Chapter 8. Wireless Technologies, Mobile Security, and Attacks

This chapter covers the following topics:

  • Wireless Technologies: Wireless devices are extremely popular. From traditional LANs to Bluetooth, NFC, and other RF-based technologies, these technologies are crucial for today’s environment and must be deployed securely.

  • Mobile Security: Mobile security is an increasingly important part of security. More people bank online on mobile devices than on home computers. Mobile phones are all around us, and so is the potential for attack.

  • Wireless LANs: This technology is popular at home and at businesses and offers attackers an easy way to target a network. Securing this technology is of critical importance.

This chapter introduces you to the world of wireless communication. Wireless communication plays a big role in most people’s lives—from laptops, tablets, mobile devices, and smart watches to wearables and IoT devices, wireless technologies are ubiquitous. Most of you probably use wireless Internet at the local coffee shop or maybe a cordless phone at your house. Some of you may even have a femtocell to boost the strength of your cell connection at home. Do you ever think about the security of these systems after the information leaves the local device?

Securing wireless communication and mobile devices is an important aspect of any security professional’s duties. During an ethical hack or pen test, you might be asked to examine the types of wireless communications that the organization uses or offer advice on securing mobile devices. You might even find that although the organization does not officially allow users to bring your own device (BYOD), those users might have connected personal devices without permission.

After starting the chapter with a discussion of the different types of wireless technologies, wireless LANs, mobile device operation and security are examined. For the exam, you need to know the basic types of wireless LANs that the standard wireless networks are built to, the frequencies they use, and the threats they face. The original protection and encryption mechanism that was developed for wireless networks was the Wired Equivalent Privacy (WEP) protocol. This chapter covers the weaknesses and vulnerabilities of WEP. Next, this chapter covers all the versions of the Wi-Fi Protected Access (WPA) protocol. WPA was created to address the vulnerabilities introduced by WEP. In this chapter you learn the different weaknesses and attacks against WPA versions 1 and 2 implementations and how WPA version 3 addresses those deficiencies. Knowing the primary protection schemes of wireless networks isn’t enough to ace the exam, so we turn our attention to the ways you can secure mobile devices. Finally, some of the more popular wireless hacking tools are examined.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 8-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 8-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section

Questions

Mobile Device Operation and Security

1–4

Wireless LANs

5–6

Wireless LAN Threats

7–10

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following is a wireless technology in line with the IMT-2020 specification and providing a maximum bandwidth of 20 Gbps and latency of 1 millisecond (ms)?

a. 4G LTE

b. 5G

c. 3G

d. Wi-Fi

2. Which of the following is a concern in mobile devices?

a. Data exfiltration

b. Mobile malware

c. Bump attacks

d. All of the above

3. Which of the following is an environment in which each application on a mobile device is allowed to store its information, files, and data securely and protected from other applications?

a. container

b. sandbox

c. virtual env

d. None of the answers above are correct.

4. Which of the following is an example of an Android malicious application?

a. DroidSheep

b. Dalvik

c. KingoRoot

d. All of the above

5. Which of the following are two common modes in wireless configurations? (Choose two.)

a. Ad Hoc mode

b. Infrastructure mode

c. Ad-wire mode

d. NFC mode

e. None of the answers are correct.

6. Which of the following is the symmetric encryption standard and uses either a 64-bit or a 128-bit key used by WEP?

a. RC4

b. RSA

c. ElGamal

d. DES

7. Which of the following is the term for when the attacker creates a rogue access point and configures it exactly as the existing corporate network?

a. Evil Twin attack

b. AP Twin attack

c. PNL attack

d. KARMA attack

8. Which of the following tools can be used to perform a deauthentication attack?

a. Kismet

b. Aireplay-ng

c. Wiggle

d. Metasploit

9. Attackers can use the _________ to listen to client requests trying to connect to saved wireless networks (SSIDs) in their systems. Then the attacker can impersonate such wireless networks in order to make the clients connect to the attacker’s wireless device and eavesdrop in their conversation or to manipulate their communication.

a. WEP cracking list

b. WPA2 cracking list

c. Preferred Network List (PNL)

d. None of the above are correct.

10. __________ is a methodology used by attackers to find wireless access points wherever they might be.

a. Sniffing

b. Banner Grabbing

c. War driving

d. IV attack

Foundation Topics

Wireless Technologies

Image

Each time a new wireless technology is released, there seems to be a tendency to forget the past. Wireless hacking didn’t begin when the first 802.11 equipment rolled out; it has been going on for years. With the advent of the Internet of Things (IoT), wireless technologies are used in most environs.

Mobile Device Operation and Security

Mobile device security isn’t a problem that is going to go away on its own. From a physical security standpoint, mobile devices are small and portable, which also means they are easily lost or stolen. Such lost or stolen devices can be thought of as ticking time bombs until they can be deactivated. To make things worse, some companies do not enforce encryption and lockout policies on mobile devices. This is just the tip of the iceberg. Service providers, similar to the other wireless industries discussed, have been fighting a war against hackers since the 1980s. During this time, cell phones have gone through various advances, as have the attacks against these systems. The first cell phones are considered to be first-generation (1G) technology. These analog phones worked at 900 MHz. These cell phones were vulnerable to a variety of attacks. Tumbling is one of these attacks. This technique makes the attacker’s phone appear to be a legitimate roaming cell phone. It works on specially modified phones that tumble and shift to a different pair of electronic serial number (ESN) and mobile identification number (MIN) after each call.

1G cell phones were also vulnerable to eavesdropping. Eavesdropping is simply the monitoring of another party’s call without permission. Other types of cell phone attacks include cell phone cloning, theft, and subscription fraud. Cloning requires the hacker to capture the ESN and the MIN of a device. Hackers use sniffer-like equipment to capture these numbers from an active cell phone and then install these numbers in another phone. The attacker can then sell or use this cloned phone. Theft occurs when a cellular phone is stolen and used to place calls. With subscription fraud, the hacker pretends to be someone else, uses his or her Social Security number, and applies for cell phone service in that person’s name but the imposter’s address.

These events and others led the Federal Communications Commission (FCC) to pass regulations in 1994 that banned manufacturing or importing scanners into the United States that can pick up frequencies used by cellular telephones or that can be readily altered to receive such frequencies. This, along with the passage of U.S. federal law 18 USC 1029, makes it a crime to knowingly and intentionally use cellular telephones that are altered and to allow unauthorized use of such services. The federal law that addresses subscription fraud is part of 18 USC 1028, Identity Theft and Assumption Deterrence.

For the exam, you should know that U.S. federal law 18 USC 1029 is one of the primary statutes used to prosecute hackers. It gives the U.S. federal government the power to prosecute hackers who produce, use, or traffic in one or more counterfeit access devices.

Besides addressing this problem on the legal front, cell phone providers have also made it harder for hackers by switching to spread-spectrum technologies, using digital signals, and implementing strong encryption. Spread spectrum was an obvious choice because the military used it as a way to protect their transmissions. Table 8-2 shows common cell phone technologies.

Table 8-2 Cell Phone Technologies

Technology

Generation

Advance Mobile Phone System (AMPS)

1G

Total Access Communication System (TACS)

1G

Global System for Mobile (GSM)

2G

Code-Division Multiple Access (CDMA)

2G

General Packet Radio Service (GPRS)

2.5G

Enhanced Data Rates for GSM Evolution (EDGE)

3G

Worldwide Interoperability for Microwave Access (WiMAX)/Long Term Evolution (LTE)

4G

ITU IMT-2020 specification

5G

These cell phone technologies support some of the following features:

  • 1G: This generation of phones allowed users to place analog calls on their cell phones and continue their conversations as they moved seamlessly from cell to cell around an area or region.

  • 2G: The second generation changed the analog mechanisms over to digital cell phones. Deployed in the 1990s, these phones were based on technologies such as GSM and CDMA.

  • 3G: The third generation changed the phone into a mobile computer, with fast access to the Internet and additional services. Downstream speeds ranged from 400 Kbps to several megabits per second.

  • 4G: 4G mobile devices were designed to support video streaming services in real time, as well as data downloads at much higher speeds. However, depending on the environment, some indoor or fringe environments may be as low as 100 Mbps. Two of the most widely deployed standards in this category include Mobile WiMAX and LTE. Today, most cell phones are 4G. However, 5G provides much higher speeds and capacity, and much lower latency, than 4G networks.

  • 5G: The fifth generation of wireless technology is in line with the IMT-2020 specification and provides a maximum bandwidth of 20 Gbps and latency of 1 millisecond (ms).

Users worldwide now spend more time using the Internet and apps in their mobile devices than talking over the phone.

Mobile Device Concerns

Mobile phone technology has revolutionized connectivity, but it also has given rise to security concerns for organizations as more companies must consider what controls to place on mobile devices. Some common concerns include the following:

  • Data exfiltration: Mobile device users usually have emails, attachments, PDFs, spreadsheets, and other documents on their devices. This information can be easily moved in and out of the company. This presents another real concern of intellectual property and sensitive data being stored on mobile devices that can be potentially compromised.

