Lec 11 - Wireless Networks and Attacks Overview
24 Questions

Questions and Answers

What is the primary aim of a denial of service attack in a wireless network?

  • To increase the number of connected devices
  • To improve network performance
  • To enhance data encryption
  • To prevent legitimate users from accessing resources (correct)

Which method is used to make a channel appear busy in a Queensland DoS attack?

  • Running heavy data transfers
  • Increasing encryption levels
  • Exploiting CSMA/CA mechanisms (correct)
  • Rapidly switching AP connections

What is the effect of an 802.11 Beacon Flood attack?

  • To increase latency in client connections
  • To strengthen the encryption of data traffic
  • To facilitate legitimate connections to an AP
  • To drown out legitimate access points with counterfeit beacons (correct)

What is the primary purpose of sending invalid TKIP data in 802.11 TKIP MIC Exploit attacks?

  • To exceed the AP's MIC error threshold

Which of the following tools is commonly used for man-in-the-middle attacks on an evil twin AP?

  • Airsnarf

Which attack technique is used to flood a target with EAP-Start messages?

  • 802.1X EAP-Start Flood

What consequence can arise from executing an 802.1X EAP-of-Death attack?

  • Crashing of some access points

What does AP phishing involve?

  • Luring users to provide sensitive information through a fake portal

What is a characteristic of WPA/WPA2 key cracking techniques?

  • They exploit weak password choices or handshakes

In authentication attacks, what is the goal of stealing user credentials?

  • To gain unauthorized access to resources

Which technique is often used in EAP manipulation to gain unauthorized access?

  • Using forged EAP responses

Which method is commonly used for Shared Key Guessing attacks?

  • WEP Cracking Tools

What is the purpose of Wireless Intrusion Prevention Systems (WIPS)?

  • To detect and prevent unauthorized access to wireless networks

What can Wireless Intrusion Prevention Systems (WIPS) help to prevent?

  • Malicious deauthentication attacks

Which of the following tools is commonly associated with flooding techniques against an AP?

  • LORCON

What is a main characteristic of the 802.11 Deauthenticate Flood attack?

  • Forging packets to disconnect users from an AP

What tool can be used for WPA/WPA2 PSK recovery through a dictionary attack?

  • coWPAtty

Which of the following is primarily used for capturing user application login credentials?

  • WinSniffer

Which attack technique is intended for guessing passwords in 802.1X authentication processes?

  • 802.1X Password Guessing

What is the purpose of tools like THC-LEAPcracker in relation to LEAP packets?

  • Crack NT password hashes

Which method can be employed to capture user identities in a network using 802.1X?

  • Cleartext 802.1X Identity Response

What type of attack is used to recover user credentials from captured NetBIOS password hashes?

  • Domain Login Cracking

Which tool is specifically mentioned for executing brute-force attacks on VPN authentication protocols?

  • ike_crack

Which of the following is NOT typically a technique used for cracking user credentials?

  • Beacon flooding

Study Notes

Wireless Network and Network Attacks

  • Wireless networks face various security threats
  • Examples include: lack of physical security, use of untrusted networks, use of untrusted mobile devices, use of applications created by unknown parties, interaction with other systems, use of untrusted content, and use of location services
  • Defense techniques include: changing the router's default username/password and, if possible, the network IP subnet; changing the service set identifier (SSID) and hiding its broadcast; restricting wireless network access by filtering on Media Access Control (MAC) addresses; and using encryption

Wireless Threats: Access Control Attack

  • Aims to penetrate a network by evading WLAN access control measures like AP MAC filters and Wi-Fi port access control.

