Chapter 15: Wireless Networking Flashcards
Cons to WiFi
1) DECREASE IN BANDWIDTH B/C MORE DEVICES CONNECTED
2) INVEST IN NW CARDS, INFRASTRUCTURE
3) INTERFERENCE W/ OTHER DEVICES
4) LESS RANGE THAN ADVERTISED (usually half the distance promised)
5) TERRAIN CAN SLOW DOWN SIGNALS
Characteristics of WiFi
1) uses RADIO WAVES to transmit data
2) works at the physical layer of the NW
Techniques to managing a connection
1) DSSS (direct-sequence spread spectrum)
2) FHSS (frequency-hopping spread spectrum)
3) IR (infrared)
4) OFDM (orthogonal frequency-division multiplexing)
WiFi Environment: Extension to an existing wired NW as either HW (HAPs) or SW (SAPs) based access points
HAPs //use device such as wireless router or dedicated wireless access point
SAPs //wireless-enabled system attached to a wired NW, which in essence shares its wireless adapter
WiFi Environment: Multiple access points
allows clients to roam from location to location
WiFi Environment: LAN-to-LAN wireless NW
wired NWs in different locations to be connected through wireless technology
WiFi Environment: 3G or 4G hot spot
provides WiFi access to WiFi enabled devices
Wireless standards
1) 802.11a 5Ghz (freq), 54 Mbps (speed), 75 ft (range)
2) 802.11b 2.4Ghz, 11 Mbps, 150 ft
3) 802.11g 2.4Ghz, 11 Mbps, 150 ft
4) 802.11n 2.4/5Ghz, 54 Mbps, ~100 ft
5) 802.16 (WiMAX) 10-66Ghz, 70-1000 Mbps, 30 miles
6) Bluetooth 2.4Ghz, 1-3 Mbps (1st Gen), 33 ft
About SSID
Service Set Identifier
32 Bytes
Embedded within header of packets
Open NWs, it’s visible
Closed NWs, not visible or “cloaked”
Common Wireless Terms:
GSM, Association, BSSID, Hot Spot, Access Point, ISM, Bandwidth
GSM // Global System for Mobile Communications // international standard for mobile wireless
Association //connecting a client to an access point
BSSID // basic service set identification //MAC address of an access point
Hot Spot //location that provides wireless access to public such as coffee shop or airport
Access Point //HW or SW construct that provides wireless access
ISM band// industrial, scientific, and medical band //unlicensed band of frequencies
Bandwidth //speed available for devices
Antennas
Yagi antenna
Omnidirectional antenna
Parabolic grid antenna
Yagi antenna //unidirectional, works well transmitting and receiving signals in some directions //typically used when signal is needed from site to site instead of covering a wide area //enhances security by limiting signals to smaller areas
Omnidirectional antenna //emits signals in all directions, but some directions better than others //can transmit data in 2-D well, but not in 3-D
Parabolic grid antenna //takes form of a dish, unidirectional, sends and receives data over one axis //PRO: catches parallel signals and focuses them to a single receiving point, so gets better signal quality and over longer ranges //can receive over a distance of 10 miles
WiFi Authentication Mode: Open System Authentication
//make NW available to wide range of clients
//authentication occurs when an authentication frame is sent from a client to an access point; access point receives frame, verifies SSID, if correct access point sends verification frame back to client, allowing connection to be made
WiFi Authentication Mode: Shared Key Authentication
//each client receives key ahead of time and can connect anytime
//clients send authentication request to access point, AP returns challenge to client, client encrypts challenge using shared key, AP uses same shared key to decrypt challenge, if responses match, client is validated and connected
Wireless encryption and authentication protocols:
WEP, WPA, WPA2, WPA2 Enterprise, TKIP, AES, EAP, LEAP, RADIUS, 802.11i, CCMP
WEP//Wired Equivalent Privacy//oldest and weakest
WPA//WiFi Protected Access//successor to WEP, addressed many problems //uses TKIP [Temporal Key Integrity Protocol], MIC [Message Integrity Code], and AES [Advanced Encryption Standard] encryption
WPA2//addresses WPA problems //uses AES, CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), EAP [extensible authentication protocol], TKIP, AES [with longer keys]
WPA2 Enterprise//incorporates EAP to strengthen security and scale system up to large enterprise environments
TKIP//enhances WPA over WEP
AES//symmetric-key encryption//used in WPA2 to replace TKIP
