Time
23 hours 21 minutes
Difficulty
Intermediate
CEU/CPE
23

Video Transcription

00:01
Hi. Welcome back to the course. In the last module we covered SQL injection at a very high level.
00:06
In module 12, we're gonna talk about hacking WiFi and Bluetooth.
00:11
So what is a wireless network? Well, basically, it's a wireless data connection between two network nodes.
00:17
So instead of us plugging in, like, a cable into our machine, you know, from the computer to the router, we would basically just kind of beam a signal, so to speak, from the router or wireless access point to our particular device.
00:30
One of the main advantages of this is cost reduction.
00:36
So, different types of wireless standards. For your Certified Ethical Hacker examination, you just want to be familiar with the frequencies of each standard. So, for example, 802.11n: you want to know that it's 2.4 to 5 gigahertz.
00:50
SSID, so service set identifier. This helps identify the wireless network, mostly the wireless access point. So,
00:58
for your exam, you just want to understand on this particular thing that it doesn't provide any security at all. So just keep in mind that SSID does not actually provide security.
01:10
So, wireless authentication. We've got a couple of different protocols here, so open system authentication and then shared key authentication methods.
01:19
So open system authentication. So basically, it's gonna make the network available to a wide range of clients.
01:23
The authentication frame is gonna be sent from the client to the access point. And once an access point verifies the SSID, it's gonna then send a verification frame to the client to say, "Okay, I recognize who you are."
01:37
Shared key authentication. So each client knows ahead of time that, hey, here's my key, here's my key, and this is what we're gonna use.
01:44
And so it allows us to connect as needed because we both understand the key.
01:52
Three different forms here, and we actually have WPA3 here in 2018 that's come out as well. We have WEP, WPA, and WPA2.
02:02
So WEP, or Wired Equivalent Privacy. It's very vulnerable. It basically uses an initialization vector for the integrity and confidentiality,
02:12
and then it also uses a 32-bit integrity check value.
02:15
So, as I mentioned, flaws. And so basically, with just a very, very small amount of modification, a hacker can, an attacker, excuse me, can take control and modify different packets on a consistent basis.
02:28
So it's susceptible to plaintext attacks as well as denial of service attacks.
02:34
So everyone got concerned over that. So they came out with WPA.
02:38
So, WiFi Protected Access. So one of the key things here is that it uses Temporal Key Integrity Protocol, so TKIP,
02:46
which basically makes sure to change out the key after every single frame,
02:50
and the keys are transferred back and forth during the Extensible Authentication Protocol. Now, so flaws with this are users choosing weak keys, right? And then also we can have weaknesses like packet spoofing.
03:01
So then we've got WPA2. Now, this one uses AES encryption
03:07
and it's compliant with FIPS 140-2, and it also uses CCMP, which is the cipher block chaining message authentication code protocol (say that three times fast), for the integrity check.
03:17
And then there's a couple different forms, like the personal or the enterprise version of it, which uses a server for key management and authentication.
03:25
And one of the major flaws here is that you could do a deauthentication attack with a tool like Wifite. So basically, all that means is that you use this tool. It's gonna transmit a bunch of packets that are intended to kick all the clients off of the wireless network access point, and then once those clients try to reauthenticate,
03:44
you're gonna be able to monitor the handshake that they undergo with that
03:46
wireless access point.
03:51
So, risk mitigation for WEP and WPA. We can use complex passwords or even passphrases as a key for the access point. We also can use things like server validation on the client side. That's going to allow the client to have a positive ID on the access point that it's gonna be connecting to. So that way, we know we're not
04:09
connecting to a rogue access point or something like that.
04:12
We want to eliminate the user of WEP, excuse me, the use of WEP and WPA, and also move into WPA2. Or even, as I mentioned, WPA3 has come out,
04:23
and then also use encryption.
04:26
So, wireless hacking. Some of the things we want to keep in mind for the exam are rogue access point, misconfiguration, client misassociation, and then honeyspot as well. You may or may not have to worry about ad hoc or jamming attacks.
04:42
So a rogue access point is basically where the attacker installed some kind of new access point behind the company's firewall. So it could be that they snuck their way in as, like, a janitor to the building, and they put one, you know, somewhere in the bathroom. And that's, you know, of course, that's behind the company's firewall. In some capacity, they figured out how to get past that.
05:00
So what it does is it allows the attacker access to the network. So in this example here, the attacker's out in their car. But you could be still in the building and, you know, sitting in the bathroom, hacking and hacking and getting information. You could even be around the corner, whatever the case might be. But basically it allows that entry point behind the company's firewall.
