Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson

Author:Tyler Wrightson [Wrightson, Tyler]
Language: eng
Format: epub, azw3, mobi, pdf
Publisher: McGraw-Hill Education
Published: 2014-12-15T08:00:00+00:00

Active Wireless Recon

Before we know which wireless attack will be the most lucrative, we need to identify if there are any access points to target. We will perform active wireless reconnaissance in two steps, which may occur on the same day. The first step is to focus on identifying wireless access points and networks. In the second step, we’ll follow up and investigate specific networks of interest and seek to identify wireless clients.

In the first step, while discovering wireless networks, we want to be as quick but as thorough as possible. Even on a single campus or building, it can take a decent amount of time to be sure we’ve identified at least all of the BSSIDs available. In the first phase, it’s perfectly fine to not obtain the network name for a cloaked wireless network. The second phase is to specifically target areas of interest and to identify specifics related to the wireless network and its wireless clients. Keep in mind that just because we might not find any active wireless networks at our target organization (which is extremely unlikely but still possible), we might still be able to find and exploit wireless vulnerabilities, specifically within wireless-enabled client devices such as laptops or phones. For example, it’s not uncommon for an employee to have a laptop they bring home. Even though this laptop may or may not be connected to a wireless network at the employee’s home, if the wireless network card is enabled, it will most likely be constantly broadcasting its presence. This is an extremely important fact to understand, so I’ll repeat it! Even when there is no wireless network at a facility, a wireless client may still be vulnerable. In fact, most of the time, these types of wireless client devices will be more valuable for us to compromise than a wireless network.

Before we get started, let’s review the technical ways of identifying wireless networks. There are two basic ways to do this: through capturing beacon frames and through probe request/response. A probe request is a special frame sent from a wireless station to identify either a particular wireless network or all wireless networks—essentially, it’s a broadcast that attempts to identify any wireless networks. A wireless client or access point can then respond with a probe response that includes the network name, capabilities, and supported data rates of the responding device. Since probe requests require our stations to send packets, which can be recorded and alerted on, we will typically avoid the use of them. In fact, it’s a common signature within wireless monitoring systems to log and alert client devices that probe for wireless networks but never join a wireless network. Following is an example of a Kismet message indicating just that:

ALERT Thu Feb 27 10:37:10 2014 Suspicious client 00:21:6a:34:05:c7 - probing networks but never participating.

Beacon frames are sent by access points to periodically announce the existence and capabilities of the wireless network, such as network name (SSID), data rates, timing, etc. Beacon frames are

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.