This is a topic I'm passionate about and have a vast background and experience with. In 2001, right after 9/11, I became unemployed. I live in a rural community in northern Utah, and we didn't have a high-speed internet service. I saw a need so decided to start up my own ISP service.
I rented space off the city water tower that can be seen for miles. Since there was no affordable high-speed internet, I decided to offer this service. So, I put two T1 lines into my garage and converted my garage from a standard garage to an office in a server room environment. I put an antenna on top of my roof, pointed it towards the water tower, and then put an array of antennas and access points (APs) on top of the water tower.
The company grew quite fast; it was one of the fastest-growing ISP services in the Mountain West area. We grew it to 600 customers; we got so busy that we ended up having to expand our service and we had to find another cell tower.
The thing about wireless is that a line of sight is critical for a strong signal. A lot of our customers couldn't get access to the internet because they didn't have a line of sight. In the case of the water tower in Syracuse, we put up several different sector-based antennas. We went and added tons of these as the company grew, including an omnidirectional antenna (we'll discuss why omnidirectional is technically not as powerful as sector-based antennas). As the company grew, we added that second tower and put in sector-based antennas as well. We were able to cover an 18 to 20 mile stretch of homes in this rapidly growing area.
After growing this company, I sold it because I saw the writing on the wall; we were finally getting Comcast, which at the time was Qwest, but I think is now CenturyLink. They're doing quite well because we have these new subdivisions popping up and the commercial ISPs can't get out there fast enough.
Kevin Mitnick, a famous hacker, says, New security loopholes are constantly popping up because of wireless networking. The cat-and-mouse game between hackers and system administrators is still in full swing. Just when you think it's safe to get back on the wireless network, we get another issue popping up. Hopefully, as you work your way through this chapter, you'll feel more prepared to deal with the rapidly growing wireless environment.
In this chapter we will cover the following topics:
Let's begin by discussing insights into the wireless world.
The wireless environment is constantly evolving. As such, let's begin by defining some key terms you will need to know. You've probably heard some of these terms before, but let's review some of them and what the acronyms stand for.
Frequency hopping spread spectrum (FHSS) was invented by Hedy Lamarr. She was not only a famous Silver Screen actress but also very intelligent. In fact, she was an inventor. It's kind of funny to watch the documentary about her. She was so beautiful that a lot of men—you must think of the time when she was around—didn't take her seriously as far as some of her inventions were concerned.
FHSS was accomplished by manipulating radio frequencies at irregular intervals between transmissions and receptions, hence hopping.
Her invention also formed an unbreakable code because it was hopping around so nobody could listen in, meaning that classified messages could be transmitted without being intercepted. Typically, FHSS operates within the 900 MHz to 2.4 GHz range.
A variation of FHSS is called adaptive frequency hopping (AFH), which is also known as Bluetooth.
With any type of spread spectrum technology, if you have a lot of devices communicating on the exact same channel, that equals degradation of signal. So, what Hedy Lamarr did is create this technology that allows the channel or the transmission to jump between the different channels. You do this with a hop sequence.
It's extremely difficult for anybody to intercept this traffic. In fact, by looking at this information or looking at a frequency hopping environment with a spectrum analyzer, it just looks like interference. Obviously, the receiving and the sending antennas must be on the same hop count, so they know which channel they are hopping to and the next data packet transmission.
The problem with FHSS is its speed limitation. It is limited to 3 MB. I know you're thinking… That's slow! Well, I know, but back in my day, we offered high-speed internet up to 512 KB and people thought that was blazing fast. They paid me $69 a month for it. It was great. My slowest speed was about 128 KB, and I charged $19.99.
Direct sequence spread spectrum (DSSS) is probably the most popular one. It has the same channels and the same frequencies, but you must select which channel both the sending and the receiving antennas are going to be on, and they stay there, which obviously makes it easier for someone to intercept traffic.
Because of how the channels overlay with each other, it can also create interference. You could also end up with interference from other wireless devices, such as cordless phones, microwaves, and even fluorescent lamps because they all cause interference.
With these channels, people ask how I select a channel that won't interfere with another channel? Well, believe it or not, there are three sweet spots. Channel 1 does not interfere with Channel 6, and it's the same between 6 and 11. There's a separation. Some people might think, Well, five would be okay because 5 doesn't necessarily interfere with 1. Well, technically, in the spectrum analyzer, that's not a clean separation.
