Part of my Capstone project for college was to interview a C-level manager. Being as I was in the Air Force and stationed in Germany, that seemed a tall task for me, but I was successful in convincing the staff that interviewing the communications commander would be sufficient. After some back and forth in scheduling, I got an interview with the colonel and we had a great conversation about where networking and data communications were going, the role security would play in the future, and a host of other topics.

One thing in particular he said stuck with me through the years. We were discussing how folks outside IT view networking and computing both inside and outside the military. He paused for a moment and walked over to the wall. He flipped the light switch on and off and said, “This is where networking is going…and where it needs to be.” He went on to explain that in his view, networking would soon be no longer a luxury but a necessity, and people would look at it and expect it to work much like electricity—just always there and ready, something so ubiquitous and commonplace it’s taken for granted.

Of course he was dead-on correct, and probably more so than he even knew. If you’d been there and told us that wireless networking would fit that bill, we would’ve both probably laughed you out of the room. Today, though, wireless is that ever-present, always-on, taken-for-granted service we all just expect to be on and ready. Want proof? Used to be if you invited someone over to you house for more than an hour’s stay they’d comment on your home, talk about family, friends, and football, and just enjoy some face-to-face time. Today, I’d bet within 30 minutes someone in their party will ask, “Hey, man, what’s your Wi-Fi password?” And half the group will be face down in a smartphone.

Back in the early 80s, wireless networking didn’t even exist, and the idea was nearly as far-fetched as the still-cool Star Trek communicators we watched on reruns. Wireless hacking back then was nothing more than crossing a signal or two, talking over someone (or listening in to them) on a telephone, or playing with CB or scanner frequencies. Today, though, we’ve got worlds of wireless to discover and play with. For example, I’d bet your network at home is still chirping away, even if you’re not there to use it, right? Surely you didn’t shut it all down before you left for the day….

Not to mention our devices are now more mobile than ever, and getting progressively smaller...and smarter. Where once mobile security concerns centered on data-at-rest encryption and pre-shared keys for wireless connectivity on the laptop, the smartphone is unquestionably the ruler of the airwaves today. People are using smartphones more and more as their primary networked interaction devices, and we need to focus our attention appropriately.

Wireless and mobile computing is here to stay, and what a benefit it is to the world. The freedom and ease of use it offers are wonderful and, truly, are changing our society day by day. However, along with that we have to use a little caution. If data is sent over the airwaves, it can be received over the airwaves—by anyone (maybe not in clear text, and maybe not easily discernable, but it can be received). Therefore, we need to explore the means of securing our data and preventing accidental spillage. And that, Dear Reader, is what this chapter is all about.

Wireless Networking

Although it’s important to remember that any discussion on wireless should include all wireless mediums (phones, keyboards, and so on), this section is going to focus primarily on wireless data networking. I’m not saying you should forget the rest of the wireless world—far from it. In the real world you’ll find as many, if not more, hacking opportunities outside the actual wireless world network. What we do want to spend the vast majority of our time on, however, are those that are testable issues. And, because EC-Council has defined the objectives this way, we will follow suit.

Wireless Terminology, Architecture, and Standards

A wireless network is built with the same concerns as any other media you decide to use. You have to figure out the physical makeup of the transmitter and receiver (NIC) and how they talk to one another. There has to be some order imposed on how clients communicate to avoid collisions and useless chatter. There also must be rules for authentication, data transfer, size of packets, and so on. In the wireless data world, these are all defined with standards, known as the 802.11 series. Although you probably won’t get more than a couple of questions on your exam referencing the standards, you still need to know what they are and basic details about them. Table 7-1 summarize these standards.

Table 7-1 Wireless Standards

One other note of interest when it comes to the standards we’re chatting about here is the method wireless networks use to encode messages onto the media in use—the airwaves. In the wired world, we can encode using various properties of the electrical signal itself (or, if using fiber, the light wave); however, in wireless there’s nothing physical for the machine to “touch.” Modulation—the practice of manipulating properties of a waveform—then becomes the encoding method of choice. There are nearly endless methods of modulating a waveform to carry a signal, but the two you’ll need to know in wireless are OFDM and DSSS (QAM is very new and isn’t touched on your exam).

Both orthogonal frequency-division multiplexing (OFDM) and direct-sequence spread spectrum (DSSS) use various pieces of a waveform to carry a signal, but they go about it in different ways, and the best way I can think to explain it comes in the form of a discussion about your cable television set. See, the cable plugged into the back of your TV is capable of carrying several different frequencies of waveforms, and all of them are plowing into the back of your TV right now. You watch one of these waveforms by tuning your TV specifically to that channel.

In this oversimplified case, the cable is split into various channels, with each one carrying a specific waveform. OFDM works in this same manner, with several waveforms simultaneously carrying messages back and forth. In other words, the transmission media is divided into a series of frequency bands that don’t overlap each other, and each of them can then be used to carry a separate signal. DSSS works differently by combining all the available waveforms into a single purpose. The entire frequency bandwidth can be used at once for the delivery of a message. Both technologies accomplish the same goal, just in different ways.

As for a basic wireless network setup, you’re probably already well aware of how it’s done. There are two main modes a wireless network can operate in. The first is ad hoc, which is much like the old point-to-point networks in the good old days. In ad hoc mode, your system connects directly to another system, as if a cable were strung between the two. Generally speaking, you shouldn’t see ad hoc networks appearing very often, but park yourself in any open arena (such as an airport or bus station) and see how many pop up.

