1 00:00:00,620 --> 00:00:00,890 All right.
2 00:00:00,890 --> 00:00:03,410 Hello and welcome back to the official circus series.
3 00:00:03,740 --> 00:00:07,910 This is the 802.11 Wi-Fi wireless security section.
4 00:00:08,570 --> 00:00:09,980 We're going to talk about wireless.
5 00:00:10,310 --> 00:00:12,230 We're going to talk about network attacks.
6 00:00:12,590 --> 00:00:16,430 We're going to talk about wireless encryption and many other topics.
7 00:00:17,420 --> 00:00:21,320 It's a very exciting topic because wireless is everywhere.
8 00:00:21,590 --> 00:00:30,050 Wireless is ubiquitous with the advent of smartphones, IoT devices, Google Homes, Google Nests,
9 00:00:30,050 --> 00:00:31,340 all that kind of good stuff.
10 00:00:33,360 --> 00:00:34,530 This is our chapter outline.
11 00:00:34,530 --> 00:00:38,390 We're going to talk about wireless networking, the different types of wireless networking.
12 00:00:38,430 --> 00:00:42,000 We're going to look at wireless networking terminologies.
13 00:00:42,630 --> 00:00:45,630 We're going to look at the different bands of wireless networking.
14 00:00:47,710 --> 00:00:49,400 So wireless versus wired networking.
15 00:00:49,420 --> 00:00:54,240 We're going to talk about wireless encryption because it's important to have secure wireless networking,
16 00:00:54,520 --> 00:01:01,540 as encryption is always top of mind with respect to wireless networks versus traditional wired networks.
17 00:01:04,490 --> 00:01:08,900 And then, of course, we'll talk about some of the different wireless attacks, as well as some of
18 00:01:08,900 --> 00:01:14,270 the different countermeasures that can be used to prevent wireless attacks.
19 00:01:21,550 --> 00:01:22,940 This is our chapter flow.
20 00:01:23,480 --> 00:01:27,950 We're going to discuss what's a wireless network, what are the wireless network types.
21 00:01:28,280 --> 00:01:31,220 We're going to go over the different types of wireless networking.
22 00:01:31,220 --> 00:01:32,300 So it's not just
23 00:01:34,090 --> 00:01:35,170 802.11.
24 00:01:36,390 --> 00:01:36,960 And what?
25 00:01:37,200 --> 00:01:42,360 We'll finish out with encryption, the different types of tools, and we'll even get into some Bluetooth as
26 00:01:42,360 --> 00:01:42,690 well.
27 00:01:45,800 --> 00:01:52,400 So what is a wireless network? Wi-Fi, or wireless fidelity, refers to the 802.11 IEEE standard.
28 00:01:55,480 --> 00:02:02,050 So the general IEEE designation for network standards is 802, such as 802.3 for Ethernet.
29 00:02:02,470 --> 00:02:07,810 The 802.11 family of standards governs all the wireless local area networking.
30 00:02:08,980 --> 00:02:15,120 Essentially, it's an IEEE standard developed by the LAN/MAN Standards Committee.
31 00:02:15,130 --> 00:02:21,510 It currently has six different over-the-air modulation techniques, which we'll get into momentarily.
32 00:02:25,630 --> 00:02:33,010 Wireless networking generally has advantages in that it cuts back on the amount of cabling, and it also
33 00:02:33,010 --> 00:02:35,920 cannot be cut by an attacker.
34 00:02:35,950 --> 00:02:39,010 So it is advantageous in that way.
35 00:02:39,310 --> 00:02:45,070 It also allows you to provide connectivity where cables are hard to reach, such as airports, coffee
36 00:02:45,070 --> 00:02:49,000 shops, universities, other places like that.
37 00:02:51,920 --> 00:02:58,310 So the six over-the-air modulation techniques in 802.11 all use the same layer two protocols.
38 00:02:58,850 --> 00:03:06,230 The most popular and prolific are those defined by the b and g amendments to the original Wi-Fi standard.
39 00:03:06,560 --> 00:03:16,010 And later, more security was added on and enhanced with 802.11i. Some of the service standards
40 00:03:16,010 --> 00:03:23,600 like 802.11c through f, h through j, as well as 802.11n, are enhancements and corrections
41 00:03:23,600 --> 00:03:25,250 to previous specifications.
42 00:03:25,880 --> 00:03:27,710 802.11b was the first
43 00:03:29,500 --> 00:03:33,190 widely accepted wireless networking standard, and was followed by a and g.
44 00:03:36,520 --> 00:03:42,250 So some disadvantages of wireless networking are that security can be more difficult.
45 00:03:42,640 --> 00:03:43,690 And you also,
46 00:03:45,080 --> 00:03:51,650 as you increase the number of nodes in wireless networking, bandwidth becomes an important consideration,
47 00:03:51,650 --> 00:03:59,930 and wireless networks can be interfered with by other electronic equipment operation like fluorescent
48 00:03:59,930 --> 00:04:06,290 lighting, certain types of motors; they create electromagnetic interference and radio frequency interference.
49 00:04:06,770 --> 00:04:13,880 So wireless has to be governed by particular frequencies, especially the 2.4 gigahertz and the five
50 00:04:13,880 --> 00:04:15,410 gigahertz frequency bands.
51 00:04:17,840 --> 00:04:25,130 So sometimes b and g networking can have interference from things like microwave ovens and other
52 00:04:25,130 --> 00:04:25,670 things.
53 00:04:26,060 --> 00:04:28,550 So these are the 802.11 wireless standards.
54 00:04:28,910 --> 00:04:35,630 We'll see that 802.11a was adopted in 1999, and b was also adopted around the same time.