The basic service set identifier (BSSID) consists of the MAC address of the AP that has associated it with a basic service set (BSS). This is often confused with the service set identifier (SSID). Generally, users are unaware of the BSS to which they belong. When a user moves a device, the BSS used by the device could change because of a variation in the range covered by the AP, but this change may not affect the connectivity of the wireless device.
Now, the BSSID, as I mentioned before, deals with the MAC address of that device. What happens is that the BSS address gets incremented, and that is broadcasted and used for communication in the air. If you've got a wireless network that is broadcasting on multiple bandwidths, such as g, n, ac, or ax, it gets incremented again and again so it can be used for each one of those bands.
Even though you're connected to the same SSID that is supported by several APs, a device needs to know which AP to return its packets to.
If you use some type of packet capturing tool, you should be able to see the wireless MAC address floating around in the air, which should flag your hacking senses as an issue for wireless networks. You can also see the APs broadcast in the BSSIDs. This is probably more information than you really need to know; it's just information that is floating around in my head.
This is what everybody's familiar with when it comes to wireless, right? It's the network name; it can be up to 32 characters in length and it is attached to every single wireless packet that goes out onto the air. This is how you can have multiple APs transmitting data to different systems but dropping just as we see with a normal network environment. If the packet is not destined for that network, it gets dropped—it's the same concept, we just use this SSID because in the air, there's other information floating around, or maybe it's not information, just interference.
The Global System for Mobile Communications (GSM) is an open and digital cellular technology used for mobile communication. It uses four different frequency bandwidths: 850 MHz, 900 MHz, 1,800 MHz, and 1,900 MHz.
These are places where wireless networks are available for public use. Hotspots refer to areas with Wi-Fi availability, where users can enable Wi-Fi on their devices and connect to the internet.
This simply refers to the process of connecting a wireless device to an AP.
This method affects the spectral efficiency of 4G and 5G wireless communication services. The use of MIMO-OFDM reduces interference and improves the reliability of the channel.
Let's start with the negatives since they are the most significant concerns for us as wireless security experts. From a security perspective, the following are the biggest issues for us with Wi-Fi:
You've probably heard this before, but I'll say it again. Please, do yourself a favor: if you see an AP that says, Free Wi-Fi, don't get on it! Most of the time, those are rogue APs, (Figure 11.1), or an attacker trying to get you to hook into their AP. Once you do it, the attacker becomes a man in the middle who can attack you. Isn't that nice of them to give you free Wi-Fi and all they get in exchange is your bank account details?
Okay, now that I've most likely let you down and you don't want to use Wi-Fi anymore, let's get to the shiny side of things here.
Here's a list of the advantages Wi-Fi has to offer:
Types of Wi-Fi? Isn't it just all wireless? No, not really. Matter of fact, here's where we're going to play around with some terms because, today, we use terms such as APs. These are the different types of Wi-Fi:
It all started with the 802.11 family, as explained here:
There are other 802.11 technologies out there, but these are the ones you should focus on.
This has nothing to do with the type of encryption we're going to be utilizing. When IEEE released the 802.11 standards, they defined two different methods wireless devices could use to authenticate to a wireless access point (WAP) before actual network communication would take place:
So, guess what? It's time to play wireless threats, and the top-dollar question is, which authentication process is the least secure? Is it OSA or shared key? If you selected OSA, you would be wrong. Shared key is the least secure mechanism. The reason behind this is because the shared key is shared, it's transmitted.
Even though OSA sounds like it's worse, we'll use other types of mechanisms to secure the network.
Here are some different ways we can identify Wi-Fi networks. To discover them, we can use one of the following methods:
So, after we've identified those networks, we want to make sure we can share this information. This is where warchalking came into play. Again, this may be a little bit of a deprecated technology or concept because of what we've done in the digital age; most of the stuff now is online. But it got its start back in 2002 by a gentleman by the name of Matt Jones, and it was inspired by the Great Depression and the homeless community.
When the homeless traveled, they communicated by leaving behind different marks that represented different things so other homeless travelers would know. For example, that it was okay to sleep someplace, that there was a doctor that would help them, or a policeman nearby who kept an eye out. They would make these marks these using chalk or coal to the Brotherhood. Well, guess what? It's still being utilized today, but with Wi-Fi networks; we use different symbols to identify them.
Let's start off by showing you what an open and closed node symbol would look like.
I bet you can't figure out which one's which (Figure 11.2):
Open means it's typically free, while closed means it's somehow locked down.
If it's locked down, we need to identify the encryption that's used. So, either it's a WEP encryption or a paid service. We typically list the speeds with the node identification at the bottom, and we would normally see the SSID above the representation of the node. If by chance they were doing any type of filtering, we would also use this symbol to identify that in this case here, it's a MAC filtered node.
What's funny is that whenever I teach this concept, people say, Dale, I've never seen any of these symbols around. Well, the problem is you haven't been looking for them.
Let me show you. So, what do you have here? You have an open node that's anywhere from 1 to 5 Mb, and its SSID is KYNANCE (Figure 11.3):
Now, next time you run into some kids (especially my grandkids) with laptops or tablets, you might want to be careful or pay attention to what they're drawing (Figure 11.4):
You may be familiar with only one or two of these, so, I want to make sure you understand them. It's amazing! After you study wireless, you'll start looking around as you drive, you'll start to see antennas that you never realized were there before, and they pop up in the strangest of places.
What you're trying to accomplish will determine the type of antenna you want to use.
An omnidirectional antenna is a traditional one; everybody knows about it. You have seen something that looks just like these (Figure 11.5). The one on the left is a commercial-grade AP that we install on top of a mast, and the thick one on the right is what we usually see on the back of our AP.
Omnidirectional means the signal is transmitted 360 degrees and, by default, it's broadcasted out horizontally, meaning that our beam width starts at the antenna and moves in a horizontal direction (Figure 11.6):
We know the signal goes out in a 360-degree pattern. Instead, if I take that antenna and encase it with something highly reflective, that's where we get sector-based antennas. Most of the time, it's just sheet metal. That sheet metal takes the signal that hits it, reflects it, and pushes behind the signal that's already going in that other direction and amplifies (Figure 11.7). It's kind of a cool concept when you think about it—something so simple.
This is what a parabolic grid antenna looks like (Figure 11.8):
You may have seen these quite often. You have your transmitting element in the center and the grid portion is pushing as well as receiving, almost like a big satellite dish receiving the signal and focusing it back to that center arm.
These are also more powerful than omnidirectional antennas and they're typically used for long distances, such as 10 miles or more.
This is what a Yagi antenna looks like (Figure 11.9):
This is used for extremely focused connectivity. With a parabolic antenna, you can be within a couple of degrees and pick up the signal, but with a Yagi antenna, you must be exactly on. Again, this type of antenna is for great distances.
Now that we understand more about wireless signals, let's discuss next how to encrypt those signals more securely.
Now that we've deployed our wireless environment, how do we make sure things are still secure? Well, once we've identified our weakness, we'll have strength, and that's when we get dangerous. It's so true because knowing is half the battle. Understanding where your weaknesses are helps to strengthen you.
Believe it or not, WEP encryption is still heavily used. But, let's not even pretend here, WEP stands for Wired Equivalent Privacy, but it's not. That was the initial goal, and we'll discuss why they didn't achieve it when they implemented or had this ratified.
It was designed to protect us from digital eavesdropping and to help make sure our data was protected.
It also was there to help make sure we prevented anybody from getting on the network via Wi-Fi without being authorized to do so.
To prevent unauthorized access and eavesdropping, it uses a key. The key is the problem because it is used to encrypt the packets before transmission. However, this key is shared, making it kind of a nightmare for us.
So, what happened? First, when they came up with WEP, it was not reviewed by any academia or any type of public review for any type of input, nor were any cryptologists able to review this technology. Back in the day, they were so desperate to get some type of encryption, the result was like people threw things together hoping they would work. As I just mentioned, one of its biggest downfalls is the pre-shared key issue.
One of the reasons it wasn't strong was because of the issue they had with US restrictions on the export of various cryptography technologies. This led to manufacturers restricting their devices to only 64-bit encryption, but WEP only used a 40-bit key. When the restrictions were lifted, it was increased to 128-bit, but again, WEP ended up only using a 104-bit key size. And, even though they came out with 256-bit WEP encryption, which only uses a 232-bit key size, 128-bit remains one of those common implementations today.
The other issue is the fact that WEP used the RC4 algorithm for its encryption. The problem is that RC4 is designed for randomized keys to be encrypted, but WEP is not random at all. You create one shared key, and it's the same for everybody. The result is that WEP can be cracked if enough traffic can be intercepted.
I'm not here to say that WEP is totally useless; I would much rather use WEP than nothing at all. But please, if you're using it anywhere, turn it off. Or, if you're not going to turn it off, let me know the address of your AP. I think I'd like to come to visit you!
Wi-Fi Protected Access (WPA) is like WEP all grown up, with its big boy pants on. Well, it has given us better protection than we experienced with WEP. It was formally adopted back in 2003, which was about a year before WEP was officially retired. So, it was designed to patch the issues we had with WEP.
