Wireless Hacking (Whiteboard)

[toggle_content title="Transcript"] The field of wireless penetration testing is huge; this is its own field of study and there is a lot in this module. So let us take a closer look. Some of the basic concepts here are how wireless networks are integrated into basically the corporate environment. So they can often become an extension to what we considered the wired network. They typically have multiple access points, so that is multiple areas of attack. We also have 3G and 4G hot spots - or they could be an extension from one local area network to another local area network. Nonetheless, that is great opportunities for the penetration tester. To realistically be an expert in this field you have to know a lot of the basics of wireless transmissions. So let us look at the standards - you are going to need to know all of the 802.11 series: A, B, G, I, N and 16. So 802.11a, this is the first standard or series, and that operated off the five gigahertz frequency. Then B/G compatible was very, very popular; B was a little bit slower, 11 megabits per second, and then G up to 54 megabits per second, but nonetheless they operated in the 2.4 GHz spectrum. Then you have 802.11i, this is where we introduced WPA2; we have 802.11n; we have 802.11 16, which is commonly referred to as WiMax. Also there are major components here. You have the SSID, which is the name of our access point. You have the concept of open authentication, where anybody can connect to an access point, which I don't recommend because you are effectively just giving away access to that, and I get a lot of people that always say - hey, there is nothing on my network anyway. It doesn't matter if there is nothing private or nothing sensitive on your network. If your network gets used to go attack some target, well, you now are downstream liability. So that is going to be a huge problem - then there is a whole subject of shared key authentication, which is a pre-shared key that we will give to our clients and use that to connect to the access points.
So ultimately wireless pen testers are interested in cracking them. Then you have authentication components, and then you have BSSIDs, or effectively MAC addresses of your access point, and this is going to be pretty critical, especially when we get into running tools like aircrack, because you are going to need to get the MAC address of your access point and then use that in the configurations. Before we get into the detail, let us go up here to the antennas. There are different types of wireless antennas that are used. So I highly recommend just going to Google Images and searching for these types of antennae so that we can see a picture and be able to identify them by what they look like, but the categories are directional antennas, omnidirectional antennas, parabolic antennas, yagi antennas - these are things our grandparents might have seen on top of the televisions, look at rabbit ears, right - and then dipole antennas. Let us move down here to attacks. There are all sorts of attacks and in a second I will break them down into confidentiality, integrity and availability style attacks, but some of the basic concepts here are: we are driving around and looking for access points, and derivatives of that which we will talk about. Rogue access points are setting up an unauthorized access point. Somebody connects to your rogue access point and then you get a copy of all of the traffic as it gets relayed to the real access point. MAC spoofing is an attack because effectively the 802.11 standard works at layer 2 of the OSI model. So one of the things we need are MAC addresses. So if you can go spoof the MAC address of a gateway or an access point, that is huge. We are always looking for access point misconfigurations. Default settings - so that is an attack within itself. Ad hoc associations, ad hoc meaning anybody can connect. Promiscuous mode clients, in which basically the client is in listen only mode.
So they can eavesdrop on traffic, and then of course client associations along with the access point mis-associations. These are important because any mis-association, whether it is on the client or the access point, is an opportunity for the pen tester to basically go and start exploiting. Otherwise we can go up here to basic styles of attacks, and this is just some of the basic theory behind how we go around and approach penetration testing. For example, we are driving a car looking for access points. We are flying, flying like a little drone or something, looking for access points. We are walking – just walking around doing it. And I guess there could even be more, bicycling if we wanted to. Otherwise we are chalking; specifically these are symbols in which the access points can be disclosed. For example, closed access points are usually denoted as a circle; open access points are like two reverse half-moons. And if there is a W in the access point, that typically means there is encryption, which really got its start from originally WEP, but now I would just associate that with any encryption. So to effectively attack wireless networks you are going to have to understand some basics of encryption. So this is a whole category all by itself - so the first thing is the WEP algorithm, which uses the Rivest cipher or RC4 stream cipher, and it comes in a bunch of different flavours in terms of its key size. You have 64 bit, 128 bit, 256 bit, but because it is RC4 it uses a 24 bit initialization vector. Later on WPA also used RC4 but it changed its initialization vector size to 48 bits. So an initialization vector, simply stated, if you look for alternative names on an initialization vector, it is basically a starting point: initialization, and vector means direction and map. So the starting direction of the encryption process through the algorithms.
WPA in itself changed to a 48 bit initialization vector because with a 24 bit initialization vector there are only 16,777,214 combinations of it and you could easily just exhaust 16 million of something in today's computing power. So they changed to a 48 bit initialization vector, which is a much larger keyspace - you have to understand the basics of TKIP; this uses a 64 bit message integrity code or MIC. What I recommend here is to just do a basic Wikipedia search on each one of these: WEP, TKIP, AES, CCMP, and that is more than enough to get the background on where the stuff comes from. So TKIP is Temporal Integrity Protocol, or the time changing of your keys. You have AES defined in 802.11i, which is good strong encryption as opposed to RC4, which is not really one of the best encryption algorithms. Then you have your extensible authentication protocols; this is another great thing to do a Wikipedia search on, because it will actually list out all of the different types of extensible authentication protocols. Then of course you have WPA2, which supersedes that of WPA, and this is our first really FIPS 140-2 compliant wireless standard, if you will, which can operate in a standalone mode, or you can do WPA2 Enterprise, which is now connecting your wireless infrastructure to some sort of corporate infrastructure and using something like RADIUS or TACACS to actually handle the identification, authentication, authorization and accounting components. Then you have the whole LEAP and PEAP and all of the things that end in EAP. These also fall into the authentication and encryption world. So this is huge, and then the whole subject of temporal keys in itself, because you have to understand the four way handshake - ANonces and things like that, message integrity codes or pairwise transient keys. All of this stuff is easily looked up on Wikipedia. So I don't want to get into the details of all of the encryption.
Now you absolutely are going to see us configuring the access points and doing our penetration testing in a hands on format here shortly. Before we get into some of the specific style attacks, I want to go down here to some of the popular tools. There is no shortage of tools here in the wireless section; again, this could take months and months and months to really master this content. But you do have some common tools that I want to highlight: tools like inSSIDer, NetSurveyor, NetStumbler, wireless monitor, or even commercial tools like CommView, or even web sites like WiGLE, or even something like Kismet - it is a great Kali or BackTrack scanner - or Wireshark, which we talked about in the sniffing modules. Other than that there are really two other categories. You have Aircrack-ng, which is its own suite of tools which will take you months to master in itself, and it is tough because there are a lot of configuration options there. And then there is also the whole subject of mobile tools. These mobile tools - mobile surveying tools and sniffing tools and hacking and exploitation tools - have come years ahead of themselves in the last five years or so, it being 2014 now. Otherwise the next best thing to do is to really look at the styles of wireless attacks from the principles, meaning confidentiality, integrity, authentication, availability and things like that. So let us take a look at some availability style attacks. My favorite is jamming the signal; you have hardware jammers, you have software jammers, but nonetheless basically the principle here is knocking someone offline so they can't play either. You could just steal the access point - you could force all of the clients to do a disassociation, therefore knocking everybody offline. You could flood the device with EAP failures,
therefore overwhelming the access point - you could do beacon floods, again overwhelming the access point; it knocks it offline or makes it temporarily unavailable. You could do a distributed denial of service style attack or denial of service attack. You could deauthenticate - you send a bunch of deauthentication requests to the access point; these are called deauthentication floods. You could intervene with a routing style attack. You could not only flood it with deauthentication floods but also with authentication floods. You could manipulate the ARP cache of the access point. You could try to send the signal to the access point to put it in power savings mode, so just shut it down, or you can go into specific exploits like TKIP and MIC attacks. And you can look these up within the Metasploit framework and things like that. Confidentiality style attacks focus on disclosure oriented attacks; this is where you have things like eavesdropping using a packet sniffer, something like Wireshark or TShark or something to that effect, or you could just chalk that up to traffic analysis. You could try to crack the WEP key; if the WEP key is disclosed to you or the encryption key is disclosed to you, that is now no longer secret. You could set up an evil twin access point, so everybody connects to your evil twin and then you forward the traffic on to the real access point, therefore getting a copy of everybody's traffic. You could set up a honeypot or honeynet even - you could do a session hijacking attack. Let someone connect to your wireless network legitimately and then just take over their existing session. You could masquerade as someone else or you could go just full blown man in the middle attack. Meanwhile you have integrity style attacks like data frame injections. The key to an integrity attack is it is changing, modifying or altering something within the network traffic.
So data frame injecting - you are inserting in, therefore changing the integrity of the network or the traffic; therefore that is the attack. WEP injection, data replays, initialization vector attacks, even bit flipping attacks or access point replay attacks or even replaying server information or even creating your network virus. Then you could focus just on authentication, like focusing on how does the access point share its pre-shared key. You could focus on the type of authentication like PEAP or LEAP, or go after the login portal itself like a VPN login portal or the access point login, or try to collect the domain information if it is linked to something like Kerberos, which ultimately could result in things like identity theft, or steal somebody else's identity and then you can pretend to be them when you are actually logging in, or simply just guess the key. Otherwise that is the basic framework of what happens in the wireless world. So let us look at some basic countermeasures here if you would have to try to stop the penetration tester. What could you possibly do? I would personally say not much. But let us start somewhere - try using non-regular PIN keys. In other words, we normally go to our key pads and we can do like 1,2,3,4, A,B,C,D, but there are certain other sequences that we can also use that are non-standard; this definitely slows the penetration tester down. You should use the latest, greatest and strongest encryption; that probably goes without saying. I personally laugh when I see something that is encrypted with WEP because I only need about five minutes to crack the key. You should always monitor any sort of pairing of the devices between the client and the server. So monitor the traffic, monitor the relationship of the client and server. Put your devices in a non-discoverable mode or hidden mode; now that can be a deterrent, but to me it is just, why are they trying to hide things?
Simply stated, if you turn off your SSID broadcasts you are probably trying to hide something, something a little more valuable, and I am probably going to go after you first, just for shutting it off, as opposed to the run of the mill person who has their SSID in broadcast mode. So that is a little controversial in itself - you should use strong authentication, meaning something that you have and something that you know. Use multi layered security, like for example the OSI model - so don't just rely on layer two techniques like MAC filtering or layer three techniques like route filtering, but use as many layers as you possibly can; otherwise it is known as defense in depth. The best practices will suggest you could turn off SSID broadcast, but you guys already know how I feel about that. Shut off the remote access capabilities of it, so you have to physically access it, and that creates its own set of challenges. You should absolutely change the defaults; anytime you have a default, that is something I can go after as a pen tester. You should use MAC filters or time of day filters. Physically secure it - something like bunny ears popping out of the ceiling I wouldn't consider physically secured. If you can, put it in a wiring closet where it is actually physically blocked. In theory you can use isolation, but the counter to that is I can use some sort of amplification to get access or increase the signal strength. Also you should use intrusion detection or intrusion prevention systems, or just start penetration testing practices or best practices in themselves. So as you can see, there is a lot that goes on in the wireless world. This is absolutely its own field of study; there are several certifications that map to this, but what I find in the world of computer people is either there are really good people with wireless or there is not at all.
There is no middle ground, and so we are trying to change that, you know - we want to get everybody familiar with the basics of wireless. Not everybody has to be a wireless pen tester, but some simple basics go a very, very long way into stopping people from eavesdropping or doing integrity attacks or availability attacks or disclosure attacks on your network. To keep all of this in mind, let us look at some hands on examples. [/toggle_content] This whiteboard lecture video covers wireless hacking in depth. Wireless technology is continually growing, whether it be with wireless LAN technology and WiFi or in other applications such as cordless telephones, smart homes, and embedded devices. Each of these new technologies comes with its own set of security issues and new opportunities for attackers.
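The lecture lists deauthentication and disassociation floods among the availability attacks and intrusion detection among the countermeasures. As an added example (not part of the lecture or the course), the following Python parses raw 802.11 management frame headers and flags any BSSID whose deauth/disassoc count in a one-second window crosses a threshold; the frames, MAC addresses, window and threshold are constructed assumptions, not values from the page.

```python
# Deauth/disassoc flood detector over raw 802.11 management frames.
# Added example, not from the lecture: addresses, window and threshold
# below are constructed assumptions, not values from the page.
import struct
from collections import defaultdict

# Frame control: type 0 = management; management subtypes of interest.
MGMT, BEACON, DISASSOC, DEAUTH = 0, 8, 10, 12

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_header(frame: bytes):
    """Return (subtype, addr1, addr2, bssid) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack("<H", frame[:2])[0]  # frame control, little-endian
    if (fc >> 2) & 0x3 != MGMT:              # bits 2-3: frame type
        return None
    subtype = (fc >> 4) & 0xF                # bits 4-7: subtype
    return subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])

def build_frame(subtype, addr1, addr2, bssid, seq=0, body=b""):
    """Constructed 24-byte management header (duration 0) plus body."""
    fc = (MGMT << 2) | (subtype << 4)
    return struct.pack("<HH", fc, 0) + addr1 + addr2 + bssid + struct.pack("<H", seq << 4) + body

def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes). Count deauth + disassoc
    per (BSSID, window) and return (bssid, window_start, count) at/over threshold."""
    buckets = defaultdict(int)
    for ts, raw in frames:
        hdr = parse_mgmt_header(raw)
        if hdr is None or hdr[0] not in (DEAUTH, DISASSOC):
            continue
        buckets[(hdr[3], int(ts // window_s) * window_s)] += 1
    return [(b, w, c) for (b, w), c in sorted(buckets.items()) if c >= threshold]

def sample_capture():
    """Constructed capture: beacons, one legitimate deauth, then 30 broadcast
    deauths carrying the AP's MAC inside a single second (the flood)."""
    ap, client, bcast = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000cc02"), b"\xff" * 6
    frames = [(i * 0.1, build_frame(BEACON, bcast, ap, ap, seq=i)) for i in range(10)]
    frames.append((0.3, build_frame(DEAUTH, client, ap, ap, body=b"\x03\x00")))
    frames += [(5.0 + i * 0.01, build_frame(DEAUTH, bcast, ap, ap, body=b"\x07\x00")) for i in range(30)]
    return frames
```

Running `detect_deauth_flood(sample_capture())` reports only the window containing the 30-frame burst; the single legitimate deauth at 0.3 s stays below the threshold. A real deployment would feed frames from a monitor-mode capture and tune the threshold to the site's normal churn.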