Wireless Network Hacking

The Vulnerabilities Of A Wireless Network

Related Articles

Risk Management

Ethical Hacking Topics

Hacking Overview
Footprinting And Reconnaissance
Network Scanning
Enumeration Stage
System Hacking
Trojan And Backdoors
Viruses And Worms
Virus and Worm Timeline
Sniffers And Session Hijacking
Social Engineering
Denial of Service
Web Server and Applications
Wireless Network Hacking
IDS, Firewalls, Honeypots
Buffer Overflows
Cryptography
Penetration Testing

Outside of being inexpensive and scalable, wireless networks have many more advantages. Wireless communication has become more than a novelty; it's become a way of life and almost as impossible to do without as water or electricity.

For the attacker, with wireless networks, the question now is asking what level of security is covering the wireless networks? Since WiFi can be piggybacked, many ISPs have lost interest in trying to protect them from their end. This is why, from the security stand-point, the owner that is making a WiFi signal available should not put security on the side-line.

Wireless Network Design

Wireless Network Categories

Providing an inexpensive and flexible way to establish communications, wireless security must be a concern. Challenges, along with security include providing a single that is reliable and allowing for privacy. Wireless technologies operate on Layer 1 of the OSI and often do incorporate protocols from Layer 2 as well. This is for framing and management needs.

Here are some of the broader categories of wireless technologies in use:

  • Infrared, Microwave & RF (Legacy Technologies)
  • Wireless Fidelity (WiFi)
  • Cell Phone Technologies (CMDA & GSM)
  • Blue tooth
  • RFID Devices

Clients connect to wireless networks via an infrastructure configuration or in an ad hoc fashion. With an infrastructure configuration, a group of clients work together and can share resources. The ad hoc method of networks are usually designed for temporary connections between two hosts.

WiFi Network Types

WiFi refers to a series of different protocols and versions. The Institute of Electronics and Electrical Engineers (IEEE) and also known as the "I-triple-E", have assigned certain designations for different WiFi specifications. These are:

IEEE Distance (Meters / Feet) Speed Frequency Range
802.11a 20 / ~98 54 Mbps 5 Ghz
802.11b 100 / ~328 11 Mbps 2.4 Ghz
801.11g 100 / ~328 54 Mbps 2.4 Ghz
802.11n +125 / +410 +600 Mbps 2.4 Ghz

Here are some important facts regarding the different WiFi protocols.

802.11a networks are not as resilient to noise and signal degradation as 802.11b.

802.11b offered the best of both in regards to speed and reliability.

802.11i was a rewrite of the WEP protocols that upgraded the security of WPA(2).

802.11e included extensions that allowed for quality of service (QoS) for data streams like multimedia. WiFi Multimedia (WMM) is a subset of 802.11e.

802.11n was an upgrade that focused on reliability and distance. The original speed was 108 Mbps in the pre-draft version. Devices that are "n" ready have increased the speeds, however the distance of 125 Meters (401 Feet) is in debate. Notably, some devices have demonstrated reliable signals at a distance of up to 500 Meters (1,640 Feet.)

802.11x was an authentication extension that allowed technologies such as RADIUS or EAP and LEAP. These are used to authenticate the clients to the network. Though somewhat difficult to setup and maintain, many commercial tools have made it easier and the approach can be extremely effective.

WiFi Network Setup

Having similar characteristics as a wired network, WiFi networks use a hub as the concentrator. This is also known as a "star wired, logical bus" architecture, only more dangerous. Anyone within radio distance of he signal will be able to see it without requiring a physical access to wiring. The hardware equivalent of the concentrator is known as the Access Point (AP). Clients must wirelessly first associate themselves to an AP in order to participate in the network.

Since the same signal space is shared by everyone in the signal range, everyone has access to multiple APs and peers. A logical group of participants is bound by a shared string. This string is known as the Service Set Identifier (SSID); the group of participants is known as the Service Set. Part of the associating with an AP involves presenting this string in a management frame.

If it is wanted to have the network easy to find and join, the SSID is broadcast by the AP at a periodic rate in beacon frames. This notification of the SSID is know to be an open network. When the SSID is not broadcast by the AP, it is known as a closed network. In this case, the client nees to know the string in advance before associating with this network.

Though not a secret, the SSID is considered a shared password. The SSIDs are sent in clear text, even on a closed network when a client associates. An attacker armed with a wireless card is capable of sniffing these management frames to discover this information.

