Chapter 15: Wireless Networking

Question 1

Cons to WiFi

Answer 1

1) DECREASE IN BANDWIDTH B/C MORE DEVICES CONNECTED
2) INVEST IN NW CARDS, INFRASTRUCTURE
3) INTERFERENCE W/ OTHER DEVICES
4) LESS RANGE THAN ADVERTISED (usually half the distance promised)
5) TERRAIN CAN SLOW DOWN SIGNALS

Question 2

Characteristics of WiFi

Answer 2

1) uses RADIO WAVES to transmit data

2) works at the physical layer of the NW

Question 3

Techniques to managing a connection

Answer 3

1) DSSS (direct-sequence spread spectrum)
2) FHSS (frequency-hopping spread spectrum)
3) IR (infrared)
4) OFDM (orthogonal frequency-division multiplexing)

Question 4

WiFi Environment: Extension to an existing wired NW as either HW (HAPs) or SW (SAPs) based access points

Answer 4

HAPs //use device such as wireless router or dedicated wireless access point

SAPs //wireless-enabled system attached to a wired NW, which in essence shares its wireless adapter

Question 5

WiFi Environment: Multiple access points

Answer 5

allows clients to roam from location to location

Question 6

WiFi Environment: LAN-to-LAN wireless NW

Answer 6

wired NWs in different locations to be connected through wireless technology

Question 7

WiFi Environment: 3G or 4G hot spot

Answer 7

provides WiFi access to WiFi enabled devices

Question 8

Wireless standards

Answer 8

1) 802.11a 5Ghz (freq), 54 Mbps (speed), 75 ft (range)
2) 802.11b 2.4Ghz, 11 Mbps, 150 ft
3) 802.11g 2.4Ghz, 11 Mbps, 150 ft
4) 802.11n 2.4/5Ghz, 54 Mbps, ~100 ft
5) 802.16 (WiMAX) 10-66Ghz, 70-1000 Mbps, 30 miles
6) Bluetooth 2.4Ghz, 1-3 Mbps (1st Gen), 33 ft

Question 9

About SSID

Answer 9

Service Set Identifier

32 Bytes

Embedded within header of packets

Open NWs, it’s visible

Closed NWs, not visible or “cloaked”

Question 10

Common Wireless Terms:

GSM
Association
BSSID
Hot Spot
Access Point
ISM
Bandwidth

Answer 10

GSM // Global System for Mobile Communications // international standard for mobile wireless

Association //connecting a client to an access point

BSSID // basic service set identification //MAC address of an access point

Hot Spot //location that provides wireless access to public such as coffee shop or airport

Access Point //HW or SW construct that provides wireless access

ISM band// industrial scientific, and medical band //unlicensed band of frequencies

Bandwidth //speed avilable for devices

Question 11

Antennas

Yagi antenna
Omnidirectional antenna
Parabolic grid antenna

Answer 11

Yagi antenna 
//unidirectional, works well transmitting and receiving signals in some directions 
//typically used when signal is needed from site to site instead of covering a wide area 
//enhances security by limiting signals to smaller areas

Omnidirectional antenna
//emits signals in all directions, but some directions better than others
//can transmit data in 2-D well, but not in 3-D

Parabolic grid antenna
//takes form of a dish, unidirectional, sends and receives data over one axis
//PRO -catches parallel signals and focuses them to a single receiving point, so gets better signal quality and over longer ranges
//can receive over a distance of 10 miles

Question 12

WiFi Authentication Mode: Open System Authentication

Answer 12

//make NW available to wide range of clients

//authentication occurs when an authentication frame is sent from a client to an access point; access point receives frame, verifies SSID, if correct access point sends verification frame back to client, allowing connection to be made

Question 13

WiFi Authentication Mode: Shared Key Authentication

Answer 13

//each client receives key ahead of time and can connect anytime

//clients send authentication request to access point, ap returns challenge to client, client encrypts challenge using shared key, ap uses same shared key to decrypt challenge, if responses match, client validated and connected

Question 14

Wireless encryption and authentication protocols:

WEP
WPA
WPA2
WPA2 Enterprise
TKIP
AES
EAP
LEAP
RADIUS
802.11i
CCMP

Answer 14

WEP//Wired Equivalent Privacy//oldest and weakest

WPA//WiFi Protected Access//successor to WEP, addressed many problems
//uses TKIP [Temporal Key Integrity Protocol], MIC [Message Integrity Code], and AES [Advanced Encryption Standard] encryption

WPA2//address WPA probs
//uses AES, CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), EAP [extensible authentication protocol], TKIP, AES [with longer keys]

WPA2 Enterprise//incorporates EAP to strengthen security and scale system up to large enterprise environments

TKIP//enhances WPA over WEP

AES//symmetric-key encryption//used in WPA2 to replace TKIP

EAP //incorpoaated into multiple authentication methods
//such as tokent cards, Kerberos, certificates

LEAP //Lightweight Extensible Authentication Protocol //made by cisco

RADIUS //Remote Authentication Dial-in User Service //centralized authentication and authorization mgmt system

802.11i //IEEE standard that species security mechs for 802.11 wireless NWs

CCMP //uses 128bit keys, with 48bit initialization vector (IV) for replay detection

Question 15

WEP

Answer 15

failed all:
//intended to provide security on same level as wired NWs
//defeat eavesdropping on communications
 //check integrity of data as it flows access NW
//use shared key to encrypt packets prior to transmission
//provide confidentiality, access control

problems:
//protocol was designed without input from academic community or public and professional cryptologists
//attacker can easily uncover key with ciphertext and plaintext
//CRC32 //Cyclic Redundancy Check //integrity checking sis flaws and ez to modify packets
//IVs//initialization vectors are only 24 bits, so an entire pools of IVs can be exhausted in short time
//vulnerable to DoS attack through messages not authenticated by WEP

// WEP uses IVs a lot; randomized value used with the secret key for data encryption purposes, when these two values are combined, they form a # used once (nonce)

Question 16

Cracking WEP

Answer 16

intercept as many IVs as possible through sniffing, analyze packets, retrieve key

make take a while, to speed up, perform packet injection

1) Start wireless interface on the attacking system in monitor mode on the specific access point channel; this mode is used to listen to packets in the air
2) probe the target NW with wireless device to determine if packet injection can be performed
3) select tool such as aireplay-ng to perform fake authentication with access point
4) Start WiFi sniffing tool to capture IVs such as aireplay-ng, ARP requests can be intercepted and reinjected back into NW causing more packet generation
5) Run a tool such as Cain and Able or aircrack-ng to extract encryption keys from IVs

Question 17

AirPcap

Answer 17

AirPcap //used to sniff wireless frames in ways that standard WiFi cannot //good for auditing wireless NWs

Question 18

WPA & cracking WPA

Answer 18

most important development introduced as TKIP** it changes the key after ever frame

flaws:
//weak keys chosen by user
//packet spoofing
//authentication issues with MS-CHAP v2 [microsoft challenge handshake authentication protocol version 2]

Cracking WPA
REAVER //free in Kali, one of the best tools for cracking WPA

Question 19

WPA2 and its two modes

Answer 19

full compatibility with 802.11i standards for security

Can function in two modes:
1) WPA2-Personal //relies on input of key into each station

2) WPA2-Enterprise //uses server to perform key mgmt and authentication for wireless clients, common components include RADIUS

Question 20

Types of attacks on WPA and WPA2

Offline Attack
Deauthentication attack
Brute-force WPA keys

Answer 20

OFFLINE ATTACK //close proximity to access point to observe handshake between client and access point; can capture handshake and recover keys by recording and cracking them offline

DEAUTHENTICATION ATTACK //forcing a reconect

BRUTE-FORCE WPA KEYS //keep trying username and PW combinations over and over again, tools such as aircrack-ng, aireplay-ng, KisMAC

Question 21

Risk Mitigation of WEP and WPA cracking

Answer 21

1) COMPLEX PW
2) USE SERVER VALIDATION ON CLIENT SIDE
3) ELIMINATE WEP AND WPA2, MOVE TO WPA2
4) USE ENCRYPTION STANDARDS SUCH AS CCMP, AES, TKIP

Question 22

An attack against wireless NW can be passive or active

Answer 22

Passive //sniffing information that is transmitted

Active //using probe requests to elicit a response

Question 23

Types of attacks

WARDRIVING
ROGUE ACCESS POINTS
REVERSE SSH TUNNELING with Raspberry Pi
MAC SPOOFING
AD HOC
MISCONFIGURATION
CLIENT MISASSOCIATION
PROMISCUOUS CLIENT
JAMMING ATTACKS
HONEYSPOT ATTACK

Answer 23

WARDRIVING //driving around area with computing device to detect wireless clients and APs
Site Survey Tools KisMAC,NetStumbler, Kismet, WaveStumbler, InSSIDer
//common for these types of tools to connect to GPS to pinpoint location

Warflying // Warballooning //Warwalking //warchalking

ROGUE ACCESS POINTS //attacker installs new AP completely unsecure behind company firewall

REVERSE SSH TUNNELING //device such as raspberry pi opens connection from inside NW out to attacker to bypass FW restrictions

MAC SPOOFING //for APs that use Mac filtering, you can use Mac Spoofing; Mac filtering is used to blacklist or whitelist MAC addresses of clients; attacker can spoof address of an apprived client or switch their MAC to a client that is not blocked
Tools SMAC, ifconfig, changemac.sh

AD HOC //use of WiFi adapter to connect direct to another wireless-enabled system; two systems can interact with each other; main threat is users do not know the difference between infrastructure and ad hoc NW and so may attach to an unsecure NW

MISCONFIGURATION

CLIENT MISASSOCIATION //WiFi propagate though walls and structures; client attches to AP that is on a NW other than theirs, accidentally or unintentionally;

PROMISCUOUS CLIENT //offers irresistibly strong signal intentionally for malicious purposes

JAMMING ATTACKS //works on any type of wireless NW, essentially DoS attack; can use a specifically designed HW device that can transmit signals that interfere with 802.11 NWs

HONEYSPOT ATTACK //attacker sets up rogue access point in range of several legit ones
HW device WiFi Pineapple from Hak5

Question 24

Modes of Bluetooth

Some attacks that have been made on users

Answer 24

DISCOVERABLE //allows device to be scanned and located by other bluetooth

LIMITED DISCOVERABLE //discovered for short period of time

NONDISCOVERABLE //cannot be located, however if another device has previously found the system it will still be able to

PAIR or NONPAIR //can or cannot pair with another device

some attacks include:
leaking calendar, address book, activate cameras, microphones, control a phone to make calls, connect to internet

Question 25

Types of Bluetooth Attacks

BLUEJACKING
BLUESNARFING

Answer 25

BLUEJACKING //sending an anonymous text message via Bluetooth to a victim

1) go to contacts in ur device’s address book
2) create a new contact & enter message as name
3) save the contact w/ a name but w/ out a phone #
4) choose send Via bluetooth
5) choose a phone from the list of devices & send the msg

BLUESNARFING //extract information at a distance (address book, call info, text info, other data)

Question 26

Which of the following operates at 5 GHz?

a) 802.11a
b) 802.11b
c) 802.11g
d) 802.11i

Answer 26

a) 802.11a is the ony that operates at 5 Ghz, where as b and g operate at 2.4Ghz, and the newest n can operate at both frequencies; and then WiMAX is 10-66 and bluetooth is 2.4 Ghz

Question 27

What is a client-to-client wireless connection called?

a) infrastructure
b) client-server
c) peer-to-peer
d) ad hoc

Answer 27

d) ad hoc

Question 28

When a wireless client is attached to an access point, it is known as which of the following?

a) infrastructure
b) client-server
c) peer-to-peer
d) ad hoc

Answer 28

a) infrastructure

Question 29

A __________ is used to attack an NIDS

a) NULL session
b) DoS
c) Shellcode
d) port scan

Answer 29

B. A denial of service (DoS) is used to overwhelm an
NIDS, tying up its resources so it cannot perform
reliable analysis of traffic and thus allowing
malicious packets to proceed unabated.

Question 30

Which of the following uses a DB of known attacks?

a) signature
b) anomaly
c) behavior
d) sniffer

Answer 30

A. Signature files are used by IDS systems to match
traffic against known attacks to determine if an attack
has been found or if normal traffic is present

Question 31

AirPcap is used to do which of the following?

a) assist in sniffing of wireless traffic
b) allow for NW traffic to be analyzed
c) allow for the identification of wireless NWs
d) attack a victim

Answer 31

a) assist in sniffing of wireless traffic

Question 32

what is a rogue access point?

a) access point not managed by company
b) unmanaged access point
c) second access point
d) honeypot device

Answer 32

a) access point not managed by company

Question 33

At which layer of OSI does a packet filtering firewall work?

a) 1
b) 2
c) 3
d) 4

Answer 33

c) Layer 3 at NW layer

Question 34

What is a PSK?

a) pw for the nw
b) cert for nw
c) key entered into each client
d) distributed pw for each user

Answer 34

C. A PSK is entered into each client that is going to
access the wireless network. It is commonly found in
WEP, WPA, and WPA2 deployments. PSKs
represent a security risk as they can be extracted from
a compromised client and then allow a malicious
party to access the network.

Question 35

Which of the following device is used to peform DoS on wireless nw?

a) wpa jammer
b) wpa2 jammer
c) wep jammer
d) wi-fi jammer

Answer 35

d) wifi jammer