Chapter 7 - Part 1 Remote Targeting - PDF

Summary

A presentation on remote targeting, focusing on wireless systems, reconnaissance, and tools. It discusses technologies like 802.11b/g/n and explains how to identify vulnerabilities and target systems.

Full Transcript


CHAPTER 7 Phase III: Remote Targeting, Part One

PHASE III: REMOTE TARGETING INTRODUCTION
Identifying and targeting wireless systems is really the core of this phase. It allows you to maintain some of the most important criteria for an APT hacker: wireless systems are everywhere, and they allow us to preserve our anonymity. First we must determine if there are any relations of target employees that we should attempt to spear phish.

PHASE III: REMOTE TARGETING INTRODUCTION
Then we will move on to wireless reconnaissance. We will attempt to compromise any wireless networks we identify by targeting a few key vulnerabilities. If we are unsuccessful in our attempt to compromise a wireless network, we will move on to targeting wireless client services.

REMOTE PRESENCE RECONNAISSANCE
We want to find as much information as we can related to any targeted employees who work remotely for our target organization. This includes identifying:
- The target organization's policy on remote workers
- Anything from public resources
- Home address
  (This is easy using online services like Spokeo and Intelius; you can get a history of addresses.)
- Office location
- Lunch places

SOCIAL SPEAR PHISHING
This must build on the social engineering phase. You can also target the employee's family members; through family members you might get information from emails for the targeted employee. By compromising a system at the target employee's home, we can use this system to pivot and directly attack the employee's computer.

WIRELESS PHASES
To most effectively target wireless systems and vulnerabilities, we will perform this phase of the attack in the following order:
1. Wireless reconnaissance
2. Attack wireless access points
3. Attack wireless clients

WIRELESS PHASES
During wireless reconnaissance, we will seek to identify target wireless networks and wireless clients belonging to the target organization. Once we identify potentially vulnerable wireless networks, we can begin attacking them. If we cannot compromise any of the identified wireless networks, then we move on to targeting wireless clients. You have a time limit, say 45 minutes if the target is in a coffee shop, before leaving. Even if the wireless network turns out not to be vulnerable to a direct attack, we can target the clients at the location.

SLIDE: REMOTE EDGE ACCESS POINTS

APT WIRELESS TOOLS
Beyond the obvious requirements of a laptop and a wireless network card, there are a few tools that prove to be helpful in this phase. You will want to look for certain features when choosing the right wireless network card, including:
- Wireless standards supported
- Antenna supported
- Connection type
- Power
- Chipset type

WIRELESS TECHNOLOGIES
First consider the connection type of the wireless card. The typical PCMCIA card type for laptops seems like an obvious choice, but a USB card will allow you to connect the adapter to many more devices. A USB connection will also allow you to position the adapter and antenna a little more easily. A few popular choices include the Alfa card and PRISM cards shown in the following figure.

SLIDE:
ALFA CARD AND PRISM CHIPSET CARD

WIRELESS TECHNOLOGIES
We will also want to make sure we cover as many (if not all) wireless spectrums and technologies as possible. Today, the most popular wireless technologies are 802.11b/g/n, and many places still use 802.11a; these technologies should be targeted. Many of the most common modern cards will support 802.11b, g and n, as they all operate on the 2.4 GHz spectrum. The 802.11a standard operates in the 5 GHz range, but you can still find some cards that support all of these technologies. Newer technologies most likely won't implement the Wired Equivalent Privacy (WEP) protocol, but they will still be susceptible to sniffing of unencrypted traffic and might even be vulnerable to spoofed management traffic, rogue devices, and others.

RASPBERRY PI MICROCOMPUTER / WIRELESS TECHNOLOGIES
Many good low-priced microcomputers are currently available. These will give us all the features needed and allow us to run all of the tools. Perfect examples include the Raspberry Pi and GuruPlug. These microcomputers can cost as little as $50 and typically won't go much higher than $150, making them perfect for our uses.

WIRELESS ANTENNAS
One of the most important options in the card you choose will be not only the quality of the included antenna but also the ability of the card to use an external antenna. It is important to understand that a wireless antenna on one device actually improves both transmission and reception of radio frequency (RF) signals. The gain provided by an antenna is measured in dBi, or decibels isotropic.

WIRELESS ANTENNAS
Although there are many different types of antennas, there are two basic choices:
- Directional antenna
- Omnidirectional antenna
Directional antennas may also be referred to as Yagi-Uda antennas, or just Yagi antennas. Omnidirectional antennas radiate in all directions from the antenna; they are more appropriate when we do not know where our target is, and they are the choice when performing our malicious access point attacks.
Directional antennas are used for point-to-point links, between two access points or between our client and an access point.

FIGURE: DIRECTIONAL & OMNIDIRECTIONAL RF ANTENNAS

CONNECTION TYPE
The most important feature of the wireless card we will have to consider is the connector type for an upgraded antenna. Most external wireless cards will come with a "rubber ducky" antenna, which is typically a small, low-gain omnidirectional antenna like the one on the Alfa card. You should also be aware that the longer the cable from the antenna to the wireless radio, the more loss. If you find you need a few extra feet for the perfect setup, then using a longer USB cable rather than a longer antenna cable is probably the way to go.

POWER
The power output of the card is also an important factor. Power is typically measured in dBm or watts. It only increases your transmission strength, not your receiving strength. There are legal limitations to the output power of radios that are unique to each country, and there are different power limits for point-to-point links and point-to-multipoint links. The number that is most concerning to us is the maximum output power of our radio, which in the United States is 30 dBm or 1 watt. You can get an effectively higher rating by adding a 6-dBi-gain antenna.

POWER
In order to find out the power and other information, you can use the Kali command:
root@kali : $ iwconfig
If the power setting is limited, then you can change the region. For example, first bring the interface down:
root@kali : $ ifconfig wlan0 down
Then we select another region, such as New Zealand, which might allow higher power, and set that up:
root@kali : $ iw reg set NZ
root@kali : $ ifconfig wlan0 up
root@kali : $ iwconfig wlan0 txpower 30
root@kali : $ iwconfig wlan0
root@kali : $ iw reg get
The last command shows you the current region information.

CHIPSET
Choosing the right card and chipset will dictate which channels and features the card supports.
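The POWER and CONNECTION TYPE slides above put several dB figures side by side (30 dBm versus 1 watt, a 6 dBi antenna, loss per foot of antenna cable) without showing the arithmetic that ties them together. The following Python is an added example, not code from the slides or from any tool they mention: it converts between dBm and milliwatts, adds antenna gain, subtracts feed-line loss, and reports the resulting EIRP against a limit. The per-100-ft cable loss figures and the cable lengths are assumed sample values; the 36 dBm default limit is the 2.4 GHz point-to-multipoint EIRP figure that the slide's "30 dBm plus a 6 dBi antenna" adds up to.

```python
import math

# Added example (not from the original slides): dB arithmetic behind the
# "POWER" and "CONNECTION TYPE" discussion of wireless cards and antennas.


def dbm_to_mw(dbm: float) -> float:
    """Convert a power level in dBm to milliwatts (0 dBm = 1 mW, 30 dBm = 1000 mW)."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    """Convert milliwatts to dBm."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw)


def cable_loss_db(length_ft: float, loss_per_100ft_db: float) -> float:
    """Attenuation of a coax run from antenna to radio.

    The per-100-ft figure comes from the cable datasheet at the operating
    frequency; the values used below are assumed sample numbers.
    """
    return length_ft * loss_per_100ft_db / 100.0


def eirp_dbm(tx_power_dbm: float, antenna_gain_dbi: float, feed_loss_db: float = 0.0) -> float:
    """Effective isotropic radiated power: radio output + antenna gain - feed-line loss."""
    return tx_power_dbm + antenna_gain_dbi - feed_loss_db


def link_budget(tx_power_dbm: float, antenna_gain_dbi: float,
                cable_ft: float = 0.0, loss_per_100ft_db: float = 0.0,
                eirp_limit_dbm: float = 36.0) -> dict:
    """Summarise a transmit setup and flag whether it stays under the EIRP limit.

    eirp_limit_dbm defaults to 36 dBm, i.e. the 30 dBm radio plus 6 dBi antenna
    the slide describes; pass the figure for your own regulatory domain.
    """
    loss = cable_loss_db(cable_ft, loss_per_100ft_db)
    eirp = eirp_dbm(tx_power_dbm, antenna_gain_dbi, loss)
    return {
        "cable_loss_db": round(loss, 2),
        "eirp_dbm": round(eirp, 2),
        "eirp_mw": round(dbm_to_mw(eirp), 1),
        "within_limit": eirp <= eirp_limit_dbm + 1e-9,
    }


if __name__ == "__main__":
    # 30 dBm radio, 6 dBi antenna, no cable: exactly the slide's 1 W + 6 dBi case.
    print(link_budget(30, 6))
    # Same radio with a 9 dBi antenna on 10 ft of coax (assumed 6.8 dB/100 ft): over the limit.
    print(link_budget(30, 9, cable_ft=10, loss_per_100ft_db=6.8))
    # Why the slide prefers a longer USB cable: 25 ft of the same coax costs 1.7 dB of the
    # antenna's gain, while USB carries only data and loses nothing from the RF path.
    print(link_budget(30, 6, cable_ft=25, loss_per_100ft_db=6.8))
```

The useful habit the numbers teach is that gain and loss simply add in dB: every 3 dB roughly doubles or halves the power in milliwatts, so a few decibels lost in a long antenna cable can cancel most of what an upgraded antenna was bought for.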
A few major drivers are available for Linux, which include:
- PRISM (Programmable Radio in the ISM Band)
- Atheros MadWifi
- mac80211
You can view the capabilities of the card using the iw list command. Your driver should support passive and monitor modes.

WIRELESS RECONNAISSANCE
We need to gather as much information as we can about:
- Network topology
- Clients
- Remote workers
This is considered active reconnaissance, and it is a challenge for us because our physical activities can be detected.

INTERNET WIRELESS RECONNAISSANCE
Hopefully you will find good information related to wireless technologies during the reconnaissance phase. Start with the basics; some search terms include:
- Wireless
- WiFi
- Guest wireless
- Guest access
- Guest internet

ACTIVE WIRELESS RECON
Before we know which wireless attack will be the most effective, we need to identify whether there are any access points to target. You will perform active wireless reconnaissance in two steps:
1. Focus on identifying wireless access points and networks. This is to identify all the BSSIDs available.
2. Follow up and investigate specific networks of interest, seeking to identify wireless clients.
Wireless client devices will be more valuable for us to compromise than a wireless network.

ACTIVE WIRELESS RECON
Beacon frames are sent by access points to periodically announce the existence and capabilities of the wireless network, such as:
- Name (SSID)
- Data rates
- Timing
- Etc.
Beacon frames are also sent by client devices when participating in an ad hoc wireless network, also called an independent basic service set (IBSS).

FIGURE: DIFFERENCE BETWEEN BEACON AND NETWORK PROBES

ACTIVE WIRELESS RECON
We have three primary tools to perform active wireless reconnaissance:
- Kismet
- Airodump
- Android apps
Kismet has long been the de facto tool for wireless enumeration and, in particular, has been preferred for war driving.
We will use Airodump when seeking to enumerate additional information and specifically identify client devices associated with the target organization.

ACTIVE WIRELESS RECON
In Kali Linux, Kismet comes preinstalled and ready to roll. Simply open a terminal window and type kismet; you will see the image in the following figure. Kismet actually uses a client/server model, which allows you to set up capture sources on remote systems and forward them to a central server, but we will just be using capture sources on our local system.

ACTIVE WIRELESS RECON
Airodump is part of the Aircrack-ng suite, and although it is geared towards attacking individual networks, it is a good option for wireless recon. The most basic usage of airodump is the following command:
root@kali : $ airodump-ng -w out mon0
This will cause airodump to start listening on the mon0 interface and use the prefix "out" for all saved files.

ACTIVE WIRELESS RECON
There are a few good Android apps available for wireless recon. Two of the best are Wardrive and WiGLE Wifi Wardriving. The GPS functionality in both of these allows you to display the data natively within a map; see the following figure.

FIGURE: ANDROID WARDRIVE APP MAP VIEW

ACTIVE WIRELESS RECON
War driving is used when the building cannot be accessed or laptops and cell phones are not allowed; then, for recon, we use a vehicle or walk around.
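The beacon-frame slide and the Kismet/Airodump slides above describe the same data from two sides: an access point announces its SSID, rates, channel and capabilities in every beacon, and recon tools list those fields per BSSID. The Python below is an added example, not code from the slides, from Kismet or from Aircrack-ng: it decodes those fields from raw 802.11 beacon frames and then applies the check a network defender runs over the same capture, flagging any beacon that carries the organisation's SSID from a BSSID that is not on the allow list (a rogue or look-alike access point) or that advertises an authorised SSID as an open network. The BSSIDs, SSIDs and frames are constructed for this example; the small frame builder exists only to produce that sample input.

```python
import struct

# Added example (not the slides' or any tool's code): decode the fields an
# 802.11 beacon carries and check them against an allow list of known APs.

BROADCAST = b"\xff" * 6
HEADER_FMT = "<HH6s6s6sH"   # frame control, duration, addr1, addr2, addr3, seq ctrl (24 bytes)
FIXED_FMT = "<QHH"          # timestamp, beacon interval, capability info (12 bytes)
CAP_PRIVACY = 0x0010        # capability bit: network requires encryption


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: bytes, ssid: str, channel: int, privacy: bool = True,
                 rates=(0x82, 0x84, 0x8B, 0x96)) -> bytes:
    """Construct a minimal beacon frame; used only to create sample input here."""
    header = struct.pack(HEADER_FMT, 0x0080, 0, BROADCAST, bssid, bssid, 0)  # subtype 8 = beacon
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)                            # ESS bit always set
    fixed = struct.pack(FIXED_FMT, 0, 100, cap)                                # 100 TU interval
    body = bytes([0, len(ssid)]) + ssid.encode()                               # tag 0: SSID
    body += bytes([1, len(rates)]) + bytes(rates)                              # tag 1: supported rates
    body += bytes([3, 1, channel])                                             # tag 3: DS parameter set
    return header + fixed + body


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID, channel, rates and privacy flag from a beacon frame."""
    if len(frame) < struct.calcsize(HEADER_FMT) + struct.calcsize(FIXED_FMT):
        raise ValueError("frame too short for a beacon")
    fc, _dur, _addr1, _addr2, addr3, _seq = struct.unpack_from(HEADER_FMT, frame, 0)
    if fc & 0x00FC != 0x0080:   # type 0 (management), subtype 8 (beacon); version bits ignored
        raise ValueError("not a beacon frame")
    _ts, interval, cap = struct.unpack_from(FIXED_FMT, frame, 24)
    info = {"bssid": mac_str(addr3), "ssid": "", "channel": None,
            "rates_mbps": [], "privacy": bool(cap & CAP_PRIVACY), "interval_tu": interval}
    off = 36
    while off + 2 <= len(frame):            # walk the tag/length/value list
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")   # a monitor must survive bad frames
        off += 2 + length
        if tag == 0:
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 1:
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in value]  # 500 kbps units, MSB = basic rate
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
    return info


def find_rogue_aps(frames, authorized):
    """authorized maps SSID -> set of BSSIDs allowed to advertise it.

    Returns (ssid, bssid, reason) for beacons that violate the allow list.
    """
    findings = []
    for frame in frames:
        try:
            b = parse_beacon(frame)
        except ValueError:
            continue                        # skip non-beacons and malformed frames
        if b["ssid"] not in authorized:
            continue                        # somebody else's network; not our concern here
        if b["bssid"] not in authorized[b["ssid"]]:
            findings.append((b["ssid"], b["bssid"], "unknown BSSID advertising corporate SSID"))
        elif not b["privacy"]:
            findings.append((b["ssid"], b["bssid"], "authorized AP advertising an open network"))
    return findings


# Constructed sample data: SSIDs and BSSIDs are made up for this example.
AUTHORIZED = {"CorpWifi": {"00:11:22:33:44:55", "00:11:22:33:44:66"}}
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334455"), "CorpWifi", 6),
    build_beacon(bytes.fromhex("001122334466"), "CorpWifi", 11, privacy=False),
    build_beacon(bytes.fromhex("deadbeef0001"), "CorpWifi", 1),      # unknown BSSID, same SSID
    build_beacon(bytes.fromhex("aabbccddeeff"), "CoffeeShop", 6),
    b"\x80\x00\x00",                                                  # truncated junk
]

if __name__ == "__main__":
    for finding in find_rogue_aps(SAMPLE_FRAMES, AUTHORIZED):
        print(finding)
```

On a real capture the frames would come from a pcap written by a monitor-mode interface, and the allow list from the wireless controller's inventory; the parser deliberately treats any short or malformed frame as something to skip rather than something to trust, since a monitoring process that crashes on one bad frame is easy to silence.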