55 00:04:37,710 --> 00:04:41,640 We had a maximum data rate of around 11 megabits per second,
56 00:04:42,800 --> 00:04:45,800 but it operated on the 2.4 gigahertz frequency.
57 00:04:47,920 --> 00:04:56,080 So Wi-Fi differs from Ethernet in a very important way: Ethernet uses something called carrier
58 00:04:56,080 --> 00:04:59,050 sense multiple access collision detection.
59 00:04:59,890 --> 00:05:06,760 That means that with Ethernet protocols and frames, when there's a collision on the network, such as someone
60 00:05:06,760 --> 00:05:08,140 else is trying to transmit,
61 00:05:09,040 --> 00:05:14,860 it will use a protocol that can detect that collision and back off the amount of data that's being sent.
62 00:05:15,500 --> 00:05:17,350 Now, contrast that with wireless.
63 00:05:17,350 --> 00:05:23,830 On the other hand, wireless does not handle collisions nearly as well, and it uses something
64 00:05:23,830 --> 00:05:30,100 called carrier sense multiple access with collision avoidance, or CSMA/CA.
65 00:05:31,360 --> 00:05:37,960 In practice, because of the overhead, the maximum throughput that 802.11b could really achieve
66 00:05:38,200 --> 00:05:47,800 was about 5.9 megabits per second over TCP and 7.1 megabits per second over UDP.
67 00:05:48,820 --> 00:05:54,490 So there are different performance rates based on the type of protocol.
68 00:05:55,090 --> 00:05:55,430 So IEEE
69 00:05:55,450 --> 00:06:01,990 802.11b also operates in the unprotected 2.4 gigahertz frequency band
70 00:06:03,810 --> 00:06:07,020 with an 83.5 megahertz wide channel.
71 00:06:09,030 --> 00:06:15,960 So the key thing to remember with wireless is that it's a theoretical range generally, and the maximum
72 00:06:16,980 --> 00:06:24,540 limit to the data rate is a maximum under perfect conditions, and the typical range will vary based
73 00:06:24,540 --> 00:06:29,550 on things like building materials, construction and things of that nature.
74 00:06:29,550 --> 00:06:38,340 So then 802.11b quickly crept up on the market, because it extended some of the different
75 00:06:38,340 --> 00:06:40,860 modulation techniques of the original standard.
76 00:06:41,310 --> 00:06:48,480 So chipsets and wireless routers and devices were able to support the 802.11b enhancement.
77 00:06:48,480 --> 00:06:49,560 So this increased
78 00:06:51,800 --> 00:06:56,390 both the adoption rate and also the price drop as well.
79 00:06:57,350 --> 00:07:01,550 So 802.11b rapidly became the definitive wireless LAN technology.
80 00:07:01,550 --> 00:07:08,780 So 802.11b runs at 11 megabits per second, but will scale back to five and a half megabits per second
81 00:07:08,780 --> 00:07:11,480 or two megabits per second, depending on signal quality.
82 00:07:11,930 --> 00:07:17,510 Because lower data rates use less complex and more redundant encoding, they're less susceptible to
83 00:07:17,510 --> 00:07:21,020 corruption due to interference and signal attenuation.
84 00:07:22,690 --> 00:07:30,490 So in order to try and bump up the speeds, they created some enhanced versions called 802.11b+.
85 00:07:30,880 --> 00:07:32,410 But they were not really adopted.
86 00:07:32,410 --> 00:07:35,320 And along came 802.11g.
87 00:07:36,100 --> 00:07:39,580 So 802.11g was
88 00:07:41,450 --> 00:07:45,950 released in 2003 with the 2.4 gigahertz frequency band.
89 00:07:45,950 --> 00:07:50,360 Notice the 54 megabit per second data rate increase.
90 00:08:09,540 --> 00:08:16,020 So the 802.11b and 802.11g standards do not specify the width of a channel.
91 00:08:16,020 --> 00:08:19,200 Rather, they specify the centre frequency.
92 00:08:19,860 --> 00:08:25,650 So the centre frequencies are 22 megahertz apart.
93 00:08:26,310 --> 00:08:30,780 So there are 14 overlapping staggered channels that are 23 megahertz apart.
94 00:08:31,200 --> 00:08:34,950 So the most common channels are one, six and 11.
95 00:08:35,400 --> 00:08:41,070 So channel 14 we can't take advantage of in the US, but if you're overseas, you can take advantage
96 00:08:41,070 --> 00:08:42,030 of channel 14.
97 00:08:43,090 --> 00:08:51,010 So most often, commercial routers, if you buy big routers today, they are set to channels
98 00:08:51,010 --> 00:08:55,030 one, six or 11 because of the lack of overlap.
99 00:09:04,320 --> 00:09:10,410 So depending on the power of the transmitter on a channel, say, for example, channel one, if you
100 00:09:10,410 --> 00:09:13,560 had a more powerful channel one, it could overwhelm channel six.
101 00:09:13,890 --> 00:09:17,910 But as a general rule, one, six and 11 do not overlap.
102 00:09:18,390 --> 00:09:25,740 And according to the FCC regulations, channels 10 and 11 are the only channels which are common throughout
103 00:09:25,740 --> 00:09:26,280 the world.
104 00:09:26,970 --> 00:09:30,150 Channel 14 is restricted to 802.11b only.
105 00:09:32,550 --> 00:09:39,480 802.11a did use the five gigahertz frequency band and uses something called OFDM, or Orthogonal
106 00:09:39,810 --> 00:09:41,850 Frequency Division Multiplexing.
107 00:09:42,900 --> 00:09:47,160 And it has a maximum data rate of 54 megabits per second.
