Lesson 10 - Testing Wireless Networks Flashcards

1
Q

What is the attack that can use a spoofed MAC address to disrupt the signal to gain access to

A

Deauthentication (deauth) attack

Boots the victims off the AP and forces them to reauthenticate. This allows the malicious actor to capture the four-way handshake and recover the pre-shared key (PSK).

2
Q

What tool provides the ability to capture 802.11 frames and then use the output to identify the Basic Service Set ID (MAC address) of the AP and the victim device?

A

Airodump-ng

3
Q

What is a Python script that can jam or disrupt the signals of all WAPs in an area?

A

wifi jammer

4
Q

Describe the circumstances under which the password for WPA and WPA2 can be attacked.

A

WPA - susceptible to dictionary attacks if a weak passkey has been chosen

WPA2 - a key reinstallation attack (KRACK) can intercept and manipulate the WPA2 4-way handshake

5
Q

What tool can be used to attack the WPS function of a WAP and what are some of its limitations?

A

Reaver - CLI tool used to perform brute-force attacks against WPS-enabled access points

It is slow, and many WAPs have a lockout function that activates after a certain number of failures

6
Q

What is an offline attack against WPS on a WAP called, and what tool can be used?

A

Pixie Dust
Bully - takes advantage of the way some routers generate random numbers

7
Q

Describe the 3 main entities of 802.1X and the many variations of the Extensible Authentication Protocol (EAP).

A

Supplicant - Wi-Fi client in the EAP architecture requesting access

Authenticator - generally the WAP or router that runs EAPoL and passes authentication data to an authentication server (RADIUS)

Authentication Server - RADIUS

Protected Extensible Authentication Protocol (PEAP)

EAP with Tunneled TLS (EAP-TTLS)

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

8
Q

What is the EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, and what is this referred to as?

A

Protected Extensible Authentication Protocol (PEAP)

The tunnel protects an inner method, which uses MS-CHAPv2 or EAP-GTC (Generic Token Card)

Two requirements:
The inner method must be protected and secure

The client must validate the server certificate

9
Q

What is the term for a rogue access point used to trick users into believing that it is legitimate?

A

Evil Twin

10
Q

Name the principal tools of Aircrack-ng.

A

Airmon-ng - enables/disables monitor mode on a wireless interface

Airodump-ng - captures 802.11 frames and uses the output to identify the MAC addresses of the AP and client

Aireplay-ng - injects frames to perform an attack that obtains authentication credentials for an AP, e.g. a deauthentication attack

11
Q

What is the tool included in Kali Linux that is a wireless sniffer, network detector, and intrusion detection system?

A

Kismet - runs mostly on Linux and OS X. On Windows you would need a Wi-Fi Pineapple

12
Q

What is a good wireless auditing tool that can be used to do a site survey, attack and audit?

A

Wifite2

Common attacks:
WPS brute-force PIN
WPS offline - Pixie Dust
WPA offline crack
WPA Pairwise Master Key Identifier (PMKID)

13
Q

What is a tool that can spoof or clone a Bluetooth-enabled device, and what makes Bluetooth different from other wireless technologies?

A

Spooftooph

Bluetooth uses adaptive frequency hopping, so attempting to lock onto a traditional fixed signal is not possible.

Note: the Linux command to configure Bluetooth is hciconfig

14
Q

What is the Python-based commercial program used to test wireless networks that runs on Linux, and what dependencies does it have?

A

Fern

Requires:
Python
Aircrack-ng
Macchanger

15
Q

What is the other Python-based toolkit with a range of features that can attack WPA2-Enterprise on 802.11a or 802.11n?

A

EAPHammer

Requires:
apache2, dnsmasq, and libssl-dev

Good for Evil Twin attacks and stealing RADIUS credentials

16
Q

What is the powerful Linux Wi-Fi attack tool that has a wide range of attacks?

A

MDK4

Mode b - create appearance
Mode a - authentication DoS, sends multiple auth frames
Mode p - probes for SSIDs and brute-forces hidden SSIDs
Mode d - sends deauth frames to disconnect and disassociate clients
Mode w - provokes an IDS/IPS confusion attack

Be careful using this tool
