Hacking Exposed Wireless, 2nd Edition. McGraw-Hill

JOHNNY CACHE

JOSHUA WRIGHT

VINCENT LIU

WIRELESS SECURITY SECRETS & SOLUTIONS

SECOND EDITION

“Finally, a comprehensive look at wireless security, from Wi-Fi to emerging wireless
protocols not covered elsewhere, addressing the spectrum of wireless threats facing
organizations today.”
—Mike Kershaw, author of Kismet
“A practical guide to evaluating today’s wireless networks. The authors’ clear
instruction and lessons learned are useful for all levels of security professionals.”
—Brian Soby, Product Security Director, salesforce.com
“The introduction of wireless networks in many enterprises dramatically reduces the
effectiveness of perimeter defenses because most enterprises depend heavily on
firewall technologies for risk mitigation. These mitigation strategies may be ineffective
against wireless attacks. With outsiders now gaining insider access, an enterprise’s
overall risk profile may change dramatically. This book addresses those risks and
walks the readers through wireless security fundamentals, attack methods, and
remediation tactics in an easy-to-read format with real-world case studies. Never has it
been so important for the industry to get their arms around wireless security, and this
book is a great way to do that.”
—Jason R. Lish, Director, IT Security
Honeywell International
“The authors have distilled a wealth of complex technical information into
comprehensive and applicable wireless security testing and action plans. This is a vital
reference for anyone involved or interested in securing wireless networking technologies.”
—David Doyle, CISM, CISSP, Sr. Manager, IT Security & Compliance
Hawaiian Airlines, Inc.
“Hacking Exposed Wireless is simply absorbing. Start reading this book and the only
reason you will stop reading is because you finished it or because you want to try out
the tips and techniques for yourself to start protecting your wireless systems.”
—Thomas d’Otreppe de Bouvette, author of Aircrack-ng

Hacking Exposed Wireless, Second Edition
ABOUT THE AUTHORS
Johnny Cache received his Master's in Computer Science from the Naval
Postgraduate School in 2006. His thesis work, which focused on
fingerprinting 802.11 device drivers, won the Gary Kildall award for the
most innovative computer science thesis. Johnny wrote his first program
on a Tandy 128K color computer sometime in 1988. Since then, he has
spoken at several security conferences including BlackHat, BlueHat, and
Toorcon. He has also released a number of papers related to 802.11 security
and is the author of many wireless tools. Most of his wireless utilities are included in the
Airbase suite, available at 802.11mercenary.net. Johnny is currently employed by Harris
Corporation as a wireless engineer.

Joshua Wright is a senior security analyst with InGuardians, Inc., an
information security research and consulting firm, and a senior instructor
and author with the SANS Institute. A regular speaker at information
security and hacker conferences, Joshua has contributed numerous
research papers and hacking tools to the open source community. Through
his classes, consulting engagements, and presentations, Joshua reaches
out to thousands of organizations each year, providing guidance on
penetration testing, vulnerability assessment, and securing complex
technologies. Joshua holds a Bachelor of Science from Johnson & Wales
University with a major in information science. In his spare time, he enjoys spending
time with his family, when he teaches his kids to always start counting from zero.

Vincent Liu is a Managing Partner at Stach & Liu, a security consulting
firm providing IT security services to the Fortune 1000 and global financial
institutions as well as U.S. and foreign governments. Before founding
Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering
teams for the Global Security unit at Honeywell International. Prior to
that, he was a consultant with the Ernst & Young Advanced Security
Centers and an analyst at the National Security Agency. He is currently
co-authoring the upcoming Hacking Exposed: Web Applications, Third
Edition. Vincent holds a Bachelor of Science and Engineering from the
University of Pennsylvania with a major in Computer Science and Engineering and a
minor in Psychology.

ABOUT THE CONTRIBUTING AUTHORS
Eric Scott, CISSP, is a Security Associate at Stach & Liu, a security consulting firm
providing IT security services to the Fortune 1000 and global financial institutions as
well as U.S. and foreign governments.
Before joining Stach & Liu, Eric served as a Security Program Manager in the
Trustworthy Computing group at Microsoft Corporation. In this role, he was responsible
for managing and conducting in-depth risk assessments against critical business assets
in observance of federal, state, and industry regulations. In addition, he was responsible
for developing remediation plans and providing detailed guidance around areas of
potential improvement.

Brad Antoniewicz is the leader of Foundstone’s network vulnerability assessment and
penetration testing service lines. He is a senior security consultant with a focus on
internal, external, web application, device, and wireless vulnerability assessments and
penetration testing. Antoniewicz developed Foundstone’s Ultimate Hacking: Wireless
class and teaches both Ultimate Hacking: Wireless and the traditional Ultimate Hacking
classes. Brad has spoken at many events, authored various articles and whitepapers, is a
contributing author to Hacking Exposed: Network Security Secrets & Solutions, and
developed many of Foundstone’s internal assessment tools.

