Wireless attacks - HACKING 17 Most Dangerous Hacking Attacks (2017)


Chapter 4 – Wireless attacks

The reality is that there are so many different ways to attack wireless networks that I hardly know where to begin. I have dedicated a separate book, Volume 3, specifically to wireless attacks, where I go into much more detail on the many methods used against wireless networks.

Most people love to use free WiFi; in fact, as the technology has expanded, we no longer need wires for any network. Since the start of the 21st century, wireless networks have become ubiquitous: with more and more access points everywhere, coverage has grown dramatically, and we have come to use the Internet wirelessly as a matter of course. We went on to chat on our mobile devices, then shortly afterwards to make Skype calls, and for a long time now we have been able to stream live TV channels in HD quality.

Because wireless networks are part of our everyday lives, hackers have taken notice too. Multiple techniques can be used to gain control over wireless networks.

At first, hackers used wireless networks as a backdoor into the main network of a company. Even now that wireless networks are far better secured, believe it or not, hackers still gain access through wireless access points, because many large organizations still have not taken enough steps to implement proper security measures around their wireless networks.

As I mentioned before, we all love to use free WiFi hotspots, but the sad truth is that many of us have no clue how dangerous it can be to connect to a rogue access point that advertises itself as a genuine free WiFi hotspot.

Rogue Access Point

Creating a rogue access point is very easy. Therefore a big business must have many security measures in place to protect its wireless network.

Many people think that to duplicate a whole access point an average hacker would have to obtain a real access point, configure it and place it somewhere. That is one way to go about it, but nowadays there are cleverer strategies for wireless hacking. To become an ethical hacker or a security consultant, you must understand every wireless hacking method that is out there and that the bad guys might use against you or the company that hires you. If you don't know what threats exist, you won't be able to implement the right security measures, and therefore you won't be able to protect the network.

Most access points have no power supply of their own: they are PoE devices, meaning they are powered over Ethernet, so an access point must be connected to something that is powered on. Access points are also not very small, so you will not see hackers walking around holding one. Instead of carrying a physical access point, you can virtualize one on your laptop using either BackTrack or Kali Linux. Once you have a laptop, you can install BackTrack or Kali on it directly, or you can install it in a virtual machine, bridge the VM's network to your notebook's wireless adapter, and begin attacking wireless networks from there.

To set up a rogue access point on a wireless network, you configure BackTrack or Kali to monitor wireless signals and then analyze the existing, genuine access points in more detail. Next, you learn the MAC address of the valid access point and the channel it is using. With that information, you configure your BackTrack device to advertise the same details, and it becomes the new fake access point, also known as a rogue access point.

Of course, other configuration is required as well: DHCP services, with DHCP server settings that hand out IP addresses to the clients, or I should say the victims; NAT (Network Address Translation), so that private addresses can be translated to public IP addresses; and lastly routing, so that the victims can communicate and reach the Internet.

Yes, you read that right: the victims would still have access to the web, but through the rogue access point. That is why it is also known as a man in the middle. I have explained and demonstrated these steps in Volume 3 in case you want to practice in your home lab environment; here I only wanted to give a high-level overview of what a rogue access point can do.
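A defender's counterpart to the rogue access point described above, as an added example (not code from the book or its Volume 3): a small Python check that compares the beacons a monitoring sensor sees against an inventory of authorized access points. The inventory, the beacon observations and the names used are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory of the organization's own access points:
# BSSID -> (SSID, channel). In practice this comes from the WLAN controller.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", 6),
    "aa:bb:cc:00:00:02": ("CorpWiFi", 11),
}
MANAGED_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

# Constructed beacon observations from one scan pass: (SSID, BSSID, channel, RSSI dBm).
OBSERVED_BEACONS = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", 6, -48),   # genuine AP 1
    ("CorpWiFi", "aa:bb:cc:00:00:02", 11, -60),  # genuine AP 2
    ("CorpWiFi", "de:ad:be:ef:00:01", 6, -35),   # our SSID from a radio we do not own
    ("corp wifi", "de:ad:be:ef:00:02", 1, -40),  # look-alike SSID
    ("CorpWiFi", "aa:bb:cc:00:00:02", 11, -30),  # AP 2's MAC and channel copied exactly
    ("Free WIFI", "de:ad:be:ef:00:03", 1, -45),  # unrelated hotspot, nothing to flag
]

def _norm(ssid):
    """Collapse case, spaces and punctuation so 'corp wifi' compares equal to 'CorpWiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def classify_beacons(observed, rssi_gap_db=15):
    """Return a list of (finding, ssid, bssid) for one scan pass; empty means clean."""
    findings = []
    rssi_by_bssid = defaultdict(list)
    managed_norm = {_norm(s) for s in MANAGED_SSIDS}
    for ssid, bssid, channel, rssi in observed:
        bssid = bssid.lower()
        rssi_by_bssid[bssid].append(rssi)
        if bssid in AUTHORIZED_APS:
            if (ssid, channel) != AUTHORIZED_APS[bssid]:
                findings.append(("MAC_CLONE", ssid, bssid))     # our MAC on the wrong SSID/channel
        elif ssid in MANAGED_SSIDS:
            findings.append(("EVIL_TWIN", ssid, bssid))          # our SSID from an unknown radio
        elif _norm(ssid) in managed_norm:
            findings.append(("LOOKALIKE_SSID", ssid, bssid))
    # A clone that copies BSSID, SSID and channel passes every check above; the
    # remaining tell is the same BSSID beaconing at two clearly different levels.
    for bssid, levels in rssi_by_bssid.items():
        if len(levels) > 1 and max(levels) - min(levels) >= rssi_gap_db:
            findings.append(("RSSI_SPLIT", "", bssid))
    return findings

if __name__ == "__main__":
    for finding in classify_beacons(OBSERVED_BEACONS):
        print(*finding)
```

The RSSI-based check only works when the sensor sees both radios in the same pass; a controller that correlates reports from several sensors can apply the same idea across locations.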

Man in the Middle on Wireless

As I explained, once there is a man in the middle, everything you do, including every website you visit and every username and password you type, can be logged by the man in the middle. Beyond being recorded, your details can be modified: while you fill in an important online form for someone, what they receive may have been rewritten by someone else, and so on. I have already discussed what a man in the middle can mean, but I have not yet explained that one of the most common ways to achieve it is through wireless networks, by getting victims to connect to a rogue access point.

This is key to understand, so the next time you see a free WiFi hotspot, make sure it is the real, genuine access point advertising the real wireless network, because you do not want to connect to a rogue wireless access point.

Mis-Association Attacks

This is another method I have demonstrated and successfully implemented in Volume 3 – Hacking Wireless Networks.

What you have to understand is that with operating systems like Kali Linux or BackTrack you can forge your own MAC address, so you can become anyone you choose to be. What I mean is that once you start monitoring wireless signals with your virtualized Kali Linux and identify a wireless network, you can identify both the access point and all the clients currently associated with it. As I mentioned before, you can fake the access point's MAC address and become a rogue wireless access point, but by analyzing the wireless signals you can also learn enough about the clients to impersonate them. What you need is the MAC address of a trusted client that has already established a connection with the access point. In case I am confusing you, remember that every router or access point remembers your device's MAC address, and that is why you don't have to type the password every day when you connect to a wireless network whose password you have provided before. In fact, you don't even have to click or choose the SSID (Service Set Identifier); your device finds it and joins automatically.

As well as you know that fact, believe me, all the black hat hackers know it too, and they can easily exploit it using an OS (operating system) such as BackTrack or Kali Linux. Again, all you have to do is take a trusted device's MAC address and assign it to your own. By doing that you still have to get onto the wireless network, so you send a de-authentication message over the air to de-authenticate all the trusted clients. While they try to re-authenticate, your device wins the race and is connected first. To have your device connect faster than the real one, you can make a small tweak to strengthen your wireless signal, which helps you attach to any wireless network faster. If you are in doubt about how to implement such a method, I have a step-by-step guide in Volume 3, specifically for Hacking Wireless Networks.

De-Authentication Attack

I have just explained why and how a hacker would plan a mis-association attack; its purpose is to get authenticated on a wireless network that the hacker wants to exploit in some way. Once you join a network there are many things you could do, and hackers would not necessarily want to enjoy free WiFi, but rather something more sophisticated. Sure, the majority of hacking is for financial gain. However, there are other motives too, such as espionage or impersonation, and so on. Occasionally a hacker's plan is only to cause a simple delay, something that slows down the network, or issues such as individual devices failing to operate or connect to the network.

As I mentioned before, with BackTrack or Kali Linux you can monitor and learn all the MAC addresses of the real clients connected to the network. Once you have learned enough about the clients, you can begin to run automated de-authentication requests for each of those trusted devices, originating from your attacker laptop. Make it look to the APs (access points) as if the requests came from the clients, and the AP will de-authenticate them all, leaving the end users wondering why they have lost Internet access. Once it is reported to the IT department, the engineers need some time to analyze the logs and understand what exactly happened; there would be nothing unusual in the regular traffic flow, but if everyone was disconnected from the same wireless network at once, that would raise suspicion. Still, it would be hard to find out what exactly happened and who the villain was in the first place.
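The flood of forged de-authentication frames described above leaves a signature a wireless IDS can look for. As an added example, not from the book, the Python below counts de-authentication frames per BSSID inside a sliding time window and reports a burst; the frame records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0      # how far back a burst is counted
DEAUTH_THRESHOLD = 5      # deauth frames per BSSID inside the window that trigger an alert

AP = "aa:bb:cc:00:00:01"
C1, C2, C3 = "11:22:33:44:55:01", "11:22:33:44:55:02", "11:22:33:44:55:03"

# Constructed frame log (not a real capture): (seconds, subtype, addr1, addr2, bssid).
# For a de-authentication frame addr1 is the receiver and addr2 the claimed sender.
SAMPLE_FRAMES = [
    (0.0, "beacon", "ff:ff:ff:ff:ff:ff", AP, AP),
    (1.2, "deauth", AP, C1, AP),      # one client leaving normally: no alert
    (40.0, "deauth", C1, AP, AP),     # burst: every client "told" by the AP to leave
    (40.1, "deauth", C2, AP, AP),
    (40.2, "deauth", C3, AP, AP),
    (40.3, "deauth", C1, AP, AP),
    (40.4, "deauth", C2, AP, AP),
    (40.5, "deauth", C3, AP, AP),
    (41.0, "beacon", "ff:ff:ff:ff:ff:ff", AP, AP),
]

def detect_deauth_floods(frames, window=WINDOW_SECONDS, threshold=DEAUTH_THRESHOLD):
    """Return {bssid: alert} for each BSSID whose deauth rate crossed the threshold.
    The alert is refreshed while the burst continues, so it covers the whole burst."""
    recent = defaultdict(deque)   # bssid -> deque of (time, client address)
    alerts = {}
    for t, subtype, addr1, addr2, bssid in sorted(frames):
        if subtype != "deauth":
            continue
        client = addr1 if addr2 == bssid else addr2   # whichever side is not the AP
        q = recent[bssid]
        q.append((t, client))
        while q and t - q[0][0] > window:              # drop frames outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[bssid] = {
                "start": q[0][0],
                "end": t,
                "frames": len(q),
                "clients": len({c for _, c in q}),
            }
    return alerts

if __name__ == "__main__":
    for bssid, alert in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth burst on {bssid}: {alert}")
```

A single client disconnecting produces one or two such frames, which the threshold ignores; many frames hitting several clients within seconds is the pattern worth raising to the IT department.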

Wireless Collision Attack

As I explained in Volume 3, the wireless hacking book, wireless collisions can be found everywhere, and even when they are not constant, other devices can cause them.

Such devices might be cordless phones or microwave ovens, which cause interference and therefore weaken the wireless signal.

Because wireless access points send their signals over the air on certain channels, there is a chance that your neighbors' wireless access points use the same channels as your home router. Most of these access points provide a solid signal in a radius of about 30-50 meters. However, some can reach 200-400 meters if there is no interference and no obstruction.

Wireless signals weaken as they pass through windows, doors or walls, and the thicker the object, the weaker the signal becomes. This is common sense. However, most people don't think about possible interference issues, the most common of which is simply another access point nearby using the same channel, which causes wireless interference. The reality is that many people live in flats with 3-5 neighbors very close by, and most of them have issues with the wireless network in their home. If they checked their wired network at the same time there would be no problem, but due to the increasing number of wireless home networks this is becoming a regular issue.

As I explained in the fundamentals earlier, you can configure both BackTrack and Kali Linux to provide a stronger signal, and you can also monitor wireless signals and identify other wireless access points and the channels they operate on. As you see, hackers know these facts too, and if they wish to cause an issue on a particular wireless network, all they have to do is configure their BackTrack box to use the same channels as the victim. The interference quickly becomes so high that the victim's network slows to the point of being useless, eventually drops all packets, and every single client loses network connectivity. Taking this further, hackers go as far as installing Kali on a Raspberry Pi and hiding it somewhere close to the targeted wireless access point, or even attaching the Raspberry Pi to a drone and landing it on the building that is their target. Once a sophisticated wireless collision attack is implemented, it is possible to damage the wireless access points so badly that all SSIDs are affected, and therefore all the clients drop off the network.

Wireless Replay attacks

This method has gone out of fashion, but in the past it was used a great deal, and for some it may remain an old favorite way to hack a wireless network. Therefore it's fair to explain the concept.

As I mentioned before, capturing wireless signals is very easy, as they are everywhere, so before deciding which wireless network to connect to, we first monitor the wireless signals. While monitoring the wireless traffic, we can record it with Wireshark, which helps with further analysis of what kind of communication is happening on the wireless network. Simply put, we look for a packet in which a client authenticates to a particular SSID. This packet confirms the password required to log on to the wireless network, and if you replay the very same message over the air, there is a possibility that the access point will authenticate you as a trusted device. The reality is that most large companies now use newer standards for better security. However, there are still many businesses that could be exploited using this technique.

Protection against wireless attacks

As I mentioned, big companies such as banks and other financial organizations have now learned that infrastructure security is essential, so most of them have good security in place, such as ISE (Identity Services Engine) or at least ACS (Cisco Secure Access Control System), the predecessor of ISE.

In addition, at least one vendor's firewall is required, such as Cisco Systems, Check Point, Juniper, Palo Alto, Brocade and so on; however, most companies would rather have two different types of firewall, just in case one is compromised.

IDS (Intrusion Detection Systems) are also well known in wireless security: they identify anomalies on the network and raise alerts in the system, and then other devices such as IPS (Intrusion Prevention Systems) prevent such wireless attacks.

Regarding WAPs (Wireless Access Points), most of them are PoE (Power over Ethernet) devices and are therefore connected to network switches. Additional commands need to be implemented on the network switches too, in case someone tries to log in to the network over a wired connection using a device such as a BackTrack or Kali Linux box.

Wireless network protection is critical, and if you have a personal wireless network at home, you are probably using a protocol such as WPA-Personal or WPA-PSK.

PSK stands for Pre-Shared Key, which is normally your password; anyone who wants to connect to the wireless network has to provide the same password. Unfortunately, a PSK can be broken as well, using a brute-force attack or even a dictionary attack. Both brute-force and dictionary attacks are relatively simple to perform: once you are ready to run them, the software does the job and eventually finds the password. What I would suggest is to use a password that is very complex and includes:

• Uppercase letters

• Lowercase letters

• Numbers

• Multiple symbols

• At least ten characters long

• Do not use dictionary words

I know that most people wouldn't bother much and would use simple passwords such as password1; however, the more complex your password, the more challenging it is to crack, so here is an example you could use if you want to stick to password1:

Try to use something like Pa$$W0rd! (the o is a zero, of course); however, try to avoid anything related to words like password or pass, and furthermore anything related to you, such as:

• your name,

• your details

• any date of birth of yours or of close family members

• any names of close family members

I am explaining this because, unfortunately, most people still use similar passwords: words they can remember easily. The bad guys are aware of this too, and using social networking sites it is very easy to find out passwords related to people.

As I mentioned, with brute-force or dictionary attacks there is no escape: even if cracking a password takes days or weeks, it will eventually be broken by one of the many tools available.

This is one of the main reasons companies implement password policies, such as password complexity and, additionally, a change every 30 days.

To be honest, in early 2017 new software appeared that was able to crack any password in just under 30 days. Therefore the newly recommended password policy is 20 days.

Again, I can tell you that many companies, even though they are aware of this information, will still take months or even years to implement the 20-day password policy, as it's just too much of a pain, and of course who likes to change their password every 20 days? Before you think there is no way to do such a thing, let me suggest something you might consider so that you could change your password even every day if you wanted to.

Think about dates, such as months or the names of the days, then use those backward.

If that is too difficult to remember and you want to use a single word, then use it three times. For example, if you want to use a password like Pass123, you might use it as Pa$$123Pa$$123Pa$$123: it's easy to remember and tough to crack.

As I mentioned before, please don't use this example or anything related to the word pass. However, you might find it helpful and be able to apply it to your existing password in order to make it harder to crack.
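As an added example, not the book's own code, the Python below turns the password guidance of this section into a check: the length and character-class rules from the list above, the "nothing related to password or pass" rule with Pa$$W0rd-style substitutions undone before matching, and a check against the owner's personal details. The wordlist, the substitution table and the sample candidates are constructed; a real deployment would use a full dictionary.

```python
import re

# Constructed stand-in for a real wordlist (not from the book).
DICTIONARY = ("january", "monday", "pass", "password", "summer", "welcome", "word")

# Common letter-for-symbol swaps, undone so 'Pa$$W0rd' is still recognized as 'password'.
LEET = str.maketrans({"$": "s", "@": "a", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

def check_psk(candidate, personal=()):
    """Return the rules a candidate pre-shared key breaks (empty list = acceptable).
    personal: strings tied to the owner (names, birth dates) that must not appear."""
    problems = []
    if len(candidate) < 10:
        problems.append("shorter than 10 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no number")
    if len(re.findall(r"[^A-Za-z0-9]", candidate)) < 2:
        problems.append("fewer than two symbols")
    # Match the wordlist against the candidate both as typed and with the swaps undone.
    forms = (candidate.lower(), candidate.lower().translate(LEET))
    for word in DICTIONARY:
        if any(word in f for f in forms):
            problems.append(f"contains dictionary word '{word}'")
    for item in personal:
        if item and any(item.lower() in f for f in forms):
            problems.append(f"contains personal detail '{item}'")
    return problems

if __name__ == "__main__":
    for sample in ("password1", "Pa$$W0rd!", "Pa$$123Pa$$123Pa$$123", "Tr!ck-Route#92Lamp"):
        print(sample, "->", check_psk(sample) or "ok")
```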