EAP //incorporated into multiple authentication methods //such as token cards, Kerberos, certificates
LEAP //Lightweight Extensible Authentication Protocol //made by cisco
RADIUS //Remote Authentication Dial-in User Service //centralized authentication and authorization mgmt system
802.11i //IEEE standard that specifies security mechanisms for 802.11 wireless NWs
CCMP //uses 128-bit keys, with a 48-bit initialization vector (IV) for replay detection
WEP
failed all of these goals: //intended to provide security on same level as wired NWs //defeat eavesdropping on communications //check integrity of data as it flows across NW //use shared key to encrypt packets prior to transmission //provide confidentiality, access control
problems: //protocol was designed without input from academic community or public and professional cryptologists //attacker can easily uncover key with ciphertext and plaintext //CRC32 //Cyclic Redundancy Check //integrity checking has flaws and it is easy to modify packets //IVs//initialization vectors are only 24 bits, so the entire pool of IVs can be exhausted in a short time //vulnerable to DoS attack through messages not authenticated by WEP
// WEP uses IVs a lot; randomized value used with the secret key for data encryption purposes, when these two values are combined, they form a number used once (nonce)
Cracking WEP
intercept as many IVs as possible through sniffing, analyze packets, retrieve key
may take a while; to speed up, perform packet injection
1) Start wireless interface on the attacking system in monitor mode on the specific access point channel; this mode is used to listen to packets in the air
2) probe the target NW with wireless device to determine if packet injection can be performed
3) select tool such as aireplay-ng to perform fake authentication with access point
4) Start WiFi sniffing tool to capture IVs such as aireplay-ng, ARP requests can be intercepted and reinjected back into NW causing more packet generation
5) Run a tool such as Cain and Abel or aircrack-ng to extract encryption keys from IVs
AirPcap
AirPcap //used to sniff wireless frames in ways that standard WiFi cannot //good for auditing wireless NWs
WPA & cracking WPA
most important development introduced was TKIP; it changes the key after every frame
flaws: //weak keys chosen by user //packet spoofing //authentication issues with MS-CHAP v2 [microsoft challenge handshake authentication protocol version 2]
Cracking WPA
REAVER //free in Kali, one of the best tools for cracking WPA
WPA2 and its two modes
full compatibility with 802.11i standards for security
Can function in two modes:
1) WPA2-Personal //relies on input of key into each station
2) WPA2-Enterprise //uses server to perform key mgmt and authentication for wireless clients, common components include RADIUS
Types of attacks on WPA and WPA2
Offline Attack
Deauthentication attack
Brute-force WPA keys
OFFLINE ATTACK //close proximity to access point to observe handshake between client and access point; can capture handshake and recover keys by recording and cracking them offline
DEAUTHENTICATION ATTACK //forcing a reconnect
BRUTE-FORCE WPA KEYS //keep trying username and PW combinations over and over again, tools such as aircrack-ng, aireplay-ng, KisMAC
Risk Mitigation of WEP and WPA cracking
1) COMPLEX PW
2) USE SERVER VALIDATION ON CLIENT SIDE
3) ELIMINATE WEP AND WPA, MOVE TO WPA2
4) USE ENCRYPTION STANDARDS SUCH AS CCMP, AES, TKIP
An attack against wireless NW can be passive or active
Passive //sniffing information that is transmitted
Active //using probe requests to elicit a response
Types of attacks
WARDRIVING, ROGUE ACCESS POINTS, REVERSE SSH TUNNELING with Raspberry Pi, MAC SPOOFING, AD HOC, MISCONFIGURATION, CLIENT MISASSOCIATION, PROMISCUOUS CLIENT, JAMMING ATTACKS, HONEYSPOT ATTACK
WARDRIVING //driving around area with computing device to detect wireless clients and APs
Site Survey Tools: KisMAC, NetStumbler, Kismet, WaveStumbler, InSSIDer
//common for these types of tools to connect to GPS to pinpoint location
Warflying // Warballooning //Warwalking //warchalking
ROGUE ACCESS POINTS //attacker installs new AP completely unsecure behind company firewall
