3.2 Attacks & exploits: Wireless Attacks Flashcards

1
Q

Wireless Security: when should you use a pre-shared key to enhance security?

A

Used when the access point and the client need to use the same encryption key to encrypt and decrypt the da

2
Q

Wireless Security: what is WEP and why is it no longer secure?

A

Wired Equivalent Privacy (WEP)
▪ Original 802.11 wireless security standard that claims to be as secure as a wired network
▪ WEP was designed to use a static 40-bit pre-shared encryption key with RC4 encryption cipher
▪ WEP’s weakness is its 24-bit initialization vector (IV)

3
Q

Wireless Security: what is WPA and why is it no longer secure?

A

Wi-Fi Protected Access (WPA)
▪ Replacement for WEP which uses TKIP, Message Integrity Check (MIC), and RC4 encryption
▪ WPA was found to be flawed (defective), so it was replaced by WPA2

4
Q

Wireless Security: what is WPA2?

A

Wi-Fi Protected Access Version 2 (WPA2)
▪ 802.11i standard that provides better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking
▪ WPA2 can be operated in either personal or enterprise mode

5
Q

Wireless Security: what is WPA3 and what are the different types of WPA3 (2)?

A

▪ Designed to address the flaws and weaknesses that can be exploited in WPA2
▪ Types:
● WPA3 Enterprise (256-bit AES with SHA-384)
● WPA3 Personal (128-bit AES with CCMP)

6
Q

Wireless Security: what is the largest improvement of WPA3?

A

The largest improvement in WPA3 is the removal of the Pre-Shared Key (PSK) exchange

7
Q

Wireless Security: in WPA3, what is Simultaneous Authentication of Equals (SAE) used for?

A

SAE uses secure password-based authentication and a password-authenticated key agreement method to secure networks

8
Q

Wireless Security: in WPA3, what is Forward Secrecy/Perfect Forward Secrecy for?

A

A feature of a key agreement protocol that provides assurance that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised

9
Q

Wireless Security: explain the process of Forward Secrecy/Perfect Forward Secrecy

A

o AP and the client use a public key system to generate a pair of long-term keys
o AP and the client exchange a one-time use session key
o AP sends client messages and encrypts them using the created session key
o Client decrypts received messages using the same one-time use session key
o Process repeats for each message being sent, starting at Step 2 to ensure forward secrecy

10
Q

Wireless Security: what is Wi-Fi Protected Setup (WPS) and how does it work?

A

▪ Designed to make setting up new wireless devices easier for consumers and end users
▪ WPS relies on an 8-digit PIN code to conduct its authentication

11
Q

Wireless Security: is Wi-Fi Protected Setup (WPS) secure?

A

No, WPS is vulnerable to attacks and should always be disabled.
As a penetration tester, identify those WPS-enabled devices for your engagements

12
Q

Wireless Security: what is MAC filtering for?

A

Defines a list of devices and only allows those on your Wi-Fi network

13
Q

Signal Exploitation: why should you do signal exploitation?

A

Aims to collect, manipulate, and exploit the wireless radio waves and signals that are passing freely throughout a given location

14
Q

Signal Exploitation: list the types of antenna with which you can collect wireless radio signals and explain how they work (2)?

A

▪ Omnidirectional:
● Radiates power equally in all directions
● Omnidirectional is the least secure method of transmission
● An omnidirectional antenna is what is connected by default to your laptop’s Wi-Fi card

▪ Unidirectional (e.g., Yagi antenna):
● Focuses power in one direction for covering greater distances
● You can use an omnidirectional antenna to identify targets, then switch to a unidirectional antenna

15
Q

Signal Exploitation: what is Decibels Per Isotropic (dBi)?

A

▪ Amount of forward gain of a given antenna
▪ As the forward gain increases, the signal becomes more directional

16
Q

Signal Exploitation: list the different ways to exploit a signal (3)?

A

▪ Eavesdropping
▪ Deauthentication
▪ Jamming

17
Q

Signal Exploitation: what is the Eavesdropping type of signal exploitation?

A
18
Q

Signal Exploitation: what useful information can you retrieve through the Eavesdropping type of signal exploitation?

A

o Network client MAC addresses
o Type of encryption used
o Network client devices

19
Q

Signal Exploitation: what is the Deauthentication type of signal exploitation and what tool can you use for it?

A

● Used to boot a victim wireless client off an access point so that it is forced to reauthenticate
● Deauthentication attacks are mostly used in conjunction with other attacks
● Aireplay-ng: The most commonly used tool for conducting a deauthentication attack

20
Q

Signal Exploitation: what is the Jamming type of signal exploitation and what tool can you use for it?

A

● Disrupts a Wi-Fi signal by broadcasting on the same frequency as the target access point to block signals that a wireless transceiver attempts to send or receive
● Check the scope and the legal restrictions in your location before conducting jamming as part of an engagement
● Wi-Fi Jammer: A Python script capable of disrupting signals of all wireless access points in an area

21
Q

WEP Hacking: why can WEP be hacked?

A

WEP is extremely insecure due to its use of a 24-bit initialization vector (IV)

22
Q

WEP Hacking: how can you hack WEP?

A

▪ Monitor the area to determine which access points and clients are in use
▪ Capture all the network traffic into a PCAP file to crack it offline later
▪ Conduct a deauthentication attack to generate handshakes to capture
▪ Crack the encryption protocol to identify the plain text pre-shared key

23
Q

WEP Hacking: what tools can you use for this (2)?

A

o Airmon-ng: Used to monitor wireless frequencies to identify access points and clients
o Airodump-ng: Used to capture network traffic and save it to a PCAP file

24
Q

WPA/WPA2 Hacking: how do you hack WPA/WPA2?

A

▪ Place the wireless network adapter into monitor or promiscuous mode
▪ Discover the WPA/WPA2 enabled networks in range
▪ Capture the network traffic and write it to a PCAP file
▪ Conduct a deauthentication attack to generate handshakes to capture
▪ Conduct a dictionary attack to identify the plain text version of the pre-shared key

25
Q

WPA/WPA2 Hacking: what tools can you use for this (4)?

A

o Airmon-ng: Used to place the network adapter into monitor or promiscuous mode
o Airodump-ng: Used to identify clients and access points, capture network traffic, and save it to a PCAP file
o Aireplay-ng: Used to conduct a deauthentication attack by sending spoofed deauth requests to the access point
o Aircrack-ng: Used to conduct protocol and password cracking of wireless encryption

26
Q

WPS PIN Attacks: why is WPS vulnerable?

A

o The implementation used in WPS is flawed and vulnerable to attack
o WPS is great for operations, but horrible for security
o WPS uses an 8-digit PIN with the 8th digit reserved as a checksum
o 10^7 options mean there are 10,000,000 passwords (the flaw is that WPS breaks the PIN into two smaller sections)
o 10^4 options mean there are 10,000 unique PINs
o WPS is enabled by default in many consumer-grade and small business environments

27
Q

Evil Twins: what is an Evil Twin attack?

A

A fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications

28
Q

Evil Twins: what is a Karma attack?

A

Exploits the behavior of Wi-Fi devices due to a lack of access point authentication protocols being implemented

29
Q

Evil Twins: what is Preferred Network List (PNL)?

A

A list of the SSIDs of any access points the device has previously connected to and will automatically connect to when those networks are in range

30
Q

Evil Twins: what is a Captive Portal?

A

A web page that the user of a public-access network is obliged to view and interact with before access is granted

31
Q

Evil Twins: what tools can be used to perform the three types of evil twin attack (3)?

A

▪ ESPortalV2: A piece of software for setting up a captive portal and redirecting all Wi-Fi devices that connect to that portal for authentication
▪ Wifiphisher: Sets up a regular evil twin without a captive portal
▪ Wi-Fi Pineapple: A device that can be used to automate Wi-Fi auditing with different types of campaigns and even create vulnerability reports at the conclusion of your engagement

32
Q

On-Path and Relay Attacks: what is an On-Path Attack (formerly Man-in-the-Middle Attack) and how is it done?

A

▪ Occurs when an attacker puts themselves between the victim and the intended destination
▪ Monitors and captures data

33
Q

On-Path and Relay Attacks: what is a Relay Attack and how is it done?

A

▪ Captures, modifies, and sends data
▪ One of the easiest methods to execute an on-path or relay attack is to execute an evil twin attack

34
Q

On-Path and Relay Attacks: what is Extensible Authentication Protocol (EAP) and what are the different EAP types?

A

▪ Creates an encrypted tunnel between the supplicant and the authentication server
▪ Protected Extensible Authentication Protocol (PEAP)
▪ EAP with Tunneled TLS (EAP-TTLS)
▪ EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

35
Q

Bluetooth Attacks: what is Bluejacking and how is it done?

A

▪ Sending unsolicited messages to a Bluetooth device
▪ No special tools or software are required to conduct bluejacking
▪ Sending information

36
Q

Bluetooth Attacks: what is Bluesnarfing and how is it done?

A

▪ Gaining unauthorized access to a device via a Bluetooth connection
▪ Aims to read sensitive data or information from a victim device
▪ Stealing and receiving information

37
Q

Bluetooth Attacks: what is BlueBorne?

A

Allows the attacker to gain complete control over a device without even being connected to the target device

38
Q

Bluetooth Attacks: what is Bluetooth Low Energy (BLE)?

A

▪ A Bluetooth variation that uses less energy and communicates wirelessly over shorter distances
▪ BLE is extremely popular in smart home devices, motion sensors, and other Internet of Things devices

39
Q

Bluetooth Attacks: what secures the Bluetooth protocol from attackers?

A

The Bluetooth protocol uses frequency hopping to prevent attackers from easily capturing data being sent and received

40
Q

Bluetooth Attacks: what tools can you use to conduct a Bluetooth attack (5)?

A

▪ HCICONFIG: Configures Bluetooth interface
▪ HCITOOL: Scans and discovers devices in range
▪ BLEAH: Enumerates Bluetooth devices
▪ GATTTOOL/BETTERCAP/BLUEPY: Interacts and communicates with Bluetooth devices
▪ Spooftooph: Automates the spoofing or cloning of a Bluetooth device’s name, class, and address

41
Q

RFID and NFC Attacks: what is Radio Frequency Identification (RFID) and how does it work?

A

▪ A form of radio frequency transmission modified for use in authentication systems
▪ Has two components, called the tag and the reader
▪ Should include a second authentication factor
▪ Newer RFID badges used in most modern authentication systems use higher frequencies that provide higher data rates and can support encryption

42
Q

RFID and NFC Attacks: what is Near Field Communication (NFC) and how does it work?

A

Uses radio frequency to send an electromagnetic charge containing the transaction data over a short distance