108 00:09:47,970 --> 00:09:51,090 And notice, roughly until we
109 00:09:52,390 --> 00:09:54,850 received the 802.11n standard,
110 00:09:55,210 --> 00:10:03,250 the typical range stayed consistent outdoors at about 400 to 450 feet, whereas indoors it was anywhere
111 00:10:03,250 --> 00:10:05,650 from 100 to 125 feet.
112 00:10:24,470 --> 00:10:31,430 So the 802.11g standard swept the consumer shelves in 2003, before it was actually ratified.
113 00:10:32,000 --> 00:10:39,590 Then it became common to see a, b and g routers, and then it became b, g and n routers.
114 00:10:39,980 --> 00:10:47,000 So g held the promise of higher throughput, but conflicts with devices and also interference, and really
115 00:10:47,000 --> 00:10:50,450 only having three fully non-overlapping channels.
116 00:10:53,100 --> 00:10:58,500 And also the higher data rates of 802.11g are more susceptible to interference.
117 00:11:00,180 --> 00:11:07,350 So then the move to dual mode or tri-band products also carries with it the economies of scale.
118 00:11:07,350 --> 00:11:11,760 So someone has to build a chip to be able to handle that particular
119 00:11:13,840 --> 00:11:14,410 standard.
120 00:11:18,360 --> 00:11:24,300 So some chipsets were able to take advantage of things like packet bursting, which would improve
121 00:11:24,300 --> 00:11:25,560 speeds considerably.
122 00:11:25,860 --> 00:11:33,240 The first major manufacturer to use the g standard in this way was the Apple AirPort Extreme, as well
123 00:11:33,240 --> 00:11:41,160 as Cisco, who bought Linksys and was able to offer them under the name Aironet. In January 2004,
124 00:11:41,430 --> 00:11:48,420 IEEE actually decided to form a new task group to amend the 802.11 standard to try to get the real throughput
125 00:11:48,840 --> 00:11:51,330 up above 100 megabits per second,
126 00:11:52,710 --> 00:11:59,760 and at least up to four to five times faster than 802.11a or b, and perhaps 20
127 00:11:59,760 --> 00:12:02,010 times faster than b.
128 00:12:05,260 --> 00:12:07,060 So there are a couple of competing variants.
129 00:12:07,360 --> 00:12:13,630 Well, there's 802.11n, which built on the previous 802.11 standards by introducing something called
130 00:12:13,900 --> 00:12:16,690 MIMO, multiple input, multiple output.
131 00:12:17,200 --> 00:12:22,690 So essentially adding additional transmit and receive antennas to have increased throughput,
132 00:12:24,230 --> 00:12:26,210 as well as increased range.
133 00:12:27,590 --> 00:12:32,210 The 802.11n standard also supported the dual band configuration.
134 00:12:32,660 --> 00:12:35,960 So it's still very common to see 802.11n routers.
135 00:12:35,960 --> 00:12:38,930 Even today, though, ac has kind of taken over the market.
136 00:12:40,340 --> 00:12:43,790 IEEE does not actually test equipment for compliance.
137 00:12:44,180 --> 00:12:48,290 So there's a group called the Wi-Fi Alliance, which runs a program
138 00:12:48,290 --> 00:12:54,500 that all manufacturers that want to produce wireless devices have to pay to participate in.
139 00:12:55,560 --> 00:12:57,820 So this is the Wi-Fi Alliance web page.
140 00:12:58,450 --> 00:13:05,680 You can see a little bit about who they are, what organizations are members, where their direction
141 00:13:05,680 --> 00:13:06,310 is going.
142 00:13:06,550 --> 00:13:11,830 And if you want a product that's actually certified, you look for the Wi-Fi CERTIFIED logo.
143 00:13:12,320 --> 00:13:15,730 So generally, that is the brand.
144 00:13:15,730 --> 00:13:17,130 If you want to become a member,
145 00:13:17,170 --> 00:13:24,970 you have to, of course, pay a fee, either be a contributor to drive the actual process, or you can
146 00:13:24,970 --> 00:13:25,920 be an implementer.
147 00:13:25,930 --> 00:13:30,070 But there are some small business organizations as well.
148 00:13:33,880 --> 00:13:37,810 But you have to be part of the group to be able to use that membership.
149 00:13:42,540 --> 00:13:48,040 So now let's talk about some different terminology around Wi-Fi.
150 00:13:48,630 --> 00:13:51,990 So there's this idea of Wi-Fi
151 00:13:53,080 --> 00:13:53,740 chalking.
152 00:13:55,070 --> 00:14:01,640 Again, it's somewhat gone away in recent years, but it is still an interesting part of the Wi-Fi
153 00:14:01,730 --> 00:14:02,120 802.11
154 00:14:02,120 --> 00:14:03,140 story.
155 00:14:03,740 --> 00:14:05,240 So we have a few terms.
156 00:14:05,240 --> 00:14:07,130 First, we have war driving.
157 00:14:07,130 --> 00:14:13,370 This was the idea of searching around for Wi-Fi networks by a person, usually in a moving vehicle,
158 00:14:13,370 --> 00:14:19,970 or maybe with a laptop or a smartphone. There's software for war driving freely available on the Internet.
159 00:14:21,410 --> 00:14:24,020 One such piece of software we'll get into here momentarily.
160 00:14:24,350 --> 00:14:34,010 There's also war cycling, war walking or war flying with a drone, to try and gather access point information.
161 00:14:34,010 --> 00:14:36,950 So if you want to do war driving, you've got to have
162 00:14:36,950 --> 00:14:40,850 a device. It could be a laptop, could be a smartphone.