Infrastructure mode is the one most networks are set up as and the one you’ll most likely be hacking. Whereas ad hoc connects each system one to another, infrastructure makes use of an access point (AP) to funnel all wireless connections through. A wireless access point is set up to connect with a link to the outside world (usually some kind of broadband router). This is an important consideration when you think about it—wireless devices are usually on completely different subnets than their wired cousins. If you remember our discussion on broadcast and collision domains, you’ll see quickly why this is important to know up front.

Clients connect to the access point using wireless network interface cards (NICs); if the access point is within range and the device understands what it takes to connect, it is allowed access to the network. Wireless networks can consist of a single access point or multiple ones, thus creating overlapping “cells” and allowing a user to roam freely without losing connectivity. This is also an important consideration when we get to generating wireless packets later in this chapter. The client needs to “associate” with an access point first and then “disassociate” when it moves to the next one. This dropping and reconnecting will prove vital later, trust me.

We should probably pause here for a brief introduction to a couple of terms. Keep in mind these may not necessarily be testable items as far as EC-Council is concerned, but I think they’re important nonetheless. When you have a single access point, its “footprint” is called a basic service area (BSA). Communication between this single AP and its clients is known as a basic service set (BSS). Suppose, though, you want to extend the range of your network by adding multiple access points. You’ll need to make sure the channels are set right, and after they’re set up, you will have created an extended service set (ESS). As a client moves from one AP in your subnet to another, so long as you’ve configured everything correctly, the client will disassociate from one AP and (re)associate with another seamlessly. This movement across multiple APs within a single ESS is known as roaming. Okay, enough vocabulary. It’s time to move on.

Another consideration to bring up here deals with the access points and the antennas they use. It may seem like a weird (and crazy) thing to discuss physical security concerns with wireless networks because by design they’re accessible from anywhere in the coverage area. However, that’s exactly the point: many people don’t consider it, and it winds up costing them dearly. Most standard APs use an omnidirectional antenna, which means the signal emanates from the antenna in equal strength 360 degrees from the source. Well, it’s at least close to 360 degrees anyway, since the farther away you get vertically from the signal, the exponentially worse the signal reception gets. But if you were to, say, install your AP in the corner of a building, three-quarters of your signal strength is lost to the parking lot. And the guy sitting out in the car hacking your network will be very pleased by this.

A better option may be to use a directional antenna, also sometimes known as a Yagi antenna. Unidirectional antennas allow you to focus the signal in a specific direction, which greatly increases signal strength and distance. The benefit is obvious in protecting against the guy in the parking lot. However, keep in mind this signal is now greatly increased in strength and distance, so you may find that the guy will simply drive from his corner parking spot close to the AP to the other side of the building, where you’re blasting wireless out the windows. The point is, wireless network design needs to take into account not only the type of antenna used but where it is placed and what is set up to contain or corral the signal. The last thing you want is for some kid with a Pringles can a block away tapping into your network. The so-called cantenna is very real and can boost signals amazingly. Check out Figure 7-1 for some antenna examples.

Figure 7-1 Wireless antennas

Other antennas you can use are dipole and parabolic grid. Dipole antennas have, quite obviously, two signal “towers” and work omnidirectionally. Parabolic grid antennas are one type of directional antenna and work a lot like satellite dishes. They can have phenomenal range (up to 10 miles due to their power output) but aren’t in use much. Another directional antenna type is the loop antenna, which looks like a circle. And, in case you were wondering, a Pringles can will work as a directional antenna. Google it and you’ll see what I mean.

So, you’ve installed a wireless access point and created a network for clients to connect to. To identify this network to clients who may be interested in joining, you’ll need to assign a service set identifier (SSID). The SSID is not a password and provides no security at all for your network. It is simply a text word (32 characters or less) that identifies your wireless network. SSIDs are broadcast by default and are easily obtainable even if you try to turn off the broadcast (in an effort dubbed “SSID cloaking”). The SSID is part of the header on every packet, so its discovery by a determined attacker is a given, and securing it is virtually a moot point.

Once the AP is up and a client comes wandering by, it’s time to authenticate so an IP address can be pulled. Wireless authentication can happen in more than a few ways, from the simplistic to the complicated, but for study purposes there are three main methods you should look at: Open System Authentication, Shared Key Authentication, and Centralized Authentication (for example, RADIUS). In Open System Authentication, a client can simply send an 802.11 authentication frame with the appropriate SSID to an AP and have it answer with a verification frame. In Shared Key Authentication, the client would participate in a challenge/request scenario, with the AP verifying a decrypted “key” for authentication. Both serve the purpose of proving you belong to the network and are illustrated in Figure 7-2.

Figure 7-2 Wireless authentication methods

If you want to get really crazy, you can even tie the whole thing together with an authentication server (RADIUS), forcing the client into an even more complicated authentication scenario. The key here is to remember there is a difference between association and authentication. Association is the action of a client connecting to an AP, whereas authentication actually identifies the client before it can access anything on the network.

Wireless Encryption

Lastly, after everything is set up and engineered appropriately, you’ll want to take some steps toward security. This may seem like a laughable concept because the media is open and accessible to anyone within range of the AP, but there are some alternatives available for security. Some are better than others, but as the old saying goes, some security is better than none at all.

