Chapter 7: Remote Targeting II

Questions and Answers

What types of networks should be reviewed for useful information during remote targeting?

VPN, SSL, WPA-Enterprise

WEP, WPA-PSK, WPA-Enterprise (correct)

WPA-PSK, WPA3, Open networks

WEP, WPA2, VPN

What file type is NOT typically logged by Kismet and airodump for further review?

PCAP

Log files

CSV (correct)

XML

What indicates a strong potential ownership of a client device during a probe?

The device last seen within the last hour

BSSID of the device's network

Total number of packets seen from the device

Probing for an SSID matching part of the user's name (correct)

What information is contained in the PCAP files other than basic details?

Times clients were first and last seen

When identifying a target network, what should be looked up for the BSSID?

The MAC address vendor

What is an ideal location for initiating stealth physical recon operations?

A public library

Which method is NOT mentioned as a means of conducting stealth recon?

Physical break-in

What should you do first before changing the MAC address in a Linux terminal?

Bring your interface down

Which of the following is NOT a major vulnerability to be exploited in active wireless attacks?

Cracking WPA2

When wardriving, what is essential to maintain during operations?

Anonymity and stealth

What is a possible consequence of changing the last digit of your MAC address to avoid detection?

It may frustrate forensic investigations.

Which device is NOT mentioned as suitable for mailing to conduct recon?

A standard telephone

What command is used for spoofing a disassociation message in a wireless network?

aireplay-ng –deauth=5 –a -c mon0

Which protocol can include the device hostname in its request?

DHCP

What is a primary reason for enumerating wireless client information?

To identify networks without known associations

What does stealth physical recon emphasize during a wireless reconnaissance?

Maintain a low profile and avoid detection

What might indicate the organization responsible for a client device?

Captured packets during recon

Which type of data can DNS automatically query for?

Client information

What concept is beneficial when conducting stealth physical recon?

KISS strategy

What information can be revealed by the NetBIOS broadcast?

Domain name and hostname of the client

WEP networks are used for Wired Equivalent Privacy.

True

Kismet and airodump can only log to PCAP files.

False

The OUI of a MAC address consists of the last six hexadecimal digits.

False

Captured packets can provide helpful information about observed packets.

True

The aireplay-ng command is used for logging packet information.

False

Public areas like coffee shops are suitable locations for stealth recon operations.

True

Wardriving can only be performed using a car.

False

Cracking WEP is one of the identified major vulnerabilities for compromising a target network.

True

Changing the MAC address during active recon can hinder forensic investigations.

True

An extra battery is not a recommended component to include in a mailed device for recon.

False

It is unnecessary to change your MAC address when conducting reconnaissance.

False

Active brute-forcing is a technique used to exploit wireless network vulnerabilities.

True

The command used to spoof a disassociation message includes the parameter –deauth=5.

True

Client device information can only be enumerated when the wireless network is positively identified as belonging to a target organization.

False

During wireless recon, it's possible to capture packets that help to indicate ownership of a client device.

True

The DHCP protocol is unlikely to include any device hostname information.

False

Stealth physical recon emphasizes maintaining a low profile during wireless reconnaissance operations.

True

The concept of KISS in stealth physical recon stands for 'Keep It Simple and Secure.'

False

NetBIOS broadcasts can reveal the domain name of a client device.

True

Social engineering concepts are not applicable during stealth physical reconnaissance.

False

What basic information is contained in the PCAP files logged by Kismet and airodump?

BSSID and associated clients

Which of the following is indicated by the presence of a network probe for YURICH_HOME in relation to employee Tom Yurich?

Tom Yurich owns a device that connects to YURICH_HOME

What does the OUI of a MAC address signify?

Organizationally Unique Identifier assigned to manufacturers

What additional activity might be necessary when identifying cloaked networks?

Forcing the association process through spoofing

Which types of data can both Kismet and airodump log apart from PCAP files?

XML files by default

What is a key consideration when conducting stealth recon in public areas?

Remaining stationary for long periods

Which method can be used to ensure anonymity during a wireless attack?

Changing the MAC address of devices

What is a common vulnerability found in wireless networks that can be exploited?

Weak WPA preshared keys

What device might be mailed to a target organization to aid in remote reconnaissance?

A smartphone or tablet

What is a potential consequence of changing your MAC address to a digit different from the target MAC address?

Hinders forensic investigations

In preparing for an active wireless attack, what is essential before changing the MAC address?

Bringing the network interface down

What is an appropriate strategy for conducting wardriving effectively?

Using any mode of transportation

What effect does spoofing a disassociation message have on the client device?

The client device experiences a temporary loss of connection.

Which of the following statements about client device enumeration is true?

Enumerating clients can help identify vulnerable networks.

Which protocol can potentially reveal the hostname of a device during enumeration?

DHCP

What is a key consideration to maintain during stealth physical recon?

Blending in and acting congruently with your story.

Which of the following is a correct statement regarding the use of NetBIOS broadcasts?

NetBIOS broadcasts can provide the domain name and hostname of a client.

