Chapter 7 - Wireless Network Hacking Flashcards

1
Q

List the speeds, frequencies and modulation type for the following

  1. 11a
  2. 11b
  3. 11g
  4. 11n
  5. 11ac
A
  1. 11a - 54 Mbps, 5 GHz, OFDM
  2. 11b - 11 Mbps, 2.4 GHz, DSSS
  3. 11g - 54 Mbps, 2.4 GHz, OFDM and DSSS
  4. 11n - 100+ Mbps, 2.4 and 5 GHz, OFDM
  5. 11ac - 1000 Mbps, 5 GHz, QAM
2
Q

Exam Tip

  1. 11i
  2. 802.16
A
  1. 11i - amendment for security mechanisms on WLANs
  2. 802.16 - WiMAX; speeds started at 40 Mbps and are moving to gigabit

3
Q

Define Orthogonal Frequency Division Multiplexing (OFDM)

A

Several waveforms simultaneously carry messages.

The transmission medium is divided into a series of frequency bands that do not overlap each other, and each band can carry a separate signal.

4
Q

Define Direct Sequence Spread Spectrum (DSSS)

A

DSSS combines all available waveforms for a single purpose: the entire bandwidth can be used at once for the delivery of a message.

5
Q

Define Basic Service Area (BSA)

Define Basic Service Set (BSS)

A

BSA - the coverage area of a single access point

BSS - communication between a single AP and its clients

6
Q

Define Extended Service Set (ESS)

A

Multiple APs set up with the correct channels so that a client can associate with and disassociate from each one as it roams between them.

7
Q

Define BSSID

A

The MAC address of the WAP at the center of your BSS.

8
Q

Define dipole and Parabolic dish antennas

A

dipole - 23 signal ‘towers’; omnidirectional

parabolic dish - like a satellite dish; directional, with tremendous range

9
Q

Define Service Set Identifier (SSID)

A

A text string that identifies the wireless network.

10
Q

Compare Association and Authentication for a WLAN

A

Association - the act of a client connecting to an AP

Authentication - the client is identified before it can access anything on the network

11
Q

Wired Equivalent Privacy (WEP) encryption notes

A

Intended only to give privacy equivalent to that of a wired hub.

Uses an Initialization Vector (IV).

12
Q

WEP IV issues

A

WEP computes a 32-bit integrity check value (ICV) and appends it to the data payload.

The protocol provides a 24-bit IV, which is combined with the key to seed RC4.

The payload and ICV are XORed with the resulting key stream.

But the IV is small and RC4 is easy to break, so WEP is easily cracked: an attacker captures enough packets to analyze the IVs and recovers the key.

13
Q

WiFi Protected Access (WPA)

A

Uses TKIP, a 128-bit key and the client’s MAC address for encryption.

Changes the key every 10,000 packets (hence ‘Temporary’).

Keys are transferred back and forth during the EAP authentication session, whose 4-step handshake proves the client belongs to the AP and vice versa.

14
Q

TKIP

A

Temporal Key Integrity Protocol

Originally had some vulnerabilities

15
Q

WiFi Protected Access 2 (WPA2)

A

Uses AES; FIPS 140-2 compliant.

WPA2-Enterprise - you can tie an EAP or RADIUS server into authentication.

WPA2-Personal - uses a preshared key.

Uses CCMP (Cipher Block Chaining Message Authentication Code Protocol), which uses hashes (aka message integrity codes) to ensure integrity.

16
Q

Different Attacks

Evil Twin (aka mis-association attack)
Ad-Hoc
A

Evil Twin - set up a WAP that looks like the legitimate one, have victims associate to it and use your spoofed DNS settings, capture their packets, etc.

Ad-hoc - the attacker sets up his laptop and advertises an ad-hoc laptop network. Shouldn’t work, but often does.

17
Q

“honeyspot” attack

A

Faking a well-known hotspot like Starbucks or AT&T.

18
Q

Wireless Denial of Service attacks

disassociate
unauthorized association
jamming the wireless signal

A

disassociate - craft and send packets to a client that force it to drop its connection

unauthorized association - use a rogue AP to have legitimate users connect, which removes their access to the legitimate AP

19
Q

Wireless sniffing tools

OmniPeek
AirMagnet
WiFi Analyzer Pro
WiFi Pilot

A

OmniPeek - also shows network activity status and monitoring

AirMagnet - from Fluke; also has a compliance reporting engine

WiFi Analyzer Pro
WiFi Pilot

20
Q

Tools for rooting Android

A

SuperOneClick

Superboot, OneClickRoot, Kingo, unprovoked, RescueRoot, UnlockRootPro

21
Q

3 Types of jailbreaking iOS

A

Userland (user-level access, but not admin)

iBoot and Bootrom both grant admin privileges

22
Q

3 Techniques for jailbreaking iOS

A

untethered - the kernel remains patched (jailbroken) after a reboot, with or without a system connection

semi-tethered - a reboot doesn’t retain the patched kernel, but the software is already on the device, so if admin privileges are needed the installed jailbreaking tool can be used

tethered - a reboot removes all jailbreaking patches, and the phone may get stuck in a constant loop on startup, requiring a USB (system) connection to fix

23
Q

jailbreaking tools

A

evasi0n7

GeekSn0w

Pangu

Redsn0w

Absinthe

Cydia

24
Q

Mobile Device Management for securing mobile devices

A

Can be used to push out security policies, application deployment and monitoring.

XenMobile
MaaS360
AirWatch
MobiControl

26
Q

jailbreaking tools for iOS

A

evasi0n7

GeekSn0w

Pangu

Redsn0w

Absinthe

Cydia

27
Q

Bluetooth Tools

BlueScanner 
BT Browser
Bluesniff, btCrawler
Blooover
PhoneSnoop
A

BlueScanner - finds devices and tries to extract and display as much as possible

BT Browser - finding and enumerating devices

Bluesniff, btCrawler - similar, but with GUIs

Blooover - bluebugging

PhoneSnoop - spyware on a BlackBerry

28
Q

Bluetooth Tools

BlueScanner 
BT Browser
Bluesniff, btCrawler
Blooover
PhoneSnoop
BBProxy
A

BlueScanner - finds devices and tries to extract and display as much as possible

BT Browser - finding and enumerating devices

Bluesniff, btCrawler - similar, but with GUIs

Blooover - bluebugging

PhoneSnoop, BBProxy - spyware on a BlackBerry

29
Q

Personal tips

know what CCMP, EAP, MIC do

know what you need to crack WEP

know which tools are good for which techniques

which wireless protocols use which type of encryption

which tools give root on mobile devices

jailbreaking techniques

A

know what CCMP, EAP, MIC do
(MIC: Message Integrity Code. Provides integrity checking in WPA via sequence numbers; it is used by CCMP)

know what you need to crack WEP
(MAC, SSID)

know which tools are good for which techniques

which wireless protocols use which type of encryption

which tools give root on mobile devices

jailbreaking techniques

30
Q

Define Untethered Jailbreaking Technique

A

untethered - the kernel remains patched (jailbroken) after a reboot, with or without a system connection

31
Q

Define Semi-Tethered Jailbreaking Technique

A

semi-tethered - a reboot doesn’t retain the patched kernel, but the software is already on the device, so if admin privileges are needed the installed jailbreaking tool can be used

32
Q

Define Tethered Jailbreaking Technique

A

tethered - a reboot removes all jailbreaking patches, and the phone may get stuck in a constant loop on startup, requiring a USB (system) connection to fix