The most common WPA configuration is using a WPA pre-shared key (PSK). These keys are 256 bits, which is much stronger than the 64-bit and 128-bit keys we saw with WEP.
One of the biggest changes in implementing WPA included a message integrity check (MIC). What we mean by that, in non-geek terms, is the ability to check to see if an attacker had captured or altered the packets as it was passing from the AP to the client.
We do that with the Temporal Key Integrity Protocol (TKIP). What's TKIP? Well, under TKIP, a client starts with a 128-bit temporal key that is then combined with the client's MAC address. Once the TKIP has been created, it wraps itself around WEP because that's all WPA is—fixing WEP—and then unique encryption keys are created for each wireless frame, creating a more secure network connection.
However, despite the improvement WPA gives us over WEP, the ghost of WEP still haunts WPA. The cool thing about WPA back in the day is it didn't require you to go off and buy new hardware. It was simply a firmware upgrade on the networking devices. But here's the downside to it: because it had to recycle certain elements used in WEP, it ended up creating exploits. In fact, today, WPA by itself is not considered secure, just like WEP.
Then, along came our big brother, WPA2, which created much stronger protection for us.
WPA comes in two different types.
The first type of WPA is referred to as WPA-Personal. It uses a PSK, a 256-bit key for encryption, and the encryption is based on anywhere from 8 to 63 ASCII characters.
You have probably set up an AP before where you've gone through and created a passcode or a passphrase for your wireless network. Well, it's those characters that are used to help create that 256-bit key.
If you think you're safe because you are using WPA2, think again, because some of the same vulnerabilities that were the big hole in WPA armor exist with WPA2.
If on your Wi-Fi routers you're using Wi-Fi Protected Setup (WPS), it's that little button. All you must do is hit this button and you'll get your device to hook right up. WPS is burnt into the firmware, it doesn't change or rotate, and it's a code.
I could still try to break into your WPA2 network by using brute force attacks and it could take anywhere from several hours to a couple of days, maybe even a week. However, if I go after your WPS, this vulnerability can be hacked by some software called Reaver. I can crack that in anywhere from 2 to 14 hours depending on my system. So, if you can, try to disable WPS.
This other flavor of WPA2 is referred to as WPA2-Enterprise. WPA2-Enterprise addresses the concerns regarding the distribution and management of those static passphrases. It's the control access on a per-account basis by tying into some type of authentication service. Those are typically handled by either the Extensible Authentication Protocol (EAP) or the Remote Authentication Dial-In User Service (RADIUS).
This mode requires credentials such as a user's name, a certificate, and maybe a one-time password. The authentication occurs between the station and this centralized authenticating server.
The AP or the wireless controller simply monitors the connection and directs the authentication packets to the authentication server. Typically, this is going to be a RADIUS box.
This is all based on the enterprise environment, using the Advanced Encryption Standard (AES) with the Cipher Block Chaining MAC Protocol (CCMP), which is extremely strong compared to Rivest Cipher 4 (RC4).
Let's take a look at advances that have been made in our newest WPA version. WPA3 has capabilities necessary to support various deployment sizes that range from large corporate network environments down to a simple home network.
It uses encryption algorithms such as AES and TKIP, which help to ensure cryptographic consistency, and it has enhanced network resilience by using protected management frames (PMF) to deliver a strong defense against eavesdropping and forging attacks. It rejects outdated legacy protocols. Some pretty cool stuff – and it's about time.
First, WPA3's encryption/authentication security protocol is stronger and builds upon the security protocols in WP2. In this new version, there have been advancements that provide cutting-edge features to simplify Wi-Fi security. One of the reasons it's stronger is that it can be used to implement a layered security strategy that can protect all aspects of a Wi-Fi network. WPA2 was not able to protect users' passwords through the use of an offline dictionary attack if someone had enough time and processing power. Attackers would have to gain access to the password through a brute force attack by checking all possible combinations. In WPA3, passwords are encrypted through an improved key handshake protocol. The Dragonfly handshake/Society of Automotive Engineers (SAE) protocol is mandatory for WPA3 certification, and this reduces the risk of a dictionary attack.
It's important to note that the new authentication process requires devices to be in close physical proximity to the router, which means that your neighbor can't hack your wireless network if they aren't close to your house.
Just like WPA2, WPA3 also comes in two operation modes (Personal and Enterprise). If you have a device that doesn't support WPA3, the network will stay in WPA2 mode.
