CompTIA Pentest+ PT0-002 – Section 9: Wireless Attacks Part 2

76. Signal Exploitation (OBJ 3.2)

When someone is using a wireless network like Wi-Fi, the data is being transmitted through the air using radio waves. This means that the signal is being exposed to possible exploitation, because there’s no bounded media containing the data as it’s being transmitted, like you would inside a copper or fiber cable in a typical ethernet network. For this reason, securing a wireless network can be challenging for network defenders, especially at the physical layer of the OSI model. When a penetration tester considers the physical layer of a wireless network, they’re going to be focused on their ability to collect, manipulate, and otherwise exploit the wireless radio waves and signals that are passing freely throughout a given location. This means that a penetration tester can intercept, eavesdrop, manipulate, or jam any given signal within their range. To effectively exploit the signals, it is important to understand the different types of antennas that you can use as a penetration tester, since each kind will affect the distance at which you’re going to be able to intercept a given signal when you’re choosing your own antenna, as well as understanding the different patterns of wireless signals being transmitted by different access points, based on their antenna type too.

This means that a penetration tester can intercept, eavesdrop, manipulate, or jam any given signal within their range. To effectively exploit the signals, it’s important to understand the different types of antennas that you can use as a penetration tester. This is because each kind of antenna is going to affect the distance at which you can intercept a given signal, and understanding the different patterns of wireless signals being emanated, by an access point, is going to be done based on its antenna type as well. The most common types of antenna you’re going to run into are omnidirectional and unidirectional. Now, an omnidirectional antenna is commonly used by wireless access points to transmit their wireless signals in every direction. Omni just means all. So, an omnidirectional antenna will radiate its power evenly across all the directions when it’s transmitting network data. From a network provider’s perspective, this is really great, because we can blanket a room or a building with the wireless network extremely quickly and very easily. But it’s all also the least secure method of transmission, because it’s radiating data out in all directions, even directions that may be outside of the building. For example, almost every home wireless access point uses an omnidirectional antenna to send out their data. If your home office is in the front bedroom, over your garage, and you install a typical wireless access point there, guess what? Your neighbors across the street are likely able to see and pick up the signals that are coming radiating outward in that 360-degree pattern from that wireless access point. To minimize this risk, most organizations try to place their access points in the center of the room, typically on the ceiling.

If you’d ever taken a college class, just look up and you’ll see that circular wireless access point in the center of the room. Now, as a penetration tester, an omnidirectional antenna is what’s already connected by default to your wireless card in your laptop. This allows you to pick up signals coming from every direction, but this also means it can’t cover very long distances, because it’s splitting its power evenly across all 360 degrees that surround that antenna. As a penetration tester, if you’re able to identify that an organization is using omnidirectional antennas for their wireless networks, you can then exploit this fact by identifying which areas that signal is bleeding into unintentionally, for example, maybe it’s going out into the parking lot or the building next to them. If you know that, you can set up your equipment in those areas, collect and exploit the signals and gain access to the network undetected. The other common type of antenna that we use is known as a unidirectional antenna. Uni simply means one. So, a unidirectional antenna means all of the power for that antenna is going to be transmitted out in a single direction.

The most common type of unidirectional antenna you’re going to find is known as a Yagi antenna, and these are usually reserved in network architectures for building-to-building interconnection links over the 802.11 Wi-Fi standard. You’ll also see unidirectional antennas used internally inside of the building for internal wireless networks, this can help keep the wireless signal within the secure facility and within the sides of the building, and out of areas that it shouldn’t be in, such as the parking lot. As a penetration tester, if you identify that the organization is using unidirectional antennas, you’re going to have to work a bit harder to get yourself into the coverage footprint of that wireless network, in order for you to exploit that network. Now, when I conduct a wireless penetration test, I’m usually going to rely on my omnidirectional antenna when I’m first doing wardriving or warwalking, because I want to capture signals in every direction to figure out where they’re coming from. Now, once I’ve identified my target network and its basic footprint, I’m then going to switch over to a unidirectional antenna, because I can focus all of my power out in one direction towards that wireless network.

This will allow me to be further from the target organization’s building, and I can still capture their network traffic and remain undetected from that longer distance. So, I might be sitting across the street or in the parking lot, and they’re not going to see me. Antennas are also measured based on their sensitivity as measured in decibels-isotropic, also written as dBi. Now, this is the amount of forward gain that a given antenna is going to have. A typical antenna for a wireless network card in a laptop, smartphone or tablet tends to be rated at around three dBi. At three dBi, you can expect to receive a signal at a distance of up to around a 100 feet within a building, or up to 500 feet for access points that are located outside. If you want to increase the distance, you can switch out that omnidirectional three dBi antenna for a directional one, or you can use a higher sensitivity antenna that is still omnidirectional like a six dBi, nine dBi, or even a 12 dBi. As the forward gain is increased, the signal becomes less omnidirectional though, and it starts to become a little bit more directional in nature, because it goes from a circle amount of coverage to more of an oval. Now, once you have the right antenna selected and you install it with your wireless network card, you can begin to conduct your signal exploitation. There are really three main different types of signal exploitation that you can conduct during a penetration test. These are eavesdropping, deauthentication, and jamming. First, we have eavesdropping. Eavesdropping with wireless networks is actually pretty easy, because all the signals are being sent over the wireless network, much like an older hub would be in a wired network. Switches in a wired network, on the other hand, only send out data to the switch port that’s being addressed by looking at the CAM table and associating the MAC address of that client with a switch port, and that way it knows who to send the data to.

Wireless networks though, they can’t do that. Instead, they’re going to take every signal they receive and rebroadcast it out to the same frequency band for every other device to listen to. By default, wireless network cards are programed to ignore any signals that aren’t addressed to them, so, if they see a MAC address that isn’t theirs, they’re not going to accept it, but they see one that is theirs, they’re going to accept it and respond to that signal, because it was addressed to them. Now, as a penetration tester though, we can turn on our network card into what’s called promiscuous mode. Now, promiscuous mode allows us to listen and capture any data being sent to any client on that wireless network. To be technical here, promiscuous mode is actually a type of computer networking operational mode, in which all network data packets can be accessed and viewed by all network adapters operating in this mode. Simply put, if we put our card in promiscuous mode, we can monitor or sniff network traffic on that wireless network and conduct eavesdropping. If the network is an open network, the data being sent and received is being sent and received in plain text with no encryption.

This means we can simply read it, but if you’re your using WEP, WPA, WPA2, or WPA3, the data is going to be encrypted. That doesn’t mean we still can’t capture it, it just means we’re not going to be able to read it unless we can first decrypt that data by getting the pre-shared key or brute-forcing the encryption scheme. Now, even if a network is encrypted by default, there’s still a lot of good information that we can gather by doing eavesdropping on that network. This includes the identification of different network client MAC addresses, identifying the type of encryption in use, and identifying any client devices on the network, such as printers and other IOT devices. This may be places that we want to think about attacking as part of a future attack, because those devices tend to be less secure. Second, we have deauthentication. Now, a deauthentication attack, also known as a deauth attack, is used to boot a victim wireless client off of an access point, so it’s forced to reauthenticate.

A deauth attack is usually used, so that the penetration tester or the attacker can eavesdrop and capture the reauthentication handshake that occurs between the deauth victim and the access point itself. To conduct a deauth attack, the penetration tester simply needs to send out a management frame to the access point while spoofing the MAC address of the victim they want to have kicked off, and that way, the access point terminates the connection. This is a way to exploit the normal process that occurs when a client wants to leave a given wireless network. By conducting a deauth attack and capturing the reauthentication handshake, you can then attempt to brute-force the pre-shared key that was captured as part of that four-way handshake that was happening with the wireless network. If you can crack the key because a weak password was being used, you can then gain access to the entire wireless network. Deauthentication attacks are most commonly used in conjunction with other attacks, such as trying to capture and crack the handshake like I just mentioned, disconnecting a client from a trusted access point, so you can attempt to get them to reconnect to an evil twin, or to conduct a replay attack by capturing and rebroadcasting the four-way handshake that was used in the authentication. A deauthentication attack can also be used to simply conduct a denial-of-service for a single victimized client as well by continually kicking them off the access point by sending a new deauthentication frame every few seconds.

The most commonly used tool for conducting a deauthentication attack is known as Aireplay-ng, and it’s part of the Aircrack-ng toolset. I’m going to demonstrate how to conduct a basic deauthentication attack in a separate video using these tools. Third, we have jamming. Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as a target access point. That way, any signals that the wireless transceiver attempts to send or receive are going to be blocked. Jamming can be conducted using dedicated hardware jammers that simply send out garbage network traffic over the same frequencies that are used by wireless networks, or you can use a more targeted approach. Either way, though, the goal here is the same, to trigger a denial-of-service attack against a given access point or an entire spectrum of frequencies used by other wireless networks in order to disrupt the flow of communication. A quick sidenote here, jamming is considered illegal in many places around the world, so you need to check your engagement scope and the legal restrictions that are in your location before you conduct jamming as part of an engagement. Now, if you are going to conduct jamming against a specific access point, you can use scripts and software tools to focus your exploitation. For example, there’s a Python script known as The Wi-Fi Jammer, and it’s capable of jamming or disrupting the signals of all wireless access points in a given area, or you could be more targeted in your attacks to only affect certain wireless networks or certain wireless clients during a jamming attack using the Wi-Fi jammer script.

77. WEP Hacking (OBJ 3.2)

In this lesson, I’m going to demonstrate how you can brute-force a WEP protected network by exploiting the vulnerability that exists due to a weak initialization vector that’s used in the WEP encryption protocol. Remember, WEP is extremely insecure, because it only uses a 24-bit initialization vector or IV. This is used to create pseudorandomness inside the encryption scheme, but again, because it’s only 24 bits, it’s very weak. So regardless of what pre-shared key you’re going to assign to this network, this attack is going to work every single time, because we’re able to exploit the algorithm behind WEP in order to gain a copy of the pre-shared key that a system administrator enters. So in this attack, I’m going to take you through the steps needed to break WEP. First, we need to monitor the area to detect which WEP enabled networks are in range. Second, we’re going to capture all the network traffic and put it in a PCAP file so we can conduct our cracking of the network traffic offline. Third, we’re going to use a de-authentication attack or fake authentication attack to generate numerous handshakes that we can then capture. And fourth, we’re going to conduct the cracking of the encryption by exploiting the vulnerabilities in the 24-bit initialization vector in order to get a copy of that pre-shared key in plain text.

This entire process is only going to take me about three minutes, and this is the reason that you should never ever use WEP to protect your networks as a network defender. If you ever find a WEP enabled access point in an organization, you should immediately recommend that they remove it or upgrade it to a WPA2 or WPA3 enabled access point instead. Now for the exam, you’re not expected to know how to conduct this or any other wireless network attack. So don’t try to memorize all the commands as I’m typing them here. Instead, you should know what each part of the Aircrack-ng toolset is going to be used for. For example, Airomon-ng is used to monitor the wireless frequencies, and identify the clients and access points. Airodump-ng is going to be used to capture network traffic and save it to a PCAP file. And Airocrack-ng is going to be used to conduct the brute-force exploitation of the WEP encryption scheme. All right, let’s jump into my lab environment, and start going through the steps. So the first thing we’re going to do is we’re going to start with airodump-ng, and then the card that we have, which is wlan0mon. And notice it’s starting to scan for that particular network that we’re looking for.

In our case, we already found it, it is wireless hacking, this WEP network right here. And this is the BSSID or the MAC address for that network. So for us to attack it, we are going to use airodump-ng again. And in this case, we are going to specifically tell it which channel we want to go after, which is channel one right here from the wireless hacking network. We want to go after the BSSID that was provided for that network. And we want to go ahead and write that data to a file, which is going to be WirelessHackingDump, is what we’re going to call that file. And then we’re going to give it the card itself, which is wlan0mon, and hit Enter, and off it goes starting to scan the network, which is helpful. But we’re not quite there yet. Notice the data packets are climbing, but we haven’t yet associate ourself to that network to be able to start doing things like packet injection and capturing those initialization vectors. So I’m going to go ahead and put this up here to make some extra room, and we’ll just bring that right across the top and let it continue to run. We’re going to open up a new terminal, and I’m going to bring that down here to the bottom.

Now, in the new terminal, what I need to do is I need to start doing a authentication to the network using fake authentication, which is our first step in the hack. So that first step in the hack is that we are going to do a program called Aireplay. And in aireplay-ng, we are going to use fakeauth as our command, zero for infinite attempts, a and the MAC address that we are going after, which again we still have pasted right there. And then we’re going to use the MAC address that we are coming from, which we have to find ourself. So we are going open up another terminal, you can see how you start getting quite a few terminals, and just type in something like ifconfig. When you do that, you’re going to get the MAC address for wlan0mon, and the first 12 digits here is that MAC address for our network card. So I’m just going to copy that, and then we can paste that in. Now this uses dashes, but for this particular command you have to use colons. So I’m going to arrow through and change those to colons, as you can see. And the command’s not done yet, ’cause what’s the one thing we haven’t told it? We haven’t told it which card to use. So we have to use wlan0mon.

And then we will hit Enter. And off it goes, sending a authentication. We now have an authentication made with this network. So we can move into the second phase of our attack, which is going to be the packet injection. So for the packet injection, we are going to still use the Aireplay command, and most of it is going to be the same, So what I’m going to do instead of typing it all is hit Up Arrow, which will bring back the last command I used. The big differences here is we are not going to use fake authentication anymore. Instead we want to use an arpreplay so that we can create additional traffic on this network. Instead of a for the access point, we’re going to use b for the access point, which tells that that’s the base station. We’re still going to use the card that we’re coming from and the network card wlan0mon. When we hit Enter, off it goes, and notice that we have a couple of ARP packets here, and our data is going to going up. We have a lot of frame loss. Once you have a couple of ARP requests that have been successful, you can hit Ctr + C and stop that.

Now with this attack, it does help if this is a busy network. Right now as we’re doing this, you can see the data packets are going up. The reason those data packets are going up is because I’m streaming YouTube on the device, this base station here, which this client, which is my iPhone is talking to this access point and streaming YouTube, which is collecting a lot of data. Now the next thing you want to do is start cracking. In every 5,000 data packets that go up, it will start trying to do another attempt. And it’s really easy, you just use aircrack-ng, and then the file name of what you’re going to be using. So let me clear the screen here. And the file that I’m going to be using is WirelessHackingDump-02.cap. And the reason it’s the second one is because I’ve run this attempt once before showing you. So all we’re going to use is aircrack-ng and then the filename that you’re going after, and hit Enter.

And off it goes starting to crack away. Right now, it already has 14,000 initialization vectors collected, and you can see that here from the data, but that wasn’t enough. So when this hits 15,000, you’re going to see this kickoff again without me doing anything, and we’ll see if we can crack that key. So here it goes again. It’s going off and testing the different keys, and it didn’t find it. So it’ll try again at 20,000. Generally it’s going to find it somewhere between 10,000 and 25,000. It really depends on where that particular key is inside the key space, depending on what that hexadecimal password was that we used. So again, you can see the data packets climbing up as I’m streaming different YouTube videos. Every time I start another video it starts downloading all that data. All those frames have an initialization vector in there, and they’re able to be captured so that we can start seeing that information. So now we have over 20,000, it’s going to try again, and there it is. It found our key, 17:25:83:AE:FA. So we now have a key, what are we going to do with it? Well, the next thing we want to do is we want to see if that key actually works, and be able to get onto a network.

We can do that through Kali, or we can do it through your Windows machine or your Mac machine, it depends on what your ultimate goal is. For this example, I’m going to show you how to use it inside your Macintosh machine. You can do the same thing in Windows, and again in Kali. So if we can cancel this capturing at this point, so we’ll hit Ctrl + C. And we’re going to switch back to our client machine, in my case, Macintosh. So now that we’re back on our Windows or our Macintosh machine, you’ll connect to that wireless network just like you normally do. So we’re going to go down to wireless hacking, and it’s going to ask us for the passcode. My passcode that we just cracked was 17:25:83:AE:FA. And, if I go ahead and join, we should see if I can pull an IP address from this network. And if we look at it, you can see here we did pull an IP address from this network, and we are connected to that access point starting with c8:a7, that BSSID, which is the one for wireless hacking. So our hack did work and it was successful.

• Category: Uncategorized