What aspect of the KISS strategy is critical for stealth physical recon?

Minimize actions to avoid drawing attention.

Why is it beneficial to capture packets during wireless network recon?

It can indicate device ownership and type.

What is a potential outcome of incorrectly executing a command to spoof a disassociation message?

Loss of visibility to the wireless network.

Both Kismet and airodump can log data in XML format by default.

True

The OUI of a MAC address consists of the last six hexadecimal digits uniquely assigned to every manufacturer.

False

Captured packets can only reveal basic information about a wireless network.

False

Probing clients can indicate which clients might belong to the target organization.

True

It is beneficial to perform a detailed analysis of client devices in addition to reviewing PCAP files.

True

The aireplay-ng command can be used to mimic a legitimate disassociation message.

True

When enumerating wireless client information, protocols like DNS and HTTP can provide identity details.

True

Stealth physical recon requires the operator to maintain a high presence in the environment.

False

The DHCP protocol is known to commonly include device hostname information in its requests.

True

Social engineering concepts are irrelevant to the practice of stealth physical recon.

False

The NetBIOS protocol can reveal the hostname of a client device via broadcast.

True

Captured packets during wireless recon are only useful after identifying the target organization.

False

The practice of KISS in stealth recon focuses on keeping operations straightforward and undetectable.

True

Aerial drones are commonly used by government agencies for surveillance.

True

Changing the MAC address of a device is unnecessary when conducting wireless reconnaissance.

False

Wardriving can be performed using any type of transportation.

True

Cracking WEP is one of the vulnerabilities that can be exploited in an active wireless attack.

True

Mailing a device to a target organization is not a recommended method for reconnaissance.

False

The command 'ifconfig wlan0 down hw either 22;44:66:11:22:23' is used to change the MAC address in Linux.

False

Maintaining anonymity and stealth is essential during stealth recon operations.

True

The aireplay-ng command is utilized to force the association process by spoofing a disassociation message.

True

Kismet and airodump are capable of logging only to binary file formats.

False

The first six hexadecimal digits of a MAC address represent the OUI assigned to the device manufacturer.

True

Probed networks do not provide any useful information about the owners of client devices.

False

Captured packets include timestamps related to specific clients or networks being observed.

True

Using an aerial drone for surveillance is commonly adopted by various government agencies.

True

Wardriving is exclusively performed while using a car.

False

MAC address spoofing can confuse forensic investigations into wireless activities.

True

Active brute-forcing targets the encryption method used in Wi-Fi Protected Setup.

True

The only method to maintain anonymity while attacking a wireless network is by changing the MAC address.

False

Cracking WEP is mentioned as one of the significant vulnerabilities in wireless networks.

True

Public and common areas are ideal locations for setting up stealth recon operations because of the high traffic and anonymity they provide.

True

The aireplay-ng command used for spoofing disassociation messages uses the parameter –deauth=10.

False

Captured packets during wireless recon can sometimes reveal the device operating system type.

True

Stealth physical recon requires strict adherence to a complex set of strategies.

False

NetBIOS broadcasts are unlikely to provide useful information about a client device's hostname.

False

Utilizing DHCP requests can help identify the hardware manufacturer of a client device.

True

All wireless networks positively identified as belonging to a target organization are guaranteed to be vulnerable.

False

Acting congruently with your story is not relevant in social engineering for stealth recon.

False

Kismet and airodump are capable of logging multiple types of information beyond just packet data.

True

What specific information about clients can be inferred from probe requests during remote targeting?

Potential ownership of client devices based on specific probing patterns

In the context of wireless reconnaissance, what does the term OUI refer to?

Organizationally Unique Identifier, the first six digits of a MAC address

What is an important purpose of logging to XML files via Kismet and airodump?

To retain a detailed history of network monitoring for later audits

Why might some client devices not probe for other networks while connected?

They have been programmed to maintain secure connections on their current network only

What can the aireplay-ng command specifically achieve in wireless reconnaissance?

Spoof disassociation messages to force clients to reconnect

What is a primary component of maintaining anonymity while performing active wireless reconnaissance?

Changing the MAC address of your devices

Which of the following is a method for performing reconnaissance without physically being present?

Mailing a modified device to the target

What should be considered when selecting a public location for stealth recon operations?

Low foot traffic and visibility to others

Which technique is specifically designed for conducting attacks on wireless networks?

Using a deauthentication attack

What is the consequence of leaving your laptop running in a secluded location during recon?

Risk of being observed by passersby

In the context of wireless attacks, what does changing the last digit of a MAC address accomplish?

Confuses forensic investigations

Which of these vulnerabilities is notably targeted during wireless network attacks?

Exploiting weak encryption protocols

What are the potential implications of spoofing a disassociation message from a client's perspective?

The connection will appear to drop and return without any user notice.

Why is it vital to enumerate wireless client information before proceeding with an attack?

To verify the availability of attack vectors on identified networks.

Which protocol can provide crucial information about the domain name of a client device being probed?

NetBIOS

What is a core strategy emphasized in stealth physical recon operations?

Acting congruently with your cover story.

Which of the following statements regarding DHCP packets is true during wireless reconnaissance?

They could include the device hostname in the request.

What is one reason to capture packets during wireless network reconnaissance?

To establish the type and ownership of client devices.

What principle does the APT strategy 'KISS' stand for during stealth physical reconnaissance?

Keep It Simple and Secure.

In the context of wireless client attacks, what does enumerating client information primarily assist with?

Identifying vulnerabilities in a target organization.

Study Notes

Chapter 7: Phase III: Remote Targeting, Part Two

• This chapter details remote targeting in Phase III.
• Active Wireless Recon II involves reviewing data for useful information after initial setup.

Active wireless Recon II

• Review collected data for interesting and useful information.
• Focus on:
  • WEP (Wired Equivalent Privacy) networks
  • WPA-PSK (WPA Pre-Shared Key Mode) networks
  • WPA-Enterprise (WPA Enterprise Mode) networks
  • Captured packets
  • Associated clients

Active Wireless Recon II (cont.)

• Kismet and airodump can log PCAP files for analysis using Wireshark.
• Review client device information beyond PCAP files.
• Basic information from PCAP files includes:
  • BSSID (Basic Service Set Identifier)
  • Client devices
  • Associated clients
  • Probing clients
  • Channels

Active Wireless Recon II (cont.)

• Other collected data includes:
  • Times specific clients or networks were first and last seen
  • Total number of packets from each device
  • Information about observed packets
  • Wireless networks probed by client devices

Active Wireless Recon II (cont.)

• Probed networks may indicate client device ownership.
• Examples include:
  • Identifying an employee to correlate a probe for a known network.
  • Discovering networks with SSID related to the target organization.
  • Identifying networks with recognizable patterns.

Active Wireless Recon II (cont.)

• Organization Unique Identifier (OUI) of a MAC address is the first six hexadecimal digits.

• OUIs are assigned to network equipment manufacturers.

• Identify cloaked networks to enumerate SSIDs.

• Force association by spoofing a disassociation message using the aireplay-ng command.

Enumerate Client Info

• After initial wireless reconnaissance, shift focus to enumerating wireless client information, assessing vulnerabilities.
• Determine networks not positively associated with any particular company.
• Confirm if all identified networks belong to the target organization and are not vulnerable to direct exploitation.

Enumerate Client Info (cont.)

• Key protocols:
  • DHCP (Dynamic Host Configuration Protocol).
  • NetBIOS.
  • HTTP (Hypertext Transfer Protocol).
  • DNS (Domain Name System).

Stealth Physical Recon

• This phase shifts reconnaissance to physical locations.

• Maintaining stealth and anonymity is paramount.

• Good locations include:

  • Public areas like coffee shops, libraries, or hotels.
  • Buildings with areas for laptops.

• Avoid obvious tactics for physical infiltration.

• Consider social engineering concepts and acting congruently with your story.

• Utilizing tools like drones or sending devices to the target organization are also options.

Active Wireless Attacks

• Identify potential vulnerabilities in target networks for exploitation.
• Examples include:
  • Cracking WEP
  • Off-line brute-forcing WPA preshared keys
  • Active brute-forcing of WiFi protected setup
  • Wireless vendor vulnerabilities

Active Wireless Attacks (cont.)

• Changing MAC addresses from Linux terminal is needed for active attacks.
• Commands to accomplish this include:
  • ifconfig wlan0 down
  • ifconfig wlan0 down hw either 22;44:66:11:22:23
  • ifconfig wlan0 up

Active Wireless Attacks (cont.)

• Do not use the same card for active recon or attack if it uniquely belongs to the network.

Web Cracking

• WEP cracking relies on collecting a certain amount of packets (2,000-200,000) to deduce the key.

• Fastest cracking using an active method takes about 15 minutes using ~20,000 packets.

• Use airodump for packet capture.

• Use aireplay-ng command for faster capture.

Web Cracking (cont.)

• Put interface into monitor mode using airmon-ng command.

• Use airodump-ng to configure and specify desired parameters

• Use airodump-ng to capture packets for target network.

• Capture and analyze packet data using airodump-ng.

• Use airock-ng to crack the WEP key.

WPA Preshared Key Cracking

• Offline brute-force is the only effective method for WPA-PSK (Wired Equivalent Privacy).
• Capturing the four-way authentication handshake is necessary.
• Many modern devices use strong, randomly generated WPA preshared keys.
• Using airmon-ng and aircrack-ng in a similar way to WEP cracking.
• Capture the necessary data and then use aircrack-ng with wordlist.
• Disconnecting a client for analysis of spoofed disassociation messages

Description

Explore the intricacies of remote targeting in Phase III as discussed in Chapter 7. This chapter emphasizes the analysis of collected data from various network types including WEP and WPA, and highlights tools like Kismet and Wireshark for data review. Understand the significance of client information and logging for effective wireless reconnaissance.