Chapter 15
Wireless Networking

  1. III. Security
    • P. Vulnerabilities
  2. IV. Tools/Systems/Programs
    • O. Operating environments (e.g., Linux, Windows, Mac)
    • S. Exploitation tools

Wireless networks have been popular for over a decade now and have quickly replaced or enhanced wired networks. The ability to become more mobile due to the lack of wires has been a big motivator in the adoption of the technology by businesses as well as end users. Additionally the technology has made it possible to push networks into areas they have not traditionally been able to go, including airports, hotels, coffee shops, libraries, and other areas where the use of wires would be prohibited.

However, there are security problems with wireless networks. In this chapter we will cover the various types of wireless networks and explore their vulnerabilities, security risks, and how to penetrate them successfully.

What Is a Wireless Network?

The risks associated with wireless networks have increased, in some cases dramatically, compared to traditional wired networks. Attacking parties have found wireless networks much easier to target and penetrate than wired networks. As a result, many companies have slowed their implementation or needlessly exposed themselves to security risks—needless because they can have a wireless network and strong security as well.

Wi-Fi: An Overview

Wireless networks, or Wi-Fi, fall into the range of technologies covered under the IEEE 802.11 standard. The technology has been adapted for use by everything from laptops and personal computers to smartphones and videogame consoles. Through the use of wireless technology, users can connect to the Internet and share resources in ways that weren’t possible in the past. However, the technology for all its convenience and flexibility does have its drawbacks:

  • There’s a much more dramatic decrease in bandwidth than with wired networks since more devices are connected at once.
  • You must invest in new network cards and infrastructure. However, it is worth noting that in today’s world new network cards and infrastructure are more likely than not to have wireless networking built in.
  • Interference is an issue because many other electronic devices and technologies operate on similar frequencies as Wi-Fi.
  • The range of wireless networking can be less than advertised and in most cases is about half of the distance promised.
  • Terrain can slow down or impede wireless signals.

Some of the advantages are as follows:

  • You have the convenience of not having to deal with wires.
  • You can be connected in places where it would be impossible to run wires.

The Fine Print

A wireless network uses radio waves to transmit data. The technical details that define a wireless network and 802.11 occur at the physical layer of the network. The standard that defines Wi-Fi was itself built from the 802.11 specification. The Wi-Fi standard defines many details, including how to manage a connection through techniques such as direct-sequence spread spectrum (DSSS), frequency-hopping spread spectrum (FHSS), infrared (IR), and orthogonal frequency-division multiplexing (OFDM).

In this chapter we will be talking about four environments built around the technology and how each varies. These are:

  • Extension to an existing wired network as either a hardware- or software-based access point
  • Multiple access points
  • LAN-to-LAN wireless network
  • 3G or 4G hot spot

The first type, which uses access points, comes in one of two types: hardware- or software-based. Hardware-based access points (HAPs) use a device such as a wireless router or dedicated wireless access point for Wi-Fi–enabled clients to attach to as needed. A software-based access point (SAP) is also possible through the use of a wireless-enabled system attached to a wired network, which, in essence, shares its wireless adapter.

The second type involves providing more than one access point for clients to attach to as needed. With this implementation, each access point must have some degree of overlap with its neighboring access points. When it has been set up correctly, this network allows clients to roam from location to location seamlessly without losing connectivity.

A LAN-to-LAN wireless network, the third type, allows wired networks in different locations to be connected through wireless technology. This approach has the advantage of allowing connection between locations that may otherwise have to use a more expensive connectivity solution.

A 3G/4G hot spot, the fourth type, provides Wi-Fi access to Wi-Fi–enabled devices, including MP3 players, notebooks, cameras, PDAs, netbooks, and more.

Wireless Standards in Use

Not all wireless standards are the same, and you should become familiar with the differences and similarities of each (see Table 15.1).

TABLE 15.1 Wireless standards

Type              Frequency (GHz)   Speed (Mbps)       Range (ft)
802.11a           5                 54                 75
802.11b           2.4               11                 150
802.11g           2.4               11                 150
802.11n           2.4/5             54                 ~100
802.16 (WiMAX)    10–66             70–1000            30 (miles)
Bluetooth         2.4               1–3 (first gen)    33

So why all the different letters in the 802.11 family? Well, the short answer is that the additional letters correspond to the working groups that came up with the modifications to 802.11. For example, 802.11a refers to the standard that defines changes to the physical network layer required to support the various frequency and modulation requirements.

Service Set Identifier

Once a wireless access point or wireless network is established, the next step involves getting clients to attach to it in order to transmit data. This is the job of the service set identifier (SSID). An access point will broadcast an SSID, which will be used by clients to identify and attach to the network. The SSID is typically viewed as the text string that end users see when they are searching for a wireless network. The SSID can be made up of most combinations of characters, but it can only ever be a maximum of 32 bytes in size.

The SSID is continually broadcast by the access point or points to allow clients to identify the network. A client is configured with the name of an access point in order to join the given network. It is possible to think of the SSID configured on a client as a token used to access the named wireless network. The SSID is embedded within the header of packets, thus making it viewable. On open networks, the SSID is visible and can be viewed by any client searching for it. On closed networks, the SSID is not visible and in some cases is said to be cloaked.

Wireless Vocabulary

In addition to the term SSID, this chapter uses the terms shown in Table 15.2.

TABLE 15.2 Common wireless terms

Term                                            Description
GSM (Global System for Mobile Communications)   An international standard for mobile wireless
Association                                     The process of connecting a client to an access point
BSSID (basic service set identification)        The MAC address of an access point
Hot spot                                        A location that provides wireless access to the public, such as a coffee shop or airport
Access point                                    A hardware or software construct that provides wireless access
ISM (industrial, scientific, and medical) band  An unlicensed band of frequencies
Bandwidth                                       How much speed is available for devices

Wireless Antennas

Something else you should be aware of when talking about wireless networks is the type of antenna in use. If you are working with consumer-grade access points, this typically is not a big concern as the antenna is built in or provided with these products. However, when working with enterprise and commercial-grade access points you may very well need to select an antenna to suit your environment or for a specific purpose. In this section we’ll look at each of the available types and what makes them unique and why you would choose one over another.

The first type of antenna we’ll discuss is the Yagi antenna (Figure 15.1), which is designed to be a unidirectional (more commonly known as directional) antenna. As a unidirectional antenna, it works well transmitting and receiving signals in some directions but not in others. Typically this type of antenna is used in applications where the transmission of signals is needed from site to site instead of covering a wider area. From a security standpoint, this type of antenna enhances security by limiting signals to smaller areas.

FIGURE 15.1 A Yagi antenna

The next antenna type is one of the more common ones and is known as an omnidirectional antenna. This type of antenna emanates radio energy in all directions, but typically in some directions better than others. In many cases, these types of antennas can transmit data in two dimensions well, but not in three dimensions.

A parabolic grid antenna (Figure 15.2) is another popular type of design and is commonly seen in various applications. This type of antenna takes the form of a dish and is a directional antenna because it sends and receives data over one axis; in fact, it can be said that this type of antenna is unidirectional, working well only over a single axis and in one direction. One big advantage of this type of antenna is that its dish catches parallel signals and focuses them to a single receiving point, so it gets better signal quality and over longer ranges. In many cases, this type of antenna can receive Wi-Fi signals over a distance of 10 miles.

FIGURE 15.2 A parabolic antenna

Wi-Fi Authentication Modes

When you are authenticating clients to a wireless network, two processes are available. The first, known as open system authentication, is used in situations where you want to make your network available to a wide range of clients. This type of authentication occurs when an authentication frame is sent from a client to an access point. When the access point receives the frame, it verifies its SSID, and if it’s correct the access point sends a verification frame back to the client, allowing the connection to be made.

The second process is known as shared key authentication. In this process, each client receives the key ahead of time and then can connect to the network as needed.

This is how shared key authentication works:

  1. The client sends an authentication request to the access point.
  2. The access point returns a challenge to the client.
  3. The client encrypts the challenge using the shared key it is configured with.
  4. The access point uses the same shared key to decrypt the challenge; if the responses match, then the client is validated and is given access to the network.
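The four steps above, played out by both sides in code. This is an added example, not from the chapter: RC4 and the WEP frame body (24-bit IV, CRC-32 integrity check value) are modelled only as far as the exchange needs, and the key, MAC address and challenge length are constructed values.

```python
"""WEP shared-key authentication, both sides of the exchange.

Added example, not from the original chapter. A WEP station seeds RC4 with
IV||key and appends a CRC-32 ICV before encrypting; that is modelled here,
but nothing else of the 802.11 frame format is.
"""
import os
import zlib
from typing import Dict, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + generator); XORs the keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV||key, plaintext || CRC32(plaintext))."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key: bytes, body: bytes) -> Optional[bytes]:
    """Strip the IV, decrypt, verify the ICV; None when the check fails."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(iv + shared_key, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


class AccessPoint:
    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.pending: Dict[str, bytes] = {}   # client MAC -> outstanding challenge

    def step2_challenge(self, client_mac: str) -> bytes:
        """Step 2: answer the step-1 request with a fresh 128-byte challenge."""
        challenge = os.urandom(128)
        self.pending[client_mac] = challenge
        return challenge

    def step4_verify(self, client_mac: str, response: bytes) -> bool:
        """Step 4: decrypt with the same shared key; grant access only on a match.
        The challenge is consumed, so a replayed response is rejected."""
        expected = self.pending.pop(client_mac, None)
        return expected is not None and wep_decrypt(self.shared_key, response) == expected


def client_step3_respond(shared_key: bytes, challenge: bytes) -> bytes:
    """Step 3: the client encrypts the challenge with its configured key."""
    return wep_encrypt(shared_key, os.urandom(3), challenge)


def run_exchange(ap_key: bytes, client_key: bytes, client_mac: str = "02:00:00:00:00:01") -> bool:
    """Run steps 1 to 4; True when the client is admitted."""
    ap = AccessPoint(ap_key)
    challenge = ap.step2_challenge(client_mac)              # steps 1 and 2
    response = client_step3_respond(client_key, challenge)  # step 3
    return ap.step4_verify(client_mac, response)            # step 4


def keystream_exposed(challenge: bytes, response: bytes) -> bytes:
    """What anyone listening learns: the challenge crosses the air in the clear
    and its encryption follows, so XORing the pair yields the RC4 keystream for
    that IV. This is the known plaintext weakness the chapter raises against WEP."""
    return bytes(a ^ b for a, b in zip(challenge, response[3:]))


if __name__ == "__main__":
    KEY = b"\x01\x02\x03\x04\x05"   # constructed 40-bit WEP key
    print("matching keys admitted:", run_exchange(KEY, KEY))
    print("wrong key admitted:", run_exchange(KEY, b"\x05\x04\x03\x02\x01"))
```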

Wireless Encryption Mechanisms

One of the big concerns with wireless networks is the fact that the data is vulnerable when being transmitted over the air. Without proper protection, the transmitted data can be sniffed and captured easily by an attacker. To prevent or at least mitigate this issue, encryption is a layer of security that is included in most, if not all, wireless products.

The following are some of the more commonly used wireless encryption and authentication protocols in use:

  • Wired Equivalent Privacy (WEP) is the oldest and arguably the weakest of the available encryption protocols. The WEP standard was introduced as the initial solution to wireless security but was quickly found to be flawed and highly vulnerable.
  • Wi-Fi Protected Access (WPA) was the successor to WEP and was intended to address many of the problems that plagued WEP. In many areas it succeeded and made for a much tougher security protocol. WPA uses Temporal Key Integrity Protocol (TKIP), message integrity code (MIC), and Advanced Encryption Standard (AES) encryption as its main mechanism for securing information.
  • WPA2 is the successor to WPA and was intended to address the problems with WPA. WPA2 is much stronger and uses tougher encryption in the form of AES and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). The standard also comes in a version that uses stronger systems such as Extensible Authentication Protocol (EAP), TKIP, and AES (with longer keys).
  • WPA2 Enterprise is a version that incorporates EAP standards as a way to strengthen security as well as scale the system up to large enterprise environments.
  • TKIP is used as an enhancement to WPA over WEP.
  • AES is a symmetric-key encryption, used in WPA2 as a replacement for TKIP.
  • EAP is incorporated into multiple authentication methods, such as token cards, Kerberos, and certificates.
  • Lightweight Extensible Authentication Protocol (LEAP) is a proprietary WLAN authentication protocol developed by Cisco.
  • Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication and authorization management system.
  • 802.11i is an IEEE standard that specifies security mechanisms for 802.11 wireless networks.
  • CCMP uses 128-bit keys, with a 48-bit initialization vector (IV) for replay detection.

Let’s look at some of these protocols a little more closely so you can gain a better understanding of them. We’ll start by looking at WEP.

WEP Encryption: A Closer Look

WEP is the oldest of the wireless encryption protocols and is also the most maligned of all of the available methods. When originally introduced and integrated into the 802.11b standard, it was viewed as a way of providing security of data transmissions more or less on a par with that of wired networks. As designed, WEP made use of some existing technologies, including RC4, as encryption mechanisms. Although WEP was intended to provide security on the same level as wired networks, it failed in that regard.

First you need to understand what WEP was originally designed to provide. WEP was intended to achieve the following:

  • Defeat eavesdropping on communications and reduce unauthorized disclosure of data.
  • Check the integrity of data as it flows across the network.
  • Use a shared secret key to encrypt packets prior to transmission.
  • Provide confidentiality, access control, and integrity in a lightweight, efficient system.

Its problems arise from the following circumstances:

  • The protocol was designed without input from the academic community or the public, and professional cryptologists were never consulted.
  • It provides no clearly defined method for key distribution other than preshared keys. As a result the keys are cumbersome to change on a large scale and are very rarely changed in many cases.
  • An attacker gaining ciphertext and plaintext can analyze and uncover the key.
  • Its design makes it possible to passively uncover the key using sniffing tools and cracking tools available freely in operating systems such as Kali Linux.
  • Key generators used by different vendors are inconsistently and poorly designed, leading to vulnerabilities such as issues with the use of 40-bit keys.
  • The algorithms used to perform key scheduling have been shown to be vulnerable to attack.

WEP Problems and Vulnerabilities

WEP suffers from many flaws that make it easy to compromise by even a slightly skilled attacker. These flaws are in the following areas:

  • The CRC32 (cyclic redundancy check) used for integrity checking is flawed; with slight modifications, attackers can alter packets consistently to produce the results they want.
  • Initialization vectors (IVs) are only 24 bits in length, meaning that an entire pool of IVs can be exhausted by a mildly active network in 5 hours or less.
  • WEP is susceptible to known plaintext attacks through the analysis of packets.
  • Keys may be uncovered through the analysis of packets, allowing for the creation of a decryption table.
  • WEP is susceptible to denial-of-service (DoS) attacks through the use of associate and disassociate messages, which are not authenticated by WEP.

Breaking WEP

Undoubtedly you have heard a lot about how poor the WEP protocol is and how you should not use it. In this section we’ll explain how WEP is broken so you can see the process and how everything pulls together.

The important part of breaking the WEP protocol is intercepting as many IVs as possible before attempting to recover the key. The collection of IVs is done through the process of sniffing or capturing. Collecting and saving IVs allows analysis to be performed: the more packets, the easier it becomes to retrieve the keys. However, there can be a problem with this process: collecting enough IVs can take a substantial period of time, which depends on how active the network is over the period in which the packets are being collected. To speed up this process, it is possible to perform a packet injection to induce the network to speed up the generation and gathering process.

To perform this process (including cracking the keys), follow these steps:

  1. Start the wireless interface on the attacking system in monitor mode on the specific access point channel. This mode is used to listen to packets in the air.
  2. Probe the target network with the wireless device to determine if packet injection can be performed.
  3. Select a tool such as aireplay-ng to perform a fake authentication with the access point.
  4. Start the Wi-Fi sniffing tool to capture IVs. If you’re using aireplay-ng, ARP request packets can be intercepted and reinjected back into the network, causing more packets to be generated and then captured.
  5. Run a tool such as Cain & Abel or aircrack-ng to extract the encryption keys from the IVs.

WPA: A Closer Look

The successor to WEP is WPA, or Wi-Fi Protected Access. This standard was intended to be a replacement for the flawed and insecure WEP protocol. The WPA protocol was designed to be a software upgrade instead of requiring full hardware upgrades. However, in some cases where older hardware is present and processing power or other mechanisms are limiting, a hardware upgrade may be required.

The most significant development introduced with the WPA protocol was the TKIP system, whose purpose is to improve data encryption. TKIP improves on the WEP protocol (where a static unchanging key is used for every frame transmitted) by changing the key after every frame. This dynamic changing of keys makes WPA much more difficult to crack than WEP.

WPA suffers from the following flaws:

  • Weak keys chosen by the user
  • Packet spoofing
  • Authentication issues with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Cracking WPA

To crack WPA you must use a different approach than you would with WEP. Fortunately one of the best tools available for thwarting WPA is freely available in Kali Linux in the form of Reaver. Reaver exploits holes in wireless routers in an attempt to retrieve information about the WPA preshared key that is used to access the network.

What Is WPA2?

The upgrade or successor to WPA is WPA2, which was introduced to address some of the weaknesses present in the original. The protocol offers dramatically improved security over its predecessor and maintains full compatibility with 802.11i standards for security.

Like WPA, WPA2 can function in two modes:

  • WPA2-Personal, much like the preshared key mode of other systems, relies on the input of a key into each station.
  • WPA2-Enterprise uses a server to perform key management and authentication for wireless clients. Common components include RADIUS and Diameter servers for centralized management.

Attacking, Cracking, and Compromising WPA and WPA/2

As with WEP, WPA and WPA/2 both suffer from vulnerabilities that can be exploited to an attacking party’s advantage. Each offers a way to penetrate the security of an otherwise strong protocol.

Offline Attack

The idea behind an offline attack is to be in close enough proximity to an access point to observe the handshake between the client and the access point. This handshake represents the authentication of the client and the access point. If you set up the attack properly, you can capture the handshake and recover the keys by recording and cracking them offline. The main reason why this attack works is that the handshake occurs completely in the clear, making it possible to get enough information to break the key.

Deauthentication Attack

The deauthentication attack approaches the problem of observing the handshake between the client and the access point by forcing a reconnect. An attacker induces a client that is already connected to an access point to disconnect, which should lead the client and access point to reestablish the connection. Authentication will occur, allowing the information to be captured and cracked.

Brute-Force WPA Keys

The old standby in a number of cases, including the breaking of WPA/WPA2 keys, is the brute-force attack. This attack is typically performed using tools such as aircrack-ng, aireplay-ng, or KisMAC to brute-force the keys. The downside of this attack is that it can take a long time or a lot of computing power to recover the keys.

Risk Mitigation of WEP and WPA Cracking

So how can you thwart many of the attacks that we have discussed here that target WEP and WPA? Well, excluding encryption and other mechanisms, here are the leading techniques:

  • Use a complex password or phrase as the key. Using the same rules we observed earlier for passwords, you can make a strong password for the access point.
  • Use server validation on the client side to allow the client to have a positive ID of the access point it is connecting to.
  • Eliminate WEP and WPA and move to WPA2 where available.
  • Use encryption standards such as CCMP, AES, and TKIP.
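An added example that checks an access-point configuration against the mitigation list above, with the weak settings beside the corrected ones. It is not from the chapter: the key names follow hostapd's configuration format (an assumption about the format, not a requirement), both configurations are constructed, and MIN_PASSPHRASE is my own threshold since the chapter asks only for a complex phrase.

```python
"""Audit an access-point configuration against the chapter's mitigation list.

Added example, not from the original chapter. Key names follow hostapd's
format (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase,
wep_key0 ...); both configurations are constructed.
"""
from typing import Dict, List

# Assumption: the chapter asks for a complex phrase but gives no length. WPA
# passphrases run 8 to 63 characters; anything near the minimum is guessable.
MIN_PASSPHRASE = 20


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def passphrase_classes(phrase: str) -> int:
    """Count character classes in use: lower, upper, digit, other."""
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in phrase))
    return classes + (1 if any(not c.isalnum() for c in phrase) else 0)


def audit(conf: Dict[str, str]) -> List[str]:
    """One finding per mitigation from the chapter that the configuration misses."""
    findings: List[str] = []
    has_wep = any(k.startswith("wep_key") for k in conf)
    wpa = int(conf.get("wpa", "0"))          # hostapd: 1=WPA, 2=WPA2 (RSN), 3=both
    if has_wep:
        findings.append("WEP keys configured: eliminate WEP, move to WPA2")
    if wpa == 0 and not has_wep:
        findings.append("no encryption configured (open network)")
    if wpa & 1:
        findings.append("WPA (version 1) accepted: set wpa=2 for WPA2 only")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: prefer CCMP (AES)")
    if wpa and "CCMP" not in ciphers:
        findings.append("CCMP not enabled as a pairwise cipher")
    if "WPA-PSK" in conf.get("wpa_key_mgmt", ""):
        phrase = conf.get("wpa_passphrase", "")
        if len(phrase) < MIN_PASSPHRASE or passphrase_classes(phrase) < 3:
            findings.append("preshared key is short or simple: use a long, complex phrase")
    return findings


# Constructed: the weak setting beside the corrected one.
WEAK_CONFIG = """
interface=wlan0
ssid=CorpNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password1
"""

HARDENED_CONFIG = """
interface=wlan0
ssid=CorpNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Correct-Horse-Battery-Staple-2014!
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or ["no findings"])
```

Server validation on the client side, the second item in the list, is a supplicant setting and cannot be checked from the access point's configuration.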

A Close Examination of Threats

Now that you understand the various technologies and issues specific to each, let’s take a much closer look at some of the other generalized threats that can target an environment. Typically these attacks can be categorized as access control, integrity, and confidentiality targeted attacks.

Wardriving

A wardriving attack is one of the most common forms of action targeting wireless networks. It consists of an attacker driving around an area with a computing or mobile device that has both a wireless card and software designed to detect wireless clients or access points.

What makes this type of attack possible is that wireless detection software will either listen for the beacon of a network or send off a probe request designed to detect the network. Once a network is detected, it can be singled out for later attack by the intruder.

Some of the software packages that are used to perform this type of attack are KisMAC, NetStumbler, Kismet, WaveStumbler, and InSSIDer.

There are also variations of the wardriving attack, all of which have the same objective:

Warflying Same as wardriving, but uses a small plane or ultralight aircraft

Warballooning Same as warflying but makes use of a balloon instead

Warwalking Involves putting the detection equipment in a backpack or something similar and walking through buildings and other facilities

A technique known as warchalking involves the placement of symbols in locations where wireless signals were detected. These symbols tell the informed that a wireless access point is nearby and provide data about it where available, including open or closed access points, security settings, channel, and name.

Rogue Access Points

A rogue access point is another effective way of breaching a network by violating trust. The attacker installs a new access point that is completely unsecured behind a company firewall. The attacker can then connect with relative impunity to the target network, extracting information or carrying out further attacks.

This type of attack has been made relatively easy to perform through the use of more compact hardware access points and software designed to create an access point. A savvy attacker will either hide the access point from being readily observed and/or will configure the SSID to appear as a corporate access point.

MAC Spoofing

For those access points that employ MAC filtering, you can use MAC spoofing. MAC filtering is a technique used to either blacklist or whitelist the MAC addresses of clients at the access point. If a defender deploys this technique, an attacking party can spoof the address of an approved client or switch their MAC to a client that is not blocked.

Typically it is possible to use tools such as SMAC, ifconfig, changemac.sh, and others to accomplish this task. However, in some cases the hardware configuration settings for a network card may allow the MAC to be changed without such applications.

Ad Hoc

The ad hoc attack relies on an attacker using a Wi-Fi adapter to connect directly to another wireless-enabled system. Once this connection is established, the two systems can interact with each other. The main threats with this type of connection are that it is relatively easy to set up and many users are completely unaware of the difference between infrastructure and an ad hoc network and so may attach to an insecure network.

Security on an ad hoc network is quirky at best and is very inconsistent. For example, in the Microsoft family of operating systems ad hoc connections are unable to support any advanced security protocols, thus exposing users to increased risk.

Misconfiguration

We have pointed out this problem before in other areas, and misconfiguration is a problem with access points as well. All the security features in the world aren’t going to help one bit if they are misconfigured or not configured at all. The danger here is heightened, however, since a wireless access point provides an ideal “access anywhere” solution for attackers or other malicious parties that can’t physically connect to the network.

Client Misassociation

The client misassociation attack starts with a client attaching to an access point that is on a network other than theirs. Due to the way wireless signals propagate through walls and many other structures, a client can easily detect another access point and attach to it either accidentally or intentionally. In either case, if this is done a client may attach to a network that is unsafe, perhaps while still connected to a secure network. This last scenario can result in a malicious party gaining access to a protected network.

Promiscuous Client

The promiscuous client offers an irresistibly strong signal intentionally for malicious purposes. Wireless cards often look for a stronger signal to connect to a network. In this way the promiscuous client grabs the attention of the users by sending a strong signal.

Jamming Attacks

One particularly interesting way of attacking a WLAN is to resort to a plain old DoS attack. Although there are many ways to do this, one of the easiest is to just jam the network, thus preventing it from being used. It is possible to use a specially designed jammer that will transmit signals that can overwhelm and deny the use of the access point by legitimate clients. The benefit of this type of attack is that it works on any type of wireless network.

To perform this type of attack, you can use a specially designed hardware device that can transmit signals that interfere with 802.11 networks. These devices are easy to find online and can be used to jam any type of wireless network.

Honeyspot Attack

Users can connect to any available wireless network as long as they are in range of one another, and sometimes this can be a large number of access points. With such an environment, an attacker has expanded opportunities to attract unknowing users. To perform this type of attack, a malicious party sets up a rogue access point in the range of several legitimate ones as what is known as a honeyspot. With the rogue access point generating a much stronger and clearer signal, it is possible to attract clients looking for the best signal.

Ways to Locate Wireless Networks

In order to attack, you must first find a target, and though site surveys can make this easier, they cannot help in every case. Several tools and mechanisms make locating a target network easier.

The following are methods that can complement wardriving or be used on their own:

  • OpenSignal is a useful app that can be used on the web at http://opensignal.com or on a mobile device by downloading the OpenSignal app. With this application, you can map out Wi-Fi networks and 2G–4G networks, as well as correlate this information with GPS data.
  • wefi (www.wefi.com) provides a map of various locations, with the access points noted in varying amounts of detail.
  • JiWire (www.jiwire.com) offers a map of various locations, with access points detected in a given region.

Traffic Analysis

Once you’re connected to a target network, the next step is to perform traffic analysis to gain insight into the activity in the environment. As when using Wireshark with standard network traffic, it is entirely possible to scrutinize traffic on a wireless network. By performing such analysis, you can gain vital information on traffic patterns, protocols in use, and authentication, not to mention information specific to applications. Additionally, analysis can reveal vulnerabilities on the network as well as client information.

Under ideal conditions, traffic analysis of a wireless network can be expected to reveal the following:

  • Broadcast SSID
  • Presence of multiple access points
  • Possibility of recovering SSIDs
  • Authentication method used
  • WLAN encryption algorithms

Currently, a number of products can perform wireless traffic analysis—Kismet, AirMagnet, Wireshark with AirPcap, CommView, and a few others.
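Several items in the list above (the broadcast SSID, whether it is cloaked, and the encryption and authentication scheme) are carried in every beacon frame the access point sends, and a parser pulls them out. This is an added example, not from the chapter or any of the tools named: the beacons are constructed with build_beacon(), and in practice the same bytes come from a monitor-mode capture with the radiotap header already stripped.

```python
"""Pull the traffic-analysis facts listed above out of a single beacon frame.

Added example, not from the original chapter. The beacons are constructed
with build_beacon(); real ones come from a monitor-mode capture.
"""
import struct
from typing import Dict, List, Tuple

RSN_OUI = b"\x00\x0f\xac"                 # IEEE 802.11 cipher/AKM suite selector OUI
WPA_IE_PREFIX = b"\x00\x50\xf2\x01"       # vendor element 221: Microsoft OUI, type 1 = WPA
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKMS = {1: "802.1X (Enterprise)", 2: "PSK (Personal)", 8: "SAE"}


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter area into (element id, payload) pairs."""
    ies, pos = [], 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        ies.append((eid, data[pos + 2: pos + 2 + length]))
        pos += 2 + length
    return ies


def _suites(ie: bytes, pos: int, names: Dict[int, str]) -> Tuple[List[str], int]:
    """Read a 16-bit count followed by that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", ie, pos)
    pos += 2
    out = []
    for _ in range(count):
        oui, kind = ie[pos:pos + 3], ie[pos + 3]
        out.append(names.get(kind, f"unknown-{kind}") if oui == RSN_OUI else "vendor")
        pos += 4
    return out, pos


def parse_rsn(ie: bytes) -> Dict[str, List[str]]:
    """Decode pairwise ciphers and AKM suites from an RSN element (ID 48)."""
    pos = 2 + 4                                # skip version and group cipher suite
    pairwise, pos = _suites(ie, pos, CIPHERS)
    akm, _ = _suites(ie, pos, AKMS)
    return {"pairwise": pairwise, "akm": akm}


def parse_beacon(frame: bytes) -> dict:
    """BSSID, SSID (or cloaked), and the security scheme the AP announces."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    if fc & 0x0C != 0 or (fc >> 4) & 0x0F != 8:   # type management, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    (capability,) = struct.unpack_from("<H", frame, 34)   # 24-byte header + timestamp + interval
    info = {"bssid": bssid, "ssid": None, "cloaked": False,
            "security": "open", "pairwise": [], "akm": []}
    rsn = wpa1 = False
    for eid, payload in parse_ies(frame[36:]):
        if eid == 0:                            # SSID element, 0 to 32 bytes
            if not payload.strip(b"\x00"):
                info["cloaked"] = True          # hidden network: empty or all-NUL SSID
            else:
                info["ssid"] = payload.decode("utf-8", "replace")
        elif eid == 48:
            rsn = True
            info.update(parse_rsn(payload))
        elif eid == 221 and payload.startswith(WPA_IE_PREFIX):
            wpa1 = True
    if capability & 0x0010:                     # Privacy bit: some encryption is on
        info["security"] = "WPA2/WPA3 (RSN)" if rsn else "WPA" if wpa1 else "WEP"
    return info


def rsn_ie(pairwise: List[int], akm: List[int]) -> bytes:
    """Build an RSN element (group cipher CCMP) from suite type numbers."""
    body = struct.pack("<H", 1) + RSN_OUI + b"\x04"
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(RSN_OUI + bytes([a]) for a in akm)
    return bytes([48, len(body)]) + body


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, extra_ies: bytes = b"") -> bytes:
    """Assemble a minimal beacon: constructed test input, not captured traffic."""
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS, plus Privacy when encrypted
    fixed = struct.pack("<QHH", 0, 100, capability)      # timestamp, interval of 100 TU
    return header + fixed + bytes([0, len(ssid)]) + ssid + extra_ies


BSSID = bytes.fromhex("02aabbccdd01")     # constructed, locally administered address
SAMPLE_WPA2 = build_beacon(BSSID, b"CorpNet", True, rsn_ie([4], [2]))
SAMPLE_MIXED = build_beacon(BSSID, b"Legacy", True, rsn_ie([2, 4], [2]))
SAMPLE_HIDDEN_WEP = build_beacon(BSSID, b"", True)
SAMPLE_OPEN = build_beacon(BSSID, b"Hot Spot", False)

if __name__ == "__main__":
    for frame in (SAMPLE_WPA2, SAMPLE_MIXED, SAMPLE_HIDDEN_WEP, SAMPLE_OPEN):
        print(parse_beacon(frame))
```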

Choosing the Right Wireless Card

The subject of wireless cards and chipsets is important. Although in many cases the chipset on the card and the wireless card itself may not matter, some tools require the presence of certain chipsets in order to function.

Items to consider include:

  • Operating system in use.
  • Application in use.
  • Whether packet injection is required (Windows systems cannot perform packet injection; if this is required then Linux must be used).
  • Driver availability.
  • Manufacturer of wireless card and chipset (you must know both because the two can be made by two different manufacturers).
  • If you are using virtualization, you may also need to check to see if your card will work with this environment.

Hacking Bluetooth

Another wireless technology to consider is Bluetooth, which is seen in many mobile devices in today’s marketplace. Bluetooth refers to a short-range wireless technology commonly used to connect devices such as headsets, media players, and other types of technologies. Bluetooth operates in the 2.4 GHz frequency range and is designed to work at distances up to 10 meters (33 feet).

When you’re working with Bluetooth devices, there are some specifics to keep in mind about the devices and how they operate.

First, the device can operate in one of the following modes:

Discoverable This allows the device to be scanned and located by other Bluetooth-enabled devices.

Limited Discoverable This mode is becoming more commonly used; in this mode the device will be discoverable by other Bluetooth devices for a short period of time before it returns to being nondiscoverable.

Nondiscoverable As the name suggests, devices in this mode cannot be located by other devices. However, if another device has previously found the system it will still be able to do so.

In addition to the device being able to be located, it can be paired with other devices to allow communication to occur. A device can be in pairing or nonpairing mode; pairing means it can link with another device and nonpairing means it cannot.

Bluetooth Threats

Much like Wi-Fi, Bluetooth has a bevy of threats facing it that you must take into account. Bluetooth suffers from many shortcomings that have been slowly addressed with each successive version, but many flaws remain and can be exploited. The technology itself has already seen many attacks take their toll on victims in the form of losing information such as the following:

  • Leaking calendars and address books or other information is possible through the Bluetooth protocol.
  • Creation of bugging devices has been a problem with Bluetooth devices as software has been made available that can remotely activate cameras and microphones.
  • An attacker can remotely control a phone to make phone calls or connect to the Internet.
  • Attackers have been known to fool victims into disabling security for Bluetooth connections in order to pair with them and steal information.
  • Mobile phone worms can exploit a Bluetooth connection to replicate and spread.

Bluejacking

Bluejacking is one form of Bluetooth attack that is more annoying than malicious in most cases. The attack takes the form of sending an anonymous text message via Bluetooth to a victim. Since this attack exploits the basic operation of the Bluetooth protocol it is hard to defend against, other than making the device nondiscoverable.
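The three discoverability modes described above, and the one defense the bluejacking paragraph offers (keeping the device nondiscoverable), can be checked on a Linux host from the output of `bluetoothctl show`. The script below is an added example, not code from the chapter or from the BlueZ project: it parses that output, maps the controller's state onto the chapter's modes (discoverable with no timeout, limited discoverable with a timeout, or nondiscoverable), and reports findings a defender would act on. The sample output embedded in it is constructed; the field names and the hex `DiscoverableTimeout` format are an assumption based on BlueZ 5.x.

```python
"""Audit a Linux Bluetooth controller's discoverability and pairability.

Added example (not from the chapter). If `bluetoothctl` is installed it is
queried live; otherwise the constructed sample below is audited so the
script runs offline.
"""
import shutil
import subprocess

# Constructed sample of `bluetoothctl show` output (BlueZ 5.x layout assumed):
# a controller that is discoverable forever and accepts pairings.
SAMPLE_SHOW_OUTPUT = """\
Controller AA:BB:CC:DD:EE:FF laptop [default]
\tName: laptop
\tAlias: laptop
\tClass: 0x006c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
\tUUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
\tModalias: usb:v1D6Bp0246d0537
\tDiscovering: no
"""


def parse_controller(text):
    """Return a dict of the 'Key: value' fields in one controller block."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Controller "):
            fields["address"] = line.split()[1]
            continue
        key, sep, value = line.partition(": ")
        if sep and key not in fields:  # keep the first of repeated keys (UUID)
            fields[key] = value.strip()
    return fields


def classify_mode(fields):
    """Map controller state onto the chapter's three modes."""
    if fields.get("Discoverable") != "yes":
        return "nondiscoverable"
    # BlueZ prints the timeout in seconds as a hex literal; 0 means no timeout.
    timeout = int(fields.get("DiscoverableTimeout", "0"), 16)
    return "limited discoverable" if timeout > 0 else "discoverable"


def audit(fields):
    """Return a list of findings; an empty list is the safest state."""
    findings = []
    mode = classify_mode(fields)
    if mode == "discoverable":
        findings.append("discoverable with no timeout: any nearby device can "
                        "enumerate it (run `bluetoothctl discoverable off`)")
    elif mode == "limited discoverable":
        findings.append("discoverable for a limited window: acceptable only "
                        "while deliberately pairing")
    if fields.get("Pairable") == "yes":
        findings.append("accepts new pairings: run `bluetoothctl pairable off` "
                        "when not actively pairing")
    return findings


def live_output():
    """Return real `bluetoothctl show` output, or None if unavailable."""
    if shutil.which("bluetoothctl") is None:
        return None
    try:
        result = subprocess.run(["bluetoothctl", "show"], capture_output=True,
                                text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return result.stdout or None


if __name__ == "__main__":
    text = live_output() or SAMPLE_SHOW_OUTPUT
    controller = parse_controller(text)
    print(f"controller {controller.get('address', '?')}: "
          f"{classify_mode(controller)}")
    for finding in audit(controller):
        print(" -", finding)
```

On the constructed sample the controller is classified as "discoverable" and two findings are reported; a controller that a defender has set nondiscoverable and nonpairable produces none.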

Use the following steps to bluejack a victim or a device:

  1. Locate an area with a high density of mobile users such as a mall or convention center.
  2. Go to the contacts in your device’s address book.
  3. Create a new contact and enter a message.
  4. Save the contact with a name but without a phone number.
  5. Choose Send Via Bluetooth.
  6. Choose a phone from the list of devices and send the message.

If all goes well at this point, your new “friend” should receive the message you just crafted.

Bluesnarfing

Another example of a Bluetooth attack is bluesnarfing. This attack is designed to extract information at a distance from a Bluetooth device. If you execute the attack skillfully, you can obtain the address book, call information, text information, and other data from the device. Because of the nature of the attack, it is considered very invasive and extremely dangerous.

Summary

In this chapter we explored wireless technologies, including Wi-Fi and Bluetooth. We observed that wireless is a powerful and convenient technology that frees users from wires and allows the network to expand into areas it could not go into before. We also explored the fact that wireless technologies are very vulnerable and have a whole range of concerns that don’t exist with traditional networks.

Today’s enterprise is much more likely to have a wireless network in place as well as numerous Bluetooth-enabled devices. The propagation of signals, the misapplication of the technology, social engineering, and just plain old mistakes have all led to significant vulnerabilities in the workplace. An attacker with a notebook, an antenna, and the right software can use a wireless network to break into and take over a network, or at the very least steal information, with ease.

You learned some of the defensive measures that are also available for wireless technologies. 802.11 networks typically offer security in the form of WEP, WPA, or WPA2 as a front-line defense, with preference given to WPA2 and WPA over the much weaker and broken WEP. If configured correctly, WPA and WPA2 offer strong integrity and protection for information transmitted over the air. Additional security measures include the use of strong passwords and phrases as well as the proper configuration of wireless gear.

Exam Essentials

Understand the various types of wireless technologies. Know that not all wireless technologies are the same. Each wireless technology works on different frequencies, uses different channels, and achieves different data speeds.

Know the differences between the 802.11 standards. Understand that each standard of wireless has its own attributes that make it different from the others.

Understand WEP, WPA, and WPA2. Understand that WEP was the initial specification included in the 802.11 protocol and that WPA and WPA2 were introduced later. Both of the latter protocols are intended to be compatible with the 802.11i standard.

Review Questions

  1. WEP is designed to offer security comparable to which of the following?

    1. Bluetooth
    2. Wired networks
    3. IrDA
    4. IPv6
  2. Which of the following operates at 5 GHz?

    1. 802.11a
    2. 802.11b
    3. 802.11g
    4. 802.11i
  3. Which of the following specifies security standards for wireless?

    1. 802.11a
    2. 802.11b
    3. 802.11g
    4. 802.11i
  4. Which of the following options shows the protocols in order from strongest to weakest?

    1. WPA, WEP, WPA2, Open
    2. WEP, WPA2, WPA, Open
    3. Open, WPA, WPA2, WEP
    4. WPA2, WPA, WEP, Open
  5. Which of the following is designed to locate wireless access points?

    1. Site survey
    2. Traffic analysis
    3. Pattern recognition
    4. Cracking
  6. What is a client-to-client wireless connection called?

    1. Infrastructure
    2. Client-server
    3. Peer-to-peer
    4. Ad hoc
  7. When a wireless client is attached to an access point, it is known as which of the following?

    1. Infrastructure
    2. Client-server
    3. Peer-to-peer
    4. Ad hoc
  8. A _________ is used to attack an NIDS.

    1. NULL session
    2. DoS
    3. Shellcode
    4. Port scan
  9. Which of the following uses a database of known attacks?

    1. Signature
    2. Anomaly
    3. Behavior
    4. Sniffer
  10. A honeyspot is designed to do what?

    1. Look for patterns of known attacks
    2. Look for deviations from known traffic patterns
    3. Attract victims to connect to it
    4. Analyze attack patterns
  11. An SSID is used to do which of the following?

    1. Identify a network
    2. Identify clients
    3. Prioritize traffic
    4. Mask a network
  12. AirPcap is used to do which of the following?

    1. Assist in the sniffing of wireless traffic
    2. Allow for network traffic to be analyzed
    3. Allow for the identification of wireless networks
    4. Attack a victim
  13. What is a rogue access point?

    1. An access point not managed by a company
    2. An unmanaged access point
    3. A second access point
    4. A honeypot device
  14. Bluejacking is a means of which of the following?

    1. Tracking a device
    2. Breaking into a device
    3. Sending unsolicited messages
    4. Crashing a device
  15. The wardriving process involves which of the following?

    1. Locating wireless networks
    2. Breaking into wireless networks
    3. Sniffing traffic
    4. Performing spectrum analysis
  16. Warchalking is used to do which of the following?

    1. Discover wireless networks
    2. Hack wireless networks
    3. Make others aware of a wireless network
    4. Analyze a wireless network
  17. A closed network is typically which of the following?

    1. Public network
    2. Private network
    3. Hot spot
    4. Kiosk location
  18. At which layer of the OSI model does a packet-filtering firewall work?

    1. 1
    2. 2
    3. 3
    4. 4
  19. What is a PSK?

    1. The password for the network
    2. The certificate for the network
    3. A key entered into each client
    4. A distributed password for each user
  20. Which of the following is a device used to perform a DoS on a wireless network?

    1. WPA jammer
    2. WPA2 jammer
    3. WEP jammer
    4. Wi-Fi jammer