Hacking Wireless
Wireless Local Area Networks (WLAN) are based on the IEEE 802.11 family of standards.
SSID → the name of the wireless network, broadcast in beacon frames
BSSID → the MAC address of the Access Point (a BSS, basic service set, is the AP together with the stations associated to it)
Different security protocols have been used for WLANs: WEP (broken), WPA (a stopgap built on TKIP, deprecated), WPA2 (AES-CCMP, the baseline in use today; WPA3 is its successor).
15.2 Wireless encryption
WEP encrypts with the RC4 stream cipher, keyed with the shared secret (40 or 104 bits) prefixed by a 24-bit initialization vector that is sent in clear with every frame. 24 bits give only about 16.7 million IVs: with random IVs there is a 50% probability of a repeat after roughly 4,800 frames (birthday bound), and cards that use a counter wrap around or restart from zero after a reset. A repeated IV means a repeated RC4 keystream, so XORing two such frames leaks the XOR of their plaintexts, and the statistical attacks on RC4's key schedule (FMS, PTW) recover the secret key from a few tens of thousands of captured frames.
It is very easy to break, but wireless networks using it still exist.
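The IV weakness described above, as an added example that is not code from the original notes. RC4 and the WEP frame layout (IV in clear, CRC-32 ICV appended, RC4 keyed with IV||secret) are the real ones; the 5-byte secret, the IV and the two request payloads are constructed for the demonstration. It shows that two frames sharing an IV leak the XOR of their plaintexts with no key at all, and how few frames it takes for a random IV to repeat.

```python
"""WEP's IV problem, shown on a working RC4 + WEP frame model.

Added example: this is not code from the original notes. RC4 is the real
algorithm; the 5-byte secret, the IV and the frame payloads below are
constructed for the demonstration.
"""
import math
import random
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (clear) || RC4(IV||secret) XOR (plaintext || CRC32 ICV)."""
    assert len(iv) == 3
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Strip the IV, regenerate the keystream and check the (weak, linear) ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + secret, len(body)))
    text, icv = plain[:-4], plain[-4:]
    if zlib.crc32(text).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return text


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so XORing the ciphertexts
    cancels it and yields plaintext_a XOR plaintext_b: no key needed."""
    assert frame_a[:3] == frame_b[:3], "only works when the IV repeats"
    n = min(len(frame_a), len(frame_b)) - 3
    return xor(frame_a[3:3 + n], frame_b[3:3 + n])


def birthday_bound(space: int = IV_SPACE, prob: float = 0.5) -> int:
    """Frames after which a uniformly random IV has repeated with probability `prob`."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))


def frames_until_repeat(seed: int, space: int = IV_SPACE) -> int:
    """Simulate a card picking random IVs; count frames until the first repeat."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.randrange(space)
        if iv in seen:
            return n
        seen.add(iv)


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"            # constructed 40-bit WEP key
    iv = b"\x00\x00\x2a"                        # constructed IV, reused twice below
    p1, p2 = b"GET /index.html", b"POST /login"
    c1, c2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    assert wep_decrypt(secret, c1) == p1
    leak = keystream_reuse_leak(c1, c2)
    print("p1 XOR p2 recovered from ciphertext only:", leak[:len(p2)].hex())
    print("50% IV collision expected after", birthday_bound(), "frames")
    print("simulated frames until first repeat:", frames_until_repeat(seed=1))
```

Knowing one plaintext (a predictable frame such as an ARP request) then gives the other plaintext directly, and the known keystream can be used to inject forged frames under that IV; the real key-recovery attacks go further and exploit RC4's biased first output bytes across many IVs.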
There is a tool designed to break WEP → Wifite, which automates the whole attack by driving the aircrack-ng suite (airodump-ng to capture, aireplay-ng to inject and replay, aircrack-ng to recover the key).
How to break it:
WPA was a stopgap that kept RC4 but added per-packet key mixing and a message integrity check (TKIP); WPA2 replaced it with a block cipher, AES in CCMP mode, and brought real security improvements. Both derive per-session keys from a four-way handshake, which is why the passphrase still matters.
To defend your wireless network:
- Use WPA2 (or WPA3) and never WEP or WPA/TKIP
- Use long, random passphrases: the WPA2-PSK handshake can be captured and brute-forced offline
- Use AES-CCMP (block cipher), not TKIP
- Add a higher-layer encryption such as IPsec or a VPN on top of the wireless link
15.4 Wireless attack methods
Footprinting → scanning the air with antennas for available wireless networks. Several tools give more detail on the channels in use, frequency, received signal strength, encryption type etc. (airodump-ng, inSSIDer, NetStumbler, Vistumbler).
MAC spoofing attack → using someone else's MAC address, e.g. to get past an AP's MAC address filter or to take over a session authorised by MAC on a captive portal. It has little to do with wireless itself; on Linux the interface address can be changed to impersonate the victim (the interface must be down first, and the keyword is hw ether):
ifconfig wlan0 down
ifconfig wlan0 hw ether aa:bb:cc:dd:ee:ff
ifconfig wlan0 up
Deauthentication attack → forging 802.11 deauthentication management frames, spoofed from the AP's address and usually sent to the broadcast address, to kick clients off the network; the frames carry no authentication unless 802.11w Protected Management Frames is enabled. It is used as a denial of service, to force clients to reconnect so that the WPA/WPA2 handshake can be captured, or to push them onto a rogue AP.
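How a deauthentication flood looks on the wire, and the detection logic a WIPS applies to it, as an added example that is not code from the original notes. The frame layout (16-bit Frame Control, duration, three addresses, sequence control, then a 16-bit reason code for deauth) is the real 802.11 management-frame format; the MAC addresses and the "capture" are constructed, standing in for frames a monitor-mode interface would deliver.

```python
"""Detecting a deauthentication flood in raw 802.11 management frames.

Added example, not from the original notes. Frames are constructed inline in
the same layout a monitor-mode capture would give (24-byte MAC header, then
the 2-byte reason code for deauth); the MAC addresses are made up.
"""
import struct
from collections import Counter

MGMT, DEAUTH_SUBTYPE = 0, 12
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the Frame Control field and the three address fields."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    info = {
        "type": (fc >> 2) & 0x3,         # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,      # 8 = beacon, 12 = deauthentication, ...
        "dst": mac_str(frame[4:10]),     # addr1
        "src": mac_str(frame[10:16]),    # addr2
        "bssid": mac_str(frame[16:22]),  # addr3
    }
    if info["type"] == MGMT and info["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                     body: bytes = b"", seq: int = 0) -> bytes:
    """Assemble a management frame: FC, duration, addr1-3, sequence control, body."""
    fc = (subtype << 4) | (MGMT << 2)
    return (struct.pack("<HH", fc, 0) + dst + src + bssid
            + struct.pack("<H", seq << 4) + body)


def build_deauth(dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Reason 7 = 'class 3 frame received from nonassociated STA', the code
    deauth tools such as aireplay-ng send."""
    return build_mgmt_frame(DEAUTH_SUBTYPE, dst, src, bssid, struct.pack("<H", reason))


def deauth_floods(frames, threshold: int = 10) -> dict:
    """Count deauth frames per BSSID and return those at or above `threshold`.
    Production WIPS logic also keys on a time window and on the source address
    claiming to be the AP while the AP itself is still beaconing normally."""
    counts = Counter()
    for f in frames:
        h = parse_header(f)
        if h["type"] == MGMT and h["subtype"] == DEAUTH_SUBTYPE:
            counts[h["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


def sample_capture() -> list:
    """Constructed capture: one beacon followed by 20 broadcast deauths
    spoofed from the AP's own address (the classic aireplay-ng -0 pattern)."""
    ap = bytes.fromhex("aabbccddeeff")                     # made-up AP address
    beacon = build_mgmt_frame(8, BROADCAST, ap, ap, body=b"\x00" * 12)
    flood = [build_deauth(BROADCAST, ap, ap) for _ in range(20)]
    return [beacon] + flood


if __name__ == "__main__":
    print(deauth_floods(sample_capture()))   # {'aa:bb:cc:dd:ee:ff': 20}
```

With 802.11w enabled, a client that receives an unprotected deauth from its AP's address simply ignores it, so the same capture would show the flood without any client actually disconnecting.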
15.5 Bluetooth and Bluejacking
Attacks on Bluetooth are not very common, but they still exist.
These are the attack types:
- BLUEJACKING, sending unsolicited messages (e.g. a vCard) over Bluetooth to nearby devices and learning from how they respond;
- BLUESNIFF, "watching the air" for Bluetooth traffic and discoverable devices;
- BLUESNARF, stealing information (contacts, calendar, files) from a device through Bluetooth without the owner's consent;
- BLUESMACKING, DoS by flooding the device with oversized L2CAP echo requests (the Bluetooth "ping of death").
Tools:
15.6 Wireless Attack Defense
- Scan the air regularly for APs (don't forget you have neighbours: not every unknown AP is a rogue on your premises!)
- Vendors often offer rogue AP detection in their wireless controllers
- Change the SSID from the default one and remember it is not a password: hiding it is not a security control
- Change the default username/password of the AP's management interface
- Use WPA2 (or WPA3) and not WEP
- IPsec or a VPN for data encryption on top of the link-layer encryption
15.7 Wireless IPS (WIPS)
Intrusion Prevention Systems for wireless networks detect and block rogue APs, deauthentication floods and similar over-the-air attacks. Commercial examples:
CISCO provides “Cisco Adaptive WIPS”
Aruba provides “RFProtect WIPS”
IDS, Firewalls and Honeypots
Intrusion Detection System → designed to analyze network traffic and system activity to discover intruders. It monitors the activity of users and of the system and raises alerts (an IPS additionally blocks).
There are 3 types: Network IDS (parses the traffic of a network segment), Network Node IDS (similar to a NIDS but monitors the traffic of a single host), Host IDS (monitors a host's logs, processes and file system for changes).
IDS looks for:
How to choose an IDS:
- Identify your security needs and the purpose of the IDS
- Network- or host-based?
- Features: what does it monitor?
Highly rated IDS software:
- Cisco Secure IDS, Snort, AIDE, OSSEC, Check Point (AIDE and OSSEC are host-based)
Firewalls → can be hardware- or software-based. A firewall allows or denies access to a network or port; it can filter on any information in the packet headers and, for higher-layer firewalls, on the payload.
Types: packet-filtering, circuit-level, stateful inspection, application-level, multilayer.
How to choose a firewall:
- Hardware or software?
- Info about the vendor (e.g. the support and updates the vendor provides)
- Type of firewall you need
- Features
Highly rated firewalls: Fortinet FortiGate, Cisco ASA, pfSense, Cyberoam UTM, FireEye, WatchGuard, Sophos UTM, Check Point VSX, Juniper SRX
Honeypot → a system designed to trap would-be attackers. It has no access to other systems or data, so anything that touches it is suspicious by definition (honeynet = many honeypots in the same network).
How to choose a Honeypot:
- Determine the purpose of your honeypot
- Features
Highly rated honeypots:
- HoneyBOT (Windows-based)
- LaBrea (multiple platforms, tarpit)
- Google Hack Honeypot (multiple platforms, emulates vulnerable web applications to catch attackers who find targets through search-engine queries)
- Kojoney (multiple platforms, SSH honeypot written in Python)
- Conpot (multiple platforms, Python-based ICS/SCADA honeypot)
16.5 Evading IDS and Firewalls
There are 3 families of techniques to evade an IDS:
– Payload obfuscation → designed to confuse the IDS and hide the payload from signature matching.
3 methods: encoding, encryption, polymorphism
– Insertion / evasion → the IDS and the target host interpret the packet stream differently, so the IDS does not recognize the packets as malicious (insertion: the IDS accepts data the host drops; evasion: the host accepts data the IDS drops).
Techniques: protocol ambiguities, low-bandwidth (slow) attacks, TTL manipulation, fragmentation (session splicing), overlapping fragments.
– DoS → if the IDS is discovered, a DoS attack can prevent it from doing its job.
Techniques: operator DoS (alert flooding), CPU DoS, memory DoS
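The overlapping-fragments case from the insertion/evasion family, as an added example that is not code from the original notes. The fragment list is constructed; the two reassembly policies ("first fragment's bytes win" versus "last fragment's bytes win") stand in for the fact that an IDS and the host it protects may resolve an overlap differently, and real IP stacks implement several such policies.

```python
"""Insertion/evasion via overlapping IP fragments, reconstructed two ways.

Added example, not from the original notes. The fragment list is constructed;
the two reassembly policies stand in for the fact that an IDS and the host it
protects may resolve overlaps differently (several policies exist in the wild).
"""
from typing import List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset within the datagram, payload)


def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """policy 'first': bytes already written win (original data is kept).
       policy 'last' : a later fragment overwrites earlier ones."""
    size = max(off + len(data) for off, data in fragments)
    buf = bytearray(size)
    filled = bytearray(size)       # 1 where a byte has been placed
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = b
                filled[pos] = 1
    if not all(filled):
        raise ValueError("gap in fragment coverage")
    return bytes(buf)


def overlapping_pairs(fragments: List[Fragment]) -> List[Tuple[int, int]]:
    """Indices of fragment pairs whose byte ranges overlap. Any hit deserves an
    alert on its own: a well-behaved sender never emits overlapping fragments."""
    spans = [(off, off + len(data)) for off, data in fragments]
    hits = []
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            a0, a1 = spans[i]
            b0, b1 = spans[j]
            if a0 < b1 and b0 < a1:
                hits.append((i, j))
    return hits


def ids_verdict(fragments: List[Fragment], signature: bytes,
                ids_policy: str = "first", host_policy: str = "last") -> dict:
    """What the IDS matches on versus what the host actually reassembles."""
    ids_view = reassemble(fragments, ids_policy)
    host_view = reassemble(fragments, host_policy)
    return {
        "ids_sees": ids_view,
        "host_sees": host_view,
        "ids_alerts": signature in ids_view,
        "host_hit": signature in host_view,
        "overlap_detected": bool(overlapping_pairs(fragments)),
    }


# Constructed attack: the second fragment is benign, the third rewrites the
# same byte range with the real request.
EVASION_FRAGMENTS: List[Fragment] = [
    (0, b"GET /"),
    (5, b"index.html"),
    (5, b"etc/passwd"),
]

if __name__ == "__main__":
    verdict = ids_verdict(EVASION_FRAGMENTS, b"/etc/passwd")
    for key, value in verdict.items():
        print(f"{key:>17}: {value!r}")
```

The defensive fix is the `overlapping_pairs` check, or better a normalising proxy that reassembles every datagram once and forwards only the result, so the sensor and the host cannot disagree.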
Know your firewall very well!
Techniques to identify the firewall type:
- Port scanning
- Firewalking (probes whose TTL expires just past the firewall)
- Banner grabbing
Techniques to evade firewalls:
- Tunneling (e.g. over HTTP or ICMP)
- Changing the source (spoofed or proxied source address)
- Other: MitM, having a user initiate the connection (reverse shell), discovering firewall "holes" (unintended allow rules)
16.5 Evading IDS and Firewalls: tools
Port scanners: nmap, SuperScan, Angry IP Scanner, Unicornscan
Tunneling tools: HTTPort, Super Network Tunnel, HTTP-Tunnel, Bitvise (SSH), AckCmd (TCP ACK tunneling), Loki (ICMP tunneling)
Packet fragmentation / crafting tools: NetScanTools, fping, pktgen, MGEN, hping3, Packet Generator
16.6 Detecting Honeypot
Honeypots are hard to tell from real systems, so look for tell-tale signs:
– too easy to "break into" → probably a honeypot
– too many open ports/services on one box = suspicious.
You should be aware of how the different honeypot products behave, use detection tools (e.g. Nessus, or check published lists of known honeypot/proxy addresses) and look for unusual or inconsistent responses (fake banners, services that accept any credentials).
Cloud Computing
On-demand delivery of hosted IT resources over the Internet.
There are several types:
One of the most popular cloud computing platforms is Amazon Web Services (AWS).
Other providers:
– Microsoft Azure
– Google Compute Engine
– IBM Cloud
– DigitalOcean
– VMware vCloud
17.3 Detection
How does an attacker know if the target is hosted in a public cloud?
– DNS names (and reverse DNS of the target's addresses) can reveal use of a public cloud
– IP address ranges of cloud providers are registered with the regional Internet registries (query whois/RDAP at ARIN, RIPE etc.), and some providers publish their current ranges
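Matching an address against a provider's published ranges, as an added example that is not code from the original notes. AWS publishes its ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json; the document embedded below copies that file's structure (`prefixes` / `ip_prefix` / `region` / `service`) but every prefix, region and the IPv6 block in it are made up, so the example runs offline. The longest-prefix rule matters because providers list nested ranges (a whole region plus the narrower blocks of individual services).

```python
"""Checking whether an address belongs to a public-cloud range.

Added example, not from the original notes. The JSON below mimics the layout
of AWS's ip-ranges.json, but every prefix and region in it is constructed.
"""
import ipaddress
import json
from typing import List, Optional, Tuple

# Constructed stand-in for a provider's published range file.
SAMPLE_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "example-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/25",  "region": "example-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24",  "region": "example-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:cafe::/48", "region": "example-east-1", "service": "EC2"},
    ],
})

Range = Tuple[ipaddress._BaseNetwork, str, str]   # (network, region, service)


def load_ranges(doc: str) -> List[Range]:
    """Parse the JSON into (network, region, service) triples, IPv4 and IPv6."""
    data = json.loads(doc)
    out: List[Range] = []
    for p in data.get("prefixes", []):
        out.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in data.get("ipv6_prefixes", []):
        out.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return out


def classify(ip: str, ranges: List[Range]) -> Optional[dict]:
    """Return the most specific (longest-prefix) match for `ip`, or None if
    the address is not in any published range."""
    addr = ipaddress.ip_address(ip)
    best: Optional[dict] = None
    for net, region, service in ranges:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best["network"].prefixlen:
            best = {"network": net, "region": region, "service": service}
    return best


def classify_many(ips: List[str], ranges: List[Range]) -> dict:
    """Map each address to its matching service name (or None)."""
    return {ip: (m["service"] if (m := classify(ip, ranges)) else None) for ip in ips}


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_RANGES_JSON)
    # Constructed targets: two inside the fake provider space, one outside.
    for ip, svc in classify_many(["203.0.113.5", "203.0.113.200", "192.0.2.1"], ranges).items():
        print(f"{ip:>15} -> {svc}")
```

For providers that do not publish a list, the same check falls back to the RIR whois/RDAP record of the address block, whose organisation name gives the hosting provider.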
Cryptography
Cryptography is the practice of securing messages.
It provides:
– Confidentiality: only intended recipients can read the message
– Authentication: the sender is who they say they are
– Integrity: the message hasn't been modified
There are 2 encryption types:
– Symmetric key (a single shared key for both encryption and decryption; fast, but the key must be distributed securely)
– Asymmetric key (2 keys: the public key encrypts and the private key decrypts; used the other way round, the private key signs and the public key verifies the signature)
18.2 Algorithms
Cryptographic algorithms rest on hard mathematical problems; the goal is a cipher whose output cannot be distinguished from random without the key. A block cipher works on fixed-size blocks (chunks) of data and needs a mode of operation, while a stream cipher generates a keystream that is XORed with the data byte by byte.
Some of the most popular algorithms:
– DES (Data Encryption Standard) → a symmetric block cipher with 64-bit blocks and a 56-bit key (too short: brute-forceable in under a day with dedicated hardware, insecure today);
– 3DES → applying DES three times (encrypt-decrypt-encrypt) with two or three keys, giving at most 112 bits of effective security; slow and now deprecated;
– AES (Advanced Encryption Standard) → a symmetric block cipher with 128-bit blocks and 128-, 192- or 256-bit keys (secure and the standard choice);
– RC (Rivest Cipher) family → RC4 is a stream cipher that was widely used (WEP, SSL/TLS) and is now broken; RC6 was an AES finalist;
– RSA → the classic asymmetric algorithm, based on the difficulty of factoring large integers; used for encryption and digital signatures;
– Hash functions → functions that compress an input of any length into a fixed-size output, also called a digest, that looks random. It must be computationally hard to reverse the function (preimage resistance) and to find two inputs with the same output (collision resistance). Popular hash functions are MD5 (128-bit digest, 512-bit blocks; collisions are trivial today) and SHA-1 (160-bit digest, 512-bit blocks; a collision was demonstrated in 2017); today SHA-2 (e.g. SHA-256) and SHA-3 are used.
18.3 Tools
Advanced Encryption Package 2016 is a file-encryption tool for Windows.
On Linux, you can compute a hash of a file's contents with the md5sum, sha1sum and sha256sum commands (and verify a list of checksums with sha256sum -c).
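The hash properties from 18.2 and the md5sum/sha1sum/sha256sum workflow above, as an added example that is not code from the original notes: it uses Python's standard `hashlib` and `hmac` modules, shows the digest sizes of the algorithms the notes name, measures the avalanche effect of a one-character change, and parses and verifies checksum lines in the format the sha*sum tools write. The file contents and checksum lines are constructed.

```python
"""Hash digests in Python's hashlib, mirroring md5sum/sha1sum/sha256sum.

Added example, not from the original notes. The data and the checksum-file
lines are constructed.
"""
import hashlib
import hmac
from typing import Dict


def hexdigest(data: bytes, algo: str) -> str:
    """Hex digest of `data`; algo is any name hashlib knows ('md5', 'sha256', 'sha3_256', ...)."""
    return hashlib.new(algo, data).hexdigest()


def digest_bits(algo: str) -> int:
    return hashlib.new(algo).digest_size * 8


def differing_bits(a: bytes, b: bytes, algo: str) -> int:
    """Hamming distance between two digests: a one-byte change in the input
    should flip about half of the output bits (avalanche effect)."""
    da = hashlib.new(algo, a).digest()
    db = hashlib.new(algo, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse 'HEX  filename' (text mode) or 'HEX *filename' (binary mode) lines
    as written by sha256sum and friends; returns {filename: hex}."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        out[name.lstrip("*")] = digest.lower()
    return out


def verify_checksum(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Like `sha256sum -c`; compare_digest avoids leaking where the mismatch is."""
    return hmac.compare_digest(hexdigest(data, algo), expected_hex.lower())


if __name__ == "__main__":
    files = {"release.tar.gz": b"constructed file contents\n"}   # constructed
    for algo in ("md5", "sha1", "sha256", "sha3_256"):
        print(f"{algo:>8} {digest_bits(algo):>3} bits  {hexdigest(files['release.tar.gz'], algo)}")
    print("bits changed by a 1-char edit:", differing_bits(b"abc", b"abd", "sha256"), "/ 256")
    sums = parse_checksum_file(hexdigest(files["release.tar.gz"], "sha256") + "  release.tar.gz\n")
    print("checksum ok:", all(verify_checksum(files[name], h) for name, h in sums.items()))
```

A checksum only proves integrity against accidental corruption unless the checksum itself is obtained over an authenticated channel (or signed, as in 18.4); an attacker who can replace the file can replace the published hash too, and with MD5 can even produce two files sharing one hash.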
Other tools:
18.4 Public Key Infrastructure
The goal of PKI is to issue, distribute and revoke certificates that bind a public key to an identity, so that the key can be trusted for authentication and encryption.
The PKI components are:
– Certification Authority (CA) → the certificate issuer; it signs certificates with its own private key;
– Registration Authority (RA) → accepts certificate requests and validates the identity of the requester before the CA signs;
– Certificate → issued by a CA; its authenticity is validated by checking the CA's signature. It is tied to a public/private key pair: the public key is inside the certificate, the private key stays with the holder;
– Users → the certificate holders, and the relying parties who verify them.
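The asymmetric key roles from 18.1, RSA from 18.2 and the CA/certificate binding described in this section, in one added example that is not code from the original notes. It is textbook RSA with the well-known tiny parameters p=61, q=53, e=17 (n=3233) for the user and a second constructed key pair for the CA; there is no padding and the modulus is far too small, so it illustrates the mechanism only and must not be mistaken for usable cryptography. The "certificate" is a plain dictionary standing in for an X.509 structure.

```python
"""Textbook RSA and a toy certificate, to make the key roles concrete.

Added example, not from the original notes. It shows the two uses of an
asymmetric key pair (public key encrypts / private key decrypts, and private
key signs / public key verifies) and then a CA issuing a certificate that
binds a subject name to a public key. The primes are tiny and there is no
padding: this illustrates the mechanism and is not usable cryptography.
"""
import hashlib
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public, private) from two primes; d is e's inverse mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, pub: Key) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, priv: Key) -> int:
    d, n = priv
    return pow(c, d, n)


def _digest_mod_n(data: bytes, n: int) -> int:
    """Hash first, then reduce so the value fits the (tiny) modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv: Key) -> int:
    d, n = priv
    return pow(_digest_mod_n(data, n), d, n)


def verify(data: bytes, sig: int, pub: Key) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


# --- a toy PKI: the CA signs (subject, public key); anyone holding the CA's
# public key can check the binding without ever contacting the CA.
def _to_be_signed(subject: str, pub: Key) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(subject: str, subject_pub: Key, ca_priv: Key) -> dict:
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(_to_be_signed(subject, subject_pub), ca_priv)}


def verify_certificate(cert: dict, ca_pub: Key) -> bool:
    return verify(_to_be_signed(cert["subject"], cert["pub"]), cert["sig"], ca_pub)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(61, 53)       # n = 3233 (textbook values)
    ca_pub, ca_priv = make_keypair(101, 113)           # constructed CA key, n = 11413
    c = encrypt(65, alice_pub)                         # 2790
    print("ciphertext", c, "-> plaintext", decrypt(c, alice_priv))
    cert = issue_certificate("alice", alice_pub, ca_priv)
    print("certificate valid:", verify_certificate(cert, ca_pub))
    forged = dict(cert, subject="mallory")             # same signature, new name
    print("forged certificate valid:", verify_certificate(forged, ca_pub))
```

Everything a real PKI adds (validity period, revocation, chains of intermediate CAs, proper padding such as RSA-PSS, 2048-bit or larger moduli) sits on top of exactly this sign-the-binding step.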
18.7 Attacks against cryptography
18.8 Cryptanalysis tools
CrypTool 2 (CT2) is an open-source tool for cryptanalysis and for learning cryptography.
Other tools: