Wireless Network Hacking Flashcards

1
Q

802.11 series of wireless standards

A
  1. 11a: 54 Mbps, 5 GHz, OFDM modulation
  2. 11b: 11 Mbps, 2.4 GHz, DSSS modulation
  3. 11d: variations of a and b
  4. 11e: Quality of Service
  5. 11g: 54 Mbps, 2.4 GHz, OFDM and DSSS modulation
  6. 11i: WPA/WPA2 encryption standards
  7. 11n: 100+ Mbps, 2.4-5 GHz, OFDM modulation
  8. 11ac: 1000 Mbps, 5 GHz, QAM modulation
2
Q

Other wireless standards

A
  1. 15.1: Bluetooth
  2. 15.4: Zigbee - low power, low data rate, close proximity ad hoc network
  3. 16: WiMAX - 40 Mbps, wireless metropolitan area network
3
Q

Orthogonal Frequency Division Multiplexing (OFDM)

A

The transmission medium is divided into a series of frequency bands that do not overlap each other, and each band can be used to carry a separate signal.

4
Q

Direct Sequence Spread Spectrum (DSSS)

A

A transmission technology used in local area wireless network transmissions. In this technology, a data signal at the sending station is combined with a high data rate bit sequence, which divides user data based on a spreading ratio. The benefits of using DSSS are resistance to jamming, sharing single channels among multiple users, less background noise, and relative timing between transmitter and receivers.

5
Q

Wireless - Ad-hoc mode

A

System to system, such as two computers communicating directly.

6
Q

Wireless - Infrastructure mode

A

Makes use of a wireless access point (WAP). Clients need to associate with a WAP and disassociate to connect to a different WAP. With a single WAP you have a basic service area (BSA). Communication between this single WAP and its clients is known as a basic service set. If you have multiple WAPs, then you have an extended service set (ESS). Roaming involves clients disassociating from one WAP and associating with another WAP within the ESS.

7
Q

Basic Service Set Identifier (BSSID)

A

The MAC address of the wireless access point at the center of the basic service set (BSS).

8
Q

Wireless omnidirectional antennae

A

The signal emanates from the source in 360 degrees. Dipole antennas are omnidirectional.

9
Q

Unidirectional antennae

A

Allow you to focus the signal in a specific direction, greatly increasing signal strength and distance. Yagi antennas are unidirectional. Parabolic grid antennas are unidirectional and work like a satellite dish. Loop antennas are also unidirectional.

10
Q

Cantennae

A

An antenna made from a Pringles can.

11
Q

Service Set Identifier (SSID)

A

A case-sensitive text string that is 32 characters in length and identifies a wireless network. SSIDs are broadcast by default but can be hidden by choosing not to broadcast them (SSID cloaking).

12
Q

Open Systems Authentication

A

No authentication is performed by the WAP on the client.

13
Q

Shared Key Authentication

A

The wireless client participates in a challenge/response authentication with the AP verifying a decrypted key.

14
Q

War Chalking

A

Drawing symbols in public areas to indicate open WAPs:
)( - open network; adding a key symbol means it is locked
$ - pay for access
W - WEP enabled

15
Q

Wired Equivalent Privacy (WEP)

A
Uses 40-232 bit keys:
64 bit version uses a 40 bit key
128 bit version uses a 104 bit key
256 bit version uses a 232 bit key
Uses RC4
Uses a 24 bit initialization vector (IV)
Calculates a 32 bit integrity check value (ICV)
Easy to crack because attackers can generate enough packets to analyze the IVs and arrive at the key used. Attackers can force disassociation of clients to generate the number of packets needed for cracking the WEP key.
16
Q

Wi-Fi Protected Access (WPA)

A

WPA uses Temporal Key Integrity Protocol (TKIP), a 128 bit key, and the client's MAC address for encryption. WPA changes the key every 10,000 packets. Keys are exchanged using the Extensible Authentication Protocol (EAP), which uses a four-way handshake.

17
Q

WPA2

A

Similar to WPA
WPA2 Personal - uses a preshared key
WPA2 Enterprise - uses Radius for authentication
Uses AES for encryption to ensure FIPS 140-2 compliance
Uses Cipher Block Chaining Message Authentication Code (CCMP) for integrity. CCMP calls them message integrity codes (MICs) and the process is called cipher block chaining message authentication code (CBC-MAC)

18
Q

Wireless Security Standards

A

WEP: RC4, 24-bit IV, 40-232 bit key, CRC-32
WPA: RC4+TKIP, 48-bit IV, 128-bit key, Michael algorithm+CRC-32
WPA2: AES-CCMP, 48-bit IV, 128-bit key, CBC-MAC (CCMP)

19
Q

Wireless Threats

A
  1. Access Control attacks
  2. Integrity attacks
  3. Confidentiality attacks
  4. Availability attacks
  5. Authentication attacks
20
Q

Locate wireless networks

A
  1. WIGLE
  2. Netstumbler
  3. WifiExplorer
  4. WiFiFoFum
  5. OpenSignalMaps
  6. Wifinder
  7. Kismet (works by channel hopping and can sniff packets and save them to a log file for viewing in Wireshark or tcpdump)
  8. Netsurveyor
  9. WeFi
  10. Skyhook
21
Q

AirPCap

A

A USB wireless adapter used for wireless hacking. Works with Aircrack-ng and AirPcapReplay.

22
Q

Wireless Attacks

A

Rogue Access Point
Evil Twin - set to the same SSID as a legitimate WAP. Also known as a mis-association attack. Faking a well known AP is referred to as a honeyspot attack.
Ad-hoc connection attack
Jamming a wireless signal
MAC spoofing - in case a MAC filter is enabled on a WAP; easily done on a Linux machine:
  1. ifconfig wlan0 down
  2. ifconfig wlan0 hw ether AA:BB:CC:DD:EE:FF
  3. ifconfig wlan0 up

23
Q

Wireless Encryption Attack

A
  1. Start a WiFi adapter and ensure it can both sniff and inject packets
  2. Start a sniffer
  3. Use de-auth to force the creation of thousands of wireless packets
  4. Analyze the packets
Tools:
Aircrack may use a dictionary attack for brute force cracking of WPA and WPA2.
Cain and Abel can sniff wireless packets and crack them as well; KisMAC (for Mac OS) can brute force WEP or WPA passwords.
WEPAttack
WEPCrack
Portable Penetrator
Elcomsoft's Wireless Security Auditor tool
24
Q

Key Re-installation Attack (KRACK)

A

A replay attack that takes advantage of how WPA2 works. By repeatedly resetting and replaying a portion of traffic, the attacker can eventually learn the full key to encrypt all traffic. An attacker can repeatedly resend the third handshake of another device’s session to manipulate or reset the WPA2 encryption key.

25
Q

Wireless Sniffing tools

A
  1. NetStumbler
  2. Kismet
  3. OmniPeek
  4. AirMagnet WiFi Analyzer Pro
  5. WiFi Pilot