163 00:14:40,850 --> 00:14:47,840 You have to have the right type of wireless network card, or NIC card, that will work in promiscuous mode.
164 00:14:47,960 --> 00:14:54,350 So promiscuous mode means that it will receive traffic that is not necessarily addressed to it.
165 00:14:54,770 --> 00:15:03,140 So the antenna could be mounted on the car or on a bicycle, because the wireless LAN may actually extend
166 00:15:03,140 --> 00:15:04,490 outside of an office building.
167 00:15:04,490 --> 00:15:10,280 A user could potentially get information on the networks and possibly gain access to other things.
168 00:15:20,250 --> 00:15:22,800 So let's talk about the different types of wireless networks.
169 00:15:22,800 --> 00:15:26,280 And to do that, we really have to talk about wireless encryption.
170 00:15:27,420 --> 00:15:37,350 So we started out with WEP, or Wired Equivalent Privacy, which was not designed to be a long-term solution,
171 00:15:37,350 --> 00:15:44,640 but it was designed to provide roughly the same level of security as a wired network.
172 00:15:49,550 --> 00:15:52,370 So we have some other Wi-Fi terms.
173 00:15:52,700 --> 00:15:53,330 We have
174 00:15:55,090 --> 00:16:00,010 WPA, which came out as more of a replacement of WEP, or an improvement to WEP,
175 00:16:00,940 --> 00:16:08,230 Wi-Fi Protected Access, but has largely been deprecated because of known tools for breaching security.
176 00:16:09,100 --> 00:16:16,840 WPA can work with something called TKIP, which stands for Temporal Key Integrity Protocol, which is
177 00:16:16,840 --> 00:16:19,450 a type of encryption.
178 00:16:19,840 --> 00:16:26,710 Or it can be used with the RC4 stream cipher, which is what WEP was actually created with.
179 00:16:26,830 --> 00:16:34,150 Then you have WPA2, which is generally seen to be the preferred method of securing a wireless network
180 00:16:34,480 --> 00:16:41,080 because it uses something called Counter Cipher
181 00:16:42,860 --> 00:16:45,890 Block Chaining Message Authentication Code
182 00:16:46,160 --> 00:16:48,380 Protocol, or CCMP.
183 00:16:48,740 --> 00:16:55,760 It's based on the Advanced Encryption Standard, or AES, which is the approved encryption standard
184 00:16:55,760 --> 00:16:57,080 as far as the U.S.,
185 00:16:57,590 --> 00:17:00,170 adopted by the NSA, though it has been
186 00:17:02,930 --> 00:17:03,500 somewhat
187 00:17:06,270 --> 00:17:14,070 questioned as to whether that standard can continue to be approved in the era of quantum computing and
188 00:17:14,070 --> 00:17:22,800 all the technology, but for the foreseeable future, AES as well as CCMP will be around and be utilized.
189 00:17:22,800 --> 00:17:23,130 Now,
190 00:17:23,370 --> 00:17:29,510 WEP is different from WPA and WPA2.
191 00:17:29,520 --> 00:17:33,480 There are WPA Personal and WPA2 Enterprise.
192 00:17:33,780 --> 00:17:35,100 Now these tend to be:
193 00:17:36,870 --> 00:17:42,900 personal, meaning what you would use around your home network; enterprise would be used for a business
194 00:17:42,900 --> 00:17:50,880 or a company and could take advantage of more advanced authentication methods like EAP, the Extensible
195 00:17:50,910 --> 00:17:52,350 Authentication Protocol.
196 00:17:53,250 --> 00:17:54,840 So these are the different types of networks.
197 00:17:54,840 --> 00:18:00,180 They're usually defined by their security level and their encryption type.
198 00:18:02,350 --> 00:18:05,640 So let's look at the different types of wireless encryption.
199 00:18:08,340 --> 00:18:12,120 We have WEP, Wired Equivalent Privacy,
200 00:18:14,930 --> 00:18:16,550 which has been broken
201 00:18:18,070 --> 00:18:25,000 because of its poor handling of the RC4 stream cipher, particularly the initialization vector.
202 00:18:32,600 --> 00:18:35,660 So WEP has been broken for a long, long time.
203 00:18:36,560 --> 00:18:43,670 WPA came out and did some improvements on it, and because WPA has the enterprise mode, it can
204 00:18:43,670 --> 00:18:46,280 be used with EAP as well as RADIUS.
205 00:18:46,580 --> 00:18:53,450 RADIUS stands for Remote Authentication Dial-In User Service, and it works over port 1812.
206 00:18:53,750 --> 00:19:01,370 And it's what we call a triple-A protocol, an authorization, authentication and accounting protocol.
207 00:19:01,910 --> 00:19:05,120 The point of RADIUS is to provide secure
208 00:19:06,760 --> 00:19:08,200 network access control.
209 00:19:09,100 --> 00:19:17,380 Many times EAP and RADIUS are combined with something called 802.1X. WPA2,
210 00:19:17,620 --> 00:19:24,370 on the other hand, can also be used with Temporal Key Integrity Protocol, but it is preferred to be
211 00:19:24,370 --> 00:19:25,150 used with
212 00:19:26,640 --> 00:19:30,960 CCMP because of its being based on AES.
213 00:19:32,560 --> 00:19:40,660 So TKIP came around with the IEEE 802.11i standard for wireless LANs, and there are generally
214 00:19:43,750 --> 00:19:46,600 two methods of doing wireless networks.
215 00:19:46,600 --> 00:19:50,770 You can either do a pre-shared key or you can do an open network.
