Wireless Network
An unbounded data communication system that uses radio-frequency technology to communicate with devices and obtain data
Global System for Mobile Communications (GSM)
A universal system used for mobile data transmission in wireless networks worldwide
Bandwidth
The amount of information that may be broadcast over a connection
Access point (AP)
Used to connect wireless devices to a wireless/wired network. It serves as a switch or hub between a wired LAN and wireless network.
Basic service set identifier (BSSID)
The media access control (MAC) address of an access point (AP) or base station that has set up a basic service set (BSS)
Industrial, scientific, and medical (ISM) band
A set of frequencies used by the international industrial, scientific, and medical communities
Hotspot
Places where wireless networks are available for public use
Association
The process of connecting a wireless device to an AP
Service set identifier (SSID)
A 32-alphanumeric-character unique identifier given to a wireless local area network (WLAN) that acts as a wireless identifier of the network
Orthogonal frequency-division multiplexing (OFDM)
A method of digital modulation of data in which a signal, at a chosen frequency, is split into multiple carrier frequencies that are orthogonal to each other. OFDM maps information on the changes in the carrier phase, frequency, amplitude, or a combination of these and shares bandwidth with other independent channels. It produces a transmission scheme that supports higher bit rates than parallel channel operation. It is also a method of encoding digital data on multiple carrier frequencies.
Multiple input, multiple output-orthogonal frequency-division multiplexing (MIMO-OFDM)
MIMO-OFDM influences the spectral efficiency of 4G and 5G wireless communication services. Adopting the MIMO-OFDM technique reduces interference and increases the channel robustness.
Direct-sequence spread spectrum (DSSS)
A spread spectrum technique that multiplies the original data signal with a pseudo-random noise-spreading code. Also referred to as a data transmission scheme or modulation scheme, the technique protects signals against interference or jamming.
Frequency-hopping spread spectrum (FHSS)
A method of transmitting radio signals by rapidly switching a carrier among many frequency channels
Wi-Fi
A WLAN based on the IEEE 802.11 standard, and it allows a device to access the network from anywhere within the range of an AP
Advantages of Wireless Networks
- Installation is fast and easy
- Easily provides connectivity in areas where it is difficult to lay cables
- The network can be accessed from anywhere within the range of an AP
- Public spaces such as airports, libraries, schools, and even coffee shops offer constant Internet connections through WLANs
Disadvantages of Wireless Networks
- Security may not meet expectations
- The bandwidth suffers as the number of devices in the network increases
- Wi-Fi upgrades may require new wireless cards and/or APs
- Some electronic equipment can interfere with Wi-Fi networks
Types of Wireless Networks
- Extension to a Wired Network
- Multiple Access Points
- LAN-to-LAN Wireless Network
- 3G/4G/5G Hotspot
Extension to a Wired Network
A user can extend a wired network by placing APs between a wired network and wireless devices
Types of Access Points (APs)
- Software Access Points (SAPs)
- Hardware Access Points (HAPs)
Software Access Points (SAPs)
Can be connected to a wired network, and they run on a computer equipped with a wireless network interface card (NIC)
Multiple Access Points
The network connects computers wirelessly using multiple APs. If a single AP cannot cover an area, multiple APs or extension points can be established.
Roaming
The ability to move around seamlessly in a network
LAN-to-LAN Wireless Network
APs provide wireless connectivity to local computers, and local computers on different networks can be interconnected. All hardware APs have the capability to interconnect with other hardware APs. However, interconnecting LANs over wireless connections is a complex task.
3G/4G/5G Hotspot
A type of wireless network that provides Wi-Fi access to Wi-Fi-enabled devices
Wi-Fi Authentication Process Modes
- Pre-Shared Key (PSK) Mode
- Centralized Authentication Mode
WPA/WPA2/Pre-Shared Key (PSK) Mode
Used to secure wireless networks in which a single shared password is used for authentication
Centralized Authentication Mode
A centralized authentication server, known as the remote authentication dial-in user service (RADIUS), sends authentication keys to both the AP and the client, which requires authentication with the AP.
