![Page 1: Hands-On Ethical Hacking and Network Defense Chapter 11 Hacking Wireless Networks Last revised 10-30-08 5 pm](https://reader036.vdocument.in/reader036/viewer/2022062300/56649e5f5503460f94b59e90/html5/thumbnails/1.jpg)
Hands-On Ethical Hacking and Network Defense
Chapter 11: Hacking Wireless Networks
Last revised 10-30-08 5 pm
Objectives

- Explain wireless technology
- Describe wireless networking standards
- Describe the process of authentication
- Describe wardriving
- Describe wireless hacking and tools used by hackers and security professionals

Understanding Wireless Technology

- For a wireless network to function, you must have the right hardware and software
- Wireless technology is part of our lives
  - Baby monitors
  - Cell and cordless phones
  - Pagers
  - GPS
  - Remote controls
  - Garage door openers
  - Two-way radios
  - Wireless PDAs

Components of a Wireless Network

- A wireless network has only three basic components
  - Access Point (AP)
  - Wireless network interface card (WNIC)
  - Ethernet cable

Access Points

- An access point (AP) is a transceiver that connects to an Ethernet cable
  - It bridges the wireless network with the wired network
- Not all wireless networks connect to a wired network
- Most companies have Wireless LANs (WLANs) that connect to their wired network topology

Access Points

- The AP is where channels are configured
- An AP enables users to connect to a LAN using wireless technology
- An AP is available only within a defined area

Service Set Identifiers (SSIDs)

- Name used to identify the wireless local area network (WLAN)
- The SSID is configured on the AP
  - Unique 1- to 32-character alphanumeric name
  - Name is case sensitive
- Wireless computers need to configure the SSID before connecting to a wireless network

Service Set Identifiers (SSIDs)

- SSID is transmitted with each packet
  - Identifies which network the packet belongs to
- The AP usually broadcasts the SSID

Service Set Identifiers (SSIDs)

- Many vendors have SSIDs set to a default value that companies never change
- An AP can be configured to not broadcast its SSID until after authentication
  - Wireless hackers can attempt to guess the SSID
- Verify that your clients or customers are not using a default SSID

See links Ch 11a, b

Configuring an Access Point

- Configuring an AP varies depending on the hardware
- Most devices allow access through any Web browser
  - Enter the AP's IP address in your Web browser and provide your user logon name and password

Wireless Router

- A wireless router includes an access point, a router, and a switch

Demo: Configuring an Access Point

- Wireless Configuration Options
  - SSID
  - Wired Equivalent Privacy (WEP) encryption
- Changing Admin Password

Configuring an Access Point

- Wireless Configuration Options
  - SSID
  - Wired Equivalent Privacy (WEP) encryption
  - WPA (Wi-Fi Protected Access) is better

Configuring an Access Point (continued)

- Steps for configuring a D-Link wireless router (continued)
  - Turn off SSID broadcast
  - You should also change your SSID

Wireless NICs

- For wireless technology to work, each node or computer must have a wireless NIC
- NIC’s main function
  - Converting the radio waves it receives into digital signals the computer understands

Wireless NICs

- There are many wireless NICs on the market
  - Choose yours depending on how you plan to use it
  - Some tools require certain specific brands of NICs

Understanding Wireless Network Standards

- A standard is a set of rules formulated by an organization
- Institute of Electrical and Electronics Engineers (IEEE)
  - Defines several standards for wireless networks

IEEE: CCSF Student Chapter

- Next meeting: Thurs, Nov 6, 2008 in Sci 37, 5:00 pm
- Email [email protected] (ccsf.edu) for more info

IEEE Standards

- Standards pass through these groups:
  - Working group (WG)
  - Sponsor Executive Committee (SEC)
  - Standards Review Committee (RevCom)
  - IEEE Standards Board
- IEEE Project 802
  - LAN and WAN standards

The 802.11 Standard

- The first wireless technology standard
- Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
- Applied to layers 1 and 2 of the OSI model
- Wireless networks cannot detect collisions
  - Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD

Addressing

- Wireless LANs do not have an address associated with a physical location
- An addressable unit is called a station (STA)

The Basic Architecture of 802.11

- 802.11 uses a basic service set (BSS) as its building block
- Computers within a BSS can communicate with each other

The Basic Architecture of 802.11

- To connect two BSSs, 802.11 requires a distribution system (DS)

Frequency Range

- In the United States, Wi-Fi uses frequencies near 2.4 GHz
  - Except 802.11a at 5 GHz
- There are 11 channels, but they overlap, so only three are commonly used
- See link Ch 11c (cisco.com)

Infrared (IR)

- Infrared light can’t be seen by the human eye
- IR technology is restricted to a single room or line of sight
- IR light cannot penetrate walls, ceilings, or floors

Image: IR transmitter for wireless headphones

IEEE Additional 802.11 Projects

- 802.11a
  - Created in 1999
  - Operating frequency 5 GHz
  - Throughput 54 Mbps

IEEE Additional 802.11 Projects (continued)

- 802.11b
  - Operates in the 2.4 GHz range
  - Throughput 11 Mbps
  - Also referred to as Wi-Fi (wireless fidelity)
  - Allows for 11 channels to prevent overlapping signals
  - Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
  - Introduced Wired Equivalent Privacy (WEP)

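As an added worked example (editor's code, not from the lecture or the Cisco link) of why channels 1, 6 and 11 are the only three that can be combined without overlap: it assumes the 802.11b channel plan, with channel n centred at 2412 + 5*(n-1) MHz and each direct-sequence channel 22 MHz wide.

```python
# Added example: which 2.4 GHz channels overlap in the US 11-channel plan.
# Assumption: 802.11b channel plan, channel n centred at 2412 + 5*(n-1) MHz,
# each channel occupying 22 MHz (11 MHz either side of its centre).
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
US_CHANNELS = range(1, 12)  # channels 1..11


def center_mhz(channel: int) -> int:
    """Centre frequency in MHz; 2.4 GHz channels are spaced 5 MHz apart."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be 1..13")
    return 2412 + 5 * (channel - 1)


def overlaps(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_channels(channel: int) -> list:
    """All other US channels whose signal would collide with `channel`."""
    return [c for c in US_CHANNELS if c != channel and overlaps(channel, c)]


def non_overlapping_sets(size: int) -> list:
    """Every combination of `size` US channels in which no pair overlaps."""
    good = []
    for combo in combinations(US_CHANNELS, size):
        if not any(overlaps(a, b) for a, b in combinations(combo, 2)):
            good.append(list(combo))
    return good


if __name__ == "__main__":
    print("channel 1 collides with:", overlapping_channels(1))
    print("non-overlapping triples:", non_overlapping_sets(3))
    print("non-overlapping quadruples:", non_overlapping_sets(4))
```

Channels must be at least five apart (25 MHz) to clear the 22 MHz width, and within 1..11 only the triple 1, 6, 11 satisfies that.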
IEEE Additional 802.11 Projects (continued)

- 802.11e
  - It has improvements to address the problem of interference
  - When interference is detected, signals can jump to another frequency more quickly
- 802.11g
  - Operates in the 2.4 GHz range
  - Throughput increased from 11 Mbps to 54 Mbps

IEEE Additional 802.11 Projects (continued)

- 802.11i
  - Introduced Wi-Fi Protected Access (WPA)
  - Corrected many of the security vulnerabilities of 802.11b
- 802.11n (draft)
  - Will be finalized in Dec 2009
  - Speeds up to 300 Mbps
  - Aerohive AP runs at 264 Mbps now
- Links Ch 11zc, Ch 11zd

IEEE Additional 802.11 Projects (continued)

- 802.15
  - Addresses networking devices within one person’s workspace
  - Called wireless personal area network (WPAN)
  - Bluetooth is one of six 802.15 standards

Image from ubergizmo.com

IEEE Additional 802.11 Projects (continued)

- Bluetooth
  - Defines a method for interconnecting portable devices without wires
  - Maximum distance allowed is 10 meters
  - It uses the 2.45 GHz frequency band
  - Throughput of up to 2.1 Mbps for Bluetooth 2.0
  - Note: the speed value of 12 Mbps in your book and the lecture notes is wrong
- Link Ch 11zg

IEEE Additional 802.11 Projects (continued)

- 802.16 (also called WiMAX)
  - Addresses the issue of wireless metropolitan area networks (MANs)
  - Defines the WirelessMAN Air Interface
  - Range of up to 30 miles
  - Throughput of up to 120 Mbps
- 802.20
  - Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour

IEEE Additional 802.11 Projects (continued)

- Bluetooth
  - Defines a method for interconnecting portable devices without wires
  - Maximum distance allowed is 10 meters
  - It uses the 2.45 GHz frequency band
  - Throughput of up to 12 Mbps
- HiperLAN2
  - European WLAN standard
  - It is not compatible with 802.11 standards

2.1 Mbps
Understanding Authentication

- Wireless technology brings new security risks to a network
- Authentication
  - Establishing that a user is authentic—authorized to use the network
  - If authentication fails, anyone in radio range can use your network

The 802.1X Standard

- Defines the process of authenticating and authorizing users on a WLAN
- Basic concepts
  - Point-to-Point Protocol (PPP)
  - Extensible Authentication Protocol (EAP)
  - Wired Equivalent Privacy (WEP)
  - Wi-Fi Protected Access (WPA)

Point-to-Point Protocol (PPP)

- Many ISPs use PPP to connect dial-up or DSL users
- PPP handles authentication with a user name and password, sent with PAP or CHAP
  - PAP (Password Authentication Protocol) sends passwords unencrypted
  - Vulnerable to trivial sniffing attacks
- See link Ch 11f

CHAP Vulnerability

- CHAP (Challenge-Handshake Authentication Protocol)
  - Server sends a Challenge with a random value
  - Client sends a Response, hashing the random value with the secret password
- This is still vulnerable to a sort of session hijacking attack (see links Ch 11e)

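The Challenge/Response exchange above, as an added example (editor's code following RFC 1994, not from the lecture or the linked material): the Response is MD5 over the packet identifier, the shared secret and the Challenge, and the server treats every Challenge as single-use. The user names, secrets and server class are constructed for illustration.

```python
# Added example: the CHAP exchange of RFC 1994, where the client's Response is
# MD5(identifier || shared secret || Challenge). Credentials are constructed.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash the random Challenge together with the secret password."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. CHAP never sends the password over the link, but the
    server must hold each user's secret in recoverable form to recompute the hash."""

    def __init__(self, user_secrets: dict):
        self._secrets = dict(user_secrets)
        self._pending = {}      # identifier -> (username, challenge)
        self._next_id = 1

    def challenge(self, username: str) -> tuple:
        """Issue a fresh, unpredictable Challenge; returns (identifier, challenge)."""
        identifier = self._next_id & 0xFF
        self._next_id += 1
        ch = os.urandom(16)
        self._pending[identifier] = (username, ch)
        return identifier, ch

    def verify(self, identifier: int, response: bytes) -> bool:
        """Check a Response. The Challenge is consumed here, so a Response
        captured off the wire and replayed later matches nothing."""
        entry = self._pending.pop(identifier, None)
        if entry is None:
            return False
        username, ch = entry
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, ch)
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapServer, username: str, client_secret: bytes) -> bool:
    """Full three-step exchange: Challenge -> Response -> Success/Failure."""
    identifier, ch = server.challenge(username)
    resp = chap_response(identifier, client_secret, ch)
    return server.verify(identifier, resp)


if __name__ == "__main__":
    srv = ChapServer({"alice": b"correct horse"})   # constructed credentials
    print("right password:", run_exchange(srv, "alice", b"correct horse"))
    print("wrong password:", run_exchange(srv, "alice", b"guess"))
```

CHAP protects the password during the handshake only; nothing binds the traffic that follows to that authentication, which is the gap the slide's session-hijacking note points at.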
Extensible Authentication Protocol (EAP)

- EAP is an enhancement to PPP
- Allows a company to select its authentication method
  - Certificates
  - Kerberos
- Kerberos is used on LANs for authentication
  - Uses Tickets and Keys
  - Used by Windows 2000, XP, and 2003 Server by default
  - Not common on WLANs (I think)

X.509 Certificate

- Record that authenticates network entities
- Identifies
  - The owner
  - The certificate authority (CA)
  - The owner’s public key
- See link Ch 11j

Sample X.509 Certificate

- Go to gmail.com
- Double-click the padlock

Public Key

- Your browser uses the Public Key to encrypt data so only Gmail can read it

LEAP

- Lightweight Extensible Authentication Protocol (LEAP)
  - A Cisco product
  - Vulnerable, but Cisco didn’t care
  - Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol
- See link Ch 11g

More Secure EAP Methods

- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
  - Secure but rarely used, because both client and server need certificates signed by a CA
- Protected EAP (PEAP) and Microsoft PEAP
  - Very secure, only requires server to have a certificate signed by a CA
- See link Ch 11h

802.1X components

- Supplicant
  - The user accessing a WLAN
- Authenticator
  - The AP
- Authentication server
  - Checks an account database to see if user’s credentials are acceptable
  - May use RADIUS (Remote Access Dial-In User Service)
- See link Ch 11k

Wired Equivalent Privacy (WEP)

- Part of the 802.11b standard
- Encrypts data on a wireless network
- WEP has many vulnerabilities
- To crack WEP, see links Ch 11l, 11m

Wi-Fi Protected Access (WPA)

- Specified in the 802.11i standard
- Replaces WEP
- WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)

TKIP Enhancements

- Message Integrity Check (MIC)
  - Prevents an attacker from injecting forged packets
- Extended Initialization Vector (IV) with sequencing rules
  - Prevents replays (attacker re-sending copied packets)

TKIP Enhancements

- Per-packet key mixing
  - MAC addresses are used to create a key
  - Each link uses a different key
- Rekeying mechanism
  - Provides fresh keys
  - Prevents attackers from reusing old keys

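The two TKIP slides above describe receiver-side checks; the following added example (editor's own code, not from the lecture or any WPA implementation) runs that logic over constructed frames: a per-link key derived from the MAC addresses, a MIC that rejects forged frames, a strictly increasing sequence counter that rejects replays, and rekeying that invalidates old keys. As labelled assumptions, HMAC-SHA256 stands in for TKIP's Michael MIC and a SHA-256 hash for its key-mixing function, and the RC4 encryption step is omitted.

```python
# Added example: TKIP-style replay and forgery checks at the receiver.
# Assumptions: HMAC-SHA256 replaces the Michael MIC, SHA-256 replaces the
# TKIP key-mixing function, and encryption is left out entirely.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    sender: str      # transmitter MAC address
    tsc: int         # 48-bit sequence counter carried in the extended IV
    payload: bytes
    mic: bytes


def link_key(temporal_key: bytes, sender: str, receiver: str) -> bytes:
    """Key mixing: bind the temporal key to both MAC addresses so that
    each link ends up with a different key (simplified, see assumptions)."""
    return hashlib.sha256(temporal_key + sender.encode() + receiver.encode()).digest()


def compute_mic(key: bytes, sender: str, tsc: int, payload: bytes) -> bytes:
    """MIC over the sender address, the sequence counter and the payload."""
    msg = sender.encode() + tsc.to_bytes(6, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def build_frame(key: bytes, sender: str, tsc: int, payload: bytes) -> Frame:
    return Frame(sender, tsc, payload, compute_mic(key, sender, tsc, payload))


class Receiver:
    def __init__(self, temporal_key: bytes, own_mac: str):
        self.temporal_key = temporal_key
        self.own_mac = own_mac
        self.last_tsc = {}     # sender MAC -> highest TSC accepted so far
        self.log = []          # one verdict line per frame, for inspection

    def rekey(self, new_temporal_key: bytes):
        """Rekeying: install a fresh temporal key; counters restart with it."""
        self.temporal_key = new_temporal_key
        self.last_tsc.clear()

    def accept(self, frame: Frame) -> bool:
        key = link_key(self.temporal_key, frame.sender, self.own_mac)
        expected = compute_mic(key, frame.sender, frame.tsc, frame.payload)
        # Check the MIC first so that a forged frame can never move the counter.
        if not hmac.compare_digest(expected, frame.mic):
            self.log.append(f"drop tsc={frame.tsc}: MIC failure (forged or modified)")
            return False
        # Sequencing rule: the counter must strictly increase per transmitter.
        if frame.tsc <= self.last_tsc.get(frame.sender, -1):
            self.log.append(f"drop tsc={frame.tsc}: replay (last={self.last_tsc[frame.sender]})")
            return False
        self.last_tsc[frame.sender] = frame.tsc
        self.log.append(f"accept tsc={frame.tsc}")
        return True


def demo() -> list:
    """Constructed scenario: two good frames, a replayed copy of the first,
    a forgery without the key, then a legitimate frame with the next counter."""
    tk = b"\x11" * 16                              # constructed temporal key
    ap, sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    rx = Receiver(tk, sta)
    key = link_key(tk, ap, sta)
    f1 = build_frame(key, ap, 1, b"hello")
    f2 = build_frame(key, ap, 2, b"world")
    forged = Frame(ap, 3, b"evil", b"\x00" * 8)    # attacker lacks the key
    f3 = build_frame(key, ap, 3, b"again")
    results = [rx.accept(f) for f in (f1, f2, f1, forged, f3)]
    for line in rx.log:
        print(line)
    return results


if __name__ == "__main__":
    demo()
```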
WPA Adds 802.1X

- WPA also adds an authentication mechanism implementing 802.1X and EAP
- This was not available in WEP

54
Understanding Wardriving
Hackers use wardriving
  Finding insecure access points
  Using a laptop or palmtop computer
Wardriving itself (passively listening for access points) is generally not illegal, though laws vary by jurisdiction
  But connecting to these networks and using their resources without authorization is illegal
Warflying
  Variant where an airplane is used instead of a car
55
How It Works
An attacker or security tester simply drives around with the following equipment
  Laptop computer
  Wireless NIC
  An antenna
  Software that scans the area for SSIDs
Not all wireless NICs are compatible with scanning programs (passive scanners need a chipset and driver that support monitor mode)
Antenna prices vary depending on the quality and the range they can cover
56
How It Works (continued)
Scanning software can identify
  The company's SSID
  The type of security enabled (open, WEP, WPA or WPA2, read from the beacon's capability bits and security information elements)
  The signal strength
    Indicating how close the AP is to the attacker
57
Demo: VistaStumbler
Link Ch 11ze
58
NetStumbler
Free tool written for Windows that enables you to detect WLANs
  Supports 802.11a, 802.11b, and 802.11g standards
  Active scanner: it sends probe requests, so it can be detected and does not see APs that suppress their SSID; it is no longer maintained
NetStumbler was primarily designed to
  Verify your WLAN configuration
  Detect other wireless networks
  Detect unauthorized APs
59
NetStumbler
NetStumbler is capable of interfacing with a GPS
  Enabling a security tester or hacker to map out the locations of all the WLANs the software detects
60
NetStumbler
NetStumbler logs the following information
  SSID
  MAC address and manufacturer of the AP (the manufacturer is looked up from the OUI, the first three bytes of the MAC address)
  Channel
  Signal strength
  Encryption
Can detect APs within a 350-foot radius
  With a good antenna, they can locate APs a couple of miles away
63
Kismet
Another product for conducting wardriving attacks
Runs on Linux, BSD, Mac OS X, and Linux PDAs
Kismet is also advertised as a sniffer and IDS
  Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
  Unlike NetStumbler it is passive (monitor mode, no probe requests), so it is hard to detect and sees networks that hide their SSID
64
Kismet features
Ethereal- (now Wireshark) and Tcpdump-compatible data logging (pcap format)
AirSnort compatible
Network IP range detection
65
Kismet features (continued)
Hidden network SSID detection (the SSID is blanked in the beacon but appears in clients' probe and association frames)
Graphical mapping of networks
Client-server architecture
Manufacturer and model identification of APs and clients
Detection of known default access point configurations
XML output
Supports 20 card types
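What the scanners on slides 56, 60 and 65 actually extract from the air, as an added example (not code from the deck or from NetStumbler or Kismet): a parser for raw 802.11 beacon frames that pulls the BSSID, SSID, channel and security type from the capability bits and information elements, flags a hidden (zero-length or all-null) SSID the way Kismet does, and distinguishes WPA2-PSK from WPA2-Enterprise by the RSN IE's AKM suite. Signal strength lives in the driver's radiotap header rather than in the frame, and the OUI-to-manufacturer table is omitted, so neither is shown. The sample frames are constructed with the builder at the bottom; the BSSIDs and SSIDs are made up.

```python
"""Classify 802.11 beacon frames the way a wardriving scanner does. Constructed frames."""
import struct

MGMT_HDR_LEN = 24        # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12    # timestamp(8) + beacon interval(2) + capability(2)
CAP_PRIVACY = 0x0010     # capability bit 4: WEP or WPA/WPA2 data protection is on
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # vendor IE carrying pre-802.11i WPA parameters
AKM_8021X = b"\x00\x0f\xac\x01"      # RSN AKM suite: 802.1X/EAP (WPA2-Enterprise)
AKM_PSK = b"\x00\x0f\xac\x02"        # RSN AKM suite: pre-shared key (WPA2-Personal)


def parse_ies(body: bytes):
    """Yield (tag, value) for each information element; stop at a truncated one."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:      # truncated frame: do not trust a partial IE
            break
        yield tag, value
        i += 2 + length


def rsn_akms(rsn: bytes) -> list:
    """AKM suite selectors from an RSN IE: version, group cipher, pairwise list, AKM list."""
    try:
        off = 2 + 4
        n_pairwise = struct.unpack_from("<H", rsn, off)[0]
        off += 2 + 4 * n_pairwise
        n_akm = struct.unpack_from("<H", rsn, off)[0]
        off += 2
        akms = [rsn[off + 4 * k:off + 4 * k + 4] for k in range(n_akm)]
        return akms if all(len(a) == 4 for a in akms) else []
    except struct.error:
        return []


def security_label(capability: int, ies: list) -> str:
    """Open / WEP / WPA / WPA2-PSK / WPA2-Enterprise from the IEs and the Privacy bit."""
    rsn = [v for t, v in ies if t == IE_RSN]
    wpa = [v for t, v in ies if t == IE_VENDOR and v.startswith(WPA_OUI_TYPE)]
    if rsn:
        akms = rsn_akms(rsn[0])
        if AKM_8021X in akms:
            return "WPA2-Enterprise (802.1X)"
        return "WPA2-PSK" if AKM_PSK in akms else "WPA2"
    if wpa:
        return "WPA"
    return "WEP" if capability & CAP_PRIVACY else "Open"   # Privacy bit alone means WEP


def classify_beacon(frame: bytes) -> dict:
    """What a scanner logs for one beacon: BSSID, SSID (or hidden), channel, security."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        raise ValueError("too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x00FC != 0x0080:                # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                     # addr3 carries the BSSID in beacons
    capability = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)[0]
    ies = list(parse_ies(frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:]))
    ssid_raw = next((v for t, v in ies if t == IE_SSID), b"")
    hidden = len(ssid_raw) == 0 or set(ssid_raw) == {0}   # both ways APs "cloak" the SSID
    channel = next((v[0] for t, v in ies if t == IE_DS_PARAM and v), None)
    return {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "ssid": "" if hidden else ssid_raw.decode("utf-8", "replace"),
        "hidden": hidden,
        "channel": channel,
        "security": security_label(capability, ies),
    }


def scan(frames) -> list:
    return [classify_beacon(f) for f in frames]


# ---- constructed sample frames (made-up BSSIDs and SSIDs, not captures) ----
def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy=False, extra_ies=()) -> bytes:
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)      # ESS bit, plus Privacy if encrypted
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = bytes(8) + struct.pack("<HH", 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    for tag, value in extra_ies:
        ies += bytes([tag, len(value)]) + value
    return hdr + fixed + ies


def rsn_ie(akm: bytes) -> bytes:
    """Minimal RSN IE: CCMP group and pairwise cipher, one AKM suite, empty capabilities."""
    ccmp = b"\x00\x0f\xac\x04"
    return struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + akm + b"\x00\x00"


SAMPLE_FRAMES = {
    "open": build_beacon(bytes.fromhex("00112233aa01"), b"CoffeeShop", 6),
    "wep": build_beacon(bytes.fromhex("00112233aa02"), b"OldOffice", 11, privacy=True),
    "wpa": build_beacon(bytes.fromhex("00112233aa03"), b"Warehouse", 1, privacy=True,
                        extra_ies=[(IE_VENDOR, WPA_OUI_TYPE + struct.pack("<H", 1))]),
    "hidden_psk": build_beacon(bytes.fromhex("00112233aa04"), b"", 6, privacy=True,
                               extra_ies=[(IE_RSN, rsn_ie(AKM_PSK))]),
    "enterprise": build_beacon(bytes.fromhex("00112233aa05"), b"Corp", 36, privacy=True,
                               extra_ies=[(IE_RSN, rsn_ie(AKM_8021X))]),
}

if __name__ == "__main__":
    for entry in scan(SAMPLE_FRAMES.values()):
        print(entry)
```

Feeding real frames means stripping the radiotap header first (its length is in bytes 2-3) and handing the remainder to classify_beacon; the same function works on probe responses, whose body layout is identical.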
66
Understanding Wireless Hacking
Hacking a wireless network is not much different from hacking a wired LAN once the attacker has associated to it
Techniques for hacking wireless networks
  Port scanning
  Enumeration
67
Tools of the Trade
Equipment
  Laptop computer
  A wireless NIC
  An antenna
  Sniffer software
68
AirSnort
Created by Jeremy Bruestle and Blake Hegerle
It was the tool most hackers wanting to access WEP-enabled WLANs used (the aircrack-ng suite has since superseded it)
AirSnort limitations
  Runs on either Linux or Windows (textbook is wrong)
  Requires specific drivers
  Not all wireless NICs function with AirSnort
See links Ch 11p, 11q
69
WEPCrack
Another open-source tool used to crack WEP encryption
  WEPCrack was released about a week before AirSnort
  It also works on *NIX systems
  WEPCrack uses Perl scripts to carry out attacks on wireless systems
  AirSnort is considered better (link Ch 11r)
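AirSnort and WEPCrack both implement the FMS statistical attack, which recovers the WEP key from frames with weak IVs. The added example below (not code from either tool or from the deck) shows the simpler flaw underneath that makes the later "use 104-bit WEP" advice no real fix: WEP prepends a 24-bit IV to the key and runs RC4, so whenever an IV repeats, two frames share a keystream, and the LLC/SNAP header that begins every IP or ARP payload gives the attacker known plaintext to recover it. The key, IV and frame contents are constructed, and the attack runs identically against a 40-bit and a 104-bit key because the IV size does not change.

```python
"""WEP keystream reuse: same IV => same RC4 keystream, regardless of key length.
Keys, IV and frames below are constructed, not captured."""
import math
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA): return `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body = IV(3) || key-id(1) || RC4(IV || key)(plaintext || CRC-32 ICV).
    The same 24-bit IV is used whether the key is 5 bytes (40-bit) or 13 bytes (104-bit)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    return iv + b"\x00" + xor(rc4(iv + key, len(data)), data)


# Every IP/ARP payload starts with this LLC/SNAP header: free known plaintext for an attacker.
SNAP_HEADER = b"\xaa\xaa\x03\x00\x00\x00"
ARP_START = SNAP_HEADER + b"\x08\x06"   # ARP frames have a fixed size, so these 8 bytes are known
IP_START = SNAP_HEADER + b"\x08\x00"


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Attacker step 1: known plaintext XOR ciphertext gives the keystream bytes for this IV."""
    return frame[:3], xor(frame[4:4 + len(known_plaintext)], known_plaintext)


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes):
    """Attacker step 2: any other frame that reuses the IV decrypts with the recovered bytes."""
    if frame[:3] != iv:
        return None
    return xor(frame[4:4 + len(keystream)], keystream)


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames after which some IV has repeated with probability p."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))


def demo(key: bytes) -> dict:
    """Two frames under one IV: recover the keystream from the ARP frame, decrypt the other."""
    iv = b"\x4f\x3a\x01"                                    # constructed: the IV that repeated
    arp = wep_encrypt(key, iv, ARP_START + bytes(28))       # ARP request, plaintext predictable
    secret = wep_encrypt(key, iv, IP_START + b"GET /login?pw=hunter2")  # later frame, same IV
    iv_seen, keystream = recover_keystream(arp, ARP_START)
    recovered = decrypt_with_keystream(secret, iv_seen, keystream)
    # With a shared keystream, ciphertext XOR ciphertext equals plaintext XOR plaintext.
    n = len(ARP_START)
    identity = xor(arp[4:4 + n], secret[4:4 + n]) == xor(ARP_START, IP_START)
    return {"recovered_plaintext": recovered, "xor_identity": identity, "key_bits": len(key) * 8}


if __name__ == "__main__":
    for k in (b"\x01\x23\x45\x67\x89", bytes(range(13))):
        print(demo(k))
    print("frames for a 50% IV collision:", frames_until_iv_collision())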
70
Countermeasures for Wireless Attacks
Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
  Honeypots
    Servers with fake data to snare intruders
  Fakeap and Black Alchemy Fake AP
    Software that makes fake access points (floods scanners with thousands of bogus beacons to hide the real one)
    Link Ch 11s
71
Countermeasures for Wireless Attacks
Use special paint to stop radio from escaping your building
Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
  Weak on its own: MAC addresses are sent in the clear and are trivially spoofed (see the MAC address filtering demo at the end of this chapter)
Use an authentication server instead of relying on a wireless device to authenticate users
72
Countermeasures for Wireless Attacks
Use an EAP authentication protocol
If you use WEP, use 104-bit encryption rather than 40-bit encryption
  This does not fix WEP's 24-bit IV or its weak-key problems; the key is still recoverable
  But just use WPA instead (today WPA2 or WPA3; TKIP-only WPA is deprecated)
Assign static IP addresses to wireless clients instead of using DHCP
  Obscurity only: a sniffer sees the address range in use
Don't broadcast the SSID
  Obscurity only: the SSID still appears in probe and association frames
73
Countermeasures for Wireless Attacks
Place the AP in the demilitarized zone (DMZ), so wireless clients reach the internal network only through the firewall
[DMZ diagram, image from Wikipedia]
74
Demo: Defeating MAC Address Filtering
Link Ch 11zf