Chapter 7 Part 2: Active Wireless Recon

Summary

This document discusses active wireless reconnaissance and attacks, covering various protocols and tools. It details methods for identifying vulnerabilities and enumerating client information.

Full Transcript


CHAPTER 7 Phase III: Remote Targeting Part Two

ACTIVE WIRELESS RECON II

After performing the first round of recon, we now review all the data for interesting and useful information. We want to review:
- WEP (networks using Wired Equivalent Privacy)
- WPA-PSK (networks using WPA Pre-Shared Key mode)
- WPA-Enterprise (networks using WPA Enterprise mode)
- Captured packets
- Associated clients

ACTIVE WIRELESS RECON II

Both Kismet and airodump have the capability of logging PCAP files, which we can open with Wireshark. Take your time to also review any information related to client devices besides analyzing the PCAP files. The files will contain all of the basic information such as:
- BSSID
- Client devices
- Associated clients
- Probing clients
- Channels

ACTIVE WIRELESS RECON II

Other data included:
- The times specific clients or networks were first and last seen
- The total number of packets seen from each device
- Helpful information about the packets observed
Both Kismet and airodump also log to XML files by default. Both tools can also show you the wireless networks for which a client device probed. This information can help determine which clients might be owned by the target organization.

ACTIVE WIRELESS RECON II

The probed network could also indicate the owner of the client device. If we see a probe for YURICH_HOME and we had identified an employee named Tom Yurich, this might be a strong indication of the owner. Keep in mind that some client devices may not probe for other configured networks while connected to a network. If we are lucky, we will find some obvious networks of interest; for example, the SSID might include part of the target organization's name. If we have positively identified a target network, we will want to look up the OUI of the BSSID.

ACTIVE WIRELESS RECON II

The OUI of a MAC address is the first six hexadecimal digits, which are uniquely assigned to each manufacturer of network equipment.
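The review described above (WEP networks, cloaked SSIDs, associated and probing clients, OUI of each BSSID) is routine for a wireless audit of one's own estate as well. The following is an added example, not code from the page or from the aircrack-ng project: it parses a constructed sample in the CSV layout airodump-ng writes alongside its PCAP, and produces that summary. The OUI_TABLE excerpt and every MAC, timestamp and ESSID in the sample are assumptions made for the example; a real review loads the full IEEE OUI registry.

```python
"""Review of airodump-ng CSV output: flag WEP and cloaked networks, map
associated clients to BSSIDs, collect probed ESSIDs and look up OUIs."""
import json
from collections import defaultdict

# Hypothetical excerpt of the IEEE OUI registry (assumption for this example);
# a real review loads the full registry file.
OUI_TABLE = {
    "00:0C:29": "VMware",
    "B8:27:EB": "Raspberry Pi Foundation",
}

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an access-point section, a blank line, then a station (client) section.
# Probed ESSIDs in the last station column are separated by bare commas.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:E9:FF:34:E7:F4, 2024-05-01 09:00:00, 2024-05-01 09:30:00, 1, 54, WEP, WEP, , -41, 300, 20000, 0. 0. 0. 0, 8, ACME-LAB,
B8:27:EB:12:34:56, 2024-05-01 09:01:00, 2024-05-01 09:30:00, 6, 54, WPA2, CCMP, PSK, -55, 250, 0, 0. 0. 0. 0, 0, ,
00:0C:29:AA:BB:CC, 2024-05-01 09:02:00, 2024-05-01 09:29:00, 11, 54, WPA2, CCMP, MGT, -60, 200, 0, 0. 0. 0. 0, 9, ACME-CORP,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-05-01 09:05:00, 2024-05-01 09:28:00, -50, 120, 02:E9:FF:34:E7:F4, ACME-LAB,YURICH_HOME
AA:BB:CC:DD:EE:01, 2024-05-01 09:06:00, 2024-05-01 09:27:00, -62, 30, (not associated), ACME-CORP,Coffee_Guest
AA:BB:CC:DD:EE:02, 2024-05-01 09:07:00, 2024-05-01 09:29:00, -58, 75, 00:0C:29:AA:BB:CC,
"""


def parse_airodump_csv(text):
    """Return (access_points, stations): lists of dicts keyed by header name."""
    aps, stations = [], []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        header = [h.strip() for h in lines[0].split(",")]
        rows = []
        for ln in lines[1:]:
            # the last column (Key / Probed ESSIDs) may itself contain commas
            values = [v.strip() for v in ln.split(",", maxsplit=len(header) - 1)]
            values += [""] * (len(header) - len(values))  # tolerate short rows
            rows.append(dict(zip(header, values)))
        if header[0] == "BSSID":
            aps.extend(rows)
        elif header[0] == "Station MAC":
            stations.extend(rows)
    return aps, stations


def oui(mac):
    """The OUI is the first three octets (six hex digits) of the MAC."""
    return ":".join(mac.upper().split(":")[:3])


def review(text):
    """Summarise the capture the way the recon review above describes."""
    aps, stations = parse_airodump_csv(text)
    clients = defaultdict(list)
    probes = {}
    for st in stations:
        if st["BSSID"] != "(not associated)":
            clients[st["BSSID"]].append(st["Station MAC"])
        probed = [p for p in st["Probed ESSIDs"].split(",") if p]
        if probed:
            probes[st["Station MAC"]] = probed
    return {
        "wep": [ap["BSSID"] for ap in aps if ap["Privacy"].upper().startswith("WEP")],
        "cloaked": [ap["BSSID"] for ap in aps if ap["ESSID"] == ""],
        "vendor": {ap["BSSID"]: OUI_TABLE.get(oui(ap["BSSID"]), "unknown") for ap in aps},
        "clients": dict(clients),
        "probes": probes,
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_CSV), indent=2))
```

Run against a real airodump-ng CSV, the "wep" and "cloaked" lists are the networks to remediate first, and the "probes" map shows which client devices are leaking the names of other networks they have joined.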
This information can be surprisingly useful. If you identified any networks that were cloaked, you will want to go back and attempt to enumerate the SSID as part of the second phase. We can force the association process by spoofing a disassociation message to the client, using the aireplay-ng command.

ACTIVE WIRELESS RECON II

We can spoof this message with the following command:
root@kali:~# aireplay-ng --deauth=5 -a <BSSID> -c <client MAC> mon0
From the client device's perspective, this looks no different from a legitimate disassociation message, and a person sitting at the computer will simply see the wireless go down and almost immediately come back up.

ENUMERATE CLIENT INFO

After performing our initial wireless recon, we will shift focus to enumerating wireless client information for two reasons:
- Either we identified a wireless network that we cannot positively associate with any particular company,
- Or all of the wireless networks positively identified as belonging to the target organization are not vulnerable to direct exploitation.
After identifying the client's network, we move to attacking the client device.

ENUMERATE CLIENT INFO

If we are really lucky, we might have captured packets during the wireless network recon that can help indicate the ownership and type of the client device.
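A spoofed disassociation is indistinguishable from a real one frame by frame, as the text says, so a wireless IDS detects it by rate instead: one client leaving sends a single frame, while a forced disconnect arrives as a burst. The following is an added example, not code from the page or from any IDS product: a sliding-window rule over constructed frame records (timestamp, subtype, source, destination) that flags any sender whose deauthentication or disassociation frames reach a threshold within a short window. The MAC addresses reuse the page's examples; the timings are assumptions.

```python
"""Toy wireless-IDS rule: flag senders that emit a burst of deauthentication
or disassociation frames, the pattern a spoofed disassociation produces.
The frames below are constructed, not captured."""
from collections import defaultdict, deque

AP = "02:E9:FF:34:E7:F4"        # BSSID from the airodump example on this page
CLIENT = "11:22:33:44:55:66"    # client MAC from the MAC-spoofing example
OTHER_AP = "B8:27:EB:12:34:56"  # hypothetical second access point

# (seconds, frame subtype, source MAC, destination MAC)
FRAMES = (
    [(0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff")]
    # eight deauth frames apparently from the AP to one client within 1.4 s
    + [(10.0 + 0.2 * i, "deauth", AP, CLIENT) for i in range(8)]
    # a single deauth as a client leaves normally
    + [(30.0, "deauth", CLIENT, AP)]
    # two frames three seconds apart from another AP
    + [(50.0, "disassoc", OTHER_AP, CLIENT), (53.0, "disassoc", OTHER_AP, CLIENT)]
)

DEAUTH_SUBTYPES = {"deauth", "disassoc"}


def deauth_bursts(frames, threshold=5, window=2.0):
    """Return {source MAC: peak count} for senders whose deauth/disassoc
    frames reach `threshold` within any `window`-second span."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, subtype, src, _dst in sorted(frames):
        if subtype not in DEAUTH_SUBTYPES:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for src, n in deauth_bursts(FRAMES).items():
        print(f"deauth burst: {n} frames from {src} within 2 s")
```

The threshold and window are tuning knobs: a roaming-heavy office will need a higher threshold than a small lab. The structural fix is 802.11w Protected Management Frames (mandatory in WPA3), under which deauthentication and disassociation frames are authenticated and a client discards ones it cannot verify.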
There are protocols that could reveal the organization responsible for the client device; the following are core protocols that you are likely to see frequently:
- DHCP: could include the device hostname in the request
- NetBIOS: broadcasts could reveal the domain name of the client as well as its hostname
- HTTP: requests could include the web server name in the Host header or client information, as cleartext data
- DNS: it is common for software such as antivirus, endpoint management, or even the operating system to automatically query for servers or client information

STEALTH PHYSICAL RECON

Remember, this is the very first attack phase in which we have had to leave the comfort of our chair and the cozy warmth of an anonymous Internet connection. We will review some tips here that are specific to maintaining stealth during wireless reconnaissance. If the situation you find yourself in is unique and requires a little more physical presence, there are examples of how to do this in chapters 8 and 9, but we will not cover them here as they require physical infiltration. Not only should you be adhering to the APT strategy of KISS, but you can benefit from some of the social engineering concepts from the previous chapter, for example the concept of acting congruently with your story.

STEALTH PHYSICAL RECON

To begin your stealth recon operations:
- If there are good public or common areas, these can be the perfect location to set up shop and begin your recon.
- Consider other buildings that are close, such as hotels, coffee shops, libraries, and even restaurants, where it is common for someone to bring his or her laptop and sit for a long period of time.
- Use a secluded location where you can leave your laptop, or a car left running for a long time with the laptop on.

STEALTH PHYSICAL RECON

Aerial drones are also used, especially by many government agencies, to spy on people. If the area is heavily restricted, we could also consider mailing a device to the target organization.
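The DHCP item in the list above is the easiest of the four to verify on your own network: the hostname (option 12) and vendor class identifier (option 60) travel in cleartext in every DHCPDISCOVER and DHCPREQUEST. The following is an added example, not code from the page: a small DHCP option parser run over a constructed DISCOVER payload, showing exactly which identity fields a client broadcasts before it has even joined the network. The MAC, hostname and vendor class in the sample are assumptions; "MSFT 5.0" is the vendor class string Windows clients send, but this payload is built here, not captured.

```python
"""Parse the options field of a DHCP payload and report the identity
details a client broadcasts in cleartext (hostname, vendor class, MAC)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # marks the start of DHCP options
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_VENDOR_CLASS = 12, 53, 60
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_discover(mac, hostname, vendor_class):
    """Construct a minimal DHCPDISCOVER payload (sample input, not captured)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    # BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes)
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, 1])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
               + b"\xff")                              # end option
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(payload):
    """Return {option code: raw bytes}; tolerates pad, end and truncation."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a BOOTP/DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(payload):
            break              # truncated length byte
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def leaked_identity(payload):
    """Identity fields visible to anyone on the segment, or None if absent."""
    opts = parse_dhcp_options(payload)
    hlen = payload[2]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg = opts.get(OPT_MSG_TYPE, b"")
    return {
        "client_mac": mac,
        "message_type": MESSAGE_TYPES.get(msg[0]) if msg else None,
        "hostname": opts.get(OPT_HOSTNAME, b"").decode(errors="replace") or None,
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode(errors="replace") or None,
    }


if __name__ == "__main__":
    sample = build_discover("11:22:33:44:55:66", "TYURICH-LAPTOP", "MSFT 5.0")
    print(leaked_identity(sample))
```

A hostname built from a user's name, as in the sample, is what the page's "identify the owner" reasoning feeds on; an inventory that enforces non-descriptive hostnames removes that signal without touching the protocol.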
The device we ship could be a phone, tablet, modified access point, or microampere device with an extra battery, which can connect remotely to perform recon. Wardriving is also another option, not only with a car but with any type of transportation. Remember what you are trying to accomplish and that maintaining anonymity and stealth are key here, so think through everything that someone might observe while you are wardriving or in a parked car.

ACTIVE WIRELESS ATTACKS

There are four major vulnerabilities we will look for today to compromise a target network identified in wireless recon. There are many more, but for now these are:
- Cracking WEP
- Offline brute-forcing of WPA preshared keys
- Active brute-forcing of WiFi Protected Setup
- Multiple wireless vendor vulnerabilities

ACTIVE WIRELESS ATTACKS

For any active attack, you will want to change the MAC address of any of your radio devices. This is easy to do from a Linux terminal. You just need to first bring your interface down and then set the MAC address, as in the following:
root@kali:~# ifconfig wlan0 down
root@kali:~# ifconfig wlan0 hw ether 22:44:66:11:22:23
root@kali:~# ifconfig wlan0 up

ACTIVE WIRELESS ATTACKS

If this is the case, you should not be using that card for any active recon or active attack. You can set your MAC to be just one digit off from a client MAC seen during recon. For example, if a valid client MAC address is 11:22:33:44:55:66, we could set our MAC address by changing the last digit to 7. This would definitely add a little bit of frustration to any forensic investigation of our wireless activities.

WEP CRACKING

The weakness in WEP relies on us collecting a certain amount of packets, which are then used to deduce the key. The number of packets can vary greatly between networks, but generally falls between 2,000 and 200,000 packets. The fastest crack of a WEP key using the active (not passive) method was within 15 minutes after collecting about 20,000 packets.
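The "one digit off" trick above is exactly what a forensic reviewer with an authorized-device inventory should look for, and a hand-set MAC like 22:44:66:11:22:23 carries a second tell: its first octet has the locally-administered bit set, which vendor-burned addresses normally do not. The following is an added example, not code from the page: it compares an observed station list against an inventory and flags addresses that are within one hex digit of an authorized entry or that are locally administered. The inventory and observation lists are constructed, reusing the page's example addresses.

```python
"""Check an observed station list against an authorized-device inventory:
flag MACs one hex digit away from an authorized MAC (the 'change the last
digit' trick) and MACs with the locally-administered bit set."""


def normalize(mac):
    """Lower-case 12 hex digits, separators removed."""
    return mac.lower().replace(":", "").replace("-", "")


def hex_digit_distance(a, b):
    """Number of hex digits that differ between two MAC addresses."""
    return sum(x != y for x, y in zip(normalize(a), normalize(b)))


def locally_administered(mac):
    """Bit 1 of the first octet marks a locally administered (non-vendor) MAC."""
    return int(normalize(mac)[:2], 16) & 0x02 != 0


def suspicious_macs(observed, authorized, max_distance=1):
    """Return findings for observed MACs that are not in the inventory but
    are within `max_distance` hex digits of an entry, or are locally administered."""
    inventory = {normalize(m): m for m in authorized}
    findings = []
    for mac in observed:
        if normalize(mac) in inventory:
            continue
        near = [orig for norm, orig in inventory.items()
                if hex_digit_distance(mac, norm) <= max_distance]
        local = locally_administered(mac)
        if near or local:
            findings.append({"mac": mac, "near": near, "locally_administered": local})
    return findings


# Constructed inventory and observation list.
AUTHORIZED = ["11:22:33:44:55:66", "AA:BB:CC:DD:EE:02"]
OBSERVED = ["11:22:33:44:55:66", "11:22:33:44:55:67",
            "22:44:66:11:22:23", "A4:5E:60:00:00:01"]

if __name__ == "__main__":
    for finding in suspicious_macs(OBSERVED, AUTHORIZED):
        print(finding)
```

The locally-administered check will also flag phones that randomize their MAC per network, so on a guest network it is noise; on a corporate SSID with a fixed inventory it is a useful signal. Neither check proves spoofing on its own; they pick out which stations deserve a closer look at timing, signal strength and sequence numbers.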
The best tool to capture these packets is airodump, where the default display gives us valuable information with little fluff.

WEP CRACKING

First we need to put our interface into monitor mode using the airmon-ng command as follows:
root@kali:~# airmon-ng start wlan0
After we identify the BSSID and channel of the target network, we can configure airodump to monitor only that network using the following command:
root@kali:~# airodump-ng -w out -c 1 --bssid 02:E9:FF:34:E7:F4 mon0
In this example, we are telling airodump to save all the files with the prefix out (-w out), to listen only on channel 1 and not channel hop (-c 1), and to only log packets for the target BSSID of 02:E9:FF:34:E7:F4 (--bssid); the final option is the monitor-mode interface to listen on.

WEP CRACKING

After we have started capturing packets with airodump, we can start the cracking session with Aircrack. Simply use the aircrack-ng command, giving as the only argument the PCAP files that contain the captured packets, as in the following example:
root@kali:~/wep# aircrack-ng *.cap
Once you have obtained enough packets, you will see output from Aircrack showing the recovered key. The total elapsed time could be 30 minutes and capturing over 60,000 packets. If you want it faster, then use:
root@kali:~# aireplay-ng --arpreplay -b <BSSID> mon0

WPA PRESHARED KEY CRACKING

The only meaningful vulnerability through which we can compromise a wireless network configured with WPA-PSK is to brute-force the key offline. This is a straightforward attack and one that is entirely passive: all we have to do is capture the four-way authentication handshake between a client and access point. Many more residential-grade access points are coming with default WPA preshared keys, which are relatively strong and much more "random" than those chosen by end users.

WPA PRESHARED KEY CRACKING

Using airmon-ng in a similar way to the WEP cracking example, we will monitor all packets for the target BSSID and channel.
We then use aircrack-ng with the wordlist option and the captured packets. If we failed to capture the necessary authentication packets, we will see an error. Just as when capturing the SSID of a cloaked network, we can send the same spoofed disassociation message to disconnect a client from an access point, after which the client will go through the association and authentication processes again. Once we have captured the authentication handshake, we use the aircrack-ng command.

WPA PRESHARED KEY CRACKING

We want to create a password list that contains all of the following words and values, and then create permutations based on all of these words:
- Company name, including acronyms or any variations
- Company information, including physical location
- Phone numbers
- WiFi
- WLAN
- Wireless
To do this, we will use the hashcat program.
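Because the offline attack is passive and the handshake can be re-captured at will, the only control on the defender's side is the key itself, and the list above is precisely the token set a targeted wordlist is permuted from. The following is an added example, not code from the page or from hashcat: a pre-deployment check that builds that token set for an organization and decides, by dynamic-programming segmentation, whether a candidate PSK is just those tokens glued together with case changes, symbols and short digit runs. The organization name, location and phone number are constructed assumptions.

```python
"""Pre-deployment check for a WPA pre-shared key: does it decompose into the
predictable tokens (company name and acronyms, location, phone number
fragments, 'wifi', 'wlan', 'wireless') plus short digit runs?"""
import re

FIXED_TOKENS = ("wifi", "wlan", "wireless")


def _alnum(s):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def predictable_tokens(company, acronyms=(), locations=(), phones=()):
    """Build the token set a targeted wordlist would be permuted from."""
    tokens = {_alnum(s) for s in (company, *acronyms, *locations, *FIXED_TOKENS)}
    for phone in phones:
        digits = re.sub(r"\D", "", phone)
        tokens.update({digits, digits[-4:]})  # full number and last four digits
    tokens.discard("")
    return tokens


def segmentable(s, tokens):
    """True if s is a concatenation of tokens (DP over string positions)."""
    reach = [False] * (len(s) + 1)
    reach[0] = True
    for i in range(len(s)):
        if reach[i]:
            for t in tokens:
                if s.startswith(t, i):
                    reach[i + len(t)] = True
    return reach[len(s)]


def assess_psk(psk, tokens, min_len=16):
    """A PSK is predictable when every alphabetic run is built from tokens and
    every digit run is a phone fragment or at most 4 digits (years, PINs).
    Case and symbols are ignored, as wordlist mangling rules would ignore them."""
    parts = re.findall(r"[a-z]+|\d+", _alnum(psk))
    weak = []
    for part in parts:
        if part.isdigit():
            if part in tokens or len(part) <= 4:
                weak.append(part)
        elif segmentable(part, tokens):
            weak.append(part)
    return {
        "predictable": bool(parts) and len(weak) == len(parts),
        "weak_parts": weak,
        "too_short": len(psk) < min_len,
    }


# Constructed example organization.
TOKENS = predictable_tokens("Acme Corp", acronyms=["ACME"],
                            locations=["Denver"], phones=["(303) 555-0100"])

if __name__ == "__main__":
    for candidate in ("AcmeWifi2024!", "Denver-Wireless-0100",
                      "correct horse battery staple"):
        print(candidate, assess_psk(candidate, TOKENS))
```

The check is deliberately one-sided: a PSK it calls predictable should be rejected, but one it passes is not thereby strong, since it only knows the tokens it was given. Pair it with the length floor and, where the estate allows, move to WPA2-Enterprise or WPA3-SAE, whose handshake does not expose an offline-crackable value in the first place.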