WPA/WPA2-Enterprise/802.1x Mode
A security protocol designed for enterprises and large-scale network environments. It utilizes a centralized authentication server, typically a RADIUS server, to manage individual user credentials.
Types of Wireless Antennas
- Directional Antenna
- Omnidirectional Antenna
- Parabolic Grid Antenna
- Yagi Antenna
- Dipole Antenna
- Reflector Antenna
Directional Antenna
Can broadcast and receive radio waves from a single direction
Omnidirectional Antenna
Radiate electromagnetic (EM) energy in all directions, providing a 360° horizontal radiation pattern.
Parabolic Grid Antenna
Uses the same principle as a satellite dish, but it does not have a solid dish. It consists of a semi-dish in the form of a grid consisting of aluminum wires. Parabolic grid antennas can achieve very-long-distance Wi-Fi transmissions through highly focused radio beams.
Yagi Antenna
A unidirectional antenna commonly used in communications at a frequency band of 10 MHz to VHF and UHF. This antenna has a high gain and low signal-to-noise (SNR) ratio for radio signals. Furthermore, it not only has a unidirectional radiation and response pattern, but also concentrates the radiation and response. It consists of a reflector, dipole, and many directors. This antenna develops an end-fire radiation pattern.
Dipole Antenna
A straight electrical conductor measuring half a wavelength from end to end, and it is connected at the center of the radio frequency (RF) feed line. Also called a doublet, the antenna is bilaterally symmetrical; therefore, it is inherently a balanced antenna. This kind of antenna feeds on a balanced parallel-wire RF transmission line.
Reflector Antennas
Are used to concentrate EM energy that is radiated or received at a focal point. These reflectors are generally parabolic. If the surface of the parabolic antenna is within a tolerance limit, it can be used as a primary mirror for all frequencies. This can prevent interference while communicating with other satellites. A larger antenna reflector in terms of wavelength multiples results in a higher gain. Reflector antennas reflect radio signals and have a high manufacturing cost.
Wireless Encryption
A process of protecting a wireless network from attackers who attempt to collect sensitive information by breaching the RF traffic
802.11
The 802.11 (Wi-Fi) standard applies to WLANs and uses FHSS or DSSS as the frequency-hopping spectrum. It allows an electronic device to establish a wireless connection in any network.
802.11a
The first amendment to the original 802.11 standard. The 802.11 standard operates in the 5 GHz frequency band and supports bandwidths up to 54 Mbps using orthogonal frequency-division multiplexing (OFDM). It has a high maximum speed but is relatively more sensitive to walls and other obstacles.
802.11ax (Wi-Fi 6)
The latest generation of Wi-Fi, which enhances the foundation of 802.11ac (Wi-Fi 5). It supports speeds of up to 9.6 Gbps, uses orthogonal frequency-division multiple access (OFDMA) to efficiently manage multiple connections, and improves performance in crowded areas through features such as BSS Coloring and target wake time (TWT). Wi-Fi 6 is ideal for dense environments, such as stadiums, airports, and smart homes with many connected devices.
802.11b
Extended the 802.11 standard by creating the 802.11b specifications in 1999. This standard operates in the 2.4 GHz ISM band and supports bandwidths up to 11 Mbps using direct-sequence spread spectrum (DSSS) modulation.
802.11be (Wi-Fi 7)
An emerging standard that aims to significantly improve Wi-Fi 6/6E. It supports speeds of up to 30 Gbps, uses a multilink operation (MLO) to aggregate multiple channels across different bands, and reduces the latency for real-time applications. Wi-Fi 7 was designed for future-proof, ultrahigh-speed Internet, virtual reality, augmented reality, and advanced IoT applications.
802.11d
An enhanced version of 802.11a and 802.11b that supports regulatory domains. The specifications of this standard can be set in the media access control (MAC) layer.
IEEE 802.11e
Used for real-time applications such as voice, VoIP, and video. To ensure that these time-sensitive applications have the network resources they need, 802.11e defines mechanisms to ensure quality of service (QoS) to Layer 2 of the reference model, which is the MAC layer.
