4. Hacking Wireless Networks Flashcards
What layers of the OSI model does 802.11 WLAN operate?
Layers 1 (Physical Layer) and 2 (Data Link Layer)
What layer of the OSI model does encryption of 802.11 occur?
Layer 2 (Data Link Layer) (other encryption is built into higher layers)
What technologies are used in 802.11 transmission at the PHYSICAL layer (bearing in mind that 802.11 is a wireless protocol)?
At the physical level, 802.11 defines several key transmission methods.
- Direct Sequence Spread Spectrum (DSSS)
DSSS works by spreading the data signal over a wider frequency band using a pseudo-random noise sequence. This makes the signal more resistant to interference and eavesdropping.
Primarily used in older Wi-Fi standards like 802.11b.
- Frequency Hopping Spread Spectrum (FHSS)
FHSS involves rapidly changing the carrier frequency among many distinct frequencies. This minimizes interference and helps avoid signal jamming.
Rarely used in modern Wi-Fi standards, but it was part of the original 802.11 standard.
- Orthogonal Frequency Division Multiplexing (OFDM)
OFDM splits the data signal into multiple smaller sub-signals that are transmitted simultaneously at different frequencies. This technique reduces interference and improves data throughput.
Widely used in the 802.11a, 802.11g, 802.11n, 802.11ac, and 802.11ax standards.
- Multiple-Input Multiple-Output (MIMO)
MIMO uses multiple antennas at both the transmitter and receiver ends to improve communication performance. It allows multiple data streams to be transmitted simultaneously, increasing data rates and reliability.
A key feature in the 802.11n, 802.11ac, and 802.11ax standards.
- Beamforming
Beamforming focuses the Wi-Fi signal towards a specific receiving device rather than broadcasting it in all directions. This increases signal strength and range.
Implemented in the 802.11ac and 802.11ax standards to enhance performance.
What is the main security challenge for wireless networks and what is the general solution?
In wireless networks data is PUBLICLY BROADCAST. Anyone can listen in.
The solution is encryption of data in transit with the strongest algorithm possible.
How does the encryption of wireless data work?
Encryption Process: Data is turned into a form that looks like random gibberish to anyone trying to intercept it (ciphertext)
Encryption Key: The data is encrypted using a special key—a string of characters known only to the sender and receiver. Think of this key as a secret password.
Encryption Algorithms: Wi-Fi uses specific algorithms to perform encryption. Some common ones are WEP, WPA and WPA2. These algorithms determine how the data is scrambled.
Decryption Process: When the encrypted data reaches its destination, the receiver uses the same encryption key to unscramble the ciphertext back into its original form, known as plaintext.
Decryption Key: The receiver uses the same key that was used for encryption. This key turns the gibberish back into meaningful data.
Decryption Algorithm: The same algorithm used for encryption is used for decryption, ensuring that the data is correctly decrypted
What is NON REPUDIATION?
Non Repudiation. This refers to ensuring that the data is received by the intended recipient OR proving that the data received is from a known and trusted sender.
This can be achieved by encryption and/or a digital certificate.
What is ultimate aim of the Encryption Process?
The ultimate aim of encryption is NON REPUDIATION and ensuring DATA INTEGRITY (proving that the data has not been altered in transmission, i.e. MIMA).
The encryption key needs to be generated randomly, needs to be long, and must have a short life.
WEP: What are the key features in WEP encryption?
WEP (Wired Equivalent Privacy). No longer used.
- 40-bit or a 104-bit encryption key. Manually entered
- The key is combined with a 24-bit initialization vector (IV). This is sent in PLAIN text. In ASCII this would be 3 characters long.
- So total key length is either 64-bit or 128-bit
If the key is in ASCII, then each character is 8 bits, meaning a 40-bit key would be 5 characters (then the IV). A 104-bit key would be 13 ASCII characters (then the IV).
- WEP uses the RC4 algorithm stream cipher to encrypt data.
WEP: Why is WEP not very secure?
- The IV is 24 bits, which is very small, so there are not many possible combinations (2 to the power of 24) - easy to guess
Security vulnerabilities were identified:
- The first bytes of the output key stream were identified as 'strongly not random'. This poor randomisation meant it was easy to guess the WEP encryption key
- the key is static and does not change each session
- Weak ICV (generated using the CRC-32 algorithm). Only 32 bits
SO DO NOT USE WEP.
What is the ICV (Integrity Check Value)?
The Integrity Check Value (ICV) is a check to see if packets have been altered in transmission (i.e. it checks the integrity of the data).
In WEP this is calculated using cyclic redundancy check 32 (CRC-32)
What is RC4 Encryption?
RC4 (Rivest Cipher 4):
- Used in WEP
- A symmetric key cipher (uses same key to encrypt & decrypt).
