CEHv12-16 - Wireless Network Hacking

Wireless basics

Features

  • Access Point (AP): device providing wireless connectivity.
  • Wireless LAN (WLAN): wireless local area network.
  • Basic Service Set Identifier (BSSID): MAC address of an access point.
  • Service Set Identifier (SSID): name of a wireless network.
  • Association: process of connecting to an AP.

Wireless standards (802.11)

802.11 is the standard for Wi-Fi. Variants have different frequency bands, ranges, and data rates.

Standard   Frequency (GHz)   Range (meters)   Bandwidth (Mbps)
802.11a    5                 35-100           54
802.11b    2.4               35-140           11
802.11g    2.4               38-140           54
802.11n    2.4 / 5           70-250           54-600
802.11ac   5                 46-92            433-6933
802.11ax   2.4 / 5 / 6       Up to 9.1        574-9608 (up to 10 Gbps)

Authentication types

  1. Open Wi-Fi: no authentication required; highly insecure.
  2. Pre-Shared Key (PSK): requires a password to connect. Common in personal networks.
  3. Centralized authentication: uses systems like RADIUS. Common in enterprise networks.
  4. Captive portals: require users to accept terms via a web browser before access is granted.

Antenna types

  1. Yagi antennas: highly directional. Common in outdoor setups.
  2. Omnidirectional antennas: radiate signals in all directions. Used in typical indoor setups.
  3. Parabolic grid antennas: highly directional with a grid-like structure. Ideal for long-distance links.
  4. Reflectors: enhance signals by focusing electromagnetic waves.

Evolution of wireless encryption protocols

  1. WEP (Wired Equivalent Privacy): 24-bit static IV and RC4 cipher, weak and easily cracked.
  2. WPA (Wi-Fi Protected Access): 48-bit IV, RC4 with TKIP, improved over WEP but still vulnerable.
  3. WPA2: AES-CCMP (Counter Mode with CBC-MAC Protocol), stronger than WPA; supports personal and enterprise modes.
  4. WPA3: AES-GCMP-256 with 192-bit encryption, enhanced security for modern networks.

Wireless threats

Authentication Attacks

  • Definition: attacks aimed at the authentication mechanisms of a wireless network.
  • Method: typically involve brute-forcing the pre-shared key (PSK) or password.
  • Impact: allows attackers to gain unauthorized access by repeatedly attempting to guess the correct authentication credentials.

Rogue Access Points

  • Definition: unauthorized access points installed within a network.
  • Purpose: provides attackers with backdoor access to the internal network.
  • Example: an employee might install an access point for convenience, inadvertently creating a security vulnerability.

Evil Twin Attack

  • Definition: an attack where a malicious access point is set up to mimic a legitimate one.
  • Method: attackers use the same SSID as the legitimate network to trick users into connecting.
  • Impact: users unknowingly connect to the attacker’s access point, exposing their data to interception.

Honeypot AP

  • Definition: an access point set up to lure attackers.
  • Purpose: attracts and traps attackers by posing as a legitimate, trusted network.
  • Impact: helps to identify and analyze malicious activities.

Soft AP (Software Access Point)

  • Definition: an access point created through software rather than hardware.
  • Method: malware turns a compromised device into an access point.
  • Impact: allows attackers to connect to the infected device and access internal network resources.

Denial of Service (DoS) Attacks

  • Definition: attacks aimed at disrupting the availability of the wireless network.
  • Methods:
    • Deauthentication attacks: sending deauthentication frames to disconnect users repeatedly.
    • Disassociation attacks: sending disassociation frames to force users to disconnect.
    • Jamming: emitting signals that interfere with the wireless communication.

KRACK (Key Reinstallation Attack)

  • Definition: an attack on the WPA and WPA2 protocols.
  • Method: blocking message 3 of the four-way handshake so that the access point retransmits it; the client reinstalls the key it already uses and resets its nonce counter, so the same nonce is reused.
  • Impact: allows attackers to decipher the encrypted traffic by exploiting the reuse of nonces.

MAC Spoofing

  • Definition: changing the MAC address of a device to bypass MAC filtering.
  • Method: attackers sniff for allowed MAC addresses and change their device’s MAC address to match.
  • Impact: grants unauthorized access to the network by appearing as a trusted device.
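The evil twin, rogue AP and deauthentication/disassociation threats above can be picked up from captured management frames. The following is an added example, not part of the original notes: a small detection routine over a constructed sample of frames that flags (a) beacons advertising a protected SSID from a BSSID that is not in the sanctioned inventory and (b) deauth/disassoc bursts to one client within a short window. The frame tuples, MAC addresses and the AUTHORIZED_BSSIDS inventory are all hypothetical.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames, as a wireless sensor might log them
# (hypothetical data, not captured from any real network):
# (timestamp_seconds, subtype, source_mac, destination_mac, ssid)
SAMPLE_FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
    (0.1, "beacon", "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
    (0.2, "beacon", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),  # same SSID, unknown BSSID
    (0.3, "beacon", "12:34:56:78:9a:bc", "ff:ff:ff:ff:ff:ff", "GuestNet"),
    (30.0, "deauth", "aa:bb:cc:00:00:02", "77:88:99:aa:bb:cc", None),  # one legitimate deauth
] + [  # burst of 8 deauth frames to one client within 1.4 s
    (2.0 + 0.2 * i, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:66", None) for i in range(8)
]

# Inventory of sanctioned APs: SSID -> set of BSSIDs allowed to beacon it (constructed).
AUTHORIZED_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


def find_evil_twins(frames, authorized):
    """Return (bssid, ssid) pairs that beacon a protected SSID from a BSSID not in the inventory."""
    suspects = set()
    for _, subtype, src, _, ssid in frames:
        if subtype == "beacon" and ssid in authorized and src not in authorized[ssid]:
            suspects.add((src, ssid))
    return sorted(suspects)


def find_deauth_floods(frames, window=10.0, threshold=5):
    """Return (sender, client) pairs that received more than `threshold`
    deauth/disassoc frames within any `window`-second interval."""
    stamps_by_pair = defaultdict(list)
    for ts, subtype, src, dst, _ in frames:
        if subtype in ("deauth", "disassoc"):
            stamps_by_pair[(src, dst)].append(ts)
    flagged = []
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(pair)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("possible evil twins:", find_evil_twins(SAMPLE_FRAMES, AUTHORIZED_BSSIDS))
    print("deauth floods:", find_deauth_floods(SAMPLE_FRAMES))
```

Spoofed deauth frames carry the legitimate AP's BSSID as sender, so the flood check keys on frame rate rather than on the sender address.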

Wireless hacking tools

Wi-Fi Discovery Tools

  1. InSSIDer:

    • Displays statistics about wireless networks.
    • Shows SSIDs, BSSIDs, signal strengths, and channels.
    • Helps identify less congested channels for setting up wireless networks.
  2. NetSurveyor:

    • Provides information on SSIDs, BSSIDs, channels, and signal strengths.
    • Indicates encryption types and beacon strength.
  3. Mobile tools:

    • Fing: Popular network analysis tool for mobile devices.
    • Network analyzer: Another tool for discovering and analyzing wireless networks on mobile.

GPS Mapping Tools

  1. WiGLE:

    • Displays a map of detected wireless networks.
    • Provides detailed information about the physical locations of networks.
  2. Wi-Fi map:

    • Shows wireless networks along with passwords if available.
    • Useful for mapping and locating specific networks.

Traffic Analysis Tools

  • Wireshark:
    • Captures and analyzes network traffic.
    • Useful for seeing unencrypted data transmitted over wireless networks.

Wireless Attack Tools

  1. Aircrack-ng suite:

    • Comprehensive suite of tools for wireless network security testing.
    • Includes tools like Airbase-ng, Aircrack-ng, Airdecap-ng, and others.
  2. Fern Wi-Fi cracker:

    • GUI-based tool for wireless security auditing.
    • Automates the process of network discovery and attacking.
  3. WiFite:

    • Automates wireless auditing and penetration testing.
    • Scans for networks and attempts to crack WEP/WPA keys.

Wireless hacking

  • MAC Spoofing: MAC spoofing is a technique used to impersonate a trusted device on a network by spoofing its MAC address. The process is as follows:

    1. Enable monitor mode on the wireless interface:
       sudo airmon-ng start wlan0
    2. Begin capturing packets to find the SSIDs available:
       sudo airodump-ng wlan0mon
    3. Once we have the BSSID of the AP, filter the captured packets to focus on a specific channel and BSSID (the AP's MAC address) to identify the MAC addresses of allowed devices:
       sudo airodump-ng -c <channel> --bssid <BSSID> -w output wlan0mon
    4. Use macchanger to spoof the MAC address and connect to the AP, bypassing the MAC filtering.
  • Deauthentication Attacks: deauthentication attacks disrupt the connection between a client and an access point by sending deauthentication frames. The procedure involves:

    1. Use aireplay-ng to send deauthentication packets to the target client (the first three steps of the MAC spoofing procedure are repeated first to obtain the client's MAC address):
       sudo aireplay-ng --deauth 25 -a <AP-BSSID> -c <Client-MAC> wlan0mon
  • WPA Cracking: WPA cracking aims to capture a WPA handshake and then crack the passphrase. The steps are as follows:

    1. If necessary, use aireplay-ng to force a handshake by deauthenticating clients.
    2. Capture the WPA handshake by sniffing network traffic on a specific channel and BSSID:
       sudo airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0mon
    3. Once the handshake is captured, attempt to crack the WPA password using aircrack-ng:
       sudo aircrack-ng -a2 -b <BSSID> -w /path/to/wordlist capture.cap

Wireless hacking countermeasures

Wireless security controls

Measures to improve system security, including:

  • Technical controls: patches, updates, encryption protocols.
  • Administrative controls: audits, policy enforcement.
  • Procedural controls: incident response and change management.

Patches and updates

  • Regularly update:
    • Client devices (e.g., laptops, mobile phones).
    • Firmware and software for Access Points (APs).
  • Importance:
    • Fixes bugs and vulnerabilities.
    • Enhances device security.
  • e.g. TP-Link updates include security enhancements and bug fixes.

Changing default configurations

  • Default settings are predictable and exploitable:
    • Default SSIDs (e.g., “Linksys”).
    • Default admin passwords.
    • Standard DHCP configurations.
  • Recommendations:
    • Modify SSID to non-identifiable names.
    • Change admin credentials.
    • Avoid broadcasting SSID (security through obscurity).
    • Use strong, randomly generated passphrases.

Enable strong encryption

  • Use at least WPA2-Personal for encryption.
  • Enterprise environments should consider WPA2-Enterprise: employs RADIUS and certificate-based authentication for added security.
  • Avoid deprecated protocols like WEP.

Limit remote access

  • Disable remote login unless absolutely necessary.
  • If enabled, use HTTPS to secure connections and employ strong authentication mechanisms.

Network Access Control (NAC) and segmentation

  • NAC tools:
    • e.g. PacketFence (open-source NAC solution).
    • Enforce strict access policies for devices connecting to the network.
  • Network segmentation:
    • Divide networks into segments.
    • Restrict access between segments to prevent lateral movement.

Additional measures

  • VPN usage:
    • Encrypts data over untrusted networks.
    • Ideal for remote workers or public WiFi scenarios.
  • Firewalls, IDS, IPS:
    • e.g. Cisco Adaptive Wireless IPS for enterprise wireless security.
    • Detect and prevent intrusions or anomalies.

Physical security

  • Protect access points and devices:
    • Secure in locked areas.
    • Limit access to authorized personnel.
  • Prevent tampering or theft, especially in IoT deployments.

Scheduled audits and baselines

  • Conduct regular WiFi surveys and heat maps:
    • Identify signal bleed into untrusted areas.
    • Optimize signal strength and placement.
  • Compare current configurations to established baselines.
  • Update baselines after approved changes.
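The countermeasures above (strong encryption, no default SSID or admin password, no remote administration without HTTPS, and comparison against an approved baseline) can be checked mechanically. The following is an added example, not from the original notes: an audit that runs each AP's current configuration through those hardening checks and reports every field that has drifted from its recorded baseline. The configuration field names, AP names and values are constructed and do not correspond to any vendor's format.

```python
# Approved per-AP baselines, as recorded after the last change-managed update
# (constructed values; the field names are hypothetical, not any vendor's format).
BASELINES = {
    "ap-lobby":  {"ssid": "hq-lobby",  "security": "WPA2-Enterprise", "admin_password_changed": True,
                  "remote_admin": False, "remote_admin_https": True, "firmware": "2.1.4"},
    "ap-floor3": {"ssid": "hq-floor3", "security": "WPA3-Personal",   "admin_password_changed": True,
                  "remote_admin": False, "remote_admin_https": True, "firmware": "2.1.4"},
}

# Current configurations pulled from the APs during an audit (constructed sample).
CURRENT = {
    "ap-lobby":  {"ssid": "Linksys", "security": "WEP", "admin_password_changed": False,
                  "remote_admin": True, "remote_admin_https": False, "firmware": "1.9.0"},
    "ap-floor3": dict(BASELINES["ap-floor3"]),
}

DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
WEAK_SECURITY = {"Open", "WEP", "WPA"}          # deprecated or no encryption
ACCEPTED_SECURITY = {"WPA2-Personal", "WPA2-Enterprise", "WPA3-Personal", "WPA3-Enterprise"}


def policy_findings(config):
    """Check one AP configuration against the hardening points above."""
    findings = []
    sec = config["security"]
    if sec in WEAK_SECURITY:
        findings.append(f"weak or no encryption ({sec}); use WPA2-Personal at minimum")
    elif sec not in ACCEPTED_SECURITY:
        findings.append(f"unrecognised security mode ({sec})")
    if config["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    if not config["admin_password_changed"]:
        findings.append("default admin password still in use")
    if config["remote_admin"] and not config["remote_admin_https"]:
        findings.append("remote administration enabled without HTTPS")
    return findings


def baseline_drift(config, baseline):
    """Return (field, baseline_value, current_value) for every field that deviates from the baseline."""
    return sorted((k, v, config.get(k)) for k, v in baseline.items() if config.get(k) != v)


def audit(current, baselines):
    """Audit every AP; result maps AP name -> (policy findings, baseline drift)."""
    return {name: (policy_findings(cfg), baseline_drift(cfg, baselines[name]))
            for name, cfg in current.items()}


if __name__ == "__main__":
    for name, (findings, drift) in audit(CURRENT, BASELINES).items():
        print(name, findings, drift)
```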

Public WiFi guidelines

  • Avoid connecting enterprise devices to public WiFi.
  • Educate users on risks and enforce policies against usage.