Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA PenTest+ Certification: A Simple Guide To Wireless and RF Attacks
Source: https://www.fatskills.com/comptia-pentest-certification/chapter/comptia-pentest-certification-a-simple-guide-to-wireless-and-rf-attacks

CompTIA PenTest+ Certification: A Simple Guide To Wireless and RF Attacks

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~47 min read

Key topics:
- Wireless attack methods
- Specific wireless attacks and when to use them
- The mystery of wireless password cracking

- 802.11 Wireless
- Wireless Networking Overview
- Wireless Testing Equipment
- Attacking Wireless
- Attacking Bluetooth
- Bluetooth Specifications
- Device Discovery
- Bluetooth Attacks
- RFID and NFC

The PenTest+ exam objectives cover wireless and radio frequency (RF)–based vulnerabilities and exploits. In this guide, we will focus on some of the basics a pentester needs to know about wireless network protocols found in the 802.11 (routers and access points), 802.15 (Bluetooth), radio frequency ID (RFID), and near field communications (NFC) technologies. We will investigate various tools for interacting with wireless devices, conducting discovery, and ways to attack wireless devices.

802.11 Wireless
Wireless pentests are often designed to evaluate the reach of a wireless network, whether or not the traffic flowing over that network can be intercepted (or influenced) by an attacker and if an attacker can gain access to the network wirelessly. This involves evaluating possible flaws in the implementation of the network, as well as the reach of the network, and it requires special hardware. Pentesters need to understand how these networks work in order to identify implementation weaknesses and select the right hardware and software tools for the job.

Wireless Networking Overview
Before we talk about how to attack wireless networks, let’s take a minute to talk about how they work. Remember, as a pentester, your job is not only to prove that systems can be broken but to recommend how to fix them. To do that and be a successful attacker, it will be helpful to know what frames look like, how networks are implemented, and how encryption standards are used in wireless networking.

802.11 Wireless Standards
First, let’s talk about how wireless networks transmit data. Wireless networks use specific radio frequencies and channels using defined power ranges. Each frequency range is divided into multiple channels. The Federal Communications Commission (FCC) defines and limits the power ranges that can be applied to Wi-Fi–enabled devices, such as your typical home wireless router. The IEEE 802.11 (https://www.ieee.org) standards define wireless networking.

The table below describes common wireless standards (also referred to as protocols) that a pentester is likely to come across during an engagement.



Table:   Wireless Standards

As you can see, Wi-Fi networks work over the 2.4 GHz or 5 GHz spectrum bands. Each band maintains its own properties and supports various deployment scenarios. The 2.4 GHz band is broken up into 14 channels, each with a bandwidth between 20 and 22 MHz of total separation. This spectrum is supported by many of the 802.11 protocols and provides coverage over a longer range; however, transfer speeds are much slower compared to 5 GHz. The 5 GHz band is broken up into over 20 channels and supports faster transfer speeds using a much wider bandwidth than the 2.4 GHz band, but less coverage by area.
When the 2.4 GHz band gets crowded, the network is more likely to experience slower transfer speeds. Newer wireless routers and networking equipment support dual bands, which have the capability to transmit and receive data over 2.4 GHz and 5 GHz spectrum bands. This option provides flexibility and can support an organization’s decision to use the 5 GHz band to reduce the likelihood of interference when there are many access points (APs) competing on a channel.

Note: : Laws may govern what you are allowed to transmit based on frequency and power use, based on your geographical location and federal regulations. The FCC documents their rules and regulations in Title 47 of the Code of Federal Regulations. Section 15 applies to radio frequency devices, including consumer wireless in computers.

Wireless Modes
Wireless network devices that follow the 802.11 standards have the ability to function in different modes, depending on the requirements of the network. These modes are different implementations with separate considerations for security. The two modes for a wireless network are ad hoc and infrastructure.
In ad hoc mode, wireless clients (stations or STA) are connected in a peer-to-peer mode, and this is commonly referred to as an independent basic service set (IBSS). This is the least common approach, and is least likely to be found in most pentest engagements.

The figure below provides a basic example of computers configured in ad hoc mode.



Figure:   Ad hoc mode

Infrastructure mode is the most common configuration in both home and commercial applications. In infrastructure mode, the wireless clients communicate with a central device called a wireless AP instead of directly communicating with each other, like in ad hoc mode. This is often referred to as a basic service set (BSS) or wireless local area network (WLAN). The AP manages the wireless network and broadcasts a case-sensitive, 32-alphanumeric-character service set identifier (SSID) to advertise its existence. The SSID is the name of the WLAN. Wireless clients can associate with an AP when they are in range and are configured to use the same SSID. However, the AP may impose additional requirements before allowing a client to join the network, such as authentication credentials (for various encryption standards) and a compatible wireless data rate.
The AP facilitates connectivity to either wired networks or additional APs via a distribution system (DS). Having multiple APs connected within the same local area network (LAN) provides a much larger coverage area for wireless clients. Each AP has an associated basic service set identifier (BSSID) that describes its unique media access control (MAC) address. This provides network clarity when multiple APs are on the same WLAN broadcasting the same SSID. Since all wireless network packets contain the originator’s BSSID, the packet can be traced. An extended service set (ESS) is formed when a DS connects multiple APs. ESS provides mobility between the wireless clients so they are free to roam within the coverage area. The extended service set identifier (ESSID) is the network name of the ESS.

The figure below is an example of how a DS can be used to extend service areas for WLAN configurations.



Figure:   Infrastructure mode

802.11 Frames
Inside the traffic, a wireless datagram is a logical chunk of data that is transferred over a wireless network at the transport layer of the OSI model. Much like a typical IEEE 802.3 Ethernet network, frames store much-needed information, such as physical and logical attributes of the device sending the transmission. Frames package together all this information into packets and define a beginning and ending as the information is transferred to the recipient of the communication.

The IEEE 802.11 standards define three primary frames associated with wireless network communication (see Table below).



Table:   802.11 Frames

The beacon frame includes properties that disclose details about the AP that are used for association, including the SSID, type of encryption, MAC, channel, and vendor information.

The figure below shows the SSID value from a packet capture in Wireshark. Finding open wireless networks without any encryption makes it extremely easy for your nosy neighbor to connect and start eavesdropping on your network. This information will become very useful during the wireless scanning process.