REVERSE SSH TUNNELING //device such as raspberry pi opens connection from inside NW out to attacker to bypass FW restrictions
MAC SPOOFING //for APs that use MAC filtering, you can use MAC spoofing; MAC filtering is used to blacklist or whitelist MAC addresses of clients; attacker can spoof address of an approved client or switch their MAC to a client that is not blocked
Tools: SMAC, ifconfig, changemac.sh
AD HOC //use of WiFi adapter to connect direct to another wireless-enabled system; two systems can interact with each other; main threat is users do not know the difference between infrastructure and ad hoc NW and so may attach to an unsecure NW
MISCONFIGURATION
CLIENT MISASSOCIATION //WiFi propagates through walls and structures; client attaches to AP that is on a NW other than theirs, accidentally or unintentionally
PROMISCUOUS CLIENT //offers irresistibly strong signal intentionally for malicious purposes
JAMMING ATTACKS //works on any type of wireless NW, essentially DoS attack; can use a specifically designed HW device that can transmit signals that interfere with 802.11 NWs
HONEYSPOT ATTACK //attacker sets up rogue access point in range of several legit ones
HW device WiFi Pineapple from Hak5
Modes of Bluetooth
Some attacks that have been made on users
DISCOVERABLE //allows device to be scanned and located by other Bluetooth devices
LIMITED DISCOVERABLE //discovered for short period of time
NONDISCOVERABLE //cannot be located, however if another device has previously found the system it will still be able to
PAIR or NONPAIR //can or cannot pair with another device
some attacks include:
leaking calendar, address book, activate cameras, microphones, control a phone to make calls, connect to internet
Types of Bluetooth Attacks
BLUEJACKING
BLUESNARFING
BLUEJACKING //sending an anonymous text message via Bluetooth to a victim
1) go to contacts in your device's address book
2) create a new contact & enter message as name
3) save the contact w/ a name but w/out a phone #
4) choose send via Bluetooth
5) choose a phone from the list of devices & send the msg
BLUESNARFING //extract information at a distance (address book, call info, text info, other data)
Which of the following operates at 5 GHz?
a) 802.11a
b) 802.11b
c) 802.11g
d) 802.11i
a) 802.11a is the only one that operates at 5 GHz, whereas b and g operate at 2.4 GHz, and the newest, n, can operate at both frequencies; WiMAX is 10-66 GHz and Bluetooth is 2.4 GHz
What is a client-to-client wireless connection called?
a) infrastructure
b) client-server
c) peer-to-peer
d) ad hoc
d) ad hoc
When a wireless client is attached to an access point, it is known as which of the following?
a) infrastructure
b) client-server
c) peer-to-peer
d) ad hoc
a) infrastructure
A __________ is used to attack an NIDS
a) NULL session
b) DoS
c) Shellcode
d) port scan
B. A denial of service (DoS) is used to overwhelm an NIDS, tying up its resources so it cannot perform reliable analysis of traffic and thus allowing malicious packets to proceed unabated.
Which of the following uses a DB of known attacks?
a) signature
b) anomaly
c) behavior
d) sniffer
A. Signature files are used by IDS systems to match traffic against known attacks to determine if an attack has been found or if normal traffic is present.
AirPcap is used to do which of the following?
a) assist in sniffing of wireless traffic
b) allow for NW traffic to be analyzed
c) allow for the identification of wireless NWs
d) attack a victim
a) assist in sniffing of wireless traffic
what is a rogue access point?
a) access point not managed by company
b) unmanaged access point
c) second access point
d) honeypot device
a) access point not managed by company
At which layer of OSI does a packet filtering firewall work?
a) 1
b) 2
c) 3
d) 4
c) Layer 3 at NW layer
What is a PSK?
a) pw for the nw
b) cert for nw
c) key entered into each client
d) distributed pw for each user
C. A PSK is entered into each client that is going to access the wireless network. It is commonly found in WEP, WPA, and WPA2 deployments. PSKs represent a security risk as they can be extracted from a compromised client and then allow a malicious party to access the network.
Which of the following devices is used to perform DoS on a wireless NW?
a) wpa jammer
b) wpa2 jammer
c) wep jammer
d) wi-fi jammer
d) wifi jammer