216 00:19:50,770 --> 00:19:57,790 A pre-shared key is where you have to put in a passphrase or a password to your network before you can
217 00:19:57,790 --> 00:19:58,450 authenticate.
218 00:19:58,480 --> 00:20:05,200 Now, this can be done in an enterprise scenario with something like certificate-based authentication
219 00:20:05,500 --> 00:20:08,920 or a smart card or something like that.
220 00:20:09,550 --> 00:20:10,060 Now,
221 00:20:16,300 --> 00:20:24,580 hotels, many coffee shops, many airports use open wireless networks in order to use something called
222 00:20:24,580 --> 00:20:26,470 a captive portal instead of using
223 00:20:27,900 --> 00:20:28,320 the
224 00:20:29,350 --> 00:20:30,370 pre-shared key.
225 00:20:30,370 --> 00:20:35,710 They'll just have you authenticate within the browser, and then you'll gain additional network access
226 00:20:35,710 --> 00:20:39,610 once you provide some type of credentials or a form of payment.
227 00:20:40,360 --> 00:20:47,200 Now, with respect to AES and DES, these are two symmetric encryption algorithms.
228 00:20:47,200 --> 00:20:49,610 They are actually block ciphers.
229 00:20:49,630 --> 00:20:55,780 DES stands for the Data Encryption Standard, and it has been largely deprecated.
230 00:20:56,320 --> 00:21:05,290 It was a 64-bit block size with a 56-bit key, and it was designed before we had AES.
231 00:21:05,740 --> 00:21:12,040 And essentially, it has been deprecated or replaced by Triple DES, or 3DES.
232 00:21:12,400 --> 00:21:20,800 So AES is generally the recommended solution, or if you cannot support AES in your particular organization,
233 00:21:20,800 --> 00:21:23,710 you can use 3DES as a recommended standard.
234 00:21:24,400 --> 00:21:32,710 Now, with respect to enterprise security, the best practice is to use 802.1X with RADIUS, and it uses
235 00:21:32,710 --> 00:21:35,980 a shared secret, which is similar to a password.
236 00:21:36,610 --> 00:21:41,500 There are some different modes to EAP, or the Extensible Authentication Protocol.
237 00:21:41,980 --> 00:21:49,510 It has EAP-TLS, which is considered the most secure because it provides mutual authentication,
238 00:21:50,050 --> 00:21:54,940 but it needs an 802.1X server and it's largely certificate-based.
239 00:21:54,940 --> 00:21:58,960 There has to be a certificate on both the client and the server.
240 00:21:59,650 --> 00:22:08,830 So 802.1X can authenticate, using EAP and RADIUS, both devices as well as users.
241 00:22:09,460 --> 00:22:11,530 So things like switches,
242 00:22:12,790 --> 00:22:14,170 voice over IP phones.
243 00:22:16,520 --> 00:22:23,120 There's some other technologies like LEAP, which was the Lightweight EAP, which was created by Cisco,
244 00:22:23,360 --> 00:22:30,380 and then Protected EAP, which is a version that is often used in wireless networks and point to
245 00:22:30,380 --> 00:22:31,310 point connections.
246 00:22:31,340 --> 00:22:35,240 It was created by Microsoft, RSA and Cisco.
247 00:22:35,750 --> 00:22:39,650 But generally EAP-TLS is the most secure.
248 00:22:41,460 --> 00:22:43,530 And there are different types of wireless encryption.
249 00:22:44,040 --> 00:22:51,210 And depending on whether you are a small business, or even just a regular home user, or a large organization,
250 00:22:51,210 --> 00:22:55,710 you may have different choices for your wireless options.
251 00:22:55,740 --> 00:23:03,090 So now RADIUS and EAP may also work with something called federated systems.
252 00:23:03,360 --> 00:23:10,470 This means that you can actually log in one time with single sign-on and get access to multiple systems
253 00:23:10,470 --> 00:23:11,520 instead of just one
254 00:23:13,820 --> 00:23:14,450 system.
255 00:23:15,110 --> 00:23:18,200 So this can use any of the EAP versions.
256 00:23:19,540 --> 00:23:24,190 And it's very advantageous for organizations.
257 00:23:31,100 --> 00:23:35,870 Now let's look at some of the different ways in which you can gather information on Wi-Fi.
258 00:23:42,010 --> 00:23:48,760 So we have here WiGLE.net, which is essentially all the networks found by everyone.
259 00:23:48,760 --> 00:23:52,050 So you can actually put in a latitude and longitude.
260 00:23:52,570 --> 00:23:59,830 You can zoom in, zoom out, you can go pretty much anywhere in the different areas that have Wi-Fi
261 00:23:59,830 --> 00:24:02,950 found, and it's pretty much worldwide.
262 00:24:03,730 --> 00:24:07,810 So you can see different areas; obviously, the larger the
263 00:24:08,990 --> 00:24:12,650 density of Wi-Fi networks, you'll have larger areas.
264 00:24:14,850 --> 00:24:18,840 And you can see different hotspots individually.
265 00:24:18,840 --> 00:24:25,020 You can actually put in SSIDs if you know the name of the hotspot, or if you know the MAC address;
266 00:24:25,680 --> 00:24:27,030 you can sort by date.
267 00:24:27,540 --> 00:24:33,530 So if you want to cut out for a particular time to see what's new, you can do that as well.
268 00:24:33,540 --> 00:24:37,800 You can filter based on ones that are possibly free.
269 00:24:39,550 --> 00:24:40,030 Down here,
270 00:24:40,030 --> 00:24:46,570 we can see the statistics over time as to how the wireless networks increased, starting out.
271 00:24:48,580 --> 00:24:54,220 You know, before 2010, it was a much lower number, daily in the tens of millions.
272 00:24:54,250 --> 00:24:58,510 Now, today, we're in the hundreds of millions of wireless access points.
273 00:24:58,870 --> 00:25:04,600 And notice that in the early days of them keeping track of this information, networks were largely
274 00:25:04,600 --> 00:25:05,410 unencrypted.
275 00:25:06,460 --> 00:25:09,730 They did not have WPA or WEP.
276 00:25:10,420 --> 00:25:15,970 Notice on this chart, there's a legend here that shows the red is unencrypted, the green is encrypted,
277 00:25:16,270 --> 00:25:22,480 and then they break down the green as to what percentage is each type of encryption algorithm.
278 00:25:22,990 --> 00:25:24,970 So around 2005,
279 00:25:26,980 --> 00:25:34,990 2006, the unencrypted started dropping below the encrypted, and then slowly we started increasing the
280 00:25:34,990 --> 00:25:37,290 number of encrypted networks.
281 00:25:37,290 --> 00:25:44,710 So if you fast forward all the way to today, you can see that 77% of the networks are encrypted, 18%
282 00:25:44,710 --> 00:25:48,250 are unknown, only 3% are unencrypted, roughly.
283 00:25:48,580 --> 00:25:52,250 And of that, about 67% are running WPA2.
284 00:25:53,620 --> 00:25:57,370 There are a few networks still out there with WEP and WPA.
285 00:25:58,720 --> 00:26:02,650 And so how do you find out, or how do you submit, this information?
286 00:26:02,720 --> 00:26:08,260 Not only does this have wireless access points, it has Bluetooth devices, it has cell towers.
287 00:26:08,950 --> 00:26:11,020 They also have an app on Android.
288 00:26:11,410 --> 00:26:12,850 Sadly, no iOS app.
289 00:26:13,330 --> 00:26:17,620 But if you want to, you can do an advanced search
290 00:26:18,920 --> 00:26:26,150 if you log in with an account; you have to first register to get an account from them.
291 00:26:26,600 --> 00:26:28,250 They do track some information.
292 00:26:29,420 --> 00:26:35,780 You can upload data to the site from different types of wireless tools like inSSIDer, KisMAC,
293 00:26:35,780 --> 00:26:43,370 Kismet, but you have to have a particular type of upload and make sure it's in the appropriate format
294 00:26:44,120 --> 00:26:44,660 for them.
295 00:26:45,500 --> 00:26:52,610 So there are different types of network stumbling tools, or network reconnaissance tools, depending on
296 00:26:52,850 --> 00:26:53,840 what
297 00:26:56,320 --> 00:26:57,730 version you're trying to capture.
298 00:26:58,330 --> 00:27:03,130 So if you want to look at this, there is their Android app you can go to.
299 00:27:03,340 --> 00:27:10,510 This is kind of an example of what you would see as you're driving around or walking around with a special
300 00:27:10,510 --> 00:27:11,200 type of antenna.
301 00:27:11,230 --> 00:27:18,610 You can actually capture traffic with their app and then upload it to improve the information.
302 00:27:19,630 --> 00:27:26,830 So the tools, if you want to download the tools, you can download different maps for Google Earth
303 00:27:27,310 --> 00:27:31,960 and different ways to overlay that with the actual wireless
304 00:27:35,750 --> 00:27:36,920 SSID locations.
305 00:27:36,920 --> 00:27:41,390 There are some other tools written in Python that will do some other things as well.
306 00:27:42,440 --> 00:27:47,480 You can also use their API if you're a developer and you want to utilize their API.
307 00:27:48,470 --> 00:27:53,000 They have a JSON RESTful API to be able to add functionality
308 00:27:54,390 --> 00:27:54,960 as well.
309 00:27:57,150 --> 00:28:00,450 So now, there are lots of different reconnaissance tools.
310 00:28:00,450 --> 00:28:04,650 There's Wi-Fi analyzers, there's smartphone apps, there's many, many different options.
311 00:28:05,280 --> 00:28:08,190 And we'll get into some of those here momentarily.
312 00:28:09,850 --> 00:28:15,820 So bottom line, with respect to the cryptographic protocols of wireless, WPA was an interim replacement
313 00:28:15,820 --> 00:28:16,360 for WEP.
314 00:28:16,660 --> 00:28:17,800 It's been deprecated.
315 00:28:18,340 --> 00:28:23,440 WPA2 is the current standard, although there are WPA3 networks that are popping up.
316 00:28:25,030 --> 00:28:32,380 And then, of course, TKIP, Temporal Key Integrity Protocol, is an older encryption protocol used with WPA.
317 00:28:32,950 --> 00:28:36,310 And then we have CCMP, which is based on AES.
318 00:28:37,090 --> 00:28:40,180 So that's the recommended solution to be used with WPA2.
319 00:28:42,280 --> 00:28:43,990 So how do we secure wireless networks?
320 00:28:43,990 --> 00:28:46,750 Don't use WEP; use WPA2.
321 00:28:46,960 --> 00:28:50,710 Or if you do use WPA, use it with AES.
322 00:28:52,740 --> 00:28:57,240 If you have an older router that doesn't support WPA2, it might be time for an upgrade.
323 00:28:59,210 --> 00:29:04,430 So let's talk about some of the other wireless terms to understand, and important information that
324 00:29:05,590 --> 00:29:10,180 will help you understand wireless networking other than just 802.11
325 00:29:12,500 --> 00:29:13,520 wireless fidelity.
326 00:29:13,790 --> 00:29:19,430 So we have GSM, which is the Global System for Mobile Communication. We have
327 00:29:21,940 --> 00:29:26,560 DSSS, direct sequence spread spectrum.
