802.11 series of wireless standards
Other wireless standards
Orthogonal Frequency Division Multiplexing (OFDM)
The transmission medium is divided into a series of frequency bands that do not overlap each other, and each band can carry a separate signal.
Direct Sequence Spread Spectrum (DSSS)
A transmission technology used in local area wireless network transmissions. In this technology, the data signal at the sending station is combined with a high data rate bit sequence, which divides the user data according to a spreading ratio. The benefits of DSSS are resistance to jamming, sharing a single channel among multiple users, less background noise, and relative timing between transmitter and receivers.
Wireless - Ad-hoc mode
Direct system-to-system communication, such as between two computers.
Wireless - Infrastructure mode
Makes use of a wireless access point (WAP). Clients need to associate with a WAP, and must disassociate to connect to a different WAP. A single WAP covers a basic service area (BSA). Communication between this single WAP and its clients is known as a basic service set (BSS). If you have multiple WAPs, you have an extended service set (ESS). Roaming involves clients disassociating from one WAP and associating with another WAP within the ESS.
Basic Service Set Identifier (BSSID)
The MAC address of the wireless access point at the center of the basic service set (BSS).
Wireless omnidirectional antennae
The signal emanates from the source in all directions (360 degrees). Dipole antennas are omnidirectional.
Unidirectional antennae
Allows you to focus the signal in a specific direction, which greatly increases signal strength and distance. Yagi antennas are unidirectional. Parabolic grid antennas are unidirectional and work like a satellite dish. Loop antennas are also unidirectional.
Cantennae
An antenna made from a Pringles can.
Service Set Identifier (SSID)
A case-sensitive text string, 32 characters in length, that identifies a wireless network. SSIDs are broadcast by default but can be hidden by choosing not to broadcast them (SSID cloaking).
Open Systems Authentication
No authentication of the client is performed by the WAP.
Shared Key Authentication
The wireless client participates in a challenge/response authentication with the AP, which verifies the decrypted key.
War Chalking
Drawing symbols in public areas to indicate open WAPs.
)( indicates an open network; adding a key symbol means it is locked
$ indicates pay for access
W - WEP enabled
Wired Equivalent Privacy (WEP)
Uses 40-232 bit keys:
64 bit version uses a 40 bit key
128 bit version uses a 104 bit key
256 bit version uses a 232 bit key
Uses RC4
Uses a 24 bit initialization vector (IV)
Calculates a 32 bit integrity check value (ICV)
Easy to crack because attackers can capture enough packets to analyze the IVs and arrive at the key used. Attackers can force disassociation of clients to generate the number of packets needed to analyze for cracking the WEP key.
Wi-Fi Protected Access (WPA)
WPA uses Temporal Key Integrity Protocol (TKIP), a 128 bit key and the client’s MAC address for encryption. WPA changes the key every 10,000 packets. Keys are exchanged using the Extensible Authentication Protocol (EAP), which uses a four-way handshake.
WPA2
Similar to WPA.
WPA2 Personal - uses a preshared key
WPA2 Enterprise - uses RADIUS for authentication
Uses AES for encryption to ensure FIPS 140-2 compliance
Uses Cipher Block Chaining Message Authentication Code Protocol (CCMP) for integrity. CCMP calls the integrity values message integrity codes (MICs), and the process that produces them is called cipher block chaining message authentication code (CBC-MAC).
Wireless Security Standards
WEP: RC4, 24 Bit IV, 40-232 bit key, CRC-32
WPA: RC4+TKIP, 48 bit IV, 128 bit key, Michael Algorithm+CRC-32
WPA2: AES-CCMP, 48 bit IV, 128 bit key, CBC-MAC(CCMP)
Wireless Threats
Locate wireless networks
WIGLE, Netstumbler, WifiExplorer, WiFiFoFum, OpenSignalMaps, Wifinder, Kismet (works by channel hopping and can sniff packets and save them to a log file for viewing in Wireshark or tcpdump), Netsurveyor, WeFi, Skyhook
AirPCap
A USB wireless adapter used for wireless hacking. Works with Aircrack-ng and AirPcapReplay.
Wireless Attacks
Rogue Access Point
Evil Twin - a rogue AP set to the same SSID as a legitimate WAP. Also known as a mis-association attack. Faking a well-known AP is referred to as a honeyspot attack.
Ad-hoc connection attack
Jam a wireless signal
MAC spoofing - used when a MAC filter is enabled on a WAP; easily done on a Linux machine:
1. ifconfig wlan0 down
2. ifconfig wlan0 hw ether AA:BB:CC:DD:EE:FF
3. ifconfig wlan0 up
Wireless Encryption Attack
Key Re-installation Attack (KRACK)
A replay attack that takes advantage of how the WPA2 four-way handshake works. By repeatedly resetting and replaying a portion of traffic, the attacker can eventually learn the full key used to encrypt all traffic. An attacker can repeatedly resend the third message of the handshake from another device’s session to manipulate or reset the WPA2 encryption key.