After a client has associated, there are additional agreements made with the AP in regards to collision avoidance as well as other management parameters. At this point the client is ready to send traffic. The OSI upper Layers 3 - 7 come into play in the same manner as in any wired network.

In a typical infrastructure consisting of both wired and wireless networks, all clients participate in the same Layer 3 network segment. Clients associating with the AP via their SSID string are using a different Layer 2 technology than those on a wired network. Wireless routing products, for the most part incorporate a Layer 2 translation bridge to allow 802.3 and 802.11 devices to seem as if they are on the same network. Nothing else is different at this point. Each device must have or lease an IP configuration and must be able to communicate common protocols.

For an attacker, the best way to access wireless machines is to have a physical connection to the router if possible and then bypass the wireless altogether. Successfully associating with the AP is pretty much the same thing as plugging into a drop even if the attacker is in the parking lot. With this said, proper segmentation is critical in the terms of defense. Consider higher layer authentication techniques whenever wireless access is going to be provided.

Antenna Types

An attacker must understand the type of wireless antenna used to execute a successful attack. There are two major types of antennas used.

  • Directional (or Unidirectional)
  • Omni-directional

Directional Antennas

A Directional antenna aims the signal in a more specific pattern. There are several types of these antennas.

Yagi Antenna

Yagi Antenna A Yagi antenna is a directional antenna consisting of a driven element such as dipole or folded dipole and additional parasitic elements which are typically a reflector and one or more directors. It radiates in only one direction and is most commonly used in point-to-point communications.

A Yagi antenna is also known as "beam antenna" or "parasitic array". It is very widely used as a high-gain antenna on the HF, VHF and UHF bands.

It is used for communications in a medium range of three to five miles between two points and can also be used as a bridge antenna to connect clients to an access point.

Diapole Antenna

Diapole Antenna

A Dipole antenna consists of two straight rods or wires oriented end to end on the same axis with the feed-line connected to the two adjacent ends, however Dipoles may be fed anywhere along their length.

Dipoles are frequently used as resonant antennas. As the feed-point of such an antenna is shorted, it will be able resonate at a particular frequency similar to a string instrument being plucked.

The most common Diapole antenna is the half-wave dipole. This design incorporates two rod elements approximately 1/4 wavelength long so the whole antenna is a half-wavelength long.

Reflector Antenna

Relector Antenna A Reflector antenna is an antenna device that reflects electromagnetic waves. Reflector antennas can exist as a standalone device for redirecting radio frequency (RF) energy or can be integrated as part of an antenna assembly. Its efficiency is measured in terms of its effectiveness ratio.

The primary advantage of a Reflector antenna is that it has high directivity. It's functionality similar to a searchlight or flashlight reflector. It directs the radio waves in a narrow beam or receive radio waves from one particular direction only.

Omnidirectional Antennas

Omnidirectional Antenna

Omnidirectional Antenna An Omnidirectional Antenna radiates radio wave power uniformly in all directions in one plane with the radiated power decreasing with elevation angle above or below the plane dropping to zero on the antenna's axis. This radiation pattern is often described as "dough-nut shaped".

A few of the common types of omnidirectional antennas are the whip antenna, "Rubber Ducky" antenna, ground plane antenna, vertically oriented dipole antenna, discone antenna, mast radiator, horizontal loop antenna, also known as a 'circular aerial' because of the shape and the halo antenna.

The fortunate fact for an attacker is that many network are omnidirectional units that are located in the ceiling tiles drawing little attention. Even a laptop can be turned into an AP and would create little to no suspicion.

Sniffing Wireless Traffic

It is more difficult to sniff a wireless network than it is a wired network. Though hardware NICs can be placed into promiscuous mode by using drivers, there is no such universal driver for this on a wireless card. The only equivalent term for this would be "monitor mode" and some wireless card do not support it at all.

If your intention is to only sniff your own traffic, sniffers such as Wireshark work well. All you have to do is to uncheck the option for sniffing in promiscuous mode. On a final note, some attacks require packet injection and just being in monitor mode does not mean your wireless NIC will achieve this either.

Security Considerations

Signal leakage exposes data or provides greater exposure to possible connectivity from unauthorized clients. MAC address filters can be configured but spoofed as well.By adding additional layers of protection can help, encryption being one of them, however all of these best practices come with the price of additional administrative overhead. The attacker constantly looks for a network that has not been given the proper attention.