ABOUT THE TECHNICAL EDITORS
Joshua Wright, Johnny Cache, and Vincent Liu technically edited one another’s chapters.
Christopher Wang, aka “Akiba,” runs the FreakLabs Open Source ZigBee Project.
He’s currently implementing an open source ZigBee protocol stack and open hardware
development boards for people who want to customize their ZigBee devices and
networks. He also runs a blog and wireless sensor network (WSN) newsfeed from his
site at http://www.freaklabs.org/ and hopes that someday wireless sensor networks will be
both useful and secure. Christopher supplied valuable feedback and corrections for
Chapter 11, “Hack ZigBee.”

Introduction

Since the first edition of Hacking Exposed Wireless, both the technologies and the threats
facing these communications have grown in number and sophistication. Combined
with the rapidly increasing number of deployments, the risk of implementing
wireless technologies has been compounded. Nevertheless, the risk is often outweighed
by the benefits and convenience of wireless technologies, which have been a large factor
in the spread of these devices within homes, offices, and enterprises spanning the globe.

The story of wireless security can no longer be told with a narrow focus on 802.11
technology. The popularity of wireless technologies has created an intense interest in
other popular wireless protocols such as ZigBee and DECT—interest that has manifested
itself into research into attacks and vulnerabilities within the protocols and the
implementation of those protocols in devices. With this growth in wireless technologies,
these networks have become increasingly attractive to attackers looking to steal data or
compromise functionality. While traditional security measures can be implemented in an
effort to help mitigate some of these threats, a wireless attack surface presents a unique
and difficult challenge that must first be understood before it can be secured in its own fashion.

This book serves as your humble guide through the world of wireless security. For
this edition, we have completely rewritten core sections on how to defend and attack
802.11 networks and clients. We also cover rapidly growing technologies such as ZigBee
and DECT, which are widely deployed in today’s wireless environments.
As with any significant undertaking, this second edition of Hacking Exposed Wireless
was a result of the efforts of several principals over an extended period of time. When we
first returned to this book, we took great care in reviewing all the feedback and comments
to figure out where we needed to do better for our readers. We also revisited all the
technologies included in the previous volume and researched the interesting technologies
that have emerged since the previous edition.

We have a new co-author this time around, Joshua Wright. Josh is one of the most
well-respected minds in wireless security, and we are confident that you will immediately
notice his contributions in the additional breadth and depth of knowledge found on these pages.

HOW THE BOOK IS ORGANIZED
This book is split into three different parts. The first section is dedicated to the ubiquitous
802.11 wireless networks that are commonly deployed within homes and enterprises.
The second section also involves 802.11 but with a focus on the client, which has become
an attractive target for attackers looking to compromise the systems of wireless users.
Coverage of additional wireless technologies including Bluetooth, ZigBee, and DECT
has been grouped into the third section, and should be extremely beneficial for those
readers who deal with the security of devices that use these protocols.

Part I: Hacking 802.11 Wireless Technology
The first section of this book begins with coverage of the fundamentals of the 802.11
wireless standards as well as the hardware and software required to build your own
hacking toolkit. The section then methodically proceeds through the steps of identifying,
enumerating, and attacking 802.11 networks.
Chapter 1: Introduction to 802.11 Hacking
The first chapter provides a brief overview of the 802.11 protocol and then dives directly
into the various topics necessary to assemble a wireless hacking toolkit. This chapter
includes instructions on proper operating system setup, choosing the correct wireless
cards, and selecting the right antennae.
Chapter 2: Scanning and Enumerating 802.11 Networks
Chapter 2 covers popular scanning tools on Windows, Linux, and OS X platforms.
Vistumbler, Kismet, and KisMAC are covered at length. This chapter also includes a
summary of the 802.11 geolocation and visualization tools available today, and how to
get these tools to cooperate with GPS.

Chapter 3: Attacking 802.11 Wireless Networks
Chapter 3 covers all of the classic attacks against WEP, as well as the unusual ones.
Detailed instructions on cracking WEP keys, pulling them out of the air from FiOS
routers, and various traffic injection attacks are covered. Basic DoS attacks are also covered.
Chapter 4: Attacking WPA-Protected 802.11 Networks
Chapter 4 covers all of the practical attacks currently known against WPA. These include
dictionary attacks against WPA-PSK, attacking LEAP-protected networks with Asleap,
and offline attacks against the RADIUS shared secret. It also explains the recently
discovered Beck-Tews TKIP attack.

Part II: Hacking 802.11 Clients
Part II of this book covers 802.11 security from the client perspective and discusses the
types of attacks that are commonly used to compromise wireless clients. Detailed
walkthroughs are presented of real-world attacks against clients running on both the
OS X and Windows platforms.
Chapter 5: Attack 802.11 Wireless Clients
Chapter 5 walks the reader through a variety of attacks that can be used to compromise
a wireless client. Attacks include application layer issues, rogue access points, direct
client injection, device driver vulnerabilities, and cross-site request forgery (XSRF) injection attacks.
Chapter 6: Taking It All the Way: Bridging the Airgap from OS X
Chapter 6 shows the reader a detailed account of exploiting a Mac OS X 802.11 client,
followed by techniques for leveraging access from the compromised Mac to exploit
nearby wireless networks.
Chapter 7: Taking It All the Way: Bridging the Airgap from Windows
Chapter 7 shows the reader how to exploit a Windows wireless client, leveraging access
gained on the client to exploit additional wireless devices.

Part III: Hacking Additional Wireless Technologies
Part III of this book covers additional wireless technologies including ZigBee, DECT, and
an in-depth treatment of Bluetooth detection and exploitation.
Chapter 8: Bluetooth Scanning and Reconnaissance
Chapter 8 is devoted to identifying target Bluetooth devices, including how to select the
appropriate testing hardware and software. Several practical approaches to finding
Bluetooth devices are covered in this chapter.
Chapter 9: Bluetooth Eavesdropping
Chapter 9 follows the prior topics of scanning and reconnaissance with detailed guidance
on eavesdropping attacks. This chapter focuses specifically on the variety of methods
and tools used to perform eavesdropping attacks.
Chapter 10: Attacking and Exploiting Bluetooth
Chapter 10 continues directly from the previous chapter and dives into several different
attacks against Bluetooth devices that target implementation-specific and protocol
vulnerabilities. Topics include PIN cracking, identity manipulation, and profile abuse.
Chapter 11: Attack ZigBee
Chapter 11 covers the history and fundamentals behind the ZigBee protocol before
continuing on to device discovery and network-related attacks such as eavesdropping
and replay. Also included are details on more sophisticated encryption and hardware
attacks against ZigBee devices.
Chapter 12: Attack DECT
Chapter 12 examines the fundamental technology and characteristics behind the popular
Digital Enhanced Cordless Telecommunications (DECT) specification, which is the
worldwide standard for cordless telephony. Practical attacks on how to eavesdrop and
manipulate DECT traffic are covered as well.

Appendix: Scoping and Information Gathering
The Appendix examines the requirements and considerations for scoping a wireless
assessment, identifying pitfalls and opportunities for assessing, scoping, and
implementing a successful test with insight gathered over hundreds of professional engagements.


Product details
File Size: 11,345 KB
Pages: 513 p
File Type: PDF format
ISBN: 978-0-07-166662-6
Copyright: 2010 by The McGraw-Hill

AT A GLANCE
Part I Hacking 802.11 Wireless Technology
▼ 1 Introduction to 802.11 Hacking
▼ 2 Scanning and Enumerating 802.11 Networks
▼ 3 Attacking 802.11 Wireless Networks
▼ 4 Attacking WPA-Protected 802.11 Networks 
Part II Hacking 802.11 Clients
▼ 5 Attack 802.11 Wireless Clients
▼ 6 Taking It All The Way: Bridging the Airgap from OS X
▼ 7 Taking It All the Way: Bridging the Airgap from Windows
Part III Hacking Additional Wireless Technologies
▼ 8 Bluetooth Scanning and Reconnaissance
▼ 9 Bluetooth Eavesdropping 
▼ 10 Attacking and Exploiting Bluetooth
▼ 11 Hack ZigBee
▼ 12 Hack DECT
▼ A Scoping and Information Gathering

▼ Index


Table of Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part I Hacking 802.11 Wireless Technology
Case Study: Wireless Hacking for Hire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Her First Engagement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
A Parking Lot Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The Robot Invasion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Final Wrap-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
▼ 1 Introduction to 802.11 Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
802.11 in a Nutshell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
The Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Addressing in 802.11 Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
802.11 Security Primer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Discovery Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Hardware and Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
A Note on the Linux Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chipsets and Linux Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Modern Chipsets and Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Cellular Data Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
GPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
▼ 2 Scanning and Enumerating 802.11 Networks . . . . . . . . . . . . . . . . . 41
Choosing an Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Windows Discovery Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Vistumbler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
inSSIDer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Windows Sniffing/Injection Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
NDIS 6.0 Monitor Mode Support (NetMon) . . . . . . . . . . . . . . . . . . . . 50
AirPcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
CommView for WiFi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
OS X Discovery Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
KisMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Kismet on OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Linux Discovery Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Kismet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Mobile Discovery Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Online Mapping Services (WIGLE and Skyhook) . . . . . . . . . . . . . . . . . . . . . . 75
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
▼ 3 Attacking 802.11 Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Basic Types of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Security Through Obscurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Defeating WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
WEP Key Recovery Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Bringing It All Together: Cracking a Hidden MAC-Filtering, WEP-Encrypted Network . . . . . . 104
Keystream Recovery Attacks Against WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Attacking the Availability of Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . 111
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
▼ 4 Attacking WPA-Protected 802.11 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Breaking Authentication: WPA-PSK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Breaking Authentication: WPA Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Obtaining the EAP Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
LEAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
PEAP and EAP-TTLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
EAP-TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
EAP-FAST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
EAP-MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Breaking Encryption: TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Attacking Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Part II Hacking 802.11 Clients
Case Study: Riding the Insecure Airwaves . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
▼ 5 Attack 802.11 Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Attacking the Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Attacking Clients Using an Evil DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Ettercap Support for Content Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Dynamically Generating Rogue APs and Evil Servers with Karmetasploit 167
Direct Client Injection Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Injecting Data Packets with AirPWN . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Generic Client-side Injection with airtun-ng . . . . . . . . . . . . . . . . . . . . 175
Munging Software Updates with IPPON . . . . . . . . . . . . . . . . . . . . . . . 177
Device Driver Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Fingerprinting Device Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Web Hacking and Wi-Fi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Hacking DNS via XSRF Attacks Against Routers . . . . . . . . . . . . . . . . 197
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
▼ 6 Taking It All The Way: Bridging the Airgap from OS X . . . . . . . . . . . . . . . . . . . . . . 203
The Game Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Preparing the Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Prepping the Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Performing Initial Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Preparing Kismet, Aircrack-ng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Prepping the Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Exploiting WordPress to Deliver the Java Exploit . . . . . . . . . . . . . . . . 214
Making the Most of User-level Code Execution . . . . . . . . . . . . . . . . . . . . . . . 217
Gathering 802.11 Intel (User-level Access) . . . . . . . . . . . . . . . . . . . . . . 219
Popping Root by Brute-forcing the Keychain . . . . . . . . . . . . . . . . . . . 220
Returning Victorious to the Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Managing OS X’s Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
▼ 7 Taking It All the Way: Bridging the Airgap from Windows . . . . . . . . . . . . . . . . . . . 239
The Attack Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Preparing for the Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Exploiting Hotspot Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Controlling the Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Local Wireless Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Remote Wireless Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Windows Monitor Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Microsoft NetMon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Target Wireless Network Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Part III Hacking Additional Wireless Technologies
Case Study: Snow Day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
▼ 8 Bluetooth Scanning and Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Bluetooth Technical Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Device Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Bluetooth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Encryption and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Preparing for an Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Selecting a Bluetooth Attack Device . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Active Device Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Passive Device Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Hybrid Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Passive Traffic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Service Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
▼ 9 Bluetooth Eavesdropping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Commercial Bluetooth Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Open-Source Bluetooth Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
▼ 10 Attacking and Exploiting Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
PIN Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Practical PIN Cracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Identity Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Bluetooth Service and Device Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Bluetooth Device Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Abusing Bluetooth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Testing Connection Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Unauthorized AT Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Unauthorized PAN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Headset Profile Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
File Transfer Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Future Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
▼ 11 Hack ZigBee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
ZigBee Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
ZigBee’s Place as a Wireless Standard . . . . . . . . . . . . . . . . . . . . . . . . . . 400
ZigBee Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
ZigBee History and Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
ZigBee Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
ZigBee Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
ZigBee Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Rules in the Design of ZigBee Security . . . . . . . . . . . . . . . . . . . . . . . . . 407
ZigBee Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
ZigBee Authenticity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
ZigBee Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
ZigBee Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Introduction to KillerBee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Eavesdropping Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Encryption Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Attack Walkthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Network Discovery and Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Analyzing the ZigBee Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
RAM Data Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
▼ 12 Hack DECT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
DECT Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
DECT Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
DECT PHY Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
DECT MAC Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Base Station Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
DECT Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Authentication and Pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Encryption Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
DECT Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
DECT Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
DECT Eavesdropping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
DECT Audio Recording . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
▼ A Scoping and Information Gathering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Pre-assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Scoping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Things to Bring to a Wireless Assessment . . . . . . . . . . . . . . . . . . . . . . 462
Conducting Scoping Interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Gathering Information via Satellite Imagery . . . . . . . . . . . . . . . . . . . . 465
Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