There are a host of wireless encryption topics and definitions to cover. I briefly toyed with an exhaustive romp through all of them but decided against it after thinking about what you really need to know for the exam. Therefore, I’ll leave some of the “in-the-weeds” stuff for another discussion, and many of the definitions to the glossary, and just stick with the big three here: WEP, WPA, and WPA2.

WEP stands for Wired Equivalent Privacy and, in effect, doesn’t effectively encrypt anything. Now I know you purists are jumping up and down screaming about WEP’s 40- to 232-bit keys, yelling that RC4 is an encryption algorithm, and questioning whether a guy from Alabama should even be writing a book at all. But trust me, it’s not what WEP was intended for. Yes, “encryption” is part of the deal, but WEP was never intended to fully protect your data. It was designed to give people using a wireless network the same level of protection someone surfing over an Ethernet wired hub would expect: if I were on a hub, I wouldn’t expect that the guy in the parking lot could read what I send and receive because he wouldn’t have physical access to the wire.

Now think about that for a moment—wired equivalent privacy. No minimally educated security person walking upright and capable of picking glazed doughnuts over cake ones would ever consider a hub secure. Granted, it’s harder than sitting out in the hallway with an antenna and picking up signals without even entering the room, but does it really provide anything other than a discouragement to casual browsers? Of course not, and so long as it’s implemented that way, no one can be upset about it.

WEP uses something called an initialization vector (IV) and, per its definition, provides for confidentiality and integrity. It calculates a 32-bit integrity check value (ICV) and appends it to the end of the data payload and then provides a 24-bit IV, which is combined with a key to be input into an RC4 algorithm. The “keystream” created by the algorithm is encrypted by an XOR operation and combined with the ICV to produce “encrypted” data. Although this all sounds well and good, it has one giant glaring flaw: it’s ridiculously easy to crack.

WEP’s initialization vectors are relatively small and, for the most part, get reused pretty frequently. Additionally, they’re sent in clear text as part of the header. When you add this to the fact that we all know the cipher used (RC4) and that it wasn’t ever really designed for more than one-time usage, cracking becomes a matter of time and patience. An attacker simply needs to generate enough packets in order to analyze the IVs and come up with the key used. This allows him to decrypt the WEP shared key on the fly, in real time, and renders the encryption useless.

Does this mean WEP is entirely useless and should never be used? As far as your exam goes, that answer may as well be yes, but how about in the real world? Is a WEP-protected connection in a hotel better than the wired outlet provided to you in the room? That’s probably something you need to think about. You may prefer the protection the WEP connection gives you over the complete absence of anything on the wired connection. Not to mention, you don’t really know what’s on the other end of that port. The point is that while WEP shouldn’t be considered a secured network standard for your organization, and it will be roundly destroyed on the exam as being worthless, there are still plenty of uses for it, and it may turn out to be the best choice for specific situations in your adventures.

A better choice in encryption technology is Wi-Fi Protected Access (WPA) or WPA2. WPA makes use of something called Temporal Key Integrity Protocol (TKIP), a 128-bit key, and the client’s MAC address to accomplish much stronger encryption. The short of it is, WPA changes the key out (hence the “temporal” part of the name) every 10,000 packets or so, instead of sticking with one and reusing it, as WEP does. Additionally, the keys are transferred back and forth during an Extensible Authentication Protocol (EAP) authentication session, which makes use of a four-step handshake process to prove the client belongs to the AP, and vice versa.

WPA2 is much the same process; however, it was designed with the government and the enterprise in mind. In something called WPA2 Enterprise, you can tie EAP or a RADIUS server into the authentication side of WPA2, allowing you to make use of Kerberos tickets and other offerings. But what if you just want to use it at home or on your small network and don’t want to bother with all those additional, and costly, authentication measures? No worries, WPA2 Personal is your bag, baby. Much like other encryption offerings, you simply set up a pre-shared key and give it only to those people you trust on your network.

A couple final notes on WPA2 include encryption and integrity. Whether Enterprise or Personal, it uses AES for encryption, ensuring FIPS 140-2 compliance—not to mention AES is just plain better. As for integrity, believe it or not, TKIP had some irregularities originally. WPA2 addresses these by using something called the Cipher Block Chaining Message Authentication Code Protocol (CCMP), which sounds really technical and awesome. What CCMP really does is something everyone has been doing forever to ensure integrity—it simply uses something to show the message hasn’t been altered during transit. The rest of us call them hashes, but CCMP calls them message integrity codes (MICs), and the whole thing is done through a process called cipher block chaining message authentication code (CBC-MAC).

So, there you have it. WEP, WPA, and WPA2 are your wireless encryption measures. WEP is relatively easy to crack and according to your exam probably should never be used. However, on your home network you may be okay—especially if you take other, common sense, (and dare I say it) defense-in-depth measures to protect yourself. WPA and WPA2 are much better choices from an overall security standpoint. The answer to the question “How do you crack WPA2?” is, unfortunately, not very easily. In fact, if the password in use is long or particularly complex, it’s improbable you can get it done in any reasonable timeframe at all since the key has absolutely nothing to do with the password. It’s not completely impossible; it’s just really tough with AES. The only real way to accomplish this is to use a tool that creates the crypto key based on the password (which, of course, you don’t have). You must capture the authentication handshake used in WPA2 and attempt to crack the pair master key (PMK) from inside (tools such as Aircrack and KisMAC, a macOS tool, can help with this), but it’s just not that easy to do. A comparison of WEP, WPA, and WPA2 is shown in Table 7-2.

Table 7-2 Wireless Encryption Comparison

Wireless Hacking

When it comes to hacking wireless networks, the truly great news is you may not have much of it to do. Many networks have no security configured at all, and even those that do have security enabled don’t have it configured correctly. According to studies recently published by the likes of the International Telecommunications Union (ITU) and other equally impressive organizations, more than half of all wireless networks don’t have any security configured at all, and of the remainder, nearly half could be hacked within a matter of seconds. Granted, a large number of those are home networks that do not represent much of a valued target for hackers; however, the numbers for organization and business use are equally as eye-popping. If you think that’s good news for hackers, the follow-up news is even more exciting: wireless communication is expected to grow tenfold within the next few years. Gentlemen, and ladies, start your engines.

In versions past, ECC has spent a lot of time concentrating on finding wireless networks to hack. Thankfully, at least on this one thing, they’ve recognized reality and pulled back the reins. Spending a lot of time talking about finding wireless networks makes as much sense as talking about how to find air. So we’re not talking about finding any wireless network—that’s too easy. What we are hoping to cover here is how you can find the wireless network you’re looking for—the one that’s going to get your team inside the target and provide you with access. The rest of this is just good-to-know information.

First up in our discussion of wireless network discovery are the “war” options. No matter which technique we’re talking about, the overall action is the same: an attacker travels around with a Wi-Fi-enabled laptop looking for open wireless access points/networks. In war driving, the attacker is in a car. War walking has the attacker on foot. War flying? I’m betting you could guess it involves airplanes.

Another option in wireless network discovery is the use of a wide array of tools created for that very purpose. In particular is the seemingly endless array of mobile-based tools available. One such is WifiExplorer (nutsaboutnets.com). It collects info about nearby WAPs and displays the data in five clear diagnostic views for your use. Others include WiFiFoFum (play.google.com), OpenSignalMaps (opensignal.com), and WiFinder (play.google.com). Throw a couple on your smartphone and check out what you can find on the wireless signals in your house.

Before we cover the system-based tools you’ll see mentioned on your exam, it’s relevant at this point to talk about the wireless adapter you’ll need for most of them to work. No matter how great the tool is, if the wireless adapter can’t pull the frames out of the air in the correct manner, all is lost. Some tools are built this way and work only with certain chipset adapters, which can be frustrating at times.

The answer for many in wireless hacking is to invest in an AirPcap dongle (www.cacetech.com)—a USB wireless adapter that offers several advantages as well as software support (see Figure 7-3). Sure, it’s expensive, but it’s worth it. In addition to capturing all data, management, and control frames (wireless sniffing in Windows without something like this can be maddening), it works seamlessly with Aircrack-ng and other sniffing/injection wireless hacking applications. It also provides a useful software distribution that can be very helpful in decrypting WEP and WPA frames. AirPcapReplay is included in this and offers the ability to replay traffic from a captured file across the wireless network.

Figure 7-3 AirPcap USB

Barring this, you may need to research and download new and different drivers for your particular card. The madwifi project (http://madwifi-project.org) has some legacy drivers that may help in certain situations, but you should also check Linux development websites themselves (for drivers like ath5k and ath9k). At any rate, just keep in mind that, much like the ability of wired adapters to use promiscuous mode for your sniffing efforts, discussed earlier in this book, not all wireless adapters are created equal, and not all will work with your favorite tool. Be sure to check the user guides and man pages for lists and tips on correctly configuring your adapters for use.

I’ve already made mention of WIGLE (http://wigle.net) and how teams of miscreant hackers have mapped out wireless network locations using GPS and a tool called NetStumbler (see Figure 7-4). NetStumbler (www.netstumbler.com), the tool employed in this endeavor, can be used for identifying poor coverage locations within an ESS, detecting interference causes, and finding any rogue access points in the network (we’ll talk about these later). It’s Windows based, easy to use, and compatible with 802.11a, b, and g.

Figure 7-4 NetStumbler

Although it’s usually more of a wireless packet analyzer/sniffer, Kismet is another wireless discovery option. It works on Linux-based systems and, unlike NetStumbler, works passively, meaning it detects access points and clients without actually sending any packets. It can detect access points that have not been configured (and would then be susceptible to the default out-of-the-box admin password) and will determine which type of encryption you might be up against. You might also see two other interesting notables about Kismet on your exam: First, it works by “channel hopping,” to discover as many networks as possible. Second, it has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.

Another great network discovery tool is NetSurveyor (see Figure 7-5). This free Windows-based tool provides many of the same features as NetStumbler and Kismet. Additionally, it supports almost all wireless adapters without any significant additional configuration, which is of great benefit to hackers who can’t afford, or don’t have, an AirPcap card. NetSurveyor acts as a great tool for troubleshooting and verifying proper installation of wireless networks. To try it, simply download and install the tool and then run it. It will automatically find your wireless adapter and begin scanning. Click through the different menu options and check out all the information it finds without you needing to configure a thing!

