authentication modes for Wi-Fi?
- Open System Authentication Process: Any wireless client can be authenticated with the AP.
- Shared Key Authentication Process: Both the AP and the client use the same WEP key to provide authentication.
- Centralized Authentication Server: A RADIUS server sends authentication keys to both the AP and the client for authentication. The key enables the AP to identify a particular wireless client.
What are the types of Wireless Antennas?
- Directional Antenna:
  - Used to broadcast and receive radio waves from a single direction
- Omnidirectional Antenna:
  - Provides 360-degree horizontal radiation.
- Parabolic Grid Antenna:
  - Based on the principle of a satellite dish but without solid backing; can pick up Wi-Fi signals from a distance of 10 miles.
- Yagi Antenna:
  - A unidirectional antenna for a frequency band of 10 MHz to VHF and UHF.
- Dipole Antenna:
  - Bidirectional antenna, used to support client connections rather than site-to-site applications.
- Reflector Antennas:
  - Used to concentrate EM energy that is radiated or received at a focal point.
What are the types of wireless encryption?
- 802.11i: amendment that specifies security mechanisms for 802.11 wireless networks
- WEP: Encryption algorithm for 802.11 networks
- LEAP: Proprietary version of EAP developed by Cisco
- WPA: Advanced wireless encryption protocol using TKIP and MIC.
- TKIP: Security protocol used in WPA as a replacement for WEP
- WPA2: Upgrade to WPA using AES and CCMP for encryption
- AES: Symmetric-key encryption used in WPA2
- CCMP: Encryption protocol used in WPA2
- WPA2 Enterprise: Integrates EAP standards for WPA2 encryption.
- EAP: Supports multiple encryption standards such as token cards, Kerberos, certificates, etc.
- RADIUS: Centralized authentication and authorization management system
- PEAP: Protocol that encapsulates EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
What are some issues/concerns with WEP?
- IVs are too short (24 bits)
- Identical key streams
- Lack of centralized key management
- The cipher was designed for one-time use.
- No defined method for encryption key distribution
- Prone to password cracking attacks
What are the different types of Wireless attacks?
- Access Control Attacks: Aim to penetrate a network by evading WLAN access control measures.
  - War Driving
  - Rogue Access Points
  - MAC Spoofing
- Integrity Attacks: Attackers send forged control, management or data frames over a wireless network to misdirect wireless devices in order to perform another type of attack.
  - WEP Injection
  - Data Replay
  - RADIUS Replay
- Confidentiality Attacks: Attempt to intercept confidential info sent over wireless associations, whether clear text or encrypted by Wi-Fi protocols.
  - Eavesdropping
  - Traffic Analysis
  - Cracking WEP Key
- Availability Attacks: Aim to obstruct the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources.
  - Access Point Theft
  - DoS
  - Authenticate Flood
- Authentication Attacks: Aim to steal the identity of Wi-Fi clients.
  - Identity Theft
  - LEAP Cracking
  - VPN Login Cracking
  - Password Speculation
What is a rogue access point attack?
Attacker sets up an AP near a target network in order to lure users to connect.
What is client mis-association?
Attacker sets up access point in a neighboring network of the corporate perimeter and lures users to connect.
What is a honeypot access point attack?
Where an attacker sets up a legit looking network amongst many other nearby networks and lures someone to connect.
What is an AP MAC Spoofing?
Where an attacker spoofs a MAC address to connect as an authorized user.
How can a DoS attack occur on a wireless network?
An attacker sends a de-authentication request and the devices disconnect.
What are the methodologies for hacking wireless networks?
- Wi-Fi Discovery: Discovering and footprinting networks in passive and active ways; looking for networks in range.
- GPS Mapping: Attackers create map of discovered Wi-Fi networks and create a database with statistics such as location.
- Wireless Traffic Analysis: Analyze the traffic to identify vulnerabilities and susceptible victims in a target wireless network to help determine the appropriate strategy for a successful attack.
- Launch Wireless Attacks: Carry out various types of attacks such as fragmentation attacks, MAC spoofing attacks, DoS, etc.
- Crack Wi-Fi Encryption:
  - Start the wireless interface in monitor mode
  - Test injection capability
  - Use tool such as to do fake authentication with AP
  - Start a Wi-Fi sniffing tool to collect unique IVs
  - Start a Wi-Fi packet encryption tool in ARP request replay mode to inject packets
  - Run a cracking tool to extract the encryption key from the IVs
  - Compromise the Wi-Fi network
What are the active/passive methods of Wi-Fi discovery?
- Passive: Sniffing traffic
- Active: Sends out probe request with the SSID to see if an AP responds.
How does an attacker choose the right Wi-Fi card for use in an attack?
- Determine the Wi-Fi requirements: do you just want to listen or inject data
- Learn the capabilities of a wireless card: Know the manufacturer of the card and the chipset (usually different)
- Determine the chipset of the Wi-Fi card: To find out chipset, you can search the internet, look at Windows driver file names, check manufacturer name, look at chipset number, look up FCC ID
- Verify chipset capabilities: Verify chipset is compatible with OS, etc
- Determine the drivers and patches required
What is an AirPcap adapter?
It is an adapter that captures full 802.11 data, management, and control frames for inspection. It can also:
- Decrypt WEP/WPA-encrypted frames
- Provide multi-channel capture
- Inject traffic
- Replay 802.11 network traffic
What is Spectrum Analysis?
