Assessing Wireless
Radio and Bluetooth
CNG 256 Vulnerability Assessment
Frank H. Vianzon, GPEN, GCWN, GISP, CompTIA A+, CompTIA Network+
Wi-Fi: Overview
 Standard is IEEE 802.11
 Exists in everything these days, from laptops to smartphones to IoT devices
Four Environments
Four environments built around the technology
1. Extensions to an existing wired network
2. Multiple Access Points
3. LAN-to-LAN wireless network
4. 3G or 4G hot spots
Wireless Standards
Wireless Vocabulary
Term – Description
Association – The process of connecting a client to an access point
BSSID (Basic Service Set Identification) – The MAC address of an access point
SSID / ESSID (Extended Service Set Identification) – The (broadcast) name of a network
Hot Spot – A location that provides wireless access to the public
Access Point / Wireless Access Point (WAP) – A hardware or software construct that provides wireless access
Service Set Identifier (SSID)
 SSID is a continual broadcast by the access point
 SSID is embedded within the header of the packets
 SSID is the name of a network. Also called an ESSID (Extended SSID)
 You can try to mask an ESSID
 BSSIDs identify access points and their clients
 Is the MAC address
 MUST be transmitted
BSSID
This identifier is called a basic service set identifier (BSSID) and is included in all wireless packets.
Each Access Point has its Own BSS
Wireless Antennas : Laptops
 On a standard laptop, the antenna is typically around the screen
 Can be extended via USB
 When extending, make sure to match the cable type and impedance (ohms)
Wireless Antenna : Yagi Antenna
 Unidirectional
 Site to site or directional
Wireless Antennas : Omnidirectional and
Parabolic Grid
 Omnidirectional – all directions
 Two dimensions but not three
 Sometimes magnetic for cars and war driving
Wireless Authentication Modes
 Open
 only requires a MAC address
 Shared Key
 All AP’s and clients use the same authentication key
 Hashing methods used to protect the key can be easily broken
 802.1X
 Authentication uses usernames and passwords, certificates or devices such as smart cards. Requires one or both of these:
 RADIUS server to centralize user accounts and authentication information
 A PKI for issuing certificates
Wireless Encryption
 WEP – Wireless Equivalent Privacy
 Oldest and weakest
 Initial solution
 WPA – Wi-Fi Protected Access
 Uses Temporal Key Integrity Protocol (TKIP)
 TKIP is a suite of algorithms that works as a "wrapper" to WEP, which allows users of legacy WLAN equipment to upgrade to TKIP without replacing hardware.
 Uses Message Integrity Code (MIC)
 WPA2
 Uses AES
 Requires hardware
WEP Encryption:
 Introduced with the 802.11b standard
 11 Mbps, 2.4 GHz, RC4
 Design Parameters
 Defeat Eavesdropping on communications
 Check integrity of data
 Use Shared Secret
 Problems with WEP
 Designed without input from the academic community or the public; professional cryptologists were never consulted
 Passively uncover the key
Breaking WEP
 Need to intercept as many IVs (Initialization Vectors) as possible
1. Start the wireless interface in monitor mode
2. Fake authentication with the access point
3. ARP requests can be intercepted and reinjected
4. Run password cracking tool
Comcast Split Wireless
Attack Surface
Attacks and Vulnerabilities
 Attacks in transit
 WEP
 WPA
 WPA2
 Attacks on endpoints
 Laptops
 WAP – Wireless Access Points
 Rogue access points
Access Points
Wireless access points transmit their SSID and BSSID to anyone in range
Using monitor mode, we can see the BSSID and then use a brute force utility to find the password
Access Points
Monitor Mode vs Managed Mode
Managed Mode is the mode you are mostly in to connect to wireless networks
Monitor mode makes your wireless card passive. It is simply listening in on every channel
Finding the MAC address
For Windows, you can use the inSSIDer tool
For Linux, you can place the card in monitor mode and use the airodump-ng tool
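Once a monitor-mode scan has produced a BSSID/ESSID list, the defensive use of it is to compare what is on the air with the access points the organization actually operates (the rogue access point lab in the notes). The following Python is an added example, not code from this deck or from any scanning tool: the authorised inventory, the survey rows and the column names `bssid,channel,privacy,essid` are all constructed assumptions, to be adapted to whatever the scanner in use exports. It flags an unknown BSSID advertising a corporate SSID, an authorised BSSID whose SSID or encryption no longer matches the inventory, a hidden network that nobody has claimed, and authorised APs that were not seen at all.

```python
"""Compare a wireless survey against the list of access points we own.
Added example: the inventory and survey lines below are constructed,
and the CSV column layout is an assumption, not any tool's real format."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List


@dataclass(frozen=True)
class KnownAP:
    ssid: str
    channel: int
    privacy: str  # expected encryption label, e.g. "WPA2"


@dataclass(frozen=True)
class Finding:
    bssid: str
    severity: str  # "high", "medium", "low" or "info"
    reason: str


# Hypothetical authorised inventory keyed by BSSID (constructed for this example)
AUTHORISED: Dict[str, KnownAP] = {
    "02:00:00:00:0a:01": KnownAP("corp-wifi", 6, "WPA2"),
    "02:00:00:00:0a:02": KnownAP("corp-wifi", 11, "WPA2"),
    "02:00:00:00:0a:03": KnownAP("corp-guest", 1, "WPA2"),
}

# Constructed survey output: one row per BSSID seen in monitor mode.
# An empty essid column stands for a hidden (zero-length) SSID.
SURVEY = """bssid,channel,privacy,essid
02:00:00:00:0a:01,6,WPA2,corp-wifi
02:00:00:00:0a:02,11,OPN,corp-wifi
02:00:00:00:0a:03,1,WPA2,corp-guest
0a:bb:cc:dd:ee:01,6,WPA2,corp-wifi
0a:bb:cc:dd:ee:02,3,WPA2,
0a:bb:cc:dd:ee:03,9,WPA2,neighbour-net
"""


def assess_survey(survey_csv: str, authorised: Dict[str, KnownAP]) -> List[Finding]:
    """Return findings for rogue/evil-twin APs, drifted authorised APs and missing APs."""
    corporate_ssids = {ap.ssid for ap in authorised.values()}
    findings: List[Finding] = []
    seen = set()
    for row in csv.DictReader(StringIO(survey_csv)):
        bssid = row["bssid"].strip().lower()
        essid = row["essid"].strip()
        privacy = row["privacy"].strip().upper()
        channel = int(row["channel"])
        seen.add(bssid)
        known = authorised.get(bssid)
        if known is None:
            # The BSSID is always transmitted, so an unknown one carrying our name is the evil-twin signal
            if essid in corporate_ssids:
                findings.append(Finding(bssid, "high", f"unknown AP advertising our SSID {essid!r} (rogue / evil twin)"))
            elif essid == "":
                findings.append(Finding(bssid, "medium", "unknown AP with a hidden SSID in range; verify ownership"))
            else:
                findings.append(Finding(bssid, "info", f"foreign network {essid!r} (neighbour)"))
            continue
        # Authorised hardware whose advertised settings drifted from the inventory
        if essid != known.ssid:
            findings.append(Finding(bssid, "high", f"authorised AP now advertises {essid!r}, expected {known.ssid!r}"))
        if privacy != known.privacy.upper():
            findings.append(Finding(bssid, "high", f"authorised AP reports {privacy}, expected {known.privacy}"))
        if channel != known.channel:
            findings.append(Finding(bssid, "low", f"authorised AP on channel {channel}, expected {known.channel}"))
    for bssid in sorted(set(authorised) - seen):
        findings.append(Finding(bssid, "low", "authorised AP not observed in this survey"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    for f in sorted(assess_survey(SURVEY, AUTHORISED), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.bssid}  {f.reason}")
```

The survey is keyed on BSSID rather than SSID on purpose: the SSID is whatever the radio chooses to say, while the BSSID is the one identifier every frame must carry, so a second BSSID using the corporate name is the observation worth paging on.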
Access Points
Testing Points
If your systems are using certificates or other PKI authentication, try to join the network.
Egress Rules
Once you join, can you nmap the network?
User Laptops
 User laptops will continuously broadcast for saved networks
 We can attack the user MAC or answer the broadcast with a WiFi Pineapple
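The SSID slides state that the BSSID must be transmitted while the ESSID can be masked, and the slide above states that a laptop keeps probing for its saved networks. The following Python, added here and not part of the original deck, makes both visible by parsing 802.11 management frames: it pulls the BSSID and the SSID element out of beacons and probe requests, reports a beacon whose SSID element is empty as hidden, and tallies which network names each client is probing for (a useful audit of what a laptop fleet leaks while roaming). Every frame is constructed inline by `build_beacon` and `build_probe_request`; those builders, the MAC addresses and the network names are all assumptions made for the example, not captured traffic.

```python
"""Parse 802.11 management frames (beacon, probe request) for BSSID and SSID.
Added example; all frames below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# 802.11 management header: frame control, duration, addr1, addr2, addr3, sequence control
MGMT_HDR = struct.Struct("<HH6s6s6sH")
# Beacon body begins with fixed fields: timestamp, beacon interval, capability info
BEACON_FIXED = struct.Struct("<QHH")
SUBTYPE_PROBE_REQ = 4
SUBTYPE_BEACON = 8
TAG_SSID = 0
BROADCAST = b"\xff" * 6


@dataclass
class MgmtFrame:
    subtype: int
    bssid: str           # addr3; the broadcast address in a wildcard probe request
    source: str          # addr2: the AP for a beacon, the client for a probe request
    ssid: Optional[str]  # None if no SSID element, "" if the element is hidden
    hidden: bool


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_tagged(body: bytes) -> Dict[int, bytes]:
    """Walk tag/length/value elements; stop at a truncated element instead of over-reading."""
    tags: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + length]
        if len(value) < length:
            break
        tags.setdefault(tag_id, value)  # keep the first occurrence of a repeated tag
        i += 2 + length
    return tags


def parse_mgmt_frame(frame: bytes) -> MgmtFrame:
    if len(frame) < MGMT_HDR.size:
        raise ValueError("frame shorter than an 802.11 management header")
    fc, _dur, _addr1, addr2, addr3, _seq = MGMT_HDR.unpack_from(frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError(f"not a management frame (type {ftype})")
    body = frame[MGMT_HDR.size:]
    if subtype == SUBTYPE_BEACON:
        if len(body) < BEACON_FIXED.size:
            raise ValueError("beacon body too short for its fixed fields")
        body = body[BEACON_FIXED.size:]
    elif subtype != SUBTYPE_PROBE_REQ:
        raise ValueError(f"unsupported management subtype {subtype}")
    raw_ssid = parse_tagged(body).get(TAG_SSID)
    # A masked network still sends the SSID element, but with zero length (some APs send NULs instead);
    # the BSSID in addr3 is present either way.
    hidden = raw_ssid is not None and (len(raw_ssid) == 0 or not raw_ssid.strip(b"\x00"))
    ssid = None if raw_ssid is None else ("" if hidden else raw_ssid.decode("utf-8", "replace"))
    return MgmtFrame(subtype, mac_str(addr3), mac_str(addr2), ssid, hidden)


def probed_ssids(frames: List[bytes]) -> Dict[str, List[str]]:
    """Map each client MAC to the saved-network names it probes for, in first-seen order."""
    out: Dict[str, List[str]] = {}
    for f in frames:
        m = parse_mgmt_frame(f)
        if m.subtype == SUBTYPE_PROBE_REQ and m.ssid:
            names = out.setdefault(m.source, [])
            if m.ssid not in names:
                names.append(m.ssid)
    return out


# --- constructed sample frames (assumed values, not captured traffic) ---
def build_beacon(bssid: bytes, ssid: str, hidden: bool = False) -> bytes:
    hdr = MGMT_HDR.pack(0x0080, 0, BROADCAST, bssid, bssid, 0)   # type 0, subtype 8
    fixed = BEACON_FIXED.pack(0, 100, 0x0411)                    # 100 TU interval, ESS + privacy bits
    ssid_el = bytes([TAG_SSID, 0]) if hidden else bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    return hdr + fixed + ssid_el + bytes([1, 1, 0x82])           # supported rates: 1 Mbps (basic)


def build_probe_request(client: bytes, ssid: str) -> bytes:
    hdr = MGMT_HDR.pack(0x0040, 0, BROADCAST, client, BROADCAST, 0)  # type 0, subtype 4
    return hdr + bytes([TAG_SSID, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])


if __name__ == "__main__":
    ap = bytes.fromhex("020000000a01")
    for frame in (build_beacon(ap, "corp-wifi"), build_beacon(ap, "corp-wifi", hidden=True)):
        print(parse_mgmt_frame(frame))
    laptop = bytes.fromhex("0200000000c1")
    print(probed_ssids([build_probe_request(laptop, "home-wifi"), build_probe_request(laptop, "corp-wifi")]))
```

Running it shows the hidden beacon still carrying `02:00:00:00:0a:01` as its BSSID with an empty SSID, and the laptop's probe list naming both its home and corporate networks, which is exactly the information the slide says an attacker's answering access point would use; from the defender's side, the same list tells you which saved profiles to prune.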
Bluetooth
 Bluetooth devices are prominent these days. Bluetooth is found on laptops and mobile devices
 Operates on the 2.4 GHz range
 Four different versions
Bluetooth Modes
 Discoverable
 Allows the device to be scanned and located by other Bluetooth devices
 Limited Discoverable
 This mode is becoming more common. It puts the device into discovery mode for a short period of time
 Non-discoverable
 As the name suggests, it cannot be located
 Pairing
 We have to pair devices in a peer to peer type connection
Bluetooth Threats
 What type of information do you exchange with Bluetooth?
 Calendars and Address Books
 Photos, cameras, microphones
 Attacker can inject microphone

Editor's Notes

  • #3 IoT devices: Nest Thermostat, Ring Doorbell, Refrigerators, Garage Doors
  • #7 https://www.juniper.net/documentation/en_US/junos-space-apps/network-director2.0/topics/concept/wireless-ssid-bssid-essid.html
  • #9 Standard laptops – works great for users. Older laptops may have a door on the bottom. Newer laptops are typically integrated
  • #12 Shared Key is the most common
  • #18 Lab – find the rogue access point
  • #20 Lab on placing in monitor mode. Once you have the MAC address, you can launch deauth attacks. This is a form of DoS attack. Bully to force the network connection
  • #21 Some of the PKI structures will let you join but not let you do anything. Stop client to client access?