Presentation on theme: "Wireless technology hit the American market more than 60 years ago during World War I and World War II Today its the IEEE 802.11 standard, also known."— Presentation transcript:
Wireless technology hit the American market more than 60 years ago during World War I and World War II Today its the IEEE 802.11 standard, also known as “Wi-Fi,” - not be confused with its cousin Bluetooth (IEEE 802.15.1), which was developed in September 1998 The 802.11 networks currently transmit on the 2.4GHz and 5GHz bands. There are different versions now starting from 802.11a, b, g, n and now ac on up to ax versions on the market 802.11 Uses a 2.4 GHZ Bandwidth Spectrum Speed is 2 to 11 MBPS and wireless radio frequencies are in the range of 3 Hz to 300 GHz.– The Distance covered goes from 100 to 300 feet. There are 5GHz wireless networks now, but 2.4 GHZ still is the standard. The 802.11 platform which was developed quickly and includes the Wired Equivalent Privacy (WEP) algorithm to encrypt data, has numerous, cracks in its security structure making it a hackers dream
Foot Printing Wireless networks or access points (APs) are some of the easiest targets to footprint There is a lot of sophisticated tools on the market now that one can use with a multiple band high-powered antenna to help you create a footprint of wireless networks in your area. If you every heard the term war-driving! Its a simple means driving around your town with your new antenna and laptop looking for wireless devices, particularly AP broadcast signals. There is different ways of scanning for wireless networks. One is a passive approach, and the other is a more active method. Passive tools monitor airwaves on given channels, example: what clients are talking to which AP. Active tools send out probe request trying to get responses. Passive is the more effective method, but depends on the target and the hardware/software setup you have installed.
Wireless Cards and Chipsets There are many different types of wireless cards on the market. Here is just a few things to look for when selecting a card. Can the card be put in RFMON or what is generally called monitor mode. In addition, you need a card that lets you do packet injection and can read prism headers. The software, and hardware setup you use, along with drivers installed will effect what you can scan for and what you will pick-up within the different frequencies in the 802.11 structure. In picking a Wireless Card look at the chipset inside first, and what operating system your working on; Windows, UNIX, Linux, or OS X platforms. Finally: Three main things to consider when picking a card. 1) Transmitting Power 2) Sensitivity 3) Antenna Support
Antennas There are three types of antennas one can use for finding wireless networks: directional, multidirectional, and omni-directional. Directional Antennas In general, directional antennas are used when communicating or targeting a specific area and are not very effective for war-driving Directional antennas are also the type of antennas that are most effective in long-range packet capturing because the power and waves are tightly focused in one direction. Multidirectional antennas Are similar to directional antennas in the sense that both use highly concentrated and focused antennas for their transceivers. In most cases, multidirectional antennas are bidirectional (a front and back configuration) or quad- directional.
How to distinguish a good antenna from a bad one. The wireless term gain describes the energy of a directionally focused antenna. Realize that all transceiver antennas have gain in at least two directions: the direction they are sending information and the direction they are receiving it. If your goal is to communicate over long distances, you will want a narrow focus, high-gain antenna. Yet, if you do not require a long link, you may want a wide focus, low-gain antenna (omni). Very few antennas are completely unidirectional because in most cases this would involve a stationary device communicating with another stationary device Omnidirectional antennas Are what most think of when they think of antennas. An omnidirectional antenna is the most effective in close city driving because it transmits and receives signals from all directions, thereby providing the largest angular range.
This is one of the newer Antennas that can also pick up the new AC channel. 3X the range and speed of standard Wi-Fi adapters High power amplifiers and high gain antennas Next generation, ultra-fast AC1200 Wi-Fi speeds provide fast HD streaming and instant data transfers Works with all brands of 802.11a/b/g/n/ac 2.4GHz or 5.0GHz networks Omnidirectional antennas High Power 500mW Dual Band AC Wi-Fi USB Adapter
A global positioning system (GPS) is the wireless equivalent of using a network- mapping tool or application on wired network assessments. Most GPS devices wrap into the war-driving software via timestamp comparisons. The GPS software keeps a real-time log of the device’s position by mapping the longitude and latitude coordinates of all the AP locations you find in your war driving adventure. GPS Device
Wired Equivalent Privacy (WEP) is a standard derived by the IEEE to provide an Open System Interconnection (OSI) The Service Set Identifier (SSID) is used as an identifier to distinguish one access point from another. You can think of it as something similar to a domain name for wireless networks. The Media Access Control (MAC) address is the unique address that identifies each node of a network. In WLANs, it can be used as a source for client access control. The Initialization Vector (IV) of a Wired Equivalent Privacy (WEP) packet is included after the 802.11 header and is used in combination with the shared secret key to encrypt the packet’s data. Wi-Fi Protected Access (WPA), a Wi-Fi standard that was designed to improve upon the security features of WEP. The technology is designed to work with existing Wi-Fi products that have been enabled with WEP. Acronyms Wireless technology acronyms, including WEP, SSID, MAC, IV and WPA.
WEP Protocol Wired Equivalent Privacy (WEP) is a standard derived by the IEEE to provide an OSI Layer 2 protection schema for 802.11 wireless networks. The goal of WEP is not to completely secure the network but rather to protect the data from others passively and unknowingly eavesdropping on the WLAN. Many people mistake the WEP algorithm for a security solution that encompasses secure authentication and encryption, a goal that the 802.11 standard did not intend to address. The WEP algorithm relies on a secret key that is shared between the AP and the client node, most commonly a wireless card on a laptop. WEP then uses that shared secret to encrypt all data between the nodes. The common misconception is that WEP provides network authentication via the use of a shared secret. If a WLAN is enforcing WEP, then any party that does not obtain that shared secret may not join that network. Therefore, the network is thought to be secure. The WEP algorithm does not encrypt the 802.11 header, nor does it encrypt the Initialization Vector (IV) or ID portions of the packet SNAP stands for Sub-Network Attachment Point and is part of the LLC 802 standard and is the layer between the Network layer and the MAC layer. It hold bytes of org code and 2 bytes of message type which indicates the type of data being sent. The WEP protocols major flaw was you could use a replay attack to gain access to the wireless network. IEEE 802.11 packet structure
SSID The Service Set Identifier (SSID) is used as an identifier to distinguish one access point from another. You can think of it as something similar to a domain name for wireless networks. Its a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the Basic Service Set ( BSS). The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet it does not supply any security to the network. Basic Service Set is a component of the IEEE 802.11 WLAN architecture. This network architecture is built around a Basic Service Set (BSS), which is actually a set of STAs (the component that connects to the wireless medium such as a network adapter or NIC) that communicate with each other. When one access points (AP) is connected to wired network and a set of wireless stations it is referred to as a Basic Service Set (BSS).
MAC – Access Control The Media Access Control (MAC) address is the unique address that identifies each node of a network. In WLANs, it can be used as a source for client access control. Its a hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sub-layers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network medium. Consequently, each different type of network medium requires a different MAC layer. On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control (DLC) address.
Initialization Vector (IV) The Initialization Vector (IV) of a Wired Equivalent Privacy (WEP) packet is included after the 802.11 header and is used in combination with the shared secret key to encrypt the packet’s data. In cryptography, an initialization vector (IV) is a block of bits that is required to allow a stream cipher or a block cipher to be executed in any of several modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go through a (usually lengthy) re-keying process. The size of the IV depends on the encryption algorithm and on the cryptographic protocol in use and is normally as large as the block size of the cipher or as large as the encryption key. The IV must be known to the recipient of the encrypted information to be able to decrypt it. This can be ensured in a number of ways: by transmitting the IV along with the cipher- text, by agreeing on it beforehand during the key exchange or the handshake (used in hardware authentication tokens such as RSA SecurID, VASCO Digipass, etc.), IDs such as sender's and/or recipient's address or ID, file ID, the packet, sector or cluster number, etc. A number of variables can be combined or hashed together, depending on the protocol.
WPA Protocol How does WPA and WPA-PSK Work? WPA resolves the issue of weak WEP headers, which are called initialization vectors (IV), and provides a way of insuring the integrity of the messages passed through MIC (called Michael or message integrity check) using TKIP (the Temporal Key Integrity Protocol) to enhance data encryption. WPA-PSK is a special mode of WPA for home users without an enterprise authentication server and provides the same strong encryption protection. In simple terms, WPA-PSK is extra-strong encryption where encryption keys are automatically changed (called rekeying) and authenticated between devices after a specified period of time, or after a specified number of packets has been transmitted. This is called the rekey interval. WPA-PSK is far superior to WEP and provides stronger protection for the home/SOHO user for two reasons. The process used to generate the encryption key is very rigorous and the rekeying (or key changing) is done very quickly. This stops even the most determined hacker from gathering enough data to break the encryption. The Temporal Key Integrity Protocol (TKIP) takes over after the initial shared secret is entered in your wireless devices and handles the encryption and automatic rekeying.
Hacking Equipment Standard Wireless Hackers Setup Professionals Setup
NetStumbler - (http://www.netstumbler.com) Is a Windows-based war-driving tool that will detect wireless networks and mark their relative position with a GPS. NetStumbler uses an 802.11 Probe Request sent to the broadcast destination address which causes all access points in the area to issue an 802.11 Probe Response containing network configuration information, such as their SSID and WEP status. When hooked up to a GPS, NetStumbler will record a GPS coordinate for the highest signal strength found for each access point. Weakness is that it relies on one form of wireless network detection, the Broadcast Probe Request. Wireless equipment vendors will usually offer an option to disable this 802.11 feature Software Kismet - (http://www.kismetwireless.net) Is a Linux- and BSD-based wireless sniffer that has war-driving functionality. It allows you to track wireless access points and their GPS locations like NetStumbler, but it offers many other features as well. Kismet is a passive network-detection tool that cycles through available wireless channels looking for 802.11 packets that indicate the presence of a wireless LAN, such as Beacons and Association Requests. Weakness there aren’t many. Kismet is currently the best war-driving tool available and will find networks that NetStumbler routinely misses
Software AirCrack – for windows/Linux - http://aircrack-ng.org/ Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks. Airjack AirJack is a device driver (or suit of device drivers) for 802.11(a/b/g) raw frame injection and reception. It’s a development tool or 802.11 applications that need to access the raw protocol WireShark - https://www.wireshark.org/ Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It runs on Linux, OS X, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. LORCON (Loss Of Radio connectivity) Lorcon is an open source network tool. It is a library for injecting 802.11 (WLAN) frames, capable of injecting via multiple driver frameworks, without the need to change the application code. There are other software/drivers on the market - this list is just the top players to get you started…! Backtrack 5 – Linux, and Windows on a VM box. Very good for penetration testing and security auditing, and it also has many features one can use for hacking ranging from port scanning, forensics, privilege escalation, Stress testing to Reverse Engineering…etc.
Gaining Access – Packet Analysis After you have gone war-driving, identified target access points, and captured loads of WEP, WPA-encrypted and non-encrypted packets with your new antenna and software. It is time to start the next stage of the hacking process - packet analysis..! Is the most technically demanding aspect of wireless hacking because it requires you to be able to use and understand a packet sniffer and, in some cases, decipher the transmission itself. Initially the single most important piece of data you should have about your identified access point is its SSID. In just about all cases this is how you will reference the identified AP. After you gain the SSID, the next goal is to determine and classify the types of data you’ve sniffed off the WLAN. The data can be logically divided by access point and then further subdivided by AP client. During packet analysis, you will quickly notice if the data you received from the initial war-drive is encrypted. If so, you must determine whether the data is encrypted via a WEP or WPA-implementation scheme, such as SSL over HTTP. If a WEP/WPA-based encryption scheme is being used, the next step is identifying the length of the key. In most cases, the length is either 64-bit (sometimes referred to as 40-bit) or 128, but some implementations allow for stronger keys, such as 256, 1024, or 2048. Here are the basic encryption options in most WAPs today:
In the realm of wireless and 802.11, gaining system access is significantly different when compared to “wired” systems. In most cases, this is due to a lack of strong WEP- or WPA-enforced encryption, thereby allowing the attacker to crack weak keys and obtain pertinent transmitted data. If the attacker has gained access to the AP’s WEP key, the WLAN is all but Hacked..! Once you have the SSID name, you’ll need to reconfigure your wireless interface to use it. On Windows operating systems, the card vendor will usually provide a utility to reconfigure the card settings or an interface to change the name of the Linksys of the SSID network you want to connect too. All SMC wireless card and its driver settings will let you change the network name to Linksys, which is the SSID of the network we wish to connect to. Most drivers will support the iwconfig interface. iwconfig is a wireless version of the ifconfig command used to configure basic 802.11 network parameters such as the SSID. Gaining Access
Summary the basics – Part 1 Now with your new equipment, tools, and knowledge You will quickly be able to determine whether a system is without security or considered to be an “Open system,” A NICE PLACE TO VISIT..! You learned about the types of equipment you need to get started. You learned key sling words used in wireless systems. You also learned about the key components that make up a IEEE packet. You learned the key acronyms used to describe and connect to a WLAN. Some of the software you will need, along with info on selecting a wireless card. The type of skill-set required to hack a wireless network. Lets go HACKING …..!
What’s Next - Part 2 Part 2 will dive even more into frequency analysis, coding techniques, hardware and software setups. Just what to look for when analyzing the data returned from your scans. Defenses against the far side. Hacking your favorite coffee shops wireless network? Smart Phones…things that go bump on the network. Run Silent Go Deep..!