Chapter 7: Remote Targeting II

Questions and Answers

What types of networks should be reviewed for useful information during remote targeting?

• VPN, SSL, WPA-Enterprise
• WEP, WPA-PSK, WPA-Enterprise (correct)
• WPA-PSK, WPA3, Open networks
• WEP, WPA2, VPN

What file type is NOT typically logged by Kismet and airodump for further review?

• PCAP
• Log files
• CSV (correct)
• XML

What indicates a strong potential ownership of a client device during a probe?

• The device last seen within the last hour
• BSSID of the device's network
• Total number of packets seen from the device
• Probing for an SSID matching part of the user's name (correct)

What information is contained in the PCAP files other than basic details?

Times clients were first and last seen (C)

When identifying a target network, what should be looked up for the BSSID?

The MAC address vendor (B)

What is an ideal location for initiating stealth physical recon operations?

A public library (A)

Which method is NOT mentioned as a means of conducting stealth recon?

Physical break-in (B)

What should you do first before changing the MAC address in a Linux terminal?

Bring your interface down (C)

Which of the following is NOT a major vulnerability to be exploited in active wireless attacks?

Cracking WPA2 (D)

When wardriving, what is essential to maintain during operations?

Anonymity and stealth (A)

What is a possible consequence of changing the last digit of your MAC address to avoid detection?

It may frustrate forensic investigations. (A)

Which device is NOT mentioned as suitable for mailing to conduct recon?

A standard telephone (C)

What command is used for spoofing a disassociation message in a wireless network?

aireplay-ng –deauth=5 –a -c mon0 (C)

Which protocol can include the device hostname in its request?

DHCP (C)

What is a primary reason for enumerating wireless client information?

To identify networks without known associations (D)

What does stealth physical recon emphasize during a wireless reconnaissance?

Maintain a low profile and avoid detection (C)

What might indicate the organization responsible for a client device?

Captured packets during recon (C)

Which type of data can DNS automatically query for?

Client information (A)

What concept is beneficial when conducting stealth physical recon?

KISS strategy (A)

What information can be revealed by the NetBIOS broadcast?

Domain name and hostname of the client (C)

WEP networks are used for Wired Equivalent Privacy.

True (A)

Kismet and airodump can only log to PCAP files.

False (B)

The OUI of a MAC address consists of the last six hexadecimal digits.

False (B)

Captured packets can provide helpful information about observed packets.

True (A)

The aireplay-ng command is used for logging packet information.

False (B)

Public areas like coffee shops are suitable locations for stealth recon operations.

True (A)

Wardriving can only be performed using a car.

False (B)

Cracking WEP is one of the identified major vulnerabilities for compromising a target network.

True (A)

Changing the MAC address during active recon can hinder forensic investigations.

True (A)

An extra battery is not a recommended component to include in a mailed device for recon.

False (B)

It is unnecessary to change your MAC address when conducting reconnaissance.

False (B)

Active brute-forcing is a technique used to exploit wireless network vulnerabilities.

True (A)

The command used to spoof a disassociation message includes the parameter –deauth=5.

True (A)

Client device information can only be enumerated when the wireless network is positively identified as belonging to a target organization.

False (B)

During wireless recon, it's possible to capture packets that help to indicate ownership of a client device.

True (A)

The DHCP protocol is unlikely to include any device hostname information.

False (B)

Stealth physical recon emphasizes maintaining a low profile during wireless reconnaissance operations.

True (A)

The concept of KISS in stealth physical recon stands for 'Keep It Simple and Secure.'

False (B)

NetBIOS broadcasts can reveal the domain name of a client device.

True (A)

Social engineering concepts are not applicable during stealth physical reconnaissance.

False (B)

What basic information is contained in the PCAP files logged by Kismet and airodump?

BSSID and associated clients (D)

Which of the following is indicated by the presence of a network probe for YURICH_HOME in relation to employee Tom Yurich?

Tom Yurich owns a device that connects to YURICH_HOME (C)

What does the OUI of a MAC address signify?

Organizationally Unique Identifier assigned to manufacturers (D)

What additional activity might be necessary when identifying cloaked networks?

Forcing the association process through spoofing (D)

Which types of data can both Kismet and airodump log apart from PCAP files?

XML files by default (D)

What is a key consideration when conducting stealth recon in public areas?

Remaining stationary for long periods (C)

Which method can be used to ensure anonymity during a wireless attack?

Changing the MAC address of devices (D)

What is a common vulnerability found in wireless networks that can be exploited?

Weak WPA preshared keys (D)

What device might be mailed to a target organization to aid in remote reconnaissance?

A smartphone or tablet (A)

What is a potential consequence of changing your MAC address to a digit different from the target MAC address?

Hinders forensic investigations (D)

In preparing for an active wireless attack, what is essential before changing the MAC address?

Bringing the network interface down (A)

What is an appropriate strategy for conducting wardriving effectively?

Using any mode of transportation (D)

What effect does spoofing a disassociation message have on the client device?

The client device experiences a temporary loss of connection. (D)

Which of the following statements about client device enumeration is true?

Enumerating clients can help identify vulnerable networks. (B)

Which protocol can potentially reveal the hostname of a device during enumeration?

DHCP (C)

What is a key consideration to maintain during stealth physical recon?

Blending in and acting congruently with your story. (C)

Which of the following is a correct statement regarding the use of NetBIOS broadcasts?

NetBIOS broadcasts can provide the domain name and hostname of a client. (A)

What aspect of the KISS strategy is critical for stealth physical recon?

Minimize actions to avoid drawing attention. (C)

Why is it beneficial to capture packets during wireless network recon?

It can indicate device ownership and type. (D)

What is a potential outcome of incorrectly executing a command to spoof a disassociation message?

Loss of visibility to the wireless network. (B)

Both Kismet and airodump can log data in XML format by default.

True (A)

The OUI of a MAC address consists of the last six hexadecimal digits uniquely assigned to every manufacturer.

False (B)

Captured packets can only reveal basic information about a wireless network.

False (B)

Probing clients can indicate which clients might belong to the target organization.

True (A)

It is beneficial to perform a detailed analysis of client devices in addition to reviewing PCAP files.

True (A)

The aireplay-ng command can be used to mimic a legitimate disassociation message.

True (A)

When enumerating wireless client information, protocols like DNS and HTTP can provide identity details.

True (A)

Stealth physical recon requires the operator to maintain a high presence in the environment.

False (B)

The DHCP protocol is known to commonly include device hostname information in its requests.

True (A)

Social engineering concepts are irrelevant to the practice of stealth physical recon.

False (B)

The NetBIOS protocol can reveal the hostname of a client device via broadcast.

True (A)

Captured packets during wireless recon are only useful after identifying the target organization.

False (B)

The practice of KISS in stealth recon focuses on keeping operations straightforward and undetectable.

True (A)

Aerial drones are commonly used by government agencies for surveillance.

True (A)

Changing the MAC address of a device is unnecessary when conducting wireless reconnaissance.

False (B)

Wardriving can be performed using any type of transportation.

True (A)

Cracking WEP is one of the vulnerabilities that can be exploited in an active wireless attack.

True (A)

Mailing a device to a target organization is not a recommended method for reconnaissance.

False (B)

The command 'ifconfig wlan0 down hw either 22;44:66:11:22:23' is used to change the MAC address in Linux.

False (B)

Maintaining anonymity and stealth is essential during stealth recon operations.

True (A)

The aireplay-ng command is utilized to force the association process by spoofing a disassociation message.

True (A)

Kismet and airodump are capable of logging only to binary file formats.

False (B)

The first six hexadecimal digits of a MAC address represent the OUI assigned to the device manufacturer.

True (A)

Probed networks do not provide any useful information about the owners of client devices.

False (B)

Captured packets include timestamps related to specific clients or networks being observed.