Figure 7-5 NetSurveyor

Attacks

First things first: wireless hacking does not need to be a complicated matter. Some simple attacks can be carried out with a minimum of technical knowledge and ability. Sure, there are some really groovy and, dare I say, elegant wireless hacks to be had, but don’t discount the easy ones. They will probably pay as many dividends as the ones that take hours to set up.

For example, take the concept of a rogue access point. The idea here is to place an access point of your own somewhere—heck, you can even put it outside in the bushes—and have legitimate users connect to your network instead of the original. Just consider the possibilities! If someone were to look at his wireless networks and connect to yours, because the signal strength is better or yours is free whereas the others are not, he’s basically signing over control to you. You could configure completely new DNS servers and have your AP configure them with the DHCP address offering. That would then route users to fake websites you create, providing opportunities to steal authentication information. Not to mention, you could funnel everything through a packet capture.

Sometimes referred to as “evil twin” (assuming the SSID on the rogue box is set similar to the legitimate one), an attack like this is incredibly easy to pull off. The only drawback is they’re sometimes really easy to see, and you run a pretty substantial risk of discovery. You’ll just have to watch out for true security-minded professionals because they’ll be on the lookout for rogue APs on a continual basis and (should) have plenty of tools available to help them do the job.

Another truly ridiculous attack is called the “ad hoc connection attack.” To be honest, it shouldn’t ever be successful, but after years in the security management business, I’ve seen users do some pretty wild things, so almost nothing surprises me anymore. An ad hoc connection attack occurs when an attacker simply sits down with a laptop somewhere in your building and advertises an ad hoc network from his laptop. Believe it or not, people will, eventually, connect to it. Yes, I know it’s tantamount to walking up to a user with a crossover cable in hand and asking, “Excuse me, would you please plug this in to your system’s NIC? The other end is in my computer and I’d like easy access to you.” But what can you do?

Another attack on the relatively easy side of the spectrum is the denial-of-service effort. This can be done in a couple of ways, neither of which is particularly difficult. First, you can use any number of tools to craft and send de-authenticate (disassociate) packets to clients of an AP, which will force them to drop their connections. Granted, they may try to immediately climb back aboard, but there’s nothing stopping you from performing the same action again. Or you can employ a rogue AP to have legitimate users connect, thereby removing their access to legitimate networked resources (in ECC lingo, an unauthorized association).

The other easy DoS wireless attack is to jam the wireless signal altogether, using some type of jamming device and, usually, a high-gain antenna/amplifier. All wireless devices are susceptible to some form of jamming and/or interference—it’s simply a matter of placing enough signals out in the airwaves that the NICs can’t keep up. Tons of jammer options are available (a quick Google search on wireless jammers will show you over 3 million pages on the subject), ranging from 802.11 networks to Bluetooth and other wireless networking technologies. No, the giant jar of jam used in the movie Spaceballs won’t work, but anything generating enough signals in the 2.4 GHz range would definitely put a crimp in an 802.11b network.

One defense wireless network administrators attempt to use is to enforce a MAC filter. Basically it’s a list of MAC addresses that are allowed to associate to the AP; if your wireless NIC’s address isn’t on the list, you’re denied access. The easy way around this is to monitor the network to figure out which MAC addresses are in use on the AP and simply spoof one of them. On a Unix/Linux machine, all you need do is log in as root, disable the interface, enter a new MAC, and reenable the device:

Tons of tools are also available for MAC spoofing. A couple of the more easy-to-use ones are SMAC and TMAC. Both allow you to change the MAC address with just a couple of clicks and, once you’re done, to return things to normal with a click of the mouse.

Wireless Encryption Attacks

Cracking WEP is ridiculously easy and can be done with any number of tools. The idea revolves around generating enough packets to effectively guess the encryption key. The weak initialization vectors discussed already are the key—specifically, the fact that they’re reused and sent in clear text. Regardless of the tool, the standard WEP attack follows the same basic series of steps:

1.   Start a compatible wireless adapter on your attack machine and ensure it can both inject and sniff packets.

2.   Start a sniffer to capture packets.

3.   Use some method to force the creation of thousands and thousands of packets (generally by using “de-auth” packets).

4.   Analyze these captured packets (either in real time or on the side) with a cracking tool.

I thought about putting step-by-step examples of the process in here, using specific tools, but it wouldn’t serve any point. Each situation is unique, and any steps using a specific tool I put in here may not work for you at your location. This tends to lead to confusion and angst. The best advice I can give you is set up a lab and practice yourself. Don’t have an extra wireless access point to play with? Try hacking your own WAP (just make very sure you own it; otherwise, unless you have permission to do so, leave it alone). If you get lost along the way or something doesn’t seem to make sense, just check out any of the online videos you can find on WEP cracking. There are bajillions of them out there.

WEP is easy to crack, and more than a few tools are available for doing so. The Aircrack-ng suite of tools is probably one of the more “famous,” and it will definitely show up on your exam somewhere. Aircrack-ng provides a sniffer, a wireless network detector, a password cracker, and even a traffic analysis tool and can run on both Windows and Linux. If you really want to dig into the toolset, Aircrack uses different techniques for cracking different encryption standards. On WEP, for instance, it can use a dictionary technique or a variety of weirdly named algorithmic processes called PTW, FMS, and the Korek technique.