So, if things are encrypted, how do we break that encryption? Well, that's going to depend on the type of encryption you're using. When it comes to WEP, one of the biggest issues we have is the feeble initialization vectors (IVs) that are out there.
First is the fact that WEP uses RC4. While RC4 itself isn't weak, the problem is how WEP uses RC4. It utilizes it using a key scheduling algorithm (KSA) to create the IV and it is added to the base key.
Unfortunately, the first few bits are clear text, so it becomes very easy to predict what the IVs are going to be. Therefore, if I intercept enough traffic with WEP, I'll be able to figure out what your key is.
The other issue is the IVs are not explicit. They're reused over and over on your devices. So, if you get one key, you have everything. It's like one ring to rule them all.
Another weakness in the IV is the IV itself is appended to the beginning of the security key, which makes it vulnerable to Fluher, Mantin, and Shamir (FMS) attacks. It takes advantage of the weaknesses in the RC4 key scheduling algorithm to reconstruct the messages to determine what the key is, and we do this with simple scripts. It's so simple. In fact, a lot of the tools we use for hacking wireless networks, such as Aircrack-ng and AirSnort, can exploit this type of weakness.
Another weakness in the IV is the fact there's no way to detect that the message has been tampered with. There might be some other methods, such as check values, that can look at the message integrity, but they have their own drawbacks as well.
One of the most critical weaknesses is probably the use of short IVs. Basically, within a few hours of traffic—I can simulate the traffic to speed the timeframe up—the same IV will repeat itself. And, I can see those repeats using sniffing tools, capture the encrypted packets with the same key, and then use a tool such as Aircrack-ng or WEPCrack to decrypt the weak IV, which would then give me the base key. Again, the base key is the base key for everyone. So, knowing that these IVs exist, it's very easy to crack WEP.
Now, because WPA is basically a grownup version of WEP, it does make it a little bit tougher, but I can still brute force attack it if I'm able to capture enough packets.
The same applies to doing an offline attack. To implement this, we must be near the AP—only for a matter of seconds—to capture the WPA and the WPA2 authentication handshake. By capturing the right number of packets, we can then try to crack this offline.
The biggest advantage an attacker has is time. As an attacker, I don't have to sit there and be on your network consistently.
If you want to get tricky, we can do something called a de-authentication attack. With this, I'll find an active client and force them off or disconnect them from the AP. I'll then use some of my tools to capture the authentication packet when the client tries to reconnect to the AP, which normally happens within just a few seconds of it being disconnected. That authentication packet includes the Pairwise Master Key (PMK), which I can then brute force or dictionary attack to recover the WPA key. And, just like WEP, we can brute force the WPA keys.
Some of the tools we utilize for this process include Aircrack-ng, KisMAC, and Reaver, which grabs the WPS.
Okay, it sounds like we should just never use Wi-Fi now. Well, no, that's not really what I'm saying, because we can do some things to defend ourselves against cracking on wireless.
Again, there is nothing that is completely secure but knowing what your risks are helps to make you stronger or safer. So, let's talk about how implementing some very basic things can beef up your security. Most people have the tendency of overlooking them, yet they can help you in securing your wireless network.
If you make the passphrases in WPA complicated, make them long as well. Get a passphrase with 20 characters, if not longer. Don't use real words that can be found in a dictionary.
Lastly, look at the client settings. Use WPA2 with AES and cipher block chaining (CCM) encryption only. Also, when it comes to the client settings for the validation server, make sure you use a specific server address.
Next, let's discuss threats from wireless technology.
Wireless is a great technology. So, how do we evaluate the threats, or the possibility of threats, that we expose our networks to?
Let's look at some of the integrity attacks you could be a victim of. They can be summed up in several different categories.
These types of attacks are designed to gain access to your network without your wireless security solutions detecting them or being able to bypass them altogether:
Let's look at some of the integrity attacks you could be a victim of. They can be summed up in several different categories:
These attacks are designed to intercept sensitive data. I told you it was going to get scary! These attacks include the following:
These attacks include the following:
The goal of authentication attacks is to steal the identities of Wi-Fi clients, their personal information, and their login credentials, so that the attackers can get into network resources without permission:
Let's look at some of the possible AP attacks:
Sometimes, these rogue APs are deployed by employees who just want better reception. But from the attacker's perspective, they set up a rogue AP and place it near the target network. When the user turns their computer on, the rogue AP offers up a connection to the user's wireless network interface controller (WNIC).