- Uses the KSA (Key Scheduling Algorithm). This initialises the setup of the RC4 algorithm using the provided key. It generates a pseudo-random ordered array of all possible byte values (0 to 255), and
- the PRGA (Pseudo Random Generation Algorithm), which produces bytes (the keystream) that are then XORed with the plaintext bytes to produce the ciphertext (encrypted data). To decrypt the data the same process is used (XORing the ciphertext with the same keystream).
WEP: What is the Fluhrer, Mantin & Shamir (FMS) Attack?
The Fluhrer, Mantin and Shamir attack exploited the weakness in the RC4 Key Scheduling Algorithm to recover the key from encrypted messages.
AirSnort & AirCrack tools exploit this weakness to crack WEP WLANs
WEP: What is an ARP Request Replay Attack?
An effective way to generate new Initialisation Vectors (IVs) to crack a WEP key.
An ARP replay attack listens for an ARP packet and retransmits it back to the access point (AP).
The Access Point (AP) then sends it back with a new IV.
(Remember: ARP, the Address Resolution Protocol, is used by TCP/IP to convert a logical IP address to a physical MAC address.)
What was the solution to the weaknesses found in WEP?
WPA and then WPA2
WPA and WPA2: What Authentication process is used?
- Authentication is via a Pre Shared Key (PSK)
The PSK is a 256 bit key
The user does not need to remember the key and instead can use a password or phrase that is 8 to 63 ASCII characters.
This means that WPA and WPA2 require entering a password that matches the one on the access point.
Security problems:
- The PSK is static and not regularly updated by the user.
- It is cached / stored locally on the device so anyone using that device can access the PSK.
- There is no lockout on the WLAN if multiple incorrect passwords are entered, so it can be susceptible to brute force and dictionary attacks
WPA: What are the key features of this encryption?
Interim measure.
WPA uses RC4 with TKIP (Temporal Key Integrity Protocol).
This means that, unlike WEP's static key, TKIP generates a new encryption key for each data packet. Every data packet therefore has a unique encryption key.
WPA2: What are the key features of this encryption?
Introduced in 2004.
RC4 was replaced by AES (Advanced Encryption Standard)
TKIP was replaced by CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol)
WPA2: What is WPA2 Enterprise?
WPA2 Enterprise was an advanced version of WPA2 designed for larger and more secure networks. It also uses AES encryption.
- Uses a RADIUS server for centralised authentication (RADIUS = Remote Authentication Dial-In User Service)
RADIUS is a networking protocol that operates at port 1812.
Uses the 802.1x and EAP authentication protocols
PSK is NOT used at enterprise level (vulnerable to dictionary attacks) and
WPA2 Enterprise: What is 802.1x and EAP Enterprise Authentication?
It allows individual user accounts so that admins can implement different user controls and monitoring.
Router does not store login credentials
These are stored on a central AAA server
The Wireless Access Points are not responsible for managing access - access requests get forwarded to the RADIUS server.
EAP (Extensible Authentication Protocol), which uses multifactor authentication.
Users are authenticated by Microsoft CHAP version 2 (MS-CHAPv2).
PEAP (Protected Extensible Authentication Protocol) allows the use of digital certificates between server and clients. It also supports the use of smartcards, biometric identification and tokens.
Roam throughout a large building area using ESSID (Extended SSID)
Supports wireless VLANs so clients can be segregated based on access needs.
Supports discovery of rogue access points.
List some wireless hacking tools
Aircrack (most popular, best known for 802.11 WEP and WPA PSK keys - captures packets then attempts to recover the PWs from them using the FMS attack on RC4 encrypted streams)
Kismet (802.11a/b/g/n layer 2 sniffer and IDS. Works on Mac, Windows, Linux and BSD. Passive)
KisMac is the Mac version
Netstumbler (Windows). PW cracking tool. Not as effective today; hasn't been updated since 2014.
Wireshark (Windows, Linux, Mac, Solaris and BSD). Capture and analysis
Debookee (macOS capture and analysis)
AirSnort (cracks WEP keys on 802.11b networks)
Cain & Abel (wireless sniffing tool)
Others:
Fern WiFi Wireless Cracker
CoWPAtty
Airjack
WepAttack
inSSIDer
Wifiphisher
Reaver
Wifite
Summarise the encryption methods and authentication in all types of wireless encryption.
WEP:
Encryption = RC4
Authentication: Open System Authentication (grants access to any device attempting to connect).
WPA:
Encryption = RC4 with TKIP
Authentication = PSK
WPA2:
Encryption = AES and CCMP
Authentication = PSK
WPA2 Enterprise:
Encryption = AES and CCMP
Authentication = 802.1x and EAP / PEAP