In the previous chapter, we learned about attacks on network protocols, such as LAN-, IP-, and TCP/UDP-based attacks, in which the attacker targets network-based protocols, and how to protect against them. This chapter talks about wireless-based attacks and how to harden your wireless networks against them. By the end of this chapter, you will understand the risks to wireless networks and devices and know how to protect against these risks.
In wireless networks, we focus on protocols such as IEEE 802.11, the various bands, such as /b/g/n (as discussed in the Wireless standards – IEEE 802.11 section), the encryption standards, such as WEP, WPA, and WPA2, and the attacks that exploit their key weaknesses, such as creating rogue Access Points (APs), dumping hashes, and automating the complete task. We also need to know how we can protect ourselves against these attacks.
This chapter starts with an explanation of the WLAN protocol—what the WLAN frame constitutes, the frames to focus on, and a demonstration of the WLAN packets in a network. Then, we will discuss the various encryptions that wireless supports and the key weaknesses of those encryption standards. A few other attacks, such as rogue APs, Pair-wise Master Key Identifier (PMKID) attacks, and Man in the Middle (MITM), will also be discussed.
In this chapter, we will cover the following main topics:
In this section, we will talk about wireless standards, such as IEEE 802.11, and their amendments, also known as the wireless bands a/b/g/n/f, and the corresponding frequencies on which Wi-Fi operates in different countries or zones. So, let's try to understand the various wireless standards and amendments.
IEEE stands for Institute of Electrical and Electronics Engineers. The 802.11 standard is organized under two kinds of bodies, named committees and working groups:
These standards have a number of amendments built on top of them, represented as 802.11/b/g/n/ac/ad/a, which are the ones normally found in practice.
The following are some of the frequency bands that are commonly used around the globe:
Frequency Bands

| Amendment   | Frequency                |
| ----------- | ------------------------ |
| 802.11 /b/g | 2.4 GHz (most important) |
| 802.11 /y   | 3.65 GHz (licensed)      |
| 802.11 /a   | 5 GHz                    |
| 802.11 /p   | 5.9 GHz (licensed)       |
For further details, please check https://en.wikipedia.org/wiki/List_of_WLAN_channels.
Let's analyze the types of wireless LAN infrastructure implemented using Wi-Fi Analyzer, which can be downloaded from the App Store or Play Store for mobile phones or Windows Store for Windows.
So, as shown in the preceding screenshot, the frequency band of 2.412 GHz with amendment 802.11n is currently being used on channel 1.
The channel is a very important part of the network, as it is the path over which the data packets are transmitted. The frequency bands defined previously are divided into smaller sub-ranges, and these sub-ranges are called channels. The following diagram illustrates what a channel looks like in a network:
Important Note
Currently, channel bonding is not required for this book or this chapter, but it's an essential topic in order for network administrators to understand the core depth of frequency formations. Kindly follow this link to understand this better: https://www.rfwireless-world.com/Terminology/Advantages-and-Disadvantages-of-Channel-Bonding.html.
Before starting on the practical demonstrations, let's quickly understand the basics of the WLAN frame architecture, which is required in order to understand wireless encryption.
Important Note
As this book talks about the security aspects of wireless networks, we assume that the WLAN frame architecture is already known to you. If it is not or you require a recap, it's time to revisit the frame architecture. To read more on this, please follow this link: https://subscription.packtpub.com/book/cloud_and_networking/9781119425786/16/ch16lvl1sec03/802-11-frame-body.
Now, from a wireless security perspective, the Type field is the most important field in the frame control and has three possible options:
Now, enough of the theory; we want to jump to the interesting part of actually performing wireless penetration testing. But before that, let's prepare our weapons, that is, get our lab set up.
In red teams, there is a saying: behind every successful breach are hours or days that were spent on preparation and setting up the right tools, scripts, code, images, and so on. Wireless penetration testing is no different. So, before deep-diving into real-world scenarios to breach wireless networks, let's first prepare our lab. The bare minimum setup required is as follows:
Important Note
Now, as this book is for those working on networks, pentesters, and red teamers, you are expected to do the installation and configuration. If you have an issue with the configuration, please follow the Kali Linux installation in the VMware guide: https://www.makeuseof.com/install-kali-linux-in-vmware/.
Now, I believe our lab is successfully set up, so let's test whether everything is ready for real action.
It is clear that our external WLAN card is working fine and is ready for some action.
So, let the games begin!
Sniffing wireless networks is defined as reading the ongoing communication between wireless clients and APs. Sniffing wireless packets helps attackers to perform various attacks, such as MITM. Now, before jumping into the practical demonstrations, let's first understand some basic terminologies and tools that will be helpful here:
So, without wasting time, let's sniff some wireless packets or frames:
Now, as we have seen the various frames, let's sniff the wireless packets in real time.
Now, before the action starts, let's understand some basic terms:
To dump wireless packets, follow these steps:
Now that we have successfully performed sniffing in real time, let's move on to a more advanced topic where an attacker will inject malformed packets into an ongoing transmission in real time.
Key Point
We can now analyze ongoing packets on network channels. As we go deeper, we will analyze the packets in more depth. If you look carefully at the packets, there are DHCP requests and responses, followed by ARP requests. Many times, these packets help with user hunting, brute-forcing users' domain credentials, and much more during our red team assessments, especially when the network administrators have set up 802.1X Enterprise wireless encryption.
In wireless networks, packet injection is a technique in which an attacker injects malformed packets into an ongoing transmission. These packets look like legitimate data packets and are crafted to perform certain tasks, such as intercepting the communication. Packet injection can be performed by many means and methods, but for this chapter, we will use the Scapy module:
Tip
This can be verified in Wireshark with the display filter (wlan.bssid == CA:58:C0:13:2E:5F) && !(wlan.fc.type_subtype == 0x08), which shows every frame for that BSSID except beacons. Please feel free to explore this further.
Now, let's move forward and do some real stuff that red teamers do in real-time injections. There are many techniques available on the internet to create our packets to perform some specific tasks, but in Python, there is a very beautiful module named Scapy, which I will be using. But you are free to explore and come up with new techniques.
from scapy.all import RadioTap, Dot11, Dot11ProbeReq, Dot11Elt, sendp

fake_attacker_addr = 'aa:bb:cc:dd:ee:ff'   # setting the fake attacker's MAC address
target_access_point = 'CA:58:C0:13:2E:5F'  # setting up the target access point (BSSID)
interface = 'wlan0'                        # the wireless interface, already in monitor mode
Target_SSID = 'WirelessRed'                # target SSID
# creating the fake probe request: addr1 = receiver (AP), addr2 = transmitter, addr3 = BSSID
probe_req_pkt = RadioTap() / Dot11(addr1=target_access_point, addr2=fake_attacker_addr, addr3=fake_attacker_addr) / Dot11ProbeReq() / Dot11Elt(ID='SSID', info=Target_SSID, len=len(Target_SSID))
sendp(probe_req_pkt, inter=0.1, count=10, iface=interface)  # sending 10 packets, 0.1 s apart, into the network
Similarly, you can create fake packets with messages, to perform deauthentication attacks, replay attacks, fake beacon packets, packet flooding, and so on, and inject them into an ongoing wireless communication without even connecting to the wireless network. Please feel free to explore this further as it is very important in real-world scenarios.
Now, most network administrators think that hiding wireless SSIDs is the most robust step in protecting a network against attacks. But this is not the case, because within minutes, an attacker will discover the hidden SSIDs. How does this happen? From the wireless frame architecture, we know that beacon frames contain the wireless SSIDs emitted by the APs. This helps client machines or wireless cards to discover the SSIDs in the network. In a hidden SSID configuration, these beacon frames do not contain the SSIDs; hence, only clients who know the SSIDs can connect. But this hidden SSID security can be easily bypassed.
To bypass this, we need to wait for a legitimate client to connect to the wireless network. Once the user connects, based on the probe request and response, the hidden SSID will be discovered and will be visible on screen.
Or, during wireless penetration testing, the SSIDs are usually given by the customers, and hence filters using airodump-ng on SSIDs can also be applied with the -a attribute, which will display the STAs as soon as users connect to it.
There is another method where, if the SSID is known, then deauthentication packet requests using aireplay-ng or Scapy can be used to send the deauthentication packets:
Important Note
In my red team experience, to discover hidden SSIDs, if <length+0> is seen, this can be a hidden network, and using the airodump-ng --bssid <> filter, you can quickly discover the hidden SSIDs.
Now that we have successfully discovered hidden SSIDs, let's move on to the next section, on compromising open authentication wireless networks.
In my long experience of penetration testing and red team activities, I've often discovered open networks, also known as guest networks. These networks are usually designed to provide guests with internet access without having a password set to authenticate the wireless network. However, often, captive portals are implemented to authenticate customers or guests to the internet.
Captive portals are authentication portals that pop up when any user connects to an open authentication wireless network to enter the credentials provided by the owner. These captive portals are usually implemented in coffee shops, hotels, colleges, and so on.
Myth
Now, network administrators usually implement MAC filtering on open authentication networks; for example, they will take the MAC of the guest's phone or laptop and apply a filter on it as a security measure. Or, if there is a captive portal implemented, organizations will create a password and share it with guests, and then, once the guests connect to the open SSID and enter the provided password in the pop-up page (captive portal), the network administrators capture the MAC addresses and whitelist them to grant network access. Hence, this leads network administrators to think that MAC filtering will protect their wireless authentication from breaches.
As explained previously, MAC filtering can be easily bypassed by spoofing the MAC address of already connected clients. So, let's first see how to bypass MAC filtering:
Now that we have successfully bypassed MAC filtering, let's see what else we can do in open authentication networks.
In my red team experience, many times I have seen network administrators implement guest networks on a parallel line to the corporate wireless network, via Wireless LAN Controllers (WLCs), which makes it easy for attackers to hop onto the different LAN where the corporate network is implemented via VLAN hopping techniques, then compromise corporate user machines, sniff their ongoing data, and so on. Hence, while implementing open authentication networks, administrators should properly implement the VLANs, or better, implement them via a completely different WLC.
Some of the steps that can be performed to compromise a corporate network via open authentication networks are as follows:
Now, as we performed the MITM attack in a wireless network, let's move on to another aspect of WLAN encryptions and how we can compromise wireless networks.
Even with the best research and implementation of highly protected algorithms, once algorithms are made public, there is always a way to penetrate them. This is especially true for wireless algorithms: these algorithms were made with good intentions, to provide users around the globe with a secure channel to access data over the internet, but with time, the WLAN encryption algorithms started to be broken. The first algorithm that was broken was Wired Equivalent Privacy (WEP), which used a single static key to encrypt packets before sending them over the channel; hence, an attacker, after dumping a good amount of data packets, can recover the key within a few minutes. Something better was required, and so WPA/WPA2 was introduced.
Important Note
WEP is outdated technology and is no longer used in organizations. Hence, we will focus on currently running wireless encryptions.
WPA, or WPAv1, uses Temporal Key Integrity Protocol, better known as the TKIP encryption algorithm, which replaces WEP static key encryption without modifying or adding any new hardware. This encryption algorithm is not commonly used in organizations these days; however, in my experience, some small-scale industries still use WPA as a standard.
WPA2 runs on mandatory AES-CCMP encryption, which is robust and stronger than TKIP. Both WPA and WPA2 support a Pre-Shared Key (PSK) and an 802.1X/RADIUS-based Enterprise mode as their authentication schemes. Here, we will look into all the aspects from the red team perspective.
But before diving deep, let's first clear some of the basics. Both WPA and WPA2 work on a four-way handshake between the client and AP; the steps are as follows:
Important Note
The whole four-way handshake and process of breaking WPA/WPA2 are largely the same; the only difference is in the encryption algorithms. In addition to this, we also expect you to know about four-way handshaking.
This is what it looks like in Wireshark:
The preceding screenshot shows that the four messages were successfully captured in Wireshark in real time using the eapol filter. Let's now move forward to crack the WPA2 encryption.
To crack WPA/WPA2, the process is very simple:
So, without wasting time, let's simply crack the WPA/WPA2 encryption:
sudo airodump-ng wlan0 --essid WirelessRed -a --bssid CA:58:C0:13:2E:5F --channel 1 --write WirelessRed-crack-WPA2-PSK
aireplay-ng -a CA:58:C0:13:2E:5F wlan0 --deauth 0
Now that we have successfully cracked WPA2 by brute-forcing the captured four-way handshake, let's move forward with more advanced techniques for cracking WPA2 using PMKID attacks.
Important Note
In my red team experience, I successfully cracked the wireless password many times, even if it was long or random, because organizations are often in the habit of keeping well-known passwords or passwords that are derived from the organization's name or even the SSID name itself. For example, if the organization's name is WirelessRed, using the crunch tool (https://linuxconfig.org/creating-wordlists-with-crunch-on-kali-linux), we can generate a huge list of passwords that contain WirelessRed in them.
As we have seen previously in our WPA/WPA2 cracking methodology, we can capture data packets that contain the four-way handshake. This is a bit of a complex method: if there is no user connected, the attacker has to wait for a client to connect, and many times no handshake gets captured because no client authenticates. The attacker then has to deauthenticate the clients and capture the four-way handshake once they connect back. There could also be cases where a client types an incorrect password. So, to avoid all this, there is a somewhat easier method to crack the key, known as a PMKID attack, which relies on PMK caching.
PMK caching is a technique in which the routers or APs cache the PMKID so that, if any user disconnects and re-authenticates, the AP directly asks the client for the PMK Security Association (PMKSA), verifies it, and then re-associates the client with the AP rather than performing the complete four-way handshake. This usually helps in a corporate network for enhanced roaming, where, for example, an employee's laptop is connected to AP1 and, when they have to rush to a meeting room on a different floor, the laptop immediately gets connected to AP2. This whole process works only if the AP caches the PMKID; otherwise, the client has to perform the four-way handshake every time.
So, what is a PMKID? A PMKID is a unique key identifier that is used by APs to keep track of the PMK that is being registered to the client's machine. So, the following formula is used to calculate the PMKID:
PMKID = HMAC-SHA1 [PMK, PMK Name + MAC (Authenticator) + MAC (Supplicant)]
Where:
So, which APs or routers are vulnerable?
APs that have the roaming feature enabled are the only ones vulnerable. Hence, an attacker would send an association request to the AP, the AP would reply with the PMKID in the form of a hash, and then the attacker would crack the hash using the hashcat or John the Ripper tool.
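As an added example (not the book's own code), the PMKID formula above carried through in Python. It assumes the AP BSSID from this chapter and a constructed client MAC, and it uses the IEEE 802.11 known-answer vector ("password"/"IEEE") as a self-check on the PBKDF2 step. It also shows why a passphrase derived from the SSID, the habit the earlier Important Note warns about, is reproduced from a captured PMKID in one round of guessing, while a random passphrase survives the same wordlist.

```python
import hashlib
import hmac

# IEEE 802.11 (Annex H) known-answer vector: passphrase "password", SSID "IEEE".
KNOWN_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def compute_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC(Authenticator) || MAC(Supplicant)),
    keeping the first 128 bits (16 bytes). The authenticator is the AP (BSSID),
    the supplicant is the client."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def pmkid_matches(pmkid_hex: str, ssid: str, ap_mac: str, sta_mac: str, candidates):
    """Offline check: which candidate passphrase (if any) reproduces a captured PMKID?
    One PBKDF2 derivation per guess and no further frames are needed, which is why
    the outcome is entirely a function of passphrase strength."""
    target = bytes.fromhex(pmkid_hex)
    for cand in candidates:
        guess = compute_pmkid(derive_pmk(cand, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, target):
            return cand
    return None


def ssid_derived_candidates(ssid: str):
    """Constructed mini wordlist in the style the chapter warns about: the SSID plus
    common suffixes and variations (a crunch run would produce far more)."""
    return [ssid, ssid + "123", ssid + "2023", ssid.lower(), ssid + "@123", "Welcome" + ssid]


if __name__ == "__main__":
    ap = "CA:58:C0:13:2E:5F"   # AP BSSID used throughout the chapter
    sta = "aa:bb:cc:dd:ee:ff"  # constructed client MAC
    ssid = "WirelessRed"
    assert derive_pmk("password", "IEEE").hex() == KNOWN_PMK_HEX
    # Scenario A: a passphrase derived from the SSID (constructed weak value).
    weak = compute_pmkid(derive_pmk("WirelessRed123", ssid), ap, sta).hex()
    print("weak passphrase recovered:", pmkid_matches(weak, ssid, ap, sta, ssid_derived_candidates(ssid)))
    # Scenario B: a random passphrase; the same wordlist finds nothing.
    strong = compute_pmkid(derive_pmk("q7$Lm2!vXp9#Rt4w", ssid), ap, sta).hex()
    print("strong passphrase recovered:", pmkid_matches(strong, ssid, ap, sta, ssid_derived_candidates(ssid)))
```

The same check, run against your own network's PMKID with the wordlists an attacker would build from the organisation and SSID names, is a quick audit of whether the passphrase policy holds.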
The following screenshots show that the PMKID is captured successfully:
As shown in Figure 11.25, the PMKID is found. Let's check the PMKID value:
As shown in Figure 11.26, the PMKID value of the access point is captured. So, let's crack the captured hash.
The following screenshot shows that, using the hashcat tool, the hash captured from the PMKID is cracked:
Now that we have successfully cracked WPA2 encryptions with basic techniques and looked at more advanced topics, such as the PMKID, let's compromise enterprise management protocols, such as PEAP.
Extensible Authentication Protocol (EAP) is an authentication framework that is widely accepted by organizations, as it provides a secure medium of communication and is compatible with Active Directory, which means employees can authenticate to the wireless network with the same domain credentials. However, even though it provides a secure medium of communication, it is still vulnerable to many attacks, especially the revealing of internal domain information via probing. The following are the most common authentication mechanisms used by organizations:
Important Note
To understand more about 802.1x MGT (Management) protocols and authentication methods, please follow this link: https://www.intel.com/content/www/us/en/support/articles/000006999/wireless/legacy-intel-wireless-products.html.
The following attacks can be performed in MGT-based protocols:
Now that we have seen how we can crack or attack management wireless encryption protocols with various attacks, let's move forward to learn how we can perform network jamming via DoS/DDoS attacks.
The most common way of jamming a wireless network is by sending a continuous series of deauthentication packets, which disconnect clients from the AP and also prevent clients from connecting back to the AP. This attack is also helpful during honeypot attacks.
Another approach could be to send disassociation packets. The difference between these two management frames is that the deauthentication packet informs the attacker that the user is disconnected from the network, whereas the disassociation packet disconnects any node that is connected to the AP while the AP is down or rebooting.
So, to perform this, we will be using aireplay-ng, as shown in the following screenshot:
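As an added example (not the book's own code) that connects the Type field discussion earlier in the chapter with the jamming attack just described, the following Python script decodes the Frame Control field of raw 802.11 MAC headers, classifies management subtypes the way Wireshark's wlan.fc.type_subtype value does, and flags a deauthentication storm in a sniffing window. The AP BSSID is the one used in this chapter; the client MAC and all frames are constructed for the demonstration.

```python
import struct
from collections import Counter

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0x4: "probe-request", 0x5: "probe-response", 0x8: "beacon",
                 0xA: "disassociation", 0xB: "authentication", 0xC: "deauthentication"}

AP = "ca:58:c0:13:2e:5f"      # AP BSSID used throughout the chapter
STA = "aa:bb:cc:dd:ee:ff"     # constructed client MAC
BCAST = "ff:ff:ff:ff:ff:ff"


def parse_frame(frame: bytes) -> dict:
    """Decode Frame Control and the three address fields of a raw 802.11 header
    (no RadioTap). In the first FC byte: bits 0-1 protocol version, bits 2-3 type,
    bits 4-7 subtype. Deauth/disassoc bodies start with a 2-byte reason code."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    info = {
        "type": TYPE_NAMES[ftype],
        "subtype": subtype,
        "subtype_name": MGMT_SUBTYPES.get(subtype) if ftype == 0 else None,
        "type_subtype": (ftype << 4) | subtype,   # Wireshark's combined value; beacon = 0x08
        "addr1": frame[4:10].hex(":"),            # receiver
        "addr2": frame[10:16].hex(":"),           # transmitter
        "addr3": frame[16:22].hex(":"),           # BSSID for management frames
    }
    if ftype == 0 and subtype in (0xA, 0xC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Constructed management frame (type 0) for the demo, not a real capture."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00"          # FC (type bits = 00) + duration
    for mac in (dst, src, bssid):
        hdr += bytes.fromhex(mac.replace(":", ""))
    return hdr + b"\x00\x00" + body                        # sequence control, then body


def deauth_storm(frames, threshold: int = 20):
    """BSSIDs for which more than `threshold` deauth/disassoc frames were seen in one window.
    Spoofed frames carry the real AP's BSSID, so the volume, not the address, is the
    signal; a genuine AP sends a handful at most (802.11w/PMF makes spoofed ones invalid)."""
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        if p["type"] == "management" and p["subtype"] in (0xA, 0xC):
            counts[p["addr3"]] += 1
    return sorted(bssid for bssid, n in counts.items() if n > threshold)


def sample_frames():
    """Constructed window: five beacons, one genuine deauth (reason 3, client left),
    then a burst of 30 broadcast deauths with reason 7 carrying the AP's BSSID."""
    normal = [build_mgmt_frame(0x8, BCAST, AP, AP)] * 5
    normal.append(build_mgmt_frame(0xC, STA, AP, AP, struct.pack("<H", 3)))
    burst = [build_mgmt_frame(0xC, BCAST, AP, AP, struct.pack("<H", 7))] * 30
    return normal + burst


if __name__ == "__main__":
    for f in sample_frames()[:7]:
        print(parse_frame(f))
    print("deauth storm from:", deauth_storm(sample_frames()))
```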
Now that we have seen network jamming attacks using deauthentication or disassociation attacks, let's move forward with an advanced topic, honeypots, which attackers perform in real time to compromise wireless networks if the credentials are not being cracked.
An evil twin attack is a very common attack where an attacker creates a rogue AP with the same ESSID and the same or different BSSID (depending on the security architecture of the victim's organization) to lure victims into thinking the attacker's AP is legitimate. The attacker does this by amplifying the rogue AP signals in such a manner that the victim's machines automatically connect to the fake AP.
The whole idea behind creating a fake AP is very simple but depends on the organization's implementation of the target SSID as well. Take the following examples:
So, the whole picture looks like this:
Important Note
In my penetration testing experience, choosing the SSID is very important because we might only have one chance of compromising the key or the password depending on the security solutions deployed to monitor the wireless networks. So, we generally choose our target as the organization's SSID (configured with EAP encryption protocols) that authenticates the users to the internal domain network. Once we are connected to the internal production or domain network, it is then a matter of time to compromise either low-hanging fruit or the complete data center.
So, let's create a fake AP with the WirelessRed SSID and capture the credentials, as shown in the following screenshot:
The following screenshot shows that once the user gets disconnected and tries to connect back to the rogue AP with their legitimate domain (production) credentials from their machine, the attacker immediately captures the credentials:
Similar approaches can also be tried for other encryption protocols.
These types of attacks in wireless networks are based on attacking users rather than APs; this includes users who might have connected to open networks or our target networks anytime in the past. These attacks come in handy when we are targeting the users of an organization. Let's say we are targeting organization A, and we know an employee who goes to Starbucks at the end of the day to grab a cup of coffee, work on their emails, and open some of their internal organization's websites, perhaps for timesheet entry. So, rather than directly targeting the organization, we can target that user by probing the list of the organization's wireless network, and then capturing or monitoring the user's activity.
The following are some of the attacks that we can perform in our day-to-day red team activity:
eaphammer -i wlan0 --cloaking full --mana --mac-whitelist mac.txt --auth WPA-PSK --creds
eaphammer -i wlan0 --cloaking full --mana --loud --auth WPA-PSK --creds
eaphammer -i wlan0 --mana --loud --known-beacons --known-ssids-file known-ssids.txt --auth WPA-PSK --creds
Important Note
As part of this book, our primary targets to attack are the wireless AP, encryption standards, and protocols. However, please feel free to try out new methods for KARMA-based attacks.
Now, as we have successfully performed various wireless attacks, such as WPA/WPA2 cracking, sniffing wireless networks, and creating honeypots, let's focus on some points that can be helpful while implementing wireless networks.
While implementing a secured wireless network, choosing the best encryption standard or a centralized approach is a bit of a difficult task, because a lot of parameters need to be taken into consideration. Let's focus on a few parameters that will help us to implement a wireless network and keep it secure from attackers:
In this chapter, we have learned about various wireless standards and the loopholes or misconfigurations that can lead to serious network hijacks. As almost all organizations nowadays run production environments or corporate networks over wireless, it is very important to protect the wireless perimeter from attackers. The most common way to compromise a wireless network is by cracking the password; once the attacker has guessed the password, there is no way to stop them from compromising the corporate network. Hence, the passphrase implemented should be strong. Another common attack, used when attackers are not able to crack the wireless network's password, is to create an evil twin so that users connect to the evil twin's SSID. Therefore, to protect against such attacks, a WIPS plays an important role, detecting a fake AP based on multiple parameters, such as the BSSID. Implementing a secure wireless network is a bit of a tedious task, but not that difficult. Choosing a strong authentication mechanism with a secure protocol, and setting up different VLANs with proper segmentation, keeps wireless networks secure from attackers and from attacks such as VLAN hopping.
This chapter helps network administrators, network penetration testers, and red teamers to perform security testing in real time and identify flaws in their currently implemented wireless network architecture, so that they can implement it more securely.
The next chapter will talk about network routing protocols, where we will learn about the workings of the Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Interior Gateway Protocol (IGP), and other related protocols, their flaws, how an attacker would identify loopholes to exploit them, and how to protect networks from such attacks.