MOD 16 - Hacking Wireless Flashcards
Wardriving
Driving around in a car with a laptop (or phone) and a wireless adapter, logging the wireless networks encountered, usually with GPS coordinates so they can be mapped
Zigbee
Short-range, low-power communications protocol built on IEEE 802.15.4 for delivering small amounts of data infrequently, at a low rate, within a restricted area (max range about 100 m). Examples include home automation and medical device data collection.
WEP, WPA, WPA2
Wired Equivalent Privacy - designed to make wireless as secure as a wired LAN. Uses RC4 with a single static shared key plus a 24-bit per-packet IV; the key never changes and the IV space is so small that keystreams repeat, so the key can be recovered from captured traffic in minutes
WPA - replacement for WEP that did NOT require a hardware upgrade; a firmware update on WEP devices was enough. Still uses RC4, but with TKIP (per-packet keys and a message integrity check) as a stopgap
WPA2 - uses AES-128/CCMP (AES counter mode with CBC-MAC) for encryption and integrity; needed new hardware
WPA3
Latest WiFi security standard (2018). WPA3-Personal replaces the PSK handshake with SAE and keeps AES-128/CCMP; WPA3-Enterprise 192-bit mode uses GCMP-256 for authenticated encryption, HMAC-SHA-384 for key derivation and confirmation, ECDH-384 for key establishment and ECDSA-384 for authentication. All WPA3 modes require Protected Management Frames (802.11w)
- SAE
Simultaneous Authentication of Equals - the password-authenticated key exchange (Dragonfly) that WPA3-Personal uses in place of the WPA2 pre-shared-key 4-way handshake. Each password guess costs the attacker a live exchange with the AP, so a sniffed handshake cannot be cracked offline, and every session gets fresh keys (forward secrecy).
Evil Twin
Fake WAP (wireless access point) that pretends to be a legitimate one, usually by copying its SSID and offering a stronger signal. Victims connect to the Evil Twin unaware. The attacker can then sniff their traffic, present fake captive-portal login pages to harvest user credentials, etc.
KRACK attack
Key Reinstallation AttaCK (2017) - attack against the WPA2 4-way handshake. By blocking and replaying message 3, the attacker tricks the client into reinstalling the already-in-use session key, which resets its nonce and replay counter; the same keystream is then reused, letting a MiTM decrypt and replay frames (and forge them on implementations that reset the key to all zeros). The attacker never learns the password; the fix is a client patch that refuses to reinstall a key already in use
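The WEP and KRACK cards above both come down to one thing: a keystream used twice. The following is an added example, not part of the flashcards, showing the XOR algebra with RC4 (WEP's cipher, implemented inline) and a repeated IV; the same calculation applies to AES-CTR inside CCMP when KRACK resets the packet number. The shared key, IVs and the two packets are constructed sample values.

```python
# Added example (not part of the flashcards): why a repeated keystream is fatal.
# WEP reused RC4 keystreams because its 24-bit IV wraps; KRACK makes WPA2's
# CCMP reuse an AES-CTR keystream by resetting the packet number (nonce).
# RC4 is implemented inline because that is WEP's cipher; key and packets are constructed.


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA): first n keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet key is IV || shared key; the IV itself rides in the clear in the frame."""
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_from_keystream_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under one keystream K: c1 ^ c2 = (p1 ^ K) ^ (p2 ^ K) = p1 ^ p2.
    Knowing (or guessing) p1 therefore reveals p2 without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


# Constructed sample traffic (not captured data).
SHARED_KEY = bytes.fromhex("0102030405")          # 40-bit WEP key
IV_A = bytes.fromhex("000001")                    # 24-bit IV: only 2^24 values, so it repeats
IV_B = bytes.fromhex("000002")
P1 = b"GET / HTTP/1.1\r\nHost: intranet\r\n"      # predictable plaintext an attacker can guess
P2 = b"POST /login HTTP/1.1\r\npw=hunter2\r\n"    # the frame the attacker wants


def demo() -> dict:
    c1 = wep_encrypt(IV_A, SHARED_KEY, P1)
    c2 = wep_encrypt(IV_A, SHARED_KEY, P2)        # same IV reused -> same keystream
    c2_fresh = wep_encrypt(IV_B, SHARED_KEY, P2)  # a fresh IV gives a different keystream
    return {
        "recovered_p2": recover_from_keystream_reuse(c1, c2, P1),
        "same_iv_leaks": xor_bytes(c1, c2) == xor_bytes(P1, P2),
        "fresh_iv_differs": c2_fresh != c2,
    }


if __name__ == "__main__":
    print(demo())
```

Only the first 32 bytes of P2 come back because that is how much known plaintext P1 supplies; in practice the attacker collects many IV collisions, and with WEP the RC4 key-scheduling weaknesses recover the shared key outright, so guessing plaintext is not even needed.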
- Downgrade attack
Forces a victim onto an older, less-secure protocol. For example, your users normally use WPA3, but an attacker sets up an Evil Twin with the same SSID that only offers WPA2; a client in WPA3 transition mode falls back to the WPA2 4-way handshake, which the attacker can capture and crack offline.
aLTEr Attack
Attacks LTE devices such as phones. The attacker runs a fake cell tower as a relay between the victim and the real tower; because LTE user-plane data is encrypted (AES-CTR) but not integrity-protected, the relay can flip bits in the victim's encrypted traffic, for example to redirect DNS queries to an attacker-controlled server and hijack the victim's session.
Dragonblood
Set of vulnerabilities (2019) in WPA3's SAE/Dragonfly handshake: timing and cache side channels leak information about the password, and in WPA2/WPA3 transition mode a downgrade to WPA2 gives the attacker a handshake to crack offline. Together they allow attackers to recover the password, downgrade security mechanisms, and then decrypt and steal data
Bluetooth attacks
Bluejacking: Bluetooth spam (unsolicited messages or vCards pushed to nearby devices). Bluesnarfing: stealing information (contacts, calendar, files) from a device by exploiting Bluetooth vulnerabilities. Bluesmacking: Bluetooth DoS, typically by flooding a device with oversized L2CAP echo (ping) requests
*BtleJack
Bluetooth Low Energy utility (runs on one or more BBC micro:bit boards plugged in over USB) to sniff, jam, or hijack BLE connections. Main options:
-d selects which connected micro:bit to use (e.g. -d /dev/ttyACM0)
-s scans for existing connections and lists their access addresses; -f <access address> then follows one of them
-c sniffs for new connections (-c any waits for the next connection request, -c <BD address> waits for one device)
-j jams the followed connection
-t hijacks the followed connection (think -t for "takeover"); needs -f to pick the connection first
Best-Practice WiFi configuration
Disable SSID broadcasts, use MAC filtering so only known devices can associate, and use 802.1X port authentication (WPA2/WPA3-Enterprise) rather than one shared passphrase; prefer WPA3 and enable Protected Management Frames
While disabling SSID broadcasts and MAC filtering are worth doing, neither is bullet-proof. The SSID still appears in the clear in probe and association frames, so an attacker can sniff it from a successful wireless association, and MAC addresses are also sent in the clear and trivially spoofed. Treat both as obscurity on top of real authentication, not a substitute for it.
802.1X
Port-based network access control. A connecting device (the supplicant) must authenticate, usually with EAP relayed to a RADIUS server, before the switch port or access point forwards its traffic; applies to wired and wireless ports and is the basis of WPA-Enterprise
WIPS (Wireless IPS)
Wireless Intrusion Prevention System. Monitors the airspace with dedicated sensors to detect and locate rogue access points, evil twins, downgrade bait, deauthentication floods and many other wireless threats, and can contain them (e.g. by deauthenticating clients from a rogue AP)
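The Evil Twin, downgrade and WIPS cards describe detections rather than showing them. The block below is an added example, not part of the flashcards or any WIPS product: a minimal rule set run over constructed beacon records and a constructed management-frame log, flagging evil twins (a known SSID from an unauthorized BSSID), downgrade bait (a known SSID offering a weaker AKM than policy), unmanaged SSIDs and deauthentication floods. The inventory, beacons, MAC addresses and timestamps are made-up sample data.

```python
# Added example (not part of the flashcards): the core of a WIPS rule set over
# constructed beacon and management-frame records. Inventory and samples are made up.
from collections import defaultdict, deque
from dataclasses import dataclass

AKM_STRENGTH = {"OPEN": 0, "WEP": 1, "PSK": 2, "EAP": 3, "SAE": 4}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    akms: frozenset   # AKMs advertised in the RSN IE, e.g. {"PSK", "SAE"} in transition mode


# What the WIPS believes should exist (constructed inventory).
AUTHORIZED = {
    "corp-wifi": {"bssids": {"00:11:22:33:aa:bb", "00:11:22:33:aa:bc"}, "min_akm": "SAE"},
}

SAMPLE_BEACONS = [
    Beacon("corp-wifi", "00:11:22:33:aa:bb", frozenset({"SAE"})),           # healthy AP
    Beacon("corp-wifi", "00:11:22:33:aa:bc", frozenset({"PSK", "SAE"})),    # real AP left in transition mode
    Beacon("corp-wifi", "de:ad:be:ef:00:01", frozenset({"PSK"})),           # evil twin offering WPA2 only
    Beacon("Free-Airport-WiFi", "de:ad:be:ef:00:02", frozenset({"OPEN"})),  # not ours: inform only
]


def audit_beacons(beacons, inventory):
    """Return {bssid: [finding codes]} for every beacon that violates policy."""
    findings = defaultdict(list)
    for b in beacons:
        policy = inventory.get(b.ssid)
        if policy is None:
            findings[b.bssid].append("UNMANAGED")
            continue
        if b.bssid not in policy["bssids"]:
            findings[b.bssid].append("EVIL_TWIN")
        weakest = min(AKM_STRENGTH[a] for a in b.akms)
        if weakest < AKM_STRENGTH[policy["min_akm"]]:
            findings[b.bssid].append("DOWNGRADE")   # a client may accept the weaker option
    return dict(findings)


# (timestamp, subtype, source MAC): constructed management-frame log.
SAMPLE_FRAMES = (
    [(0.1 + i * 0.02, "deauth", "de:ad:be:ef:00:01") for i in range(25)]               # 25 deauths in 0.5 s
    + [(1.0, "deauth", "00:11:22:33:aa:bb"), (30.0, "deauth", "00:11:22:33:aa:bb")]  # normal churn
    + [(2.0, "beacon", "00:11:22:33:aa:bb")]
)


def deauth_floods(frames, window=1.0, threshold=20):
    """Sources that sent >= threshold deauth frames inside any sliding `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, subtype, src in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print(audit_beacons(SAMPLE_BEACONS, AUTHORIZED))
    print(deauth_floods(SAMPLE_FRAMES))
```

The transition-mode finding on the legitimate AP is deliberate: a WIPS should flag your own APs when they still advertise PSK next to SAE, because that is exactly the configuration a Dragonblood-style downgrade needs. With Protected Management Frames enforced, the deauth flood rule mostly catches attackers who have not yet adapted, since clients will discard unprotected deauth frames.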