328 00:29:26,560 --> 00:29:33,190 So the original data signal gets multiplied by some pseudo-random noise spreading codes.
329 00:29:34,180 --> 00:29:38,560 Then we have frequency hopping spread spectrum.
330 00:29:39,070 --> 00:29:46,150 This is essentially a method of transmitting radio signals and rapidly switching the carrier among them.
331 00:29:49,170 --> 00:29:57,090 We have the term BSSID, or the basic service set identifier, which is the MAC address of
332 00:29:57,090 --> 00:29:58,260 the wireless access point.
333 00:29:58,260 --> 00:30:01,740 So if you see the BSSID, that is the MAC address.
334 00:30:06,350 --> 00:30:12,710 The bandwidth is actually just the range of frequencies that the wireless signal is traversing.
335 00:30:13,950 --> 00:30:18,000 And then we have OFDM, orthogonal frequency division multiplexing.
336 00:30:18,300 --> 00:30:22,530 This is a method of encoding carrier frequency signals. 337 00:30:26,910 --> 00:30:32,330 Or, as a method of digital signal modulation, 338 00:30:32,940 --> 00:30:37,760 you take a single data stream and split it across several narrowband channels at different frequencies. 339 00:30:38,210 --> 00:30:44,240 So the original data streams and bits will be sent essentially in parallel instead of being sent 340 00:30:44,240 --> 00:30:45,110 in serial. 341 00:30:48,960 --> 00:30:51,360 So the benefit of this is to improve 342 00:30:53,050 --> 00:30:59,170 transmission technology, to get cleaner transmission. In the early days, OFDM was conceived in the 343 00:30:59,170 --> 00:31:04,420 1960s and 1970s with the goal of minimising the interference amongst the different channels. 344 00:31:04,430 --> 00:31:12,460 So it's used not only in Wi-Fi, it's also used in 4G LTE communications, as well as even TV broadcasting 345 00:31:12,460 --> 00:31:13,150 services. 346 00:31:19,200 --> 00:31:21,300 So direct sequence spread spectrum. 347 00:31:21,510 --> 00:31:28,320 This is a spread spectrum modulation technique, again, to try and reduce overall signal interference. 348 00:31:30,410 --> 00:31:35,930 So the signal gets made wider than the actual information bandwidth. 349 00:31:36,920 --> 00:31:39,560 So how does the signal get transmitted? 350 00:31:40,310 --> 00:31:45,080 The sequence is already known by the receiver, so the transmitter and the receiver can get the same 351 00:31:45,440 --> 00:31:51,710 information and then the receiver can do the opposite process to reconstruct the received 352 00:31:51,710 --> 00:31:52,190 signal. 353 00:31:54,240 --> 00:31:58,590 So frequency-hopping spread spectrum and 354 00:31:59,820 --> 00:32:07,050 direct sequence spread spectrum are often used in CDMA, code division multiple access, 355 00:32:08,770 --> 00:32:09,670 which is a common
356 00:32:13,120 --> 00:32:17,290 time-sharing technique amongst multiple cellular providers. 357 00:32:21,870 --> 00:32:29,450 So in DSSS and CDMA, a single frequency is used and frequency reuse is not allowed. 358 00:32:30,120 --> 00:32:31,350 The sender has to wait 359 00:32:31,650 --> 00:32:36,590 if the medium is busy, and the power strength is much lower on DSSS 360 00:32:37,630 --> 00:32:41,400 versus frequency-hopping spread spectrum. 361 00:32:44,350 --> 00:32:50,880 The advantage of frequency hopping is that it is often cheaper and it is more common, but spread spectrum 362 00:32:52,870 --> 00:32:54,180 eliminates crosstalk. 363 00:32:54,190 --> 00:33:01,360 It has better output with integrity, it reduces noise, and it results in longer operational distances 364 00:33:01,360 --> 00:33:02,140 of Wi-Fi. 365 00:33:06,600 --> 00:33:09,330 So Kali Linux is the main operating system for 366 00:33:11,180 --> 00:33:12,920 doing wireless penetration testing. 367 00:33:13,220 --> 00:33:18,290 But there are many tools involved, such as aircrack-ng. 368 00:33:18,650 --> 00:33:23,450 Aircrack-ng is the main tool for exploiting wireless vulnerabilities in Linux. 369 00:33:24,080 --> 00:33:32,600 There are different attacks like WEP, WPA2. Aircrack-ng can be installed on other Linux distributions. 370 00:33:40,470 --> 00:33:46,530 But as we're focusing on Kali here, this is what we will focus on. We will briefly just touch 371 00:33:46,530 --> 00:33:48,840 on the aircrack-ng website. 372 00:33:50,200 --> 00:33:56,830 So this is the complete set of tools that not only has monitoring, attacking, cracking WEP pre-shared 373 00:33:56,830 --> 00:33:57,580 keys. 374 00:33:59,650 --> 00:34:05,500 And they have robust instructions if you want to get started either through a Linux distribution.