  • Mobile malware: Employees may be enticed to install malware disguised as a free app. Some vendors such as Apple have a centralized application store, but Android devices can download applications from anywhere. This can make these systems a potential target by attackers.

Note

The majority of mobile malware is found on Android devices. This malware typically is delivered in repackaged apps and malicious apps and is more prevalent on Android devices because of the lack of centralized control such as found in Apple’s environment.

  • Geolocation and location-based services: This technology includes the ability to geotag the location of photographs but can also be used by applications to identify a user’s exact location. The idea is that that you can identify a user by his or her location for service or revenue. Examples include coupons from nearby coffee shops and restaurants. However, the security concern is that hackers or others might be able to track the location of specific individuals. For example, an article posted on ZDNet reported that more than 67 percent of apps published on China’s various Android app stores track users’ mobile data without them knowing; see http://www.zdnet.com/article/67-percent-of-china-android-apps-track-users-data/.

  • Bump attacks: By exploiting vulnerabilities in near-field communication (NFC) systems built into many of today’s mobile devices, attackers can electronically hijack handsets that are in close proximity.

  • Jailbreaking: Although not everyone agrees on the ethical concerns of jailbreaking a device, there is a real concern related to the elimination of security controls.

  • Application sandbox issues: These concerns relate to the way in which applications interact with the mobile OS. For example, Android has security features built in to the operating system that significantly reduce these concerns by sandboxing applications. To avoid some security issues, Android is designed so that applications have default low-level system and file permissions.

Tip

A sandbox is an environment in which each application on a mobile device is allowed to store its information, files, and data securely and protected from other applications. The sandbox forms and maintains a private environment of data and information for each app.

Mobile Device Platforms

Image

Devices such as mobile phones, smart watches, and other wearables have gained in popularity and are now connected to the Internet 24 hours a day, each and every day of the year. Attackers have taken advantage of mobile device technologies to perform numerous attacks, such as using devices like the Stingray device that is also used by law enforcement. This device can masquerade as a cell phone tower and is used for man-in-the-middle attacks. Mobile devices make it much easier to move information and data. There are also mobile device forensic tools, such as Cellebrite, that allow for almost instant analysis of cell phones and all their data. Cell phone extenders can also be targeted for a high-tech man-in-the-middle attack. By using a modified femtocell, it’s possible to trick your phone into thinking the hacker’s network is the local cell phone tower. This cell tower “spoofing” is pretty alarming, and anyone who gets physical access to the device can attempt it. Although the chances of this happening are somewhat low, it just goes to show that there are many ways to target mobile devices.

It is also important to realize that more and more companies are starting to allow employees to bring their own devices or technology to work. The idea is that the company can lower its expenses because it does not have to provide phones and tablets to employees. But this BYOD approach has risks, including the following:

  • Confidential data: BYOD means that confidential data will be stored on personal devices.

  • Data leakage: Mobile devices are easily lost and stolen, which means there is the possibility of data leakage.

  • Support of different devices: Implementing BYOD means the organization will need to determine what devices it will support.

  • Mixing personal and private data: BYOD means that personal and company data will be comingled on one device. Should a lawsuit or forensic investigation occur, all data may have to be examined.

  • Disposal: These devices now have both personal and company data. At the end of a device’s life, it must be determined how the device will be wiped or sanitized.

This means that companies must have the policies and controls in place before BYOD is implemented. This will require that the company develop policies to define requirements and determine what security controls must be present in user devices. The policies must also detail requirements for encryption, remote wipe, and what apps will be allowed or banned. Typically, access control, a clear separation between business and personal data, must be enforced, along with the requirement that no jailbroken or rooted devices will be allowed to connect to the company infrastructure. A host of mobile device management tools are available to help corporations manage employee devices that are allowed to access company resources.

Android

Android is a Google platform and can be described as “a software stack for mobile devices that includes an operating system, middleware, and key applications.” It is much more than that, though. It is truly the first open source and free mobile device platform. Because it is open source and used by so many mobile device manufacturers, it’s implemented in many ways. This fragmentation means that vulnerabilities may not be immediately addressed. Starting with Android 2.2, the Device Administration API was added. This API enables developers to develop security-aware applications and can strengthen the security of the OS. The API allows for such things as mandatory passwords, disabling the camera, remote device wiping, encryption requirements, and so forth. Google generally gives update priority to its own devices. Thus, it is entirely possible that at any given moment, there are Android devices that have well-known vulnerabilities that have not been patched.

Android controls the rights that applications are given with a sandbox design. This allows users to give rights to some applications and not others. These rights can allow applications to take pictures, use the GPS, make phone calls, and so on. Applications are issued a user identifier (UID) when installed. The UID is used by the kernel to control access to files, devices, and other resources. Applications will always run as their given UID on a particular device. Android’s runtime system tracks which permissions are issued to each application. These permissions are either granted when the OS is installed or upon installation of the application by the user. Figure 8-1 shows an example of the Android OS framework.

An overview of the Android OS framework is depicted.

Figure 8-1 Android OS Framework

Tip

The Device Administration API is one of the key features that makes it possible to lock down an Android device, especially when being used in a work environment.

Some security-related and malicious Android applications you should be aware of include the following:

  • DroidSheep: A session-hijacking tool

  • FaceNiff: Used to sniff session IDs

  • Tramp.A: A mobile keystroke and password theft application

  • Obad: An Android Trojan

  • PremiumSMS: A Trojan that generates revenue via SMS messages

  • AndroRAT: An Android Trojan designed to gain control of the device

  • Dendroid: An HTTP Trojan that harvests data, passwords, and information from the mobile device

  • FakeToken: Malware designed to steal the mobile transaction authentication number (mTANs) and other passwords from a mobile device

While jailbreaking is typically associated with Apple devices, Android devices can be rooted. Rooting an Android device is often performed with the goal of overcoming limitations that carriers and hardware manufacturers put on some devices. Rooting also allows for root access of the device. Tools used for this purpose include the following:

  • SuperOneClick

  • Superboot

  • Unrevoked

  • KingoRoot

Android phones running Nougat or later use hardware-based lock screen verification. Android compromised apps have been extremely problematic in the past. Subsequently, Google has created the Google Play Protect program, which automatically scans all the apps on Android phones and works to prevent harmful apps from ever reaching them, making it the most widely deployed mobile threat protection service in the world. Additional Android security resources and architectural references can be found at https://www.android.com/security-center/.

iOS

Perhaps the most influential mobile device to enter the market in recent years is Apple’s iPhone. It wasn’t long after the first iPhone was released that users started jailbreaking phones. Jailbreaking is performed for several reasons. First, it removes sandbox restrictions, allows the execution of unsigned code, and allows the free modification of the underlying file system. Second, it can aid carrier unlocking, thus allowing users to use the iPhone with the carrier of their choosing. Finally, users may jailbreak to obtain functionality that is not currently offered. Apple’s official stance on jailbreaking is that it “…eliminates security layers designed to protect your personal information and your iOS device and is a violation of the iOS end-user software license agreement and is grounds for Apple to deny service for the device.” With this security removed from your iOS device, hackers may steal your personal information, damage your device, attack your network, or introduce malware, spyware, or viruses. Jailbreaking techniques have been developed to work with both untethered and tethered devices. Well-known jailbreaking applications include the following:

  • Cydia: A software application designed for jailbreaking

  • Redsn0w: Another jailbreaking application designed to jailbreak both tethered and untethered devices

  • Absinthe: Designed to jailbreak untethered devices

  • Sn0wbreeze: Jailbreaking tool that allows for the creating of a custom pre-jailbroken firmware file

  • PwnageTool: Jailbreaking tool that allows you to update firmware

Windows Mobile Operating System

Windows mobile devices employ multiple layers of security, such as chambers and capabilities. Chambers provide a security boundary in which processes are created and execute. Capabilities are a security-sensitive feature that can be granted to code that runs in a chamber. One such feature is the secure boot process. This ensures safe launching of the OS and only allows trusted components to get loaded. This is handled in part by the Unified Extensible Firmware Interface (UEFI). UEFI can secure the boot process by preventing the loading of drivers or OS loaders that are not signed or deemed secure.

Additional information about the Windows 10 Mobile platform specifications can be obtained at https://www.microsoft.com/en-us/windows/windows-10-mobile-specifications.

Tip

Jailbreaking phones can be a big security problem because it will most likely break all security updates. The result may very well be that the user runs old or vulnerable software.