You can use the settings in an AP itself to create either an open or closed network. If the closed network turns out to be greater trouble than necessary, the change of the default SSID of the AP is recommended. AP manufactures default SSIDs are easily recognized and indicate to an attacker an AP is not likely administered properly in other ways as well. Also, if additional authentication is not in use, this could result in associating with the wrong network.

Regular audits of surrounding areas are recommended and important. Establishing a baseline of existing SSIDs is a good first step. It is even better to develop signal profiles so that rogue APs might at least be detected.

A De-auth (De-authentication) flood involves a rouge access point that is spoofing a MAC address of a connected client and then sending a de-auth packet to the access point. At the same time it acts to have the same SSID so that the same client will reconnect with the attacker if it has a stronger signal. The hijacking exploit involves understanding how the disruption at lower layers of the network can lead to the taking of higher layers.

When a wireless client connects to an AP, only a hardware association exists. There is no association with user accounts and no way to who is operating the hardware that has joined the service set. Without securing any network at the lower layer possible, the higher layer authentication services are at risk. If attackers can see the network and transmit traffic, they can attack it.s

WEP and WPA

WEP (Wired Equivalent Privacy)

Wired Equivalent Privacy (WEP) was designed to emulate the benefits of being on a wired network on a switched environment. As you know, the wireless network has a hub-like nature prone to risks and signal leakage creating an even worse situation because physical access to the network is difficult to control.

To configure WEP, you begin with a pre-shared key. The AP if first configured with the key and then each client that is authorized to connect to the wireless network is configured with the same key. In advance to any connection, one key is shared to as many clients as necessary. Obviously, the key is not secret and there are a lot of administrative overheads as far as time goes should you want to change the key on the AP and the clients. WEP does help though by separating frames from different service set traffic and making sure that if someone is sniffing, they can't just see everything.

The pre-shared key is either 40 or 104 bits in length. The AP transmits an Initialization Vector (IV) periodically to each associated client. This is then appended to the pre-shared key. This now generates a Rivest Cypher 4 (RC4) encryption key that is either 64 or 128 bits in length. The IV is always 24 bits long.

The result of this is a key that is 40 + 24 or 104 + 24 and then used to encrypt the data portion of the WiFi traffic being sent from the client and the AP using a XOR process. When the AP changes the IV, it is sent in a management frame to the clients so the client will know how to encrypt and decrypt the traffic. When the IV is changed again, the process repeats. The pre-shared key is never exchanged on the network, however the IV is clear and unprotected should the attacker see the management frames.

As an IV is transmitted, it is known as an Interesting Frame. The IV is only 24 bits and therefore limited to a number of times it is available before repeating itself. If the AP has not been restarted, its pseudo-random number generator will create a set of IVs that will repeat eventually. Some IVs are considered weak as they introduce patters off bits into the key stream.

If an attacker sniffs enough interesting frames, enough statistical data will be created that will most likely reveal the pre-shared key. This technique was known as the Flurer, Mantin and Shamir (FMS) attack and takes advantage of the weak key scheduling algorithm in RC4 along with analysis of predictable IVs to compute the PSK.

WPA (WiFi PRotected Access)

WiFi Protected Access (WPA) is a subset of the 802.11i specification. It is an improvement over the 802.11 specification regarding security as it has added three new features.

  • Key Mixing
  • Rekeying
  • Message Integrity

Key Mixing - Supported in WPA is Temporal Key Integrity Protocol (TKIP), and, unlike WEP that only appended the IV to each key, TKIP mixes the IV into the key stream. By doing so, this minimizes the risk of related key attacks which were a primary vulnerability of WEP.

Rekeying - The three keys used in WPA are 1) a master key, 2) a working key, and 3) a RC4 key. The Master Key is a key shared between the client and AP used to generate new (working) keys. The RC4 key is a result of a new IV being mixed in. If supported, it is possible to change the RC4 keys for each frame that is sent.

Message Integrity - In order to detect integrity breaches of each 802.11 frame, WEP used a Cyclical Redundancy Check (CRC). WPA, however, uses Message Integrity Check, (MIC or Michael). This computes integrity checks not for each frame but for the datagram passed to the Layer 2 protocols. MIC protects against bit flipping, which is an attack on a cryptographic cipher in which the attacker can change the cipher text in such a way as to result in a predictable change of the plain text, although the attacker is not able to learn the plain text itself. CRC was vulnerable to this type of attack. If an attacker made changes to the payload of a frame, it would be possible to make minor changes to the CRC calculation to compensate.