Cain and Abel will do the job easily, just sniffing packets and cracking as stated earlier, although it may take a little longer than some other tools. KisMAC (a macOS application) can be used to brute-force WEP or WPA passwords. Other tools include WEPAttack (wepattack.sourceforge.com), WEPCrack (wepcrack.sourceforge.com), Portable Penetrator (a mobile tool of all things; www.secpoint.com), and Elcomsoft’s Wireless Security Auditor tool.

WPA and WPA2 are exponentially more difficult. Both rely on and use a pre-shared, user-defined password alongside a constantly changed temporal key to provide protection. In WPA, the process of cracking this is really, really hard and basically comes down to one thing: brute force. Much like WEP, force a bunch of packets to be sent and store them, then run them through an offline cracker (like Aircrack) to brute-force against those packets until you’re successful.

Another method of attack you’re almost guaranteed to see questioning on is the Key Reinstallation Attack (a.k.a. KRACK). KRACK is basically a replay attack that takes advantage of the way WPA2 works. In 2016 a couple of Belgian researchers discovered that by repeatedly resetting and replaying a portion of traffic they could eventually learn the full key used to encrypt all traffic.

See, WPA2 uses a four-way handshake to establish a nonce; a one-time-use shared secret for the communication session. Since wireless isn’t as reliable as a wired connection and occasionally you’ll have drop-offs and disconnections, and since the standard takes into account these disconnections could occur during the handshake, WPA2 allows reconnection using the same value for the third handshake. And because WPA2 doesn’t require a different key to be used each time in this type of reconnection, an attacker can repeatedly re-send the third handshake of another device’s session to manipulate or reset the WPA2 encryption key.

Each time this is reset it causes data to be encrypted using the same values. Therefore, blocks with the same content can be seen and matched, and over time worked backward for keychain clues. Since each repeated reset reveals more and more of the keychain, the attacker can gradually match encrypted packets seen before and, over time, learn the full keychain used to encrypt the traffic. Voilà!

Wireless Sniffing

Much about sniffing a wireless network is the same as sniffing its wired counterpart. The same protocols and authentication standard weaknesses you looked for with Wireshark off that switch port are just as weak and vulnerable on wireless. Authentication data, passwords, and other information can be gleaned just from watching the air, and although you are certainly welcome to use Wireshark, a couple of tools can help you get the job done.

Just a few of the tools specifically made for wireless sniffing include some we’ve already talked about, such as NetStumbler and Kismet, and some that we haven’t seen yet, including OmniPeek, AirMagnet WiFi Analyzer Pro, and WiFi Pilot. Assuming you have a wireless adapter that is compatible and can watch things in promiscuous mode, OmniPeek is a fairly well-known and respected wireless sniffer. In addition to the same type of traffic analysis you would see in Wireshark, OmniPeek provides network activity status and monitoring in a nice dashboard for up-to-the-minute viewing.

AirMagnet WiFi Analyzer, from Fluke Networks, is an incredibly powerful sniffer, traffic analyzer, and all-around wireless network-auditing software suite. It can be used to resolve performance problems and automatically detect security threats and vulnerabilities. Per the company website (www.airmagnet.com/products/wifi_analyzer/), AirMagnet includes the “only suite of active WLAN diagnostic tools, enabling network managers to easily test and diagnose dozens of common wireless network performance issues including throughput issues, connectivity issues, device conflicts and signal multipath problems.” And for you compliance paperwork junkies out there, AirMagnet includes a compliance reporting engine that maps network information to requirements for compliance with policy and industry regulations.

The point here isn’t to rehash everything we’ve already talked about regarding sniffing. What you need to get out of this is the knowledge that sniffing is beneficial to wired and wireless network attacks, and you need to be able to recognize the tools mentioned here. Again, I recommend you go out and download these tools. Most, if not all, are either free or have a great trial version for your use. Read the usage guides and determine your adapter compatibility; then fire them up and see what you can capture. You won’t necessarily gain much, exam-wise, by running them, but you will gain valuable experience for your “real” work.

Chapter Review

In the wireless world, the 802.11 series of standards is very important. 802.11a can attain speeds up to 54 Mbps and uses the 5 GHz range. 802.11b has speeds of 11 Mbps at 2.4 GHz, and 802.11g is 54 Mbps at 2.4 GHz. 802.11n has speeds over 100 Mbps and uses a variety of ranges in MIMO format between 2.4 GHz and 5 GHz. Two other standards of note are 802.11i (an amendment to the original 802.11 series standard that specifies security mechanisms for use on the WLAN) and 802.16 (global development of broadband wireless metropolitan area networks, WiMAX). 802.11an and 802.11ax are next on the horizon.

Modulation—the practice of manipulating properties of a waveform—is the encoding method of choice in wireless networks. Both orthogonal frequency-division multiplexing (OFDM) and direct-sequence spread spectrum (DSSS) use various pieces of a waveform to carry a signal. OFDM works with several waveforms, simultaneously carrying messages back and forth: the transmission media is divided into a series of frequency bands that don’t overlap each other, and each of them can then be used to carry a separate signal. DSSS works differently by combining all the available waveforms into a single purpose; the entire frequency bandwidth can be used at once for the delivery of a message.

In ad hoc mode, wireless systems connect directly to other systems, as if a cable were strung between the two. Infrastructure mode uses an access point (AP) to funnel all wireless connections through, and clients associate and authenticate to it. Wireless networks can consist of a single access point or multiple ones, thus creating overlapping cells and allowing a user to roam freely without losing connectivity. The client needs to associate with an access point first and then disassociate when it moves to the next one.

