CEHv8 module 15 hacking wireless networks

DOCUMENT INFORMATION

Pages: 258
File size: 12.12 MB

Content

Ethical Hacking and Countermeasures v8
Module 15: Hacking Wireless Networks
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

Smartphone Wi-Fi Searches Offer Massive New Data Leakage Vector
04 October 2012
Source: http://www.infosecurity-magazine.com

Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones.

According to researchers at Sophos, the ability of smartphones to retain identifiers for the trusted Wi-Fi networks they attach to automatically offers criminals a window into daily habits - and exploitable information.

"A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' - listening for networks which are broadcasting themselves - or 'active' - sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see."
It means that a would-be criminal can find out a lot about a person's daily movements - which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on. But aside from being a nice toolkit for a stalker, it also gives cybercriminals a way into the person's smartphone. Specifically, an attacker could set up a rogue Wi-Fi network with the same SSID as the one the user is trying to connect to, with the aim of forcing the phone to connect and transfer data through it.

"So while someone knowing that your phone is trying to connect to 'BTHomeHub-XYZ' isn't immediately condemning, it may allow for them to launch a 'man-in-the-middle' attack against you, intercepting data sent between you and a friend, giving the impression you're talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker," explained Bhardwaj. "An 'evil twin' attack could even accomplish this without needing any knowledge of your Wi-Fi password - very damaging for all of those who use mobile banking for instance."

All of that data darting across airwaves in an unencrypted fashion clearly offers a potentially huge security hole for an enterprising cybercriminal. In an effort to find out how real the danger is, Bhardwaj launched an experiment at a recent university open day in Warwick, UK. He ran a security demo in which he collected data from people walking by, displaying it for them to see.

In just five hours, 246 wireless devices came into range. Almost half - 49% - of these devices were actively probing for their preferred networks to connect to, resulting in 365 network names being broadcast. Of those, 25% were customized, non-standard network names. However, 7% of the names revealed location information, including three where the network name was actually the first line of an address.

"What makes this even more worrying was how easily I was able to capture this sensitive information," he explained. "A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google was all I needed. I didn't even need to understand anything about the 802.1 protocols that govern Wi-Fi to carry out this attack."

Coupled with a portable power source, a device could easily be hidden in a plant pot, garbage can, park bench and so on to lure Wi-Fi devices to attach to it.

Mobile phone users can protect themselves somewhat by telling your phones to 'forget' networks you no longer use to minimize the amount of data leakage, he said. But, "the unfortunate news is there doesn't appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones," he noted, other than shutting Wi-Fi access completely off or disabling location-aware smartphone apps.

Copyright © 2012
http://www.infosecurity-magazine.com/view/28616/smartphone-wifi-searches-offer-massive-new-data-leakage-vector/
Module Objectives

Wireless networks are inexpensive when compared to wired networks. But, they are more vulnerable to attacks when compared with the wired networks. An attacker can easily compromise the wireless network, if proper security measures are not applied or if the network is not configured appropriately. Employing a high security mechanism may be expensive. Hence, it is advisable to determine critical sources, risks, or vulnerabilities associated with it and then check whether the current security mechanism is able to protect you against all possible attacks. If not, then upgrade the security mechanisms. But, you should ensure that you leave no other doorway for attackers to reach and compromise the critical resources of your business. This module assists you in identifying the critical sources of your business and how to protect them.

This module familiarizes you with:

- Types of Wireless Networks
- Wireless Terminologies
- Types of Wireless Encryption
- How to Break WEP Encryption
- Wireless Threats
- Footprint the Wireless Network
- GPS Mapping
- How to Discover Wi-Fi Network Using Wardriving
- Wireless Traffic Analysis
- What Is Spectrum Analysis?
- How to Reveal Hidden SSIDs
- Crack Wi-Fi Encryption
- Wireless Hacking Tools
- Bluetooth Hacking
- How to BlueJack a Victim
- How to Defend Against Wireless Attacks
- Wireless Security Tools
- Wireless Penetration Testing

Module Flow

A wireless network is a relaxed data communication system that uses radio frequency technology with wireless media to communicate and obtain data through the air, which frees the user from complicated and multiple wired connections. They use electromagnetic waves to interconnect data from an individual point to another without relying on any bodily construction. To understand the concept of hacking wireless networks, let us begin with wireless concepts. This section provides insight into wireless networks, types of wireless networks, wireless standards, authentication modes and process, wireless terminology, and types of wireless antenna.

[Module flow diagram: Wireless Concepts, Wireless Encryption, Wireless Threats, Wireless Hacking Methodology, Wireless Hacking Tools, Bluetooth Hacking]
M o d u le 1 5 P a g e 2 1 4 0 E x a m 3 1 2 - 5 0 C e r tif ie d E t h ic a l H a c k e rE t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s H a c k in g W ire le s s N e t w o r k s E t h ic a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r ig h t © b y E C - C 0 U n C il A ll R i g h ts R e s e r v e d . R e p r o d u c t io n is S t r ic t ly P ro h i b i t e d . M o d u le 1 5 P a g e 2 1 4 1 Exam 3 12-50 Certified Ethical HackerEthical Hacking and Countermeasures H a c k in g W ire le s s N e t w o r k s W i r e l e s s N e t w o r k s * י • • C E H י י•* י•* י•* •* Certified IUkjI Hwfca 0 0 J Wi-Fi refers to wireless local area networks (WLAN) based on IEEE 802.11 standard J It is a w idely used technology for wireless comm unication across a radio channel J Devices such as a personal computer, video-gam e console, sm artphone, etc. use Wi-Fi to connect to a netw ork resource such as the Internet via a wireless netw ork access point » Security is a big issue and may not m eet expectations « As th e numbe r of com puters on th e netw ork increases, th e ban d w id th suffers « WiFi enhancem ents can require new wireless cards a n d /or access points « Some electronic e quip m en t can interfere with th e Wi-Fi networks « Installation is fast and easy and elim inates w irin g th rough walls and ceilings « It is easier to provide connec tivity in areas w here it is d ifficult to lay cable e Access to the network can be fro m anywhere w ithin range o f an access poin t © Public places like airp orts, libraries, schools or even coffee shops o ffer you constant Intern et connections using Wireless LAN A d v a n ta g e s Copyright © by IG-COUIICil. All Rights Reserved. Reproduction is Strictly Prohibited. W i r e l e s s N e t w o r k s A w ireless n etw o rk refers to a co m pute r n e tw o rk that is not connected by any kind of cables. In wireless networks, the transmission is made possible through th e radio wave transm ission system. 
This usually takes place at the physical layer of the netw ork structure. Fundam ental changes to the data netw o rkin g and telecom m unication are taking place w ith the wireless com m u nicatio n revolu tion. Wi-Fi is developed on IEEE 802.11 standards, and it is w idely used in wireless com m unication. It provides w ireless access to applications and data across a radio netw o rk. Wi-Fi sets up num erous ways to build up a connection between the tran s m itter and th e receiver such as Direct-sequence Spread Spectrum (DSSS), Frequency- hopping Spread Spectrum (FHSS), Infrared (IR), and Orthogonal Frequency-division M ultiple xing (OFDM). Advantages: 9 Installation is fast and easy and elim inates w iring through walls and ceilings. 9 It is easier to provide connectivity in areas where it is d ifficu lt to lay cable. 9 Access to the netw ork can be from anywhere w ith in range o f an access point. E t h ic a l H a c k i n g a n d C o u n t e r m e a s u r e s Copyright © by E C - C 0 U n C il All Rights Reserved. Reproduction is Strictly Prohibited. M o d u le 1 5 Page 2142 E x a m 3 1 2 - 5 0 C e r tif ie d E t h ic a l H a c k e rE t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s H a c k in g W ire le s s N e t w o r k s 9 Using a wireless n etw ork, m u ltip le members can access the In ternet sim ultaneously w ith o u t having to pay an ISP fo r m u ltiple accounts. 0 Public places like airports, libraries, schools, or even coffee shops offer you a constant Internet connection using a w ireless LAN. Disadvantages: 9 Security is a big issue and may no t m eet expectations. 9 As the num ber o f com puters on th e n etw o rk increases, the b an dw idth suffers. 9 W i-Fi standards changed which results in replacing wireless cards and/o r access points. 9 Some electronic equipm ent can interfere w ith th e Wi-Fi netw orks. 
[...]

... WEP, WPA, WPA2, WEP issues, how to break encryption algorithms, and how to defend against encryption algorithm cracking

[Module flow diagram: Wireless Concepts, Wireless Encryption, Wireless Threats, Wireless Hacking Methodology, Wireless Hacking Tools, Bluetooth Hacking]

... Module Flow

Wireless encryption is a process of protecting the wireless network from attackers who can collect your sensitive information by breaching the RF (Radio Frequency) traffic. This section provides insight on various wireless encryption standards such as WEP, WPA, WPA2, WEP issues, how...

Standard | Freq. (GHz) | Modulation | Speed (Mbps) | Range (ft)
... | ... | ... | 54 | 25-75
802.11b | 2.4 | DSSS | 11 | 150-150
802.11g | 2.4 | OFDM, DSSS | 54 | 150-150
802.11i | Provides WPA2 encryption for 802.11a, 802.11b and 802.11g networks
802.11n | 2.4-2.5 | OFDM | 54 | ~100
802.16a/d/e/m (WiMAX) | 10-66 | | 70-1000 | 30 miles
Bluetooth | 2.45 | | 1-3 | 25

TABLE 15.1: Different Wireless Standards

...

Standard / Amendments | Freq. (GHz) | Modulation | Speed (Mbps) | Range (ft)
802.11a | 5 | OFDM | 54 | 25-75
802.11b | 2.4 | DSSS | 11 | 150-150
802.11g | 2.4 | OFDM, DSSS | 54 | 150-150
802.11i | Defines WPA2-Enterprise/WPA2-Personal for Wi-Fi
802.11n | 2.4, 5 | OFDM | 54 | ~100
802.16 (WiMAX) | 10-66 | | 70-1000 | 30 miles
Bluetooth | 2.4 | | 1...

... that provides Wi-Fi access to Wi-Fi-enabled devices including MP3 players, notebooks, cameras, PDAs, netbooks, and more

[FIGURE 15.6: Diagrammatical representation of 3G Hotspot (labels: Internet, 3G Connection, Cell Tower)]

...

[FIGURE 15.2: Wi-Fi Device Type Comparison in the year 2010 (categories: Apple iPhone, Android, Apple iPad, Apple iPod, Other, Windows 7/Vista, Windows XP, Mac OS X). Source: http://www.meraki.com]

Summary:

- Between 2010 and 2011, mobile platforms overtook desktop platforms in percentage...

...tures. With suitable networking software support, users on the wireless LAN can share files and printers situated on the wired LAN and vice versa.

[FIGURE 15.3: Extension to a Wired Network]

Multiple Access Points

This type of network consists of wireless computers connected wirelessly by using multip...

[FIGURE 15.7: Open System Authentication mode (labels: ...ciation Request (Security Parameters), Association Response, Client attempting to connect, Access Point (AP), Switch or Cable Modem, Internet)]

Shared Key Authentication Process

In this process each wireless station is assumed to have received a shared secre...

[FIGURE 15.8: Shared key Authentication mode (labels: ...allenge text, and if correct, authenticates client; Client attempting to connect, Access Point (AP), Switch or Cable Modem, Internet)]

... The AP generates a multicast/global authentication key encrypted with a per-station unicast session key, and transmits it to the wireless station

[FIGURE 15.9: Shared key Authentication mode]

Date posted: 14/12/2021, 21:28
