Hacking Wireless Networks Flashcards
A 32 bit identification string of the Access Point
Service Set Identifier (SSID)
SSID inserted into the ? of every ? packet
Header, data
MAC address of the Access Point
Basic Service Set Identifier (BSSID)
A frequency band dedicated to the Industrial, Scientific and Medical purpose
ISM Band
What does GSM stand for?
Global System for Mobile Communication
Name the generations of GSM
Generations: 2G (GSM), 3G (UMTS), 4G (LTE), 5G
Wi-Fi Wi-Fi is a local area networking technology based on what standard?
IEEE 802.11
Name the types of Wi-Fi authentication
Open authentication & Shared Key authentication
What is the purpose of the probe request?
The Probe Request is to discover the network
What does the probe response contain?
The Probe Response contains the parameters (SSID, data rate, encryption, …)
Name the request types associated with Wi-Fi Open System authentication
1 - Probe Request
2 - Open System Authentication Request
3 - Association Request
Name the 3 types of Wireless authentication
1 - Open Authentication - no auth
2 - Shared key - auth via shared key(password)
3 - Centralized - central auth ex. RADIUS
Name the 4 stages of Wi-Fi shared key authentication
Authentication Request
Authentication Response with Challenge Text
Encrypted Challenge Response
Successful / Unsuccessful response
Describe the shared key process and weakness
The client sends Authentication Request
The client encrypt the challenge test with his shared key
The AP decrypt the encrypted challenge test with his shared key, if the decrypted text matches, the successful authentication response frame is sent to the client
This challenge test can be captured by a hacker as a clear text, so the hacker can get the shared key
What does RC4 stand for?
RC4 - Rivest Cipher 4 Stream Cipher Algorithm
What does DSSS stand for?
Direct-Sequence Spread Spectrum (DSSS)
What kind of standard is IEEE 802.1X?
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC)
Does IEEE 802.1X provide for authentication?
Yes, It provides an authentication and access controls across wired and wireless networks
What is Direct-Sequence Spread Spectrum (DSSS)?
Combines all available waveforms into a single purpose
What does EAP stand for?
Extensible Authentication Protocol
What kind of framework is EAP?
an authentication framework frequently used in wireless networks and point-to-point connections
SSID and BSSID stand for what?
Service Set Identifier, Base Service Set Identifier
Name two types of Wireless Antennas
Directional & Omnidirectional
Name 3 types of Directional Antennas
Parabolic, Yagi-Uda, & Horn
What does FHSS mean?
Frequency-hopping spread spectrum (FHSS)
Name 3 types of Omnidirectional antennas
Whip, Rubber Ducky, & Monopole
Name 3 use cases for Omnidirectional antennas
radio broadcasting, cell phones, & GPS
What does WEP stand for?
Wired Equivalent Privacy (WEP)
Name the first wireless encryption standard
Wired Equivalent Privacy (WEP)
What type of attack was WEP designed to prevent?
Man-in-the-Middle attack
Describe Frequency-hopping spread spectrum (FHSS)
A method of transmitting radio signals by rapidly changing the carrier frequency among many distinct frequencies occupying a large spectral band.
What OSI layers is WEP used in?
Physical layer and Data Link layer
What does IV in WEP stand for?
Initialization Vector (IV)
How many bits long is the IV in WEP?
24-bits
How long is the WEP shared-secret key?
40-bits
How long is the WEP key after combining the IV and shared-secret key?
64 bits = 24 bit (IV) and 40 bits (shared-secret key)
What encryption algorithm does WEP use?
RCA RC4 PRNG algorithm
What does WPA stand for?
Wi-Fi Protected Access
How does TKIP make WPA better than WEP?
Temporal Key Integrity Protocol (TKIP) implements a key mixing function that combines the secret key with the initialization vector before passing it to the RC4 cipher. WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine.
WPA’s TKIP increased WEP’s 64 bit key to what bit-length?
128-bit
WPA’s sequence counter mechanism prevents against what type of attack?
Replay attack
How long in bits is WPAs IV?
WPA IV is 48-bit long
What does CCMP in WPA2 stand for?
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
WPA2 uses what symmetric algorithm?
AES
What are the two types of WPA versions?
WPA-Personal & WPA-Enterprise
WPA-Personal uses what cipher for authentication?
TKIP + PSK (password) = 64/128 bit RC4 MIC
WPA-Enterprise uses what cipher for authentication?
TKIP + RADIUS = 64/128 bit RC4 MIC
Name two Wireless attacks on access control
MAC spoofing & Rogue Access point
Name two Wireless attacks on data integrity
Data frame injection & replay attacks
Name two Wireless attacks on confidentiality
traffic analysis, session hijacking, MITM
WPA2 replaced WPAs TKIP with what?
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaced TKIP
Name two Wireless attacks on availability
flooding, ARP poisoning, De-Authentication attacks
WPA2-Personal uses what for authentication?
CCMP + PSK (Pre Shared Key)
128 bit AES MIC Encryption
WPA2-Enterprise uses what for authentication?
CCMP + RADIUS
128 bit AES MIC Encryption
What does WPA2’s CCMP provide?
CCMP provides Data confidentiality (AES), authentication, and access control
Name two Wireless attacks on Authentication
password cracking, identity theft, password guessing
What is BlueSmacking?
An attack that uses the L2CAP protocol to transfer an oversized ECHO packet to the Bluetooth enabled devices resulting in Denial Of Service.
What is BlueBugging?
exploiting bugs in Bluetooth devices to gain remote access
What is BlueJacking?
send unsolicited data to Bluetooth devices
What is BluePrinting?
extract information about the device
What is BlueSnarfing?
steal data from target device
What does WPA use for encryption?
RC4 with TKIP (Temporal Key Integrity Protocol
Initialization Vector (IV) is larger and an encrypted hash
Name 5 WiFi countermeasures
Check paired devices
Turn off visibility / turn off Bluetooth if not used
Use strong PIN
Use encryption
Don’t accept unknown requests
Bluetooth Class 1 is what power and range?
100mW (20 dBm) & 100 m
Bluetooth Class 2 is what power and range?
2.5 mW (4 dBm) & 10 meters
Bluetooth Class 3 is what power and range?
1 mW (0 dBm) & 1 meter
What is the size of the IV and key length in WEP?
24 bits & 40/140 bits
What is the size of the IV and key length in WPA and WPA2?
48-bits & 128 bits
What is the size of the IV and key length in WPA3?
48-bits & 128/256 bits
Name 5 Wi-Fi security auditing tools
What is the purpose of confidentiality attacks?
The role of attacks targeting the confidentiality of the information, is simply to break the encryption model
Which encryption is better, TKIP or CCMP? Why?
CCMP because it uses AES versus TKIP which uses weaker RC4
What is the goal of integrity attacks?
To tamper with the data
What are the 2 countermeasures against integrity attacks?
encryption (so that attacker would not be able to read the message at all) and Message Integrity Codes (MICs) that are basically hashing function like MD5 or SHA1 that take a footprint of the whole message and create a hash of 128 bits (MD5) or 160 bits (SHA1)
What is the purpose of access control attacks?
The concept of access control is all about controlling, who and what devices have access to the network, and who does not. It prevents malicious 3rd parties (unauthorized) from associating to the wireless network
What 4 enhancements does TKIP provide over WEP?
It uses temporal, dynamically created keys instead of static ones used by WEP.
It uses sequencing to defend against replay and injection attacks.
It uses an advanced key mixing algorithm in order to defeat IV collisions and weak-key attacks in WEP.
It introduces Enhanced Data Integrity (EDI) to defeat bit-flipping attack possible in WEP.
What is an attack that aims to penetrate a network by evading WLAN access control measures such as AP MAC filters and Wi-Fi port access controls?
Access control attack
What is an attack where an attacker sends forged control, management, or data frames over a wireless network to misdirect the wireless devices to perform another type of attack?
Integrity attack
What is an attack that attempts to intercept confidential information sent over wireless associations, regardless of whether they were sent in clear text or encrypted by Wi-Fi protocols?
Confidentiality attack
What is an attack that aims at obstructing the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources?
Availability attack
What is an attack that attempts to steal the identify of Wi-Fi clients to gain unauthorized access to the network?
Authentication attack
What are the 6 phases of the wireless hacking methodology?
- Wi-Fi discovery
- GPS mapping
- Wireless traffic analysis
- Launch of wireless attacks
- Wi-Fi encryption cracking
- Compromise the Wi-Fi network
What tool does the material recommend for detecting WPS-enabled APs?
Wash
What 3 Wi-Fi discovery tools does the material recommend?
- inSSIDer Plus
- NetSurveyor
- Wi-Fi Scanner
What mobile Wi-Fi discovery tool does the material recommend?
WiFi Analyzer
What 2 GPS mapping tools does the material recommend?
- WiGLE
- Maptitude Mapping Software
What Wi-Fi hotspot finder tool does the material recommend?
Wi-Fi Finder
What war driving tool does the material recommend?
WiGLE
What must be enabled on your Wi-Fi card to sniff wireless traffic?
Monitor mode
What tool does the material recommend for performing spectrum analysis?
RF Explorer
What is an attack that can obtain 1500 bytes of the pseudo random generation algorithm, which can be used with packetforge-ng to perform various injection attacks?
Wireless fragmentation attack
Name the following attack.
- A client is authenticated and associated with an AP
- An attacker sends a disassociate request packet to take the client offline
Disassociation denial of service attack
Name the following attack.
- A client is authenticated and associated with an AP
- An attacker sends a de-authenticate request packet to take a single client offline
De-authentication denial-of-service attack
What are the 4 steps of launching a MITM attack using aircrack-ng?
- Run airmon-ng in monitor mode
- Start airodump to discover SSIDs on interface
- De-authenticate the client using aireplay-ng
- Associate your wireless card with the AP you are accessing with aireplay-ng
What tool can be used for wireless ARP poisoning?
Ettercap
Provide 3 benefits of DSSS
more bandwidth
data encoding
low power density
noise like signals
hard to detect and jam
What is DSSS?
Direct Sequence Spread Spectrum
What are two ways for an endpoint to discover a WiFi network?
Either by passively waiting and listening for announcements (beacon frames) from access points or by sending prove requests which actively ask every WiFi device around if they are a network
A type of denial-of-service(availability) attack that disconnect devices from a network. The motive is either capturing reconnection handshakes or diminishing the network’s quality of service
Deauthentication attack
Sequencing helps defend against what kind of attacks?
replay and injection attacks.