When there is a single access point, its footprint is called a basic service area (BSA). Communication between this single AP and its clients is known as a basic service set (BSS). If you extend the range of your network by adding multiple access points, the setup is known as an extended service set (ESS). As a client moves from one AP in your subnet to another, so long as everything is configured correctly, it’ll disassociate from one AP and (re)associate with another seamlessly. This movement across multiple APs within a single ESS is known as “roaming.”

Wireless network design needs to take into account not only the type of antenna used but where it is placed and what is set up to contain or corral the signal. Physical installation of access points is a major concern because you will want to avoid spillage of the signal and loss of power. Most standard APs use an omnidirectional antenna, which means the signal emanates from the antenna in equal strength 360 degrees from the source. Directional antennas allow you to focus the signal in a specific direction, which greatly increases signal strength and distance. Other antennas you can use are dipole and parabolic grid. Dipole antennas have, quite obviously, two signal “towers” and work omnidirectionally. Parabolic grid antennas work a lot like satellite dishes and can have phenomenal range (up to 10 miles) but aren’t in use much.

To identify a wireless network to clients who may be interested in joining, a service set identifier (SSID) must be assigned. The SSID is not a password and provides no security at all for your network. It is a text word (32 characters or less) that only distinguishes your wireless network from others. SSIDs are broadcast by default and are easily obtainable even if you try to turn off the broadcast (in an effort dubbed “SSID cloaking”). The SSID is part of the header on every packet, so its discovery by a determined attacker is a given, and securing it is virtually a moot point.

Wireless authentication can happen in more than a few ways, from the simplistic to the complicated. There are three main methods: Open System Authentication, Shared Key Authentication, and Centralized Authentication (for example, RADIUS). In Open System Authentication, a client can simply send an 802.11 authentication frame with the appropriate SSID to an AP and have it answer with a verification frame. In Shared Key Authentication, the client would participate in a challenge/request scenario, with the AP verifying a decrypted “key” for authentication. And you can even tie the whole thing together with an authentication server (RADIUS), forcing the client into an even more complicated authentication scenario. Association is the action of a client connecting to an AP, whereas authentication actually identifies the client before it can access anything on the network.

WEP stands for Wired Equivalent Privacy and provides weak security for the wireless network. Using 40-bit to 232-bit keys in an RC4 encryption algorithm, WEP’s primary weakness lies in its reuse of initialization vectors (IVs)—an attacker can simply collect enough packets to decode the WEP shared key. WEP was never intended to fully protect your data; it was designed to give people using a wireless network the same level of protection that someone surfing over an Ethernet wired hub would expect. WEP’s initialization vectors are relatively small and, for the most part, get reused pretty frequently. Additionally, they’re sent in clear text as part of the header. An attacker simply needs to generate enough packets in order to analyze the IVs and come up with the key used.

A better choice in encryption technology is Wi-Fi Protected Access (WPA) or WPA2. WPA makes use of Temporal Key Integrity Protocol (TKIP), a 128-bit key, and the client’s MAC address to accomplish much stronger encryption. The short of it is, WPA changes the key out (hence the “temporal” part of the name) every 10,000 packets or so, instead of sticking with one and reusing it. Additionally, the keys are transferred back and forth during an Extensible Authentication Protocol (EAP) authentication session, which makes use of a four-step handshake process in proving the client belongs to the AP, and vice versa.

WPA2 is much the same process; however, it was designed with the government and the enterprise in mind. In something called WPA2 Enterprise, you can tie EAP or a RADIUS server into the authentication side of WPA2, allowing you to make use of Kerberos tickets and additional offerings. WPA2 uses AES for encryption, ensuring FIPS 140-2 compliance. As for integrity, WPA2 addresses this by using the Cipher Block Chaining Message Authentication Code Protocol (CCMP), with message integrity codes (MICs), in a process called cipher block chaining message authentication code (CBC-MAC).

An AirPcap dongle is a USB wireless adapter that offers several advantages as well as software support. WIGLE (http://wigle.net) helps in identifying geographic locations of wireless networks; teams of hackers have mapped out wireless network locations using GPS and a tool called NetStumbler. NetStumbler (www.netstumbler.com) can be used for identifying poor coverage locations within an ESS, detecting interference causes, and finding any rogue access points in the network. It’s Windows based, easy to use, and compatible with 802.11a, b, and g.

Kismet is another wireless discovery option. It works on Linux-based systems and, unlike NetStumbler, works passively, meaning it detects access points and clients without actually sending any packets. It can detect access points that have not been configured (and would then be susceptible to the default out-of-the-box admin password) and will determine which type of encryption you might be up against. It works by “channel hopping” to discover as many networks as possible and has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.

Another great network discovery tool is NetSurveyor. This free Windows-based tool provides many of the same features as NetStumbler and Kismet. Additionally, it supports almost all wireless adapters without any significant additional configuration—which is of great benefit to hackers who can’t afford, or don’t have, an AirPcap card. NetSurveyor acts as a great tool for troubleshooting and verifying optimal installation of wireless networks. A few of the tools specifically made for wireless sniffing include NetStumbler, Kismet, OmniPeek, AirMagnet WiFi Analyzer Pro, and WiFi Pilot.