True (A)

Using an aerial drone for surveillance is commonly adopted by various government agencies.

True (A)

Wardriving is exclusively performed while using a car.

False (B)

MAC address spoofing can confuse forensic investigations into wireless activities.

True (A)

Active brute-forcing targets the encryption method used in Wi-Fi Protected Setup.

True (A)

The only method to maintain anonymity while attacking a wireless network is by changing the MAC address.

False (B)

Cracking WEP is mentioned as one of the significant vulnerabilities in wireless networks.

True (A)

Public and common areas are ideal locations for setting up stealth recon operations because of the high traffic and anonymity they provide.

True (A)

The aireplay-ng command used for spoofing disassociation messages uses the parameter –deauth=10.

False (B)

Captured packets during wireless recon can sometimes reveal the device operating system type.

True (A)

Stealth physical recon requires strict adherence to a complex set of strategies.

False (B)

NetBIOS broadcasts are unlikely to provide useful information about a client device's hostname.

False (B)

Utilizing DHCP requests can help identify the hardware manufacturer of a client device.

True (A)

All wireless networks positively identified as belonging to a target organization are guaranteed to be vulnerable.

False (B)

Acting congruently with your story is not relevant in social engineering for stealth recon.

False (B)

Kismet and airodump are capable of logging multiple types of information beyond just packet data.

True (A)

What specific information about clients can be inferred from probe requests during remote targeting?

Potential ownership of client devices based on specific probing patterns (C)

In the context of wireless reconnaissance, what does the term OUI refer to?

Organizationally Unique Identifier, the first six digits of a MAC address (A)

What is an important purpose of logging to XML files via Kismet and airodump?

To retain a detailed history of network monitoring for later audits (C)

Why might some client devices not probe for other networks while connected?

They have been programmed to maintain secure connections on their current network only (A)

What can the aireplay-ng command specifically achieve in wireless reconnaissance?

Spoof disassociation messages to force clients to reconnect (A)

What is a primary component of maintaining anonymity while performing active wireless reconnaissance?

Changing the MAC address of your devices (D)

Which of the following is a method for performing reconnaissance without physically being present?

Mailing a modified device to the target (A)

What should be considered when selecting a public location for stealth recon operations?

Low foot traffic and visibility to others (B)

Which technique is specifically designed for conducting attacks on wireless networks?

Using a deauthentication attack (D)

What is the consequence of leaving your laptop running in a secluded location during recon?

Risk of being observed by passersby (D)

In the context of wireless attacks, what does changing the last digit of a MAC address accomplish?

Confuses forensic investigations (B)

Which of these vulnerabilities is notably targeted during wireless network attacks?

Exploiting weak encryption protocols (C)

What are the potential implications of spoofing a disassociation message from a client's perspective?

The connection will appear to drop and return without any user notice. (B)

Why is it vital to enumerate wireless client information before proceeding with an attack?

To verify the availability of attack vectors on identified networks. (D)

Which protocol can provide crucial information about the domain name of a client device being probed?

NetBIOS (C)

What is a core strategy emphasized in stealth physical recon operations?

Acting congruently with your cover story. (B)

Which of the following statements regarding DHCP packets is true during wireless reconnaissance?

They could include the device hostname in the request. (C)

What is one reason to capture packets during wireless network reconnaissance?

To establish the type and ownership of client devices. (B)

What principle does the APT strategy 'KISS' stand for during stealth physical reconnaissance?

Keep It Simple and Secure. (A)

In the context of wireless client attacks, what does enumerating client information primarily assist with?

Identifying vulnerabilities in a target organization. (A)

Flashcards

Wireless Network Recon Tools

Tools like Kismet and airodump are used to collect data about wireless networks, including WEP, WPA-PSK, WPA-Enterprise, and captured packets.

PCAP Files

Kismet and airodump create PCAP files that contain network packet data in Wireshark readable format.

Client Device Analysis

Analyzing client device data like BSSID, associated clients, probed networks helps identify target organization's assets.

OUI of MAC Address

The first six hexadecimal digits of a MAC address uniquely identify the network equipment manufacturer.

Target Network Identification

Identifying target networks based on SSID, probed networks and analyzing client devices to pinpoint target organization's network.

Wireless Spoofing

A technique used to simulate legitimate disassociation messages on a wireless network, often used for network reconnaissance.

Client Enumeration

Identifying information about client devices on a wireless network, often for reconnaissance.

DHCP Protocol

A network protocol that dynamically assigns IP addresses. Can include device information in requests.

NetBIOS Protocol

A protocol used for network communication. Broadcast messages can reveal client names and domains.

HTTP Protocol

A protocol for transferring web pages, where requests may include client identifiers in headers.

DNS Protocol

A system for translating domain names to IP addresses. Often used to query servers or client information.

Stealth Physical Recon

Conducting physical reconnaissance while maintaining stealth, crucial in initial attack phases.

Social Engineering

Using influence, manipulation, or persuasion to gain information or access in reconnaissance.

Aerial Drones

Using drones to spy on a target. A spying tool employed frequently by government agencies.

Wardriving

Scanning for and identifying open Wi-Fi networks using a laptop or mobile device in a car or other vehicle.

Wireless Vulnerabilities

Weak points in wireless networks that allow exploitation.

MAC address Spoofing

Changing the Media Access Control address of your device to hide your identity from network monitoring.

WEP Cracking

Method of breaking into a wireless network protected with Wired Equivalent Privacy.

Brute-forcing Wireless Networks

Systematically trying different passwords to gain access.

What are PCAP files used for?

PCAP files capture network packet data, allowing analysts to review communication details on a wireless network.

What is the significance of the BSSID?

The BSSID is the MAC address of a wireless network, used to uniquely identify it. It's part of the network's identity.

What information does a probed network disclose?

A probed network indicates the wireless networks a device has been configured to connect to, potentially revealing an associated client's affiliations.

What is the OUI and how is it beneficial?

The OUI (Organizationally Unique Identifier) is the first six hexadecimal digits of a MAC address, identifying the manufacturer of network equipment.

How can we force a client to disassociate?

Spoofing a disassociation message to a client device using tools like aireplay-ng can force it to disconnect from the network.

De-authentication Spoofing

Sending fake disassociation messages to a wireless client, causing it to temporarily disconnect from the network.

Wireless Recon Objectives

Gathering information about wireless networks and their associated clients during reconnaissance.

Client Information Enumeration

Identifying details about clients on a network, such as their hostnames, domain names, and potentially their operating systems.

Protocols for Client Info

Network protocols often reveal client information during communication, including DHCP, NetBIOS, HTTP, and DNS.

KISS Principle

Keeping reconnaissance methods simple and straightforward to avoid unnecessary risks and attract attention.

Congruent Story

Acting consistently with a persona or cover story to maintain stealth and avoid suspicion.

Physical Infiltration

Gaining physical access to a target location, often requiring more advanced stealth and social engineering techniques.

Active Wireless Attack

A direct attempt to compromise a wireless network by exploiting vulnerabilities, often targeting WEP, WPA, or vendor-specific flaws.

Cracking WEP

Breaking into a wireless network secured with the outdated WEP encryption using tools like aircrack-ng.

WPA Preshared Key Brute-Forcing

Trying every possible password combination against a WPA network to gain access, often done offline with special software.

WiFi Protected Setup (WPS) Brute-Forcing

Exploiting vulnerabilities in the WPS protocol to gain access to a network without knowing the main password.

What is a BSSID?

The BSSID is the unique MAC address of a wireless network, similar to a nametag for a network.

What information can be derived from probing networks?

When a client searches for available wireless networks, it reveals which networks it's configured to connect to. This can help you identify client affiliation or their preferred networks.

What is an OUI?

OUI stands for Organizationally Unique Identifier. It's the first six hexadecimal digits of a MAC address, uniquely identifying the manufacturer of the network equipment.

Why change your MAC address during an Active Wireless Attack?

Changing your MAC address helps hide your identity and frustrate forensic investigations, making it harder to track your actions.

Brute-forcing WPA Preshared Keys

Trying every possible password combination against a WPA network to gain access, often done offline using dedicated software.

Wireless Network Recon

The process of gathering information about wireless networks, including their names (SSID), security types, and associated client devices.

KISS Principle in Recon

Keeping reconnaissance methods simple and straightforward to avoid unnecessary risks and attract attention.

DHCP in Recon

The Dynamic Host Configuration Protocol (DHCP) can reveal device hostnames during client requests, which can be useful for gathering information about connected devices.

What is a PCAP file?

A PCAP file is a captured packet data file used for analyzing network traffic. It contains information about the sent and received packets, including timing, source and destination addresses, and packet contents.

What does probing a network reveal?

When a wireless client probes for networks, it reveals the SSIDs of networks it's configured to connect to, potentially revealing client affiliation or their preferred networks.

How can you force a client to disassociate from a network?

You can force a client to disconnect by spoofing a disassociation message using tools like aireplay-ng. This sends a fake message to the client, telling it to leave the network.

Why is MAC address spoofing useful?

Changing your MAC address hides your identity, making it much harder to track your activities on a network. This can help evade detection during an attack.

Spoofing Deauth Message

Sending a fake disassociation message to a wireless client, causing it to temporarily disconnect from the network.

Enumerating Client Info

Gathering information about individual devices connected to a wireless network, such as their names, domain names, and potential operating systems.

DHCP for Client Info

The Dynamic Host Configuration Protocol (DHCP) can reveal a device's hostname during client requests, aiding in discovering connected devices.

NetBIOS for Client Info

NetBIOS broadcasts can reveal a client's domain name and hostname, helping identify the device's network affiliation.

Congruent Story in Recon

Acting consistently with a persona or cover story to maintain stealth and avoid suspicion during physical reconnaissance.

Stealth Recon Locations

Public places like hotels, coffee shops, and libraries offer good cover for discreet recon. Secluded spots and running vehicles with laptops also work for long-term observation.

Aerial Drones for Recon

Government agencies often use aerial drones for surveillance, gathering visual data from the air.

WPA Key Brute-forcing

Trying all possible password combinations to gain access to a WPA-secured network.

What information does probing a network reveal?

When a wireless client probes for networks, it reveals the SSIDs of networks it's configured to connect to, potentially revealing client affiliation or their preferred networks.

What is an OUI and why is it important?

OUI stands for Organizationally Unique Identifier. It's the first six hexadecimal digits of a MAC address, uniquely identifying the manufacturer of the network equipment. This allows you to identify the maker of a network device by its MAC address.

Deauth Spoofing

Sending fake disassociation messages to wireless clients, causing them to temporarily disconnect from the network. This is often used to interrupt network traffic or disrupt connectivity.

Changing MAC Address

Modifying a device's MAC address to hide its identity and make it harder to track online.

What are PCAP files?

PCAP files capture details of network packets, including timestamps, sender, receiver, and content. They're used for examining network activity, such as finding patterns or suspicious behavior.

Probing a network: What's revealed?

When a device probes for networks, it shows which networks it's configured to connect to. This can reveal affiliation or preferred networks for a client.

Spoofing a deauth message: What's its impact?

Sending a fake disassociation message to a client can force it to disconnect temporarily from the network. This can disrupt network traffic or interrupt connections.

NetBIOS in Recon

NetBIOS broadcasts can reveal a client's domain name and hostname, helping identify the device's network affiliation.

Active Brute-forcing of WiFi Protected Setup

Exploiting vulnerabilities in the WPS protocol to gain access to a network without directly knowing the main password.

Study Notes

Chapter 7: Phase III: Remote Targeting, Part Two

• This chapter details remote targeting in Phase III.
• Active Wireless Recon II involves reviewing data for useful information after initial setup.

Active wireless Recon II

• Review collected data for interesting and useful information.
• Focus on:
  • WEP (Wired Equivalent Privacy) networks
  • WPA-PSK (WPA Pre-Shared Key Mode) networks
  • WPA-Enterprise (WPA Enterprise Mode) networks
  • Captured packets
  • Associated clients

Active Wireless Recon II (cont.)

• Kismet and airodump can log PCAP files for analysis using Wireshark.
• Review client device information beyond PCAP files.
• Basic information from PCAP files includes:
  • BSSID (Basic Service Set Identifier)
  • Client devices
  • Associated clients
  • Probing clients
  • Channels

Active Wireless Recon II (cont.)

• Other collected data includes:
  • Times specific clients or networks were first and last seen
  • Total number of packets from each device
  • Information about observed packets
  • Wireless networks probed by client devices

Active Wireless Recon II (cont.)

• Probed networks may indicate client device ownership.
• Examples include:
  • Identifying an employee to correlate a probe for a known network.
  • Discovering networks with SSID related to the target organization.
  • Identifying networks with recognizable patterns.

Active Wireless Recon II (cont.)

• Organization Unique Identifier (OUI) of a MAC address is the first six hexadecimal digits.

• OUIs are assigned to network equipment manufacturers.

• Identify cloaked networks to enumerate SSIDs.

• Force association by spoofing a disassociation message using the aireplay-ng command.

Enumerate Client Info

• After initial wireless reconnaissance, shift focus to enumerating wireless client information, assessing vulnerabilities.
• Determine networks not positively associated with any particular company.
• Confirm if all identified networks belong to the target organization and are not vulnerable to direct exploitation.

Enumerate Client Info (cont.)

• Key protocols:
  • DHCP (Dynamic Host Configuration Protocol).
  • NetBIOS.
  • HTTP (Hypertext Transfer Protocol).
  • DNS (Domain Name System).

Stealth Physical Recon

• This phase shifts reconnaissance to physical locations.

• Maintaining stealth and anonymity is paramount.

• Good locations include:

  • Public areas like coffee shops, libraries, or hotels.
  • Buildings with areas for laptops.

• Avoid obvious tactics for physical infiltration.

• Consider social engineering concepts and acting congruently with your story.

• Utilizing tools like drones or sending devices to the target organization are also options.

Active Wireless Attacks

• Identify potential vulnerabilities in target networks for exploitation.
• Examples include:
  • Cracking WEP
  • Off-line brute-forcing WPA preshared keys
  • Active brute-forcing of WiFi protected setup
  • Wireless vendor vulnerabilities

Active Wireless Attacks (cont.)

• Changing MAC addresses from Linux terminal is needed for active attacks.
• Commands to accomplish this include:
  • ifconfig wlan0 down
  • ifconfig wlan0 down hw either 22;44:66:11:22:23
  • ifconfig wlan0 up

Active Wireless Attacks (cont.)

• Do not use the same card for active recon or attack if it uniquely belongs to the network.

Web Cracking

• WEP cracking relies on collecting a certain amount of packets (2,000-200,000) to deduce the key.

• Fastest cracking using an active method takes about 15 minutes using ~20,000 packets.

• Use airodump for packet capture.

• Use aireplay-ng command for faster capture.

Web Cracking (cont.)

• Put interface into monitor mode using airmon-ng command.

• Use airodump-ng to configure and specify desired parameters

• Use airodump-ng to capture packets for target network.

• Capture and analyze packet data using airodump-ng.

• Use airock-ng to crack the WEP key.

WPA Preshared Key Cracking

• Offline brute-force is the only effective method for WPA-PSK (Wired Equivalent Privacy).
• Capturing the four-way authentication handshake is necessary.
• Many modern devices use strong, randomly generated WPA preshared keys.
• Using airmon-ng and aircrack-ng in a similar way to WEP cracking.
• Capture the necessary data and then use aircrack-ng with wordlist.
• Disconnecting a client for analysis of spoofed disassociation messages