Posted by: Jeromie Jackson
aircrack, airodump, karmasploit, RFID cloning, wireless security
Wireless networks pose significant security risks. To demonstrate some of the attack points, I’ll describe the penetration testing techniques and attacks I often use when assessing the wireless security posture of my clients.
Profiling the wireless landscape is the initial step. Here I document what wireless networks are in the area, the types of security being used, signal strengths, and network usage statistics. The Aircrack-NG suite is a great set of tools for this. Using the suite, I’ll fire up a monitor-mode (promiscuous) wireless interface (airmon-ng start wlan0). Using Airodump-ng I’ll begin discovery (airodump-ng -w filename mon0). If anyone is communicating with an SSID that is not being broadcast, it will still be identified as soon as traffic goes through the air past my promiscuous interface.
Secondly, using Wireshark I can begin sniffing traffic being sent through the air even when not connected to a network.
The three prominent types of networks you’ll find are completely open, WEP secured, or WPA-PSK secured. With an open network you can simply associate, and you will generally be handed a network address and the other details necessary for basic networking.
With networks secured with WEP it is pretty easy to gain access quickly. Using the Aircrack-NG suite you begin capturing packets. The process requires accumulating a number of packets until there are enough for aircrack-ng to recover the WEP key. The amount of traffic required varies. If packets are not being generated quickly, it is easy to use aireplay-ng to replay traffic and generate more data. After a few minutes the attack will be successful and you will be on the network, ready to begin penetration into hosts on the wireless network or further back into networks residing inside the organization. Here’s a video showing the process.
WPA is a little more difficult to crack. There are two primary methods: rainbow tables and dictionary attacks. The Church of WiFi has compiled a list of the top 1000 most popular SSIDs. If the network you are attacking uses one of these SSIDs you are in luck: by leveraging the rainbow tables built for them you can quickly crack the password. If the SSID is not one of those included in the rainbow tables, a dictionary/brute-force password attack will be required. Either way, an initial WPA handshake must first be sniffed from the air. By leveraging aireplay-ng to deauth a client, the machine will automatically re-connect with the AP; once you record this re-connection you’re ready to begin cracking. Here is a video demonstrating WPA cracking.
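Why the SSID matters so much here: WPA-PSK derives the pairwise master key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the SSID is the salt, and a table precomputed for one SSID says nothing about a network named anything else. The following Python is an added example of mine, not the author’s and not part of the Aircrack-NG or Church of WiFi tooling, that a WLAN owner can run against a proposed SSID/passphrase pair: it derives the PMK with the standard algorithm, checks the derivation against the IEEE 802.11i test vector, and flags the two weaknesses the paragraph describes (an SSID that precomputed tables cover, and a passphrase short or simple enough for a dictionary run). The COMMON_SSIDS set is a constructed stand-in for the real top-1000 list.

```python
import hashlib

# 802.11i PSK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32

# IEEE 802.11i-2004 Annex H.4.1 test vector (passphrase "password", SSID "IEEE")
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed stand-in for a precomputed-table SSID list; the real top-1000 list is far longer
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless", "home"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA-PSK pairwise master key exactly as a client or AP does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def self_check() -> bool:
    """Confirm derive_pmk reproduces the published IEEE test vector."""
    passphrase, ssid, expected_hex = IEEE_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected_hex


def ssid_is_effective_salt(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two SSIDs,
    i.e. a table built for ssid_a is useless against ssid_b."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def audit_psk_config(ssid: str, passphrase: str, min_length: int = 16) -> list:
    """Return the weaknesses the rainbow-table and dictionary methods rely on."""
    findings = []
    if ssid.lower() in COMMON_SSIDS:
        findings.append("ssid-in-precomputed-table-list")      # rainbow tables apply
    if len(passphrase) < min_length:
        findings.append("passphrase-shorter-than-%d" % min_length)  # cheap to brute force
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in passphrase))
    if any(not c.isalnum() for c in passphrase):
        classes += 1
    if classes < 3:
        findings.append("passphrase-uses-fewer-than-3-character-classes")
    return findings


if __name__ == "__main__":
    print("test vector ok:", self_check())
    print("salt effect   :", ssid_is_effective_salt("password", "linksys", "acme-corp-wlan"))
    for ssid, pw in (("linksys", "password"), ("acme-corp-wlan", "Correct-Horse-Battery-9")):
        print(ssid, pw, audit_psk_config(ssid, pw))
```

The design point is that a unique SSID buys you nothing against a dictionary attack on a weak passphrase (4096 PBKDF2 rounds is cheap per guess), while a long passphrase buys you nothing against a rainbow table if the SSID is on the list; both checks have to pass.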
Gaining Access Without Compromising the Access Point
Who says you have to gain access to the existing network in order to compromise the environment? Another method is by acting as an AP and allowing the clients to connect to you! Here are a couple attack methods used in this scenario.
Scenario 1: Someone creates a fake AP, posing as the organization’s AP. When a client connects, the attacker serves up DHCP and DNS for the user. When the user tries to use the network they are instantly redirected to the attacker’s website, which launches a plethora of attacks against the client with the intent of gaining system access. This is a very effective method and is certainly amusing at the same time. Karmasploit is the tool of choice, along with dnsspoof, part of the DSNIFF package, and a DHCP server of choice. Here’s a video of how Karmasploit works. Here’s a great article on how to pull it off.
Scenario 2: Someone walks into the environment and finds an open jack. Jumping on the network, they are served up an IP address and are now on the LAN. From here the attacker again sets up a fake AP. When a user connects, everything looks normal. They begin logging in, using resources, and doing whatever it is they are hired to do, hopefully. During this entire time the attacker is collecting all the credentials the user is using as well as potentially gaining insight into the business applications in use at the organization. Credentials, potentially sensitive information, and network access are achieved.
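The same airodump-ng output that profiles the landscape (the discovery step described earlier) is what a defender uses to catch both of these scenarios: a fake AP advertising the organization’s SSID shows up as an extra BSSID in the AP table, and the clients it has captured show up in the station table associated with that BSSID. The following Python is an added example of mine, not the author’s and not part of Aircrack-NG, that reads the CSV airodump-ng writes (the `-w filename` prefix gives `filename-01.csv`), checks every AP advertising an organization SSID against an authorized-BSSID inventory, flags open or WEP networks on those SSIDs, and lists clients associated with an unauthorized BSSID. The SAMPLE_CSV and AUTHORIZED inventory are constructed for the example; only the column layout follows airodump-ng.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv (not a real capture)
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 09:00:00, 2024-01-01 09:10:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,  0.  0.  0.  0,  8, AcmeCorp,
00:11:22:33:44:66, 2024-01-01 09:00:00, 2024-01-01 09:10:00, 11,  54, WPA2, CCMP, PSK, -55,   98,  0,  0.  0.  0.  0,  8, AcmeCorp,
DE:AD:BE:EF:00:01, 2024-01-01 09:04:00, 2024-01-01 09:10:00,  6,  54, OPN,  ,  , -30,   40,  0,  0.  0.  0.  0,  8, AcmeCorp,
AA:BB:CC:DD:EE:FF, 2024-01-01 09:00:00, 2024-01-01 09:10:00,  1,  54, WEP, WEP,  , -70,  200, 15,  0.  0.  0.  0,  9, AcmeGuest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
C0:FF:EE:00:00:01, 2024-01-01 09:05:00, 2024-01-01 09:10:00, -35,  300, DE:AD:BE:EF:00:01, AcmeCorp
C0:FF:EE:00:00:02, 2024-01-01 09:01:00, 2024-01-01 09:10:00, -50,  800, 00:11:22:33:44:55, AcmeCorp
"""

# Constructed inventory: organization SSID -> BSSIDs the WLAN team actually operates
AUTHORIZED = {
    "AcmeCorp": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
    "AcmeGuest": {"AA:BB:CC:DD:EE:FF"},
}
ACCEPTABLE_PRIVACY = {"WPA2", "WPA3"}   # anything else on an organization SSID is a finding


def parse_airodump_csv(text):
    """Split the airodump-ng CSV into its AP table and station table as lists of dicts."""
    aps, stations = [], []
    section, header = "ap", None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not any(row):          # a blank line separates the two tables
            section, header = "station", None
            continue
        if header is None:                   # first row of each table is its header
            header = [h.strip() for h in row]
            continue
        record = {key: value.strip() for key, value in zip(header, row)}
        (aps if section == "ap" else stations).append(record)
    return aps, stations


def find_rogue_and_weak(aps, stations):
    """Return (kind, subject, related, detail) findings for organization SSIDs only."""
    findings, rogue_bssids = [], set()
    for ap in aps:
        essid, bssid, privacy = ap["ESSID"], ap["BSSID"], ap["Privacy"]
        if essid not in AUTHORIZED:
            continue                         # neighbours' networks are out of scope
        if bssid not in AUTHORIZED[essid]:   # our SSID from a radio we do not own
            rogue_bssids.add(bssid)
            findings.append(("evil-twin", bssid, essid, "channel " + ap["channel"]))
        if privacy not in ACCEPTABLE_PRIVACY:
            findings.append(("weak-encryption", bssid, essid, privacy or "OPN"))
    for station in stations:                 # clients already talking to the fake AP
        if station["BSSID"] in rogue_bssids:
            findings.append(("client-on-rogue-ap", station["Station MAC"],
                             station["BSSID"], station["Probed ESSIDs"]))
    return findings


def audit(text=SAMPLE_CSV):
    aps, stations = parse_airodump_csv(text)
    return find_rogue_and_weak(aps, stations)


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

Run this against a fresh capture on a schedule and the first thing it reports is exactly Scenario 1 or 2 in progress: an unauthorized BSSID carrying your SSID (here the open DE:AD:BE:EF:00:01 on channel 6) and the client that has already joined it. The WEP finding on the guest network is the kind of weak-encryption result the WEP section above is about.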
RFID Cloning- Wireless Access Control System Circumvention
While this article was mostly about hacking wireless networks, I had to include another topic near and dear to my heart that is also related to wireless access. Many access control systems utilize RFID technology to authenticate users to a building or door. While the simplicity is definitely user friendly, it is equally accessible to attackers. There are two common ways to attack these systems. First, using a card reader, an attacker may simply read the card and copy the credentials to another card. Here’s a video of a couple of buddies of mine using an RFID cloning device, along with a bunch of other cool physical security tools, to gain access to a building and steal pounds of diamonds from Jasons of Beverly Hills. Another method is skimming cards. By placing an overlay over the RFID reader it is possible for the attacker to grab the credentials without needing to be close to the card/individual. The skimmer may use wireless to transmit the data to the attacker in the surrounding area, or may have the ability to store the credentials until the attacker picks up the skimming device. Here’s a video of the skimming technique.
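A cloned or skimmed card presents the same static credential as the original, so the reader cannot tell them apart; what can tell them apart is the access-control log, because two copies of one card move around independently. The following Python is an added example of mine, not the author’s and not from any badge system vendor, showing two detections a facilities or security team can run over a badge-event export: a card entering a site again without having left (double entry), and a card appearing at two sites closer together in time than a person could travel (impossible travel). The reader inventory, travel times and SAMPLE_LOG are all constructed; the timestamp,reader,card,result line format is an assumption about the export.

```python
from datetime import datetime

# Constructed reader inventory: reader name -> (site, direction)
READERS = {
    "HQ-Lobby-In": ("HQ", "in"), "HQ-Lobby-Out": ("HQ", "out"),
    "Annex-In": ("Annex", "in"), "Annex-Out": ("Annex", "out"),
}
# Constructed: the shortest plausible time for one person to move between two sites
MIN_TRAVEL_SECONDS = {frozenset({"HQ", "Annex"}): 15 * 60}

# Constructed sample export (timestamp,reader,card,result); not from any real system
SAMPLE_LOG = """\
2024-03-05T08:01:12,HQ-Lobby-In,1A2B3C,GRANTED
2024-03-05T08:03:40,HQ-Lobby-In,1A2B3C,GRANTED
2024-03-05T08:05:00,HQ-Lobby-In,9F9F9F,DENIED
2024-03-05T08:10:05,Annex-In,1A2B3C,GRANTED
2024-03-05T08:30:00,HQ-Lobby-In,7E7E7E,GRANTED
2024-03-05T12:00:00,HQ-Lobby-Out,7E7E7E,GRANTED
2024-03-05T12:00:30,HQ-Lobby-In,7E7E7E,GRANTED
"""


def parse_log(text):
    """Turn export lines into (time, reader, card, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, reader, card, result = line.split(",")
        events.append((datetime.fromisoformat(timestamp), reader, card, result))
    return sorted(events)


def detect_clone_use(events):
    """Return (kind, card, reader, time) alerts for swipes one card could not have made."""
    alerts = []
    last_seen = {}   # card -> (site, time) of the most recent granted swipe
    inside = {}      # card -> set of sites the card is currently inside
    for timestamp, reader, card, result in events:
        if result != "GRANTED" or reader not in READERS:
            continue                         # denied swipes never open a door
        site, direction = READERS[reader]
        if card in last_seen:
            prev_site, prev_time = last_seen[card]
            gap = (timestamp - prev_time).total_seconds()
            needed = MIN_TRAVEL_SECONDS.get(frozenset({prev_site, site}), 0)
            if prev_site != site and gap < needed:
                alerts.append(("impossible-travel", card, reader, timestamp.isoformat()))
        sites = inside.setdefault(card, set())
        if direction == "in":
            if site in sites:                # already inside: a second copy is being used
                alerts.append(("double-entry", card, reader, timestamp.isoformat()))
            sites.add(site)
        else:
            sites.discard(site)
        last_seen[card] = (site, timestamp)
    return alerts


def audit(text=SAMPLE_LOG):
    return detect_clone_use(parse_log(text))


if __name__ == "__main__":
    for alert in audit():
        print(*alert)
```

In the constructed log, card 1A2B3C enters HQ twice in a row and then appears at the Annex six minutes later, which is the pattern a copied card produces while its owner is still at their desk; card 7E7E7E leaves before re-entering and raises nothing. The double-entry rule only works where every door has an exit reader (anti-passback), so the impossible-travel rule is the fallback for sites that only badge on the way in.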
Remediation- Protect Your Organization From Wireless Threats
In summary, it is very easy to mitigate the risks/threats described in this article- hire me!