Section 8: Wireless Attacks Flashcards
Pre-Shared Key
Used when the access point and the client need to use the same encryption key to encrypt and decrypt the data
Wireless Security Protocols
o Wired Equivalent Privacy (WEP)
▪ Original 802.11 wireless security standard that claims to be as secure as a wired network
▪ WEP was designed to use a static 40-bit pre-shared encryption key with RC4 encryption cipher
▪ WEP’s weakness is its 24-bit initialization vector (IV)
o Wi-Fi Protected Access (WPA)
▪ Replacement for WEP which uses TKIP, Message Integrity Check (MIC), and RC4 encryption
▪ WPA was flawed, so it was replaced by WPA2
o Wi-Fi Protected Access Version 2 (WPA2)
▪ 802.11i standard that provides better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking
▪ WPA2 can be operated in either personal or enterprise mode
o Wi-Fi Protected Access Version 3 (WPA3)
▪ Designed to address the flaws and weaknesses that can be exploited in WPA2
What is WEP’s weakness?
WEP’s weakness is its 24-bit initialization vector (IV) that is sent in clear text.
What is the largest improvement in WPA3?
The largest improvement in WPA3 is the removal of the Pre-Shared Key (PSK) exchange
Wi-Fi Protected Setup (WPS)
Designed to make setting up new wireless devices easier for consumers and end users
▪ WPS relies on an 8-digit PIN code to conduct its authentication
▪ WPS is vulnerable to attacks and should always be disabled
▪ As a penetration tester, identify those WPS-enabled devices for your engagements
“Button on router”
WiFi Protocol Weakness Table
“Open” - No security or encryption used.
WEP - Initialization Vector - Brute Force against Pre-shared Key.
WPA - RC4 and TKIP - Dictionary Attack or Brute Force against a weak PSK
WPA2 - AES and CCMP - Dictionary Attack or Brute Force against a weak PSK
WPA3 - No known weaknesses - Dragonfly (Simultaneous Authentication of Equals)
What is the most commonly used tool for conducting a deauthentication attack?
Aireplay-ng
Airmon-ng
Used to monitor wireless frequencies to identify access points and clients
Airodump-ng
Used to capture network traffic and save it to a PCAP file
Aircrack-ng
Used to crack the keys and passwords of wireless encryption protocols
Evil Twin
A fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. Also called a Rogue Access Point.
Karma Attack
Preferred Network List (PNL)
● A list of the SSIDs of any access points the device has previously connected to and will automatically connect to when those networks are in range
ESPortalV2
A piece of software for setting up a captive portal and redirecting all Wi-Fi devices that connect to that portal for authentication
Captive portals can be used to gather credentials from victims, making them “log in” using Google before they can access the Wi-Fi.
Wifiphisher
Sets up a regular evil twin without a captive portal
Extensible Authentication Protocol (EAP)
Creates an encrypted tunnel between the supplicant and the authentication server