Wireless Network Attacks & Defenses Flashcards

1
Q

3 Wireless Technologies (mcq)

A

i. Infrared communication
* Line-of-sight
ii. Terrestrial microwave
* Line-of-sight
iii. Radio waves
* High-frequency and low-frequency radio technology

2
Q

Types of Wireless Networks

A

ref img

3
Q

4 Wireless Network Vulnerabilities

A
  1. Shared media
    * Packets are sent over shared media, accessible to all
    * Packets can be sniffed, hijacked, inserted
  2. Signal blockage
    * Electromagnetic waves can be blocked by metals, water
    * Bandwidth can be interfered with and jammed
  3. No definite borders
    * Packets can be sniffed, hijacked, inserted from anywhere that signals can be detected
  4. No fixed points
    * Hard to pinpoint attacker’s location
4
Q

3 Types of Wireless Network Attacks

A
  1. Reconnaissance Attacks
    * Packet sniffers, Ping sweeps, Port scans
  2. Access Attacks
    * Password attack, Trust exploitation, Man-in-the-middle attack
  3. Denial of Service Attacks
    * Single-Message DoS attacks, Flooding DoS attacks, Distributed
    DoS attacks
    * Signal jamming
5
Q

WPAN - Bluetooth | What is Bluetooth

A
  • is a Radio Frequency (RF) specification
  • for short-range, point-to-point and point-to-multipoint
  • for voice and data transfer
6
Q

WPAN - Bluetooth | What is it perfect for

A
  1. Small
  2. low power
  3. low cost
  4. good performance
7
Q

WPAN - Bluetooth | What is it useful for

A
  • Cable replacement
  • Data and voice access points
  • Ad hoc networks
8
Q

4 Bluetooth Attacks

A
  1. Bluejacking
    * An attacker sends unsolicited messages to Bluetooth-enabled devices; more annoying than harmful
  2. Bluesnarfing
    * Attack that accesses unauthorised information on a wireless device through a Bluetooth connection and steals data stored in the device
  3. Bluebugging
    * Attacker connects to the target device without the owner's knowledge and executes commands on the device
  4. Blueborne
    * Attack conducted by exploiting a stack buffer overflow flaw, hijacking Bluetooth connections and gaining control of the target device’s embedded content and functions
9
Q

WLAN – 802.11 | What is it

A
  • The IEEE 802.11 WLAN standard defines how radio frequencies in the unlicensed ISM frequency bands are used for the physical layer and the MAC sublayer of wireless links
  • Various implementations of the IEEE 802.11 standard have been developed over the years

TESTED - REF IMAGE

10
Q

5 WLAN Attacks (First 3)

A
  1. WAR Driving / WAR Walking
    * Access Point / wireless network discovery
    * Wireless location mapping
  2. Wireless Protocol Analyser
    * Wireless traffic is captured to decode and analyse the contents of packets
    * Wireless network interface card adapters can operate in one of six modes: master (AP), managed (client), repeater, mesh, ad-hoc, or monitor (also called Radio Frequency Monitor, RFMON)
  3. RF Interference attacks
    * Use equipment to flood RF spectrum with enough interference to impact network
11
Q

5 WLAN Attacks (Last 2)

A
  1. Evil Twin
    * An AP set up to mimic an authorised AP so that users' devices connect to the evil twin instead
  2. Rogue Access Points
    * A rogue access point is an unauthorised wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, allowing attackers to bypass network firewall security
    * Use monitoring tools to locate rogue access points
12
Q

Wired Equivalent Privacy (WEP)

A
  • relies on a secret key that is shared between a wireless client device and the access point (AP)
  • A WEP key is an alphanumeric character string that is used for encrypting and decrypting any packet transmitted
  • provides confidentiality to wireless transmission
13
Q

WEP Encryption (btr go watch video)

A
  • Integrity Check Value (ICV) is a cyclic redundancy check (CRC) value calculated for the plaintext
  • Initialization Vector (IV) is a 24-bit value randomly generated each time a packet is encrypted
  • IV and the shared secret key are combined to ‘seed’ a random keystream that is combined through exclusive OR (XOR) with the plaintext to form the ciphertext for the packet
  • IV is added to the front of the ciphertext (“prepended”) so the receiver can decrypt the message
14
Q

3 WEP Weakness (btr go watch video)

A
  1. Encryption key length is too short (64-bit or 128-bit)
  2. Initialization Vector (IV) is too short (24-bit)
  3. WEP implementation produces a detectable pattern that
    attackers can break
15
Q

How does WEP Weakness happen

A
  • 24-bit IV creates only about 16 thousand possible values (2^24)
  • Reuse of the same IV (called a collision) allows an attacker to launch a keystream or IV attack, as the same IV and secret key will always create the same keystream
  • A keystream attack is the method of determining the keystream by analyzing 2 packets created from the same IV
16
Q

What is used to Crack WEP Secret Key

A

AirSnort/Aircrack-ng

17
Q

How does Cracking WEP Secret Key operate

A
  • It operates by passively monitoring transmissions and computing the encryption key when enough packets have been gathered
  • It requires approx. 5-10 million encrypted packets to be gathered, after which it can guess the encryption password in under a second
18
Q

WLAN Security Solutions - WPA (Wi-Fi Protected Access)

A
  • Replaces the WEP encryption key with Temporal Key Integrity Protocol (TKIP), which creates per-packet keys to prevent collisions
  • Unlike WEP, preshared keys (PSK) are not used for encryption but are used as the starting point for generating encryption keys
  • Replaces CRC with Message Integrity Check (MIC), which provides an integrity check and optional client authentication
19
Q

WLAN Security Solutions - WPA2 (Wi-Fi Protected Access 2)

A
  • Uses the Advanced Encryption Standard (AES) instead of RC4
    cipher
  • Available key length of 128, 192 and 256 bits
20
Q

no

What is WWAN - WiMAX

A

WWAN - WiMAX
  • WiMAX tower
    * Similar in concept to a cell-phone tower
    * Provides coverage to a very large area - 8,000 km²
  • A WiMAX receiver
    * Receiver and antenna could be an external device or can be built into a laptop, like WiFi access
21
Q

no

Properties of WWAN - WiMAX

A
  • Range: 50 km radius from base station
  • Speed: 70 megabits per second
  • Line-of-sight not needed between user and base station
  • WiMAX operates similarly to WiFi but at higher speeds, over greater distances and for a greater number of users
22
Q

no

4 WiMAX Security Issues

A
  1. A flaw in the authentication mechanism used by WiMAX’s privacy
    and key management (PKM) protocol makes WiMAX networks
    susceptible to man-in-the-middle attacks
  2. Management frames are not encrypted, allowing an attacker to
    collect information about subscribers and other potentially
    sensitive network characteristics
  3. Attacker can use legacy management frames to forcibly disconnect legitimate stations
  4. Physical layer denial of service attacks