Chapter 7 - Wireless Network Hacking

Question 1

List the speeds, frequencies and modulation type for the following

802. 11a
803. 11b
804. 11g
805. 11n
806. 11ac

Answer 1

802. 11a - 54, 5Ghz, OFDM
803. 11b - 11, 2.4Ghz, DSSS
804. 11g - 54, 2.4Ghz, OFDM and DSSS
805. 11n - 100+, 2.4 - 5Ghz, OFDM
806. 11ac - 1000, 5Ghz, QAM

Question 2

Exam Tip

802. 11i
803. 16

Answer 2

802. 11i - amendment for security mechanisms on WLANs

802. 16 - WiMax, speeds started at 40Mbs and are moving to gigabit

Question 3

Define Orthogonal Frequency Division Multiplexing (OFDM)

Answer 3

several waveforms simultaneously carry messages.

Transmission media is divided into a series of frequency bands that don’t overlap each other and each can carry a separate signal

Question 4

Define Direct Sequence Spread Spectrum (DSSS)

Answer 4

DSSS combines all available waveforms into a single purpose. Entire bandwidth can be used at once for the delivery of a message

Question 5

Define Basic Service Area (BSA)

Define Basic Service Set (BSS)

Answer 5

BSA - single access point coverage

BSS - communication between single AP and its clients

Question 6

Define Extended Service Set (ESS)

Answer 6

when multiple AP’s are setup with correct channels and a client can associate and disassociate from each one as it roams between them.

Question 7

Define BSSID

Answer 7

the MAC Address of the WAP at the center of your BSS

Question 8

Define dipole and Parabolic dish antennas

Answer 8

dipole - 23 signal ‘towers’ and are omnidirectional

parabolic dish - like a satellite dish, directional, tremendous range

Question 9

Define Service Set Identifier (SSID)

Answer 9

text string that identifies the wireless network

Question 10

Compare Association and Authentication for a WLAN

Answer 10

Association - act of client connecting to an AP

Authentication - client is identified before it can access anything on the network

Question 11

Wired Equivalent Privacy (WEP) encryption notes

Answer 11

Intended to only give equivalent privacy as a wired hub

uses Initialization Vector (IV)

Question 12

WEP IV issues

Answer 12

IV does a 32 bit integrity check value (ICV) and appends it to data payload

the provides 24 bit IV, combined with key in RC4

key stream is encrypted by XOR and combined with ICV.

But IV is small and RC4 easy to break. So WEP is easily cracked. Attacker captures enough packets to analyze IV and gets the key

Question 13

WiFi Protected Access (WPA)

Answer 13

Uses TKIP, a 128 bit key and client’s MAC address for encryption

Changes the key every 10,000 packets (hence Temporary)

Keys are transferred back and forth during EAP authentication session, which 4 step handshake proves the client belongs to the AP and vice versa

Question 14

TKIP

Answer 14

Temporal Key Integrity Protocol

Originally had some vulnerabilities

Question 15

WiFi Protected Access 2 (WPA2)

Answer 15

Uses AES, FIPS 140-2 compliant

WPA2-Enterprise - you can tie EAP or RADIUS server into authentication

WPA2-Personal - uses preshared key

Uses CCMP (Cipher Blockchaining Message Authentication Code Protocol). Uses hashes (aka message integrity codes) to ensure integrity

Question 16

Different Attacks

Evil Twin (aka mis-association attack)
Ad-Hoc

Answer 16

Evil Twin - setup WAP, that looks like legitimate one, have victims associate to it and use your spoofed DNS settings, capture their packets, etc.

ad-hoc - attacker sets laptop up and advertises his ad-hoc laptop network. Shouldn’t work, but often does

Question 17

“honeyspot” attack

Answer 17

faking a well-known hotspot like Starbucks or ATT

Question 18

Wireless Denial of Service attacks

disassociate
unauthorized association
jamming the wireless signal

Answer 18

disassociate - craft and send packets to client that forces them to drop their connections

unauthorized association
Use a rogue AP to have legitimate users connect, which removes their access to a legitimate AP