05:18
And also the attacker wants to disguise it, right? So, like, if we were hiding it in the bathroom, we wouldn't set it on top of the toilet seat for everybody to find. We'd want to maybe reach up in the ceiling and put it in one of the ceiling panels and then close the panel back where nobody knows that we messed with it.
05:33
So, MAC spoofing. Just like anywhere else with MAC spoofing, this is where the attacker's gonna spoof the MAC address of an approved client. So that way, they can get past any type of filtering we have in place. So there are several tools you can use out there, but some tools are SMAC, ifconfig, and then Change MAC.
05:53
So, ad hoc. So basically, this relies on the attacker using a WiFi adapter to directly connect to another wireless system. So basically, most users are going to be unaware that this is gonna be some kind of malicious connection. So they might just connect to this wireless access point.
06:10
Misconfiguration. That's pretty much common sense, right? So if you don't set things up properly, that's gonna be a vulnerability.
06:17
Client misassociation. Another thing, as I mentioned, you're gonna want to know for the exam. So basically, the client attaches to an access point that's not a part of their network. So it could be something that the attacker is kind of boosting their signal or something, but the user doesn't understand that, hey, that's not really your network. And a lot of times the attacker is gonna put a similar name. So let's just say
06:36
your company network was, you know, we'll just pick on Microsoft again. So Microsoft,
06:42
uh, you know, underscore one is a company wireless network name.
06:46
So all the attacker does is say, well, okay, you know, Microsoft underscore two, you know. So if you're a new user, a user that doesn't really pay attention, you may connect to that second network there, which is actually the attacker's wireless access point.
06:59
And so what this can lead to, if people do that, is the attacker can actually gain access to the protected company network.
07:06
And then we have jamming attacks. So essentially, this is a denial of service attack, and the goal here is to overwhelm and deny the availability of that particular access point to the legitimate users.
07:18
So, the honeyspot attack. Basically the attacker sets up a rogue access point with a stronger signal than others. And so that way the users are like, "Oh, this is the best WiFi out there, you know, let me go ahead and connect to this." So that's another way they can do that.
07:31
You'll see this a lot actually
07:33
out there. You know, someone's sitting out at, like, a Starbucks or something like that in their car, an attacker, and they will boost the signal. So people sitting at the Starbucks jump on their access point, and then the attacker could start harvesting data.
07:47
So, different types of wireless hacking tools out there. Aircrack-ng and Kismet are kind of the more popular ones, and, of course, Cain & Abel as well from a sniffing standpoint.
07:58
So Aircrack-ng, this is kind of what it looks like here as you're getting data out of it.
08:03
Same with Cain & Abel. Again, I mentioned it gives you the ability to kind of sniff and capture packets.
08:11
Kismet,
08:13
and then we also have Wifite as well.
08:16
And if you remember, Wifite is what I mentioned when we were talking about that deauthentication attack, where the attacker is sending a bunch of packets to bump off everybody from the network connection and then capturing the handshake as they reconnect.
08:30
So, just one quick post-assessment question. So TKIP is seen in which one? Is that gonna be WEP, WPA, or WPA2?
08:39
So you're correct if you said WPA. Again, that's one of its specialties, TKIP. WPA2 uses AES.
08:50
So, hacking Bluetooth. So Bluetooth itself could be in different modes. So discoverable: that allows devices around you, the devices that are Bluetooth enabled, to scan your device. And limited discoverable: so basically, you're discoverable for a period of time by other Bluetooth-enabled devices, but then it stops,
09:07
and then, you know, for a period of time, and then it starts again
09:11
for another period of time, stops again, et cetera, et cetera.
09:13
And then not discoverable. So the device can't be located; however, if it's already been located by another device before... So let's say you and your friend are sitting in the room, and you make your device not discoverable. If your friend, you know, wants to discover you, they can, because you've been located already by that device.
09:31
So, different types of Bluetooth threats that we have. Bluejacking: this is basically, you know, where, through Bluetooth messages, I can send anonymous text messages to whatever victim I want. So it's not necessarily a fun thing to do, like, in a crowded room, but it is something you could do in kind of a crowd.
09:50
Bluesnarfing: that's gonna extract information at a distance from a Bluetooth device. So that's essentially somebody taking your information. And Bluetooth honeypots: a tool like Bluepot can be used to draw in malware and also different Bluetooth devices.
10:05
So in this module we talked about WiFi hacking, a little bit about wireless networks, and then also we talked about Bluetooth as well.
10:13
In the next module, we're gonna talk about mobile hacking and mobile security.


Instructed By

Ken Underhill
Master Instructor at Cybrary