Section 6.2 Wireless Security
As you study this section, answer the following questions:
- What is the difference between passive and active footprinting?
- What is a rogue access point?
- What two pieces of information does a hacker need to break into a wireless network?
- What should you perform before access points are installed?
In this section, you will learn to:
- Detect a rogue device
- Scan for open ports from a remote computer
- Discover a hidden network
- Discover a rogue DHCP server
- Locate a rogue wireless access point
The key terms for this section include:
Description of the Table
Term | Definition |
---|---|
Rogue access points | An unauthorized access point that may be set up by employees to bypass existing restrictions or installed by an attacker who has gained physical access to the building. |
Evil twin attack | An attack where the rogue access point is configured with the same SSID as the organization's SSID. Users are knocked off the legitimate network, and when re-connecting, they unknowingly connect to the attacker's access point. |
Access point misconfiguration | Occurs when the access points are not properly configured, opening a wireless network to attackers. |
Jamming attacks | The deliberate use of radio noise or signals in an attempt to block or interfere with authorized wireless communications. |
Deauthentication attack | An attack that sends fake deauthentication packets to knock people off the network. |
Wardriving | The act of driving around and searching for wireless networks to attempt to break into. |
MAC spoofing | The act of changing the MAC address of a network interface card to match a legitimate address and obtain network access. |
Promiscuous client | A client that is set up and advertised using an extremely strong signal, attracting users who may be opening themselves up to an attack. |
Passive footprinting | The use of a wireless listening device, known as a sniffer, to capture packets in an attempt to discover critical information needed for an attack. |
Active footprinting | The use of information obtained with the passive technique to get more aggressive in the attack on the network. |
inSSIDer Plus | A wireless network scanner application that runs on Windows platforms, developed by MetaGeek, LLC. |
WiFi Explorer | A tool developed by Nuts About Nets for discovering and mapping wireless networks. |
This section helps you prepare for the following certification exam objectives:
Exam | Objective |
---|---|
CompTIA CySA+ CS0-003 | 1.2 Given a scenario, analyze indicators of potentially malicious activity
|
TestOut CyberDefense Pro | 1.1 Monitor networks
2.2 Detect threats using analytics and intelligence
|
6.2.1 Wireless Hacking
Click one of the buttons to take you to that part of the video.
Wireless Hacking 00:00-00:30 Wireless networks are designed to provide users with easy network access wherever they go so that they aren't tethered to a physical connection. But this ease of access does create a larger attack surface. With wireless networking, any attacker that's relatively close by is considered a threat.
In this lesson, I'll cover a few of the most common Wi-Fi attacks. Then I'll talk about the methodology and tools hackers use to compromise wireless networks.
Wi-Fi Attacks 00:30-00:42 Because network security is a top priority, it's common for network administrators to implement stringent rules and limit access to websites. Some users find this very frustrating.
Rogue Access Point 00:42-01:40 To try to evade these rules, they sometimes install an access point on their own computer. This is known as a soft access point. A hacker who's gained network access, perhaps from MAC spoofing, might do the same. This is called a rogue access point or an unauthorized association.
Here's the big problem—most employees don't understand the importance of securing their soft access point or even how to do so, and they end up leaving it open to hackers' breaching attempts. When an attacker discovers a rogue access point, he or she's able to run various types of vulnerability scanners from outside the company, perhaps from a car or adjacent building, or maybe even from several miles away.
Keep in mind that if a hacker can gain some type of physical access to your company, they can also hide a physical rogue access point as well. This is often done by configuring an extremely compact and powerful hardware device called a Raspberry Pi as an access point.
Evil Twin Attack 01:40-01:47 A rogue access point placed on a network can run what's called an evil twin attack. Here's how this works:
Evil Twin Attack 01:47-02:34 Let's say that your organization has a wireless network with a service set identifier, or SSID, of MyCompanyWiFi. The employees are currently attached to this network for company use, but an attacker configures his or her own access point with the same SSID and places it near the building. The attacker can then use a jamming or disassociation attack to knock users off the legitimate network. When users reconnect, they're now connecting to the attacker's access point.
Once a victim is connected to the rogue access point, the attacker can monitor all data that flows through. The user shouldn't notice anything different since their internet is still running like normal. These attacks are extremely dangerous as the attacker has immediate access to all sorts of sensitive information.
Access Point Configuration 02:34-03:06 The other big problem with wireless access points is their configuration. Many wireless attacks are achieved simply because a network administrator didn't properly configure their legitimate access points. Access points usually include great security options, but if they aren't enabled or configured properly, they can't deflect attacks. It's as simple as that.
For many of these wireless attacks to work, the attacker needs to kick everyone off the legitimate network and prevent them from reconnecting. This is possible with jamming or disassociation attacks.
Jamming Attack 03:06-03:42 Wi-Fi jamming is the deliberate use of radio signals in an attempt to interfere with authorized wireless communications. Hackers can perform jamming attacks by analyzing the spectrum used by wireless networks and then transmitting a powerful signal to interfere with communication on the discovered frequencies. In essence, the jammer is trying to be the loudest voice or signal in the room so nearby devices can't see the legitimate wireless network. The attacker's hope is that the devices disconnect and can't reconnect afterward. Thankfully, jamming devices are illegal and difficult to come by.
Disassociation Attack 03:42-04:40 A disassociation or deauthentication attack, on the other hand, can be performed with a laptop. When a device connects to a wireless network, special unencrypted management packets are sent back and forth. A deauthentication attack takes advantage of this unencrypted process by sending fake malicious deauthentication packets to kick people off the network. The attacker can select individual users or kick everyone off. Jamming and deauthentication attacks have the same result but use very different methods.
We see Wi-Fi in use everywhere today and, as you can see, attackers are always working on methods to exploit weaknesses in the connection. Our best bet to protect our networks is to be proactive and constantly hunting for threats. You should perform regular site surveys to locate rogue access points and be constantly monitoring your network for irregular traffic. Proactive threat-hunting helps reduce a network's attack surface area.
Wireless Hacking Methodology and Tools 04:40-09:05 Now that we've talked about the different types of wireless attacks you can expect to see, let's turn to some of the methods and tools hackers use to find every way possible to break into our wireless networks.
The first step for an attacker is to find a network to hack in to. This is called Wi-Fi discovery and footprinting. To footprint a wireless network, an attacker needs to identify the basic service set, or BSS, provided by the access point. Before an attacker can identify the BSS, they need to know the wireless network's SSID. An attacker can use either passive or active methods to detect this.
Passive methods involve the hacker detecting access points by sniffing packets from the airwaves. The hacker doesn't try to connect with any device or inject any packets.
Active methods involve the hacker sending a probe request with the SSID to an access point and waiting for a response. The probe request can be blank if the SSID isn't known, and the access point might end up responding with the missing information. Basically, as long as the attacker knows the BSS, they can get the SSID.
A hacker can use a variety of tools to carry out Wi-Fi discovery and footprinting. One common tool is inSSIDer Plus,
which is a Wi-Fi network scanner application that runs on Microsoft Windows platforms. With this tool, someone can scan for wireless networks using their laptop's wireless adapter. As networks are found, their signal strengths are presented visually, and the attacker can see which channels a person is using.
A similar tool that's designed to run on Android mobile devices is WifiExplorer. Since mobile devices have built-in 802.11 radio capabilities, you could use WifiExplorer to collect information about nearby wireless access points. As you can see here, the data you collect can be displayed in many useful ways.
So once a hacker has discovered a wireless network to target, he or she needs to gain access. This means they need to crack the security. Most wireless networks today are protected using WPA2 encryption, which is what hackers train to get around.
To crack WPA2, an attacker needs to capture the necessary packets and then perform cracking attacks on them. They do this with deauthentication attacks and offline password attacks.
A deauthentication attack is carried out against a client that's connected to the target network. To make this work, the attacker sends a deauthenication frame to the client, which disconnects the user from the network. When the client reconnects, the hacker intercepts the four-way handshake that contains the encrypted password key.
A common way to carry out these attacks is with the Aircrack-ng tool set. These tools can be used to monitor wireless networks, perform deauthentication attacks, and intercept four-way handshake packets. Once the hacker has the needed packets, they can perform an offline password-cracking attack to get the wireless key.
An offline password-cracking attack simply means that the hacker is using tools on their local machine to crack the password file. Attackers have different techniques at their disposal to do this, including brute force attacks, dictionary attacks, rainbow tables, and more. These techniques are all tedious and time-consuming, so hackers use automated tools, like Hashcat.
Hashcat is a password-cracking utility that works on multiple operating systems and can work with many different types of hashes and password files. The problem with password-cracking is that these techniques can take years if a strong password is used.
For a more secure environment, routers often use the Wi-Fi Protected Access, or WPA, Protocol. This is easy to configure without having to enter a long password. You do this with a personal identification number, or PIN, that's hard-coded into the device. But an open-source tool named Reaver takes advantage of a weakness found in this protocol that allows the program to find the PIN. To crack the password, Reaver tries a series of PINs on the router in brute-force attempts, one after another. Once the correct PIN is found, the router sends Reaver its password and the attacker can start exploiting the access point and network.
As you can see, there are a variety of methods and tools an attacker could use to gain wireless network access. As a security analyst, you must be aware of these techniques so you can prevent them from being used against your networks.
Summary 09:05-09:26 That's it for this lesson. In this lesson, we looked at some of the more common attacks a hacker might perform against a wireless network, including rogue access points, jamming, and deauthentication attacks. We also talked about the methods and tools hackers use to compromise wireless networks.
6.2.2 Wireless Hacking Facts
Wireless networks are designed to provide easy network access wherever users go. This ease of access creates a larger attack surface. Security specialists need to be aware of the methods attackers use to gain unauthorized access to wireless networks.
This lesson covers the following topics:
- Wi-Fi attacks
- Methods and tools
Wi-Fi Attacks
The following table lists many of the common types of wireless attacks.
Wireless Attack Type | Description |
---|---|
Rogue access points | A rogue access point is an unauthorized access point. Rogue access points:
|
Evil twin attack | Rogue access points can be used to run an evil twin attack.
|
Access point misconfiguration | Wireless attacks are often successful because the access points are not properly configured. This is known as access point misconfiguration.
|
Jamming attacks | Wi-Fi jamming is the deliberate use of radio noise or signals in an attempt to block or interfere with authorized wireless communications. Key points are:
|
Deauthentication attack | A deauthentication attack is similar to a jamming attack, except this can be performed with only a laptop.
|
Wardriving | In wardriving, an attacker uses a laptop or smartphone to drive around and search for wireless networks to attempt to break into. Although wardriving is defined as using a car for this purpose, any means of transportation, such as biking, walking, and jogging can be used. These are then referred to as warbiking, warwalking, and warjogging. |
MAC spoofing | A media access control (MAC) address is a number that uniquely identifies a network interface card.
However, many network drivers allow the MAC address to be changed.
|
Promiscuous client | A promiscuous client is often used in conjunction with many of the other types of attacks.
|
Methods and Tools
An attacker uses a process of discovery and footprinting to find a wireless network and obtain information that will help to breach it. Two of the most important things an attacker needs to break into a wireless network are the Basic Service Sets (BSS) and the service set identifier (SSID). Both are provided by access points.
The process of footprinting can be done either passively or actively, as described in the following table.
Footprinting Process | Description |
---|---|
Passive footprinting | Uses some type of wireless listening device, known as a sniffer, to capture packets in an attempt to discover the critical information needed.
|
Active footprinting | Allows an attacker to use information obtained with the passive technique to get more aggressive in the attack on the network. For example, an attacker may send packets to the access point using a discovered SSID or send a probing packet without the SSID. When an access point answers a probing packet that does not have an SSID, it includes the BSS. |
There are many tools to discover and map wireless networks. The following table describes two popular tools:
Wi-Fi Discovery Tool | Description |
---|---|
inSSIDer Plus | inSSIDer Plus is a wireless network scanner application that runs on Windows platforms. It was developed by MetaGeek, LLC.
|
WiFi Explorer | WiFi Explorer (developed by Nuts About Nets) is another Wi-Fi scanning tool designed to run on Android phones and tablets.
|
After gathering information on the wireless network, the attacker will attempt to gain access to it. Since many networks are protected using WPA2 encryption, the attacker will need to crack the encryption.
The first step in this process is to capture a packet that contains the WPA2 passphrase. To do this:
- A deauthentication attack is carried out against a client connected to the target network.
- When the client reconnects, the attacker can intercept the four-way handshake containing the encrypted password key.
- A common tool used to carry out these attacks is the Aircrack-ng set of tools.
- These tools can be used to discover and monitor wireless networks, perform deauthentication attacks, and intercept four-way handshake packets.
With the intercepted packets, the attacker can perform an offline password-cracking attack to get the wireless key. In an offline password-cracking attack, the attacker uses a local machine to crack the password file. Different types of password-cracking techniques can be attempted, including:
- Brute force
- Dictionary
- Rainbow table
Password cracking is an extremely tedious and time-consuming process. Automated tools such as Hashcat can be used to automate and simplify the process.
- Hashcat is a password-cracking utility that works on multiple operating systems.
- It can work with many different types of hashes and password files.
The good news for security professionals is that a strong password can take years to crack using these techniques.
An attacker may be able to attack WPS if it is being utilized on the router.
- Reaver is a powerful tool tested against many different access points and WPS implementations.
- Reaver can scan all WPS PINs available until it finds a match.
- Once a match is found, it will exploit the AP to give the attacker access to the network.
6.2.3 Detect a Rogue Device
Click one of the buttons to take you to that part of the video.
Detect a Rogue Device 00:00-00:28 When a device on your network isn't under the administrative control of the network staff, it's called a rouge device. Rogue devices are often completely malicious. They exist for the sole purpose of stealing sensitive information like credit card numbers and passwords. It could be a rogue wireless access point, server, and so on. In our scenario, we have a rogue DCHP server on our network, and we're going to use Wireshark to detect it.
Rogue DHCP 00:28-00:50 As clients connect to the network, both the rogue and real DHCP server offer them IP addresses as well as the other network settings. If the information provided by the rogue DHCP differs from the information provided by the real one, clients accepting IP addresses from it may experience network access problems or have their network traffic sniffed as part of a man-in-the-middle attack.
Use Wireshark to Examine the DHCP Traffic 00:50-01:10 All right. I have Kali Linux opened here, and I'm going to run Wireshark to see what's happening. I'll go to Applications, down to sniffing, and over to Wireshark. Once Wireshark launches, I'll click on the shark fin to start sniffing traffic. It's running, so I'm going to jump over to the client machine and investigate why that client can't get to the internet.
View IP Info from Windows 10 Client 01:10-01:54 Okay. I'm on the client machine that belongs to the employee that can't connect to the internet. I have a command prompt here, and I'm going to do an 'ipconfig' on the machine. Now, as I look up, I have an IP address of 10.10.10.11. The subnet mask is correct, but there's no default gateway. Also, my domain isn't CorpNet.xyz. This one, here, says BadDomain.com, so I seem to be having some problems. Just to double-check, I'm going to do an 'ipconfig /release'. Now, let's do an 'ipconfig /renew'. I'm getting the exact same information, so I'm going to investigate. Now I'm going to jump over to another workstation and see what IP addresses they're getting from the DHCP server.
View IP Info from Second Client 10 Client 01:54-03:47 Okay. I'm on a different Windows 10 system. It's one that I use occasionally. I'm going to do an 'ipconfig'. I get some information. This domain, CorpNet.xyz, is actually the correct domain. Down here, this IP ends with 195, which is in the range of my real DHCP server. When we checked the other machine, that one ended in .11. That's not in in the right IP range for my DHCP server. Here, I have my default gateway. The information down here is from another demo I did it's not relevant here.
So, I'm going to go turn off my real DHCP for a few minutes, come back here, and renew the IP address to see if I pick up something from the rogue DHCP that appears to be running on this network.
Okay. I went in and turned off the DHCP server. I'm going to do an 'ipconfig /release'. I get a message saying I need elevated privileges, too. Let's close this and reopen the command prompt with elevated privileges. I'll say yes to the User Account Control and move the window up a little. Let's try that again. That's 'ipconfig /release', and then I'll do 'ipconfig /renew'. Now I'll just do an 'ipconfig'. And when I do, we get BadDomain.com. This IP certainly isn't coming from my DHCP server. It's not even in the IP range that I've set up. That tells me I have a rogue DHCP server. I'm going to turn on my real DHCP server again, so I don't forget.
All right. Let's turn the DHCP back on. I'm going to try to obtain a new IP address again. I'll do 'ipconfig /release' and then 'ipconfig /renew'. Now it looks like my real DHCP server beat the rogue DHCP server. This gateway and IP info is from the correct DHCP server. But I still need to find out more about this rogue DHCP server. At this point, we're going to go back to Wireshark on the Kali Linux system and see what's going on there.
View Wireshark Data 03:47-04:49 I'm back on the Kali Linux machine, where Wireshark has been running the entire time. First, let's stop sniffing. I want to filter the traffic and just see the DHCP events. We can filter things in Wireshark. If I type in 'dhcp', the filter area turns into a salmon color. That means that this filter isn't correct. I want to type in 'bootp', the filter for DHCP traffic. When I do, I get the filter to work.
Here's something I know: my DHCP server's IP is 10.10.10.1. That's what I should be seeing here. Instead, I'm getting a DHCP Offer from 10.10.10.10, which isn't my DHCP server.
If I scroll down there a bit, I can see 10.10.10.197 getting a request for an IP from the real DHCP server, 10.10.10.1.
If I scroll down more, I can see a mixture of traffic from the rogue DHCP and the real DHCP. So, somewhere on this network, I have a rogue DHCP server with the IP of 10.10.10.10.
Prevent Rogue DHCP Server 04:49-05:29 Now, come down here, and I can see the MAC address for that device. It says it's the source MAC address. To fix this on a temporary basis, I can kick that device off the network based on the MAC address. Long-term, I need to prevent this from happening in the first place.
Rogue DHCP servers can be stopped by an IPS with appropriate signatures, as well as by certain multilayer switches configured to drop the packets. One method for dealing with rogue DHCP servers is DHCP snooping. DHCP snooping drops DHCP messages that aren't trusted from a DHCP server. You can configure DHCP snooping on LAN switches to prevent rogue DHCP servers from operating.
Summary 05:29-05:54 That's it for this demo. In this demo, we investigated a rogue device on the network. First, we identified an IP address that was assigned by the rogue device. Then we verified that there was a rogue device from a second system. After that, we viewed our filtered Wireshark traffic and identified the rogue DHCP server's IP and MAC addresses.
6.2.4 Rogue Devices Facts
A rogue device is any unauthorized electronic equipment attached anywhere in an organization's environment.
This lesson covers the following topics:
- Types of rogue devices
- Rogue device detection
- Protecting against rogue devices
- Scan & sweep events
Types of Rogue Devices
Rogue devices can include a USB storage device attached to a computer to copy sensitive data, an extra Wi-Fi adapter installed on an employee's workstation and used to establish a wireless hotspot or an employee's personal, unsecured smartphone connected to the network. Examples of rogue device types include the following:
Rogue Device Type | Description |
---|---|
Network taps | A physical device might be attached to cabling to record packets passing over that segment. Once attached, taps cannot usually be detected from other devices inline with the network, so physical inspection of the cabled infrastructure is necessary. |
Wireless access points (WAP) | While there are dedicated pen test rogue WAPs, such as the Wi-Fi Pineapple ( shop.hak5.org/products/wifi-pineapple ), anyone with access to the network can create a WAP, even from a non-specialized device like a laptop or smartphone. The WAP can be used to intentionally mislead others into connecting to the rogue access point, opening the door for on-path attacks. |
Servers | An attacker may also use a server as a malicious honeypot to harvest credentials and data. This type of attack often requires some method of traffic diversion, usually either through ARP poisoning or corrupted name resolution. |
Wired and wireless clients | End-user devices may introduce malware, perform network reconnaissance, or enable data exfiltration. Most user devices also include cameras and microphones. |
Software | Rogue servers and applications, such as malicious DHCP or DNS servers, may be installed covertly on authorized hardware. |
Virtual machines | Virtual machines make deploying rogue servers much simpler, as virtualization software is available for many different operating systems and device types. |
Smart appliances | Devices such as printers, webcams, and VoIP handsets often contain exploitable vulnerabilities in their firmware. These devices can be used as a vector for attack. Smart appliances, including TVs, refrigerators, and "streaming sticks," are often installed in facilities with little oversight or restriction. |
Rogue Device Detection
Rogue system detection refers to identifying (and removing) unauthorized devices. There are several techniques available to perform rogue machine detection:
Technique | Description |
---|---|
Visual inspection of ports/switches | Simply looking for out-of-place devices or odd cabling connections is very effective. Looking inside cabinets and under desks for tape-mounted Raspberry Pi and other microcomputers is very important. |
Network mapping/host discovery | Network scans can identify hosts and use banner grabbing and fingerprinting to collect valuable information. DHCP logs are also very helpful. |
Wireless monitoring | Discover unknown or unidentifiable service set identifiers (SSIDs) showing up within range of the office. |
Packet sniffing and traffic flow | Reveal the use of unauthorized protocols on a network and suspicious peer-to-peer communication. |
NAC and intrusion detection | Security suites and appliances can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. |
Protecting Against Rogue Devices
Rogue devices depend upon network access. By implementing port-based access control or 802.1x network access control, unauthorized devices are much less likely to be able to gain network access. Additionally, implementing these controls can help make identifying rogue devices easier.
Scan & Sweep Events
The initial stages of an attack often include network scans and ping sweeps to identify hosts and services on the network, including any exploitable vulnerabilities. The term scan can refer specifically to a port scan directed at a single host (also known as fingerprinting) to enumerate which ports are open and the software and firmware in use. A sweep refers to probing a range of IP addresses to discover hosts.
Authorized network scans should be performed from pre-authorized devices. Scans and network sweeps are useful tools in the security analyst's arsenal as they help to identify issues such as unauthorized devices and software or misconfigured hosts. Scans originating from unauthorized locations and devices should be immediately investigated. Intrusion detection systems can detect most types of scanning activity, though there are some methods of evading detection, such as sparse scanning.
Scan sweeps on internet-facing systems are a common occurrence and less likely to be prioritized for investigation. Identification of other indicators of compromise can be compared to historical data to determine if the intrusion correlates to scanning activity and reveals additional information about the attacker.