MOD 16 - Hacking Wireless

Question 1

Wardriving

Answer 1

Driving around in an car while using a laptop to find wireless networks

Question 2

Zigbee

Answer 2

Short-range communications protocol (802.15.4) to deliver data infrequently, at a low rate, in a restricted area, with a max range of 100m. Examples include home automation or medical device data collection.

Question 3

WEP, WPA, WPA2

Answer 3

Wired Equivalent Privacy - was designed to be as secure as a wired LAN. Used RC4 for encryption, but never changed the key
WPA - replacement for WEP and did NOT require a hardware upgrade; simply do a firmware update on your WEP devices. Uses RC4/TKIP
WPA2 - uses AES-128/CCMP for encryption

Question 4

WPA3

Answer 4

Latest WiFi encryption standard. WPA3 Uses GCMP-256 for authenticated encryption, HMAC-SHA-384 for key derivation and confirmation, and ECDSA-384 for key establishment & authentication

Question 5

• SAE

Answer 5

Simultaneous Authentication of Equals - this the new & improved authentication method that WPA3 uses for authentication.

Question 6

Evil Twin

Answer 6

Fake WAP that pretends to be a legitimate one. Victims connect to the Evil Twin unaware. Attacker can then sniff their traffic, present fake login pages to pharm user credentials, etc.

Question 7

KRACK attack

Answer 7

Key Reinstallation AttaCK - attack against WPA2. Tricks a victim into reinstalling an already-in-use encryption key, which the attacker has. This lets MiTM view your WiFi traffic

Question 8

• Downgrade attack

Answer 8

Forces a victim to use older, less-secure protocols. For example, your users normally use WPA3 security, but an attacker sets up an Evil Twin that only allows WPA2, thus downgrading the victim’s security to use a lesser standard.

Question 9

aLTEr Attack

Answer 9

Attacks LTE devices, like cell-phones. Attacker runs a fake cell-tower between victim and real tower, which can then interrupt the victim’s transmission in an attempt to hijack an active session.

Question 10

Dragonblood

Answer 10

Set of vulnerabilities in WPA3 that allows attackers to recover keys, downgrade security mechanisms, and launch data theft attacks

Question 11

Bluetooth attacks

Answer 11

Bluejacking: Bluetooth SPAM. Bluesnarfing: Stealing someone’s info by exploiting Bluetooth vulnerabilities. Bluesmacking: Bluetooth DOS

Question 12

*BtleJack

Answer 12

Bluetooth utility to sniff, jam, or hijack Bluetooth connections. Use -d to select a a connected device to use. Use -s to sniff a connection. Use
-d selects a connected device
-c finds a new connection to sniff, then -s will sniff that connection
-t allows you to hijack a Bluetooth connection (think -t for “takeover”)

Question 13

Best-Practice WiFi configuration

Answer 13

Disable SSID broadcasts, use Port-Security (MAC filtering) to only allow authorized devices to connect, use 802.1x (port-authentication)
While it’s a great idea to disable SSID broadcasts, it’s not bullet-proof. An attacker can still connect to your WiFi by sniffing the SSID from a successful wireless association.

Question 14

802.1X

Answer 14

Port-Authentication. Forces users to supply their own credentials in order to gain access to the network through switch ports (wired or wireless)

Question 15

WIPS (Wireless IPS)

Answer 15

Can locate rogue access points and many other wireless threats

Question 16

• Ettercap

Answer 16

Comprehensive suite of tools that can be used for wireless Man in The Middle attacks and other useful tricks

Question 17

• WPS and the Wash utility

Answer 17

WPS = WiFi Protected Setup. This is a feature that makes it easy for home users to connect to a WAP. They just press a button on the WAP and enter a PIN on their device. Unfortunately, this feature is relatively easy to attack. The Wash utility scans a network to find WPS-enabled AP’s.
Wash Utility can find WPS devices and hack it.

Question 18

Best 3 ways to protect wifi

Answer 18

1. Hide SSID
2. MAC Address Filtering / Port Security
3. Use 802.1x (Enterprise)