If the user connects to the rogue AP as the legitimate AP, it's going to try to authenticate itself, and therefore, the rogue AP picks up that whole communication channel.
Somebody who may be curious—not saying I may or may not have done this before—but an attacker could simply duplicate the MAC address and be allowed access to the network. I know you're already thinking, I'd better look to see if Dale's on my flight!
These are simple, and we'll start off with the most basic:
Jamming is extremely popular, especially when it comes to dealing with criminal activities. This is a jammer that does several frequencies including, not only cell but Wi-Fi, Bluetooth—everything (Figure 11.10):
Next, let's talk about the methods we use in wireless hacking.
Believe it or not, there is a methodology when it comes to hacking wireless networks.
This is the first step in the methodology of hacking wireless networks. We always look at this the same way we do with standard networks—that we need to first see what's going on around the environment itself. If you remember, one of the first steps is the process of footprinting or reconnaissance. All we're doing is looking around.
I like to refer to this process as a looky-loo. If you're not familiar with that term, I'll give you a description. In my state it just so happens if you're driving down the freeway and there's an accident on the other side and you can't see it, you're required to slow down and see if you can see what's going on, thereby slowing down traffic on the opposite side, which is nothing but totally frustrating and creates some road rage. We refer to those folks as looky-loos.
If you remember, when it comes to footprinting, this is simply where we're trying to locate and understand the network itself. We do that in a couple of different ways:
Either way, to accomplish footprinting, you'll need a couple of things. You'll need applications, including desktop applications, and some of the newer ones based on mobile.
Some of the more common desktop applications include Insider, which is an open source, multi-platform Wi-Fi scanning software. It gives the attacker information such as the proper channeling of wireless networks, signal strength if the AP is filtered, and of course, we can export the Wi-Fi GPS data out to an XML file that we can then use inside Google Earth.
Another product out there is called NetSurveyor. This is a network discovery tool used to find WAPs in real time. It's a little bit more GUI as far as its interface is concerned, so it's a little prettier.
WiGLE.net is one of my favorites. It is an open platform and a website for collecting information about different wireless hotspots around the world. It started back in 2000, and by 2013, it had over 170 million recorded Wi-Fi networks in its database. Out of that 170 million, 105 million have GPS coordinates.
We also have Kismet. This is a layer 2 wireless network detector, sniffer, and IDS environment. There are probably more by now; it's like they're coming out daily.
After discovering our wireless networks, and using our GPS mapping to get their locations, the next step is doing wireless traffic analysis and determining any vulnerabilities that may be in the network. Tools such as PRTG Network Monitor (https://www.paessler.com/howto-free-network-monitoring) and Microsoft's Wi-Fi Analyzer and Scanner (https://www.microsoft.com/en-us/p/wifi-analyzer-and-scanner/9nblggh5qk8q) are great solutions, and there are also several tools available on the mobile apps stores.
We're going to do this in a couple of different ways. The first thing we'll do is look for vulnerabilities. This can be done just like we normally do on our wired networks. Again, our whole purpose is to determine an appropriate strategy for attacking the network.
The other thing you need to remember, and I've mentioned it a couple of times, is this is wireless, so traffic itself is just flowing through the air and it isn't serialized, which makes it extremely easy to sniff and analyze the packets.
The next step of the attack is doing a little bit more in-depth reconnaissance. We'll be looking for SSIDs, whether they're hidden or being broadcasted. We'll also look at APs—like how many there are, the encryption being utilized, as well as the authentication they're trying to use.
Why do we need to know how many APs they have? Well, two-fold. First, it gives us a layout of the network infrastructure itself. However, more importantly, I'm going to be looking to see if all the APs have been patched. Often, when companies have multiple APs, they may do firmware upgrades for one or two, but they may forget one, and that could be my door into their network.
There are more cool tools out there that will help us to determine all these reconnaissance requirements or issues. Those include things we've already seen including Wireshark; because packets are going through the network, Wireshark can sniff that out.
We also have some very specific products out there for wireless including AirMagnet, OmniPeek, and AirSnort.
Are you ready to start launching the attack? Well, for us to accomplish this, we can use probably one of the most powerful tools out there, Aircrack-ng. It's not just a simple application, it's a suite of applications designed to target the wireless environment. By suite, I mean, there are several different products inside the product. It's open source, and what's cool is it's free. It's done through the GNU General Public License.
As we said, Aircrack-ng is made up of several utilities. The ones you should be aware of for your exam would be the following:
Now, you may never use some of these programs within the Aircrack-ng suite. I just want you to understand that, because it has so many utilities inside of it, you could say it's a sweet suite.
Once we have the SSID, the next thing we need to do is look at cracking the encryption. Now, as an attacker who may have gotten unauthorized access to the target network by doing things such as placing rogue APs, evil twins, and finding out what the hidden SSIDs are, the next step is to crack the security that's stopping us.
How we achieve this totally depends on the encryption that's being utilized, and there are many tools based on our requirements. We obviously know about Aircrack-ng and its suite of tools. On the macOS platform, we have something called KisMAC that is basically a playoff of Kismet, which is designed to run on a Linux environment.
We also know about Kali Linux, which has a plethora of tools. We've just talked about Aircrack-ng, but it has a ton of tools as far as wireless cracking is concerned.
It also has KillerBee, Blueport, BlueRanger, RedFang, and WiFiHoney – we could spend hours going over that information. And, of course, if you're on the Windows platform, good old Cain and Abel also can do some cracking for us.
Let's discuss Bluetooth next.
Bluetooth is not normally something we would consider an attack vector, but it really is. It's a technology that allows for devices to share data over somewhat short distances. We're about to look at how Bluetooth works, the security mechanisms it has, the threats it provides or creates, and, of course, it can't be complete unless we talk about tools and attacks. Cheer up and let's get going!
I know by now your little brain is overloaded with tons of acronyms and terms, but you must make room for some new ones, especially when it comes to Bluetooth:
You might want to make sure you have a couple of these terms at your fingertips for your immediate future, particularly, Bluesmacking, Bluejacking, and Bluesnarfing.
Besides using frequency hopping as a security mechanism, remember both the master and slave must know the hop sequence; we have the PSK that's exchanged at pairing.
With Bluetooth, we have three different modes:
There are two pairing modes that are available as well:
What we mean by this is we allow an attacker to intercept or listen in or on communications between two or more devices. Now, here's where the frequency hopping comes into play; it makes it a little bit more difficult for us to listen in since it's hopping around. If I can figure out the frequency hopping algorithm you're using, or the hops sequence, I can simply listen in. In fact, to just circumvent the frequency hopping algorithm, all I have to do is use another Bluetooth listening device that's modified to listen to all frequencies. And I bet you'll guess that I got a tool for that, right? It turns the device into a sniffer for Bluetooth.
We need to be concerned about person-in-the-middle (PITM) attacks. Whoa, wait, I thought it was a man-in-the-middle attack? Well, it's basically the same thing, where the attacker who already has the link keys of the two Bluetooth devices can intercept the communication and initiate new communications to both devices posing as each other. With Bluetooth, there must be a master and a slave. Typically, your phone would be the master, your headset would be the slave, and that creates what they refer to as a piconet. Did I hear you say, Oh, come on, Dale, you're making things up now? Well, that's what we call it, it's an ad hoc network. By doing a person-in-the-middle attack, we end up creating two piconets since both devices are considered slaves and masters.
Now that we've talked about the big scary wireless, let's talk about countermeasures, shall we? By now, you know why we need to have countermeasures. I think the Dalai Lama summed it up best when he said, Forgiveness doesn't mean forget what happened. If something is serious, and it's necessary to take countermeasures, you have to take countermeasures. Such a wise statement.
The first thing you want to do includes obvious things such as not using default pins like 1234 or 1111 and making sure your Bluetooth devices are kept in the non-discoverable mode because if an attacker can't see it, they won't connect to it. Better yet, if you don't need it, turn it off. I only have my Bluetooth on when I feel like I'm in my safe zone, which is getting smaller and smaller all the time.
Also, check your paired devices to make sure there's nothing random suddenly showing up as a device that you've paired with, and don't accept any unexpected requests. If your device supports it, make sure you implement linking encryption on all connections.
Every time I hear six layers, I always think of the Six Degrees of Kevin Bacon (oracleofbacon.org), and I'm sure if I start with APs within six layers, I'll be able to get to Kevin Bacon, but let's talk about wireless security here:
Let's briefly discuss these layers:
In wireless networks, the continuous monitoring and managing of the RF spectrum within your environment helps to identify threats and makes you aware of its capabilities. You may want to invest in something like an IDS system or even in a wireless intrusion detection system (WIDS). Previously, I discussed how to limit the length of the transmission of your wireless network by using a reflector of some sort.
I've also heard of users removing antennas from APs. Just because the antenna isn't physically attached, doesn't mean the AP doesn't continue to operate. It just gives it a stronger signal. If the signal is going too far, do yourself a favor: try taking the antenna off and looking at its transmission distance.
