Chapter 6) Wireless Hacking and Penetration Testing
The proliferation of readily available Wi-Fi networks has made Wi-Fi one of the most common network mediums. Wi-Fi is in many ways superior to traditional copper wire physically connected networks. Aside from the convenience of connectivity and the flexibility of network configurations that wireless networks afford the users, the lack of physical infrastructure needed to complete the network makes it much cheaper and easier to implement than Ethernet. With this convenience, however, comes certain security concerns that are not associated with traditional hardwired networks. With a copper or fiber-based network, a physical connection is needed for a new machine to join the network.
Wi-Fi Attacks
In order to conduct a Wi-Fi attack, a hacker needs, at a minimum, a computer (normally a laptop) that can run the scripts used to decipher the Wi-Fi password. They must also acquire a special Wi-Fi adapter, which can be purchased relatively cheaply. A list of suitable Wi-Fi adapters can be found on hacker resource websites, but in general the adapter must support a feature known as “monitor mode” in order to execute a Wi-Fi attack. It is important to note that not all Wi-Fi adapters found at retail computer supply stores have this feature, and most internal laptop adapters are not appropriate. In general, hackers prefer to use some sort of Linux distribution, usually Kali, to conduct a Wi-Fi attack, because most of the readily available tools were written for the Linux OS and come preinstalled on Kali. With some configuration it is also possible to run Linux in a virtual machine within another OS and mount a successful attack from there. Although attacks from other operating systems are possible, it is much easier for the beginner to conduct them from either a native Linux distribution or a virtual machine. A hacker-friendly distribution like Kali is recommended.
The detailed procedures and recommended programs for conducting Wi-Fi attacks against the various encryption protocols change over time, although the general principles stay the same. For the simplest attack, which is against WEP encryption, the general steps are as follows:
1) Monitor and view all Wi-Fi traffic in range of the adapter while it is in “monitor mode” (set by a program called airmon-ng), using a program called airodump-ng.
2) Choose a target Wi-Fi network that is using WEP encryption and make a note of its name (ESSID) and network address (BSSID, in the form XX:XX:XX:XX:XX:XX).
3) Restart airodump-ng to begin capturing network traffic from the specific network you are targeting.
4) Wait for a sufficient number of packets to be captured (this may take longer on networks with less traffic).
5) Use a program called aircrack-ng to piece the captured network packets together into a coherent password.
WPA encryption cannot be cracked passively and requires the additional step of packet injection. Cracking WPA can take longer and is a more invasive procedure, but it is not much more difficult than cracking WEP. A program called reaver, normally available on the Kali distribution, is typically used by hackers to crack WPA. WPA-2 hacking is a much more advanced concept for more experienced practitioners.
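The defender's counterpart to the survey step above is an authorised site survey of your own premises to find access points still running the encryption this section shows being broken. The following is an added example, not code from the book: it reads the CSV that airodump-ng writes during such a survey (the column order used here is an assumption for this example, and the sample rows are constructed) and flags WEP and open networks for migration.

```python
import csv
import io

# Constructed sample in the shape of airodump-ng's CSV export. The column
# order is an assumption for this example; only the access-point block is shown.
SAMPLE_CSV = """BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WEP, WEP, , -40, 120, 3000, 0.0.0.0, 8, LegacyAP, 
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -55, 98, 0, 0.0.0.0, 9, OfficeNet, 
CC:DD:EE:FF:00:11, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, OPN, , , -70, 40, 0, 0.0.0.0, 5, Guest, 
"""

# Checked in order: the first tag found in the Privacy column decides the verdict.
RISK_BY_PRIVACY = [
    ("WEP", "critical: WEP keys are recoverable from captured traffic, migrate now"),
    ("OPN", "high: no encryption, client traffic is readable by anyone in range"),
    ("WPA3", "ok: WPA3 in use"),
    ("WPA2", "ok: WPA2 in use, keep a strong passphrase and disable WPS"),
    ("WPA", "medium: WPA/TKIP only, upgrade to WPA2 or WPA3"),
]


def classify(privacy):
    """Map an airodump-ng Privacy value (e.g. 'WEP', 'WPA2WPA') to a verdict."""
    value = privacy.strip().upper()
    for tag, verdict in RISK_BY_PRIVACY:
        if tag in value:
            return verdict
    return "unknown: review manually"


def parse_access_points(csv_text):
    """Return the access-point rows (the first block, up to the blank line)."""
    ap_block = csv_text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_block), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if len(row) < len(header):
            continue  # skip partial or malformed lines
        rows.append(dict(zip(header, [c.strip() for c in row])))
    return rows


def audit(csv_text):
    """One finding per access point seen in the survey."""
    return [{"bssid": ap["BSSID"], "essid": ap["ESSID"],
             "privacy": ap["Privacy"], "verdict": classify(ap["Privacy"])}
            for ap in parse_access_points(csv_text)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(f"{finding['bssid']}  {finding['essid']:<10} {finding['privacy']:<6} {finding['verdict']}")
```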
Penetration testing is a simulated attack on a computer system, network or server that analyses and assesses the vulnerabilities and weaknesses in the system's security; once these are identified, the hacker is able to gain access to features on the system and steal data.
The process is designed to identify a target system and is approached with a specific goal in mind. The test will then gather data and analyse the information presented to it and determine the most viable option to achieve the chosen objective. 
A penetration test is directed at one of two distinct kinds of target: white box and black box. A white box target comes with a breakdown of the background and system information, whereas a black box target supplies nothing other than the company name. The main mission of the penetration test is to assess the weaknesses in the system's defences and the vulnerabilities that could be exploited. The test provides details of which areas of the system's defences have failed and supplies this information as a means of improving those areas. This data is then sent back to the system administrators, who use the reports compiled during the penetration test to determine a course of action and how the organization can implement countermeasures against future attacks that would exploit these vulnerabilities.
The goal is largely dependent on the organization and its requirements for its system. The penetration test is broken down into five phases, each of which we will cover in greater detail. These phases are Reconnaissance, Scanning, Gaining Access, Maintaining Access and Covering Tracks. Penetration tests can be carried out with a number of tools, some of which are supplied with operating systems and some of which are free software, depending on the intended use, whether commercial or domestic.
Phase 1: Reconnaissance
Before undertaking a penetration test, one must first enter the reconnaissance phase, also called the discovery phase. This involves collecting preliminary data on the target in question and how it operates. This phase is generally the longest of the five and can take as long as a few weeks or even months. Data is collected by a number of means, and the lengths a hacker goes to in order to obtain data will depend upon the hacker's own objectives and whether they are working in an ethical, white hat sense or attacking as a black hat.
The data collected can come through methods such as:
For an organization to defend against a hacker in the reconnaissance phase, it will need to go to great lengths, as this can be quite difficult. Most organizations have some degree of public presence, or their information can be found across the internet in some form. As mentioned before, the method for obtaining data can be as simple as social engineering, in which the hacker coerces employees into providing information. This can even happen over a long period of time, with the hacker continuously sourcing small pieces of information from employees until, over time, they complete the puzzle and discover security weaknesses and vulnerabilities that can be exploited.
This isn’t to say there aren’t things an organization can do to protect themselves from this type of hacking. For example, certain pieces of information can be kept confidential such as version numbers and patch levels of certain software, email addresses should be hidden from public view on websites as well as the names and positions of key personnel and where they stand in the overall company structure in relation to other members of staff. 
Training can be undertaken to ensure staff members follow the correct protocol when dealing with confidential data, such as destroying documents that carry printed information rather than simply tossing them in the recycling or garbage. Staff should also be wary when communicating with people they are unfamiliar with and avoid providing any information without proper clearance. This can be tested through white hat methods, with hackers simulating an attack so that employees' handling of confidential information is assessed.
In terms of online information, contact information and domain name registration lookups should be generic and network devices should be protected from scanning attempts. 
By taking these precautions, the organization reduces the chance that a hacker will be able to obtain the information required for an attack. This doesn't mean hackers won't attempt it or continue to pressure the organization for access, and there is still a chance that they ultimately succeed; it does, however, make the job much harder for them and raise the probability of their being caught.
Phase 2: Scanning
The hacker takes the information collected during the reconnaissance phase and assesses the data that has been compiled. From this, they gain an understanding of how the business operates and the value of the information that could be accessed during the attack.
Once the attacker has weighed up the value of the data that could be accessed, based on their assessment of the data collected, they move on to the scanning phase. The scanning phase involves scanning the perimeter and the internal network, comprising all devices, and seeks to discover a weakness that can be exploited. Scans can be detected, for example through Intrusion Detection Solutions (IDS) or Intrusion Prevention Solutions (IPS), but these are not always effective, as hackers are continually advancing and creating new evasion techniques to avoid such controls. As hackers advance their techniques and tools, so too do the tools of security services that protect the systems organizations use. This is done through patches and releases of preventative solutions, so it is best to consistently update software and security tools to ensure you are protected against the latest advances of black hat hackers.
There are some methods which system administrators can employ to ensure there is a reduced risk of an attack occurring or scans being performed on the system. For example, an administrator could shut down all ports that are no longer being used and close down any services that could be hijacked. Critical devices which are used for processing sensitive information should be set to only respond to devices which have been approved to avoid external devices taking advantage of their freedom of use. 
Scanning is performed with a number of tools and applications on the hacker's behalf. We will take a further look at the tools used in penetration testing later in this chapter. Scanning is similar to the reconnaissance phase, but at a more targeted level: scanning is aimed at the specific target to be attacked, whereas reconnaissance is directed more towards the organization as a whole. Once the hacker has secured an even more defined target, the entry point, they move on to the next phase, Gaining Access.
Phase 3: Gaining Access
This is the climax of the penetration attack. The hacker now has access to the resources held in the organization's database. The hacker is then free either to extract the information they see as valuable or to take control of the network and use it as a base to launch further attacks against other targeted networks, as we described with a DoS attack. By gaining access to the network, the hacker now has control over one or more devices.
As with the preventative measures against scanning, there are some precautions that administrators and security personnel can take to make devices and services more challenging for illegitimate users, such as black hat hackers, to access. This can involve restricting the access of users who have no legitimate day-to-day requirement to use the devices. Furthermore, security managers should closely monitor the domains and those accessing services, such as local administrators. Physical security controls allow managers to detect attacks as they occur in real time, deny access, and alert the proper authorities so that the intruder is exposed.
Another approach to ensuring that access is denied is to encrypt highly sensitive and confidential information using protection keys. This means that any attacker who gets into the system, regardless of how well it is protected, gains access only to find that the information is scrambled; with the keys protected, the attacker has no reliable method for using the encrypted data. Encryption is a good final line of defence for particularly valuable data, but it cannot be relied upon entirely on its own. Even if the attacker accesses the system and discovers that the data is encrypted, they can still wreak havoc on the network and even disable it, causing significant damage as a means of sabotage. Even more alarming, the attacker could take control of the system and use it for further crimes that could be traced back to the organization's network.
Once the attacker has gained access to the system, they are still far from being in the clear. Access is for a limited time; the longer the hacker operates from the system, the greater the chance of being caught. The hacker must then shift to the next phase, maintaining access, to ensure they can collect as much data as possible.
Phase 4: Maintaining Access
The hacker is working against the clock at this point and must ensure they can maintain access long enough to succeed in what they set out to do, whether that was to steal critical data and information or to launch a further attack from the compromised server. The hacker has avoided detection up until this point, but they are still at risk of being caught, and the longer they have access to the system, the higher the risk of detection.
While you can use both IDS and IPS devices to detect hackers accessing the system, you can also detect when a hacker is departing from the system. This is known as extrusion, and there are a number of methods by which it can be detected. The primary way to identify that your system has been used by an unauthorised assailant is by detecting file transfers from internal devices to external sites. This indicates that data is being transferred from your server to an external destination, and if that destination is unfamiliar, it could indicate theft.
Another method is to detect any sessions which have begun between servers in the internal data centre and external networks that are not under your control. Assessing the traffic mix per time interval can also indicate that there is external access to the system that is not in line with the regular practices of the business. 
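The three extrusion indicators described above (large outbound transfers, sessions that internal data-centre servers initiate towards networks you do not control, and an outbound traffic mix that departs from the hourly baseline) can be expressed as checks over flow records. The following is an added example, not code from the book: the flow records, subnets and thresholds are constructed for illustration, and a real deployment would take them from your flow collector and your own traffic baseline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan for this example.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DATA_CENTRE = ip_network("10.10.0.0/16")  # servers that should only accept connections
BYTES_OUT_ALERT = 50 * 1024 * 1024        # assumed threshold: 50 MB leaving in one flow

# Constructed flow records: (hour of day, src, dst, dst_port, bytes sent by src).
FLOWS = [
    (9,  "192.168.1.20", "10.10.0.5",     443, 120_000),     # workstation -> internal server
    (10, "192.168.1.20", "203.0.113.9",   443, 800_000),     # ordinary web browsing
    (2,  "10.10.0.5",    "198.51.100.77",  22, 90_000_000),  # server pushes 90 MB out at 02:00
    (11, "10.10.0.6",    "203.0.113.40",  443, 40_000),      # server calls out: not expected
    (14, "192.168.1.31", "203.0.113.9",   443, 300_000),
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def find_extrusions(flows, baseline_bytes_per_hour):
    """Return (kind, ...) tuples for the three indicators; internal->external flows only."""
    alerts = []
    out_per_hour = defaultdict(int)
    for hour, src, dst, port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if not (is_internal(s) and not is_internal(d)):
            continue  # traffic that stays inside (or comes in) is not an extrusion
        out_per_hour[hour] += nbytes
        if nbytes >= BYTES_OUT_ALERT:                 # indicator 1: bulk transfer outwards
            alerts.append(("large_outbound_transfer", src, dst, nbytes))
        if s in DATA_CENTRE:                          # indicator 2: server-initiated session
            alerts.append(("server_initiated_external_session", src, dst, port))
    for hour, total in sorted(out_per_hour.items()):  # indicator 3: traffic mix per interval
        if total > 3 * baseline_bytes_per_hour:
            alerts.append(("outbound_volume_anomaly", hour, total))
    return alerts


if __name__ == "__main__":
    for alert in find_extrusions(FLOWS, baseline_bytes_per_hour=1_000_000):
        print(alert)
```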
Once the hacker has remained in control of the system long enough to achieve all their objectives, they move on to the next stage, which is both to prevent themselves from being caught and exposed and to establish a basis for re-entry should they need to return.
Phase 5: Covering Tracks
The final step for the hacker involves removing any evidence of their intrusion as well as establishing controls that can be used at a later time should they need to re-access the system. These controls also need to be hidden and undetectable to avoid their removal. This is obviously the most difficult stage at which to detect a hacker, as they are deliberately removing information that could alert security personnel.
It is still possible to detect an intruder at this stage, but it is likely that your system will already have experienced a security breach and a loss of data as a result of the attack. In this case, the best course of action is to perform a system-wide assessment to discover any activity or processes on the system that are not in line with the normal operation of the business. Once you have been alerted to an attacker, even if the hacker is long gone, security protocols should be upgraded to combat future attacks.
You may find it valuable to explore security solutions such as anti-malware, personal firewalls and host-based IPS, along with improved security protocols and staff training, so that future events can be detected in-house and further damage prevented.