Imperial Library
Index
Cover Title Page Copyright Page Dedication Contents Foreword Acknowledgments Introduction
Part I Hacking 802.11 Wireless Technology
CASE STUDY: Twelve Volt Hero
1 Introduction to 802.11 Hacking
802.11 in a Nutshell
The Basics Addressing in 802.11 Packets 802.11 Security Primer
Discovery Basics Hardware and Drivers
A Note on the Linux Kernel Chipsets and Linux Drivers Modern Chipsets and Drivers Cards Antennas Cellular Data Cards GPS
Summary
2 Scanning and Enumerating 802.11 Networks
Choosing an Operating System
Windows OS X Linux
Windows Discovery Tools
Vistumbler
Windows Sniffing/Injection Tools
NDIS 6.0 Monitor Mode Support (NetMon/MessageAnalyzer) AirPcap CommView for WiFi
OS X Discovery Tools
KisMAC
Linux Discovery Tools
airodump-ng Kismet
Advanced Visualization Techniques (PPI)
Visualizing PPI-Tagged Kismet Data PPI-Based Triangulation (Servo-Bot)
Summary
3 Attacking 802.11 Wireless Networks
Basic Types of Attacks Security Through Obscurity Defeating WEP
WEP Key Recovery Attacks
Putting It All Together with Wifite
Installing Wifite on a WiFi Pineapple
Summary
4 Attacking WPA-Protected 802.11 Networks
Obtaining the Four-Way Handshake
Cracking with Cryptographic Acceleration
Breaking Authentication: WPA Enterprise
Obtaining the EAP Handshake EAP-MD5 EAP-GTC LEAP EAP-FAST EAP-TLS PEAP and EAP-TTLS Running a Malicious RADIUS Server
Summary
5 Attacking 802.11 Wireless Clients
browser_autopwn: A Poor Man’s Exploit Server
Using Metasploit browser_autopwn
Getting Started with I-love-my-neighbors
Creating the AP Assigning an IP Address Setting Up the Routes Redirecting HTTP Traffic Serving HTTP Content with Squid
Attacking Clients While Attached to an AP
Associating to the Network
ARP Spoofing Direct Client Injection Techniques
Summary
6 Taking It All the Way: Bridging the Air-Gap from Windows 8
Preparing for the Attack
Exploiting Hotspot Environments Controlling the Client
Local Wireless Reconnaissance Remote Wireless Reconnaissance
Windows Monitor Mode Microsoft NetMon
Target Wireless Network Attack
Summary
Part II Bluetooth
CASE STUDY: You Can Still Hack What You Can’t See
7 Bluetooth Classic Scanning and Reconnaissance
Bluetooth Classic Technical Overview
Device Discovery Protocol Overview Bluetooth Profiles Encryption and Authentication
Preparing for an Attack
Selecting a Bluetooth Classic Attack Device
Reconnaissance
Active Device Discovery Passive Device Discovery Hybrid Discovery Passive Traffic Analysis
Service Enumeration
Summary
8 Bluetooth Low Energy Scanning and Reconnaissance
Bluetooth Low Energy Technical Overview
Physical Layer Behavior Operating Modes and Connection Establishment Frame Configuration Bluetooth Profiles Bluetooth Low Energy Security Controls
Scanning and Reconnaissance
Summary
9 Bluetooth Eavesdropping
Bluetooth Classic Eavesdropping
Open Source Bluetooth Classic Sniffing Commercial Bluetooth Classic Sniffing
Bluetooth Low Energy Eavesdropping
Bluetooth Low Energy Connection Following Bluetooth Low Energy Promiscuous Mode Following
Exploiting Bluetooth Networks Through Eavesdropping Attacks
Summary
10 Attacking and Exploiting Bluetooth
Bluetooth PIN Attacks
Bluetooth Classic PIN Attacks Bluetooth Low Energy PIN Attacks Practical Pairing Cracking
Device Identity Manipulation
Bluetooth Service and Device Class
Abusing Bluetooth Profiles
Testing Connection Access Unauthorized PAN Access File Transfer Attacks
Attacking Apple iBeacon
iBeacon Deployment Example
Summary
Part III More Ubiquitous Wireless
CASE STUDY: Failure Is Not an Option
11 Software-Defined Radios
SDR Architecture Choosing a Software Defined Radio
RTL-SDR: Entry-Level Software-Defined Radio HackRF: Versatile Software-Defined Radio
Getting Started with SDRs
Setting Up Shop on Windows Setting Up Shop on Linux SDR# and gqrx: Scanning the Radio Spectrum
Digital Signal Processing Crash Course
Rudimentary Communication Rudimentary (Wireless) Communication POCSAG Information as Sound Picking Your Target Finding and Capturing an RF Transmission Blind Attempts at Replay Attacks So What?
Summary
12 Hacking Cellular Networks
Fundamentals of Cellular Communication
Cellular Network RF Frequencies Standards
2G Network Security
GSM Network Model GSM Authentication GSM Encryption GSM Attacks GSM Eavesdropping GSM A5/1 Key Recovery GSM IMSI Catcher
Femtocell Attacks 4G/LTE Security
LTE Network Model LTE Authentication LTE Encryption Null Algorithm Encryption Algorithms Platform Security
Summary
13 Hacking ZigBee
ZigBee Introduction
ZigBee’s Place as a Wireless Standard ZigBee Deployments ZigBee History and Evolution ZigBee Layers ZigBee Profiles
ZigBee Security
Rules in the Design of ZigBee Security ZigBee Encryption ZigBee Authenticity ZigBee Authentication
ZigBee Attacks
Introduction to KillerBee Network Discovery Eavesdropping Attacks Replay Attacks Encryption Attacks Packet Forging Attacks
Attack Walkthrough
Network Discovery and Location Analyzing the ZigBee Hardware RAM Data Analysis
Summary
14 Hacking Z-Wave Smart Homes
Z-Wave Introduction
Z-Wave Layers Z-Wave Security
Z-Wave Attacks
Eavesdropping Attacks Z-Wave Injection Attacks
Summary
Index