Remote Targeting Techniques - Part Two

Questions and Answers

What types of networks should be reviewed when analyzing data during Phase III of Remote Targeting?

  • WPA-Enterprise, Open networks, Captured packets, and Probing clients
  • WEP, Captured packets, Rogue access points, and Associated clients
  • WEP, WPA2-Personal, WPA-Enterprise, and hidden networks
  • WEP, WPA-PSK, WPA-Enterprise, and captured packets (correct)

Which file formats can Kismet and airodump log data into for further analysis?

  • CSV and JSON files
  • PCAP and XML files (correct)
  • HTML and MKV files
  • TXT and PDF files

What information can be derived from the probing clients feature during wireless reconnaissance?

  • Determination of the total number of packets sent
  • Identification of network equipment manufacturers
  • Detection of all cloaked networks in the vicinity
  • Indication of potential client device ownership (correct)

What does the OUI of a MAC address signify in wireless reconnaissance?

  • A unique identifier assigned to network device manufacturers (D, correct)

What action can be taken to potentially identify cloaked networks during analysis?

  • Spoof a disassociation message to force association (A, correct)

What is a key consideration when selecting a location for stealth physical reconnaissance?

  • It should be in a public or common area. (D, correct)

Which of the following methods can be used for wireless recon targeting vulnerabilities?

  • Cracking WEP encryption. (A, correct)

What technique can be employed to maintain anonymity in an active wireless attack?

  • Changing the MAC address of the radio device. (C, correct)

During wardriving, what should a person be aware of regarding their surroundings?

  • Any observable actions may arouse suspicion. (C, correct)

What is the purpose of using devices like phones or tablets in a stealth physical recon?

  • To remotely connect for reconnaissance purposes. (B, correct)

What is the correct method to change a MAC address using a Linux terminal?

  • Use the command root@kali:~# ifconfig wlan0 down hw ether 22:44:66:11:22:23 (B, correct)

Which strategy can be implemented to interfere with forensic investigations in wireless activities?

  • Setting the MAC address to be one digit different from a valid client MAC. (A, correct)

What is the purpose of the aireplay-ng command exemplified in the message spoofing?

  • To disassociate client devices without detection (D, correct)

Why is it essential to enumerate client info after wireless recon?

  • To identify the organization's client devices for targeted attacks (A, correct)

Which protocol is NOT mentioned as potentially revealing client device information?

  • FTP (D, correct)

What foundational strategy should one adhere to during stealth physical reconnaissance?

  • Maintain a low profile and act congruently with your narrative (A, correct)

In which situation would it be necessary to perform client enumeration?

  • When the identity of the network is ambiguous or unverified (C, correct)

What critical information might a DHCP request reveal?

  • Device hostname (C, correct)

Which element is emphasized as part of effective stealth during physical recon?

  • Acting congruently with a preplanned story (A, correct)

What is the primary advantage of capturing packets during wireless recon?

  • To obtain data indicative of device ownership and types (A, correct)

The OUI of a MAC address consists of the first six decimal digits.

  • False (B, correct)

Both Kismet and airodump are capable of logging data to PCAP files for analysis.

  • True (A, correct)

Any client device will always probe for other configured networks while connected to a single network.

  • False (B, correct)

Spoofing a disassociation message can aid in identifying cloaked networks during wireless reconnaissance.

  • True (A, correct)

A captured packet log will often contain the total number of packets sent from each device.

  • True (A, correct)

The aireplay-ng command can be used to send a disassociation message that appears legitimate to the client device.

  • True (A, correct)

The NetBIOS protocol can only reveal the internet protocol address of the client device.

  • False (B, correct)

Performing wireless reconnaissance does not require any physical presence.

  • False (B, correct)

Capturing packets during wireless network recon can assist in identifying the ownership of client devices.

  • True (A, correct)

The DHCP protocol does not provide any device-specific information.

  • False (B, correct)

To maintain anonymity during wireless attacks, it is crucial to adhere to the APT strategy of KISS.

  • True (A, correct)

Social engineering techniques have no relevance in the context of wireless reconnaissance.

  • False (B, correct)

Client device information can also be derived from HTTP requests which may show server names in cleartext.

  • True (A, correct)

Aerial drones are commonly utilized by private individuals for stealth physical reconnaissance.

  • False (B, correct)

Cracking WEP is one of the major vulnerabilities targeted during active wireless attacks.

  • True (A, correct)

Changing your MAC address is a complex process that cannot be done from a Linux terminal.

  • False (B, correct)

Wardriving can only be conducted from a parked vehicle.

  • False (B, correct)

It is recommended to set your MAC address to match exactly one of the valid client MAC addresses during active recon.

  • False (B, correct)

Multiple wireless vendor vulnerabilities are not significant in identifying weaknesses within wireless networks.

  • False (B, correct)

To maintain anonymity during wireless activities, using a MAC address differing by only one digit is an effective strategy.

  • True (A, correct)

Flashcards

Wireless Network Data Analysis

Reviewing WEP, WPA-PSK, WPA-Enterprise networks, captured packets, associated clients, and client device information.

PCAP Files

Files that contain captured network packets, providing basic information like BSSID, client and associated clients.

Target Organization Connection

Using client device probe requests to identify potential connections with the target organization by checking probed SSID and client's MAC OUI.

OUI of MAC Address

First six hexadecimal digits of a MAC address that uniquely identifies each manufacturer of network equipment.

Spoofing Disassociation

Forcing a client device to disconnect from a wireless network by sending a fake disassociation message using tools like aireplay-ng.

Physical Reconnaissance Locations

Public areas like coffee shops, libraries, or hotels where people frequently use laptops.

Wardriving

Using a vehicle (like a car) to scan for unprotected Wi-Fi networks.

Stealth Physical Reconnaissance

Gathering information about a target without being noticed.

MAC Address Spoofing

The act of changing your network adapter's unique identifier.

Wireless Attack Vulnerability

Weak points in Wi-Fi security that attackers can exploit.

Offline Brute-Forcing

Trying many passwords repeatedly, but done without being connected to the target network.

Wireless Vendor Vulnerabilities

Weaknesses in specific wireless network hardware and software.

Wireless Spoofing

Sending fake disassociation messages to a wireless network, making it seem like the network is going down and then back up.

Client Enumeration

Finding information about client devices connected to a wireless network.

DHCP

A protocol that assigns IP addresses to devices on a network.

NetBIOS

A protocol that allows networked devices to communicate.

HTTP Requests

Used by web browsers to request information from web servers.

DNS Queries

Requests to translate domain names (like google.com) into IP addresses.

Stealth Wireless Recon

Performing wireless network reconnaissance without being noticed.

Maintaining Stealth

Acting discreetly during physical recon.

Why review PCAP files?

PCAP files contain captured network packets. Analyzing them gives crucial information about BSSID, clients, and associated clients. This can help identify target networks and devices.

Client Device Probing

Client devices often probe for available networks even when connected to one. This information can be used to determine which clients are connected to the target organization.

What is the OUI?

The OUI of a MAC address is the first six hexadecimal digits, which uniquely identifies the manufacturer of network equipment.

Why enumerate SSIDs?

Enumerating SSIDs helps identify cloaked networks that are hidden from normal scans. This can uncover potential target network connections.

DHCP in Wireless Recon

Analyzing DHCP requests to reveal a client device's hostname, potentially indicating its owner or organization.

NetBIOS in Wireless Recon

Examining NetBIOS broadcasts to discover a client device's domain name and hostname, revealing possible organizational affiliations.

HTTP Requests in Wireless Recon

Analyzing HTTP requests to identify web servers a client device communicates with, potentially revealing sensitive information.

DNS Queries in Wireless Recon

Analyzing DNS queries to determine if a client device is contacting antivirus servers or endpoint management systems, revealing security measures.

Stealth Physical Recon

Gathering information about a target discreetly while physically present, like blending in with your surroundings.

KISS Principle in Physical Recon

Keeping your actions simple and straightforward during physical reconnaissance to avoid attracting attention and suspicion.

Active Attack

Attacking a target network to gain access or disrupt its operation.

Brute-forcing WPA Preshared Keys

Trying to guess passwords for a wireless network (WPA-PSK).

Active Brute-forcing WiFi Protected Setup (WPS)

Testing the WPS protocol to find weak PINs and gain access to a protected wireless network.

Multiple Wireless Vendor Vulnerabilities

Weaknesses in the software and hardware of specific wireless vendors.

Study Notes

Phase III: Remote Targeting - Part Two

  • This phase involves reviewing data from reconnaissance for useful information.
  • Wireless networks are categorized by their security protocol:
    • WEP (Wired Equivalent Privacy)
    • WPA-PSK (WPA Pre-Shared Key Mode)
    • WPA-Enterprise (WPA Enterprise Mode)
  • Captured packets and associated clients are also examined.
  • Tools like Kismet and airodump log PCAP files for analysis using Wireshark.
  • PCAP files provide basic information, including:
    • BSSID (Basic Service Set Identifier)
    • Client devices
    • Associated clients
    • Probing clients
    • Channels
  • Tools log additional data, including:
    • Timestamps of client and network activity
    • Packet counts from each device
    • Packets observed
    • Wireless networks probed by a client device
  • This information helps identify potential target organization clients.
  • Probed networks may indicate client ownership.
    • If a probe for a known employee's network is seen, it may suggest the owner.
    • Not all clients probe all networks.
  • SSID (Service Set Identifier) information can be helpful in identifying the target organization.
  • The OUI (Organizationally Unique Identifier) of each BSSID (itself a MAC address) is recorded.
  • The OUI is the first six hexadecimal digits of a MAC address, assigned to network equipment manufacturers for identification.
  • Cloaked (hidden-SSID) networks require enumeration effort.
  • Spoofing a disassociation message with aireplay-ng forces clients to re-associate, and the SSID can be enumerated from the association process.

Active Recon II

  • Changing MAC addresses is necessary for active attacks.
  • The command format for MAC address change in a Linux terminal is: ifconfig wlan0 down, followed by ifconfig wlan0 down hw ether <MAC address>, and ending with ifconfig wlan0 up.
  • Example usage, setting the MAC address to 22:44:66:11:22:23:
    • root@kali:~# ifconfig wlan0 down
    • root@kali:~# ifconfig wlan0 down hw ether 22:44:66:11:22:23
    • root@kali:~# ifconfig wlan0 up
  • Use of a different card is recommended if possible.

Active Wireless Attacks

  • Major vulnerabilities in wireless networks include:
    • WEP cracking
    • Offline brute-forcing of WPA pre-shared keys
    • Active brute-forcing of WiFi Protected Setup
    • Multiple wireless vendor vulnerabilities
  • MAC address changes are important for active attacks.
  • Spoofing a valid client MAC address helps evade detection; the notes recommend a one-digit offset rather than an exact copy.
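The two MAC-address facts in these notes, the OUI prefix and the "one digit off" spoof, are also what a defender checks for. The following is an added example, not code from the course or the page; the OUI table is a constructed stand-in for the IEEE registry, and the vendor names, known-client list and observed addresses are assumptions made up for the demonstration. It extracts the OUI, flags addresses with the locally-administered bit set (a hand-set address such as 22:44:66:11:22:23 from the notes trips it), and reports observed addresses that differ from a known client by only one hex digit.

```python
"""Defender-side checks for the MAC-address tricks in the study notes:
extract the OUI, flag locally administered (software-set) addresses, and
flag observed MACs that sit one hex digit away from a known client."""
import re

# Constructed sample OUI table for this example only; a real lookup uses the
# IEEE registry. The vendor names are illustrative assumptions, not page data.
OUI_TABLE = {
    "00:1A:2B": "ExampleVendor-A",
    "22:44:66": "ExampleVendor-B",
}

# Six hex pairs separated consistently by ':' or '-'.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return the MAC as upper-case, colon-separated; raise on malformed input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.upper().replace("-", ":")


def oui(mac):
    """The first six hex digits (three octets) identify the equipment manufacturer."""
    return normalize_mac(mac)[:8]


def vendor(mac):
    """Vendor name from the constructed table, or 'unknown'."""
    return OUI_TABLE.get(oui(mac), "unknown")


def is_locally_administered(mac):
    """Bit 1 of the first octet set means locally administered, i.e. not a
    burned-in manufacturer address; hand-set addresses often trip this."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def hex_digit_distance(a, b):
    """Number of hex digits that differ between two MAC addresses."""
    da = normalize_mac(a).replace(":", "")
    db = normalize_mac(b).replace(":", "")
    return sum(1 for x, y in zip(da, db) if x != y)


def find_near_duplicates(known_clients, observed, max_distance=1):
    """Flag observed MACs within max_distance hex digits of a known client but
    not identical to it: the 'one digit off' spoof described in the notes.
    Returns (observed, matching_known, distance) tuples."""
    known = sorted({normalize_mac(m) for m in known_clients})
    hits = []
    for seen in observed:
        s = normalize_mac(seen)
        if s in known:
            continue
        for k in known:
            d = hex_digit_distance(s, k)
            if d <= max_distance:
                hits.append((s, k, d))
    return hits


if __name__ == "__main__":
    # Constructed inventory and capture for the demo.
    known = ["00:1A:2B:3C:4D:5E"]
    seen = ["00:1A:2B:3C:4D:5F", "00:1A:2B:3C:4D:5E", "22:44:66:11:22:23"]
    for m in seen:
        print(m, vendor(m), "locally-administered" if is_locally_administered(m) else "burned-in")
    for s, k, d in find_near_duplicates(known, seen):
        print(f"suspicious: {s} is {d} hex digit(s) from known client {k}")
```

Neither check is proof of spoofing on its own: some vendors ship randomised locally-administered addresses, and a one-digit neighbour can be an unrelated device from the same vendor batch. Treat a hit as a reason to correlate with association timestamps and DHCP hostnames from the same capture.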

WEP Cracking

  • WEP cracking relies on packet capture.
  • Packet counts vary, typically between 2,000-200,000 packets.
  • Passive methods to crack WEP might take 15+ minutes and require about 20,000 packets.
  • Airodump is a good tool for initial packet capture.
  • The airmon-ng command is needed to put the network interface into monitor mode.
  • Example command format: root@kali:~# airmon-ng start wlan

WPA Preshared Key Cracking

  • WPA-PSK vulnerabilities are often exploited by brute-forcing offline.
  • Capturing four-way authentication handshakes between client and access point is critical.
  • Default WPA pre-shared keys on residential access points are less secure.
  • airodump-ng is used to monitor network traffic.
  • The command to capture traffic is typically: airodump-ng -w <filename> -c <channel> --bssid <BSSID> mon0 (mon0 being the default monitor-mode interface).
  • If needed, spoofing disassociation messages can be used to force re-association.
  • Create a wordlist using relevant information (company name, phone numbers, etc).
  • hashcat can be utilized for cracking.
