Questions and Answers
What is the first step to compromise wireless networks in the remote targeting phase?
Which of the following is a primary criterion for an APT hacker in Phase III?
What is the purpose of targeting the family members of employees during social spear phishing?
Why might an attacker shift focus to wireless client services after failing to compromise a wireless network?
Which wireless standards should be prioritized according to the content?
What is a key characteristic of directional antennas?
What is a potential downside of using a longer antenna cable?
In the United States, what is the maximum legal output power for wireless radios?
Which command can be used to check the current power setting of a wireless card?
Which factor is influenced by the chipset of a wireless card?
What frequency range does the 802.11a standard operate in?
Which of the following protocols is older and likely not implemented in newer wireless technology?
What measurement is used to express the gain provided by a wireless antenna?
Which type of antenna radiates signals in all directions?
What is a common price range for microcomputers like the Raspberry Pi?
Study Notes
Chapter 7: Phase III: Remote Targeting - Part One
- Phase III focuses on identifying and targeting wireless systems, a core component of Advanced Persistent Threat (APT) hacking.
- Wireless systems enable anonymity and maintain important attack criteria for APTs.
- Initial steps involve determining if target employee relationships exist for spear phishing.
- Wireless reconnaissance follows, aiming to compromise identified wireless networks by targeting key vulnerabilities.
- If a network cannot be compromised, efforts shift to targeting wireless client services.
Remote Presence Reconnaissance
- Gathering comprehensive information about employees working remotely for the target organization is crucial.
- Information sources include the target organization's remote worker policies (from public resources), home addresses (using tools like Spokeo and Intelius), address history, office locations, and lunch locations.
Social Spear Phishing
- Social engineering is essential during this phase.
- Employees' family members can be a source of information, such as emails sent to the targeted employee.
- Compromising the target employee's home system allows for pivoting to directly attack the employee's computer.
Wireless Phases
- Wireless system targeting prioritizes wireless reconnaissance followed by attacking wireless access points, then wireless clients.
- Reconnaissance aims to identify target wireless networks and clients.
- A time limit (e.g., 45 minutes) is imposed when targeting wireless systems that might be present in a location like a coffee shop.
- If the network is resistant to direct attack, clients at the location become a target.
Remote Edge Access Points
- A diagram illustrates remote access points configured from a central wireless controller at headquarters.
- Remote offices connect to headquarters via VPN.
- Remote Access Points are configured by the wireless controller.
APT Wireless Tools
- Beyond standard laptop and wireless network card needs, additional tools enhance the attack.
- Essential features of a wireless network card to optimize this attack phase include supported wireless standards, antenna types, connection types, power, and chipset capabilities.
Wireless Technologies
- Connection type (e.g., PCMCIA, USB) significantly affects how efficiently a network card works.
- USB connection facilitates easily positioning the adapter and antenna.
- Alfa cards and PRISM cards are popular choices; the chapter shows them in images.
- Focusing on common wireless technologies (e.g., 802.11a, b, g, n) is vital, as they may be the vulnerable points found in target reconnaissance.
Wireless Technologies (continued)
- Wireless spectrums and technologies should cover all possible options in reconnaissance to ensure all possible routes of attack are identified.
- 802.11a and related standards operate in the 5 GHz range; 2.4 GHz wireless protocols are supported by many devices and should be prioritized in reconnaissance.
- Newer devices may no longer implement older, less secure protocols, which narrows the attack scope.
- Spoofed traffic, rogue devices, and traffic sniffing are additional factors to consider, as they could lead to additional vulnerabilities.
Raspberry Pi Microcomputer
- Low-cost microcomputers like the Raspberry Pi and Guru Plug are advantageous for the target reconnaissance task because they can host the attack tools.
Wireless Antennas
- Antenna quality and the ability to utilize external antennas within the network card are crucial reconnaissance factors.
- External antennas significantly enhance both transmission and reception; their gain is measured in decibels relative to an isotropic radiator (dBi).
- Two main types of antennas are omnidirectional (radiating in all directions) and directional (targeting specific directions).
Connection Type
- The connection type and the resulting cable length are essential components when choosing a network card for optimized attack targeting.
- Most external network cards come with "rubber ducky" antennas, which are small but have limited range.
- Longer cables between the antenna and the wireless radio (especially with external antennas) cause signal loss that must be taken into account.
Power
- Power output (in dBm or watts) of a network card affects transmission strength.
- Country-specific legal limitations on radio output power must be considered during this phase of reconnaissance.
- Maximum output power settings—such as 30 dBm (1 watt) in the United States—must be identified, as these values impose limits on target reconnaissance.
Power (Continued)
- Linux-based distributions (e.g., Kali) provide commands to determine the wireless card's power, such as "iwconfig" to view the configured power setting.
- Changing the regulatory region can change the permitted power output; commands such as "iw reg set NX" select the region whose power settings apply.
Chipset
- The choice of network card and chipset dictates the range of supported channels and capabilities.
- Popular Linux drivers include PRISM (Programmable Radio in the ISM Band), Atheros, MadWifi, and mac80211.
- The "iw list" command displays the card's available options (supported channels and modes) under the current region.
- The chosen driver needs monitor-mode (passive capture) support to observe target systems.
Wireless Reconnaissance
- Wireless reconnaissance gathers information about network topology, clients, and remote workers.
- Gathering information about these targets will assist with mapping target systems.
- This is an active reconnaissance effort and is subject to potential detection because it requires physical presence.
Internet Wireless Reconnaissance
- Target reconnaissance should prioritize searching for the targeted wireless technologies including available WiFi, guest wireless, guest access, and guest internet.
Active Wireless Recon
- Pre-attack active reconnaissance identifies potential targets to optimize attack choice and effectiveness.
- This phase is achieved by searching for access points.
- Identifying targets, focusing on specific networks of interest, and then identifying wireless clients is required.
Active Wireless Recon (continued)
- Beacon frames, sent by access points, announce the existence and capabilities of the wireless networks.
- Beacon frames contain the name (e.g., SSID) of the networks and details about data rates, timing, and more.
- Client devices in ad hoc networks also transmit beacon frames.
Active Wireless Recon (continued)
- Kismet, Airodump, and Android apps are used for wireless reconnaissance.
- Kismet is highly recommended for enumeration.
- Airodump is vital for identifying supplementary information, and specifically client devices associated with the targeted organization.
- Android apps aid in mobile reconnaissance by mapping wireless network signals geographically.
Active Wireless Recon (continued)
- Kali Linux comes pre-installed with Kismet, ready for use.
- Using commands like "kismet" in the terminal displays relevant information.
- Kismet uses a client/server model: capture sources can run on remote systems and forward data to a central server.
- Airodump—part of the Aircrack-ng suite—is used for basic wireless network reconnaissance.
Active Wireless Recon (continued, specific tool)
- The command "airodump-ng -w out mon0" starts airodump-ng listening on interface mon0 and writes captured data to files with the prefix "out".
Active Wireless Recon (Android recon app)
- Android reconnaissance apps, such as Wardrive and WiGLE Wifi Wardriving, offer GPS functionality to map wireless devices, particularly useful during reconnaissance when physical access is limited.
Active Wireless Recon (War-Driving)
- War-driving is a recon method used when physical access is restricted or mobile devices/laptops are prohibited on site.
- War-driving uses mobile devices and vehicles for reconnaissance by walking or driving around the target areas.
Description
Chapter 7 delves into Phase III of Advanced Persistent Threat (APT) hacking, focusing on remote targeting methods. It covers techniques for wireless reconnaissance, the importance of gathering information on remote employees, and the role of social engineering in spear phishing. This chapter equips learners with the knowledge to identify vulnerabilities in wireless systems and the necessary steps for effective targeting.