Types of Access Control Attacks

  • War Driving: Discovering wireless LANs by listening to beacons or sending probe requests, enabling further attack opportunities
  • Rogue Access Points: Placing an unsecured access point inside a firewall, creating a backdoor into a trusted network.
  • Ad Hoc Associations: Connecting directly to an unsecured station to circumvent security measures or for attacks.
  • MAC Spoofing: Reconfiguring an attacker's MAC address to appear as an authorized access point or station.
  • 802.1X RADIUS Cracking: Recovering RADIUS secret by brute force from 802.1X access requests for use by evil twin APs

Wireless Threats: Integrity Attacks

  • Attackers send forged control, management, or data frames over a wireless network to misdirect the wireless device, enabling further attacks
  • 802.11 Frame Injection: Crafting and sending forged 802.11 frames
  • 802.11 Data Replay: Capturing 802.11 data frames for later (modified) replay.
  • 802.1X EAP Replay: Capturing Extensible Authentication Protocol (EAP) messages (e.g., identity, success, failure) for later replay
  • 802.1X RADIUS Replay: Capturing RADIUS Access-Accept or Reject messages for later replay

Wireless Threats: Confidentiality Attacks

  • Attacks aim to intercept sensitive information sent over wireless associations, whether it is sent in clear text or encrypted by Wi-Fi protocols
  • Eavesdropping: Capturing and decoding unprotected application traffic to obtain sensitive information
  • WEP Key Cracking: Capturing data to recover the WEP key using passive or active methods
  • Evil Twin AP: Masquerading as an authorized access point (AP) to lure users
  • AP Phishing: Creating a fake web portal on an evil twin AP to trick users into entering sensitive information
  • Man-in-the-Middle: Running traditional man-in-the-middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels.

Wireless Threats: Availability Attacks

  • Denial of service (DoS) attacks aim to prevent legitimate users from accessing network resources
  • AP Theft: Physically removing an access point from a public area
  • Queensland DoS: Exploiting the CSMA/CA mechanism to make a channel appear busy
  • 802.11 Beacon Flood: Generating many counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP
  • 802.11 Associate/Authenticate Flood: Sending forged Authenticates or Associates from random MACs to fill a target AP's association table

Other Attacks

  • Misconfigured Access Point Attack: Vulnerabilities in access point configuration can allow for exploitation
  • Unauthorized Association: Establishing connections to a network without authorization
  • HoneySpot Access Point attack: Using a decoy access point to trap attackers
  • AP MAC Spoofing: Using a forged MAC address to impersonate a legitimate access point
  • Denial of Service (DoS) attack: Attempts to disrupt the network's functionality by overwhelming it
  • Jamming Signal attack: Disrupting communication by flooding the environment with radio waves

Wireless Threats: Authentication Attacks

  • Stealing the identity of a Wi-Fi client through personal information or login credentials to gain unauthorized access to network resources
  • Shared Key Guessing: Attempting 802.11 shared key authentication with guessed, default, or cracked WEP keys
  • PSK Cracking: Recovering WPA/WPA2 PSK from captured key handshake frames using a dictionary attack
  • Application Login Theft: Capturing user credentials from clear-text application protocols
  • Domain Login Cracking: Recovering user credentials by cracking NetBIOS password hashes
  • VPN Login Cracking: Recovering PPTP or IPsec credentials by brute force
  • 802.1X Identity Theft: Capturing user identities from cleartext 802.1X Identity Response packets
  • 802.1X Password Guessing: Repeatedly attempting 802.1X authentication to guess a user's password
  • 802.1X LEAP Cracking: Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack on the NT password hash

Rogue Access Point Attack

  • Placing a rogue access point in an 802.11 network can hijack the connection of legitimate network users
  • When a user turns on their computer, a rogue access point might offer a connection
  • All traffic will pass through the rogue access point, enabling packet sniffing

Client Mis-association

  • Attackers set up a rogue access point outside the corporate perimeter to lure employees into connecting
  • Once connected, employees potentially bypass enterprise security policies.

Description

This quiz covers the security threats faced by wireless networks and the defense techniques to mitigate these risks. It examines specific access control attacks, such as war driving, and discusses various prevention methods that can be implemented to secure wireless communication. Test your knowledge on protecting wireless networks against unauthorized access.
