
Ethical Hacking v10 Module 14 – Hacking Wireless Networks

Hacking Wireless Networks
Goals
• Understand Wireless Concepts
• Understand Wireless Encryption Algorithms
• Understand Wireless Threats
• Understand Wireless Hacking Methodologies
• Learn Wireless Hacking Tools
• Understand Bluetooth Hacking Techniques
• Understand Countermeasures to Wireless Hacking
• Learn Wireless Security Tools
• Understand Wireless Penetration Testing
Module 14.0 Hacking Wireless Networks
• 14.1 Wireless Concepts
• 14.2 Wireless Discovery and Mapping
• 14.3 Wi-Fi Sniffers
• 14.4 Wi-Fi Attacks
• 14.5 Wi-Fi Cracking
• 14.6 Wireless Hacking Tools
• 14.7 Bluetooth Hacking
• 14.8 Wireless Hacking Countermeasures
• 14.9 Wireless Security Tools
• 14.10 Wireless Penetration Testing
14.1 Wireless Concepts
Wireless Network Basics
• Wireless Local Area Networks (WLAN)
• Based on the IEEE 802.11 standard
• Uses radio channels for communication
• Devices connect to the network via a wireless network access point
• Advantages
• Disadvantages
Wireless Network Advantages and Disadvantages
• Advantages
• Fast, easy installation
• Easy connectivity where cables can’t easily be used
• Internet access from anywhere in range of access point
• Free internet connections in many public places
• Disadvantages
• Security is a concern
• The more devices on the network the more bandwidth is compromised
• Enhancements may need new wireless access points and/or wireless cards
• Wi-Fi networks can be disrupted by some electronic equipment
Wireless Terminology
• GSM
• Bandwidth
• BSSID
• ISM Band
• Access Point
• Hotspot
• Association
• Orthogonal Frequency-division Multiplexing (OFDM)
• Direct-sequence Spread Spectrum (DSSS)
• Frequency-hopping Spread Spectrum (FHSS)
How are Wired and Wireless Networks Different?
• Most wired exploits will also work against Wi-Fi wireless
• Sniffing
• Spoofing
• MITM/Hijacking
• Deauthentication
• DoS
• There are additional wireless LAN network technologies that have their own vulnerabilities
• RFID
• NFC
• Bluetooth
• Cellular
Wireless Network Types
• Extended to Wired Network
• LAN-to-LAN Wireless Network
• Multiple Access Points
• 3G/4G Hotspot
Accessing Wireless Networks
• 802.11a
• 802.11b
• 802.11g
• 802.11i
• 802.11n
• 802.11ac
• 802.16 (WiMAX)
• 802.15 (Bluetooth)
Service Set Identifier (SSID)
• A token used to identify an 802.11 network
• A single, shared identifier used between client and access point
• SSID is continuously broadcast by the access point
• SSID consists of text that is human-readable
• SSID on each host must be reconfigured when the network SSID is changed
• Clients can use non-secure access mode to access a blank, configured, or “any” SSID
• Default values must be changed to ensure security
• SSID is secret on closed networks
Authentication Modes for Wi-Fi
• Open-System Authentication Process
• No key
• Shared-Key Authentication Process
• Password is set on WAP and clients
• 802.1x
• Typically the WAP is open
• DHCP lease
• Client browser opens/is redirected to a captive portal
• Sometimes other protocols are permitted even if browser can’t connect
• Login sent to a RADIUS/TACACS/TACACS+ server
• Client caches short-term session token
Wi-Fi Chalking
• WarWalking: Attackers on foot use Wi-Fi-enabled laptops to identify open networks
• WarChalking: Drawing symbols in public areas to indicate open networks
• WarFlying: Attackers use drones to identify open networks
• WarDriving: Attackers use a vehicle to move around with Wi-Fi-enabled laptops and identify open networks
Wi-Fi Chalking Symbols
• Free Wi-Fi
• Wi-Fi with WEP
• Wi-Fi with MAC Filtering
• Wi-Fi with Multiple Access Controls
• Restricted Wi-Fi
• Wi-Fi with Closed SSID
• Pay for Wi-Fi
• Wi-Fi Honeypot
Wireless Network Antennas
• Directional antenna
• Omnidirectional antenna
• Parabolic Grid antenna
• Yagi antenna
• Dipole antenna
14.2 Wireless Discovery and Mapping
Wireless Discovery
• Attackers must first discover and footprint a wireless network
• Footprinting of a wireless network can be active or passive
• Finding a wireless network:
• Attacker will first check all potential networks
• Attacker will move around with a wireless laptop to find active networks
Wireless Discovery Tools
• inSSIDer
• NetSurveyor
• Vistumbler
• NetStumbler
• WirelessMon
• Kismet
• WiFi Hopper
• Wavestumbler
• iStumbler
• WiFinder
• Wellenreiter
• AirCheck Wi-Fi Tester
• AirRaider 2
• Xirrus Wi-Fi Inspector
• WiFi Finder
• WeFi
InSSIDer Example
Mobile Wireless Discovery Tools
• WiFiFoFum-WiFi Scanner
• WiFi Manager
• Network Signal Info
• OpenSignal Maps
• Fing
• Overlook WiFi
GPS Mapping
• Attacker makes map and database of Wi-Fi networks
• Uses GPS to track Wi-Fi network location and uploads coordinates to site
• Attackers share or sell information
GPS Mapping Tools
• WiGLE
• Skyhook
• TamoGraph
• WiFi Site Survey
• Fluke Airmagnet
14.3 Wi-Fi Sniffers
Wireless Traffic Analysis
• Find Vulnerabilities
• Do Wi-Fi Reconnaissance
• Use Tool to Conduct Analysis
• Select the appropriate card/chipset
Wireless Sniffing
• Use sniffers like Wireshark to obtain signals that traverse the air
• Interface will by default receive transmissions bound for it
• Put interface in promiscuous mode to capture all available transmissions
• Sniffing can enable eavesdropping on communications
• More viable in open Wi-Fi
• Encryption largely mitigates problems
• Some information is sent in cleartext despite encryption modes, such as MAC address
• Use MAC address in spoofing attacks
Wireless Sniffing (cont’d)
• In WPA/WPA2 networks, use deauthentication to capture the four-way handshake
• Client must perform the handshake when reconnecting
• Capture PSK exchanged in handshake
• Try cracking PSK
• airodump-ng to sniff for handshake:
• airodump-ng -c <channel> --bssid <MAC address> -w capture wlan0
Wi-Fi Packet Sniffers
• Wireshark with AirPcap
• SteelCentral Packet Analyzer
• OmniPeek Network Analyzer
• CommView for Wi-Fi
• Sniffer Portable Professional Analyzer
• Capsa
• PRTG Network Monitor
• ApSniff
• NetworkMiner
• Airview
• Observer
• WifiScanner
• Mognet
• AirTraf
14.4 Wi-Fi Attacks
Wireless Threats
• Access Control Attack
• Integrity Attack
• Confidentiality Attack
• Availability Attack
• Authentication Attack
• Rogue Access Point Attack
• Client Mis-association
• Misconfigured WAP
• Unauthorized Association
• Ad Hoc Connection Attack
• HoneySpot Access Point Attack
• AP MAC Spoofing
• DoS Attack
• Jamming Signal Attack
• Wi-Fi-Jamming Devices
• MITM
• Evil Twin
Launch Wireless Attacks
• Aircrack-ng Suite
• Reveal Hidden SSIDs
• Fragmentation Attack
• MAC Spoofing Attack
• Deauthentication Attack
• Disassociation Attack
• Man-in-the-Middle Attack
• MITM Attack using Aircrack-ng
• Wireless ARP Poisoning Attack
• Rogue Access Point
• Evil Twin
Evil Twin Attacks
• Evil Twin Attacks are a type of attack where a rogue access point attempts to deceive users into believing that it is a legitimate access point
• A form of social engineering
• Often facilitated through deauthentication
• Attacker knocks client off real network
• Client reconnects to rogue AP
• Can launch all manner of attacks against connected victim
Evil Twin Attacks (cont’d)
• Effective because it's not always easy to determine the correct network
• Real and fake can have same SSID
• Can use same encryption protocol
• Fake can be placed close to victim so it shows up as a strong signal
• Evil twins are usually open so as not to require a password
• Specific attacks leverage evil twin to make it more effective
Evil Twin Attacks (cont’d)
• Karma attack:
• Some client devices send out probe requests for known Wi-Fi networks
• Doesn't wait passively for AP to send beacon frame
• Attacker listens for request and responds with their rogue AP
• Client doesn't need to be close to real AP
• Attacker doesn't need to broadcast spoofed SSID
Evil Twin Attacks (cont’d)
• Downgrade attack:
• Also called SSL strip
• Entice victim to connect to evil twin
• Victim navigates to HTTPS site
• Evil twin acts as a proxy with secure connection to site
• Site responds, proxy intercepts response, modifies it to use HTTP
• Proxy forwards response to user, who believes they have a secure connection
• User's transmissions sent in cleartext back to proxy
WiFi-Pumpkin Evil Twin Example
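The deauthentication, evil twin and Karma behaviours described in the slides above all leave fingerprints in 802.11 management frames, which is what a wireless IDS (listed later under countermeasures) keys on. The following is an added example, not part of the original module or any tool it names: three small detectors run over a constructed frame log. The frame records, the BSSID allow-list (`KNOWN_BSSIDS`) and the thresholds are all assumptions made up for the example.

```python
"""Toy wireless IDS checks over a constructed 802.11 management-frame log.

Added example (not part of the original slides): three detections that map to
the attacks described above - a deauthentication flood, an evil twin
(a BSSID outside the allow-list advertising a known SSID) and Karma-style
probe answering (one BSSID answering probe requests for many unrelated SSIDs).
Frame records, the allow-list and the thresholds are all constructed.
"""
from collections import defaultdict

# Constructed frame records: (timestamp_s, subtype, source_mac, dest_mac, ssid).
# subtype uses 802.11 management-frame names; ssid is "" where the frame has none.
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
    (0.1, "probe_req", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "HomeNet"),
    (0.2, "probe_resp", "aa:bb:cc:ba:d0:01", "de:ad:be:ef:00:01", "HomeNet"),
    (0.3, "probe_req", "de:ad:be:ef:00:02", "ff:ff:ff:ff:ff:ff", "CafeGuest"),
    (0.4, "probe_resp", "aa:bb:cc:ba:d0:01", "de:ad:be:ef:00:02", "CafeGuest"),
    (0.5, "probe_req", "de:ad:be:ef:00:03", "ff:ff:ff:ff:ff:ff", "AirportFree"),
    (0.6, "probe_resp", "aa:bb:cc:ba:d0:01", "de:ad:be:ef:00:03", "AirportFree"),
    (1.0, "beacon", "aa:bb:cc:ba:d0:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
] + [
    # 30 deauth frames in about 3 s carrying the legitimate AP's address.
    # Without 802.11w these frames are unauthenticated, so the source address
    # alone proves nothing about who actually transmitted them.
    (2.0 + i * 0.1, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", "")
    for i in range(30)
]

# Constructed allow-list: SSIDs we operate and the BSSIDs permitted to advertise them.
KNOWN_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Return {source_mac: peak_count} for sources that sent more than
    `threshold` deauth/disassoc frames inside any `window_s`-second window."""
    by_src = defaultdict(list)
    for ts, subtype, src, _dst, _ssid in frames:
        if subtype in ("deauth", "disassoc"):
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:  # slide the window
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def detect_evil_twin(frames, known=KNOWN_BSSIDS):
    """Return sorted (ssid, bssid) pairs where one of our SSIDs is advertised
    (beacon or probe response) by a BSSID that is not on its allow-list."""
    seen = set()
    for _ts, subtype, src, _dst, ssid in frames:
        if subtype in ("beacon", "probe_resp") and ssid in known and src not in known[ssid]:
            seen.add((ssid, src))
    return sorted(seen)


def detect_karma(frames, min_ssids=3):
    """Return BSSIDs that answered probe requests for at least `min_ssids`
    distinct SSIDs; a legitimate AP answers only for networks it serves."""
    ssids_per_bssid = defaultdict(set)
    for _ts, subtype, src, _dst, ssid in frames:
        if subtype == "probe_resp" and ssid:
            ssids_per_bssid[src].add(ssid)
    return sorted(b for b, s in ssids_per_bssid.items() if len(s) >= min_ssids)


if __name__ == "__main__":
    print("deauth floods:", detect_deauth_flood(FRAMES))
    print("evil twins:", detect_evil_twin(FRAMES))
    print("karma-style responders:", detect_karma(FRAMES))
```

Note that the deauth detector reports the legitimate AP's own address, because that is what the spoofed frames carry; the alert is about the frame rate, not the attribution, and 802.11w (protected management frames) is what actually stops the knock-off described in the slides.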
14.5 Wi-Fi Cracking
WEP Cracking
• Weak implementation of the RC4 algorithm
• Uses Initialization Vectors (IVs) to stretch the pre-shared key
• IV pseudo-random generation has a bias
• Can run a statistical analysis if you capture enough IVs
• 20,000 IVs for 40-bit key (64-bit encryption)
• 40,000 IVs for 104-bit key (128-bit encryption)
• No digital signatures
• No sequencing
• Can capture a client ARP request and replay it to accelerate IV generation
• Chosen ciphertext attack
• Replay attack
WEP Cracking Example
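The slide attributes WEP's weakness to the RC4 implementation and its IVs. The following added example (not from the original module) implements textbook RC4, builds the per-frame key the way WEP does (3-byte IV prepended to the shared key), and shows the underlying problem in a way a reader can run: two frames encrypted under the same IV share a keystream, so XOR-ing their ciphertexts cancels the keystream and leaks the XOR of the plaintexts. It also goes one step beyond the slide by computing, from the birthday bound, how few frames a 24-bit IV survives before a repeat becomes likely. The key, IV and plaintexts are constructed; the CRC-32 ICV is omitted.

```python
"""Why a 24-bit IV is fatal for a stream cipher such as WEP's RC4.

Added example, not from the original slides. Textbook RC4 plus WEP-style
per-frame keying (IV || shared key); demonstrates keystream reuse and the
birthday bound on IV collisions. Key, IV and plaintexts are constructed.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: RC4 key = IV || shared key; the IV travels in
    the clear. Decryption is the same call (XOR is its own inverse).
    The CRC-32 ICV that real WEP appends is omitted here."""
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def leaked_plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """With a reused IV the keystreams are identical, so c1 ^ c2 == p1 ^ p2."""
    return xor_bytes(c1, c2)


def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames after which a repeated IV is at least
    `probability` likely, assuming IVs are drawn uniformly at random
    (sequential IVs simply wrap after 2**iv_bits frames instead)."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")         # constructed 24-bit IV, reused below
    p1 = b"GET /login HTTP/1.1"
    p2 = b"POST /api/v1 HTTP/1"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("c1 ^ c2 == p1 ^ p2:", leaked_plaintext_xor(c1, c2) == xor_bytes(p1, p2))
    print("50% chance of an IV repeat after", frames_until_iv_collision(), "frames")
```

The collision figure is well under the 20,000 to 40,000 frames the slide quotes for the statistical (biased-IV) attack, which is why WEP fails even before any RC4-specific weakness is used.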
WPA/WPA2 Cracking
• Introduced TKIP (key rotation)
• Uses much stronger encryption (AES/CCMP)
• Uses sequence numbers so replay can’t be used
• Still susceptible to dictionary attack
• WPA2 KRACK Attack forces the WAP to “reinstall” a zero-length key
• Done during WPA2 handshake
• Key is installed several times
• Can be forced down if key is believed to be “dropped”
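The slide says WPA/WPA2 remain open to dictionary attack but does not show what is actually being guessed. The following added example (not from the original module) implements the standard 802.11i derivation of the pairwise master key, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and uses it to make two defensive points: every candidate passphrase costs the attacker one full PBKDF2 run, and the SSID is the salt, so a default SSID is what makes precomputed tables reusable (the reason behind the "change the default SSID" countermeasure later in the module). The "password"/"IEEE" vector used for the self-check is the one published in IEEE 802.11i; the other SSIDs, passphrases and the guess rate passed to `seconds_to_exhaust` are constructed assumptions.

```python
"""WPA/WPA2-PSK: what a dictionary attack has to compute per guess.

Added example, not from the original slides. PMK derivation per IEEE 802.11i;
sample SSIDs, passphrases and guess rates are constructed.
"""
import hashlib
import math


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32) as specified in 802.11i.
    The passphrase itself never crosses the air; the four-way handshake carries
    nonces and a MIC derived from this key, which is what offline guessing checks."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """802.11i allows 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs,
    i.e. a table precomputed for ssid_a is useless against ssid_b."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def passphrase_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a passphrase chosen uniformly from charset_size**length."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of `length` characters from a
    `charset_size` alphabet. The rate is the caller's assumption; it depends
    entirely on the attacker's hardware, not on anything in the protocol."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    print("802.11i vector:", derive_pmk("password", "IEEE").hex())
    print("same passphrase, different SSID, different PMK:",
          pmk_depends_on_ssid("correct horse", "linksys", "corp-floor3"))  # constructed SSIDs
    # constructed rate: 1e5 PBKDF2 runs per second
    print("8 lowercase letters at 1e5 guesses/s: %.0f days" %
          (seconds_to_exhaust(26, 8, 1e5) / 86400))
    print("12 chars from 62-symbol alphabet: %.1f bits" % passphrase_bits(62, 12))
```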
WPA2 Enterprise
• 802.1x
• RADIUS server

Wi-Fi Protected Setup (WPS) Attacks
• WPS is an attempt to streamline Wi-Fi setup/device enrollment
• Clients use 8-digit PIN to connect
• Each PIN half is calculated separately
• Only 11,000 possible values
• Easy to crack within hours
• Lockout policies can hamper PIN cracking online
• Might take a couple weeks, but still feasible
• Lockout may look for MAC address, so spoofing could be used to bypass
• Brute forcing may trigger DoS on certain WAPs

WPS Exploits
• Pixie Dust offline PIN cracking:
- Recover PIN in minutes
- Several values create two hashes AP uses to authenticate to client
- Nonces E-S1 and E-S2 may be weak in some vendors' APs
- Nonces + PIN + other values = hashes
- If nonces are known, you can match hashes to discover the PIN
• Reaver Pixie Dust attack:
- reaver -i wlan0 -b <AP MAC> -c <AP channel> -K 1
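The WPS slides state that the PIN halves are confirmed separately and that only 11,000 values remain, and that lockout policies slow online guessing. The following added example (not from the original module, and not part of Reaver) shows where those numbers come from: the eighth PIN digit is a checksum of the first seven (the published WPS checksum algorithm), and confirming the halves independently turns 10^7 valid PINs into 10^4 + 10^3 guesses. It also lets an administrator test whether a lockout policy changes the picture. The PIN `12345670` and the lockout parameters are constructed sample inputs.

```python
"""WPS PIN structure: why "only 11,000 possible values" holds, and how a
lockout policy changes the worst-case time.

Added example, not from the original slides. Checksum per the WPS
specification; sample PIN and lockout parameters are constructed.
"""
import math


def wps_checksum_digit(first_seven: int) -> int:
    """Checksum digit for a 7-digit PIN prefix: digits weighted 3,1,3,1,...
    from the least significant one, and the weighted sum must vanish mod 10."""
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is exactly 8 digits and its last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])


def online_search_space(split_halves: bool = True) -> int:
    """Worst-case number of online guesses.
    Halves confirmed separately (real WPS): 10**4 for the first half plus
    10**3 for the second half (its last digit is fixed by the checksum) = 11,000.
    If the protocol did not reveal half-correctness: 10**7 valid PINs."""
    return 10 ** 4 + 10 ** 3 if split_halves else 10 ** 7


def worst_case_hours(attempts_per_lockout: int, lockout_minutes: float,
                     seconds_per_attempt: float = 1.0) -> float:
    """Hours to exhaust the 11,000-guess space when the AP allows
    `attempts_per_lockout` failed attempts and then blocks for `lockout_minutes`.
    A lockout keyed on the client MAC does not add to this figure if the
    client address can simply be changed, as the slide notes."""
    guesses = online_search_space()
    windows = math.ceil(guesses / attempts_per_lockout)
    seconds = guesses * seconds_per_attempt + (windows - 1) * lockout_minutes * 60
    return seconds / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))   # constructed sample PIN
    print("online guesses with split halves:", online_search_space())
    print("no lockout, 1 s per attempt: %.1f h" % worst_case_hours(11000, 0))
    print("3 attempts then 60 min lockout: %.0f h" % worst_case_hours(3, 60))
```

Running it shows that a strict lockout pushes the worst case from hours to months, but that disabling WPS (wps_state=0 in hostapd, or the equivalent vendor setting) is the only setting that removes the 11,000-guess space entirely, and it is the only control that also defeats the offline Pixie Dust variant.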
Cracking Wireless Encryption – WPA/WEP Cracking Tools
• Aircrack-ng
• Besside-ng
• KisMAC
• Cain & Abel
• Elcomsoft Wireless Security Auditor
• WepAttack
• Wesside-ng
• Reaver Pro
• WEPCrack
• WepDecrypt
• Portable Penetrator
• CloudCracker
• coWPAtty
• Wifite
• WepCrackGui
• Penetrate Pro
• Fern WiFi Cracker
WPS Reaver Attack Example
14.6 Wireless Hacking Tools
Sniffers
• Kismet
• Wireshark
• Airodump-ng
• Vericode
• Monitis
Wardriving Tools
• Airbase-ng
• ApSniff
• WiFiFoFum
• MiniStumbler
• WarLinux
• MacStumbler
• WiFi-Where
• AirFart
• AirTraf
• 802.11 Network Discovery Tools
Monitors
• NetworkManager
• KWiFiManager
• NetworkControl
• Sentry Edge II
• WaveNode
• xosview
• RF Monitor
• DTC-340 RFXpert
• RF Explorer
• Home Curfew RF Monitoring System
• SigMon
Analyzer Tools
• AirMagnet WiFi Analyzer
• OptiView XG Network Analysis Tablet
• Observer
• Ufasoft Snif
• vxSniffer
• OneTouch AT Network Assistant
• Capsa Network Analyzer
• SoftPerfect Network Protocol Analyzer
• OmniPeek Network Analyzer
• CommView for WiFi
Packet Capturing Tools
• WirelessNetView
• Tcpdump
• Airview
• RawCap
• Airodump-ng
Spectrum Analysis Tools
• Cisco Spectrum Expert
• AirMedic USB
• AirSleuth-Pro
• BumbleBee-LX Spectrum Analyzer
• Wi-Spy
MITM / Evil Twin Tools
• Karma
• Wi-Fi Pumpkin
• Wi-Fi Pineapple
Mobile Hacking Tools
• WiHack
• Backtrack Simulator
• Wps Wpa Tester
14.7 Bluetooth Hacking
Bluetooth Modes
• Discoverable Modes:
• Discoverable
• Limited Discoverable
• Non-discoverable
• Pairing Modes
• Non-pairable
• Pairable
Bluetooth Threats
• Leaking Personal Information
• Controlling Device Remotely
• Device Bugging
• Social Engineering
• Sending False SMS Messages
• Introduction of Malicious Code
• Hiking Up Phone Bill Causing Financial Stress
• Taking Advantage of Vulnerabilities in Protocols
Bluetooth Attacks
• Bluejacking
• Sending unsolicited messages to Bluetooth-enabled devices
• Bluesnarfing
• Unauthorized information access on a device
• Bluebugging
• Unauthorized system access to a device
• BlueBorne
• Collection of overflow attacks that could result in arbitrary code execution
• Pairing and discoverability are not required on the target
• Requires no user interaction
Bluesnarfing Example
Bluetooth Attacks (cont’d)
• Bluesmacking
• DoS
• BluePrinting
• Remotely discover details about Bluetooth enabled devices
• MAC Spoofing Attack
• Man-in-the-Middle/Impersonation Attack
Bluetooth Hacking Tools
• PhoneSnoop
• BlueScanner
• BH BlueJack
• Bluesnarfer
• btCrawler
• Bluediving
• Blooover II
• btscanner
• CIHwBT
• BT Audit
• Blue Alert
• Blue Sniff
14.8 Wireless Hacking Countermeasures
Defending Against Bluetooth Hacking
• Ensure PIN keys use non-regular patterns
• Ensure device is always in hidden mode
• Keep track of all past paired devices and delete suspicious devices
• Ensure BT is kept disabled unless required
• Never accept pairing requests from unknown devices
• Ensure encryption is enabled when connecting to a PC
Defending Against Bluetooth Hacking (cont’d)
• Keep device network range at its lowest
• Only pair with other devices in a secure area
• Ensure antivirus is installed
• Ensure default security settings are changed to the best possible standard
• Ensure all BT connections use Link Encryption
• Ensure encryption is enabled for multiple wireless communications
Wireless Security Layers
• Connection Security
• Wireless Signal Security
• Device Security
• End-user Protection
• Data Protection
• Network Protection
Defending Against Wireless Attacks
Configuration Best Practices:
• Ensure default SSID is changed once WLAN is configured
• Ensure remote router login is disabled
• Ensure router access password is set and firewall protection is enabled
• Ensure MAC Address filtering is enabled on routers/access points
• Ensure SSID broadcasts are disabled at access points and passphrase is changed frequently
Defending Against Wireless Attacks (cont’d)
SSID Settings Best Practices:
• Always use SSID cloaking
• Keep passphrases free of SSID, network/company name, or anything that is easy to figure out
• Ensure there is a firewall/packet filter between AP and Intranet
• Keep wireless network strength low enough to avoid detection outside the organization
• Regularly ensure there are no issues with setup/configuration
• Use extra traffic encryption
Defending Against Wireless Attacks (cont’d)
Authentication Best Practices:
• Use WPA instead of WEP
• Ensure access points are in secure locations
• Use WPA2 if possible
• Ensure all wireless drivers are up-to-date
• Ensure network is disabled when it isn’t needed
• Ensure authentication via a centralized server
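The three best-practice slides above are written as a checklist; on a Linux access point most of them correspond to specific hostapd options. The following added example (not from the original module, and not hostapd's own tooling) parses a hostapd configuration and reports which of the slides' recommendations it fails, using real hostapd keys (`ssid`, `wep_key0`, `wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `auth_algs`, `wps_state`, `ieee8021x`, `ignore_broadcast_ssid`, `macaddr_acl`). The two sample configurations and the list of default SSIDs are constructed.

```python
"""Audit a hostapd configuration against the module's configuration, SSID and
authentication best practices.

Added example, not from the original slides. Uses real hostapd option names;
the sample configurations and DEFAULT_SSIDS are constructed.
"""

WEAK_CONFIG = """\
# constructed: what an untouched consumer-style setup often looks like
interface=wlan0
ssid=linksys
auth_algs=3
wep_default_key=0
wep_key0=0102030405
wps_state=2
"""

HARDENED_CONFIG = """\
# constructed: WPA2-Enterprise with the slides' recommendations applied
interface=wlan0
ssid=corp-floor3
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1
wps_state=0
ignore_broadcast_ssid=1
macaddr_acl=1
"""

# Constructed list of vendor default SSIDs to flag.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}


def parse_hostapd(text: str) -> dict:
    """Parse hostapd's key=value format; '#' starts a comment, later keys win."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(cfg: dict) -> list:
    """Return one finding string per failed check; an empty list means all passed."""
    findings = []
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    if any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP keys configured; use WPA2 instead of WEP")
    wpa = cfg.get("wpa", "0")            # bitfield: 1 = WPA, 2 = WPA2
    if wpa != "2":
        findings.append(f"wpa={wpa}; require WPA2 only (wpa=2)")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, ""):
            findings.append(f"{key} allows TKIP (RC4); use CCMP only")
    if cfg.get("auth_algs", "1") != "1":  # 1 = open system, 2 = shared key
        findings.append("shared-key authentication enabled; set auth_algs=1")
    if cfg.get("wps_state", "0") != "0":
        findings.append("WPS enabled; set wps_state=0")
    if cfg.get("ieee8021x") != "1" and "EAP" not in cfg.get("wpa_key_mgmt", ""):
        findings.append("no centralized (802.1X/RADIUS) authentication")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled; set ignore_broadcast_ssid=1")
    if cfg.get("macaddr_acl", "0") == "0":
        findings.append("MAC address filtering disabled; set macaddr_acl=1")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_hostapd(parse_hostapd(text)) or 'all checks passed'}")
```

The last two checks are included because the slides list them, but they carry little weight on their own: a hidden SSID still appears in probe and association frames, and the slides themselves note that MAC filtering can be bypassed by spoofing. The WPA2/CCMP, WPS and 802.1X findings are the ones that change an attacker's options.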
14.9 Wireless Security Tools
Wireless Security Auditing Tools
• AirMagnet WiFi Analyzer
• Motorola’s AirDefense Services Platform (ADSP)
• Adaptive Wireless IPS
• Aruba RFProtect
Wireless Intrusion Prevention Systems
• Extreme Networks Intrusion Prevention System
• AirMagnet Enterprise
• Dell SonicWALL Clean Wireless
• HP TippingPoint NX Platform NGIPS
• AirTight WIPS
• Network Box IDP
• AirMobile Server
• Wireless Policy Manager (WPM)
• ZENworks Endpoint Security Management
• FortiWiFi
Wireless Predictive Planning Tools
• AirMagnet Planner
• Cisco Prime Infrastructure
• AirTight Planner
• LANPlanner
• RingMaster
• Connect EZ Predictive RF CAD Design
• Ekahau Site Survey (ESS)
• ZonePlanner
• Wi-Fi Planning Tool
• TamoGraph Site Survey
Wireless Vulnerability Scanning Tools
• Zenmap
• Nessus
• OSWA-Assistant
• Network Security Toolkit
• Nexpose Community Edition
• WiFish Finder
• Penetrator Vulnerability Scanning Appliance
• SILICA
• WebSploit
• Airbase-ng
Bluetooth Security Tools
• No automatic pairing
• Turn off discovery
• Bluetooth Firewall
Mobile Wi-Fi Security Tools
• WiFi Protector
• WiFiGuard
• Wifi Inspector
14.10 Wireless Penetration Testing
Steps to Penetration Testing Wireless
• Discover WAPs with Airmon-ng
• Query WAPs for protocols
• Use directional antennas for better signal gain
• Use Wireshark to capture unencrypted traffic
• Use Aircrack-ng suite, Fern Wi-Fi, or Besside-ng to crack WEP, WPA, WPA2
• Use Karma for MITM attacks
• Use Reaver/Pixie Dust to crack WPS
• Use social engineering/evil twins to capture user passwords wirelessly
Wireless Hacking Review
• IEEE 802.11 Wi-Fi networks used for data transfer/communication across radio network
• Wi-Fi infrastructure made of software and hardware
• Most used encryption WPA, WPA2, and WEP – WPA2 most secure
• WEP uses 24-bit IV, stream cipher RC4, and CRC-32 checksum
• WPA uses TKIP, stream cipher RC4 128-bit and 62-bit keys; WPA2 uses 256-bit key with AES encryption
• WEP is vulnerable to analytical attacks
• Countermeasures to Wi-Fi attack are wireless IDS systems and best practices for configuration, SSID, and authentication
Penetrating Wireless Networks Review
• Use aircrack-ng to crack keys on Wi-Fi networks secured with WEP
• Use a replay attack to obtain a repeated 24-bit IV
• Speed up WEP cracking with a fragmentation attack using aireplay-ng
• Use the PRGA obtained from fragmentation to craft a packet with packetforge-ng
• Send a crafted packet to an AP to easily obtain thousands of IVs
• Check the laws in your area before using radio jamming devices
Penetrating Wireless Networks Review (cont’d)
• Use a tool like aireplay-ng to knock clients off a WAP
• Spoof MAC addresses in deauthentication attacks
• Use evil twins to entice users to connect to your rogue AP
• Use Karma attacks by sending a probing request to trick client into connecting to evil twin
• Use SSL strip with evil twin to downgrade a user's HTTPS session
• Place your wireless interface in promiscuous mode to receive all available signals
• Use airodump-ng to sniff four-way wireless handshake for WPA/WPA2 key cracking
Penetrating Wireless Networks Review (cont’d)
• Use online brute forcing to crack a WPS PIN
• Use Pixie Dust attack to conduct offline cracking of vulnerable APs
• Use bluejacking to send unsolicited messages to discoverable Bluetooth devices
• Use bluesnarfing to read sensitive information from discoverable Bluetooth devices
• Use bluebugging to gain system access to a Bluetooth enabled device
• Use blueborne to gain access to a Bluetooth enabled device without involving the victim
Lab 14: Hacking Wireless
