Lec 11 - Wireless Networks and Attacks Overview
24 Questions

Questions and Answers

What is the primary aim of a denial of service attack in a wireless network?

  • To increase the number of connected devices
  • To improve network performance
  • To enhance data encryption
  • To prevent legitimate users from accessing resources (correct)

Which method is used to make a channel appear busy in a Queensland DoS attack?

  • Running heavy data transfers
  • Increasing encryption levels
  • Exploiting CSMA/CA mechanisms (correct)
  • Rapidly switching AP connections

What is the effect of an 802.11 Beacon Flood attack?

  • To increase latency in client connections
  • To strengthen the encryption of data traffic
  • To facilitate legitimate connections to an AP
  • To drown out legitimate access points with counterfeit beacons (correct)

What is the primary purpose of sending invalid TKIP data in 802.11 TKIP MIC Exploit attacks?

  • To exceed the AP's MIC error threshold (C)

Which of the following tools is commonly used for man-in-the-middle attacks on an evil twin AP?

  • Airsnarf (D)

Which attack technique is used to flood a target with EAP-Start messages?

  • 802.1X EAP-Start Flood (B)

What consequence can arise from executing an 802.1X EAP-of-Death attack?

  • Crashing of some access points (D)

What does AP phishing involve?

  • Luring users to provide sensitive information through a fake portal (A)

What is a characteristic of WPA/WPA2 key cracking techniques?

  • They exploit weak password choices or handshakes (D)

In authentication attacks, what is the goal of stealing user credentials?

  • To gain unauthorized access to resources (D)

Which technique is often used in EAP manipulation to gain unauthorized access?

  • Using forged EAP responses (A)

Which method is commonly used for Shared Key Guessing attacks?

  • WEP Cracking Tools (B)

What is the purpose of Wireless Intrusion Prevention Systems (WIPS)?

  • To detect and prevent unauthorized access to wireless networks (C)

What can Wireless Intrusion Prevention Systems (WIPS) help to prevent?

  • Malicious deauthentication attacks (B)

Which of the following tools is commonly associated with flooding techniques against an AP?

  • LORCON (D)

What is a main characteristic of the 802.11 Deauthenticate Flood attack?

  • Forging packets to disconnect users from an AP (A)

What tool can be used for WPA/WPA2 PSK recovery through a dictionary attack?

  • coWPAtty (A)

Which of the following is primarily used for capturing user application login credentials?

  • WinSniffer (D)

Which attack technique is intended for guessing passwords in 802.1X authentication processes?

  • 802.1X Password Guessing (C)

What is the purpose of tools like THC-LEAPcracker in relation to LEAP packets?

  • Crack NT password hashes (A)

Which method can be employed to capture user identities in a network using 802.1X?

  • Cleartext 802.1X Identity Response (C)

What type of attack is used to recover user credentials from captured NetBIOS password hashes?

  • Domain Login Cracking (B)

Which tool is specifically mentioned for executing brute-force attacks on VPN authentication protocols?

  • ike_crack (C)

Which of the following is NOT typically a technique used for cracking user credentials?

  • Beacon flooding (B)

    Flashcards

    PSK Cracking

    Recovering a WPA/WPA2 Pre-Shared Key (PSK) from captured key handshake frames using a dictionary attack tool.

    Application Login Theft

    Capturing user credentials (e.g., email address and password) from cleartext application protocols to steal user information.

    Domain Login Cracking

    Recovering Windows login and password by cracking NetBIOS password hashes using brute-force or dictionary attack tools.

    VPN Login Cracking

    Recovering user credentials (e.g., PPTP password or IPsec Preshared Secret Key) by brute-forcing VPN authentication protocols.

    802.1X Identity Theft

    Capturing user identities from cleartext 802.1X Identity Response packets to steal user information.

    802.1X Password Guessing

    Repeating 802.1X authentication attempts to decipher user passwords using a password dictionary.

    802.1X LEAP Cracking

    Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash.

    Password Dictionary Attack

    A method of cracking passwords by systematically testing a list (dictionary) of common passwords.

    802.11 Authentication Flood

    Sending many forged authentication requests to an access point to overwhelm it, potentially causing it to crash or stop working.

    802.11 Deauthentication Flood

    Sending many forged deauthentication messages to an access point, disconnecting users.

    802.1X EAP-Start Flood

    Sending many EAP-Start messages to an access point, consuming its resources, possibly causing it to crash.

    802.1X EAP Failure Attack

    Sending a manipulated EAP failure message to exploit a security vulnerability.

    802.1X EAP-of-Death

    Sending a malformed EAP Identity response intended to crash an access point.

    Shared Key Guessing

    Trying to guess the network password (often the default or a weak one) to gain unauthorized access.

    802.11 TKIP MIC Exploit

    Exploiting a flaw in the Temporal Key Integrity Protocol (TKIP) to overwhelm the access point's error handling by generating invalid TKIP data.

    Authentication Attacks

    Attempting to gain unauthorized access to a network by stealing identities or credentials.

    Evil Twin AP

    A fake access point that pretends to be a legitimate one, luring users to connect to it and potentially steal their data.

    AP Phishing

    Using an evil twin AP to create a fake login portal or web server, aimed at stealing user credentials like logins and credit card numbers.

    Man in the Middle

    Intercepting communication between devices on a network, often using an evil twin AP, to steal sensitive information like passwords or credit card details.

    Availability Attacks

    Attacks aimed at preventing legitimate users from accessing resources on a wireless network, making it unavailable for intended use.

    AP Theft

    Physically removing an access point to disrupt network access or steal the device itself.

    Queensland DoS

    Exploiting vulnerabilities in the Clear Channel Assessment (CCA) mechanism to make a channel appear busy, preventing legitimate devices from accessing the network.

    802.11 Beacon Flood

    Generating a large number of fake 802.11 beacons to overwhelm the network with signals, making it difficult for devices to find a legitimate AP.

    Denial of Service (DoS)

    A type of attack where the goal is to disrupt network operations and make resources unavailable to legitimate users.

    Study Notes

    Wireless Network and Network Attacks

    • Wireless networks face various security threats
    • Examples include: lack of physical security, use of untrusted networks, use of untrusted mobile devices, use of applications created by unknown parties, interaction with other systems, use of untrusted content, and use of location services
    • Defense techniques include changing the router's default username/password and, if possible, the network IP subnet
    • Changing the service set identifier (SSID) and hiding its broadcast
    • Restricting wireless network access by filtering on Media Access Control (MAC) addresses
    • Using encryption

    Wireless Threats: Access Control Attack

    • Aims to penetrate a network by evading WLAN access control measures like AP MAC filters and Wi-Fi port access control.

    Types of Access Control Attacks

    • War Driving: Discovering wireless LANs by listening to beacons or sending probe requests, enabling further attack opportunities
    • Rogue Access Points: Placing an unsecured access point inside a firewall, creating a backdoor into a trusted network.
    • Ad Hoc Associations: Connecting directly to an unsecured station to circumvent security measures or for attacks.
    • MAC Spoofing: Reconfiguring an attacker's MAC address to appear as an authorized access point or station.
    • 802.1X RADIUS Cracking: Recovering RADIUS secret by brute force from 802.1X access requests for use by evil twin APs

    Wireless Threats: Integrity Attacks

    • Attackers send forged control, management, or data frames over a wireless network to misdirect the wireless device, enabling further attacks
    • 802.11 Frame Injection: Crafting and sending forged 802.11 frames
    • 802.11 Data Replay: Capturing 802.11 data frames for later (modified) replay.
    • 802.1X EAP Replay: Capturing Extensible Authentication Protocol (EAP) messages (e.g., identity, success, failure) for later replay
    • 802.1X RADIUS Replay: Capturing RADIUS Access-Accept or Reject messages for later replay

    Wireless Threats: Confidentiality Attacks

    • Attacks aim to intercept sensitive information sent over wireless associations, whether it is sent in clear text or encrypted by Wi-Fi protocols
    • Eavesdropping: Capturing and decoding unprotected application traffic to obtain sensitive information
    • WEP Key Cracking: Capturing data to recover the WEP key using passive or active methods
    • Evil Twin AP: Masquerading as an authorized access point (AP) to lure users
    • AP Phishing: Creating a fake web portal on an evil twin AP to trick users into entering sensitive information
    • Man-in-the-Middle: Running traditional man-in-the-middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels.

    Wireless Threats: Availability Attacks

    • Denial of service (DoS) attacks aim to prevent legitimate users from accessing network resources
    • AP Theft: Physically removing an access point from a public area
    • Queensland DoS: Exploiting the CSMA/CA mechanism to make a channel appear busy
    • 802.11 Beacon Flood: Generating many counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP
    • 802.11 Associate/Authenticate Flood: Sending forged Authenticates or Associates from random MACs to fill a target AP's association table

    Other Attacks

    • Misconfigured Access Point Attack: Vulnerabilities in access point configuration can allow for exploitation
    • Unauthorized Association: Establishing connections to a network without authorization
    • HoneySpot Access Point attack: Using a decoy access point to trap attackers
    • AP MAC Spoofing: Using a forged MAC address to impersonate a legitimate access point
    • Denial of Service (DoS) attack: Attempts to disrupt the network's functionality by overwhelming it
    • Jamming Signal attack: Disrupting communication by flooding the environment with radio waves

    Wireless Threats: Authentication Attacks

    • Stealing the identity of a Wi-Fi client through personal information or login credentials to gain unauthorized access to network resources
    • Shared Key Guessing: Attempting 802.11 shared key authentication with guessed, default, or cracked WEP keys
    • PSK Cracking: Recovering WPA/WPA2 PSK from captured key handshake frames using a dictionary attack
    • Application Login Theft: Capturing user credentials from clear-text application protocols
    • Domain Login Cracking: Recovering user credentials by cracking NetBIOS password hashes
    • VPN Login Cracking: Recovering PPTP or IPsec credentials by brute force
    • 802.1X Identity Theft: Capturing user identities from cleartext 802.1X Identity Response packets
    • 802.1X Password Guessing: Repeatedly attempting 802.1X authentication to guess a user's password
    • 802.1X LEAP Cracking: Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack on the NT password hash

    Rogue Access Point Attack

    • Placing a rogue access point in an 802.11 network can hijack the connection of legitimate network users
    • When a user turns on their computer, a rogue access point might offer a connection
    • All traffic will pass through the rogue access point, enabling packet sniffing

    Client Mis-association

    • Attackers set up a rogue access point outside the corporate perimeter to lure employees into connecting
    • Once connected, employees potentially bypass enterprise security policies.

    Description

    This quiz covers the security threats faced by wireless networks and the defense techniques to mitigate these risks. It examines specific access control attacks, such as war driving, and discusses various prevention methods that can be implemented to secure wireless communication. Test your knowledge on protecting wireless networks against unauthorized access.