
Section 6.2 Wireless Security

As you study this section, answer the following questions:

  • What is the difference between passive and active footprinting?
  • What is a rogue access point?
  • What two pieces of information does a hacker need to break into a wireless network?
  • What should you perform before access points are installed?

In this section, you will learn to:

  • Detect a rogue device
  • Scan for open ports from a remote computer
  • Discover a hidden network
  • Discover a rogue DHCP server
  • Locate a rogue wireless access point

The key terms for this section include:

  • Rogue access points: An unauthorized access point that may be set up by employees to bypass existing restrictions or installed by an attacker who has gained physical access to the building.
  • Evil twin attack: An attack where the rogue access point is configured with the same SSID as the organization's SSID. Users are knocked off the legitimate network, and when re-connecting, they unknowingly connect to the attacker's access point.
  • Access point misconfiguration: Occurs when the access points are not properly configured, opening a wireless network to attackers.
  • Jamming attacks: The deliberate use of radio noise or signals in an attempt to block or interfere with authorized wireless communications.
  • Deauthentication attack: An attack that sends fake deauthentication packets to knock people off the network.
  • Wardriving: The act of driving around and searching for wireless networks to attempt to break into.
  • MAC spoofing: The act of changing the MAC address of a network interface card to match a legitimate address and obtain network access.
  • Promiscuous client: A client that is set up and advertised using an extremely strong signal, attracting users who may be opening themselves up to an attack.
  • Passive footprinting: The use of a wireless listening device, known as a sniffer, to capture packets in an attempt to discover critical information needed for an attack.
  • Active footprinting: The use of information obtained with the passive technique to get more aggressive in the attack on the network.
  • inSSIDer Plus: A wireless network scanner application that runs on Windows platforms, developed by MetaGeek, LLC.
  • WiFi Explorer: A tool developed by Nuts About Nets for discovering and mapping wireless networks.

This section helps you prepare for the following certification exam objectives:

Exam: Objective

CompTIA CySA+ CS0-003: 1.2 Given a scenario, analyze indicators of potentially malicious activity
  • Network-related
    • Rogue devices on the network
    • Activity on unexpected ports

TestOut CyberDefense Pro: 1.1 Monitor networks
  • Monitor network ports and sockets

2.2 Detect threats using analytics and intelligence

  • Use a protocol analyzer and packet analysis to determine threats

6.2.1 Wireless Hacking


Wireless Hacking 00:00-00:30 Wireless networks are designed to provide users with easy network access wherever they go so that they aren't tethered to a physical connection. But this ease of access does create a larger attack surface. With wireless networking, any attacker that's relatively close by is considered a threat.

In this lesson, I'll cover a few of the most common Wi-Fi attacks. Then I'll talk about the methodology and tools hackers use to compromise wireless networks.

Wi-Fi Attacks 00:30-00:42 Because network security is a top priority, it's common for network administrators to implement stringent rules and limit access to websites. Some users find this very frustrating.

Rogue Access Point 00:42-01:40 To try to evade these rules, they sometimes install an access point on their own computer. This is known as a soft access point. A hacker who's gained network access, perhaps from MAC spoofing, might do the same. This is called a rogue access point or an unauthorized association.

Here's the big problem—most employees don't understand the importance of securing their soft access point or even how to do so, and they end up leaving it open to hackers' breaching attempts. When an attacker discovers a rogue access point, he or she's able to run various types of vulnerability scanners from outside the company, perhaps from a car or adjacent building, or maybe even from several miles away.

Keep in mind that if a hacker can gain some type of physical access to your company, they can also hide a physical rogue access point as well. This is often done by configuring an extremely compact and powerful hardware device called a Raspberry Pi as an access point.

Evil Twin Attack 01:40-01:47 A rogue access point placed on a network can run what's called an evil twin attack. Here's how this works:

Evil Twin Attack 01:47-02:34 Let's say that your organization has a wireless network with a service set identifier, or SSID, of MyCompanyWiFi. The employees are currently attached to this network for company use, but an attacker configures his or her own access point with the same SSID and places it near the building. The attacker can then use a jamming or disassociation attack to knock users off the legitimate network. When users reconnect, they're now connecting to the attacker's access point.

Once a victim is connected to the rogue access point, the attacker can monitor all data that flows through. The user shouldn't notice anything different since their internet is still running like normal. These attacks are extremely dangerous as the attacker has immediate access to all sorts of sensitive information.

Access Point Configuration 02:34-03:06 The other big problem with wireless access points is their configuration. Many wireless attacks are achieved simply because a network administrator didn't properly configure their legitimate access points. Access points usually include great security options, but if they aren't enabled or configured properly, they can't deflect attacks. It's as simple as that.

For many of these wireless attacks to work, the attacker needs to kick everyone off the legitimate network and prevent them from reconnecting. This is possible with jamming or disassociation attacks.

Jamming Attack 03:06-03:42 Wi-Fi jamming is the deliberate use of radio signals in an attempt to interfere with authorized wireless communications. Hackers can perform jamming attacks by analyzing the spectrum used by wireless networks and then transmitting a powerful signal to interfere with communication on the discovered frequencies. In essence, the jammer is trying to be the loudest voice or signal in the room so nearby devices can't see the legitimate wireless network. The attacker's hope is that the devices disconnect and can't reconnect afterward. Thankfully, jamming devices are illegal and difficult to come by.

Disassociation Attack 03:42-04:40 A disassociation or deauthentication attack, on the other hand, can be performed with a laptop. When a device connects to a wireless network, special unencrypted management packets are sent back and forth. A deauthentication attack takes advantage of this unencrypted process by sending fake malicious deauthentication packets to kick people off the network. The attacker can select individual users or kick everyone off. Jamming and deauthentication attacks have the same result but use very different methods.

We see Wi-Fi in use everywhere today and, as you can see, attackers are always working on methods to exploit weaknesses in the connection. Our best bet to protect our networks is to be proactive and constantly hunting for threats. You should perform regular site surveys to locate rogue access points and be constantly monitoring your network for irregular traffic. Proactive threat-hunting helps reduce a network's attack surface area.

Wireless Hacking Methodology and Tools 04:40-09:05 Now that we've talked about the different types of wireless attacks you can expect to see, let's turn to some of the methods and tools hackers use to find every way possible to break into our wireless networks.

The first step for an attacker is to find a network to hack into. This is called Wi-Fi discovery and footprinting. To footprint a wireless network, an attacker needs to identify the basic service set, or BSS, provided by the access point. Before an attacker can identify the BSS, they need to know the wireless network's SSID. An attacker can use either passive or active methods to detect this.

Passive methods involve the hacker detecting access points by sniffing packets from the airwaves. The hacker doesn't try to connect with any device or inject any packets.

Active methods involve the hacker sending a probe request with the SSID to an access point and waiting for a response. The probe request can be blank if the SSID isn't known, and the access point might end up responding with the missing information. Basically, as long as the attacker knows the BSS, they can get the SSID.

A hacker can use a variety of tools to carry out Wi-Fi discovery and footprinting. One common tool is inSSIDer Plus,

which is a Wi-Fi network scanner application that runs on Microsoft Windows platforms. With this tool, someone can scan for wireless networks using their laptop's wireless adapter. As networks are found, their signal strengths are presented visually, and the attacker can see which channels a person is using.

A similar tool that's designed to run on Android mobile devices is WiFi Explorer. Since mobile devices have built-in 802.11 radio capabilities, you could use WiFi Explorer to collect information about nearby wireless access points. As you can see here, the data you collect can be displayed in many useful ways.

So once a hacker has discovered a wireless network to target, he or she needs to gain access. This means they need to crack the security. Most wireless networks today are protected using WPA2 encryption, which is what hackers train to get around.

To crack WPA2, an attacker needs to capture the necessary packets and then perform cracking attacks on them. They do this with deauthentication attacks and offline password attacks.

A deauthentication attack is carried out against a client that's connected to the target network. To make this work, the attacker sends a deauthentication frame to the client, which disconnects the user from the network. When the client reconnects, the hacker intercepts the four-way handshake that contains the encrypted password key.

A common way to carry out these attacks is with the Aircrack-ng tool set. These tools can be used to monitor wireless networks, perform deauthentication attacks, and intercept four-way handshake packets. Once the hacker has the needed packets, they can perform an offline password-cracking attack to get the wireless key.

An offline password-cracking attack simply means that the hacker is using tools on their local machine to crack the password file. Attackers have different techniques at their disposal to do this, including brute force attacks, dictionary attacks, rainbow tables, and more. These techniques are all tedious and time-consuming, so hackers use automated tools, like Hashcat.

Hashcat is a password-cracking utility that works on multiple operating systems and can work with many different types of hashes and password files. The problem with password-cracking is that these techniques can take years if a strong password is used.

For a more secure environment, routers often use the Wi-Fi Protected Access, or WPA, Protocol. This is easy to configure without having to enter a long password. You do this with a personal identification number, or PIN, that's hard-coded into the device. But an open-source tool named Reaver takes advantage of a weakness found in this protocol that allows the program to find the PIN. To crack the password, Reaver tries a series of PINs on the router in brute-force attempts, one after another. Once the correct PIN is found, the router sends Reaver its password and the attacker can start exploiting the access point and network.

As you can see, there are a variety of methods and tools an attacker could use to gain wireless network access. As a security analyst, you must be aware of these techniques so you can prevent them from being used against your networks.

Summary 09:05-09:26 That's it for this lesson. In this lesson, we looked at some of the more common attacks a hacker might perform against a wireless network, including rogue access points, jamming, and deauthentication attacks. We also talked about the methods and tools hackers use to compromise wireless networks.

6.2.2 Wireless Hacking Facts

Wireless networks are designed to provide easy network access wherever users go. This ease of access creates a larger attack surface. Security specialists need to be aware of the methods attackers use to gain unauthorized access to wireless networks.

This lesson covers the following topics:

  • Wi-Fi attacks
  • Methods and tools

Wi-Fi Attacks

The following table lists many of the common types of wireless attacks.

Wireless Attack Type: Description

Rogue access points: A rogue access point is an unauthorized access point. Rogue access points:
  • May be set up by employees to bypass existing restrictions.
  • Can be installed by an attacker who has gained physical access to the building. An attacker:
    • Can configure an extremely compact and powerful hardware device called a Raspberry Pi as an access point.
    • Can also use software-only access points called soft access points.
    • Can set up a rogue access point close to existing internet access. The intent is that users will inadvertently connect to the rogue access point. This is known as an unauthorized association.

Evil twin attack: Rogue access points can be used to run an evil twin attack.
  • In this attack, the rogue access point is configured with the same SSID as the organization's SSID.
  • Jamming or disassociation attacks are used to knock users off the legitimate network.
  • When re-connecting to the network, the user unknowingly connects to the attacker's access point.
  • Once a user connects to the attacker's network, the attacker can monitor and capture all data that flows through the access point.
  • The user does not notice any difference in network usage.

Access point misconfiguration: Wireless attacks are often successful because the access points are not properly configured. This is known as access point misconfiguration.
  • The misconfiguration of the access point typically happens when the proper security steps have not been fully implemented.
  • Misconfiguration can open a wireless network to attackers in a number of ways.

Jamming attacks: Wi-Fi jamming is the deliberate use of radio noise or signals in an attempt to block or interfere with authorized wireless communications. Key points are:
  • An attacker analyzes the spectrum used by a wireless network.
  • When the wireless network's frequency is found, the attacker transmits a powerful signal to interfere with communication on that frequency.
  • The 802.11 protocol is based on a collision avoidance algorithm that requires a period of silence before a device can transmit.
  • Users cannot connect while jamming is taking place.
  • A user already connected will lose the connection.

Deauthentication attack: A deauthentication attack is similar to a jamming attack, except this can be performed with only a laptop.
  • When a device connects to a wireless network, special unencrypted management packets are sent back and forth.
  • A deauthentication attack sends fake deauthentication packets to knock people off the network.
  • The attacker can select individual users to knock off or knock everyone off.
  • Jamming and deauthentication attacks have the same result but use very different methods.

Wardriving: In wardriving, an attacker uses a laptop or smartphone to drive around and search for wireless networks to attempt to break into.

Although wardriving is defined as using a car for this purpose, any means of transportation, such as biking, walking, and jogging, can be used. These are then referred to as warbiking, warwalking, and warjogging.

MAC spoofing: A media access control (MAC) address is a number that uniquely identifies a network interface card.
  • This number is stored on the card in a read-only memory area.
  • Wireless network managers can create a list of legitimate MAC addresses and allow only devices with listed MAC addresses to access the wireless network.

However, many network drivers allow the MAC address to be changed.
  • An attacker can use a packet analyzer tool (also referred to as a sniffing tool) to obtain legitimate MAC addresses.
  • Then, the attacker changes the MAC address of the driver used for the attack to match one of the legitimate addresses and obtains network access.

Promiscuous client: A promiscuous client is often used in conjunction with many of the other types of attacks.
  • An attacker uses advanced technology to set up and advertise the promiscuous client using an extremely strong signal.
  • Since most users are looking for the strongest signal, a promiscuous client's signal is almost irresistible.
  • Blinded by the great connection, mobile users often forget to consider that they may be opening themselves up to an attack.

Methods and Tools

An attacker uses a process of discovery and footprinting to find a wireless network and obtain information that will help to breach it. Two of the most important things an attacker needs to break into a wireless network are the basic service set (BSS) and the service set identifier (SSID). Both are provided by access points.

The process of footprinting can be done either passively or actively, as described in the following table.

Footprinting Process: Description

Passive footprinting: Uses some type of wireless listening device, known as a sniffer, to capture packets in an attempt to discover the critical information needed.
  • Wardriving is a common passive footprinting method.
  • With passive footprinting, no attempt is made to connect with an access point or wireless clients.
  • The attacker only collects the data.

Active footprinting: Allows an attacker to use information obtained with the passive technique to get more aggressive in the attack on the network.

For example, an attacker may send packets to the access point using a discovered SSID or send a probing packet without the SSID. When an access point answers a probing packet that does not have an SSID, it includes the BSS.

There are many tools to discover and map wireless networks. The following table describes two popular tools:

Wi-Fi Discovery Tool: Description

inSSIDer Plus: inSSIDer Plus is a wireless network scanner application that runs on Windows platforms. It was developed by MetaGeek, LLC.
  • With this tool, a user can scan for wireless networks using a laptop's wireless adapter.
  • When a network is found, the tool displays the signal strength and the channels the network is using.
  • inSSIDer Plus displays other useful information about the network.

WiFi Explorer: WiFi Explorer (developed by Nuts About Nets) is another Wi-Fi scanning tool designed to run on Android phones and tablets.
  • WiFi Explorer uses the device's built-in 802.11 radio capabilities to collect information from nearby wireless access points.
  • The data collected can be displayed and used in many beneficial, legitimate ways.
  • This tool can help attackers understand the relationship between access points, wireless network SSIDs, and client devices.
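The same scan data that inSSIDer Plus or WiFi Explorer collects is what a defender's site survey runs on. As an added example (not part of the course or of either tool), this Python script checks a constructed scan against an assumed inventory of authorized access points and flags the evil twin, rogue access point and misconfiguration cases from the Wi-Fi attacks table above. The SSID MyCompanyWiFi comes from the lesson; every BSSID, channel, signal value and the three-AP inventory are assumed samples.

```python
"""Check a wireless site-survey scan against the authorized access-point inventory.
Added example, not part of the course or of inSSIDer Plus / WiFi Explorer. The
SSID MyCompanyWiFi is from the lesson; every BSSID, channel and signal value
below is an assumed sample, as is the three-AP inventory.
"""
from dataclasses import dataclass

OUR_SSID = "MyCompanyWiFi"
# Assumed inventory: authorized BSSID -> channel it is provisioned on.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": 1,
    "aa:bb:cc:00:00:02": 6,
    "aa:bb:cc:00:00:03": 11,
}
# Assumed threshold: a signal this strong is inside or right next to the building.
ON_PREMISES_DBM = -45


@dataclass(frozen=True)
class ScanEntry:
    ssid: str        # "" for a hidden network that broadcasts no SSID
    bssid: str
    channel: int
    rssi_dbm: int
    security: str    # "WPA2", "WPA3", "OPEN", ...


def classify(entry, authorized=AUTHORIZED_APS, our_ssid=OUR_SSID):
    """Return findings for one scan entry; an empty list means nothing suspicious."""
    bssid = entry.bssid.lower()
    inventory = {k.lower(): v for k, v in authorized.items()}
    findings = []
    if entry.ssid == our_ssid:
        if bssid not in inventory:
            # Our SSID from a BSSID we never deployed: the evil twin pattern.
            findings.append("evil twin candidate: our SSID from an unknown BSSID")
        else:
            if inventory[bssid] != entry.channel:
                findings.append(f"misconfiguration: on channel {entry.channel}, provisioned for {inventory[bssid]}")
            if entry.security == "OPEN":
                findings.append("misconfiguration: our SSID advertised without encryption")
    elif bssid in inventory:
        findings.append(f"authorized AP advertising unexpected SSID '{entry.ssid}'")
    elif entry.rssi_dbm >= ON_PREMISES_DBM:
        # A loud unknown network inside the building: soft AP, hidden rogue AP or promiscuous client.
        label = "hidden network" if entry.ssid == "" else f"network '{entry.ssid}'"
        findings.append(f"rogue AP candidate: strong unknown {label} on premises")
    return findings


def survey(entries, authorized=AUTHORIZED_APS, our_ssid=OUR_SSID):
    """Map BSSID -> findings for every entry that raised at least one."""
    report = {}
    for entry in entries:
        findings = classify(entry, authorized, our_ssid)
        if findings:
            report[entry.bssid.lower()] = findings
    return report


# Constructed scan, as a site-survey tool would list it.
SAMPLE_SCAN = [
    ScanEntry("MyCompanyWiFi", "aa:bb:cc:00:00:01", 1, -52, "WPA2"),   # ours, fine
    ScanEntry("MyCompanyWiFi", "aa:bb:cc:00:00:02", 11, -58, "WPA2"),  # ours, wrong channel
    ScanEntry("MyCompanyWiFi", "de:ad:be:ef:00:01", 1, -33, "OPEN"),   # evil twin
    ScanEntry("", "02:11:22:33:44:55", 6, -30, "OPEN"),                # loud hidden rogue
    ScanEntry("NeighborCafe", "11:22:33:44:55:66", 6, -81, "WPA2"),    # weak, next door
]

if __name__ == "__main__":
    for bssid, findings in survey(SAMPLE_SCAN).items():
        print(bssid, findings)
```

The weak neighbouring network is deliberately left unflagged: a survey tool that reports every SSID in range produces noise unless the signal threshold and inventory are applied.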

After gathering information on the wireless network, the attacker will attempt to gain access to it. Since many networks are protected using WPA2 encryption, the attacker will need to crack the encryption.

The first step in this process is to capture the handshake packets from which the WPA2 passphrase can be recovered. To do this:

  • A deauthentication attack is carried out against a client connected to the target network.
  • When the client reconnects, the attacker can intercept the four-way handshake containing the encrypted password key.
  • A common tool used to carry out these attacks is the Aircrack-ng set of tools.
  • These tools can be used to discover and monitor wireless networks, perform deauthentication attacks, and intercept four-way handshake packets.

With the intercepted packets, the attacker can perform an offline password-cracking attack to get the wireless key. In an offline password-cracking attack, the attacker uses a local machine to crack the password file. Different types of password-cracking techniques can be attempted, including:

  • Brute force
  • Dictionary
  • Rainbow table

Password cracking is an extremely tedious and time-consuming process. Automated tools such as Hashcat can be used to automate and simplify the process.

  • Hashcat is a password-cracking utility that works on multiple operating systems.
  • It can work with many different types of hashes and password files.

The good news for security professionals is that a strong password can take years to crack using these techniques.

An attacker may be able to attack Wi-Fi Protected Setup (WPS) if it is enabled on the router.

  • Reaver is a powerful tool tested against many different access points and WPS implementations.
  • Reaver can scan all WPS PINs available until it finds a match.
  • Once a match is found, it will exploit the AP to give the attacker access to the network.

6.2.3 Detect a Rogue Device


Detect a Rogue Device 00:00-00:28 When a device on your network isn't under the administrative control of the network staff, it's called a rogue device. Rogue devices are often completely malicious. They exist for the sole purpose of stealing sensitive information like credit card numbers and passwords. It could be a rogue wireless access point, server, and so on. In our scenario, we have a rogue DHCP server on our network, and we're going to use Wireshark to detect it.

Rogue DHCP 00:28-00:50 As clients connect to the network, both the rogue and real DHCP server offer them IP addresses as well as the other network settings. If the information provided by the rogue DHCP differs from the information provided by the real one, clients accepting IP addresses from it may experience network access problems or have their network traffic sniffed as part of a man-in-the-middle attack.

Use Wireshark to Examine the DHCP Traffic 00:50-01:10 All right. I have Kali Linux opened here, and I'm going to run Wireshark to see what's happening. I'll go to Applications, down to sniffing, and over to Wireshark. Once Wireshark launches, I'll click on the shark fin to start sniffing traffic. It's running, so I'm going to jump over to the client machine and investigate why that client can't get to the internet.

View IP Info from Windows 10 Client 01:10-01:54 Okay. I'm on the client machine that belongs to the employee that can't connect to the internet. I have a command prompt here, and I'm going to do an 'ipconfig' on the machine. Now, as I look up, I have an IP address of 10.10.10.11. The subnet mask is correct, but there's no default gateway. Also, my domain isn't CorpNet.xyz. This one, here, says BadDomain.com, so I seem to be having some problems. Just to double-check, I'm going to do an 'ipconfig /release'. Now, let's do an 'ipconfig /renew'. I'm getting the exact same information, so I'm going to investigate. Now I'm going to jump over to another workstation and see what IP addresses they're getting from the DHCP server.

View IP Info from Second Windows 10 Client 01:54-03:47 Okay. I'm on a different Windows 10 system. It's one that I use occasionally. I'm going to do an 'ipconfig'. I get some information. This domain, CorpNet.xyz, is actually the correct domain. Down here, this IP ends with 195, which is in the range of my real DHCP server. When we checked the other machine, that one ended in .11. That's not in the right IP range for my DHCP server. Here, I have my default gateway. The information down here is from another demo I did; it's not relevant here.

So, I'm going to go turn off my real DHCP for a few minutes, come back here, and renew the IP address to see if I pick up something from the rogue DHCP that appears to be running on this network.

Okay. I went in and turned off the DHCP server. I'm going to do an 'ipconfig /release'. I get a message saying I need elevated privileges, too. Let's close this and reopen the command prompt with elevated privileges. I'll say yes to the User Account Control and move the window up a little. Let's try that again. That's 'ipconfig /release', and then I'll do 'ipconfig /renew'. Now I'll just do an 'ipconfig'. And when I do, we get BadDomain.com. This IP certainly isn't coming from my DHCP server. It's not even in the IP range that I've set up. That tells me I have a rogue DHCP server. I'm going to turn on my real DHCP server again, so I don't forget.

All right. Let's turn the DHCP back on. I'm going to try to obtain a new IP address again. I'll do 'ipconfig /release' and then 'ipconfig /renew'. Now it looks like my real DHCP server beat the rogue DHCP server. This gateway and IP info is from the correct DHCP server. But I still need to find out more about this rogue DHCP server. At this point, we're going to go back to Wireshark on the Kali Linux system and see what's going on there.

View Wireshark Data 03:47-04:49 I'm back on the Kali Linux machine, where Wireshark has been running the entire time. First, let's stop sniffing. I want to filter the traffic and just see the DHCP events. We can filter things in Wireshark. If I type in 'dhcp', the filter area turns into a salmon color. That means that this filter isn't correct. I want to type in 'bootp', the filter for DHCP traffic. When I do, I get the filter to work.

Here's something I know: my DHCP server's IP is 10.10.10.1. That's what I should be seeing here. Instead, I'm getting a DHCP Offer from 10.10.10.10, which isn't my DHCP server.

If I scroll down there a bit, I can see 10.10.10.197 getting a request for an IP from the real DHCP server, 10.10.10.1.

If I scroll down more, I can see a mixture of traffic from the rogue DHCP and the real DHCP. So, somewhere on this network, I have a rogue DHCP server with the IP of 10.10.10.10.

Prevent Rogue DHCP Server 04:49-05:29 Now, come down here, and I can see the MAC address for that device. It says it's the source MAC address. To fix this on a temporary basis, I can kick that device off the network based on the MAC address. Long-term, I need to prevent this from happening in the first place.

Rogue DHCP servers can be stopped by an IPS with appropriate signatures, as well as by certain multilayer switches configured to drop the packets. One method for dealing with rogue DHCP servers is DHCP snooping. DHCP snooping drops DHCP messages that aren't trusted from a DHCP server. You can configure DHCP snooping on LAN switches to prevent rogue DHCP servers from operating.

Summary 05:29-05:54 That's it for this demo. In this demo, we investigated a rogue device on the network. First, we identified an IP address that was assigned by the rogue device. Then we verified that there was a rogue device from a second system. After that, we viewed our filtered Wireshark traffic and identified the rogue DHCP server's IP and MAC addresses.
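The demo above finds the rogue server by eye, filtering DHCP traffic in Wireshark and spotting an Offer from 10.10.10.10 instead of 10.10.10.1. As an added example (not part of the course or the demo), this Python script does the same check programmatically: it parses raw DHCP Offers and flags any whose server identifier is not on the authorized list, whose domain is not CorpNet.xyz, or which carries no default gateway. The two Offers are constructed to mirror the demo capture; the client MAC and the gateway address are assumed sample values.

```python
"""Flag DHCP Offers from servers that are not on the authorized list.
Added example, not course material. The two Offers below are constructed to
mirror the demo: real server 10.10.10.1 (CorpNet.xyz) versus rogue server
10.10.10.10 (BadDomain.com, no default gateway). Client MAC is assumed.
"""
import ipaddress
import struct

AUTHORIZED_DHCP_SERVERS = {"10.10.10.1"}   # assumption: the only sanctioned server
EXPECTED_DOMAIN = "CorpNet.xyz"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DOMAIN, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 15, 53, 54, 255
MSG_OFFER = 2


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(server_ip, your_ip, client_mac, domain, router=None):
    """Construct a minimal DHCP Offer payload (the UDP body) for the sample set."""
    header = struct.pack(
        HEADER_FMT,
        2, 1, 6, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0,             # xid, secs, flags
        b"\x00" * 4,                  # ciaddr
        _ip(your_ip),                 # yiaddr: the address being offered
        _ip(server_ip),               # siaddr
        b"\x00" * 4,                  # giaddr
        client_mac + b"\x00" * 10,    # chaddr padded to 16 bytes
        b"\x00" * 64, b"\x00" * 128,  # sname, file
    )
    opts = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + _ip(server_ip)
    if router:
        opts += bytes([OPT_ROUTER, 4]) + _ip(router)
    opts += bytes([OPT_DOMAIN, len(domain)]) + domain.encode() + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


def parse_dhcp(payload):
    """Return the header fields and TLV options a rogue-server check needs."""
    fields = struct.unpack(HEADER_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (magic cookie missing)")
    info = {"op": fields[0], "yiaddr": str(ipaddress.IPv4Address(fields[8])),
            "client_mac": fields[11][:6].hex(":"), "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        info["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return info


def check_offer(info):
    """Return (server_ip, findings); findings is [] when the Offer looks legitimate."""
    opts = info["options"]
    if info["op"] != 2 or opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return None, []               # only server Offers are examined
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "unknown"
    findings = []
    if server not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"offer from unauthorized DHCP server {server}")
    domain = opts.get(OPT_DOMAIN, b"").decode(errors="replace")
    if domain and domain.lower() != EXPECTED_DOMAIN.lower():
        findings.append(f"unexpected domain name '{domain}'")
    if OPT_ROUTER not in opts:
        findings.append("offer carries no default gateway")
    return server, findings


def find_rogue_servers(payloads):
    """Map each offering server IP to the findings against it (clean servers omitted)."""
    rogue = {}
    for payload in payloads:
        server, findings = check_offer(parse_dhcp(payload))
        if findings:
            rogue.setdefault(server, set()).update(findings)
    return rogue


# Constructed sample traffic: the real server answers with 10.10.10.195 and a
# gateway, the rogue one hands out 10.10.10.11 under BadDomain.com with none.
CLIENT_MAC = bytes.fromhex("001122334455")    # assumed sample client MAC
REAL_OFFER = build_offer("10.10.10.1", "10.10.10.195", CLIENT_MAC, "CorpNet.xyz", router="10.10.10.1")
ROGUE_OFFER = build_offer("10.10.10.10", "10.10.10.11", CLIENT_MAC, "BadDomain.com")
```

Fed the UDP payloads of a live capture (port 67/68) instead of the constructed ones, the same functions give the server IP to block and, from the parsed client MAC, the lease that was poisoned.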

6.2.4 Rogue Devices Facts

A rogue device is any unauthorized electronic equipment attached anywhere in an organization's environment.

This lesson covers the following topics:

  • Types of rogue devices
  • Rogue device detection
  • Protecting against rogue devices
  • Scan & sweep events

Types of Rogue Devices

Rogue devices can include a USB storage device attached to a computer to copy sensitive data, an extra Wi-Fi adapter installed on an employee's workstation and used to establish a wireless hotspot, or an employee's personal, unsecured smartphone connected to the network. Examples of rogue device types include the following:

  • Network taps: A physical device might be attached to cabling to record packets passing over that segment. Once attached, taps usually cannot be detected from other devices inline with the network, so physical inspection of the cabled infrastructure is necessary.
  • Wireless access points (WAP): While there are dedicated pen test rogue WAPs, such as the Wi-Fi Pineapple (shop.hak5.org/products/wifi-pineapple), anyone with access to the network can create a WAP, even from a non-specialized device like a laptop or smartphone. The WAP can be used to intentionally mislead others into connecting to the rogue access point, opening the door for on-path attacks.
  • Servers: An attacker may also use a server as a malicious honeypot to harvest credentials and data. This type of attack often requires some method of traffic diversion, usually either through ARP poisoning or corrupted name resolution.
  • Wired and wireless clients: End-user devices may introduce malware, perform network reconnaissance, or enable data exfiltration. Most user devices also include cameras and microphones.
  • Software: Rogue servers and applications, such as malicious DHCP or DNS servers, may be installed covertly on authorized hardware.
  • Virtual machines: Virtual machines make deploying rogue servers much simpler, as virtualization software is available for many different operating systems and device types.
  • Smart appliances: Devices such as printers, webcams, and VoIP handsets often contain exploitable vulnerabilities in their firmware. These devices can be used as a vector for attack. Smart appliances, including TVs, refrigerators, and "streaming sticks," are often installed in facilities with little oversight or restriction.

Rogue Device Detection

Rogue system detection refers to identifying (and removing) unauthorized devices. There are several techniques available to perform rogue machine detection:

  • Visual inspection of ports/switches: Simply looking for out-of-place devices or odd cabling connections is very effective. Looking inside cabinets and under desks for tape-mounted Raspberry Pi and other microcomputers is very important.
  • Network mapping/host discovery: Network scans can identify hosts and use banner grabbing and fingerprinting to collect valuable information. DHCP logs are also very helpful.
  • Wireless monitoring: Discover unknown or unidentifiable service set identifiers (SSIDs) showing up within range of the office.
  • Packet sniffing and traffic flow: Reveal the use of unauthorized protocols on a network and suspicious peer-to-peer communication.
  • NAC and intrusion detection: Security suites and appliances can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.

Protecting Against Rogue Devices

Rogue devices depend upon network access. By implementing port-based access control or 802.1X network access control, unauthorized devices are much less likely to gain network access. Additionally, implementing these controls can make rogue devices easier to identify.

Scan & Sweep Events

The initial stages of an attack often include network scans and ping sweeps to identify hosts and services on the network, including any exploitable vulnerabilities. The term scan can refer specifically to a port scan directed at a single host (also known as fingerprinting) to enumerate which ports are open and the software and firmware in use. A sweep refers to probing a range of IP addresses to discover hosts.

Authorized network scans should be performed from pre-authorized devices. Scans and network sweeps are useful tools in the security analyst's arsenal as they help to identify issues such as unauthorized devices and software or misconfigured hosts. Scans originating from unauthorized locations and devices should be immediately investigated. Intrusion detection systems can detect most types of scanning activity, though there are some methods of evading detection, such as sparse scanning.

Scans and sweeps against internet-facing systems are a common occurrence and are less likely to be prioritized for investigation. If other indicators of compromise are identified, they can be compared against historical scan data to determine whether the intrusion correlates with earlier scanning activity, which may reveal additional information about the attacker.
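The distinctions above (many ports on one host = port scan or fingerprinting; many hosts = sweep; scans from pre-authorized devices are expected; sparse scanning evades simple thresholds) can be turned into a small detector over flow records. The code below is an added example, not TestOut material; every address, threshold and flow record in it is constructed.

```python
from collections import defaultdict

PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]  # ports probed by the constructed scanners
AUTHORIZED_SCANNERS = frozenset({"10.10.10.99"})  # pre-authorized scanning device (constructed address)

# Constructed flow records (src_ip, dst_ip, dst_port, timestamp in seconds); not real log data.
SAMPLE_FLOWS = (
    [("10.10.10.50", "10.10.10.1", p, 100 + i) for i, p in enumerate(PORTS)]           # fast port scan of one host
    + [("10.10.10.51", f"10.10.10.{h}", 445, 200 + h) for h in range(1, 13)]          # sweep across 12 hosts
    + [("10.10.10.52", "10.10.10.1", p, 300 + 120 * i) for i, p in enumerate(PORTS)]  # sparse scan: one probe per 2 min
    + [("10.10.10.99", "10.10.10.2", p, 400 + i) for i, p in enumerate(PORTS)]         # scan from the authorized scanner
    + [("10.10.10.53", "10.10.10.1", 443, 150), ("10.10.10.53", "10.10.10.2", 80, 151)]  # ordinary client traffic
)

def detect_scan_events(flows, window=60, port_threshold=10, host_threshold=10,
                       authorized_scanners=AUTHORIZED_SCANNERS):
    """Flag sources that, within one window of `window` seconds (None = the whole capture), touch
    at least port_threshold distinct ports on a single host (port scan / fingerprinting) or
    host_threshold distinct hosts (sweep). Flows from authorized scanners are ignored.
    Returns sorted (src_ip, kind, target) tuples."""
    ports_by_target = defaultdict(set)   # (src, window_id, dst) -> distinct destination ports
    hosts_by_source = defaultdict(set)   # (src, window_id) -> distinct destination hosts
    for src, dst, port, ts in flows:
        if src in authorized_scanners:
            continue
        wid = ts // window if window else 0
        ports_by_target[(src, wid, dst)].add(port)
        hosts_by_source[(src, wid)].add(dst)
    events = set()
    for (src, _wid, dst), ports in ports_by_target.items():
        if len(ports) >= port_threshold:
            events.add((src, "port_scan", dst))
    for (src, _wid), hosts in hosts_by_source.items():
        if len(hosts) >= host_threshold:
            events.add((src, "sweep", f"{len(hosts)} hosts"))
    return sorted(events)
```

With the default one-minute window only the fast scanner and the sweep are flagged; the sparse scanner at 10.10.10.52 never exceeds the per-window threshold and is only caught when the whole capture is evaluated (`window=None`), which is the evasion the text refers to.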