Helps actively monitor the spectrum usage in a particular area and measure the power of the spectrum
What is a fragmentation attack?
Where the attacker uses a packet to generate their own packets using the PRGA (Pseudo Random Generating Algorithm) which are then used for various injection attacks.
What are the different types of DoS attacks?
- Disassociation Attack: Where attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the AP and client
- Deauthentication Attack: Where the attacker floods stations with forged deauthenticates or disassociates to disconnect users from an AP.
What are the different ways a MitM attack can occur?
- Eavesdropping: Where an attacker sniffs traffic
- Manipulation: Where the attacker receives the victim's data and manipulates it
What is the Evil Twin attack?
Where a wireless AP pretends to be a legitimate AP by replicating another network's name.
What are methods to break WPA/WPA2 Encryption?
- WPA PSK: The keys can be brute forced using dictionary attacks
- Offline Attack: Be near the AP to capture the WPA/WPA2 authentication handshake and the right packets with keys in them so they can be cracked offline
- De-Authentication Attack: Force a client to disconnect, then capture the reconnect packets so they can be brute forced
- Brute-Force WPA Keys
What is Bluetooth?
A short range wireless communication technology that replaces cables connecting portable or fixed devices while maintaining high levels of security.
What are the modes of Bluetooth?
- Discoverable:
  - Discoverable: Sends inquiry responses to all inquiries.
  - Limited Discoverable: Visible for a certain period of time
  - Non-Discoverable: Never answers an inquiry scan
- Pairing:
  - Non-pairable: Rejects every pairing request
  - Pairable: Will pair upon request
What are the different Bluetooth attacks?
- Bluesmacking: DoS attack that overloads devices with random packets
- Bluejacking: Sending unsolicited messages over BT to BT devices
- Blue Snarfing: Theft of info from a wireless device through a BT connection
- BlueSniff: Proof of concept for a BT wardriving utility
- Bluebugging: Remotely accessing BT devices and using its features
- BluePrinting: Collecting info about BT devices
- MAC spoofing Attack: Intercepting data intended for other BT devices
- MitM/Impersonation Attack: Modifying data between BT enabled devices communicating in a Piconet
What are some BT Threats?
- Leaking calendar and address books
- Bugging devices: making unintended calls, etc
- Sending SMS messages
- Causing financial losses
- Remote Control
- Social Engineering: convince users to lower security settings
- Malicious Code
- Protocol Vulnerabilities
What are the wireless security layers?
- Wireless Signal Security: Wireless IDS, RF Spectrum Security
- Connection Security: Per-Packet Authentication, Centralized Encryption
- Device Security: Vulnerabilities and Patches
- Data Protection: WPA2 and AES
- Network Protection: Strong Authentication
- End User Protection: Stateful Per User Firewalls
How can you defend against WPA/WPA2 Cracking?
- Use a complex, random passphrase that is a minimum of 20 characters
- Use WPA2 with AES/CCMP encryption only
- Use VPN
- Implement a Network Access Control (NAC) or Network Access Protection
How to defend against KRACK attacks?
- Update all routers to latest patches
- Auto update on all wireless devices
- Avoid using public WiFi networks
- Browse only secured websites
- Do not connect to insecure WiFi routers
- Always enable HTTPS everywhere extension
- Enable 2FA
How to detect and block rogue AP?
- RF scanning: repurposed access points that warn about wireless devices in the area
- AP scanning: Scan for AP’s in a nearby area.
- Using Wired Side Inputs: Software detects devices connected in the LAN, including Telnet, SNMP, CDP
- Launch DoS on the rogue AP
- Block the switch port the rogue AP is connected to
How do you defend against wireless attacks?
- Configuration Best Practices: Change the default SSID and disable broadcast, set a router password, enable MAC address filtering
- SSID Settings Best Practices: Use SSID cloaking, do not use important info in SSID name, use FW between AP and intranet, limit strength of wireless network, encrypt traffic
- Authentication Best Practices: Use WPA over WEP, place Wireless AP in secure location, keep drivers updated, use centralized server
How do you defend against Bluetooth Hacking?
- Use non-regular patterns as PIN keys
- Keep device in non-discoverable mode
- Do not accept unknown or untrusted pairing requests
- Always enable encryption
- Keep track of paired devices and remove unneeded ones
- Only pair in secure area
- Use AV
- Use link encryption
What is WPA3 Encryption?
Advanced implementation of WPA2 and uses AES-GCMP 256.
- WPA3-Personal: Delivers password-based authentication using SAE protocol (Dragonfly Key Exchange)
- WPA3-Enterprise: Uses HMAC-SHA-384 to generate keys and ECDSA-384 for exchanging keys
What is the aLTEr attack?
Performed on LTE devices: attackers install a fake communication tower between two authentic endpoints intending to mislead the victim. The tower interrupts the data transmission and hijacks the session.
What are the Wormhole and Sinkhole attacks?
- Wormhole: Exploits dynamic routing protocols; the attacker positions a node in the network to sniff and record transmissions and creates a tunnel to forward data between two endpoints.
- Sinkhole: The attacker uses malicious code to advertise their node as the shortest possible route, attracting traffic from all neighboring nodes.
How can WPA3 encryption be cracked?
Dragonblood is a set of vulnerabilities in WPA3 that allows attackers to recover keys, etc.