WIRELESS NETWORKS - key concepts
WIRELESS NETWORK
The 802.11 series of standards is VERY IMPORTANT:
802.11a: speeds up to 54 Mbps, 5 GHz band
802.11b: 11 Mbps, 2.4 GHz band
802.11g: 54 Mbps, 2.4 GHz band
802.11n: over 100 Mbps, uses MIMO in the 2.4 GHz and 5 GHz bands
802.11i: extension of the original 802.11 series adding security mechanisms for WLAN
802.15.1: Bluetooth
802.15.4: Zigbee
802.16: wireless metropolitan area networks (WiMAX)
Modulation: the encoding method of choice in wireless networks
(manipulation of the properties of a waveform).
OFDM (Orthogonal Frequency-Division Multiplexing) and DSSS (Direct-Sequence Spread Spectrum) use various pieces of a waveform to carry a signal.
OFDM works with several waveforms carrying messages back and forth: the TRANSMISSION MEDIUM is divided into a series of FREQUENCY BANDS that do not overlap each other, and EACH BAND CAN CARRY A SEPARATE SIGNAL.
DSSS COMBINES ALL AVAILABLE WAVEFORMS, and the ENTIRE FREQUENCY BANDWIDTH can be used for the delivery of a message.
Ad Hoc mode: wireless systems connect directly to other systems (as if there were a cable).
Infrastructure mode uses an Access Point (AP) to funnel all wireless connections, and clients authenticate to it.
Wireless networks can have a SINGLE access point or MULTIPLE access points, creating « cells » and allowing the user to roam freely without losing connectivity (the client needs to associate and disassociate as it moves from one cell to the next).
BSA (Basic Service Area) exists when there is a SINGLE ACCESS POINT.
BSS (Basic Service Set) is the communication between the single AP (of the BSA) and its clients.
ESS (Extended Service Set) exists when THE RANGE OF THE NETWORK IS EXTENDED BY ADDING MULTIPLE APs (Access Points).
« Roaming » is the movement across multiple APs within a single ESS.
Antennas:
-Most standard APs use an omnidirectional antenna, which spreads the signal 360 degrees from the source.
-A directional antenna focuses the signal in a specific direction.
-Other antennas: dipole (2 signal towers, works omnidirectionally) and parabolic grid (up to 10 miles range).
-SSID (Service Set Identifier): identifies a wireless network to clients.
-The SSID is not a password and PROVIDES NO SECURITY FOR THE NETWORK.
-The SSID is a text string (32 characters or less) that distinguishes one wireless network from another.
-SSID cloaking: the wireless network can still be identified even if SSID broadcast is turned off.
-The SSID is part of the header on every packet.
WIRELESS AUTHENTICATION
1) Open System Authentication (the client sends an 802.11 authentication frame with an SSID to an AP and receives a verification frame)
2) Shared Key Authentication (the client participates in a challenge scenario)
3) Centralized Authentication (example: RADIUS)
(Bits and pieces of wireless authentication mechanisms put together)
Association: the client connects to an AP, and authentication identifies the client before it can access the network.
WEP (Wired Equivalent Privacy):
-Weak security for wireless networks.
-Uses 40-bit to 232-bit keys with the RC4 encryption algorithm.
-The weakness is in the reuse of initialization vectors (IVs). An attacker generates enough packets to analyse the IVs and recover the key in use.
WPA (Wi-Fi Protected Access) or WPA2:
WPA uses TKIP (Temporal Key Integrity Protocol), a 128-bit key and the client’s MAC address for strong encryption.
WPA changes the key every 10,000 packets, and the keys are transferred back and forth during an EAP (Extensible Authentication Protocol) authentication session with a four-step handshake process.
WPA2 is the same as WPA, but was designed for GOVERNMENT and ENTERPRISE.
For integrity, WPA2 uses CCMP (Cipher Block Chaining Message Authentication Code Protocol) with MICs (Message Integrity Codes) produced by CBC-MAC (Cipher Block Chaining Message Authentication Code).
WPA3 uses AES-GCMP-256 for encryption and HMAC-SHA-384 for authentication.
WPA3 Personal uses the Dragonfly key exchange for password authentication through SAE.
WPA3 Enterprise uses multiple encryption algorithms and ECDSA-384 for key exchange.
WEP is susceptible to known-plaintext attacks.
The WPA pre-shared key is vulnerable to eavesdropping and offline attacks, and the TKIP function is vulnerable to packet spoofing.
WPA2 has the “Hole196” vulnerability: MITM and DoS attacks.
The AirPcap dongle is a USB wireless adapter, and has been replaced by other models.
WiGLE and NetStumbler (WINDOWS BASED) are tools for mapping wireless network locations.
Kismet is the LINUX BASED wireless discovery option. Kismet is passive (it does not send any packets). Kismet can detect APs that have not been configured (and are susceptible to the default admin password…). Kismet sniffs packets and saves them to a log file, readable by Wireshark or tcpdump.
ROGUE ACCESS POINT (“evil twin” / “mis-association” / “honeypot attack”):
The attacker sets up an AP (access point) near a legitimate AP and tricks users into authenticating with it.
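The defensive counterpart of the rogue AP note above is to compare what a passive scanner (Kismet, for instance) sees against an inventory of the APs you actually own. The following is an added example, not part of the original notes or of any scanner's own code: it assumes an inventory mapping each of your SSIDs to its authorised BSSIDs and channels, and it flags (a) an unknown BSSID advertising one of your SSIDs and (b) an authorised BSSID showing up on the wrong channel (a cloned BSSID). All MAC addresses, SSIDs and beacon records are constructed sample data.

```python
"""Rogue / evil-twin access point check over a list of observed beacons.

Added example (not from the original notes). Assumes the defender keeps an
inventory of authorised BSSIDs per SSID and compares it with the beacons a
passive scanner reports. All values below are constructed, not real captures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # AP MAC address as carried in the beacon frame
    channel: int
    rssi: int       # signal strength in dBm (kept for the analyst's report)


# Constructed inventory: SSID -> {authorised BSSID: expected channel}.
AUTHORISED = {
    "CorpWiFi": {"00:11:22:33:44:01": 6, "00:11:22:33:44:02": 11},
    "CorpGuest": {"00:11:22:33:44:03": 1},
}

# Constructed observations from one scan.
OBSERVED = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 6, -55),
    Beacon("CorpWiFi", "00:11:22:33:44:02", 11, -60),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -30),    # our SSID, unknown BSSID
    Beacon("CorpGuest", "00:11:22:33:44:03", 1, -62),
    Beacon("CorpGuest", "00:11:22:33:44:03", 9, -35),   # cloned BSSID, other channel
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 1, -75),  # unrelated neighbour
]


def find_rogue_aps(observed, authorised):
    """Return (beacon, reason) pairs for beacons that do not match the inventory.

    An SSID is not a secret (it is in every packet header), so the match is on
    the BSSID and channel; SSIDs we do not operate are ignored entirely.
    """
    findings = []
    for b in observed:
        if b.ssid not in authorised:
            continue
        known = {mac.lower(): ch for mac, ch in authorised[b.ssid].items()}
        mac = b.bssid.lower()
        if mac not in known:
            findings.append((b, "unknown BSSID advertising our SSID"))
        elif known[mac] != b.channel:
            findings.append((b, f"authorised BSSID seen on channel {b.channel}, "
                                f"expected {known[mac]} (possible cloned BSSID)"))
    return findings


def report(findings):
    """Human-readable alert lines for the findings."""
    return [f"ALERT: {b.ssid} / {b.bssid} ch {b.channel} ({b.rssi} dBm): {why}"
            for b, why in findings]


if __name__ == "__main__":
    for line in report(find_rogue_aps(OBSERVED, AUTHORISED)):
        print(line)
```

Run it as-is and two alerts are printed; in practice you would feed `OBSERVED` from the scanner's log and keep `AUTHORISED` in version control so that changes to the inventory are themselves reviewed.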
DoS:
Jamming the wireless signal, using a device like a high-gain antenna/amplifier (ALL WIRELESS DEVICES ARE SUSCEPTIBLE TO SOME FORM OF JAMMING/INTERFERENCE).
Cracking WEP is RIDICULOUSLY EASY: it just requires generating enough packets to guess the encryption key.
The weak IV (Initialization Vector) is the SECRET. The IVs are REUSED and sent in CLEAR TEXT. Tools for cracking WEP: Cain and Abel, Aircrack, KisMAC (runs on macOS and brute-forces WEP or WPA), WEPCrack, Elcomsoft Wireless Security Auditor.
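Both the WEP section above and this note rest on the same cryptographic fact: WEP derives each packet's RC4 key as IV || shared key, the IV is only 24 bits and travels in the clear, so the same keystream inevitably gets reused. The block below is an added example, not part of the original notes or of any cracking tool, that demonstrates the two halves of that weakness with a small RC4 implementation: (1) two packets encrypted under a repeated IV XOR together to the XOR of their plaintexts, with the key dropping out entirely, and (2) how few packets it takes for a 24-bit IV to repeat by chance, using the birthday bound under the simplifying assumption that IVs are chosen uniformly at random (real WEP drivers often used sequential IVs, which repeat even sooner after a reset). The key, IV and plaintexts are constructed values.

```python
"""Why IV reuse breaks WEP: keystream reuse and the 24-bit IV birthday bound.

Added example (not from the original notes). Uses a textbook RC4 and the real
WEP per-packet key layout (IV || key); the key, IV and plaintexts below are
constructed sample values.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `key` (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body encryption: RC4 keyed with the 3-byte IV prepended to the shared key.

    The IV is transmitted in clear text next to the ciphertext (ICV omitted here).
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def keystream_reuse_leaks(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 XOR C2 == P1 XOR P2 for two packets sharing one IV.

    Same IV + same key = same keystream, so XORing the ciphertexts cancels the
    keystream and exposes the relationship between the plaintexts with no key
    material needed at all.  This is the failure the notes describe.
    """
    c1 = wep_encrypt(wep_key, iv, p1)
    c2 = wep_encrypt(wep_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Probability that at least one IV repeats among `packets` packets.

    Birthday calculation assuming IVs are drawn uniformly at random from the
    2**iv_bits space (a simplifying assumption; sequential IVs repeat even
    sooner after a device reset).
    """
    space = 2 ** iv_bits
    p_no_repeat = 1.0
    for i in range(packets):
        p_no_repeat *= 1 - i / space
    return 1 - p_no_repeat


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"             # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                      # constructed IV, sent in the clear
    p1 = b"ARP request from host A"           # constructed plaintexts
    p2 = b"ARP request from host B"
    print("keystream reuse leaks P1 XOR P2:", keystream_reuse_leaks(key, iv, p1, p2))
    for n in (500, 5000, 20000):
        print(f"{n:6d} packets -> P(IV repeat) = {iv_collision_probability(n):.3f}")
```

The mitigation side is what later protocols changed: CCMP in WPA2 uses a 48-bit packet number that is never reused under a given key, and the key is rotated before it could wrap, so the two-ciphertext XOR shown here never becomes available to an observer.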