Figure:   SSID value from packet capture in Wireshark

Tip: Eavesdropping is the process of listening to a private conversation without the other party knowing you are doing so. You may see this term referenced in questions on the exam.

Wireless Security and Encryption Standards
To protect the confidentiality of data in transit and prevent unauthorized access to devices operating over the wireless network, many wireless networks implement security standards and use encryption. Common implementations of wireless security used for small office/home office (SOHO) environments include Wi-Fi Protected Setup (WPS), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and the new WPA3. The information provided here will help you understand the attacks and give you context for why they work.
WPS  The WPS protocol was designed to allow users to set up secure wireless networks and reduce the overall complexity of associating additional hosts to the network. This is not, in itself, an implementation of encryption so much as a way of securing initial wireless device setup using WPA/WPA2 security without having to use complex passphrases. WPS is commonly found in consumer appliances and may use in-band methods, such as using a personal identification number (PIN) during setup or pushing a button to initiate the network discovery process, or out-of-band methods such as near field communication (NFC), where proximity initiates the connection. For the exam, we’ll focus on in-band methods. Push-button-connect (PBC) initiates a request for a PIN. The PIN can be configured in a graphical user interface (GUI) on the device or may be printed on the device’s label. Other implementations of the PIN setup include both an internal and an external registrar. In the first case, the AP has some interface in which a client can enter a PIN in order to negotiate a connection, often via WPA/WPA2. In the second case (external), the AP provides a PIN which must be entered on the client in order to initiate the connection.
WPS PINs are eight digits. But WPS doesn’t process all eight digits at once to process an authentication request. Instead, it processes this PIN in three parts during authentication. The last digit is a checksum. If this checksum is incorrect, the AP will send a NACK message to end the session. If the checksum is correct, it attempts to validate the first part (four digits). Again, if that is incorrect, the AP sends a NACK. If the first half is correct, then it evaluates the second part, which is three digits.

Tip: WPS requires user interaction to initiate communication. It uses WPA/WPA2 security and an eight-digit PIN. Tools for attack include reaver, wash, and wifite for offline pixie dust attacks or online brute-force PIN attacks.
 

WEP: WEP was included as part of the original standard for 802.11 and was the only encryption protocol available to protect 802.11a and 802.11b wireless networks before WPA. WEP relies on a secret key that is shared between the access point and the clients on the wireless network. The WEP encryption process protects confidentiality of the wireless network using the RC4 stream cipher. RC4 is a symmetric key cipher used to expand a short key into an infinite pseudo-random keystream. The sender will XOR the plaintext message with the keystream to generate the ciphertext. The receiver of the ciphertext will use the same shared secret key to generate an identical keystream and XOR the keystream with the ciphertext to reveal the plaintext message. In order to verify packets have not been modified in transit, WEP uses an integrity check field that is populated with a CRC-32 checksum, which is included as an encrypted part of the payload. A 24-bit initialization vector (IV) is also used to augment the shared secret key and produce a different RC4 key for each packet. The IV is a binary number, which is a fixed-size input that helps decrease the probability of encrypting two ciphertexts with the same keystream.

The figure below provides an overview of the WEP encryption process.



Figure:   WEP encryption standard

Tip: WEP was the standard before WPA. Key reuse in the encryption stream (24-bit IV) makes it vulnerable to cracking, as well as to fragmentation and replay attacks. Use aireplay-ng to generate IV samples and aircrack-ng to decipher the secret key. You can also use wifite to conduct attacks against WEP.
 

WPA: WPA was introduced as an interim replacement for WEP and did not require consumers to replace hardware to support the new security measure. Instead, most vendors released software/firmware updates that could be installed on existing devices. There are multiple flavors of WPA based on the 802.11i wireless security standard: WPA, WPA2, and WPA3. Each of these has Personal or Enterprise modes.
With Personal mode, users use a single shared password (a preshared key [PSK]) that is the same for every endpoint. The PSK (password) can be between 8 and 63 ASCII characters in length. This is fine for small networks with trusted users, where 802.1x-incompatible devices are in use or with guest networks where a captive portal is impossible. With Enterprise mode, users use certificates or credentials (a username and password) via an authentication service, like Remote Authentication Dial-In User Service (RADIUS), instead. These mechanisms are more secure and most often found in enterprise business networks. Every user who authenticates will have a unique session with the AP, making it harder for a malicious user to compromise the individual key when sniffing packets on the same SSID.
WPA increased from 63-bit and 128-bit encryption in WEP to 256-bit encryption technology. WPA implemented the Temporal Key Integrity Protocol (TKIP) after WEP encryption was broken. TKIP is symmetric encryption that still uses the same WEP programming and RC4 encryption algorithm, but it encrypts each data packet with a stronger and unique encryption key. It also includes some additional security algorithms made up of a cryptographic message integrity check, IV sequence mechanism that includes hashing, a rekeying mechanism to ensure key generation after 10,000 packets, and to increase cryptographic strength, it includes a per-packet key-mixing function. These were designed to add extra protection against social engineering, replay and injection attacks, weak-key attacks, and forgery attempts. WPA2 introduced the use of the Advanced Encryption Standard (AES) instead of TKIP. After 2006, all new devices bearing the Wi-Fi trademark required mandatory WPA2 certification.
WPA and WPA2 use a four-way handshake to establish connection.

As referenced below, once the client (or supplicant) and the AP establish a request for association, they use the PBKDF2 algorithm, the PSK, and SSID to derive a shared secret key called a pairwise master key (PMK). The client generates an SNonce, and the AP generates an ANonce. The AP sends the ANonce (message 1 of the four-way handshake) to the client. The AP and the client then derive a temporary pairwise transient key (PTK) using the PMK, the ANonce, the SNonce, and the MAC from the client and the AP. The PTK has five separate keys in 64 bytes: the key confirmation key (KCK); the key encryption key (KEK); a temporal key (TK), which is only valid until the session ends; a Tx key; and an Rx key. The client uses the KCK to generate a message integrity check (MIC), which is sent along with the SNonce in the second message of the four-way handshake. Since the client and the AP are using the same values, the same algorithm, and the same shared secret, they are both able to validate the MIC and decrypt each other’s messages. At this point, the AP and client can encrypt the data in transit without sharing the secret over the wire. The temporal key between the client and the AP is only valid until the session ends. A group transient key (GTK) is exchanged and used to encrypt the broadcast traffic on the wireless network.



Figure:   A detailed diagram of the four-way handshake1

Note: : If you want to read about the PBKDF2 function in all its dry crypto glory, the details are in RFC2898 Section 5.2.

Like WPA2, WPA3 uses AES and, ultimately, a four-way handshake. However, WPA3 is designed for perfect-forward secrecy. This means that the encryption key changes such that its compromise will not result in a breach of data encrypted before that compromise took place. Additionally, WPA3 uses something called Simultaneous Authentication of Equals (SAE) in an attempt to solve WPA and WPA2’s vulnerability to dictionary attacks. SAE is a type of key exchange also referred to as Dragonfly. As with WPA and WPA2, the AP and supplicant start with a shared, salted secret. However, during the handshake, they agree on the parameters to use with either elliptical curve cryptography (ECC) or finite field cryptography (FFC).2 Each party then performs computationally intractable operations to create an asymmetric key whose master key is now exchanged as a surrogate for the PMK in the original four-way handshake. This time, though, cracking the PMK never provides the original shared secret. It also does not grant access to all prior network traffic, because the key changes each time. This is a very simplified explanation, but if you would like to read more about how this works, you can read everything about it in RFC7664.

Tip: WPA uses a four-way handshake and a shared passphrase. Weaknesses in handshake implementation are vulnerable to dictionary attacks (PMKID hash capture and WPA handshake capture). Deauthentication attacks force a new handshake to capture information needed to generate guesses.

Tools for attack include aircrack-ng, aireplay-ng, airodump-ng, wifite, cowpatty, genpmk, and hashcat. WPA3 hides the passphrase behind additional security with the Dragonfly key exchange. WPA3 is weak to downgrade attacks and timing attacks. The Dragonblood vulnerabilities target the Dragonfly key exchange.

Wireless Testing Equipment
Wireless adapters receive and transmit information to other devices on a wireless network. In other words, you will need a wireless antenna in order to observe and interact with wireless networks. When selecting an antenna, you will want to consider supported bands, chipset, and type.
Most antennas will list which of the 802.11 standards they support, and you’ll need to know the one you are targeting in order to choose the best hardware. Some will support multiple standards, which can be useful. However, there are cases where performance considerations will make you select a more specialized antenna. It is unlikely you will be tested on brand specifics during the exam, but you should be aware of this need.

Many internal wireless adapters do not allow you to use monitor mode, a requirement for eavesdropping. External adapters overcome this issue and typically have better range. But finding the right adapter that works with operating systems like Kali Linux can be a challenging endeavor. Adapters come in many shapes and sizes and can support both single-band or dual-band (2.4 GHz and 5 GHz) networks. The two most important factors that make a wireless adapter compatible for operating systems are the chipset (hardware) and the drivers (software).

The following are popular chipsets that support monitor mode and injection and are compatible with the Kali operating system:
- Atheros AR9271
- Ralink RT3070
- Ralink RT3572

Note: : Once you have an antenna and have installed an adapter, in Kali Linux, the iwlist command can be used to show compatible channels, frequencies, encryption capabilities, and APs the interface has associated with. The iw and iwconfig commands can be used to manipulate the interface by enabling or disabling it or by manually configuring it on a wireless network.
As for antenna type, let’s say you want to be discreet during a wireless assessment. The type of antenna you choose will affect how close you have to be, where you need to be to get a good signal, and the strength of the signal you can use. Directionality and gain are the two antenna attributes you will most need to consider.
Wi-Fi antennas are either directional or omnidirectional. Directional antennas have comparatively better signal strength, but require more precise aim in relation to the signal. This means you can be farther away as long as you can point your antenna toward the target and have a good line of sight. But not all directional antennas are used at long range. Most RFID badge readers are flat panel near-range directional antennas. Omnidirectional antennas can work in any direction, but often sacrifice strength. So, you need to be closer in order to work.
When we talk about the strength of a signal, we’re really talking about the gain. Antenna gain (dBi) is a relative measure of how well an antenna performs when receiving and transmitting data. This number is useful in determining signal reach when examining the physical perimeter of a wireless network and can often be used by detection devices when seeking rogue wireless devices.

Note: : LearnTomato has a great article about Wi-Fi antennas at https://learntomato.flashrouters.com/how-to-increase-wifi-range-with-the-right-wifi-antenna/.

Attacking Wireless
Now we’re ready to talk about the fun part: the attack. In this section, we’ll discuss attacks against different wireless implementations and some tactics you might use when targeting wireless networks in general. If you plan to create a home lab for experimentation, the following basic items are recommended for the testing environment:
- Laptop (standard keyboard layout) with Kali Linux and a wireless card that supports injection
- Wireless router that supports WEP, WPA, and WPS
- Wireless client that can be used to generate traffic

Wireless Scanning and Discovery
Stumbling is a surveillance technique used for discovering SSIDs, router vendor information and signal strength, MAC addresses, channels, access control protections (encryption), and more. This process is a little more involved than just enabling Wi-Fi on your phone to see if you can find any open access points to connect to. Stumbling would typically capture wireless data along with global positioning system (GPS) data in order to map what is found.

This often builds a locality-specific set of information similar to what you might find in the Wireless Geographical Location Engine (WiGLE), which can be found at https://wigle.net/. Wardriving is a tactical process for surveying an area for access points while in a moving vehicle.

The goal is preliminary reconnaissance and to pinpoint wireless networks and potential targets in a certain area of interest. If the customer has a large campus or facility, this technique may be useful for simulating real-world scenarios and demonstrating adversarial capabilities by various threat actors.

Aircrack-ng (https://www.aircrack-ng.org) is open-source software that provides a suite of tools for conducting RF communication monitoring and security testing of Wi-Fi networks. Airodump-ng is a popular wireless sniffing tool included with the aircrack-ng toolset that can be used during a pentest to discover and validate wireless targets. Airodump-ng helps identify the ESSID and BSSID of access points and any station/client MAC address that is associated with the AP, including various attributes like the channel it is connected to, the transfer speed, and access control (encryption) for connecting to the AP.

Airodump-ng is a command-line tool that is natively installed in Kali Linux. However, before using the tool you must first put your wireless adapter into monitor mode so your computer can listen and inject packets onto wireless networks. Use the airmon-ng command, which is included in the aircrack-ng suite of tools, in order to configure your adapter in monitor mode.

The figure below shows an example of starting airmon-ng in monitor mode for the wlan1 interface:



Figure:   airmon-ng
 

airmon-ng start wlan1

Note: : If your wireless adapter fails to go into monitor mode in Kali, try killing processes with rfkill unblock all. Then try to put the adapter in monitor mode. If it still doesn’t work, your wireless adapter may not support monitor mode.

Once the adapter is configured to listen and inject packets onto the network, you are in business. Now, you can use airodump-ng to start capturing packets from various wireless networks within the range of your adapter and antenna. Airodump-ng will hop from channel to channel to identify wireless devices it can receive beacons from if no channels are specified at the command line. Channel hopping makes capturing packets from your targets more difficult. In this case, you can sit on a single channel in order to target collection against a specific range of APs.

The figure below shows how to use airodump-ng to capture packets based on specific channel settings for the AP and dump the output into multiple formats to include TXT, PCAP, and CSV for easy parsing in Microsoft Excel. One important thing to note is the PWR reading for each station (client) and BSSID (router). This is the wireless signal strength, and it is measured in decibels milliwatts (dBm), expressed in negative values. The closer the number is to zero, the stronger the signal and the closer you are to the device.



Figure:   airodump-ng
 

airodump-ng -c 4,5 wlan1mon -w channel4-5.out

Tip: Kismet (https://www.kismetwireless.net) can also do 802.11 sniffing and perform wireless intrusion detection, and it has better GPS support than airodump. You might choose to use Kismet for stumbling and mapping or for wardriving and follow up with airodump for further inspection. If you save your data as a PCAP, you can replay it in Wireshark (https://wireshark.org), which provides the capability to separate frames for further packet inspection.

Cracking WPS
For WPS, let’s start by identifying WPS networks using a tool called wash in Kali. Even though WPS is designed to require user interaction to initiate data exchange, some devices are still discoverable. Wash also supports active probing of detected wireless networks to identify whether they support WPS.

The figure below provides an example of how to locate WPS networks using wash.



Figure:   Locate WPS networks with wash

Once you have identified a WPS PIN–controlled target, you can use the reaver command in Kali Linux to brute-force attack the WPS PIN. Reaver attacks a WPS implementation weakness in the registrar functionality, where it only takes 11,000 attempts to guess the correct WPS PIN.

The figure below shows example output of reaver successfully recovering the PIN for a WPS network after targeting a wireless repeater. You can execute reaver using the following command syntax:



Figure:   Successful recovery of WPS PIN
 

# reaver -i <interface> -b <target MAC of AP> -c <channel> -vvv -K 1

The command options include the following:
- -i  Your wireless interface name
- -b  MAC of the target AP
- -c  Channel to camp on
- -vvv  Verbosity level
- -K  Execute pixie dust attack (brute-force WPS PIN)

Note: : A wireless repeater (also called a range extender) rebroadcasts the same signal from an AP. By repeating the signal, it is able to create another network for clients outside the range of the AP to associate with, thus extending the wireless coverage. These types of devices are recommended for residential use.

Once you have the PIN, the AP will give you the WPA password. You can recover the password using the reaver command.

The figure below provides an example of successfully recovering the password used to connect to the wireless network.



Figure:   Successfully recovering the WPA password

Caution: This attack does not work against all WPS-enabled devices. Some devices require a user to press a button on the outside of the router, which will only enable WPS for a short period, limiting the window for attack. Other devices have built-in protection against brute-force PIN attempts and will lock out the device attempting to connect to the network after too many unsuccessful attempts. This is done by the AP applying a MAC filter against the hardware address of the network interface card making the connections. You can try and bypass the PIN lockout by setting a delay in reaver and running macchanger to change the MAC address of your wireless interface.

Cracking WEP
First, review the figure below . When you know the unencrypted value of the data that is being sent (i.e., an ARP packet) and you know the IV, this reduces the number of things you need to guess in order to derive the encryption key. You see, most implementations of WEP initialize hardware using an IV of 0, then increment by 1. This can iterate through the 24-bit IV space in a matter of hours (depending on the amount of network activity). That forces the network to initialize the IV back to 0 and repeat the use of IVs.
Let’s walk through an exercise for recovering a WEP key by replaying (injecting) an ARP packet on the network to generate new unique IVs. We will assume that you have a WEP-enabled access point configured with at least one wireless client on the network that can generate ARP traffic (e.g., ping a nonexistent host continuously during the exercise) and are using Kali Linux as your testing host.
 

1.: Open up a terminal window in Kali Linux and list all available wireless interface cards.
# airmon-ng

Tip: You can also list available wireless interface cards using the command iwconfig.
 

2.: Enable monitor mode on the wireless interface card that supports injection. In this case, wlan1 was switched to wlan1mon for monitor mode.
# airmon-ng start wlan1
 

3.: Use the wireless interface enabled for monitor mode to identify the channel your WEP network is operating on, using either the BSSID (MAC address) or ESSID (i.e., network name). The channel number will be listed under the “CH” column. In this case, the access point was operating on channel 9.
# airodump-ng wlan1mon
Once you have identified the channel, use CTRL-C to exit out of airodump-ng and make note of the channel, network name, and MAC address for the target AP.
 

4.: Test the wireless device packet injection, as shown next. If you receive “Injection is working!” you can move on to step 5. If not, check to make sure you are using a compatible wireless card.
# aireplay-ng -9 -e <network name> -a <target MAC> <interface>


The command options include the following:
- -9  Means injection
- -e  Wireless network name
- -a  MAC of the target AP
- <interface>  Your wireless interface name
 

5.: Start airodump-ng to capture the IVs from the access point. To do this, use airodump-ng and put the collected packets into a file. You will use this file later for cracking the WEP key. The illustration shows an example airodump-ng session after executing the following command:
# airodump-ng -c 9 --bssid <target MAC> -w wep-output <interface>

Tip: The airodump-ng tool will hop from channel to channel and restrict your ability to collect all of the packets necessary to recover the WEP key from the target network. Camping out on the specific channel will help increase the odds of successful exploitation.



- -c  The channel you are camping on
- --bssid  MAC of the target AP
- -w  Output file containing the IVs
 

6.: Now, use aireplay-ng to initiate a fake authentication request with the access point and attempt to associate with the network. You should do this concurrently with the previous step to ensure you collect all of the data you have replayed. In a separate terminal window, execute aireplay-ng using the following command syntax:
# aireplay-ng -1 0 -e <network name> -a <target MAC> -h <wireless MAC> <interface>
The example output is as shown:


The command options include the following:
- -1  Use fake authentication
- 0  Reassociation timing in seconds
- -h  Your wireless interface MAC
 

Caution: The AP will not accept packets from a source MAC address that has not already associated with the network. If the AP sees packets from a source MAC that has not associated, it will ignore the packet and send a deauthentication packet in cleartext and no new IVs will be created because the injected packets will be ignored.
 

7.: The next step is to start aireplay-ng in ARP request replay mode. When the program identifies an ARP request, it will immediately start to inject it, shown next:
# aireplay-ng -3 -b <target MAC> -h <wireless MAC> <interface>



- -3  Listen to/inject ARP requests
- -b  MAC of the target AP

Tip: Let the aireplay-ng command run for a few minutes to capture enough packets:
64-bit WEP key is a 10-digit key
128-bit WEP key is a 26-digit key

It will take roughly five minutes to crack either key length having enough IVs. However, if your screen says “got 0 ARP requests” after waiting a while, start pinging invalid IP addresses from the wireless client on the target network.
 

8.: Once you think you have enough IVs (e.g., 5,000 IVs seems to be a good amount to crack the WEP key relatively quickly), kill off the airodump-ng and aireplay-ng commands executed in the previous steps using CTRL-C to allow the command to finish writing to the output files. The .cap file is a PCAP file that can also be replayed in Wireshark. Here’s an example IV captured in the WEP parameters of the broadcasted packet.



 

9.: Now, you can use aircrack-ng to crack the WEP key for the target AP, using the IVs captured from step 3. You may have multiple .cap files. You can use a wildcard to specify all of the files and let aircrack-ng sort them out:
# aircrack-ng -b <target MAC> wep-output*.cap

The command is as follows:




Tip: Another way to accomplish WEP key recovery when there are no clients on the network is by executing a fragmentation attack. This type of attack will speed up the cracking process by injecting arbitrary packets into the wireless access point but does not actually crack the key. The fragmentation attack exploits the pseudo-random generation algorithm (PRGA) sequence in RC4, where after 4,096 packets, 2 will likely share the same IV and thus the same RC4 key. In Kali Linux, you can use aireplay-ng with the fragmentation attack option (-5) to recover the PRGA and then use the packetforge-ng command to carry out the injection attack and ultimately recover the WEP key. You can read more about these types of attacks at www.aircrack-ng.org.

Cracking WPA-PSK and WPA2-PSK
WPA and WPA2 both rely on the four-way handshake and authentication method. Refer to the figure if you need a refresher on the four-way handshake. We can use the same basic method for cracking them. While they use different encryption protocol strengths, both are susceptible to brute force. First, assume you can capture the handshake.

Let’s take inventory of what you know based on what is available to you on the network:
- The SSID of the AP and the supplicant
- The MAC of the AP and the supplicant
- The ANonce and the SNonce (message 1 and message 2)
- The algorithm used to generate the PMK
- The MIC (from message 2 and 3)

This means that if you can capture the four-way handshake, you can use the information you know along with a dictionary of guesses to generate a PMK of your own. Then you can test that generated PMK using the MIC to see if it’s valid for the network.

Now, here’s an exercise using the Aircrack utilities to crack a WPA2 network using a preshared key. We assume that you are attacking a test WPA2 network configured with a simple password that is susceptible to a dictionary attack, that the network has at least one wireless supplicant on the network, that you can deauthenticate that supplicant at will, and that you are using Kali Linux as your attack host. Before you begin, you should follow Steps 1–3 from the WEP exercise to identify the appropriate channel and MAC address of the target AP hosting your test WPA2 network. If you know those details already, you can proceed.

Our first goal is to try to collect the handshake.
 

1.: Start airodump-ng. Wireless clients will appear under the STATION column and will report the BSSID of the AP they are connected to. The following illustration shows an example of starting airodump-ng to collect a handshake against the target AP on channel 4.


The command options are as follows:
- -w  Output file containing the four-way handshake
# airodump-ng -c 4 --bssid <target MAC> -w <outfile> <interface>
 

2.: If you are patient enough, you can wait for a client to deauthenticate from the network naturally, you will capture the handshake, and airodump-ng will report the handshake in the top-right corner of the terminal window. However, to force the issue, you can use aireplay-ng to deauthenticate an existing wireless client from the network to capture the four-way handshake. An example of capturing the handshake after deauthenticating a Windows client from the network is shown next.

Open up a separate terminal window and execute aireplay-ng using the following command syntax:
# aireplay-ng -0 1 -a <target MAC> -c <target MAC> <interface>
- -0  Deauthentication
- 1  How many deauthentications to send to the wireless client
- -c  MAC of the target wireless client




Tip: Deauthenticated wireless clients may connect to a different network that it knows about, which would prevent you from capturing the handshake until it comes back to the network you’re on.
 

3.: Once you capture the handshake with airodump-ng, you can use a dictionary attack (rather than brute force, as with WEP). Use aircrack-ng and your favorite wordlist to crack the PSK found in the handshake. Kali includes a few wordlists located in /usr/share/wordlists. For this exercise, we used the rockyou.txt list located in the wordlists directory, shown in the following illustration, to successfully crack the PSK. Use CTRL-C to close the terminal window you were running airodump-ng from, then use the following command syntax to crack the WPA PSK:



- -w  Wordlist (dictionary)
- <outfile>  Output file containing the four-way handshake


Other methods are available to crack the WPA/WPA2 PSK, depending on your tool preference and the level of complexity required to recover the PSK. In Kali, the genpmk command can be used to build a PMK table (rainbow table) by precomputing the hashes and saving them into a hash file. Then, you can use the cowpatty command, along with the four-way handshake from a PCAP file and genpmk hash file, to crack the WPA/WPA2 key. In turn, the hash file can be reused in future engagements to help speed up the cracking process.

Many prefer to use hashcat to execute a dictionary, brute-force, or rule-based attack because graphics processing unit (GPU)–based password guessing is often much faster. Hashcat does not support handshakes in the PCAP format. However, you can use the cap2hccapx utility from hashcat-utils to convert the .cap file over to hashcat’s own “hccapx” file format. The hashcat-utils project includes helpful binaries to assist with complex password cracking. You can download the latest release from https://github.com/hashcat/hashcat-utils/releases, which includes source code and precompiled binaries for both Windows and Linux operating systems.

The latest release (please verify this) hashcat-utils-1.9.7. After downloading the hashcat-utils prebuilt binaries or compiling the source code, you can convert the PCAP format over to hccapx by executing the cap2hccapx command using the following syntax:
# ./cap2hccapx <outfile>.cap <newfile>.hccapx

The command options are as follows:
- <outfile>  PCAP file containing a four-way handshake collected from airodump-ng in step 1
- <newfile>  Name of the new hccapx-formatted file to create

If the command was successful, it will print out to the terminal how many WPA handshakes it wrote to the new .hccapx file. Before executing hashcat, verify that it can see your GPU or CPU by executing hashcat –I at the command line. Check out the hashcat website (https://hashcat.net/hashcat) to ensure you have the latest driver requirements to support your environment; otherwise, hashcat may not be able to run.

To execute a dictionary attack in Kali Linux against the new hccapx-formatted file with the rockyou.txt wordlist, execute the hashcat command using the following syntax:
# hashcat –m 2500 <newfile>.hccapx rockyou.txt
- -m  The hash type to use (i.e., 2500 = WPA/WPA2)
- <newfile>  Name of the hccapx-formatted file

If the command executed successfully, you should see the plaintext value of the key. The hashcat website provides a wiki with additional guidance on how to brute-force attack the hccapx file using combinations for calculating the length, character type, and so on and rule-based attack methods for mutating a wordlist using a predetermined set of rules to make certain letters uppercase, lowercase, etc.

These types of methods help improve the efficiency of the attack.

Attacking the Dragonfly Handshake (Dragonblood Attack2)

Remember that WPA3 implements SAE, also referred to as the Dragonfly key exchange. The Extensible Authentication Protocol-Password (EAP-PWD) authentication method, which is used in some Enterprise networks, also uses Dragonfly handshakes and may be vulnerable to some of the same attacks. Research by Mathy Vanhoef and Eyal Ronen has revealed this is vulnerable to multiple types of attacks, even despite the implementation of additional security measures.

ir research proposes that WPA3 connections can be tricked into downgrading to a weaker protocol (such as WPA2), or choose a weak security group using a rogue AP and forged messages, or discern information about the password based on timing of responses to commit frames. We’ll talk more about rogue AP attacks later in this guide. But attackers can use the Dragonslayer proof of concept to attempt to bypass authentication using a valid username, use the Dragontime proof of concept to test for password leakage based on timing if certain configurations are supported by the target, and use the Dragonforce proof of concept to attempt to crack passwords based on timing attacks. These tools can be found in Mathy Vanhoef’s GitHub at https://github.com/vanhoefm.

Jamming and Other Denial of Service Attacks
Jamming Wi-Fi is illegal in the United States, according to the FCC.3 This applies to using a device to generate a radio signal designed to interfere with an otherwise legitimate radio signal, such as a Wi-Fi or cellular network. However, denial of service through protocol abuses is still legal and may be something you need to do during a penetration test. For example, if you need to force a target to connect to your device in order to capture traffic, you may need to temporarily target the other network.

Obviously, you need to be cautious when launching denial of service attacks and be certain their impact falls within your authorization for testing.

You can use a tool such as mdk4, which is part of the aircrack-ng suite of tools, to launch denial of service attacks such as:
- Beacon flooding, which may show fake APs to clients
- Overwhelming APs with authentication frames
- Sending repeated deauthentication and disassociation packets to clients to force them off the network
- Intentionally triggering defense lockouts (Michael countermeasures in TKIP)
- Sending fake sessions to flood APs

 

Let’s run through a quick example of how you might use this tool.
 

1.: First, install the tool in Kali if it is not already installed.
$ sudo apt install mdk4
2.: It has to run as root, so you will either need to type sudo  for each of these or sudo su –  to change your user context. To get help, you can look at a single module. The following will show the help for the beacon flooding module:
$ sudo mdk4 --help b
3.: Let’s use this to flood the nearby area with a bunch of false AP names. This will use our wireless interface wlan01, -b to specify beacon flooding mode, -a to generate SSIDs with nonprintable characters and use SSIDs larger than 32 bytes, -m to use valid MAC addresses by manufacturer for the false APs, and -s to send 500 packets per second.
sudo mdk4 wlan01 -b -a -m -s 500
4.: Now, when clients look for wireless networks, they’ll see a ton of garbage APs to choose from.
Depending on the rules of engagement for the pentest, you may be authorized to target the communications of wireless targets on the network in order to harvest credentials or sensitive data that could help aid with further target development and exploitation. One way to do this is to act as a fraudulent Wi-Fi access point, otherwise known as the evil twin. HostAP (in Kali Linux: apt-get install hostapd) is a popular access point software that can be run from a computer operating system such as Kali Linux. It allows the host to perform all functions of a typical wireless router.

Tip: Rogue AP attacks may be used for targeting Enterprise implementations that rely on RADIUS. Attack tools such as HostAP and EAPhammer can launch attacks like the Karma attack that will help target these networks. You can also use airbase-ng and aireplay-ng.

For WPA and WPA2 enterprise networks, HostAP provides support for RADIUS authentication and supports the ability to carry out impersonation attacks against wireless clients. Hostapd-wpe supports impersonation against the various authentication protocols, including the Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), and Microsoft’s version of CHAP (MS-CHAPv2). Once a client connects and sends user credentials (which in many cases can be a username/password hash from Active Directory), hostapd-wpe can be configured to send an EAP success message to the client, which can trick the client into thinking it just authenticated to the legitimate RADIUS authentication server.

Additional offline and on-path attacks can be executed at this point, such as cracking the NTLMv2 hash or providing networking connectivity through a Dynamic Host Configuration Protocol (DHCP) lease, Domain Name System (DNS) redirect, and so on. Implementing server certificate validation is one way to mitigate against this type of impersonation attack. However, the weakest link would be the user if he or she accepts the unknown or self-signed server certificate warning prompted during authentication to the malicious AP. The hostapd-wpe tool is a modified version of the HostAP software to help facilitate on-path attacks such as evil twin and the Karma attack. More information can be found at https://tools.kali.org/wireless-attacks/hostapd-wpe.

The Karma attack is an AP method used to listen for any network probe request from a client to join a .jpg" width="400px"> network, not just one specifically targeted network, like the evil twin attack. In turn, it will rebroadcast the ESSID from the victim in order to entice the victim to connect to the evil network. For example, if you leave wireless enabled on your mobile device and run out to the store to do some shopping, your phone will probe for networks that it has previously associated with. If you have ever connected to an open access network, it’s very likely that your phone will at some point try to connect to that SSID if the wireless card is not already connected. This could leave your phone susceptible to a Karma attack, as the evil twin only needs to know the SSID value of the network to duplicate, not a PSK.

Another way to impersonate the SSID of the network is to use the Airbase-ng utility. Using Kali Linux, you can execute the following command to create the “evil twin” of a legitimate network:
# airbase-ng –a <bssid> –-essid <wireless name> –c <channel> <interface>

Once you have the network up and running, you will need to force the clients to connect. To do that, you can simply issue deauth packets with aireplay-ng. The clients will all disconnect from the AP and attempt to reconnect to the network.

Using Kali Linux, you can execute the following command to force the clients to deauthenticate from the legitimate AP:
# aireplay-ng –deauth 0 –a <target AP MAC> <interface> –ignore-negative-one
 

Caution: If not all the clients reconnect to your evil twin AP, you can boost the signal of your wireless card to be stronger than the legitimate one, or try and get as close as you can to the wireless clients you want to target. Boosting the power on your wireless NIC can be dangerous and illegal in some countries. The default Tx-Power setting is typically 20 dBm but can increase to 30 dBm by changing your wireless card regulation settings with iw reg set BO then iwconfig <interface> txpower 30. Doing so can cause your network card to overheat and possibly damage the wireless NIC or your testing device.

Session Hijacking
Once you have wireless clients connected to your evil twin AP, you can start monitoring and capturing their traffic using Wireshark. When network users log in to websites, a session cookie is created for the session. If you can extract the session cookie from the HTTP session, you can leverage the session to interact with a target website. This could be a convenient way of escalating privileges on the network through administrative consoles.

Note: : Unless you can act as a passthrough between your targeted WLAN user and the website they request (because your device is connected to the Internet or intranet, depending on your target), an evil twin attack can’t help you much with session hijacking.

Attacking Bluetooth
The 802.15 group of standards defines specifications for various categories of wireless private area networks (WPANs), including Bluetooth and ZigBee. Both technologies run on the same wireless frequency band (2400 to 2483.5 MHz within the 2.4 GHz frequency band). ZigBee is a mesh network protocol that was designed to carry lots of data packets over short distances.

Bluetooth is similar, in the sense that it also carries data over short distances.

Bluetooth can be found in different consumer technologies, including speakers, printers, headphones, keyboards, and mobile phones.

Much like Wi-Fi, Bluetooth is susceptible to various types of data exfiltration and remote exploitation attacks due to common vulnerabilities such as:
- Legacy or faulty Bluetooth implementations
- Short PINs that are susceptible to brute-force attacks
- Users pairing Bluetooth devices in public places

We will cover these types of attacks further in the next few sections.
 

Primary Layers of Bluetooth
Bluetooth contains multiple layers in its protocol stack. The following are the primary layers of the stack:
- SDP  Service Discovery Protocol discovers Bluetooth services offered from other devices within range.
- LMP  Link Managing Protocol keeps track of connected devices.
- L2CAP  Logical Link Control and Adaptation Protocol provides data services to upper layers of the Bluetooth protocol stack.
- RFCOMM  Radio Frequency Communication uses L2CAP to provide emulated serial ports to other devices.
- TCS  Telephony Control Protocol uses L2CAP and provides telephone functionality.

Bluetooth Specifications
Bluetooth is designed to have a much more limited range compared to Wi-Fi, for example. This makes it ideal for computing peripherals and small consumer appliances. Bluetooth Low Energy (BLE) is slower, but it uses less power over time, making it ideal to power Internet of Things (IoT) and machine-to-machine (M2M) applications like Fitbits and blood pressure monitors while supporting years-long battery life.

The table below shows Bluetooth, Bluetooth 4.0 LE, and Bluetooth 5.0 LE for comparison.



Table:   Bluetooth Implementations Compared

Device Discovery
Information gathering is the first step in hacking Bluetooth-enabled devices. This process is called Blueprinting. BlueZ (http://www.bluez.org) is the default protocol stack for Bluetooth in most Linux distributions, including Kali Linux. BlueZ includes default capabilities that can be used to enable or disable your Bluetooth adapter and can also be used for basic reconnaissance during the information gathering process. In order to be able to test or discover remote Bluetooth devices, you need to have a compatible adapter (USB dongle). In Kali, you can verify the existence of your Bluetooth adapter (built-in or USB) by executing the hciconfig command at the command prompt. If your adapter exists, you will see the MAC address and other device information, much like running the ifconfig or iwconfig command.

To enable the interface, type:
hciconfig hci<#> up

Once the interface is enabled, you can use the hcitool command in Kali Linux to discover and inquire about other devices, authenticate to devices, and much more. Use the --help option to list additional command options. The bluelog scanner is another command-line utility installed in Kali Linux that can assist with Bluetooth device discovery.

To see a full list of discovery tools available in Kali Linux, check out https://tools.kali.org/tag/bluetooth.

Note: : Ubertooth (http://ubertooth.sourceforge.net) is a development platform suitable for experimenting with Bluetooth. If you are not up for the challenge of building your own Bluetooth testing adapter, the Ubertooth One (you can purchase it through Amazon) is the hardware platform (USB adapter), customized and tweaked to support the installation of tools from the Ubertooth platform.

Bluetooth Attacks
Bluetooth is a chatty protocol, and when a device is within range, it can be targeted and exploited, making it difficult for the user to know that something malicious is even happening. Once you have fingerprinted a list of Bluetooth devices, you can carry out additional remote attacks such as stealing and harvesting sensitive information from a mobile device.
 

Bluesnarfing is the process of exploiting vulnerabilities found in certain Bluetooth firmware in order to steal information from a wireless device. Successful attacks are capable of stealing contacts, calendar info, e-mail, and text messages when the Bluetooth device is turned on and set to discoverable mode. In the past, a vulnerability in certain vendors’ firmware could be exploited, and device pairing could be completed without the acknowledgment of the user. Bluesnarfer is a tool in Kali Linux that is capable of carrying out this method of attack.

Note: : Modems have been around for decades. The AT commands are instructions used for controlling modems. However, you can read further about vulnerability analysis of AT commands within mobile platforms (like Android) here: https://atcommands.org

Whether it’s unwanted mail, e-mail, or text messages, spam can be aggravating and can be used both by legitimate businesses to entice consumers to buy certain products or by spammers to entice a victim to download some software, click on a link, or wire some money. Unwanted messages can also be delivered via Bluetooth. We will discuss some of these methods in the next few sections.

One method of sending unsolicited messages to mobile users is called bluejacking. This method transmits data to the device without the knowledge of the user. Typically, this type of attack can be carried out by sending an electronic business card via Bluetooth to an unsuspecting victim. Instead of putting a real name in the name field, you can insert a sneaky message.

To counter this type of attack, mobile phone makers limit the amount of time a phone can be in discovery mode for pairing. This helps lessen the window of attack against Bluetooth devices.

RFID and NFC
Radio frequency ID (RFID)
is system that consists of a transponder (tag) and a reader with an antenna. The tag can be unpowered (passive) or have its own source of power (active). Passive tags are powered by the reader. They respond with a value (often a static value) when in proximity of the reader.

A familiar example is some employee ID badges. Active tags are always broadcasting their data, and it is received by a reader. A familiar example are tollway passes for your car. RFID tags are low frequency (LF) or high frequency (HF) and have a range measured in centimeters, or they are ultra high frequency (UHF) with a range of more than a meter.

NFC devices are RFID devices and operate on the same frequency as HF RFID. NFC devices can act as both an antenna and a transponder and can participate in peer-to-peer transactions over a very short range (centimeters). Since they can receive and transmit and often have computational capability, they are often party to more complex authentication protocols. These are often implemented in contactless payment systems, cell phones, and some access control systems. Both RFID technologies implement various protocols for authentication. Some implementations are prone to similar attack approaches, including on-path attacks, cloning, brute-force attacks, amplification attacks, and replay attacks.

Devices such as the ESPKey (https://redteamtools.com/espkey) are so small that they can be installed to intercept traffic between a tag and reader without arousing suspicion. They can receive a signal, log it, and pass it through to a legitimate reader in the simplest form of on-path attack. These attacks often involve modifying existing readers, which may change their appearance, or placing a device on top of the legitimate device much like a skimmer. Anti-tampering mechanisms, such as security tape, special screws, or tamper-proof wiring, are typically effective measures against these attacks.

RFID cloning (or badge cloning) is the process of reading a series of bits from one RFID card (or key fob) and writing the same series of bits to another compatible card. Proximity readers are common security access mechanisms found in commercial applications using contactless card technologies (proximity cards or prox cards) controlled through RF. The biggest difference in proximity readers is how they are connected to the access control system—either through a wireless or wired connection.

Proximity cards are legacy technologies that are typically LF band at 125 to 134.2 kHz. The card will broadcast a 26- to 37-bit key/number, which is configured by computer software. When the key fob/card is presented at a proximity card reader, it can be no more than 15 inches away. The key fob/card data is read and sent to the controller to either grant access or deny it. When access is granted, the controller releases the physical locking mechanism to allow the door to be opened. At the time of this writing, you could purchase an RFID reader/writer, such as the one shown in the illustration, through Amazon for under $100 USD.







Tip: The “RFID Hacking: Live Free or RFID Hard” presentation done at Black Hat USA 2013 (https://blackhat.com) is still a great reference for RFID hacking.

Brute-force attacks are time consuming and conspicuous when the system logs are being actively monitored. However, if you can gather enough intelligence about the system to make an educated guess about the protocol in use or the range of identifiers used by the system, you may be able to use hardware devices such as the Proxmark Pro (https://proxmark.com/) to generate random combinations of RFID identifiers and send them to the reader in an effort to force the system. These attacks must typically be performed within close proximity. Systems that implement built-in delays are resistant to these attacks.

Normally, these devices have a very short range. But what if you could amplify the signal and increase that range? The Tastic RFID Thief device uses a modified RFID reader with internal storage and an increased range to collect information from access badges from a distance of multiple feet. This data can then be used to clone badges from people as they walk by. BishopFox maintains an excellent article with walkthroughs for construction of the device and with videos of the device in use here: https://resources.bishopfox.com/resources/tools/rfid-hacking/attack-tools/

Most of these attacks rely on a static value being transmitted from the RFID tag. Access control systems that implement more complex protocols or use NFC devices with the capability to handle a secure handshake are not susceptible to these attacks. Other mitigations include monitored logging and security cameras, forced delays or lockouts, secure tag storage (such as a signal-blocking sleeve), and physical antitamper mechanisms.

 

Review

- As we have learned throughout this guide, Wi-Fi and RF signals are susceptible to both discovery and compromise. It’s difficult to prevent two radios from communicating with each other. 
- Wi-Fi encryption helps provide confidentiality within the wireless network; however, each encryption protocol has its own weakness. 
- WPA-PSK and WPA2-PSK improved on the imperfections from WEP but are still vulnerable to offline brute-force attacks. 
- WPA and WPA2 Enterprise eliminate the requirement of sharing the PSK for WPA Personal networks with RADIUS authentication, but user communications can still be targeted and fall victim to the same offline attacks as WPA and WPA Personal. 
- The short-range capability of Bluetooth makes pentesting devices fairly difficult unless you are within close proximity of the target device. 
- Although most firmware bugs have been remediated over the years, there are still methods (and some recent public exploits like those targeting the Bluebourne vulnerability) that can be used to initiate DoS attacks against paired devices or those that are left in discovery mode. 
- Wireless communication is an alternative to the typical wired networks and will continue to gain traction moving forward with newer technology, including IoT and Supervisory Control and Data Acquisition (SCADA) monitoring components. 
- The recent developments in WPA3 demonstrate the commitment of the Wi-Fi Alliance to establish a continuous certification process to improve upon the security standards for tomorrow’s technology.
 



ADVERTISEMENT