WPA2

WPA / TKIP is now at its End Of Life (EOL) and WPA2 now the current specification. WAP2 uses Advanced Encryption Standard (AES) in Counter Mode with Cipher Block Changing (CCMP). It also replaces both the RC4 and TKIP features of WPA.

WPA2 does have its downside as while WPA can be added to old hardware in a firmware upgrade, the newer encryption standards make this impossible. This is the reasoning as to why WEP and WPA are still so widely used.

WPA2 in Pre-shared Key (PSK) mode is configured in a similar fashion as WEP. It uses a key of up to 64 bytes entered into both the AP and authorized clients. Should a short key be used, WPA and WPA2 are still vulnerable to off-line brute forcing attacks. The best practice is using the entire 64 byte space for the PSK. This makes a brute force attack highly unlikely.

PSK can be difficult to distribute. If shared key mode is used instead, it allows a password or pass-phrase to be entered at the time the client connects. This allows password guessing or brute force attacking.

The AES key that is generated results the hashing of a pass-phrase 4096 times. It is much easier to use a pre-computed lookup table of common pass-phrases before attempting a true brute force attack.

Security Risks of WiFi Networks

Discovering Wireless Networks

There are a number of tools available that make surveying an area for the presence of WAPs. These tools include Netstumbler for Windows or Kismet for Linux. External antenna connectors are also available on some PC Cards that provided the ability to receive signals better. Some of these antennas can be either home made or commercially produced and can provide not only a better signal reception but are also extremely sensitive measuring many aspects of a signal's quality.

Smart phones can also have applications for finding WiFi networks and even reveal the GPS coordinates of these signals. There are other commercially available tools that can provide diagnostic and troubleshooting capabilities as well, though some of these tools can get expensive.

Since attackers will be actively searching out and discovering WiFi networks, it is important to do the same from a defensive and security stand-point. A best practice is to walk withing the area, as well as its perimeter of your company or organization and create a baseline of the discovered signals. Check for new networks that appear that were not included in your baseline. This new network could be a sign of a rouge AP. Performing regular audits of approved networks for proper security configurations is also important.

Wireless Network Attacks

There are seven common attacks against a wireless network. These are:

  • Default Configuration
  • Warkitting
  • Brute Force Authentication
  • Denial of Service
  • Eavesdropping
  • Man-In-The-Middle
  • Basic Network Attacks

Default Configuration- Residential wireless products come pre-configured to provide an out-of-the-box working device. These default settings are an open, unsecured network and being plug-n-play, they work. Being aware of this is important to be looking for default configuration honeypots. A honeypot is a decoy computer system for trapping hackers or tracking unconventional or new hacking methods. Unfortunately, attackers use honeypots to snare unsuspecting targets in the attempt to find default configuration, in this case, and gain access to their system.

Attackers commonly set up WiFi honeypots to see who will connect. All they have to do is to change the WiFi's SSID to reflect a local business or any name that will attract unsuspecting targets.

Best practice dictates that whenever setting up one of these relatively easy networks, to change the default password and rename the SSID to something other than the manufacture's or IPS's name.

Warkitting - Warkitting is a combination of wardriving and rootkitting. This is accomplished by configuring the WAP to allow administrative access from a wireless interface. The attacker can then perform a firmware upgrade that includes a backdoor access to the router, even if the owner fixes the settings.

Though not a default setting as most products will only allow administration from a wired interface, an attacker can find ways to access the WAP from that means through any compromised host on the network.

Brute Force Authentication - In regards to wireless, any network that supports Open System Authentication (OSA) consists of clients and APs that both know the SSIDs. Should the service set support Shared Key Authentication (SKA), then something like a WEP key is required.

In an attempt to reduce the administrative efforts by configuring clients ahead of time, some APs allow a password to be used from which the key is generated. Like any other password protected system, this entrance point is vulnerable to default passwords followed by password guessing and the results are a brute force attack.

Denial of Service - 802.11b/g operates in the Industrial, Scientific Medical (ISM) band along with other devices such as baby monitors, wireless camera, cordless phones and microwave ovens.