Question 19

Wireless sniffing tools

OmniPeek
AirMagnet
WiFi Analyzer Pro
WiFi Pilot

Answer 19

OmniPeek - also shows network activity status and monitoring

AirMagnet - from Fluke. Also has compliance reporting engine

WiFi Analyzer Pro
WiFi Pilot

Question 20

Tools for rooting Android

Answer 20

SuperOneClick

Superboot, OneClickRoot, Kingo, unprovoked, RescueRoot, UnlockRootPro

Question 21

3 Types of jailbreaking iOS

Answer 21

Userland (user-level access but not admin)

iBoot, Bootrom both grant admin privileges

Question 22

3 Techniques for jailbreaking iOS

Answer 22

untethered - kernel remains patched (jailbroken) after reboot with or without a system connection

semi-tethered - reboot doesn’t retain patched kernel, but software is already added to device. So if admin privileges are needed, the installed jailbreaking tool can be used

tethered - reboot removes all jailbreaking patches and phone may get stuck in constant loop on startup, requiring USB (system) connection to fix

Question 23

jailbreaking tools

Answer 23

evasi0n7

GeekSn0w

Pangu

Redsn0w

Absinthe

Cydia

Question 24

Mobile Device Management for securing mobile devices

Answer 24

can be used to push out security policies, application deployment and monitoring

XenMobile
MaaS360
AirWatch
MobiControl

Question 25

3 Techniques for jailbreaking iOS

Answer 25

untethered - kernel remains patched (jailbroken) after reboot with or without a system connection

semi-tethered - reboot doesn’t retain patched kernel, but software is already added to device. So if admin privileges are needed, the installed jailbreaking tool can be used

tethered - reboot removes all jailbreaking patches and phone may get stuck in constant loop on startup, requiring USB (system) connection to fix

Question 26

jailbreaking tools for iOS

Answer 26

evasi0n7

GeekSn0w

Pangu

Redsn0w

Absinthe

Cydia

Question 27

Bluetooth Tools

BlueScanner 
BT Browser
Bluesniff, btCrawler
Blooover
PhoneSnoop

Answer 27

BlueScanner - finding devices, tries to extract and display as much as possible

BT Browser - finding, enumerating devices

Bluesniff, btCrawler - similar but with GUIs

Blooover - blue bugging

PhoneSnoop - spyware on a blackberry

Question 28

Bluetooth Tools

BlueScanner 
BT Browser
Bluesniff, btCrawler
Blooover
PhoneSnoop
BBProxy

Answer 28

BlueScanner - finding devices, tries to extract and display as much as possible

BT Browser - finding, enumerating devices

Bluesniff, btCrawler - similar but with GUIs

Blooover - blue bugging

PhoneSnoop, BBProxy - spyware on a blackberry

Question 29

Personal tips

know what CCMP, EAP, MIC do

know what you need to crack WEP

know which tools are good for which techniques

which wireless protocols use which type of encryption

which tools give root on mobile devices

jailbreaking techniques

Answer 29

know what CCMP, EAP, MIC do
(MIC. Message Integrity Codes. provides integrity checking in WPA via sequence numbers. It is used by CCMP)

know what you need to crack WEP
(MAC, SSID)

know which tools are good for which techniques

which wireless protocols use which type of encryption

which tools give root on mobile devices

jailbreaking techniques

Question 30

Define Untethered Jailbreaking Technique

Answer 30

untethered - kernel remains patched (jailbroken) after reboot with or without a system connection

Question 31

Define Semi-Tethered Jailbreaking Technique

Answer 31

semi-tethered - reboot doesn’t retain patched kernel, but software is already added to device. So if admin privileges are needed, the installed jailbreaking tool can be used

Question 32

Define Tethered Jailbreaking Technique

Answer 32

tethered - reboot removes all jailbreaking patches and phone may get stuck in constant loop on startup, requiring USB (system) connection to fix