This is another layer within wireless security. Obviously, we've talked about the use of WPA2 and, yes, these encryption algorithms should help to protect your data during transmission. Again, it's not foolproof because of weaknesses and other subsystems.
This is another layer, not only the physical layer of the device but also making sure that the device is up to date via patch management and scanning these devices for vulnerabilities. When I say scanning for vulnerabilities, I'm not necessarily saying hitting the device itself but doing research to see if there are any vulnerabilities that have been listed by the manufacturer or third parties.
Connection security per frame, or packet authentication, provides protection against man-in-the-middle attacks. It makes it almost impossible to accomplish. It does not allow the attacker to sniff data when two authorized users are communicating with each other. I would also look at centralizing the encryption method. Obviously, the centralization of this encryption, like a RADIUS server, requires additional security on the backend.
This means strong authentication ensures that only authorized users can access the network and its resources. When we say strong authentication, we're not only talking about the encryption and authentication mechanisms, but we're also talking about how long the passcodes or passphrases are. Weaknesses at that level make us extremely vulnerable.
I know it's hard to wrap your head around it, but believe it or not, if an attacker is able to associate with an AP, the personal firewalls installed on the end user's system on Wi-Fi networks can prevent attackers from gaining access to files.
Moving onto countermeasures next!
Typically, this is where we have the most control as security professionals.
When it comes to wireless, do yourself a favor and change the default SSID. In fact, this might be a great opportunity to practice something I always talk about, and that is misdirection. For example, if I have a D-Link router, I know the default SSID is called D-Link. I'll switch it to Linksys or Tsunami, a different manufacturer, because when the attacker is wardriving through my neighborhood or a business environment and he sees D-Link, he'll throw D-Link attacks or vulnerabilities at that device, which obviously won't work.
Again, this will not stop an attacker, but that's not your job because that job is impossible. Your job is to slow them down. The attacker dared to be looking for a hidden SSID.
The last thing you want is for the attacker to be able to gain access to the device wirelessly. Let's make it a little bit harder for them. Make it so you have to be on the physical wired network to manage this device.
This is very similar to disabling the SSID broadcasting. It's not necessarily going to stop them, but it is going to slow them down. In fact, if I slow them down enough, I will hopefully discourage them
Make sure you update drivers on all the Wi-Fi devices. Again, I go back to how we are all so much aware of updating our applications, especially on our mobile devices, or we update our OS on the famous Patch Tuesday for Microsoft, right? But, I always ask people, When was the last time you updated the firmware or the drivers on the Wi-Fi devices? This should be done at a minimum of at least once a year; I would preferably see this on a task list, to be done every quarter.
We've already talked about creating a centralized authentication server. Remember our RADIUS server? That's also going to require some best practices regarding locking it down.
You may not have thought of this, but guess what? If you're not using it, turn it off, please. Just because you can be wireless doesn't mean you have to have it turned on.
Let's discuss some of the best practices when using SSID settings.
We've mentioned changing the default SSID and hiding it. This is also known as SSID cloaking. I once read an article on the internet that listed three reasons why hiding your wireless SSID was a bad idea. One of the three reasons was that hiding your wireless SSID tempts bad guys. Guess what? You're already tempting them by having a wireless network. We can also argue whether it's a waste of time because as we've seen, we can detect those, but that does require a different level of attacker.
Also, when you name your SSID, please, for the love of Pete, don't use anything identifiable such as the company name, address, or your last name, for example. At that point, you're just making things almost too easy.
As far as layout is concerned, you should also make sure you place a firewall or a packet filter between the AP and the corporate network.
Other encryption technologies we can use with wireless include, for example, IPsec for wireless, or setting up VPN tunnels between wireless users and APs—anything to slow the attacker down.
Now, I do need to probably give you a caveat here and that is, every time we add additional protections to our systems, we end up affecting performance, as well as creating some complexity. And as you probably know, anytime we hear the word complexity, we must associate it with the possibility of additional security holes being made. It takes a very vigilant IT security professional to keep up on all of this. But hey, that's what you're here for, right?
In this chapter, we discussed the various wireless network environments we experience. We shared insights into the evolution of wireless and wireless networking. We discussed the great advantages and some of the disadvantages of wireless networks. We shared insights into what makes wireless networks vulnerable to security issues and some countermeasures we can do to better protect ourselves from threats we face. We discussed the methodology of hacking wireless and Bluetooth devices.
In the next chapter, we will learn about hacking mobile platforms.
As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix: