CompTIA Pentest+ PT0-002 – Section 9: Wireless Attacks Part 1
73. Wireless Attacks (OBJ 3.2)
In this section of the course, we’re going to discuss wireless attacks. Now, as we move into this section, we’re going to continue to cover our exploration of the various attacks and exploits that we’re going to be able to use during the third stage of our engagement. As we move through this section, we’re going to be focused on attacking all things wireless, which includes Wi-Fi networks, of course, but also Bluetooth, RFID, and near-field communication devices. This section of the course will contain everything you need to know about wireless attack vectors and exploits to fully cover Objective 3.2 for the exam. This objective states, “Given a scenario, you must research attack vectors and perform wireless attacks.” These days, it seems wireless networks and devices are everywhere, from our laptops to our tablets to our smartphones to our smart watches. Even some vehicles and appliances are relying on wireless networks too for their communication needs.
Due to this widespread adoption of wireless networks over the past 20 years, it has really expanded most organizations’ networks drastically beyond what they were, and this leads to a larger attack surface for us to exploit as a penetration tester. Now, because the wireless network signals are simply traveling through the air and they carry all the organization’s sensitive data, that data is now put at risk for modification, loss, or corruption when those wireless networks are exploited by an attacker. So in this section, we’re going to start out by quickly reviewing the different types of wireless security that are used by organizations to try and prevent an attacker from exploiting their network. This includes things like encryption, MAC filtering, and the use of extensible authentication protocols. Next, we’re going to move into the different ways that a penetration tester is able to conduct signal exploitation to eavesdrop on a wireless signal, deauthenticate legitimate users from a network, and even jam a wireless signal to create a denial of service condition. After that, we’re going to move into wireless password attacks that are used to gain access.
74. Wireless Security (OBJ 3.2)
In this lesson, we’re going to do a quick review of wireless encryption types that you learned back in your Network Plus and Security Plus studies. The reason for this is because encryption of your data being transmitted is going to be paramount to increasing the security of your clients’ wireless networks. Also, if you don’t understand how wireless networks are secured, it’s going to be pretty difficult for you to bypass that security during your wireless assessments and penetration tests. Now, most wireless encryption schemes, like WEP, WPA, and WPA2, rely on a pre-shared key. A pre-shared key is going to be used when the access point and the client need to use the same encryption key to encrypt and decrypt the data. The problem with this is scalability becomes really difficult. Think about it like this. You have a friend come over to your house and they want to use your wireless network. What do you have to do? Well, you have to tell ’em your password. Now, if you had 50 friends come over, you’re going to have to tell 50 different people that same password. Now, all 50 of them are going to know your password and just getting it to all 50 of them is a real big challenge too. So, this is one of the first problems we have when we deal with wireless encryption, if you’re going to be using a pre-shared key. Because that key has to be kept secure in order to keep the network secure as well. If you’re distributing that key to 50 people though, that key is not really secret anymore. So, let’s cover some basics of wireless security to see how it’s going to be used to protect a network, and so we can start getting some ideas of how we can break those different security measures as we move into our penetration testing. First, let’s talk about encryption. There are four types of encryption that are commonly used to secure wireless networks. These are WEP, WPA, WPA2, and WPA3. Now, first, we have WEP. 
WEP stands for Wired Equivalent Privacy, and it was developed in the first original 802.11 wireless security standard.
It was known as Wired Equivalent Privacy because it claimed to be just as secure as a wired network. Now, that is definitely not true, and I’m going to prove that to you later on in another video, as I show you how quickly we can brute-force WEP using a common open-source tool like Aircrack-ng. Usually, it takes me less than three minutes to crack a WEP network. So, as you can guess, it isn’t very secure, and it’s not equivalent to the security of a wired network. Now, WEP was designed to use a static 40-bit pre-shared encryption key with the Rivest Cipher Version Four, or RC4, encryption cipher. But later it was upgraded to a 64-bit encryption key. Even later still, they then upgraded it to a 128-bit encryption key that should have made it more secure, but it didn’t. The reason for this is that the weakness isn’t the encryption key, but instead it’s a 24-bit initialization vector, known as an IV, that’s used in WEP to create pseudo-randomness in the encryption itself to secure that connection. Now, the initialization vector is sent in the clear, which means it’s sent in a non-encrypted plain text format going from the client to the access point and back during this session establishment. And this makes WEP extremely insecure, because that encryption key can be broken and reverted back to plain text using the IV that was sent in plain text and some advanced mathematical number crunching.
Luckily for us, tools like Aircrack-ng can do all that number crunching for us. So, we can crack just about any WEP network out there using brute-force techniques in less than five minutes, because of that 24-bit initialization vector being the vulnerability and having that weakness that we can exploit. So, to replace the weakened WEP, the industry created the Wi-Fi Protected Access standard, also known as WPA. Now, WPA replaced the weak initialization vector that was used by WEP with something known as the Temporal Key Integrity Protocol, or TKIP, T-K-I-P. This is essentially a 48-bit initialization vector instead of the 24-bit initialization vector that was used by WEP. To secure the data in transit, WPA also uses the Rivest Cipher Four, or RC4, just like WEP does, but it adds a message integrity check known as MIC, M-I-C, to be able to provide integrity for the data while it’s in transit. All of these changes did make the data much more secure when you’re using WPA over using WEP, and for a long time, it was considered secure. But as time goes on, attackers find ways to exploit things. And so security experts released a newer version known as WPA2 to overcome the then exploited WPA. Now, the Wi-Fi Protected Access Version Two encryption was introduced as part of the 802.11i standard to be able to provide stronger encryption and better integrity. Instead of using MIC for integrity checking, WPA2 is going to use CCMP, which is the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, used in combination with the Advanced Encryption Standard, known as AES. The Advanced Encryption Standard uses a 128-bit encryption key or higher, and WPA2 can be operated in either personal mode, using a pre-shared key, or enterprise mode, using a centralized authentication service such as a RADIUS server or other centralized server to handle the password distribution, or digital certificate-based authentication if you’re using 802.1X with EAP. 
For many years, WPA2 was considered very secure, and to this day, it’s still considered to have an acceptable level of security. But as with everything, there is a newer version just around the corner.
These days, the latest version is WPA3, which is Wi-Fi Protected Access Version Three. In WPA3, there are some major changes to wireless security. WPA3 was introduced back in 2018, and was designed to strengthen the flaws and weaknesses that could be exploited inside of WPA2. Like WPA2, WPA3 can be operated in either enterprise mode or personal mode. WPA3 first increases the equivalent cryptographic strength of its ciphers to a minimum of 192 bits when used in enterprise mode, which provides stronger protection than WPA2 does. WPA3 enterprise mode also provides additional security with up to a 256-bit AES encryption key and the use of SHA-384 for hashing and integrity checking of the data. If you’re operating in personal mode, WPA3 uses AES with CCMP-128. This means it’s using a 128-bit key with the AES encryption algorithm and using the same CCMP from WPA2 for its integrity checking. Now, this is the minimum encryption standard that’s required for secure connectivity within personal mode. But there are options to go to higher levels of security in personal mode depending on the access point that’s in use by the targeted organization. Now, in addition to increasing the cryptography a little bit by increasing those key sizes, there was one really big improvement in WPA3, and that is the removal of those pre-shared keys and the associated weaknesses of them. Remember, WEP, WPA, and WPA2 all used a pre-shared key.
So, if you could guess that key or you could brute-force that key, you could then gain access to the network. As that key is getting sent from the client to the access point, there’s always going to be an opportunity for an on-path attack to occur, and have someone snoop on that connection and steal the key from the airwaves and then conduct an offline crack of that key, in order to find the plain text password associated with it. But with WPA3, that is no longer possible, because the pre-shared key exchange is no longer used to secure the network. Instead, we use a new technique known as SAE, or the Simultaneous Authentication of Equals. SAE is going to use a secure password-based authentication and a password-authenticated key agreement methodology to secure the network. By doing this, we end up with a process known as forward secrecy or perfect forward secrecy. Forward secrecy or perfect forward secrecy is a feature of a key agreement protocol, just like the one used by SAE, that provides assurances that the session keys cannot be compromised, even if the long-term secrets used during that session are compromised. Now, this is a really big deal, because even if somebody gets that long-term password that you have for your network, they could still go in and authenticate as if they were you. This forward secrecy protocol is going to prevent that from occurring. Now, forward secrecy works by going through a five-step process. The first step only happens once. This is when your access point and your client are going to use a public key system to generate a pair of long-term keys. That is the long-term key that I just mentioned that, even if that long-term key is compromised, the rest of the system still won’t be compromised.
That’s the big difference here with WPA3. The second step is that the access point and the client are going to exchange a one-time use session key, or they’re going to use some kind of secure algorithm to do that exchange. This can be something like Diffie-Hellman, or TLS. Now, what am I really talking about with this one-time use session key? Well, let’s say that you and I wanted to connect to each other, and we wanted to make sure that we talk to each other securely. Well, to do that, we would want to send some kind of an encryption key over a secure tunnel. And to do that, we need to have a shared secret that we can encrypt that tunnel with. Here in step two, the access point is going to create this one-time session key by creating a random number. Then, it’s going to send that as part of the key exchange using the long-term key from step one. And then they’re going to send that one-time session key over to the client, who can authenticate it as valid. Now that your client knows what the key is and the sender knows what that key is, we can both use that one-time session key to secure our encrypted tunnel. Next, we’re going to move into step three.
And this is where the access point starts sending client messages and encrypts them individually using the session key that we just created. So, now, we’ve created this session key in step two and we conducted the key exchange using something like Diffie-Hellman. You know what the key is, I know what the key is, and here in step three, I can now encrypt a message using that key and transmit it encrypted over to you to be able to read. In the fourth step, the client is going to receive that message, and then decrypt that message using the one-time use session key that we just talked about. Then we move into step five, which is where we repeat this process over and over again for the single messages that we’re sending each time. And every so often, we’re going to go back to step two to renegotiate a new key. So, how do we maintain forward secrecy? Well, notice I said, we’re going to go back to step two. Step two is where we create a new one-time use session key. So, we create a session key.
We encrypt the message. I send it over to you. You decrypt the message. And then we start over, and we get another one-time use session key. So, even if somebody can snoop on our session and grab that session key that I’m using right now, it’s not going to be valid for much longer, because we’re constantly updating and changing out those keys. That’s the benefit of WPA3 over its predecessors. And that’s how it maintains perfect forward secrecy. Now, I know this may seem a little confusing, because we’re talking about some encryption techniques that you may not have heard of before. Now, this concept that I just covered with the key exchange protocol and the way all of this works is actually a review from your network plus studies, and these encryption concepts are things you should be familiar with from your security plus studies.
If you skipped either of those two certifications, I recommend that you jump on Google and do a quick search for a tutorial on how Diffie-Hellman key exchanges work or how a TLS key exchange works, because both of these are very similar to the concept that’s used in the key exchange with WPA3. This is also what we’re dealing with when we talk about perfect forward secrecy. And this will help you get a better understanding of this concept and dive a little bit deeper into it. I just want to give you a quick recap here, because it may have been a while since you’ve taken your Network Plus or Security Plus.
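The five-step forward secrecy process above, as an added illustration that is not part of the course: two toy handshakes built on Python’s standard library (not WPA2 or WPA3 code), one that derives the session key from the pre-shared key plus public nonces, and one that uses a one-time Diffie-Hellman exchange authenticated by the long-term key, so you can see why a captured handshake plus the stolen long-term secret recovers the first session key but not the second. The modulus is the RFC 2409 group 2 prime; the message shapes, function names and “attacker” functions are constructed for this example.

```python
import hashlib
import hmac
import secrets

# RFC 2409 group 2: a 1024-bit MODP prime with generator 2. Enough to show
# the idea, far too small for real use.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2
PLEN = (P.bit_length() + 7) // 8  # 128 bytes

def kdf(*parts: bytes) -> bytes:
    """Stand-in key derivation: hash the concatenated inputs."""
    return hashlib.sha256(b"|".join(parts)).digest()

def psk_session(psk: bytes):
    """WPA2-personal style: session key = f(long-term PSK, two nonces that
    cross the air in the clear). Returns the key and what a sniffer records."""
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    return kdf(psk, anonce, snonce), {"anonce": anonce, "snonce": snonce}

def psk_attacker(psk: bytes, capture: dict) -> bytes:
    """Sniffer who later obtains the PSK repeats the derivation and gets the
    same session key: old traffic is exposed (no forward secrecy)."""
    return kdf(psk, capture["anonce"], capture["snonce"])

def pfs_session(long_term_key: bytes):
    """Steps 2-4 of the lesson: a fresh Diffie-Hellman exchange authenticated
    with the step-1 long-term key; the one-time private values are discarded."""
    a = secrets.randbelow(P - 2) + 1  # AP's one-time private value
    b = secrets.randbelow(P - 2) + 1  # client's one-time private value
    A = pow(G, a, P).to_bytes(PLEN, "big")  # public values sent over the air
    B = pow(G, b, P).to_bytes(PLEN, "big")
    # The long-term key only proves who sent each public value (an HMAC stands
    # in for a signature); it contributes nothing to the session key itself.
    tag_a = hmac.new(long_term_key, A, "sha256").digest()
    tag_b = hmac.new(long_term_key, B, "sha256").digest()
    for value, tag in ((A, tag_a), (B, tag_b)):  # each side checks the other
        if not hmac.compare_digest(tag, hmac.new(long_term_key, value, "sha256").digest()):
            raise ValueError("public value failed authentication")
    shared_ap = pow(int.from_bytes(B, "big"), a, P)
    shared_client = pow(int.from_bytes(A, "big"), b, P)
    assert shared_ap == shared_client
    session_key = kdf(shared_ap.to_bytes(PLEN, "big"))
    del a, b  # never stored: this is what forward secrecy rests on
    return session_key, {"A": A, "B": B, "tag_a": tag_a, "tag_b": tag_b}

def pfs_attacker(long_term_key: bytes, capture: dict) -> bytes:
    """Sniffer with the capture plus the stolen long-term key can forge tags for
    a future session, but the recording holds only g^a and g^b; hashing what it
    has is the best it can do, and that is not the session key."""
    return kdf(long_term_key, capture["A"], capture["B"])

def encrypt(session_key: bytes, counter: int, msg: bytes) -> bytes:
    """Steps 3-4: one message under the session key (hash keystream as a
    stand-in for CCMP). Decrypting is the same operation."""
    stream = b""
    while len(stream) < len(msg):
        stream += hashlib.sha256(session_key + counter.to_bytes(8, "big")
                                 + len(stream).to_bytes(4, "big")).digest()
    return bytes(m ^ s for m, s in zip(msg, stream))

def compare(secret: bytes) -> dict:
    """Run both handshakes, then hand the sniffer the long-term secret."""
    k1, cap1 = psk_session(secret)
    k2, cap2 = pfs_session(secret)
    k3, _ = pfs_session(secret)  # step 5: go back to step 2 and renegotiate
    return {
        "psk_recovered": psk_attacker(secret, cap1) == k1,  # True
        "pfs_recovered": pfs_attacker(secret, cap2) == k2,  # False
        "rekey_differs": k2 != k3,                          # True
        "roundtrip_ok": encrypt(k2, 1, encrypt(k2, 1, b"hi")) == b"hi",
    }

if __name__ == "__main__":
    print(compare(b"constructed-network-passphrase"))
```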
All right, let’s pause here for a second, and I want to give you a couple of quick exam tips. If you’re asked about Wi-Fi and they use the word open in the question, that means the question is looking for some kind of answer that says the network has no security or no encryption in use. If they mention WEP, you should immediately be identifying the weakness as an initialization vector, or IV. And that means you can conduct a brute-force attack against that pre-shared key. If they mention WPA, you should be thinking about RC4 and TKIP as the weaknesses that you can exploit. If the question mentions WPA2, you should start thinking about AES and CCMP as the weaknesses that you can identify. And now you can try to conduct a dictionary attack against that pre-shared key, or do a brute-force against a weak pre-shared key to gain access to that network.
If they mention WPA3, there are currently no known attacks against the algorithm itself, but you may see the term dragonfly, and dragonfly is associated with WPA3. Dragonfly is actually the nickname for that handshake, whose technical name is the SAE, or Simultaneous Authentication of Equals. And so, it’s really talking about how you protect WPA3. Now, there’s a couple of other things to mention in regards to wireless encryption, namely the concept of WPS. Now, this one goes back to one of my favorite sayings, which is, “If we make operations easier, then security is reduced.” And this is exactly what happened with WPS, also known as the Wi-Fi Protected Setup.
Now, Wi-Fi Protected Setup was designed to make setting up new wireless devices easier for consumers and end users. For example, if you just bought a new printer, you could quickly set up your wireless network by pushing the WPS button on the access point and another WPS button on your printer. And then, you could enter or verify a PIN, and those two devices would do an automated handshake and the printer would be able to join the network. To allow this to occur, those two devices have to pass over the secret credentials, like the password to the wireless network, from the access point to the printer, and then both devices can encrypt their communications over that wireless network. Now, this is great, but the problem is, it was executed poorly by its designers.
Now, WPS relies on an eight-digit PIN code to conduct this authentication. But the algorithm was designed to actually break those eight digits into two groups of four digits each. Now, four plus four does equal eight, but in the world of encryption four plus four does not equal eight. Instead, we just took something that would’ve been eight digits long and essentially made it four digits long. This in turn makes it a lot easier to brute-force, because instead of having eight digits to figure out, where we’d have millions of possible combinations, we now only have two four-digit chunks to figure out. And each one only has 10,000 possible combinations. Now, most computers can go through 10,000 combinations pretty darn quickly, and therefore they can brute-force the password and that PIN for that network using WPS. Later on, I’m going to demonstrate how to crack into a WPS network by brute-forcing that PIN as well. Remember, WPS is vulnerable to attack because of the weakness in the implementation of the PIN being used during the mutual authentication process.
As a network defender, you should immediately disable WPS on any devices you find. If you’re a penetration tester, though, you want to identify those devices and attack away, if it’s in the engagement scope to conduct a wireless exploitation of those devices. The final thing I want to mention in this wireless security lesson is the concept of MAC filtering. Now, some people believe that MAC filtering provides you some kind of protection, but really this is false hope. With MAC filtering implemented on a wireless access point, the network’s owner can either set it up as explicit allow or explicit deny. If they use an allow list, it’s only going to allow devices listed in the MAC filtering list to connect to that wireless network. The only problem here is that you can change the MAC address of your Kali Linux machine in about five seconds by simply entering the command macchanger -m and the MAC address that you want to use.
So, simply turn your Wi-Fi card into promiscuous mode, see what MAC addresses are already connected to a given access point, change your MAC address to one of them, and then connect. If on the other hand the wireless access point uses a block list, it becomes even easier to gain access. A block list is going to create a list of bad MAC addresses. If you’re on one of those lists, simply enter macchanger -A, and you’re going to be assigned a new random MAC address and you’ll be able to join the network immediately, because you’re no longer on the block list. As you can see, using MAC filtering as a primary security method is fairly useless, but you may still come across it in networks that you’re doing engagements on, so you need to be able to change your MAC address to circumvent them and gain access anyway.
75. Bypassing MAC Filtering (OBJ 3.2)
One of the things you may come across as you’re hacking wireless networks is a network that just will not seem to let you connect. Even though you may have the password, it’s still not letting your terminal connect to them. Now, why might that be? Well, it’s probably because they’re using something called MAC filtering. And what MAC filtering does is it actually creates a list of devices that are known to the network and allowed to connect. And if the MAC address of your network card doesn’t match one of those, you can’t get on the network even if you have the right username and password. So how do you overcome that? Do you have to steal one of their devices? Well, that’s one way to do it, but the other way is to actually change the MAC address on your card to their MAC address. And it’s really easy and quick to do.
And I’m going to show you how. So the first thing we want to do is ensure that our card is in monitoring mode. And to do that, we’re going to do iwconfig. And you’ll notice here that my card is still in monitoring mode. If yours isn’t, you’re going to have to do the shutting down of the card, reconfiguration, and then bring it back up online. Now, once you verify that it is actually up and running, you want to start scanning for networks and see what’s out there and see if there are any devices associated with an access point that we can spoof. So we’re going to use airodump-ng and then the card that we’re using, which is wlan0mon. And off it goes, starting to scan.
You can see, we have a couple of access points up here, but we don’t have the associated stations with a particular access point. So now we’ve got a couple here. And the one we’re looking at is going to be our WEP network of wireless hacking, which is this C8:A7. So once I see that down here, we’ll see if anything is associated with it. And there one just popped up. You can see that our workstation, this is my iPhone in this case, is 90:FD:61:AC. So I’m going to go ahead and cancel that. And we’re going to use that as the MAC address that we want to mimic. So I’m going to go ahead and copy that.
So how do we change our MAC address? Well, the first thing we’re going to have to do is shut down our network card. First, let’s see what our current MAC address is. So we’ll do ifconfig and you’ll see here that our MAC address is 00:C0 right up to here, those first 12 digits. So we’re going to use ifconfig and then we’re going to use the network card itself, which is wlan0mon, and then down. So now the card should be off. As you can see here, it’s no longer showing up in the ifconfig. And now we’re going to use a program called macchanger. And all we have to do for this is do macchanger -r, which gives us a random MAC address, wlan0mon. And if we do this, this is going to assign us a new random MAC address. So let’s see that. Our current one was 00:c0:ca:84:4c:28.
And now we have this new random MAC address. Well, that helps if I just want to mask who I am, but it doesn’t help in the case of me wanting to spoof myself as someone else. So instead, we’re going to have to actually change the MAC address to the one that we copied off of the iPhone to mimic that user. So how will we do that? Well, just like any command, if you’re not sure what to use, just use -h for help. So we’ll do macchanger -h and you’ll see that you can change to another MAC address by setting it to one that you want. And in this case, it is going to be -m for MAC, and it will set the MAC address. So all we have to do is do macchanger -m, paste in that MAC address for the iPhone that we copied, and then give it the wlan0mon and hit Enter. And now you’ll see that it says my new MAC address is that iPhone MAC address that we were using. So now we would be able to connect to the access point and it will think that we are that iPhone, because we have now taken over its MAC address.