BlackBerry

BlackBerry is a mobile device brand developed by Research in Motion (RIM), now known as BlackBerry Limited. BlackBerry uses a Java-based application framework and takes advantage of J2ME mobile information device profile and connected limited device configuration. Some potential attack vectors include Java Application Descriptor (JAD) file exploits, malicious code signing, memory manipulations, SMiShing exploits, and personal information data attacks. While JAD files are used as a standard way to provide over the air and wired updates, attackers can use crafted JAD files with fake information to install malicious applications. Well-known hacking tools include the following:

  • Bugs and Kisses: BlackBerry spyware

  • PhoneSnoop: BlackBerry Trojan

  • ZitMo: A mobile version of the Zeus bot that can run on Android and BlackBerry devices

Mobile Device Management and Protection

Controls are really at the heart of mobile security processes. Today’s mobile devices and tablets are more like mini computers, and the same controls that you would use for a laptop or desktop should also be applied to your mobile devices. These controls can be placed into three broad categories:

  • Physical controls: These include items such as mandatory username and password. Password attempts should only be allowed a limited number of times. Typically, after three to five attempts, the device’s storage media should be encrypted.

  • Technical controls: Here again, encryption should be used, as should the ability for remote wipe. Antivirus is another option. Enable autolock and set a short lockout time such as 1 minute. Centralized device management and restricting user access are other options. Finally, when wireless is used, a virtual private network (VPN) should be utilized.

  • Administrative controls: These include the policies, procedures, and training on proper usage.

Without security controls in place, hackers are well positioned to exploit vulnerable devices. Security tools available include the following:

  • BullGuard Mobile Security

  • Lookout Mobile Endpoint Security

  • WISeID

Bluetooth

Bluetooth technology was originally conceived by Ericsson to be a standard for a small, cheap radio-type device that would replace cables and allow for short-range communication. Bluetooth started to grow in popularity in the mid to late 1990s because it became apparent that Bluetooth could also be used to transmit between computers, to printers, between your refrigerator and computer, and a host of other devices. The technology was envisioned to allow for the growth of personal-area networks (PANs). PANs allow a variety of personal and handheld electronic devices to communicate. The four classifications of Bluetooth are as follows:

  • Class 1: Has the longest range (up to 100 meters) and has 100mW of power.

  • Class 2: Although not the most popular, it allows transmission of up to 10 meters and has 2.5mW of power.

  • Class 3: This is the most widely implemented and supports a transmission distance of 1 meter and has 1mW of power.

  • Class 4: The newest version of Bluetooth implemented. It supports a transmission distance of .5 meter and has .5mW of power.

Bluetooth operates at a frequency of 2.45 GHz and divides the bandwidth into narrow channels to avoid interference with other devices that use the same frequency. Bluetooth devices can operate in discoverable, limited discoverable, or nondiscoverable mode. Its pairing modes include nonpairable and pairable. Even if two devices have been paired, it’s possible that the attacker may be able to target the authentication process. One example of this is BTCrack. This Bluetooth PIN-cracking tool can be used to crack PINs captured during the pairing process.

There have been several versions of the Bluetooth technologies:

  • Bluetooth 1.0 and 1.0B: The original versions of Bluetooth technology, which had many problems, and manufacturers had difficulty making their products interoperable. Versions 1.0 and 1.0B also enforced Bluetooth hardware device address (BD_ADDR) transmission in the Connecting process (rendering anonymity impossible at the protocol level). This introduced several constraints for companies trying to implement Bluetooth technology.

  • Bluetooth 1.1: Introduced as an IEEE Standard (802.15.1–2002) that addressed several of the drawbacks introduced by its predecessor.

  • Bluetooth 1.2: Introduced major enhancements for faster connection and discovery, including adaptive frequency-hopping spread spectrum (AFH).

  • Bluetooth 2.0 + EDR: Introduced the Enhanced Data Rate (EDR) technology that allows for faster data transfer.

  • Bluetooth 2.1 + EDR: Introduced secure simple pairing (SSP), which improved the pairing experience for Bluetooth devices and also introduced several security enhancements.

  • Bluetooth 3.0 + HS: Introduced a solution to use a Bluetooth connection for negotiation and establishment and a separate channel of communication over an 802.11 link to provide high data rates.

  • Bluetooth 4.0: The Bluetooth special interest group (SIG) introduced the Bluetooth Core Specification version 4.0 named as “Bluetooth Smart” that includes classic Bluetooth, Bluetooth high speed, and Bluetooth Low Energy (BLE) protocols. Bluetooth high speed is based on Wi-Fi, and Classic Bluetooth consists of legacy Bluetooth protocols. Bluetooth Low Energy is used by many IoT devices nowadays.

  • Bluetooth 4.1: An incremental software update to Bluetooth Specification v4.0, not a hardware update. Version 4.1 introduced several features for IoT implementations.

  • Bluetooth 4.2: Introduced additional features for IoT implementations, including Low Energy Secure Connection with Data Packet Length Extension, Link Layer Privacy with Extended Scanner Filter Policies, and Internet Protocol Support Profile (IPSP) version 6 ready for Bluetooth Smart things to support connected home.

  • Bluetooth 5: Introduced options that can double the speed (2 Mbps burst) at the expense of range and adds functionality for connectionless services, such as location-relevant navigation of BLE connections.

Many companies overlook the security threat posed by Bluetooth devices. Although significant effort may be spent on securing mobile devices in other ways, Bluetooth may be left unsecured.

Bluejacking is an attack that can be performed using Bluetooth to vulnerable devices in range. An attacker sends unsolicited messages to the victim over Bluetooth that include a contact card (VCard), which typically contains a message in the name field. This is done using the OBject EXchange (OBEX) protocol. A VCard can contain names, addresses, telephone numbers, email addresses and related web URLs. This attack has been mostly performed as a form of spam over a Bluetooth connection.

Note

You can find an excellent paper describing Bluejacking at http://acadpubl.eu/jsi/2017-116-8/articles/9/72.pdf.

Another Bluetooth-based attack is Bluesnarfing. Bluesnarfing attacks can be performed to obtained unauthorized access of information from a Bluetooth device. An attacker can launch Bluesnarfing attacks to access calendars, contact lists, emails and text messages, pictures, or videos from the victim.

As you can see, Bluesnarfing is considered riskier than Bluejacking. This is because Bluejacking attacks only transmit data to the victim device, and Bluesnarfing attacks actually steal information from the victim device.

Bluesnarfing attacks can also be used to obtain the international mobile equipment identity (IMEI). This enables the attackers to divert incoming calls and messages to another device without the user’s knowledge.

The following command shows how to obtain the name (omar_phone) of a Bluetooth enabled device with address DE:AD:BE:EF:12:23 using the bluesnarfer tool.

[email protected]:~# bluesnarfer -b DE:AD:BE:EF:12:23 -i
device name: omar_phone

Additional tools used to attack Bluetooth include the following:

  • Super Bluetooth Hack: A small mobile Bluetooth hacking program that operates as a Trojan.

  • Bluesniff: A proof-of-concept tool for Bluetooth war driving.

  • BlueScanner: A Bluetooth scanning program that can do inquiry and brute-force scans, identify Bluetooth devices that are within range, and export the scan results to a text file and sort the findings.

  • BlueBug: A tool that exploits a Bluetooth security loophole on some Bluetooth-enabled cell phones. It allows the unauthorized downloading of phone books and call lists, in addition to the sending and reading of SMS messages from the attacked phone.

What’s important to note about each of the mobile device technologies covered in this section is that the companies offering them have a long history of deploying products with weak security controls. Only after time, exposed security weaknesses, and pressure to increase security do we see systems start to be implemented to protect this technology. Wireless LANs, a widely deployed and attacked technology, are discussed next.

Radio-frequency Identification (RFID) Attacks

Radio-frequency identification (RFID) is a technology that uses electromagnetic fields to identify and track “tags.” These tags hold electronically stored information. There are active and passive RFID tags. Passive tags use energy from RFID readers (via radio waves), and active tags have a local power source and can operate from longer distances. RFID tags are used by many organizations to track inventory or in badges used to enter buildings or rooms. RFID tags can even be implanted into animals or people to read specific information that can be stored in such tags.

Low Frequency (LF) RFID tags and devices operate at frequencies between 120 kHz and 140 kHz and exchange information at distances lower than 3 feet. High Frequency (HF) RFID tags and devices operate at the 13.56 MHz frequency and exchange information at distances between 3 to 10 feet. Ultra-High-Frequency (UHF) RFID tags and devices operate at frequencies between 860 MHz and 960 MHz (Regional) and exchange information at distances of up to 30 feet.

There are a few common attacks against RFID devices:

  • Silently stealing an RFID information (such as a badge or a tag) with an RFID reader, such as the Proxmark3 (https://store.ryscc.com/products/new-proxmark3-kit), by just walking near an individual or any tag.

  • Creating and cloning an RFID tag.

  • Implanting skimmers behind RDIF card readers in a building or a room.

Wireless LANs

The most popular standard for wireless LAN services is the 802.11 family of specifications. It was developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless LAN technology in 1997. Wireless LANs (WLAN) are data communication systems that were developed to transmit data over electromagnetic waves. WLANs have become popular because of several factors, primarily cost and convenience.

Wireless equipment costs are similar to those of their wired counterparts, except that no cable plant costs are associated with WLANs. The cable plant is made up of the physical wires of your network infrastructure. Therefore, a business can move into a new or existing facility without cabling and incur none of the usual costs of running a LAN drop to each end user. Besides cost savings, wireless equipment is more convenient. Just think about that last group meeting or 35 students in a classroom, with each requiring a network connection. Wireless makes using network services much easier and allows users to move around freely.

This section starts off by discussing some wireless basics and then moves on to wireless attack hacking tools and some ways to secure wireless networks.

Wireless LAN Basics

A simple WLAN consists of two or more computers connected via a wireless connection. The wireless connection does not consist of a cable or wired connection. The computers are connected via wireless network cards (NIC) that transmit the data over the airwaves. Figure 8-2 shows a WLAN example.

A figure shows an example of Ad Hoc Wireless LAN connection between two computers.

Figure 8-2 Ad Hoc Wireless LAN

Figure 8-2 shows an example of two computers operating in ad hoc mode. This is one of two modes available to wireless users; the other one is infrastructure mode. Ad hoc mode doesn’t need any equipment except wireless network adaptors. Ad hoc allows a point-to-point type of communication that works well for small networks and is based on a peer-to-peer style of communication. Ad hoc wireless communication is considered peer to peer.

Infrastructure mode is centered around a wireless access point (AP). An AP is a centralized wireless device that controls the traffic in the wireless medium. Figure 8-3 shows an example of a WLAN setup with an AP.

A figure shows an example of Infrastructure Wireless LAN connection between two computers.

Figure 8-3 Infrastructure Wireless LAN

Each device communicates to the AP, which then forwards the data to the appropriate computer. For a computer to communicate or use the WLAN, it must be configured to use the same service set ID (SSID). The SSID distinguishes one wireless network from another. It can be up to 32 bits and is case sensitive. The SSID can be easily sniffed. Compared to ad hoc wireless networks, infrastructure mode networks are more scalable and offer centralized security management.

WLANs present somewhat of a problem to basic carrier sense multiple access with collision detection (CSMA/CD) Ethernet. In a wired network, it’s easy for any one of the devices to detect if another device is transmitting. When an AP is being used, the AP hears all the wireless devices, but individual wireless devices cannot hear other wireless devices. This is known as the hidden node problem. To get around this problem, carrier sense multiple access with collision avoidance (CSMA/CA) is used. The station listens before it sends a packet, and if it detects that someone is transmitting, it waits for a random period and tries again. If it listens and discovers that no one is transmitting, it sends a short message known as the ready-to-send (RTS).

Wireless LAN Frequencies and Signaling

Some of the popular standards used for WLANs are shown in Table 8-3.

Table 8-3 802.11 WLAN Types

IEEE WLAN Standard

Over-the-Air Estimates

Transmission Scheme

Frequencies

802.11b

11 Mbps

DSSS

2.4000–2.2835 GHz

802.11a

54 Mbps

OFDM

5.725–5.825 GHz

802.11g

54 Mbps

OFDM/DSSS

2.4000–2.2835 GHz

802.11n

540 Mbps

MIMO-OFDM

2.4000–2.2835 GHz

802.11ac

433.3 Mbps

MIMO-OFDM

5 GHz band

802.11ad

7 Gbps

OFDM

60 GHz band

802.11ax

Pending

MIMO-OFDM

Pending

802.11ay

20 Gbps

OFDM

60 GHz band

The 802.11b, 802.11g, and 802.11n systems divide the usable spectrum into 14 overlapping staggered channels whose frequencies are 5 MHz apart. The channels available for use in a particular country differ according to the regulations of that country. For example, in North America, 11 channels are supported, whereas most European countries support 13 channels.

Most wireless devices broadcast by using spread-spectrum technology. This method of transmission transmits data over a wide range of radio frequencies. Spread spectrum lessens noise interference and enables data rates to speed up or slow down, depending on the quality of the signal. This technology was pioneered by the military to make eavesdropping difficult and increase the difficulty of signal jamming. Currently, several technologies are used:

  • Direct-sequence spread spectrum (DSSS): This method of transmission divides the stream of information to be transmitted into small bits. These bits of data are mapped to a pattern of ratios called a spreading code. The higher the spreading code, the more the signal is resistant to interference, but the less bandwidth is available. The transmitter and the receiver must be synchronized to the same spreading code.

  • Frequency-hopping spread spectrum (FHSS): This method of transmission operates by taking a broad slice of the bandwidth spectrum and dividing it into smaller subchannels of about 1 MHz. The transmitter then hops between subchannels, sending out short bursts of data on each subchannel for a short period of time. This is known as the dwell time. For FHSS to work, all communicating devices must know the dwell time and must use the same hopping pattern. Because FHSS uses more subchannels than DSSS, it can support more wireless devices.

  • Orthogonal frequency-division multiplexing (OFDM): This splits the signal into smaller subsignals that use a frequency-division multiplexing technique to send different pieces of the data to the receiver on different frequencies simultaneously.

Wireless LAN Security

The wireless nature and the use of radio frequency for networking makes securing WLANs more challenging than securing a wired LAN. Originally, the Wired Equivalent Privacy (WEP) protocol was developed to address this issue. It was designed to provide the same privacy that a user would have on a wired network. WEP is based on the RC4 symmetric encryption standard and uses either a 64-bit or a 128-bit key. However, the keys are not really that many bits because a 24-bit initialization vector (IV) is used to provide randomness. So, the “real key” is actually 40 or 104 bits long. There are two ways to implement the key. First, the default key method shares a set of up to four default keys with all the wireless APs. Second is the key-mapping method, which sets up a key-mapping relationship for each wireless station with another individual station. Although slightly more secure, this method is more work. Consequently, most WLANs use a single shared key on all stations, which makes it easier for a hacker to recover the key. Now, let’s take a closer look at WEP and discuss the way it operates.

To better understand the WEP process, you need to understand the basics of Boolean logic. Specifically, you need to understand how XORing works. XORing is just a simple binary comparison between 2 bits that produce another bit as a result of the XORing process. When the 2 bits are compared, XORing looks to see if they are different. If they are different, the resulting output is 1. If the 2 bits are the same, the result is 0.

All this talk about WEP might leave you wondering how exactly RC4 and XORing are used to encrypt wireless communication. To better explain those concepts, let’s look at the seven steps of encrypting a message:

  1. The transmitting and receiving stations are initialized with the secret key. This secret key must be distributed using an out-of-band mechanism, such as sending it in an email, posting it on a website, or writing it on a piece of paper (the way many hotels do).

  2. The transmitting station produces a seed, which is obtained by appending the 40-bit secret key to the 24-bit IV, for input into a pseudo-random number generator (PRNG).

  3. The transmitting station inputs the seed to the WEP PRNG to generate a key stream of random bytes.

  4. The key stream is XORed with plain text to obtain the cipher text.

  5. The transmitting station appends the cipher text to the IV and sets a bit to indicate that it is a WEP-encrypted packet. This completes WEP encapsulation, and the results are transmitted as a frame of data. WEP only encrypts the data. The header and trailer are sent in clear text.

  6. The receiving station checks to see if the encrypted bit of the frame it received is set. If so, the receiving station extracts the IV from the frame and appends the IV with the secret key.

  7. The receiver generates a key stream that must match the transmitting station’s key. This key stream is XORed with the cipher text to obtain the sent plain text.

To get a better idea of how WEP functions, consider the following example. Let’s assume that our preshared key is hacker. This word would be merged with qrs to create the secret key of qrshacker. This value would be used to encrypt a packet. The next packet would require a new IV. Therefore, it would still use hacker, but this time it would concatenate it with the value mno to create a new secret key of mnohacker. This would continue for each packet of data created. This should help you realize that the changing part of the secret key is the IV, which is what WEP cracking is interested in. A busy AP that sends a constant flow of traffic will use up all possible IVs after 5 or 6 hours. After a hacker can begin to capture reused keys, WEP can be easily cracked.

WEP does not encrypt the entire transmission. The header and trailer of the frame are sent in clear text. This means that even when encryption is used, a MAC address can be sniffed.

To passively crack WEP, the hacker has to capture 5 to 10 million packets, which would take some time on most networks. This changed in August 2004, when a hacker known as KoreK released a new piece of attack code that sped up WEP key recovery by nearly two orders of magnitude. Instead of using the passive approach of collecting millions of packets to crack the WEP key, KoreK’s concept was to actively inject packets into the network. The idea was to solicit a response from legitimate devices from the WLAN. Even though the hacker can’t decipher these packets in an encrypted form, he can guess what they are and use them in a way to provoke additional traffic-generating responses. This makes it possible to crack WEP in less than 10 minutes on many wireless networks.

Tip

The lack of centralized management makes it difficult to change WEP keys with any regularity.

These problems led the wireless industry to speed up the development of the planned replacement of WEP. Wi-Fi Protected Access (WPA) was developed as an interim solution. WPA delivers a level of security way beyond what WEP offers. WPA uses Temporal Key Integrity Protocol (TKIP). TKIP scrambles the keys using a hashing algorithm and adds an integrity-checking feature verifying that the keys haven’t been tampered with. WPA improves on WEP by increasing the IV from 24 bits to 48. WPA eliminated rollover, which means that key reuse is less likely to occur. WPA also avoids another weakness of WEP by using a different secret key for each packet. Another improvement in WPA is message integrity. WPA added a message integrity check (MIC) known as Michael. Michael is designed to detect invalid packets and can even take measures to prevent attacks.

In 2004, the IEEE approved the real successor to WEP, which is WPA2. It is officially known as 802.11i. This wireless security standard makes use of the Advanced Encryption Standard (AES). Key sizes of up to 256 bits are now available, which is a vast improvement from the original 40-bit encryption WEP used. It also includes built-in RADIUS support.

In 2018, the Wi-Fi alliance introduced the Wi-Fi Certified WPA3 that has new capabilities to enhance Wi-Fi security in personal and enterprise implementations. WPA3-Personal addresses several of the security problems in WPA and WPA2. It has a more resilient, password-based authentication even when users choose weak passwords. WPA3 uses Simultaneous Authentication of Equals (SAE), a key establishment protocol between devices that provides mitigations against password guessing and brute force attacks. WPA3-Enterprise provides the equivalent of 192-bit cryptographic strength.

Installing Rogue Access Points
Image

One of the most simplistic wireless-based attacks is when an attacker installs a rogue access point (AP) in the network to fool users to connect to it. Basically, the attacker can use that rogue AP to create a backdoor and obtain access to the network and its systems, as illustrated in Figure 8-4.

An illustration depicts how the attacker access the systems connected in the network through Rogue Access Point (AP).

Figure 8-4 Rogue Wireless Access Points

Evil Twin Attacks

An evil twin attack is when the attacker creates a rogue access point and configures it the same as the existing corporate network, as illustrated in Figure 8-5.

An illustration represents the example of an Evil Twin attack.

Figure 8-5 Evil Twin Attack

Typically, the attacker will use DNS spoofing to redirect the victim to a cloned captive portal or a website. When users are logged on the evil twin, a hacker can easily inject a spoofed DNS record into the DNS cache, which changes the DNS record for all users on the fake network. When users log in to the evil twin, they will be redirected by the spoofed DNS record injected into the cache. When you perform a DNS poisoning attack, you want to get the DNS cache to accept a spoofed record. Some ways to defend against DNS spoofing are packet filtering, cryptographic protocols, and spoofing detection features provided by modern wireless implementations.

Deauthentication Attacks
Image

An attacker can cause legitimate wireless clients to deauthenticate from legitimate wireless APs or wireless routers to either perform a denial of service condition or to make those clients connect to an evil twin.

A service set identifier (SSID) is the name or identifier associated with an 802.11 wireless local area network (WLAN). SSID names are included in plain text in many wireless packets and beacons. A wireless client needs to know the SSID in order to associate with the wireless AP. You can configure wireless passive tools like Kismet or KisMAC to listen and capture SSIDs and any other wireless network traffic. You can also use tools such as airmon-ng (which is part of the aircrack-ng suite) to perform this reconnaissance. The aircrack-ng suite of tools can be downloaded from https://www.aircrack-ng.org.

Figure 8-6 shows the airmon-ng tool.

A terminal window of the airman-ng tool is displayed. The output of the airmon-ng command shows wlan0mon interface. The output of ifconfig shows eth0 flags, inet address, netmask address, broadcast address, inet6 address, ether address, RX packets, RX errors, TX packets, etc.

Figure 8-6 The airmon-ng Tool

In Figure 8-6, you can see that airmon-ng command output shows that the wlan0 interface is present and used to monitor the network. The ip -s -h -c link show wlan0 command can be used to verify the state and configuration of the wireless interface. When you put a wireless network interface in monitoring mode, airmonng will automatically check for any interfering processes. To stop any interfering process, use the airmon-ng check kill command.

The airodump-ng tool (part of the aircrack-ng suite) can be used to sniff and analyze the wireless network traffic, as shown in Figure 8-7.

A terminal window of the airodump-ng tool is shown, which displays the information of BSSID, PWR, Beacons, number of data, CH, MB, ENC, CIPHER, AUTH, ESSID, Station, rate, lost, frames, probe, etc.

Figure 8-7 The airodump-ng Tool

You can use the airodump-ng tool to sniff the wireless networks and obtain their SSIDs, along with the channels that they are operating.

Many corporations and individuals configure their wireless APs to not advertise (broadcast) their SSIDs and not to respond to broadcast probe requests. However, if you sniff on the wireless network long enough, you will eventually catch a client trying to associate with the AP and get the SSID. In Figure 8-7 you can see the basic service set identifier (BSSID) and the extended basic service set identifier (ESSID) for all available wireless networks. Basically, the ESSID identifies the same network as the SSID does. You also see the ENC (encryption protocol). The encryption protocols can be Wi-Fi Protected Access (WPA) version 1 or WPA version 2 (WPA2), Wired Equivalent Privacy (WEP), or open (OPN). You learn the differences between these protocols later in this chapter.

Let’s take a look on how to perform a deauthentication attack. In Figure 8-8 you can see two terminal windows. The top terminal window displays the output of the airodump utility on a specific channel (channel 11) and one ESSID (corp-net). In that same terminal window, you can see a wireless client (station) in the bottom, along with the BSSIDs to which it is connected (08:02:8E:D3:88:82 in this example).

A terminal window shows the launch of deauthentication attack with aireplay-ng command.

Figure 8-8 Performing a Deauthentication Attack with aireplay-ng

Now you want to launch a deauthentication attack using the aireplay-ng utility included with the aircrack-ng suite, as demonstrated in the bottom terminal window in Figure 8-8. The victim station has the MAC address DC:A4:CA:67:3B:01, and it is currently associated with the network on channel 11 with the BSSID 08:02:8E:D3:88:82. After the aireplay-ng command is used, you can see the deauthentication (DeAuth) messages sent to the BSSID 08:02:8E:D3:88:82. The attack can also be accelerated by sending the deauthentication packets to the client using the –c option.

The 802.11w standard defines the Management Frame Protection (MFP) feature. MFP protects wireless devices against spoofed management frames from other wireless devices that might otherwise deauthenticate a valid user session. In other words, MFP helps defend against deauthentication attacks. MFP is negotiated between the wireless client (supplicant) and the wireless infrastructure device (AP, wireless router, and the like).

Tip

Many wireless adapters will not allow you to inject packets into a wireless network. I have compiled a list of wireless adapters and their specifications to help you build your wireless lab in the GitHub repository at https://theartofhacking.org/github.

Attacking the Preferred Network Lists

Operating systems and wireless supplicants (clients), in many cases, maintain a list of trusted or preferred wireless networks. This is also referred to as the preferred network list (PNL). This list includes the wireless network SSID, clear-text passwords, or WEP or WPA passwords. Clients use these preferred networks to automatically associate to wireless networks when they are not connected to an AP or a wireless router.

You can listen to these client requests and impersonate such wireless networks in order to make the clients connect to your wireless device and eavesdrop on their conversation or to manipulate their communication.

Jamming Wireless Signals and Causing Interference

The purpose of jamming wireless signals or causing wireless network interference is to cause a full or partial denial-of-service condition in the wireless network. This is very disruptive (if successful). Most modern wireless implementations provide built in features that can help immediately detect such attacks. To jam a Wi-Fi signal or any other types of radio communication, you basically generate random noise on the frequencies that wireless networks use. With the appropriate tools and wireless adapters that support packet injection, an attacker can cause legitimate clients to disconnect from wireless infrastructure devices.

War Driving

War driving is a methodology used by attackers to find wireless access points wherever they might be. The term war driving is used because the attacker can drive around (or just walk) and obtain a significant amount of information over a very short period of time.

Tip

A popular site among wireless war drivers is WiGLE (https://wigle.net). The site allows you to detect Wi-Fi networks and upload information about such networks to their site using a mobile app.

Attacking WEP
Image

An attacker can cause some modification on the Initialization Vector (IV) of a wireless packet that is encrypted during transmission. The goal of the attacker is to obtain a lot of information about the plain text of a single packet and generate another encryption key that then can be used to decrypt other packets using the same IV. WEP is susceptible to many different attacks, including IV attacks.

WEP is susceptible to many different attacks, and it is considered an obsolete wireless protocol. WEP must be avoided, and many wireless network devices no longer support it. WEP keys exists in two sizes: 40-bit (5 byte) and 104-bit (13 byte). In addition, WEP uses a 24-bit initialization vector (IV), which is prepended to the pre-shared key (PSK). When you configure a wireless infrastructure device with WEP, the IVs are sent in the clear.

WEP has been defeated for decades. WEP uses RC4 in a manner that allows an attacker to crack the PSK with little effort. The problem is how WEP uses the IVs in each packet. When WEP uses RC4 to encrypt a packet, it prepends the IV to the secret key before including the key into RC4. Subsequently, the attacker has the first three bytes of an allegedly “secret” key used on every packet. To recover the PSK, you just need to collect enough data from the air. You can accelerate this attack by injecting ARP packets (because the length is predictable) allowing you to recover the PSK much faster. After you recover the WEP key, you can use it to access the wireless network.

You can also use the aircrack-ng set of tools to crack (recover) the WEP PSK. To perform this attack using the aircrack-ng suite, first launch airmon-ng, as shown in Example 8-1.

Example 8-1 Using airmon-ng to Monitor the Wireless Network

Click here to view code image

[email protected]# airmon-ng start wlan0 11

In Example, 8-1 the wireless interface is wlan0, and the selected wireless channel is 11. Now we want to listen to all communications directed to the BSSID 08:02:8E:D3:88:82, as shown in Example 8-2. The command in Example 8-2 writes all the traffic to a capture file called omar_capture.cap. You only have to specify the prefix for the capture file.

Example 8-2 Using airodump-ng to Listen to All Traffic to the BSSID 08:02:8E:D3:88:82

Click here to view code image

[email protected]# airodump-ng -c 11 --bssid 08:02:8E:D3:88:82 -w omar_capture
  wlan0

Use aireplay-ng to listen for ARP requests, and then “replay” or “inject” them back into the wireless network, as shown in Example 8-3.

Example 8-3 Using aireplay-ng to Inject ARP Packets

Click here to view code image

[email protected]# aireplay-ng -3 -b 08:02:8E:D3:88:82 -h 00:0F:B5:88:AC:82
  wlan0

Use aircrack-ng to crack the WEP PSK, as demonstrated in Example 8-4.

Example 8-4 Using aircrack-ng to Crack the WEP PSK

Click here to view code image

[email protected]# aircrack-ng -b 08:02:8E:D3:88:82 omar_capture.cap

After aircrack-ng cracks (recovers) the WEP PSK, the output in Example 8-5 is displayed. The cracked (recovered) WEP PSK is shown in the highlighted line.

Example 8-5 The Cracked (Recovered) WEP PSK

Click here to view code image

                                               Aircrack-ng 0.9


                               [00:02:12] Tested 924346 keys (got
99821 IVs)

 KB    depth   byte(vote)
  0    0/  9   12(  15) A9(  25) 47(  22) F7(  12) FE(  22) 1B(  5)
77(   3) A5(   5) F6(   3) 02(  20)
  1    0/  8   22(  11) A8(  27) E0(  24) 06(  18) 3B(  26) 4E(  15)
E1(  13) 25(  15) 89(  12) E2(  12)
  2    0/  2   32(  17) A6(  23) 15(  27) 02(  15) 6B(  25) E0(  15)
AB(  13) 05(  14) 17(  11) 22(  10)
  3    1/  5   46(  13) AA(  20) 9B(  20) 4B(  17) 4A(  26) 2B(  15)
4D(  13) 55(  15) 6A(  15) 7A(  15)

                         KEY FOUND! [ 56:7A:15:9E:A8 ]
      Decrypted correctly: 100%
Attacking WPA
Image

WPA and WPA version 2 (WPA2) are susceptible to different vulnerabilities. WPA3 addresses all such vulnerabilities, and many wireless professionals are recommending it to many organizations and individuals. WPA3-Personal has a more resilient, password-based authentication even when users choose weak passwords. In addition, WPA3 uses Simultaneous Authentication of Equals (SAE), a key establishment protocol between devices that provides mitigations against password guessing and brute force attacks. WPA3-Enterprise provides the equivalent of 192-bit cryptographic strength.

All versions of WPA support different authentication methods, including PSK. WPA is not susceptible to the IV attacks that affect WEP; however, you can capture the WPA 4-way handshake between a client and the wireless infrastructure device and brute-force WPA PSK.

Figure 8-9 demonstrates the WPA 4-way handshake.

A figure illustrates an overview of the WPA-4 way handshake.

Figure 8-9 The WPA 4-Way Handshake

Figure 8-9 illustrates the following steps:

  1. An attacker monitors the Wi-Fi network and finds wireless clients connected to the corp-net SSID.

  2. The attacker then sends de-auth packets to deauthenticate the wireless client.

  3. The attacker captures the WPA 4-way handshake and cracks the WPA PSK. You can use wordlists and tools like aircrack-ng to perform this attack, as shown in Figure 8-10.

An architecture depicts an overview of capturing the WPA 4-way handshake and cracking the PSK.

Figure 8-10 Capturing the WPA 4-Way Handshake and Cracking the PSK

Let’s take a look at how to perform this attack using the aircrack-ng suite of tools.

Step 1. Use airmon-ng to start the wireless interface in monitoring mode the same way that you did when cracking WEP in the previous section with the airmon-ng start wlan0 command.

Step 2. Figure 8-11 displays three terminal windows. The second terminal window from the top shows the output of the airodump-ng wlan0 command displaying all adjacent wireless networks.

A terminal window shows the use of airodump-ng to view the available wireless networks and then capturing traffic to the victim BSSID.

Figure 8-11 Using airodump-ng to View the Available Wireless Networks and Then Capturing Traffic to the Victim BSSID

Step 3. After locating the corp-net network, use the airodump-ng command, as shown in the first terminal window displayed in Figure 8-11, to capture all the traffic to a capture file called wpa_capture specifying the wireless channel (channel 11, in this example), the BSSID, and the wireless interface (wlan0).

Step 4. Use the aireplay-ng command as shown in Figure 8-12 to perform a deauthentication attack against the wireless network.

A terminal window shows the use of aireplay-ng to disconnect the wireless clients.

Figure 8-12 Using aireplay-ng to Disconnect the Wireless Clients

Step 5. In the terminal shown in the top of Figure 8-13, you can see that we have collected the WPA handshake. Use the aircrack-ng command to crack the WPA PSK using a wordlist, as shown in Figure 8-13 (the filename is words, in this example).

A terminal window shows collecting the WPA handshake using airodump-ng command.

Figure 8-13 Collecting the WPA Handshake Using airodump-ng

Step 6. The tool will take a while to process, depending on your computer power and the complexity of the PSK. After it cracks the WPA PSK a window similar to the one shown in Figure 8-14 will be displayed showing the WPA PSK (corpsupersecret in this example).

A terminal window shows the cracking of WPA PSK using aircrack-ng command.

Figure 8-14 Cracking the WPA PSK Using aircrack-ng

Tip

A newer attack technique can be used to crack WPA PSKs using the WPA PMKID. The attacker directly communicates with the AP, and with this attack, you do not need to collect a complete 4-way handshake between the regular user and the AP. This attack is demonstrated at https://hashcat.net/forum/thread-7717.html.

Wireless Networks Configured with Open Authentication

Can it get any worse than this? Sure, it can. If a wireless network is configured as open systems authentication, any wireless client can connect to the AP. Wireless equipment can be configured as Open System Authentication (OSA) or Shared Key Authentication (SKA). OSA means that no authentication is used. Some wireless equipment sold defaults to this setting. If used in this state, hackers are not only free to sniff traffic on the network, but also to connect to it and use it as they see fit. If there is a path to the Internet, the hacker might use the victim’s network as the base of attack. Anyone tracing the IP address will be led back to the victim, not the hacker.

Many hotels, business centers, coffee shops, and restaurants provide wireless access with open authentication. In these situations, it is excessively easy for a hacker to gain unauthorized information, conduct resource hijacking, or even introduce back doors into other systems. Just think about it: one of the first things most users do after connecting to a Wi-Fi network is check their email. This means that usernames and passwords are being passed over a totally unsecure network.

KRACK Attacks

Mathy Vanhoef and Frank Piessens, from the University of Leuven, found and disclosed a series of vulnerabilities that affect WPA and WPA2. These vulnerabilities were also referred to as “KRACK” (Key Reinstallation AttaCK) and details were published at: https://www.krackattacks.com.

Exploitation of these vulnerabilities depends on the specific device configuration. Successful exploitation could allow unauthenticated attackers the reinstallation of a previously used encryption or integrity key (either by the client or the access point, depending on the specific vulnerability). After a previously used key has successfully been reinstalled (by exploiting the disclosed vulnerabilities), an attacker may proceed to capture traffic using the reinstalled key and attempt to decrypt such traffic. In addition, the attacker may attempt to forge or replay previously seen traffic. An attacker can perform these activities by manipulating retransmissions of handshake messages.

Tip

I published a blog providing details about these vulnerabilities at https://blogs.cisco.com/security/wpa-vulns.

Most of wireless vendors have provided patches addressing the KRACK attacks, and WPA3 also addresses these vulnerabilities.

Attacking Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup (WPS) is a protocol that simplifies the deployment of wireless networks. It is used so that users can simply generate a WPA PSK with little interaction with the wireless device. Typically, a PIN printed on the outside of the wireless device or in the box that it came in is used to provision the wireless device. Most implementations do not care if you incorrectly enter millions of PIN combinations in a row, making it susceptible to brute force attacks.

A tool called Reaver makes this attack very simple and easy to execute. You can download Reaver from https://github.com/t6x/reaver-wps-fork-t6x.

KARMA Attack

KARMA is a man-in-the-middle attack that creates a rogue AP allowing an attacker to intercept wireless traffic. KARMA stands for Karma Attacks Radio Machines Automatically. A radio machine could be a mobile device, a laptop, or any Wi-Fi enabled device.

In a KARMA attack scenario, the attacker listens for the probe requests from wireless devices and intercepts them to generate the same SSID for which the device is sending probes. This can be used to attack the PNL that we discussed earlier in this chapter.

Fragmentation Attacks

Wireless fragmentation attacks can be used to acquire 1500 bytes of pseudo random generation algorithm (PRGA) elements. Wireless fragmentation attacks can be launched against WEP configured devices. These attacks do not recover the WEP key itself, but they can use the PRGA to generate packets with tools like packetforge-ng (part of the aircrack-ng suite of tools) to perform wireless injection attacks. Example 8-6 shows the packetforge-ng tool options.

Example 8-6 The packetforge-ng Tool Options

Click here to view code image

[email protected]:~# packetforge-ng
  Packetforge-ng 1.2  - (C) 2006-2018 Thomas d'Otreppe
  Original work: Martin Beck
  https://www.aircrack-ng.org

  Usage: packetforge-ng <mode> <options>
  Forge options:
      -p <fctrl>      : set frame control word (hex)
      -a <bssid>      : set Access Point MAC address
      -c <dmac>       : set Destination MAC address
      -h <smac>       : set Source MAC address
      -j               : set FromDS bit
      -o               : clear ToDS bit
      -e               : disables WEP encryption
      -k <ip[:port]>  : set Destination IP [Port]
      -l <ip[:port]>  : set Source IP [Port]
      -t ttl           : set Time To Live
      -w <file>        : write packet to this pcap file
      -s <size>        : specify size of null packet
      -n <packets>     : set number of packets to generate

  Source options:
      -r <file>        : read packet from this raw file
      -y <file>        : read PRGA from this file

  Modes:
      --arp            : forge an ARP packet (-0)
      --udp            : forge an UDP packet (-1)
      --icmp           : forge an ICMP packet (-2)
      --null           : build a null packet (-3)
      --custom         : build a custom packet (-9)
      --help           : Displays this usage screen
Please specify a mode.
[email protected]:~#

Note

You can find a paper describing and demonstrating this attack at http://download.aircrack-ng.org/wiki-files/doc/Fragmentation-Attack-in-Practice.pdf.

Additional Wireless Hacking Tools

The first step for the attacker is to find targets to attack. Generally, the attacker needs a laptop, a tablet, or a mobile device with Wi-Fi and a discovery program. Just listing all the available tools could easily fill a chapter, but some of the more well-known tools are discussed here:

  • NetStumbler: This Windows-only tool is designed to locate and detect WLANs using 802.11b, 802.11a, and 802.11g WLAN standards. It is used for war driving, verifying network configurations, detecting rogue APs, and aiming directional antennas for long-haul WLAN links.

  • Mognet: An open source Java-based wireless sniffer that was designed for handhelds but will run on other platforms as well. It performs real-time frame captures and can save and load frames in common formats, such as Wireshark, Libpcap, and TCPdump.

  • Omnipeek: A Windows-based commercial WLAN analyzer designed to help security professionals deploy, secure, and troubleshoot WLANs. Omnipeek has the functionality to perform site surveys, security assessments, client troubleshooting, WLAN monitoring, remote WLAN analysis, and application layer protocol analysis.

  • WaveStumbler: Designed for Linux, it reports basic information about APs, such as channel, SSID, and MAC.

  • inSSIDer: Another sniffing tool designed for Windows, it provides a wealth of information about wireless APs.

  • THC-Wardrive: A Linux tool for mapping wireless APs; it works with a GPS.

Performing GPS Mapping

The idea behind GPS mapping is that the attacker creates a map of known APs and their location. Some site survey tools can be used for this purpose, but there are also a number of websites that can help, including WiFi Finder for Android, at https://play.google.com/store/apps/details?id=org.speedspot.wififinder. Also, websites like WiGLE can be used to search for mapped wireless networks, at https://wigle.net/.

Wireless Traffic Analysis

Wireless traffic analysis is used to determine what type of traffic is being sent over the wireless network and what wireless security controls are in place. Packet sniffers are used to analyze wireless traffic and can be used to locate SSIDs, identify APs, recover hidden SSIDs, and determine authentication methods. Some of the packet-sniffing tools to be used at this point include the following:

  • Wireshark with AirPcap adaptor

  • SteelCentral Packet Analyzer

  • Omnipeek

  • CommView for Wi-Fi

Launch Wireless Attacks

After discovery and analysis is completed, the attack can be launched. This might include revealing hidden SSIDs, fragmentation attacks, MAC spoofing, DoS attacks, man-in-the-middle attacks, or even an evil-twin attack. Several popular tools are shown here:

  • Aircrack-ng Suite: You learned about the tools included in the Aircrack-ng Suite earlier in this chapter.

  • Airsnarf: Airsnarf is a simple rogue wireless AP setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots (snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP).

  • Void11: An older wireless network penetration utility that implements deauthentication DoS attacks against the 802.11 protocol. It can be used to speed up the WEP cracking process.

Crack and Compromise the Wi-Fi Network

Now the attacker can identify the encryption method used and attempt to crack it. WEP cracking is one simple attack that is easy to launch. Soon after WEP was released, problems were discovered that led to ways in which it can be cracked. Although the deficiencies of WEP were corrected with the WPA protocol, those APs still running WEP are extremely vulnerable. Tools available to crack encryption include the following:

  • AirSnort: A Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions and then computing the encryption key when the program captures enough packets.

  • coWPAtty: Used to recover WPA encryption keys.

  • Cain and Abel: Used to recover WEP and WPA encryption keys with an associated AirPcap adaptor (available only on Windows).

  • Kismet: A useful Linux-based 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting masked networks, and inferring the presence of nonbeaconing networks via data traffic.

  • AirTraf: A packet-capture decode tool for 802.11b wireless networks. This Linux tool gathers and organizes packets and performs bandwidth calculation, as well as signal strength information, on a per-wireless node basis.

  • Elcomsoft Wireless Security Auditor: Used to crack WPA encryption.

Securing Wireless Networks

Securing wireless networks is a challenge, but it can be accomplished. Wireless signals don’t stop at the outer walls of the facility. Wireless is accessible by many more individuals than have access to your wired network. Although we look at some specific tools and techniques used to secure wireless, the general principles are the same as those used in wired networks. It is the principle of defense in depth.

Site Survey

The goal of a site survey is to gather enough information to determine whether the client has the right number and placement of APs to provide adequate coverage throughout the facility.

It is also important to check to see how far the signal radiates outside the facility. Finally, you will want to do a thorough check for rogue APs. Too often, APs show up in locations where they should not be. These are as big a threat, if not bigger, than the weak encryption you might have found. A site survey is also useful in detecting the presence of interference coming from other sources that could degrade the performance of the wireless network. The six basic steps of a site survey are as follows:

Step 1. Obtain a facility diagram.

Step 2. Visually inspect the facility.

Step 3. Identify user areas.

Step 4. Use site survey tools to determine primary access locations and that no rogue APs are in use.

Step 5. After installation of APs, verify signal strength and range.

Step 6. Document findings, update policies, and inform users of rules regarding wireless connectivity.

Robust Wireless Authentication

802.1x provides port-based access control. When used with Extensible Authentication Protocol (EAP), it can be used to authenticate devices that attempt to connect to a specific LAN port. Although EAP was designed for the wired world, it’s being bundled with WPA as a means of communicating authentication information and encryption keys between a client or supplicant and an access control server such as RADIUS. In wireless networks, EAP works as follows:

  1. The wireless AP requests authentication information from the client.

  2. The user supplies the requested authentication information.

  3. The AP forwards the client-supplied authentication information to a standard RADIUS server for authentication and authorization.

  4. The client is allowed to connect and transmit data upon authorization from the RADIUS server.

EAP can be used in other ways, depending on its implementation. Passwords, digital certificates, and token cards are the most common forms of authentication used. EAP can be deployed as EAP-MD5, Cisco’s Lightweight EAP (LEAP), EAP with Transport Layer Security (EAP-TLS), Public Key EAP (PEAP) or EAP with Tunneled TLS (EAP-TTLS). Table 8-4 provides an overview of some of the various EAP types and services.

Table 8-4 EAP Types and Services

Service

EAP-MD5

LEAP

EAP-TLS

EAP-TTLS

PEAP

Server authentication

No

Uses password hash

Public key certificate

Public key certificate

Public key certificate

Supplicant authentication

Uses password hash

Uses password hash

Smart card or public key certificate

PAP, CHAP, or MS-CHAP

Any EAP type such as public key certificate

Dynamic key delivery

No

Yes

Yes

Yes

Yes

Security concerns

Vulnerable to man-in-the-middle attack, session hijack, or identity exposure

Vulnerable to dictionary attack or identity exposure

Vulnerable to identity exposure

Vulnerable to man-in-the-middle attack

Vulnerable to man-in-the-middle attack

Misuse Detection

Intrusion detection systems (IDS) have a long history of use in wired networks to detect misuse and flag possible intrusions and attacks. Because of the increased numbers of wireless networks, more options are becoming available for wireless intrusion detection. A wireless IDS works much like wired intrusion detection in that it monitors traffic and can alert the administrator when traffic is found that doesn’t match normal usage patterns or when traffic matches a predefined pattern of attack. A wireless IDS can be centralized or decentralized and should have a combination of sensors that collect and forward 802.11 data. Wireless attacks are unlike wired attacks in that the hacker is often physically located at or close to the local premises. Some wireless IDSs can provide a general estimate of the hacker’s physical location. Therefore, if alert data is provided quickly, security professionals can catch the hacker while launching the attack. Some commercial wireless IDS products include Airdefense RogueWatch and Internet Security Systems RealSecure Server Sensor and Wireless Scanner. For those lacking the budget to purchase a commercial product, a number of open source solutions are available, including products such as AirSnare and Kismet, which are described here:

  • AirSnare: Alerts you to unfriendly MAC addresses on your network and will also alert you to DHCP requests taking place. If AirSnare detects an unfriendly MAC address, you have the option of tracking the MAC address’s access to IP addresses and ports or by launching Wireshark upon detection.

  • Kimset: Designed to search and analyze wireless traffic.

Summary

In this chapter, you learned the fundamentals of wireless technologies, mobile security, and related attacks. Wireless technology is not going away. Wireless is the future of networking and will continue to change this market. Wireless networking is something that an ethical hacker will want to look closely at during a penetration testing engagement. Wireless LANs can be subject to eavesdropping, encryption cracking, man-in-the-middle attacks, and several other attacks. All these pose a threat to the network and should be considered when developing protective mechanisms.

Protecting wireless systems of any type requires building defense in depth. Mobile malware and malicious applications are on the rise. This means that defense in depth and the layering of countermeasures will become increasingly important. These countermeasures might include MAC filtering, using WPA3, using strong authentication in WPA2 implementations, disabling the SSID, building zone security, installing wireless IDSs, and practicing good physical security. With these types of countermeasures in place, wireless networks and devices can be used securely.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 12, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 8-5 lists a reference of these key topics and the page numbers on which each is found.

Image

Table 8-5 Key Topics for Chapter 8

Key Topic Element

Description

Page Number

Section

Explains how wireless technologies operate

410

Paragraph

Describes mobile device technologies

413

Section

Explains rogue wireless access points

428

Section

Describes deauthentication attacks

429

Section

Explains techniques for attacking WEP

433

Section

Explains techniques for attacking WPA

435

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

802.11 standard

access point spoofing

ad hoc mode

bluejacking

bluesnarfing

Bluetooth

cloning

Data Encryption Standard (DES)

defense in depth

eavesdropping

electronic serial number (ESN)

Extensible Authentication Protocol (EAP)

infrastructure mode

intrusion detection system (IDS)

MAC filtering

personal-area network (PAN)

promiscuous mode

rogue access point

service set ID (SSID)

site survey

tumbling

war chalking

war driving

Wi-Fi Protected Access (WPA)

Wired Equivalent Privacy (WEP)

KARMA attacks

evil twins

Review Questions

1. An attacker can cause some modification on the __________ of a wireless packet that is encrypted during transmission. The goal of the attacker is to obtain a lot of information about the plain text of a single packet and generate another encryption key that then can be used to decrypt other packets.

a. Initialization Vector (IV)

b. WEP key

c. WPA key

d. WPS key

2. Which of the following attacks is performed by the following command?

aireplay-ng -3 -b 08:22:33:44:55:66 -h 00:0A:A9:8C:FC:48 wlan0

a. WPS attack.

b. KRACK attack.

c. Deauthentication attack.

d. KARMA attack.

3. Which method of transmission hops between subchannels, sending out short bursts of data on each subchannel for a short period of time?

a. Direct-sequence spread spectrum

b. Plesiochronous digital hierarchy

c. Time-division multiplexing

d. Frequency-hopping spread spectrum

4. At what frequency does Bluetooth operate?

a. 2.54 GHz

b. 5 GHz

c. 2.45 GHz

d. 900 Hz

5. You have enabled MAC filtering at the wireless access point. Which of the following is most correct?

a. MAC addresses can be spoofed.

b. MAC addresses cannot be spoofed.

c. MAC filtering is sufficient if IP address filtering is used.

d. MAC filtering will prevent unauthorized devices from using the wireless network.

6. After reading an online article about wireless security, Jay attempts to lock down the wireless network by turning off the broadcast of the SSID and changing its value. Jay’s now frustrated when he realizes that unauthorized users are still connecting. What is wrong?

a. Jay’s solution would work only if the wireless network were in ad hoc mode.

b. The unauthorized users are using the default SSID.

c. Jay is still running DHCP.

d. The SSID is still sent in packets exchanged between the client and the wireless AP.

7. Which of the following is a wireless reconnaissance tool that can also be used for troubleshooting?

a. Void11

b. RedFang

c. THC-Wardrive

d. Kismet

8. Which of the following is the best option to prevent hackers from sniffing your information on the wired portion of your network?

a. Kerberos, defense in depth, and EAP

b. PAP, passwords, and Cat 5 cabling

c. 802.1x, cognitive passwords, and WPA

d. WEP, MAC filtering, and no broadcast SSID

9. Which of the following EAP types only uses a password hash for client authentication?

a. EAP-TLS

b. PEAP

c. EAP-TTLS

d. EAP-MD5

10. WPA2 uses which of the following encryption standards?

a. RC4

b. RC5

c. AES

d. MD5

11. Which of the following mobile devices is susceptible to JAD file exploits?

a. Android devices

b. BlackBerry devices

c. Apple iOS devices

d. Windows Phones

12. Which of the following phone security models is built around the concept of chambers and capabilities?

a. Android

b. BlackBerry

c. Apple iOS

d. Windows Phone

13. Which of the following is not a true statement?

a. Bluesnarfing is an attack against Bluetooth devices.

b. Bluejacking is an attack against Bluetooth devices.

c. BlueBugging is an attack against Bluetooth devices.

d. Bluedriving is an attack against Bluetooth devices.

14. Which of the following correctly describes jailbreaking and rooting?

a. Rooting allows root access to the OS and subsystem. Jailbreaking provides the ability to use CDMA carriers.

b. Rooting allows Android users to attain privileged control within Android’s subsystem. Jailbreaking provides full access to the OS of Apple devices and permits download of third-party applications.

c. Rooting allows the ability to use GSM carriers. Jailbreaking provides root access to the OS and subsystem.

d. Rooting allows Android users to attain privileged control within Apple’s iOS and its subsystem. Jailbreaking provides full access to the OS of Android devices and permits download of third-party applications.

15. Which of the following is a platform for distribution of applications, data, and configuration settings for all types of mobile devices?

a. Mobile device management

b. Code signing

c. Sandboxing

d. Cellular device management

Suggested Reading and Resources

https://www.wi-fi.org/discover-wi-fi/wi-fi-6: Discover Wi-Fi

http://lifehacker.com/5771943/how-to-jailbreak-your-iphone-the-always-up-to-date-guide-ios-61: Jailbreaking iPhones

http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html: Building a Bluetooth sniper rifle

http://www.aircrack-ng.org/doku.php?id=newbie_guide: Using aircrack-ng to crack wireless

http://www.opus1.com/www/whitepapers/whatswrongwithwep.pdf: Weaknesses in the WEP encryption standard makes hacking easier

http://www.computerworld.com/article/2581074/mobile-wireless/how-802-1x-authentication-works.html: 802.1x explained

https://developer.android.com/guide/topics/admin/device-admin.html: Android Device Administration API

https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/: Tracking and eavesdropping on mobile devices

http://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html: Hacking the iPhone

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project: OWASP Mobile Security Project

https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10: OWASP Mobile Top 10

https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Main: OWASP Mobile Security Testing Guide

https://hashcat.net/forum/thread-7717.html: New Attack on WPA and WPA2 using PMKID

http://www.androidcentral.com/help-my-android-has-malware: Android malware

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset