Wireless Attacks You Could Prevent
We went in-depth with Larry Pesce, Senior Security Analyst and Director of Research at InGuardians, to show you exactly how hackers can access your network and data with just a few tools and a plan, and to give you ideas for how to deal with them.
3 Attack Paths From Parking Lot to Password
When Larry goes on site to conduct a pen test, his first action is a passive one. He simply listens.
- To do that, an attacker needs a wireless adapter that can be placed in monitor mode to capture all traffic on a given channel, or potentially multiple cards to capture traffic on multiple channels. There are three key tools to choose from in order to get a passive picture of that traffic: Aircrack-ng, Airodump-ng and airmon-ng. Another of Larry's favorite tools is Kismet, which is similar to Airodump-ng but provides a more logical picture of the traffic, with the ability to dive into the details a little more and do some high-level initial analysis of the packets.
- The next step is to put all of that information into Wireshark to "go deep." After that, the tools the attacker or tester uses depend on what the traffic is telling them. If they find a WEP path to follow, they use aireplay-ng from the Aircrack-ng suite to complete the key cracking. If they know they need to go down a WPA/WPA2 (Pre-Shared Key) path, they simply need to observe a device connecting to that network for the first time. That can be tough, but not too tough. If an attacker shows up and gets that far, they will be able to watch that handshake occur whenever it does. But what happens if they show up late in the day, and every device that will connect to that network already has? To see the four-way handshake, the attacker knocks the devices offline with aireplay-ng again, this time launching a de-auth-based denial of service attack, stops the attack and then watches the reconnection. The viewing happens, again, with monitoring tools like Airodump-ng, Wireshark or Kismet. Once the four-way handshake is captured, the attacker can run offline password brute-force attacks against it using Hashcat or John the Ripper.
- The last possible path (the paths being determined by traffic observation, remember) is cracking WPA Enterprise, which in many cases uses a RADIUS server for authentication. In most of the cases Larry currently encounters, WPA Enterprise creates a secure TLS tunnel to exchange credential information and, after authentication, the key material used to encrypt data. The three popular EAP types are PEAP, TTLS and EAP-TLS.
Larry, or any adept attacker or tester, can stand up an access point that looks exactly like your Enterprise solution (typically PEAP) and present their own certificate so that the client connects to that network. Depending on what he observes in the traffic, that certificate can be totally made up (Larry calls it the snakeoil cert) or legitimate and purchased from an authority (the latter is rare).
If the hacker controls the server, they control the certificate, so they can ask for credentials whenever a device asks to join the network. To accomplish this, they might use a tool called hostapd-wpe, which uses a wireless adapter to stand up its own AP and its own RADIUS server, thereby becoming a rogue infrastructure. If a client tries to connect and the rogue network accepts, the password hashes should come rolling in. Once hashes are captured, a tool called asleap can complete dictionary-based brute-force attacks, or the attacker can choose Hashcat or an online tool from a third party.
With just a few tools and some practice and knowledge, an attacker can pwn your network from the parking lot. So how can you possibly protect your network, whatever its type, from these major wireless attacks?
Good News: Wireless Attacks Can Be Detected
The only tools too stealthy to detect are the passive monitoring tools; assume everyone is eavesdropping all the time. The content of your conversations would need to change accordingly. Larry advises being mindful of what someone can hear; in other words, audit your network and observe what the attacker would observe.
A WEP attack is detectable with a strong monitoring solution, because the attacker is sending out unusual packets over and over again. You should also be able to detect a new client on the network that has never joined before. To detect a WPA2 attack, you might need to monitor for the de-auth-based denial of service attack we mentioned, or, if the de-auth is never used, you should be able to see the anomalous behavior caused by the appearance of a rogue AP that looks just like your own network.
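Both signals Larry describes for a WPA2 attack, a burst of de-auth frames and a rogue AP advertising your SSID, can be pulled out of a monitor-mode capture. This added example (not from the article or InGuardians) runs both checks over a constructed set of management-frame records; the record layout, the BSSID inventory and the thresholds are assumed values.

```python
from collections import defaultdict

# Constructed sample of 802.11 management-frame records, in the shape a monitor-mode
# tool such as Kismet or airodump-ng could export:
# (timestamp in seconds, frame subtype, transmitter address, advertised SSID or None).
FRAMES = [
    (100.0, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi"),
    (100.1, "beacon", "aa:bb:cc:00:00:02", "CorpWiFi"),
    (100.2, "beacon", "de:ad:be:ef:00:01", "CorpWiFi"),  # our SSID from an address we do not own
    (100.5, "deauth", "aa:bb:cc:00:00:02", None),        # a lone deauth is normal housekeeping
    (140.0, "deauth", "aa:bb:cc:00:00:02", None),
]
# A deauth flood spoofs the real AP's address, so the transmitter looks legitimate;
# 40 frames in two seconds is the anomaly, not the address.
FRAMES += [(102.0 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", None) for i in range(40)]

# Inventory of the BSSIDs we actually operate for each of our SSIDs (assumed values).
KNOWN_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


def find_rogue_aps(frames, known=KNOWN_BSSIDS):
    """Return (bssid, ssid) pairs advertising one of our SSIDs from an address we do not own."""
    rogue = set()
    for _, subtype, addr, ssid in frames:
        if subtype in ("beacon", "probe_resp") and ssid in known and addr not in known[ssid]:
            rogue.add((addr, ssid))
    return sorted(rogue)


def find_deauth_floods(frames, window=2.0, threshold=10):
    """Map each transmitter to its peak deauth count within any `window` seconds, if >= threshold."""
    by_src = defaultdict(list)
    for ts, subtype, addr, _ in frames:
        if subtype == "deauth":
            by_src[addr].append(ts)
    flagged = {}
    for addr, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward past old frames
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[addr] = peak
    return flagged


if __name__ == "__main__":
    print("rogue APs:", find_rogue_aps(FRAMES))        # [('de:ad:be:ef:00:01', 'CorpWiFi')]
    print("deauth floods:", find_deauth_floods(FRAMES))  # {'aa:bb:cc:00:00:01': 40}
```

The two stray deauth frames from the second AP stay below the threshold, which is the point: rate per transmitter, not the mere presence of a deauth, separates housekeeping from an attack.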
If an attacker is clever and does the brute-force parts of their attack offline, those parts can be hard to detect, warns Larry. You might be able to see the indicators that the information is being gathered, but not the brute forcing itself. However, if a password spray type of brute force is used, as it may be on a WPA Enterprise network, you should be able to detect the multiple authentication attempts that indicate such a spray.
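A spray looks different from a single account being brute-forced: many distinct identities fail through one AP in a short time. This added example (not from the article) counts distinct rejected usernames per NAS in fixed five-minute buckets over a constructed RADIUS-style log; the line format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RADIUS authentication log in an assumed key=value layout (not any product's
# exact format): when the request was relayed, which AP/NAS relayed it, the identity tried,
# and the outcome.
LOG = """\
2024-05-01T09:00:01 nas=ap-lobby user=alice result=reject
2024-05-01T09:00:02 nas=ap-lobby user=bob result=reject
2024-05-01T09:00:03 nas=ap-lobby user=carol result=reject
2024-05-01T09:00:04 nas=ap-lobby user=dave result=reject
2024-05-01T09:00:05 nas=ap-lobby user=erin result=reject
2024-05-01T09:00:06 nas=ap-lobby user=frank result=reject
2024-05-01T09:00:07 nas=ap-lobby user=grace result=accept
2024-05-01T09:00:20 nas=ap-floor2 user=alice result=reject
2024-05-01T09:00:25 nas=ap-floor2 user=alice result=reject
2024-05-01T09:00:30 nas=ap-floor2 user=alice result=accept
2024-05-01T09:15:00 nas=ap-lobby user=heidi result=reject
"""
LINE = re.compile(r"^(\S+) nas=(\S+) user=(\S+) result=(\S+)$")


def parse(log):
    """Turn log text into (timestamp, nas, user, result) tuples, skipping unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, nas, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), nas, user, result))
    return events


def find_password_sprays(events, bucket=timedelta(minutes=5), min_users=5):
    """Count distinct usernames rejected per NAS in each fixed time bucket.

    Returns {(nas, bucket_start_iso): distinct_user_count} for buckets at or above
    min_users. One user mistyping a password repeatedly stays at 1 and is not flagged.
    """
    users = defaultdict(set)
    for ts, nas, user, result in events:
        if result != "reject":
            continue
        slot = datetime.min + ((ts - datetime.min) // bucket) * bucket  # align to bucket start
        users[(nas, slot.isoformat())].add(user)
    return {key: len(seen) for key, seen in users.items() if len(seen) >= min_users}


if __name__ == "__main__":
    print(find_password_sprays(parse(LOG)))  # {('ap-lobby', '2024-05-01T09:00:00'): 6}
```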
Three network types, three attack paths, three things you need to see. In our webinar last week, we talked about the exact steps you need to take in order to protect your networks from these wireless attacks. Watch now to learn more about why "constantly monitor" is still the most important step of all.