The rogue access point is an easy attack on a wireless network whereby an attacker sets up an access point near legitimate APs and tricks users into associating and authenticating with it. Sometimes referred to as an “evil twin,” an attack like this is easy to attempt. The use of rogue APs (evil twins) may also be referenced as a “mis-association attack.” Additionally, faking a well-known hotspot on a rogue AP (for example, McDonald’s or Starbucks free Wi-Fi spots) is referred to as a “honeyspot attack.”

Denial-of-service efforts are also easy attacks to attempt. In addition to other attacks, you can jam the wireless signal altogether, using some type of jamming device and, usually, a high-gain antenna/amplifier. All wireless devices are susceptible to some form of jamming and/or interference—it’s simply a matter of placing enough signal out in the airwaves that the NICs can’t keep up.

Cracking WEP is ridiculously easy and can be done with any number of tools. The idea revolves around generating enough packets to effectively guess the encryption key. The weak initialization vectors we discussed already are the key; that is, they’re reused and sent in clear text. Tools for cracking WEP include Cain and Abel and Aircrack (both use Korek, but Aircrack is faster) as well as KisMAC, WEPCrack, and Elcomsoft’s Wireless Security Auditor tool. KisMAC runs on macOS and can be used to brute-force WEP or WPA. On WEP, Aircrack can use a dictionary technique, or a variety of weirdly named algorithmic processes called PTW, FMS, and the Korek technique, while only dictionary can be used against WPA and WPA2.

Questions

1.   A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key?

A.   Capture the WPA2 authentication traffic and crack the key.

B.   Capture a large amount of initialization vectors and crack the key inside.

C.   Use a sniffer to capture the SSID.

D.   WPA2 cannot be cracked.

2.   You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security?

A.   Unauthorized users will not be able to associate because they must know the SSID in order to connect.

B.   Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast.

C.   Unauthorized users will still be able to connect because nonbroadcast SSID puts the AP in ad hoc mode.

D.   Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.

3.   You are discussing wireless security with your client. She tells you she feels safe with her network as she has implemented MAC filtering on all access points, allowing only MAC addresses from clients she personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable?

A.   WEP keys are easier to crack when MAC filtering is in place.

B.   MAC addresses are dynamic and can be sent via DHCP.

C.   An attacker could sniff an existing MAC address and spoof it.

D.   An attacker could send a MAC flood, effectively turning the AP into a hub.

4.   What information is required in order to attempt to crack a WEP AP? (Choose two.)

A.   Network SSID

B.   MAC address of the AP

C.   IP address of the AP

D.   Starting sequence number in the first initialization vector

5.   Which of the following protects against man-in-the-middle attacks in WPA?

A.   MIC

B.   CCMP

C.   EAP

D.   AES

6.   Which of the following is the best choice for detecting wireless LANs using the 802.11a/b/g/n WLAN standards on a Linux platform?

A.   Kismet

B.   Nessus

C.   NetStumbler

D.   Cain and Abel

7.   A user calls with a problem. Her laptop uses the same hardware and software as many of the other clients on the network, and she can see the wireless network, but cannot connect. You run a sniffer, and results show the WAP is not responding to the association requests being sent by the wireless client. Of the following choices, which is the most likely source of the problem?

A.   The wireless client does not use DHCP.

B.   The wireless client is on the wrong wireless channel.

C.   The WAP has MAC filtering engaged and does not recognize the MAC.

D.   SSID Security is preventing the connection.

8.   Which of the following provides for integrity in WPA2?

A.   AES

B.   CCMP

C.   TKIP

D.   RADIUS

9.   Which of the following is a true statement?

A.   Configuring a strong SSID is a vital step in securing your network.

B.   An SSID should always be more than eight characters in length.

C.   An SSID should never be a dictionary word or anything easily guessed.

D.   SSIDs are important for identifying networks but do little to nothing for security.

10.   Which wireless encryption technology makes use of temporal keys?

A.   WAP

B.   WPA

C.   WEP

D.   EAP

11.   Which wireless technology uses RC4 for encryption?

A.   WAP

B.   WPA

C.   WEP

D.   WPA2

E.   All of the above

Answers

1.   A. WPA2 is a strong encryption method, but almost everything can be hacked, given enough time. Capturing the password pairwise master key (PMK) during the handshake is the best way to do it, and even then it’s virtually impossible if it’s a complicated password.

2.   D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it’s broadcast from the AP.

3.   C. MAC filtering is easily hacked by sniffing the network for a valid MAC and then spoofing it, using any number of options available.

4.   A, B. The MAC address of the AP and the SSID are required for attempting a WEP crack.

5.   A. MIC provides integrity checking in WPA, verifying frames are authentic and have not been tampered with. Part of how it accomplishes this is a sequence number—if any frames arrive out of sequence, the whole session is dropped.

6.   A. Kismet is your best option here, as the other tools simply don’t fit the bill.

7.   C. There may be more to the story, but given everything we know, MAC filtering is probably the culprit here. Given the same hardware and software setup, it’s unlikely it’s a channel issue, and the other options make no sense at all.

8.   B. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that three times fast) uses message integrity codes (MICs) for integrity purposes.

9.   D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.

10.   B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.

11.   C. WEP uses RC4, which is part of the reason it’s so easily hacked and not considered a secure option.