Wireless threats and attacks
Wireless threatsβ
- Access control attacks
- Evading access control measures such as Access Point MAC filters, port access control
- Integrity attacks
- Sending forged frames
- E.g. data frame injection, bit-flipping.
- Confidentiality attacks
- Intercepting confidential information transmitted over the network
- E.g. traffic analysis, session hijacking, MITM, etc...
- Availability attacks
- Attempting to prevent users from accessing WLAN resources.
- E.g. flooding, ARP poisoning, De-Authentication attacks
- Authentication attacks
- Steal identity information or impersonating clients
- E.g. password cracking, identity theft, password guessing
- See also Authentication attacks |Β Hacking Web Applications
- Misconfigured access point attack
- Accidents for configurations that you can exploit
- AD Hoc connection attack
- Connecting directly to another device via ad-hoc network.
- Not very successful as the other user has to accept connection
- Honeyspot access point attack
- Using multiple WLANs in area and use same SID.
- AP MAC spoofing
- MAC spoofing to mask an authorized client
- Jamming signal attack
- Jamming or blocking the wireless communication, causing a denial of service
De-authentication attackβ
- Also known as deauthentication attack
- Used to capture the handshake traffic.
- Can also be used to DoS the client by continuously de-authenticating the device.
Evil twin attackβ
- Also known as client mis-association
- π A rogue access point outside the place with the legitimate one
- E.g. can lure the employees of the organization to connect with it
- Can be done using Airsnarf
Honeyspot attackβ
- Faking a well-known hotspot on a rogue AP
- E.g. as McDonald's or Starbucks free Wi-Fi spot
Rogue Access Point Attackβ
- Fake AP with same SSID as legitimate one.
- Allows hijacking connections and acting as a middle man sniffing
- Differs from evil twin attack as it focuses on MITM instead of WiFi passwords.
Sinkhole attackβ
- Compromised node tries to attract network traffic by advertise its fake routing update.
- Allows traffic to be directed away from its target.
- Can be used to launch other attacks like dropping or altering routing information.
DNS sinkholeβ
- Also known as a sinkhole server, Internet sinkhole, or Blackhole DNS
- DNS server that gives out a false result for a domain name.
- Used to attack on sensor/IoT device networks
- Can be prevented by owning own DNS server or hardcoding IP addresses.
- E.g. WannaCry malware was stopped spreading as a worm by Marcus Hutchins who discovered kill switch in the malware and Registering a domain name for a DNS sinkhole.
Wireless hacking methodologyβ
- Wi-Fi Discovery
- find wireless networks
- GPS mapping
- List of discovered Wi-Fi networks
- Wireless Traffic Analysis
- Capture the packets to reveal any information (SSID, authentication method, ...)
- Launch Attacks
- E.g. ARP poisoning, MAC spoofing, De-Authentication, Rogue access point, MITM.
Wireless discoveryβ
- Also known as Wi-Fi discovery
- Wardriving: Using a mobile vehicle to detect WiFi networks
- π E.g. T.J. Maxx Data Theft where 45 million credit/debit card data was stolen because of weak WEP encryption.
- Also used: warbiking, warcycling, warwalking.
- Warchalking: drawing of symbols in public places to advertise an open Wi-Fi network.
- Tools such as WiFiExplorer, WiFiFoFum, OpenSignalMaps, WiFinder
- WIGLE: map for wireless networks
- NetStumbler: Windows tool to find networks
- Kismet
- Wireless network detector, sniffer, and intrusion detection system.
- Works without sending any packets (passively)
- NetSurveyor: Windows tool similar to NetStumbler and Kismet
- Silica: Discovers and shows vulnerabilities
Wireless encryption attacksβ
WEP crackingβ
- Weak IV (Initialization Vectors)
- Small
- Get reused frequently
- Are sent in clear text during transmission
- Can take a few seconds to discover the shared secret key.
- The goal is to collect as many IVs as possible
- π‘ Inject packets to speed it up
- π Can be cracked using Aircrack-ng:
- Listen to the traffic
- Start a compatible adapter with injection and sniffing capabilities
airmon-ng start <interface-name>
- Start a sniffer to capture packets
airodump-ng --bssid <AP-MAC-address> -c 11 -w <output-file> <interface-name>
- Create more packets to escalate the process to collect more IV
- Inject ARP traffic:
aireplay-ng -3 -b 00::09:58:6F:64:1E -h 44:60:57:c8:58:A0 mon0
- Inject ARP traffic:
- Run a cracking tool to extract encryption keys from the collected IVs
aircrack-ng <output-file>.cap
- Default method is PTW (Pyshkin, Tews, Weinmann), other (older) supported methods include:
- FMS (Fluhrer, Mantin, Shamir) attacks: statistical techniques
- Korek attacks: statistical techniques
- Brute force
- Listen to the traffic
- Using separate tools for sniffing and cracking:
- Gathering packets through e.g. Wireshark or Prismdump
- Crack using e.g. WEPCrack, AirSnort, Aircrack-ng, and WEPLab
WPA/WPA2 crackingβ
- Much more difficult than WEP
- Uses a constantly changing temporal key and user-defined password
- Key Reinstallation Attack (KRACK)
- Replay attack that uses third handshake of another device's session
- Most other attacks are simply brute-forcing the password that take a lof time.
Sniffing 4-way handshakeβ
- 4-way handshake is the ceremony between AP and the device
- Vulnerability in WPA and WPA-Personal (WPA-PSK, pre-shared key)
- During WPA handshake, password is shared in encrypted form (called PMK (pairwise master key))
- Flow:
- Client tries to connect to an AP (access point)
- If the client is already connected then deauthentication attack can be used to disconnect the client and sniff when client is reconnecting.
- Grab packets while client goes through a 4-step process of authentication
- Crack WPA keys from recorded packets
- Can be an offline attack e.g. utilizing a cloud virtual machine.
- E.g. using
hashcat
- Client tries to connect to an AP (access point)
- Steps
- Recording and deauthenticating using
aircrack-ng
- π€ Used often in movies as it looks cool
airmon-ng start <interface-name>
to create a new interface and enable monitor modeairmon-ng <interface-name>
to list access points with BSSID, encryption (WPA2 etc.) and more.airmon-ng -c2 -w capture -d <BSSID> <interface-name>
to listen- Shows each client MAC and logs their traffics notifying handshakes.
airplay-ng -deauth 100 -a <BSSID> -c <client-MAC> <interface-name>
to inject packets to de-authenticate the client
- Crack the password using
hashcat
- Convert log files from
airmon-ng
from.cap
to.hccapx
using e.g. an online tool - Run
hashcat.bin -a 3 -m 2500 converted-file.hccapx ?d?d?d?d?d
-m 2500
: hash mode forWPA-EAPOL-PBKDF2
-a 3 ?d?d?d?d?d
: attack mode: bruteforce with mask telling 5 any characters.
- Convert log files from
- Recording and deauthenticating using
WPA3β
- More secure against sniffing, brute force and WPS attacks.
- However has implementation bugs that can be exploited using:
Tools for wireless encryption attacksβ
Aircrack-ngβ
- π Sniffer, detector, traffic analysis tool and a password cracker
- Official webpage | Source code
- Uses dictionary attacks for WPA and WPA2.
- Other attacks are for WEP only
Cain and Abelβ
- Also known as Cain & Abel or Cain
- π Windows tool to sniff packets and crack passwords
- Relies on statistical measures and the PTW technique to break WEP
- See also β’Β Cain and Abel | Web server threats and attacks β’ Cain and Abel | Sniffing tools