Chapter 15: Wireless Networking Flashcards Preview

1

Cons to WiFi

1) DECREASE IN BANDWIDTH B/C MORE DEVICES CONNECTED

2) INVEST IN NW CARDS, INFRASTRUCTURE

3) INTERFERENCE W/ OTHER DEVICES

4) LESS RANGE THAN ADVERTISED (usually half the distance promised)

5) TERRAIN CAN SLOW DOWN SIGNALS

2

Characteristics of WiFi

1) uses RADIO WAVES to transmit data (2.4 GHz and 5 GHz unlicensed bands)

2) defined by IEEE 802.11, which covers the PHYSICAL layer (modulation) and the MAC sublayer of the DATA LINK layer (frame format, authentication, association); IP and everything above it are unchanged

3

Physical-layer transmission (modulation) techniques, i.e. how bits are put on the air

1) DSSS (direct-sequence spread spectrum) //802.11b
2) FHSS (frequency-hopping spread spectrum) //original 802.11, also Bluetooth
3) IR (infrared) //original 802.11, rarely deployed
4) OFDM (orthogonal frequency-division multiplexing) //802.11a/g/n

4

WiFi Environment: Extension to an existing wired NW as either HW (HAPs) or SW (SAPs) based access points

HAPs //use device such as wireless router or dedicated wireless access point

SAPs //wireless-enabled system attached to a wired NW, which in essence shares its wireless adapter

5

WiFi Environment: Multiple access points

allows clients to roam from location to location

6

WiFi Environment: LAN-to-LAN wireless NW

wired NWs in different locations to be connected through wireless technology

7

WiFi Environment: 3G or 4G hot spot

a phone or dedicated MiFi device shares its cellular data connection by acting as a WiFi AP for WiFi enabled devices

8

Wireless standards

1) 802.11a 5Ghz (freq), 54 Mbps (speed), 75 ft (range)

2) 802.11b 2.4Ghz, 11 Mbps, 150 ft

3) 802.11g 2.4Ghz, 54 Mbps (OFDM, backward compatible with b), 150 ft

4) 802.11n 2.4/5Ghz, up to 600 Mbps (MIMO, 150 Mbps per spatial stream), ~230 ft indoors

5) 802.16 (WiMAX) 10-66Ghz (original fixed spec; 802.16a/e added 2-11 GHz), ~70 Mbps, up to 30 miles

6) Bluetooth 2.4Ghz (FHSS), 1 Mbps (v1.x), 3 Mbps (v2.x EDR), 33 ft (class 2 devices)

9

About SSID

Service Set Identifier //human-readable NW name (not to be confused with the BSSID, which is the AP's MAC)

up to 32 Bytes (octets)

Carried in 802.11 MANAGEMENT frames (beacons, probe requests/responses, association requests), not in the header of every data packet

Open NWs, the AP broadcasts it in beacons so it's visible

Closed NWs, the AP omits it from beacons ("cloaked"/"hidden"); clients still send it in the clear in probe and association requests, so a sniffer recovers it as soon as any client connects; hiding the SSID is obscurity, not a security control

10

Common Wireless Terms:

GSM
Association
BSSID
Hot Spot
Access Point
ISM
Bandwidth

GSM // Global System for Mobile Communications // international standard for 2G mobile wireless (voice, SMS)

Association //connecting a client to an access point; follows 802.11 authentication, after which the client can send data through the AP

BSSID // basic service set identifier //MAC address of an access point (each radio/SSID on an AP has its own)

Hot Spot //location that provides wireless access to the public such as a coffee shop or airport

Access Point //HW or SW construct that bridges wireless clients onto a wired NW

ISM band// industrial, scientific, and medical band //unlicensed band of frequencies; the 2.4 GHz ISM band is shared by 802.11b/g/n, Bluetooth and microwave ovens, so interference is common

Bandwidth //data rate available to devices; shared by everything on the same channel

11

Antennas

Yagi antenna
Omnidirectional antenna
Parabolic grid antenna

Yagi antenna
//directional (unidirectional): high gain in one direction, little to the sides and back
//typically used for point-to-point (site to site) links instead of covering a wide area
//enhances security by limiting the signal to a narrower area (but an attacker with their own Yagi can still hear it from far away along the beam)

Omnidirectional antenna
//radiates in all horizontal directions (doughnut-shaped pattern), though gain is not equal everywhere
//good 2-D (same-floor) coverage, weak directly above and below the antenna

Parabolic grid antenna
//takes the form of a dish, highly directional, sends and receives along one axis
//PRO -catches parallel signals and focuses them to a single receiving point, so better signal quality over longer ranges
//can receive over a distance of 10 miles; favored for long-range eavesdropping and wardriving

12

WiFi Authentication Mode: Open System Authentication

//make NW available to a wide range of clients; NO credentials are checked

//client sends an authentication request frame (algorithm = open system) to the AP; the AP replies with an authentication response (status = success) to anyone who asks; the client then sends an ASSOCIATION request carrying the SSID, and the AP accepts it if the SSID matches

//WPA/WPA2-PSK networks also use open system authentication; the real access control happens afterwards in the 4-way handshake, where a client without the PSK cannot derive valid keys

13

WiFi Authentication Mode: Shared Key Authentication

//WEP only; each client receives the WEP key ahead of time and can connect anytime

//client sends authentication request to the AP, AP returns a 128-byte CHALLENGE in the clear, client returns the challenge encrypted with RC4 under the shared WEP key, AP decrypts it with the same key, if the result matches the challenge the client is validated and may associate

//WEAKNESS: an eavesdropper sees both the plaintext challenge and the encrypted response, so challenge XOR response = the RC4 keystream for that IV; replaying that keystream lets an attacker pass shared key auth without ever knowing the key (this is what *aireplay-ng* fake authentication does). Shared key auth is therefore weaker than open system auth on a WEP NW, and WPA/WPA2 dropped it.

14

Wireless encryption and authentication protocols:

WEP
WPA
WPA2
WPA2 Enterprise
TKIP
AES
EAP
LEAP
RADIUS
802.11i
CCMP

WEP//Wired Equivalent Privacy//oldest and weakest; RC4 with a 40- or 104-bit key plus a 24-bit IV, CRC-32 integrity check

WPA//WiFi Protected Access//interim successor to WEP, addressed many problems while still running on WEP-era RC4 hardware
//uses TKIP [Temporal Key Integrity Protocol] for per-packet RC4 keys and a MIC [Message Integrity Code, "Michael"] for integrity; AES [Advanced Encryption Standard] via CCMP was optional in WPA

WPA2//full 802.11i, addresses WPA probs
//AES-CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is mandatory, 128-bit AES key; TKIP kept only for backward compatibility with WPA clients; EAP [extensible authentication protocol] over 802.1X for the Enterprise mode

WPA2 Enterprise//incorporates EAP/802.1X with a RADIUS server to strengthen security (per-user credentials, per-session keys, no shared passphrase) and scale the system up to large enterprise environments

TKIP//enhances WPA over WEP: per-packet key mixing, 48-bit sequence counter against replay, Michael MIC; still RC4 underneath, so now deprecated

AES//symmetric-key block cipher//used in WPA2 (via CCMP) to replace RC4/TKIP

EAP //authentication FRAMEWORK, not a single method; carries multiple authentication methods
//such as token cards, Kerberos, certificates (EAP-TLS), passwords inside a TLS tunnel (PEAP, EAP-TTLS)

LEAP //Lightweight Extensible Authentication Protocol //made by Cisco; MS-CHAP based, vulnerable to offline dictionary attacks (asleap), deprecated

RADIUS //Remote Authentication Dial-in User Service //centralized authentication and authorization mgmt system; the authentication server behind an Enterprise AP

802.11i //IEEE standard that specifies security mechs for 802.11 wireless NWs (RSN: 4-way handshake, CCMP, TKIP); WPA2 is the WiFi Alliance certification of it

CCMP //AES-CCM: counter mode for confidentiality plus CBC-MAC for integrity, 128-bit keys, 48-bit packet number (PN) used as the nonce and for replay detection

15

WEP

failed all of its design goals:
//intended to provide security on the same level as wired NWs
//defeat eavesdropping on communications
//check integrity of data as it flows across the NW
//use a shared key to encrypt packets prior to transmission
//provide confidentiality, access control

problems:
//protocol was designed without input from the academic community or public and professional cryptologists
//RC4 per-packet key = IV || secret key with the IV sent in the clear; weak-IV / key-scheduling attacks (FMS, later PTW) recover the secret key from a few tens of thousands of captured frames
//known plaintext (DHCP, ARP) XOR ciphertext = keystream, and a reused IV means a reused keystream, so other frames under that IV decrypt without the key
//CRC32 //Cyclic Redundancy Check //integrity check (ICV) is linear, not a keyed MAC: an attacker can flip bits in an encrypted frame and fix up the ICV, so it's ez to modify packets
//IVs//initialization vectors are only 24 bits, so the whole pool of ~16.7 million IVs is exhausted in hours on a busy AP and repeats are guaranteed
//vulnerable to DoS attack through management messages (deauth/disassoc) not authenticated by WEP

// WEP uses IVs a lot: a 24-bit value sent in the clear and prepended to the secret key to form the RC4 key for that packet; the IV is supposed to act as a number used once (nonce), but nothing in the standard stops an AP or client from repeating it
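The two WEP problems above that need no key recovery at all (keystream reuse under a repeated IV, and CRC-32 bit flipping) are easy to see in code. The following is an added example written for this page, not code from the CEH material; the WEP key, IV and plaintexts are constructed, while RC4, the IV || key construction and the CRC-32 ICV follow the WEP spec.

```python
"""WEP weaknesses worked through in code: RC4 keystream reuse and CRC-32 bit flipping.

Added example, not from the CEH flashcards. The key, IV and plaintexts below are
constructed; WEP itself (IV || key as the RC4 key, CRC-32 ICV) is implemented as specified.
"""
import zlib
from typing import Optional

KEY = b"\x0b\xad\xc0\xde\x42"   # constructed 40-bit WEP key
IV = b"\x01\x02\x03"            # constructed IV that the AP happens to reuse


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (key-scheduling + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 over the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over plaintext || ICV."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40- or 104-bit key
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: return the plaintext if the ICV verifies, else None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


# Attack 1: keystream reuse. The IV is only 24 bits, so IVs repeat; the same IV
# means the same RC4 key and therefore the same keystream.
def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """C = (P || ICV(P)) XOR KS, so KS = C XOR (P || ICV(P)) when P is known
    (predictable DHCP/ARP contents are the classic source of known plaintext)."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_reused_iv(keystream: bytes, other_frame: bytes) -> bytes:
    """Decrypt any other frame sent under the same IV, up to the keystream length
    we know; the last 4 recovered bytes are that frame's ICV and are dropped."""
    return xor(other_frame[3:], keystream)[:-4]


# Attack 2: CRC-32 is linear, so an attacker can flip chosen plaintext bits and
# repair the encrypted ICV without knowing the key (Borisov/Goldberg/Wagner).
def forge_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Return a frame that decrypts to P XOR delta with a valid ICV.
    crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros) for equal lengths, so XOR delta onto
    the data bytes and (crc(D) ^ crc(zeros)) onto the encrypted ICV bytes."""
    iv, ct = frame[:3], frame[3:]
    delta = delta.ljust(len(ct) - 4, b"\x00")   # pad to the plaintext length
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + icv_delta)


def iv_exhaustion_seconds(frames_per_second: int) -> float:
    """Time until a busy AP has used every one of the 2**24 IVs at least once."""
    return (1 << 24) / frames_per_second


def demo() -> dict:
    p1 = b"GET /index.html HTTP/1.0"      # constructed frame the attacker can guess
    p2 = b"user=alice&pass=hunter2"       # constructed secret frame sent under the same IV
    c1 = wep_encrypt(KEY, IV, p1)
    c2 = wep_encrypt(KEY, IV, p2)
    ks = recover_keystream(c1, p1)
    leaked = decrypt_with_reused_iv(ks, c2)
    # turn "GET" into "PUT" in frame 1; the receiver's ICV check still passes
    delta = xor(b"GET", b"PUT")
    forged = forge_bitflip(c1, delta)
    return {
        "leaked": leaked,
        "forged_plaintext": wep_decrypt(KEY, forged),
        "hours_to_exhaust_ivs_at_1000pps": iv_exhaustion_seconds(1000) / 3600,
    }


if __name__ == "__main__":
    print(demo())
```

Neither attack touches the secret key: the first needs one known plaintext and a repeated IV, the second needs only the ciphertext. Both are why a keyed MAC (CCMP's CBC-MAC) and a non-repeating 48-bit packet number replaced CRC-32 and the 24-bit IV.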

16

Cracking WEP

intercept as many IVs as possible through sniffing, analyze the packets, retrieve the key

may take a while on a quiet NW; to speed up, perform packet injection so the AP generates fresh IVs for you

1) Start the wireless interface on the attacking system in monitor mode on the specific access point channel (*airmon-ng*); this mode listens to all frames in the air, not just the ones addressed to you

2) probe the target NW with the wireless device to determine if packet injection can be performed (*aireplay-ng* injection test)

3) select a tool such as *aireplay-ng* to perform fake authentication with the access point (needed so the AP accepts injected frames from your MAC)

4) Start a WiFi sniffing tool such as *airodump-ng* to capture IVs to a file; with *aireplay-ng* ARP requests can be intercepted and reinjected back into the NW, causing the AP to generate many more encrypted replies (and IVs)

5) Run a tool such as *Cain and Abel* or *aircrack-ng* on the capture to extract the encryption key from the IVs (PTW needs on the order of tens of thousands of IVs)

17

AirPcap

AirPcap //USB 802.11 capture adapter plus driver (Riverbed/CACE) that hands raw wireless frames (management/control frames, radiotap headers) to Wireshark on Windows in ways standard WiFi drivers cannot //good for auditing wireless NWs

18

WPA & cracking WPA

most important development introduced was TKIP**** it derives a fresh per-packet RC4 key for every frame (instead of WEP's IV || static key) and adds a MIC and a replay counter

flaws:
//weak pre-shared keys (passphrases) chosen by the user; the 4-way handshake can be captured and the PSK guessed offline
//packet spoofing: the Michael MIC is weak, allowing limited decryption/injection of short frames (Beck-Tews attack on TKIP)
//authentication issues with MS-CHAP v2 [Microsoft Challenge Handshake Authentication Protocol version 2] used inside PEAP/LEAP in Enterprise deployments

Cracking WPA
REAVER //free in Kali, one of the best-known tools; CAVEAT: it does not break WPA itself, it brute-forces the 8-digit WPS PIN (~11,000 tries, because the PIN is checked in two halves) and the AP then hands over the WPA/WPA2 PSK; only works against APs with WPS PIN enabled and no lockout

19

WPA2 and its two modes

full compatibility with 802.11i standards for security

Can function in two modes:
1) WPA2-Personal //relies on input of key into each station

2) WPA2-Enterprise //uses server to perform key mgmt and authentication for wireless clients, common components include RADIUS

20

Types of attacks on WPA and WPA2

Offline Attack
Deauthentication attack
Brute-force WPA keys

OFFLINE ATTACK //get in close proximity to the AP to observe the 4-way handshake between client and AP; capture the handshake (EAPOL messages) and recover the PSK by guessing passphrases offline against the captured MIC, so the AP sees nothing

DEAUTHENTICATION ATTACK //spoof deauthentication frames to a client (management frames are unauthenticated in 802.11 without 802.11w), forcing a reconnect so the handshake can be captured; *aireplay-ng -0*

BRUTE-FORCE WPA KEYS //try passphrases (PSK) or, for Enterprise, username and PW combinations over and over again; tools such as *aircrack-ng, hashcat, KisMAC*; *aireplay-ng* does the deauth/injection, not the cracking

21

Risk Mitigation of WEP and WPA cracking

1) COMPLEX PW //long random passphrase; offline cracking cost scales with the number of guesses, not with time spent online

2) USE SERVER CERTIFICATE VALIDATION ON CLIENT SIDE //Enterprise clients must verify the RADIUS server cert so a rogue AP with a fake server cannot harvest credentials

3) ELIMINATE WEP AND WPA, MOVE TO WPA2 (AES-CCMP) //WPA2-Enterprise where possible; disable WPS

4) USE ENCRYPTION STANDARDS SUCH AS CCMP/AES; TKIP is legacy and should be disabled

22

An attack against wireless NW can be passive or active

Passive //sniffing information that is transmitted (monitor mode); not detectable by the target

Active //transmitting: probe requests to elicit a response, packet injection, deauthentication

23

Types of attacks

WARDRIVING
ROGUE ACCESS POINTS
REVERSE SSH TUNNELING with Raspberry Pi
MAC SPOOFING
AD HOC
MISCONFIGURATION
CLIENT MISASSOCIATION
PROMISCUOUS CLIENT
JAMMING ATTACKS
HONEYSPOT ATTACK

WARDRIVING //driving around an area with a computing device to detect wireless clients and APs
Site Survey Tools *KisMAC,NetStumbler, Kismet, WaveStumbler, InSSIDer*
//common for these types of tools to connect to GPS to pinpoint location

Warflying // Warballooning //Warwalking //warchalking (marking found NWs with chalk symbols)

ROGUE ACCESS POINTS //AP installed without authorization (by an attacker or an employee) on the wired NW behind the company firewall, typically with no security, giving anyone in radio range a path into the LAN

REVERSE SSH TUNNELING //device such as a Raspberry Pi planted on the inside opens an outbound SSH connection to the attacker, who tunnels back in over it to bypass inbound FW restrictions

MAC SPOOFING //for APs that use MAC filtering, you can use MAC spoofing; MAC filtering is used to blacklist or whitelist MAC addresses of clients; attacker sniffs the MAC of an approved client and sets their own adapter to it, or switches to any MAC that is not blocked
Tools *SMAC, ifconfig, changemac.sh*

AD HOC //use of a WiFi adapter to connect directly to another wireless-enabled system without an AP; two systems can interact with each other; main threat is users do not know the difference between infrastructure and ad hoc NW and so may attach to an unsecure NW

MISCONFIGURATION //exploiting APs left with factory settings: default admin credentials, default SSID, WEP or open encryption, WPS enabled

CLIENT MISASSOCIATION //WiFi propagates through walls and structures; client attaches to an AP that is on a NW other than theirs, accidentally or intentionally, bypassing the corporate perimeter controls

PROMISCUOUS CLIENT //attacker's AP offers an irresistibly strong signal intentionally for malicious purposes so clients prefer it

JAMMING ATTACKS //works on any type of wireless NW, essentially a DoS attack; can use a specifically designed HW device that transmits signals interfering with 802.11 NWs

HONEYSPOT ATTACK //attacker sets up a rogue access point in range of several legit ones, often copying their SSIDs (evil twin), so clients connect to it
HW device *WiFi Pineapple from Hak5*

24

Modes of Bluetooth

DISCOVERABLE //allows the device to be scanned and located by other Bluetooth devices

LIMITED DISCOVERABLE //discoverable for a short period of time

NONDISCOVERABLE //cannot be located by inquiry scans, however if another device has previously found (paired with) the system it will still be able to connect

PAIR or NONPAIR //can or cannot pair with another device

some attacks that have been made on users include:
leaking the calendar or address book, activating cameras or microphones, controlling a phone to make calls, connecting to the internet

25

Types of Bluetooth Attacks

BLUEJACKING
BLUESNARFING

BLUEJACKING //sending an anonymous message via Bluetooth to a victim, usually by abusing the contact (vCard) push; a nuisance, not data theft

1) go to contacts in your device's address book
2) create a new contact & enter the message as the name
3) save the contact with a name but without a phone #
4) choose send via Bluetooth
5) choose a phone from the list of devices & send the msg

BLUESNARFING //unauthorized extraction of information at a distance (address book, calendar, call info, text info, other data) without the victim's knowledge

26

Which of the following operates at 5 GHz?

a) 802.11a
b) 802.11b
c) 802.11g
d) 802.11i

a) 802.11a is the only one that operates at 5 GHz, whereas b and g operate at 2.4 GHz, and the newer n can operate at both frequencies; 802.11i is a security standard, not a PHY; WiMAX is 10-66 GHz and Bluetooth is 2.4 GHz

27

What is a client-to-client wireless connection called?

a) infrastructure
b) client-server
c) peer-to-peer
d) ad hoc

d) ad hoc

28

When a wireless client is attached to an access point, it is known as which of the following?

a) infrastructure
b) client-server
c) peer-to-peer
d) ad hoc

a) infrastructure

29

A __________ is used to attack an NIDS

a) NULL session
b) DoS
c) Shellcode
d) port scan

B. A denial of service (DoS) is used to overwhelm an
NIDS, tying up its resources so it cannot perform
reliable analysis of traffic and thus allowing
malicious packets to proceed unabated.

30

Which of the following uses a DB of known attacks?

a) signature
b) anomaly
c) behavior
d) sniffer

A. Signature files are used by IDS systems to match
traffic against known attacks to determine if an attack
has been found or if normal traffic is present

31

AirPcap is used to do which of the following?

a) assist in sniffing of wireless traffic
b) allow for NW traffic to be analyzed
c) allow for the identification of wireless NWs
d) attack a victim

a) assist in sniffing of wireless traffic

32

what is a rogue access point?

a) access point not managed by company
b) unmanaged access point
c) second access point
d) honeypot device

a) access point not managed by company

33

At which layer of OSI does a packet filtering firewall work?

a) 1
b) 2
c) 3
d) 4

c) Layer 3 at NW layer

34

What is a PSK?

a) pw for the nw
b) cert for nw
c) key entered into each client
d) distributed pw for each user

C. A PSK is entered into each client that is going to
access the wireless network. It is commonly found in
WEP, WPA, and WPA2 deployments. PSKs
represent a security risk as they can be extracted from
a compromised client and then allow a malicious
party to access the network.

35

Which of the following devices is used to perform DoS on a wireless NW?

a) wpa jammer
b) wpa2 jammer
c) wep jammer
d) wi-fi jammer

d) wifi jammer