802.11g
An extension of 802.11 that supports a maximum bandwidth of 54 Mbps using OFDM technology. It uses the same 2.4 GHz band as 802.11b. The IEEE 802.11g standard defines high-speed extensions to 802.11b and is compatible with the 802.11b standard, which means 802.11b devices can work directly with an 802.11g AP.
802.11i
Improves WLAN security by implementing new encryption protocols such as the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).
802.11n
A revision that enhances the 802.11g standard with multiple-input multiple-output (MIMO) antennas. It works in both the 2.4 GHz and 5 GHz bands. Furthermore, it is an IEEE industry standard for Wi-Fi wireless local network transportation. Digital Audio Broadcasting (DAB) and WLAN use OFDM.
802.11ah/Wi-Fi HaLow
Uses 900 MHz bands for extended-range Wi-Fi networks and supports Internet of Things (IoT) communication with higher data rates and wider coverage range than the previous standards.
802.11ac
Provides a high-throughput network at a frequency of 5 GHz. It is faster and more reliable than the 802.11n standard. Moreover, it involves Gigabit networking, which provides an instantaneous data-transfer experience.
802.11ad
The 802.11ad standard includes a new physical layer for 802.11 networks and works on the 60 GHz spectrum. The data propagation speed in this standard is much higher than that of standards operating on the 2.4 GHz and 5 GHz bands, such as 802.11n.
802.12
Media utilization is dominated by this standard because it works on the demand priority protocol. The Ethernet speed with this standard is 100 Mbps. Furthermore, it is compatible with the 802.3 and 802.5 standards. Users currently on those standards can directly upgrade to the 802.12 standard.
802.15
Defines the standards for a wireless personal area network (WPAN) and describes the specifications for wireless connectivity with fixed or portable devices
802.15.1 (Bluetooth)
Mainly used for exchanging data over short distances on fixed or mobile devices. This standard works on the 2.4 GHz band.
802.15.4 (ZigBee)
Has a low data rate and complexity. The specification used in this standard is ZigBee, which transmits long-distance data through a mesh network. The specification handles applications with a low data rate of 250 Kbps, but its use increases battery life.
802.15.5
This standard deploys itself on a full-mesh or half-mesh topology. It includes network initialization, addressing, and unicasting.
802.16 (WiMAX)
A wireless communications standard designed to provide multiple physical layer (PHY) and MAC options. It is also known as WiMax. This standard is a specification for fixed broadband wireless metropolitan access networks (MANs) that use a point-to-multipoint architecture.
Wireless Standards
- 802.11 (Wi-Fi): 802.11a, 802.11x, 802.11ax, 802.11b, 802.11be, 802.11d, 802.11e, 802.11g, 802.11i, 802.11n
- 802.15 (Bluetooth)
- 802.15.4 (ZigBee)
- 802.16 (WiMAX)
Wireless Encryption Algorithms
- 802.11i
- WEP
- EAP
- LEAP
- WPA
- TKIP
- WPA2
- AES
- CCMP
- WPA2 Enterprise
- RADIUS
- PEAP
- WPA3
WEP
An encryption algorithm for IEEE 802.11 wireless networks. It is an old wireless security standard and can be cracked easily.
Extensible Authentication Protocol (EAP)
EAP supports multiple authentication methods, such as token cards, Kerberos, and certificates
Lightweight EAP (LEAP)
A proprietary version of EAP developed by Cisco
WPA
An advanced wireless encryption protocol using TKIP and Message Integrity Check (MIC) to provide strong encryption and authentication. It uses a 48-bit initialization vector (IV), 32-bit cyclic redundancy check (CRC), and TKIP encryption for wireless security.
TKIP
A security protocol used in WPA as a replacement for WEP
WPA2
An upgrade to WPA using AES and the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) for wireless data encryption.
AES
A symmetric-key encryption used in WPA2 as a replacement for TKIP
CCMP
An encryption protocol used in WPA2 for strong encryption and authentication
WPA2 Enterprise
Integrates EAP standards with WPA2 encryption
RADIUS
A centralized authentication and authorization management system
PEAP
A protocol that encapsulates the EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel
WPA3
Third-generation Wi-Fi security protocol that provides new features for personal and enterprise usage. It uses Galois/Counter Mode-256 (GCMP-256) for encryption and the 384-bit hash message authentication code with the Secure Hash Algorithm (HMAC-SHA-384) for authentication.
WPA2 Modes
- Personal
- Enterprise
WPA3 Modes
- Personal
- Enterprise
Wireless Threats
- Access Control Attacks
- Integrity Attacks
- Confidentiality Attacks
- Availability Attacks
- Authentication Attacks
Access Control Attacks
- MAC spoofing
- AP misconfiguration (SSID broadcast, Weak Password, Configuration Error)
- Ad hoc associations
- Promiscuous client
- Client mis-association
- Unauthorized association
MAC Spoofing
Using the MAC spoofing technique, an attacker can reconfigure a MAC address to appear as an authorized AP to a host on a trusted network.
AP Misconfiguration
If a user improperly configures any of the critical security settings at any of the APs, the entire network could be exposed to vulnerabilities and attacks.
Common AP Misconfiguration Key Elements
- Weak Password
- SSID Broadcast
- Configuration error
SSID Broadcast
Attacker configures APs to broadcast SSIDs to authorized users. All AP models have their own default SSID, and APs with default configurations using default SSIDs are vulnerable to brute-force dictionary attacks. Even if users enable WEP, an unencrypted SSID broadcasts the password in plaintext
Ad hoc associations
Wi-Fi clients can communicate directly via an ad-hoc mode that does not require an AP to relay packets. Security threats arise when an attacker forces a network to enable the ad-hoc mode.
Promiscuous client
Attacker places an AP near the target Wi-Fi network and gives it a common SSID, offering an irresistibly stronger signal and higher speed than the target Wi-Fi network. The intent is to lure the client to connect to the attacker's AP, rather than a legitimate Wi-Fi network.
Client mis-association
Mis-association is a security flaw that can occur when a network client connects with a neighboring AP. To perform a client mis-association attack, an attacker sets up a rogue AP outside the corporation's perimeter and lures clients to connect. Once a client connects to the rogue AP, an attacker can retrieve sensitive information.
Unauthorized association forms
- Accidental association
- Malicious association
Accidental association
Involves connecting to the target network's AP from a neighboring organization's overlapping network without the victim's knowledge
Malicious association
The attacker creates a soft AP, typically on a laptop, by running a tool that makes the laptop's NIC appear as a legitimate AP. The attacker infects the victim's machine and activates soft APs, allowing an unauthorized connection to the enterprise network.
Integrity Attack
Involves changing or altering data during transmission
Integrity Attacks
- Data-Frame Injection
- WEP Injection
- Bit-Flipping Attacks
- Extensible AP Replay
- Data Replay
- IV Replay
- RADIUS Replay
- Wireless Network Viruses
RADIUS Replay
Capturing RADIUS Access-Accept or Reject messages for later replay
Data-Frame Injection
Constructing and sending forged 802.11 frames
WEP Injection
Constructing and sending forged WEP encryption keys
Bit-Flipping Attacks
Capturing the frame and flipping random bits in the data payload, modifying the ICV, and sending it to the user
Extensible AP Replay
Capturing 802.1X Extensible Authentication Protocols for later replay
Data Replay
Capturing 802.11 data frames for later (modified) replay
Initialization Vector Replay Attacks
Deriving the keystream by sending a plaintext message
Wireless Network Viruses
Viruses have a great impact on wireless networks. They can provide an attacker with a simple method to compromise APs
Confidentiality Attack
Attempts to intercept confidential information
Confidentiality Attacks
- Eavesdropping
- Traffic Analysis
- Cracking WEP Key
- Evil Twin AP
- Honeypot AP
- Session Hijacking
- Masquerading
- MITM Attack
Eavesdropping
Capturing and decoding unprotected application traffic to obtain potentially sensitive information
Traffic Analysis
Inferring information from the observation of external traffic characteristics
Cracking WEP Key
Capturing data to recover a WEP key using brute force or Fluhrer-Mantin-Shamir (FMS) cryptanalysis
Evil Twin AP
Posing as an authorized AP by beaconing the WLAN's SSID to lure users
Honeypot AP
Setting an AP's SSID to be the same as that of a legitimate AP