Chapter 15
Hacking Wi-Fi and Bluetooth

---

CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:

•   III. Security
  •   P. Vulnerabilities
•   IV. Tools/Systems/Programs
  •   O. Operating environments (e.g., Linux, Windows, Mac)
  •   S. Exploitation tools

  Wireless networks have been popular for over a decade now and have quickly replaced or enhanced wired networks. The ability to become more mobile due to the lack of wires has been a big motivator in the adoption of the technology by businesses as well as end users. In addition, the technology has made it possible to push networks into areas they have not traditionally been able to go, including airports, hotels, coffee shops, libraries, and other areas where the use of wires would be prohibited.

Adding to the security issues associated with Wi-Fi is another technology in the form of Bluetooth. While not the same as Wi-Fi, it is a wireless technology and does suffer from some of the same general issues that Wi-Fi networks have had to deal with. With the increasing amount of Bluetooth-enabled devices available on the market including smartphones, tablets, and other devices, the implications of data leakage associated with Bluetooth are huge. All you have to think about is the type of information the average user stores on their mobile devices to understand the potential issues emerging with Bluetooth. In this chapter we will cover the various types of wireless networks as well as Bluetooth and how to explore their vulnerabilities and security risks and how to penetrate them successfully.

What Is a Wireless Network?

The risks associated with wireless networks have definitely increased, in some cases dramatically, compared to traditional wired networks. Attacking parties have found that wireless networks allow for much easier targeting of victims and make the penetration into seemingly protected safe areas simpler than they were before the technology arrived. As a result of the perceived risks (both actual and imagined), many companies have slowed their implementation or needlessly exposed themselves to security risks—needlessly because they can have a wireless network that is secure if they take the time to consider all the issues involved as well as the risks.

Wi-Fi: an Overview

Wireless networks, or Wi-Fi, fall into the range of technologies covered under the IEEE 802.11 standard. The technology has been adapted for use by everything from laptops and personal computers to smartphones and video game consoles. Through the use of wireless technology, users can connect to the Internet and share resources in ways that weren’t possible in the past. However, the technology for all its convenience and flexibility does have its drawbacks:

• There’s a much more dramatic decrease in available bandwidth than with wired networks since more devices are connected at once. Though this decrease is itself decreasing, it is still there, but speeds of wireless are increasing regularly with new research showing 1 GB speeds and above are possible.
• You must invest in new network cards and infrastructure. However, it is worth noting that in today’s world new network cards and infrastructure are more likely than not to have wireless networking built in. In fact, it is starting to become the norm to see equipment without wired network connections.
• Interference is an issue because many other electronic devices and technologies operate on similar frequencies as Wi-Fi.
• The range of wireless networking can be less than advertised and in most cases is about half the distance promised.
• Terrain can slow down or impede wireless signals.

Some of the advantages are as follows:

• You have the convenience of not having to deal with wires.
• You can be connected in places where it would be impossible to run wires.
• Mobility is possible in ways not possible with wired networks.
• Hot spots offering wireless connectivity are commonplace, so a Wi-Fi connection is a reality just about anywhere someone goes.

The Fine Print

A wireless network uses radio waves to transmit data. The technical details that define a wireless network and 802.11 occur at the Physical layer of the network. The standard that defines Wi-Fi was itself built from the 802.11 specification. The Wi-Fi standard defines many details, including how to manage a connection through techniques such as Direct Sequence Spread Spectrum (DSSS), Frequency Hopping Spread Spectrum (FHSS), infrared (IR), and orthogonal frequency-division multiplexing (OFDM).

In this chapter we will be talking about four environments built around the technology and how each varies:

• Extension to an existing wired network as either a hardware- or software-based access point
• Multiple access points
• LAN-to-LAN wireless network
• 3G or 4G hot spot

The first type, which uses access points, comes in one of two types: hardware- or software-based. Hardware-based access points (HAPs) use a device such as a wireless router or dedicated wireless access point for Wi-Fi–enabled clients to attach to as needed. A software-based access point (SAP) is also possible through the use of a wireless-enabled system attached to a wired network, which, in essence, shares its wireless adapter.

---

  Many people are already more familiar with the concept of SAP-based hotspots than they may realize. With software-based hotspots either included with the software on the device or available as a downloadable app, many mobile devices have the ability to be an SAP. Thus, many people already use these types of setups.

---

The second type involves providing more than one access point for clients to attach to as needed. With this implementation, each access point must have some degree of overlap with its neighboring access points. When it has been set up correctly, this network allows clients to roam from location to location seamlessly without losing connectivity.

A LAN-to-LAN wireless network, the third type, allows wired networks in different locations to be connected through wireless technology. This approach has the advantage of allowing connections between locations that may otherwise have to use a more expensive connectivity solution.

A 3G/4G hot spot, the fourth type, provides Wi-Fi access to Wi-Fi–enabled devices, including MP3 players, notebooks, cameras, PDAs, netbooks, and more.

---

  The 3G/4G hot spot has become very popular in recent years since smartphones and other devices provide it as a standard item.

---

Wireless Standards in Use

Not all wireless standards are the same, and you should become familiar with the differences and similarities of each (see Table 15.1).

Table 15.1 Wireless standards

Type	Frequency (GHz)	Speed (Mbps)	Range (ft)
802.11a	5	54	75
802.11b	2.4	11	150
802.11g	2.4	11	150
802.11n	2.4/5	54	~100
802.11ac	2.4/5	433-3.69 Gbps	~100
802.16 (WiMAX)	10–66	70–1000	30 (miles)
Bluetooth	2.4	1–3 (first gen)	33

---

  The IEEE 802.11 family of standards evolved from a base standard that debuted in 1997. Initially, the speeds were very slow—around 1 to 2 Mbps—and not very popular outside specific implementations and deployments. Since that time, wireless networks have gotten faster and more widespread, and they use wider frequency bands than before.

---

So why all the different letters in the 802.11 family? Well, the short answer is that the additional letters correspond to the working groups that came up with the modifications to 802.11. For example, 802.11a refers to the standard that defines changes to the Physical network layer required to support the various frequency and modulation requirements.

Service Set Identifier

Once a wireless access point or wireless network is established, the next step involves getting clients to attach to it in order to transmit data. This is the job of the service set identifier (SSID). An access point will broadcast an SSID, which will be used by clients to identify and attach to the network. The SSID is typically viewed as the text string that end users see when they are searching for a wireless network. The SSID can be made up of most combinations of characters, but it can only ever be a maximum of 32 bytes in size.

---

  When you install and set up your device, be sure to change the SSID name that is configured by default with most access points. Leaving the default name as “Linksys” or “dlink,” for example, can tip off an attacker that perhaps you have left other default settings in place.

---

The SSID is continually broadcast by the access point or points to allow clients to identify the network. A client is configured with the name of an access point in order to join the given network. It is possible to think of the SSID configured on a client as a token used to access the named wireless network. The SSID is embedded within the header of packets, thus making it viewable. On open networks, the SSID is visible and can be viewed by any client searching for it. On closed networks, the SSID is not visible and in some cases is said to be cloaked.

---

  A client must have an SSID to access a wireless LAN (WLAN). However, some choose to cloak this SSID so it is not visible to the public and is instead accessible only by those who know the name and are in range. This is done, as some claim, as a security measure. However, the reality is the use of this technique does not provide any substantial security since many tools and techniques can be used to easily obtain the SSID.

It is also worth adding that in particularly congested areas, those with a lot of wireless networks and interference, this practice may degrade performance. With the SSID not visible, a client who was previously connected and is now reentering the area and wishing to use the network can take longer to connect because finding the network can take longer.

---

Wireless Vocabulary

In addition to the term SSID, this chapter uses the terms shown in Table 15.2.

Table 15.2 Common wireless terms

Term	Description
GSM (Global System for Mobile Communications)	An international standard for mobile wireless
Association	The process of connecting a client to an access point
BSSID (basic service set identification)	The MAC address of an access point
Hot spot	A location that provides wireless access to the public such as a coffee shop or airport
Access point	A hardware or software construct that provides wireless access
ISM (industrial, scientific, and medical) band	An unlicensed band of frequencies
Bandwidth	How much speed is available for devices

Wireless Antennas

Something else you should be aware of when talking about wireless networks is the type of antenna in use. If you are working with consumer-grade access points, this typically is not a big concern because the antenna is built in or provided with these products. However, when working with enterprise and commercial-grade access points, you may very well need to select an antenna to suit your environment or for a specific purpose. In this section we’ll look at each of the available types and what makes them unique and why you would choose one over another.

---

  A word of caution here is in order. On some access points you may need to choose not only an antenna but also the cables and such to connect it to the access point. While this may not seem like a big deal, it is possible, with certain combinations, to exceed legal limitations on power and frequency. The FCC and similar agencies will frown on this and can issue fines in extreme cases. Thankfully there exists plenty of guidance on how to set up things correctly, so plan ahead if you are going to be setting up such hardware.

---

The first type of antenna we’ll discuss is the Yagi antenna (Figure 15.1), which is designed to be a unidirectional (more commonly known as directional) antenna. As a unidirectional antenna, it works well transmitting and receiving signals in some directions but not in others. Typically, this type of antenna is used in applications where the transmission of signals is needed from site to site instead of covering a wider area. From a security standpoint, this type of antenna enhances security by limiting signals to smaller areas.

Figure 15.1 A Yagi antenna

The next antenna type is one of the more common ones and is known as an omnidirectional antenna. This type of antenna emanates radio energy in all directions but typically in some directions better than others. In many cases, these antennas can transmit data in two dimensions well but not in three dimensions.

A parabolic grid antenna (Figure 15.2) is another popular type of design and is commonly seen in various applications. This type of antenna takes the form of a dish and is a directional antenna because it sends and receives data over one axis; in fact, it can be said that this type of antenna is unidirectional, working well only over a single axis and in one direction. One big advantage of this type of antenna is that its dish catches parallel signals and focuses them to a single receiving point, so it gets better signal quality and over longer ranges. In many cases, this type of antenna can receive Wi-Fi signals over a distance of 10 miles.

Figure 15.2 A parabolic antenna

---

  Something that has been popular for a while is the conversion of a DirecTV or Dish Network dish into a parabolic Wi-Fi antenna. With the availability of these dishes on sites like eBay or Craigslist, it is possible for someone with a minor monetary investment and basic skills to convert such a dish into an effective long-range antenna.

---

Wi-Fi Authentication Modes

When you are authenticating clients to a wireless network, two processes are available. The first, known as open system authentication, is used in situations where you want to make your network available to a wide range of clients. This type of authentication occurs when an authentication frame is sent from a client to an access point. When the access point receives the frame, it verifies its SSID, and if it’s correct, the access point sends a verification frame back to the client, allowing the connection to be made.

The second process is known as shared key authentication. In this process, each client receives the key ahead of time and then can connect to the network as needed.

This is how shared key authentication works:

1. The client sends an authentication request to the access point.
2. The access point returns a challenge to the client.
3. The client encrypts the challenge using the shared key it is configured with.
4. The access point uses the same shared key to decrypt the challenge; if the responses match, then the client is validated and is given access to the network.

---

  On enterprise-grade networks it is possible that instead of shared key authentication an appropriate enterprise-level solution may be used instead; in many cases this can mean RADIUS.

While a full description and accounting of RADIUS is outside the scope of this book, it is something you should be aware of. Through the use of the RADIUS technology, authentication and authorization can be centralized, meaning the key management can be as well if enterprise authentication options are chosen in the Wi-Fi solution.

---

Wireless Encryption Mechanisms

One of the big concerns with wireless networks is the fact that the data is vulnerable when being transmitted over the air. Without proper protection, the transmitted data can be sniffed and captured easily by an attacker. To prevent or at least mitigate this issue, encryption is a layer of security that is included in most, if not all, wireless products.

The following are some of the more commonly used wireless encryption and authentication protocols in use:

• Wired Equivalent Privacy (WEP) is the oldest and arguably the weakest of the available encryption protocols. The WEP standard was introduced as the initial solution to wireless security but was quickly found to be flawed and highly vulnerable.

  The WEP protocol is still regularly encountered as an option on many wireless access points and devices but should be avoided in favor of other options or upgrading hardware to support newer standards where possible. However, if these options aren’t realistic at the time, then it can suffice as a short-term solution but should be combined with other security technologies just in case.

• Wi-Fi Protected Access (WPA) was the successor to WEP and was intended to address many of the problems that plagued WEP. In many areas it succeeded and made for a much tougher security protocol. WPA uses Temporal Key Integrity Protocol (TKIP) and message integrity code (MIC).
• WPA2 is the successor to WPA and was intended to address the problems with WPA. WPA2 is much stronger and uses tougher encryption in the form of AES and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). The standard also comes in a version that uses stronger systems such as Extensible Authentication Protocol (EAP), TKIP, and AES (with longer keys).
• WPA2 Enterprise is a version that incorporates EAP standards as a way to strengthen security as well as scale the system up to large enterprise environments. WPA2, as an enterprise solution, uses RADIUS or similar technology to centralize and manage access to the wireless network.

Authentication Technologies

Some points to remember:

• EAP is incorporated into multiple authentication methods, such as token cards, Kerberos, and certificates.
• Lightweight Extensible Authentication Protocol (LEAP) is a proprietary WLAN authentication protocol developed by Cisco.
• Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication and authorization management system.
• 802.11i is an IEEE standard that specifies security mechanisms for 802.11 wireless networks.

---

  802.11i is the standard largely responsible for the introduction and improvement of the WPA and WPA2 technologies.

---

WEP Encryption: a Closer Look

WEP is the oldest of the wireless encryption protocols and is also the most maligned of all of the available methods. When originally introduced and integrated into the 802.11b standard, it was viewed as a way of providing security of data transmissions more or less on a par with that of wired networks. As designed, WEP made use of some existing technologies, including RC4, as encryption mechanisms. Although WEP was intended to provide security on the same level as wired networks, it failed in that regard and has largely fallen into disuse.

---

  Pay particular attention to the WEP security protocol because you will be expected to understand how it works. Know its flaws and vulnerabilities, and be able to describe why these problems arise.

---

First, you need to understand what WEP was designed to provide. WEP was intended to achieve the following:

• Defeat eavesdropping on communications and attempts to reduce unauthorized disclosure of data.
• Check the integrity of data as it flows across the network.
• Use a shared secret key to encrypt packets prior to transmission.
• Provide confidentiality, access control, and integrity in a lightweight, efficient system.

Its problems arise from the following circumstances:

• The protocol was designed without input from the academic community or the public, and professional cryptologists were never consulted.
• It provides no clearly defined method for key distribution other than preshared keys. As a result, the keys are cumbersome to change on a large scale and are very rarely changed in many cases.
• An attacker gaining cipher text and plain text can analyze and uncover the key.
• Its design makes it possible to passively uncover the key using sniffing tools and cracking tools available freely in operating systems such as Kali Linux.
• Key generators used by different vendors are inconsistently and poorly designed, leading to vulnerabilities such as issues with the use of 40-bit keys.
• The algorithms used to perform key scheduling have been shown to be vulnerable to attack.

WEP Problems and Vulnerabilities

WEP suffers from many flaws that make it easy for even a slightly skilled attacker to compromise. These flaws are in the following areas:

• CRC32 (Cyclic Redundancy Check), used in integrity checking, is flawed, and with slight modifications packets may be modified consistently by attackers to produce their desired results.
• Initialization vectors (IVs) are only 24 bits in length, meaning that an entire pool of IVs can be exhausted by a mildly active network in 5 hours or less.
• WEP is susceptible to known plaintext attacks through the analysis of packets.
• Keys may be uncovered through the analysis of packets, allowing for the creation of a decryption table.
• WEP is susceptible to denial-of-service (DoS) attacks through the use of associate and disassociate messages, which are not authenticated by WEP.

---

  WEP makes extensive use of initialization vectors. An IV is a randomized value that is used with the secret key for data encryption purposes. When these two values are combined, they form a number used once (nonce).

The idea behind using an IV is that through the use of such a mechanism randomness of data is assured, making detection of patterns or frequency of data more difficult. However, flaws in the generation of IVs in WEP can make it vulnerable to analysis and cracking.

---

Breaking WEP

Undoubtedly you have heard a lot about how poor the WEP protocol is and how you should not use it. In this section we’ll explain how WEP is broken so you can see the process and how everything pulls together.

The important part of breaking the WEP protocol is intercepting as many IVs as possible before attempting to recover the key. The collection of IVs is done through the process of sniffing or capturing. Collecting and saving IVs allows you to perform analysis: The more packets, the easier it becomes to retrieve the keys. However, there can be a problem with this process: collecting enough IVs can take a substantial amount of time, which depends on how active the network is over the period in which the packets are being collected. To speed up this process, it is possible to perform a packet injection to induce the network to speed up the generation and gathering process.

To perform this process (including cracking the keys), follow these steps:

1. Start the wireless interface on the attacking system in monitor mode on the specific access point channel. This mode is used to listen to packets in the air.
2. Probe the target network with the wireless device to determine if packet injection can be performed.
3. Select a tool such as aireplay-ng to perform a fake authentication with the access point.
4. Start the Wi-Fi sniffing tool to capture IVs. If you’re using aireplay-ng, ARP request packets can be intercepted and reinjected back into the network, causing more packets to be generated and then captured.
5. Run a tool such as Cain & Abel or aircrack-ng to extract the encryption keys from the IVs.

So, looking at step 1, we put the wireless card into monitor mode to perform the cracking operation. So what is monitor mode? In a sense it is much like promiscuous mode for wired network cards, but taking a closer look we can see it is different than that. On wireless that supports this mode, monitoring allows for the capture of traffic from wireless networks without first being associated with an access point or other device. Another distinction is that wired and wireless cards can both operate in promiscuous mode, but only wireless cards can operate in monitor mode.

Once you look at these steps and realize that we are trying to capture traffic from a network that we aren’t currently attached to, the reason for this mode becomes evident. If we need to retrieve the key from a network we are not currently associated with, we need to be able to capture traffic from the target without having an association to it already. In this case the solution is monitor mode. (See Exercise 15.1.)

---

EXERCISE 15.1

Cracking WEP with Kali

In this exercise you will use Kali Linux 2.0 to break WEP. To perform this exercise, you will need to have Kali Linux installed on a physical system (avoid virtualization). You will also need to have an access point configured to use WEP (which you own) to crack the key on.

Once you have configured your victim access point according to your vendor’s instructions to use WEP and have entered a passphrase, you will need to perform the following steps:

1. Within Kali Linux, open a terminal window.

2. Enter the following command:

   airmon-ng
   

3. When the results appear in the terminal window, note the name of the wireless interface. In most cases the interface will be wlan0, but always verify because it can change if you are using an additional adapter such as a USB adapter.

4. In the terminal window enter the following command:

   airmon-ng start wlan0 (
   

   (or other interface if you’re not using wlan0).

5. If the command executes without error, then you should see a message in the text that reads “monitor mode enabled on mon0.” If the message says something other than mon0, make note of the name.

6. In the terminal window enter the following command:

   airodump-ng mon0
   

7. Once the command is entered, a list of wireless networks should appear. The number will vary depending on your location and wireless card, but your access point should appear on the list.
8. In the list locate your access point in the ESSID column and then take some notes. Specifically, locate the channel and BSSID information. Once you have collected and verified this information, move to the next step.

9. At the terminal window use the information you collected and enter it in the following format:

   Airodump-ng –w <filename> -c <channel number> -bssid <number> <interface name>
   

10. In this example the bssid needs to be entered exactly as it appears on screen, colons and all. For interface name use the name you collected in step 3. The filename is the name of the file you want the results dumped into.

11. After about 15,000 packets have been captured, enter the following at the command line:

    aircrack-ng <filename>
    

12. Wait a few minutes for aircrack to retrieve the key from the file.

Note that the time it takes to complete this whole process could be 10 minutes or more. This all depends on how active the network you are attached to is when collection is being performed. This process can be accelerated if advanced methods such as packet injections are used to generate more traffic.

---

When using some of the tools for sniffing wireless, additional equipment is needed such as Riverbed Technology’s AirPcap hardware. This device is used to sniff wireless frames in ways that standard Wi-Fi cards cannot. If you are going to be auditing wireless networks, an investment in this device is well worth it.

WPA: a Closer Look

The successor to WEP is WPA, or Wi-Fi Protected Access. This standard was intended to be a replacement for the flawed and insecure WEP protocol. The WPA protocol was designed to be a software upgrade instead of requiring full hardware upgrades. However, in some cases where older hardware is present and processing power or other mechanisms are limited, a hardware upgrade may be required.

The most significant development introduced with the WPA protocol was the TKIP system, whose purpose is to improve data encryption. TKIP improves on the WEP protocol (where a static unchanging key is used for every frame transmitted) by changing the key after every frame. This dynamic changing of keys makes WPA much more difficult to crack than WEP.

WPA suffers from the following flaws:

• Weak keys chosen by the user
• Packet spoofing
• Authentication issues with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Cracking WPA

To crack WPA you must use a different approach than you would with WEP. Fortunately, one of the best tools available for thwarting WPA is freely available in Kali Linux in the form of Reaver. Reaver exploits holes in wireless routers in an attempt to retrieve information about the WPA preshared key that is used to access the network.

Wi-Fi Protected Setup

When WPA came onto the scene, one of the issues encountered by early adopters was the perceived difficulty in setting up the technology. In order to reduce configuration issues and ease transition from WEP to WPA a new technology known as Wi-Fi Protected Setup (WPS) was introduced to the public. This feature was and is supported by countless access points, devices, and, of course, operating systems.

In theory, WPS is supposed to make life easier for the non-technology inclined by allowing for quick push button configuration of wireless devices. In practice, the owner of the device and network can push a hardware or software button on their router, and for a brief period devices in range can connect to the wireless network without entering a passphrase. Sounds easy, right? However, for the brief period after WPS is activated on the router, devices in range of the access point can connect whether you authorize them or not. This doesn’t sound like a big deal, but anyone who can get physical access to the access point can push the button and gain access.

But let’s talk about the big problem with WPS, the PIN code. A PIN is simply a code like the one you use for your ATM card and is used for a similar purpose in Wi-Fi networks. The problem is twofold. First, the setting of a PIN code is mandatory, and second, the PIN is only eight characters.

So here is the problem with the PIN and WPS. When the router checks the eight-digit PIN, it only checks the first four digits to verify that they are correct before moving to the second set of four. This makes it staggeringly easy to punch a hole in a WPS-enabled router’s security. In practice, an attacker can brute force the PIN code by cracking only four digits at a time, of which only about 11,000 combinations are possible. Now you may think back to your ATM card and assume that if your bank card locks you out after three attempts, so should the router, right? No such luck here; WPS does not make any accommodations for blocking brute-force attempts this way. In reality, an attacker can hit Go in their attack package and wait until the PIN is retrieved.

The only countermeasure for this type of attack at this time is to disable WPS, which may or may not be possible on many devices. (See Exercise 15.2.)

---

EXERCISE 15.2

Cracking WPA with Reaver and Wash

In this exercise you will use Kali Linux 2.0 to break WPA.

In order to perform this exercise you will need to have Kali Linux installed on a physical system (avoid virtualization). WPA uses WPS for client configuration.

1. Within Kali Linux open a terminal window and enter the following command:

   Airmon-ng start wlan0
   

   This will put the card into monitor mode.

2. Next, you will locate access points with WPS using a command called wash. At the command line enter the following:

   Wash –I <monitoring interface>
   

   Interface should be mon0, but verify that this is the case.

3. Locate your access point and record its BSSID.

4. At the command line enter the following command

   reaver -i <interface-name> -b <BSSID of target>
   

   where the interface name is mon0 or whatever you recorded on your system, and the BSSID is the address of the access point (include colons when you enter the BSSID).

When you have verified that this last step is running, it’s time to play the waiting game and let Reaver retrieve the PIN. Once you have the PIN, you can join the wireless network.

---

What Is WPA2?

The upgrade or successor to WPA is WPA2, which was introduced to address some of the weaknesses present in the original. The protocol offers dramatically improved security over its predecessor and maintains full compatibility with 802.11i standards for security.

Like WPA, WPA2 can function in two modes:

• WPA2-Personal, much like the preshared key mode of other systems, relies on the input of a key into each station.
• WPA2-Enterprise uses a server to perform key management and authentication for wireless clients. Common components include RADIUS and Diameter servers for centralized management.

Attacking, Cracking, and Compromising WPA and WPA/2

As with WEP, WPA and WPA/2 both suffer from vulnerabilities that can be exploited to an attacking party’s advantage. Each offers a way to penetrate the security of an otherwise strong protocol.

Offline Attack

The idea behind an offline attack is to be in close enough proximity to an access point to observe the handshake between the client and the access point. This handshake represents the authentication of the client and the access point. If you set up the attack properly, you can capture the handshake and recover the keys by recording and cracking them offline. The main reason why this attack works is that the handshake occurs completely in the clear, making it possible to get enough information to break the key.

Deauthentication Attack

The deauthentication attack approaches the problem of observing the handshake between the client and the access point by forcing a reconnect. An attacker induces a client that is already connected to an access point to disconnect, which should lead the client and access point to reestablish the connection. Authentication will occur, allowing the information to be captured and cracked.

An easy way to perform a deauthentication attack is to use the Linux-based Wifite. This software package will target a network such as one using WPA2 and transmit packets intended to kick clients off the wireless network. Once this is done, the client will attempt to reauthenticate, and at this point clients and the access point undergo the handshake when they connect. Capturing this handshake allows us to extract information needed to connect to the network. The problem is how long will this process take?

In practice it is possible to actively or passively perform this attack. Passively means that we would just wait for a client to connect to the access point and then get our information at that point. Actively means we target either one or multiple clients and kick them off and listen. The latter is more effective, but the former is less intrusive. Wifite performs active attacks very effectively and is ideal for this purpose.

---

  Of note is the fact that while you can execute this attack on the Windows platform, you can only do so passively. This inability to perform active forms of this attack is due to the Windows architecture itself. This is only one example of why you will need to learn how to use Linux if you intend to become effective in penetration testing.

---

Brute-Force WPA Keys

The old standby in a number of cases, including the breaking of WPA/WPA2 keys, is the brute-force attack. This attack is typically performed using tools such as aircrack-ng, aireplay-ng, or KisMAC. The downside of this attack is that it can take a long time or a lot of computing power to recover the keys.

---

  Unless you happen to have a supercomputer lying around, expect a brute-force attack to take anywhere from a few minutes to several weeks.

---

Risk Mitigation of WEP and WPA Cracking

So how can you thwart many of the attacks that we have discussed here that target WEP and WPA? Excluding encryption and other mechanisms, here are the leading techniques:

• Use a complex password or phrase as the key. Using the same rules we observed earlier for passwords, you can make a strong password for the access point.
• Use server validation on the client side to allow the client to have a positive ID of the access point it is connecting to.
• Eliminate WEP and WPA and move to WPA2 where available.
• Use encryption standards such as CCMP, AES, and TKIP.

A Close Examination of Threats

Now that you understand the various technologies and issues specific to each, let’s take a much closer look at some of the other generalized threats that can target an environment. Typically, these attacks can be categorized as access control, integrity, and confidentiality targeted attacks.

---

  Attacks against wireless networks can be passive or active in nature. An attack is passive if the wireless network is detected by sniffing the information that it transmits. An attack is active if the network is uncovered by using probe requests to elicit a response from the network.

---

Wardriving

A wardriving attack is one of the most common forms of action targeting wireless networks. It consists of an attacker driving around an area with a computing or mobile device that has both a wireless card and software designed to detect wireless clients or access points.

What makes this type of attack possible is that wireless detection software will either listen for the beacon of a network or send off a probe request designed to detect the network. Once a network is detected, it can be singled out for later attack by the intruder.

Some of the software packages that are used to perform this type of attack are KisMAC, NetStumbler, Kismet, WaveStumbler, and InSSIDer.

---

  Wireless detection tools known as site survey tools can be used to reveal wireless networks. Tools of this type are typically targeted toward corporate-level admins who need to optimize their wireless networks as well as detect rogue access points and other issues.

It is common for site survey tools to include the ability to connect to a GPS device in order to pinpoint an access point or client within a few feet.

---

There are also variations of the wardriving attack, all of which have the same objective:

Warflying Same as wardriving, but uses a small plane or ultralight aircraft

Warballooning Same as warflying but makes use of a balloon instead

Warwalking Involves putting the detection equipment in a backpack or something similar and walking through buildings and other facilities

A technique known as warchalking involves the placement of symbols in locations where wireless signals were detected. These symbols tell the informed that a wireless access point is nearby and provide data about it where available, including open or closed access points, security settings, channel, and name.

---

  These symbols evolved from hobo marks, which were frequently used by vagrants during the 1930s to tell others where they could get a free meal, where a dog might be, or if the police were likely to arrest you if they found you.

---

Rogue Access Points

A rogue access point is another effective way of breaching a network by violating trust. The attacker installs a new access point that is completely unsecured behind a company firewall. The attacker can then connect with relative impunity to the target network, extracting information or carrying out further attacks.

This type of attack has been made relatively easy to perform through the use of more compact hardware access points and software designed to create an access point. A savvy attacker will either hide the access point from being readily observed or will configure the SSID to appear as a corporate access point.

---

Would You Like Pi with That?

A new way to breach a network has been made possible through the use of extremely compact yet powerful hardware. An option that has become popular over the past two years is the general-purpose, powerful, and extremely compact Raspberry Pi. This computer, which can be had for around $35, is the size of a pack of cards.

Since the hardware is powerful enough to run an operating system such as Linux, it has become an effective multipurpose tool. Some users have installed a custom distribution of Linux that allows the box to be plugged into a network with a traditional wired interface while accepting connections over a wireless interface. The implications of this are that an intruder can quickly plug the device into the target network and in a few short moments have an entry point into the victim’s infrastructure.

To make penetration more secure, some of these devices have been known to employ tactics designed to hide their traffic. One of these techniques is known as reverse SSH tunneling, in which the device opens a connection from inside the network out to the attacker in order to bypass firewall restrictions.

In practice, such devices have become commonly known as dropboxes.

---

MAC Spoofing

For those access points that employ MAC filtering, you can use MAC spoofing. MAC filtering is a technique used to either blacklist or whitelist the MAC addresses of clients at the access point. If a defender deploys this technique, an attacking party can spoof the address of an approved client or switch their MAC to a client that is not blocked.

Typically, it is possible to use tools such as SMAC, ifconfig, changemac.sh, and others to accomplish this task. However, in some cases the hardware configuration settings for a network card may allow the MAC to be changed without such applications.

Ad Hoc

The ad hoc attack relies on an attacker using a Wi-Fi adapter to connect directly to another wireless-enabled system. Once this connection is established, the two systems can interact with each other. The main threats with this type of connection are that it is relatively easy to set up, and many users are completely unaware of the difference between infrastructure and an ad hoc network and so may attach to an insecure network.

Security on an ad hoc network is quirky at best and is very inconsistent. For example, in the Microsoft family of operating systems, ad hoc connections are unable to support any advanced security protocols, thus exposing users to increased risk.

Misconfiguration

We have pointed out this problem before in other areas, and misconfiguration is a problem with access points as well. All the security features in the world aren’t going to help one bit if they are misconfigured or not configured at all. The danger here is heightened, however, since a wireless access point provides an ideal “access anywhere” solution for attackers or other malicious parties who can’t physically connect to the network.

Client Misassociation

The client misassociation attack starts with a client attaching to an access point that is on a network other than their own. Due to the way wireless signals propagate through walls and many other structures, a client can easily detect another access point and attach to it either accidently or intentionally. In either case, a client may attach to a network that is unsafe perhaps while still connected to a secure network. This last scenario can result in a malicious party gaining access to a protected network.

Promiscuous Client

The promiscuous client offers an irresistibly strong signal intentionally for malicious purposes. Wireless cards often look for a stronger signal to connect to a network. In this way the promiscuous client grabs the attention of the users by sending a strong signal.

Jamming Attacks

One particularly interesting way of attacking a WLAN is to resort to a plain-old DoS attack. Although there are many ways to do this, one of the easiest is to just jam the network, thus preventing it from being used. It is possible to use a specially designed jammer that will transmit signals that can overwhelm and deny the use of the access point by legitimate clients. The benefit of this type of attack is that it works on any type of wireless network.

To perform this type of attack, you can use a specially designed hardware device that can transmit signals that interfere with 802.11 networks. These devices are easy to find online and can be used to jam any type of wireless network.

---

  A word to the wise: Using these devices to jam transmissions is illegal in most cases and can result in very steep fines.

---

Honeyspot Attack

Users can connect to any available wireless network as long as they are in range of one another; sometimes this can be a large number of access points. With such an environment, an attacker has expanded opportunities to attract unknowing users. To perform this type of attack, a malicious party sets up a rogue access point in the range of several legitimate ones as a honeyspot. With the rogue access point generating a much stronger and clearer signal, it is possible to attract clients looking for the best signal.

---

  One hardware device that is designed to use as a wireless honeyspot is the Wi-Fi Pineapple from Hak5. This device looks like a compact wireless router, but it offers features useful for working with wireless networks. Since its first release, it has introduced custom hardware and software purpose built to audit wireless networks. In the hands of an ethical hacker, this tool can be used to deploy not only a wireless honeyspot or honeypot but much more.

---

Ways to Locate Wireless Networks

In order to attack, you must first find a target, and though site surveys can make this easier, they cannot help in every case. Several tools and mechanisms make locating a target network easier.

The following tools can complement wardriving or be used on their own:

• OpenSignal is a useful app that can be used on the web at http://opensignal.com or on a mobile device by downloading the OpenSignal app. With this application, you can map out Wi-Fi networks and 2G–4G networks, as well as correlate this information with GPS data.
• wefi (www.wefi.com) provides a map of various locations, with the access points noted in varying amounts of detail.
• JiWire (www.jiwire.com) offers a map of various locations, with access points detected in a given region.
• Wigle (www.wigle.net) is another service that offers the location of wireless access points. The benefit is that the information is crowd-sourced, which is derived from individuals providing data to the service.
• Skyhook (skyhookwireless.com) is another service much like Wigle.

Traffic Analysis

Once you’re connected to a target network, the next step is to perform traffic analysis to gain insight into the activity in the environment. As when using Wireshark with standard network traffic, it is entirely possible to scrutinize traffic on a wireless network. By performing such analysis, you can gain vital information on traffic patterns, protocols in use, and authentication, not to mention information specific to applications. In addition, analysis can reveal vulnerabilities on the network as well as client information.

Under ideal conditions, traffic analysis of a wireless network can be expected to reveal the following:

• Broadcast SSIDs
• Presence of multiple access points
• Possibility of recovering SSIDs
• Authentication method used
• WLAN encryption algorithms

Currently, a number of products can perform wireless traffic analysis—Kismet, AirMagnet, Wireshark with AirPcap, CommView, and a few others.

Also note that in addition to traffic analysis, some tools offer the ability to perform spectrum analysis. This means that the user can analyze the RF spectrum of wireless networks and devices. In the right hands, these tools can detect issues with frequency, channel overlap, and performance, as well as help locate devices other than access points that may be in range.

---

    Hacking Wireless the Easy Way

While all the tools mentioned here are very effective at what they do, a problem is that they are probably going to be installed on a laptop or desktop system, which is not very mobile. Fortunately, companies such as Pwnie Express have jumped into the fight with their Pwn Pad and Pwn Phone, both of which are equipped with a powerful suite of software tools designed to aid the penetration tester.

In the case of the Pwn Pad, a tablet is configured to use a specially built version of the Android operating system loaded with various tools. The tablet in its latest iteration, the Pwn Pad 3, offers PC-level performance in a small form factor, allowing you, as a penetration tester, to move around much more freely and have the horsepower to perform computationally intense attacks. For wireless audits this is invaluable.

In the case of the Pwn Phone, the same suite is installed on a smartphone, which offers not only a high degree of mobility but also the ability to hide in plain sight. With the introduction of automated tools to perform various attacks such as the wireless ones covered here, it would be possible for a penetration tester to walk around unnoticed. What would appear to the casual observer to be someone chatting on their cell phone would actually be a penetration tester scanning and mapping out their wireless network.

While these devices may not be appropriate for every situation, they add a new level of power and capability to your toolkit.

---

Choosing the Right Wireless Card

The subject of wireless cards and chipsets is important. Although in many cases the chipset on the card and the wireless card itself may not matter, some tools require the presence of certain chipsets in order to function.

Items to consider include the following:

• Operating system in use
• Application in use
• Whether packet injection is required (Windows systems cannot perform packet injection; if this is required, then Linux must be used.)
• Driver availability
• Manufacturer of wireless card and chipset (You must know both because the two can be made by different manufacturers.)
• If you are using virtualization, you may also need to check to see if your card will work with this environment.

---

  In the real world the biggest deciding factors on many wireless penetration tools are not the type of card and chipset. Consider also compatibility with Linux, because some tools for wireless auditing (for example, Kali) may be available only on the Linux platform. Make sure the card you choose has Linux drivers available.

Another deciding factor is if the card is USB or PCMCIA or whether it is built into the actual hardware. Each situation could cause some problems with some software.

One last thing to consider is that some hardware such as Riverbed Technology’s AirPcap can only be run on Windows or on other specific environments.

---

Hacking Bluetooth

Another wireless technology to consider is Bluetooth, which is seen in many mobile devices in today’s marketplace. Bluetooth refers to a short-range wireless technology commonly used to connect devices such as headsets, media players, and other types of technologies. Bluetooth operates in the 2.4 GHz frequency range and is designed to work at distances up to 10 meters (33 feet).

---

  There are four generations of Bluetooth technologies and each has different specifications. Currently, Bluetooth is able to operate beyond 10 meters, but you will not be tested on the specifics of each generation.

---

When you’re working with Bluetooth devices, there are some specifics to keep in mind about the devices and how they operate.

First, the device can operate in one of the following modes:

Discoverable This allows the device to be scanned and located by other Bluetooth-enabled devices.

Limited Discoverable This mode is becoming more commonly used; in this mode the device will be discoverable by other Bluetooth devices for a short period of time before it returns to being nondiscoverable.

Nondiscoverable As the name suggests, devices in this mode cannot be located by other devices. However, if another device has previously found the system, it will still be able to do so.

In addition to the device being able to be located, it can be paired with other devices to allow communication to occur. A device can be in pairing or nonpairing mode; pairing means it can link with another device and nonpairing means it cannot.

Of course, one of the issues that needs to be addressed when targeting Bluetooth devices is the lack of range; 33 feet is not that far. Staying calm and collected as well as undetected is tough when in such close proximity of a target. So we need to be able to do something about the range question. To tackle this problem we can incorporate the use of an industrial-level Bluetooth adapter. One notable option in this area is the UD100 from Sena Technologies. This adapter can extend the range of Bluetooth from 300 to 1000 meters (1000 feet to 3300 feet) depending on whether an external adapter is used or not. By using this adapter, it is possible to dramatically increase the range of your attacks.

---

  Although Bluetooth has a fairly limited range in most cases (new generations notwithstanding), it is possible to extend your attack range if you do your research. A few short years ago the magazine Popular Science published information on how to extend the range of Bluetooth significantly using only a cell phone antenna and a Bluetooth adapter. With a little elbow grease and an investment of $100—and about a half hour of time—you too can create an antenna that can more than quadruple the range of a standard Bluetooth system.

If you are feeling ambitious, you can even visit YouTube and learn how to make your own “Bluetooth sniper rifle” to extend the range of the technology as well.

---

Bluetooth Threats

Much like Wi-Fi, Bluetooth has a bevy of threats facing it that you must take into account. Bluetooth suffers from many shortcomings that have been slowly addressed with each successive version, but many flaws remain and can be exploited. The technology has already seen many attacks take their toll on victims in the form of losing information such as the following:

• Leaking calendars and address books or other information is possible through the Bluetooth protocol.
• Creation of bugging devices has been a problem with Bluetooth devices because software has been made available that can remotely activate cameras and microphones.
• An attacker can remotely control a phone to make phone calls or connect to the Internet.
• Attackers have been known to fool victims into disabling security for Bluetooth connections in order to pair with them and steal information.
• Mobile phone worms can exploit a Bluetooth connection to replicate and spread.

Bluejacking

Bluejacking is one form of Bluetooth attack that is more annoying than malicious in most cases. The attack takes the form of sending an anonymous text message via Bluetooth to a victim. Since this attack exploits the basic operation of the Bluetooth protocol, it is hard to defend against, other than making the device nondiscoverable.

Use the following steps to bluejack a victim or a device:

1. Locate an area with a high density of mobile users such as a mall or convention center.
2. Go to the contacts in your device’s address book.
3. Create a new contact and enter a message.
4. Save the contact with a name but without a phone number.
5. Choose Send Via Bluetooth.
6. Choose a phone from the list of devices and send the message.

If all goes well at this point, your new “friend” should receive the message you just crafted.

Bluesnarfing

Another example of a Bluetooth attack is bluesnarfing. This attack is designed to extract information at a distance from a Bluetooth device. If you execute the attack skillfully, you can obtain the address book, call information, text information, and other data from the device. Because of the nature of the attack, it is considered very invasive and extremely dangerous.

Bluetooth Honeypots

A new way to target Bluetooth devices and draw them in is to use a Linux-based tool called Bluepot. This utility is designed to accept incoming malware and respond to Bluetooth attacks. This utility can make the discovery and targeting of Bluetooth devices easier.

Summary

In this chapter we explored wireless technologies, including Wi-Fi and Bluetooth. We observed that wireless is a powerful and convenient technology that frees users from wires and allows the network to expand into areas it could not go into before. We also explored the fact that wireless technologies are very vulnerable and have a whole range of concerns that don’t exist with traditional networks.

Today’s enterprise is likely to have a wireless network in place as well as numerous Bluetooth-enabled devices. The propagation of signals, the misapplication of the technology, social engineering, and just plain-old mistakes have all led to significant vulnerabilities in the workplace. An attacker using a notebook, an antenna, and the right software can easily use a wireless network to break into and take over a network or at the very least steal information with ease.

You learned some of the defensive measures that are also available for wireless technologies. 802.11 networks typically offer security in the form of WEP, WPA, or WPA2 as a front-line defense, with preference given to WPA2 and WPA over the much weaker and broken WEP. If configured correctly, WPA and WPA2 offer strong integrity and protection for information transmitted over the air. Additional security measures include the use of strong passwords and phrases as well as the proper configuration of wireless gear.

Exam Essentials

Understand the various types of wireless technologies. Know that not all wireless technologies are the same. Each wireless technology has different frequencies it works on, channels it can use, and speeds it is capable of achieving to transmit data.

Know how Bluetooth works Understand that Bluetooth is a short-range wireless technology that has several vulnerabilities that can be exploited. Also know that the range of Bluetooth can be extended beyond its default range of 10 meters.

Know the different types of wireless attacks Understand what distinguishes one wireless network attack from another.

Know the differences between the 802.11 standards. Understand that each standard of wireless has its own attributes that make it different from the others.

Understand WEP, WPA, and WPA2. Understand that WEP was the initial specification included in the 802.11 protocol and that WPA and WPA2 were introduced later. Both of the latter protocols are intended to be compatible with the 802.11i standard.

Review Questions

1. WEP is designed to offer security comparable to which of the following?

   1. Bluetooth
   2. Wired networks
   3. IrDA
   4. IPv6

2. Which of the following operates at 5 GHz?

   1. 802.11a
   2. 802.11b
   3. 802.11g
   4. 802.11i

3. Which of the following specifies security standards for wireless?

   1. 802.11a
   2. 802.11b
   3. 802.11g
   4. 802.11i

4. Which of the following options shows the protocols in order from strongest to weakest?

   1. WPA, WEP, WPA2, Open
   2. WEP, WPA2, WPA, Open
   3. Open, WPA, WPA2, WEP
   4. WPA2, WPA, WEP, Open

5. Which of the following is designed to locate wireless access points?

   1. Site survey
   2. Traffic analysis
   3. Pattern recognition
   4. Cracking

6. What is a client-to-client wireless connection called?

   1. Infrastructure
   2. Client-server
   3. Peer-to-peer
   4. Ad hoc

7. When a wireless client is attached to an access point, it is known as which of the following?

   1. Infrastructure
   2. Client-server
   3. Peer-to-peer
   4. Ad hoc

8. Bluesnarfing is used to perform what type of attack?

   1. Send spam text messages.
   2. Read information from a device.
   3. Deposit malware on a system.
   4. Distribute files onto a system.

9. Monitor mode is used by wireless cards to do what?

   1. Capture traffic from an associated wireless access point.
   2. Capture information from ad hoc networks.
   3. Capture information about wireless networks.
   4. Capture traffic from access points.

10. A honeyspot is designed to do what?

    1. Look for patterns of known attacks.
    2. Look for deviations from known traffic patterns.
    3. Attract victims to connect to it.
    4. Analyze attacks patterns.

11. An SSID is used to do which of the following?

    1. Identify a network.
    2. Identify clients.
    3. Prioritize traffic.
    4. Mask a network.

12. AirPcap is used to do which of the following?

    1. Assist in the sniffing of wireless traffic.
    2. Allow network traffic to be analyzed.
    3. Allow the identification of wireless networks.
    4. Attack a victim.

13. What is a rogue access point?

    1. An access point not managed by a company
    2. An unmanaged access point
    3. A second access point
    4. A honeypot device

14. Bluejacking is a means of which of the following?

    1. Tracking a device
    2. Breaking into a device
    3. Sending unsolicited messages
    4. Crashing a device

15. The wardriving process involves which of the following?

    1. Locating wireless networks
    2. Breaking into wireless networks
    3. Sniffing traffic
    4. Performing spectrum analysis

16. Warchalking is used to do which of the following?

    1. Discover wireless networks.
    2. Hack wireless networks.
    3. Make others aware of a wireless network.
    4. Analyze a wireless network.

17. A closed network is typically which of the following?

    1. Public network
    2. Private network
    3. Hot spot
    4. Kiosk location

18. Which feature makes WPA easy to defeat?

    1. AES encryption
    2. WPS support
    3. TKIP support
    4. RC4 support

19. What is a PSK?

    1. The password for the network
    2. The certificate for the network
    3. A key entered into each client
    4. A distributed password for each user

20. Which of the following is a device used to perform a DoS on a wireless network?

    1. WPA jammer
    2. WPA2 jammer
    3. WEP jammer
    4. Wi-Fi jammer