Radio Frequency (RF) interference is expected so the 802.11 specifications utilize Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) along with hamming code signaling to be as an error tolerant as possible. Unfortunately, nothing can overcome a flood of high-powered noise though.

Microwave ovens work on channels 8-11 of the WiFi network. One solution is to put distance between the AP and the microwave oven.

Jammers send out white noise at a high power and are used as DoS tools against a wireless network. These tools can either be purchased or made using common electronic parts. Even a cheap cordless phone can modified to become a jammer. There are no real ways to prevent jamming and this fact should be considered in the risk analysis study prior to installing any wireless technology.

Eavesdropping - The hardest part of sniffing a wireless network's traffic is getting the WiFi NIC into monitor mode. If this is not possible, the next best thing is a Man-In-The-Middle attack.

Man-In-The-Middle (MiTM) Attacks - Opening the doors to spoofing attacks, management frames in the 802.11 standard are sent in the clear even if encryption is protecting the data.

To spoof the MAC address of any client and causing a temporary DoS attack, attackers create "De-Authentication" or "De-Associate" frames. The attacker sets up a WAP with a stronger signal and the same SSID than the genuine WAP and when the client's wireless NIC tries to reconnect, they connect to the attacker.

The attacker can perform all necessary network functions that make their access point transparent to the user by using just basic operating system tools. Should the attacker be running Linux, a DHCP server or DNS forwarder, it can be set up using tools such as dnsmasq. If the attacker is using a Windows server, the process is just as simple. When routing and forwarding all traffic is turned on, the target will never know what is happening.

Basic Network Attacks - Wireless networks operate at Layer 1 with Layer 2 protocols for framing link to link connectivity. At Layer 3, all protocols work the same way as they would on a wired network.

To protect the internal network, best practice would be to isolate the wireless segment using firewalls and then implement a Virtual Private Network (VPN) service to authenticate the user of the associated hardware and encrypt all packets into a tunnel before Layer 2 can create the frames and links.

Using Extensible Authentication Protocol (EAP) can enhance control of the traffic, however if the underlying wireless network is left unprotected, it can still be attacked, therefore as previously said, best practice is to secure and isolate the WiFi link.

Bluetooth

Bluetooth Specifications

Personal Area Networks (PANs) are described under the IEEE 802.15 standard. Bluetooth is a standard that is based on the 802.15.1 standard and operates at the physical layer in the 2.4 Ghz range.

This standard was created to replace the RS-232C serial cable standard with a wireless alternative and the complexity of this standard can become confusing.

The four classes of Bluetooth devices are:

Class Power Range
1.0 100mw 100m (~328 feet)
2 2.5mw 10m (~32 feet)
3 1mw 1m (~1 foot)
4 .5mw .5m (~6 inches)

The five different versions of the Bluetooth specifications are:

Version Throughput
1 723Kbps - 1Mbps
2.0 2.1Mbps - 3Mbps
3.0 25Mbits/s
4.0 25Mbits/s
5.0 50Mbits/s

There are several profiles within the specifications. Each device that establishes a connection must be able to support the same profile. Some of the most common profiles include Hands-Free Profile (HFP), Human Interface Device (HID) and Advanced Audio Distribution Profile (A2DP). Each one of these operate on devices that are in use every day.

Devices associate with a host on a link-by-link basis, and because they are wireless, the opportunity for spoofing and sniffing exists. Actually, sniff is the state a device goes into as it waits for data.

Based on the sharing of a link key, two devices are paired. After the pairing has been established, information is shared about the device name, device class, services supported and additional technical information. With this combination a signature can be formed that allows the devices to cryptographically authenticate each other, at which point they are known to be "bonded".

There are several different modes by which two devices can be bonded. When a symmetric key is involved, it is often derived from a number, usually 0000, but there are many other factors involved that make that number less important.

Bluetooth Network Attacks

There are two types of Bluetooth attacks:

  • Bluejacking
  • Bluesnarfing

Bluejacking - is mostly an injection technique. The compromising of data is not involved, however it can be startling or embarrassing to the victim. The payload could be in a form of a vCard or text message and therefore social engineering is possible.

Bluesnarfing - does involve invasive measures. The attacker is allowed to view data stored on the remote device by way of a connection. The vulnerability that made this attack possible was patched in the specification itself, so the victims must either be a legacy device or be using an incorrect implementation of the standard.