375 00:34:05,740 --> 00:34:12,960 One of the key things to make sure is if your wireless chipset is compatible with these tools; 376 00:34:12,970 --> 00:34:14,500 some chipsets are not. 377 00:34:14,920 --> 00:34:22,270 So you can go look at the aircrack website to see if your chipset is actually compatible. 378 00:34:27,150 --> 00:34:29,250 And you'll have to look at your 379 00:34:30,690 --> 00:34:31,590 information. 380 00:34:32,340 --> 00:34:37,260 Certain Linux distributions will have the list of drivers. 381 00:34:37,860 --> 00:34:44,640 There's, of course, usually it's going to be some type of Atheros chipset, Ralink-based cards 382 00:34:45,090 --> 00:34:46,010 or something like that. 383 00:34:46,020 --> 00:34:49,320 You can run the command from within 384 00:34:49,980 --> 00:34:52,230 Kali Linux. We'll go ahead and go in here. 385 00:35:05,900 --> 00:35:09,540 So let's go into the home directory. 386 00:35:13,590 --> 00:35:18,630 And if you want to check and see if your wireless chipset is supported, you can get that information 387 00:35:18,930 --> 00:35:25,650 from the lsusb -v command and you can see 388 00:35:28,120 --> 00:35:31,240 what information you have returned. 389 00:35:31,960 --> 00:35:33,220 Just scroll up because. 390 00:35:38,900 --> 00:35:46,070 So in my case, mine is a Ralink Technology RT2870 wireless adapter, that's an 802.11n wireless 391 00:35:46,070 --> 00:35:46,580 LAN. 392 00:35:47,920 --> 00:35:50,620 It gives us a little bit more information about the adapter, the vendor, 393 00:35:52,710 --> 00:35:54,090 max packet size. 394 00:35:55,380 --> 00:36:03,300 So once you get this information, you can also look at the FCC ID as well. 395 00:36:04,800 --> 00:36:08,580 And you have to determine what driver you have. 396 00:36:11,750 --> 00:36:17,210 So in my case, mine is actually an Alfa brand wireless adapter and they're
397 00:36:18,480 --> 00:36:22,980 generally available on many, many different sites like Amazon. 398 00:36:22,990 --> 00:36:24,330 You can get them for not too much. 399 00:36:25,570 --> 00:36:35,740 We can do the lspci -v command, and we can see some other information about what modules we 400 00:36:35,740 --> 00:36:36,190 have. 401 00:36:41,750 --> 00:36:47,930 So one important thing to notice is that in many cases internal wireless adapters will just not work with 402 00:36:47,930 --> 00:36:50,450 Kali Linux and wireless pen testing. 403 00:36:50,720 --> 00:36:53,150 It's not because the adapter is not supported. 404 00:36:53,150 --> 00:36:58,820 It might be or it might not be, because most wireless chipsets do not support packet injection or the 405 00:36:58,820 --> 00:37:03,560 things that we need to be able to do to do a wireless attack. 406 00:37:05,450 --> 00:37:06,980 This is some of the information. 407 00:37:07,280 --> 00:37:10,280 This is how WEP networking works. 408 00:37:10,910 --> 00:37:15,770 So we can see we have a key store combined with the WEP key and an initialization vector. 409 00:37:16,160 --> 00:37:25,250 It gets fed into the RC4 cipher to create a key stream that gets XORed with some data and gets 410 00:37:25,250 --> 00:37:27,290 spit out into the ciphertext. 411 00:37:27,300 --> 00:37:29,330 So you have a WEP encrypted packet. 412 00:37:29,810 --> 00:37:37,970 There's some cyclic redundancy check or a checksum done for integrity checking, but that's the basic 413 00:37:37,970 --> 00:37:39,950 flow of WEP networking. 414 00:37:41,980 --> 00:37:44,740 So cracking a WEP network. 415 00:37:45,340 --> 00:37:54,400 The tools you'll need are Wireshark, aireplay-ng and airodump-ng and aircrack-ng, all of which come 416 00:37:54,400 --> 00:37:55,390 with Kali Linux. 417 00:37:55,840 --> 00:37:57,400 This is the basic process. 418 00:37:57,760 --> 00:38:00,070 We start the wireless card in monitor mode.
419 00:38:00,430 --> 00:38:07,510 We test the injection capability, we use aireplay-ng to fake the authentication process, and we 420 00:38:07,510 --> 00:38:10,240 start collecting initialization vectors. 421 00:38:12,350 --> 00:38:19,490 So we can use the aireplay-ng tool to replay packets, and then we run the aircrack-ng tool to extract 422 00:38:19,490 --> 00:38:20,510 the encryption key. 423 00:38:20,870 --> 00:38:26,210 This is not very difficult and the tools are preloaded with Kali Linux. 424 00:38:26,720 --> 00:38:28,760 So let's go ahead and go over to our 425 00:38:31,110 --> 00:38:31,950 Kali box. 426 00:38:35,220 --> 00:38:36,690 Let's go over to our Kali box. 427 00:38:36,720 --> 00:38:42,450 There's some basic commands we'll have to get through. Besides, once we've figured out that our hardware 428 00:38:42,450 --> 00:38:49,650 is compatible and our wireless adapter is compatible, we have to look at our networking. 429 00:38:50,190 --> 00:38:55,230 So you want to make sure that your wireless device is actually configured. 430 00:38:55,860 --> 00:38:58,890 I've already put my wireless card into monitor mode. 431 00:38:59,970 --> 00:39:06,120 I have an Alfa Network 802.11 b/g/n long-range adapter. 432 00:39:06,450 --> 00:39:11,190 Its model number is AWUS036NH. 433 00:39:12,180 --> 00:39:18,840 So I'm going to go ahead and look at my wireless config with the iwconfig command and we can see that 434 00:39:18,840 --> 00:39:26,730 mine is in monitor mode and my frequency is 2.412 GHz with a power level of 20 dBm. 435 00:39:27,750 --> 00:39:37,830 If I want to look at the man pages for configuring, iwconfig is similar to ifconfig, 436 00:39:37,830 --> 00:39:40,200 but it's dedicated to the wireless interface. 437 00:39:41,440 --> 00:39:46,810 So you can change the network ID. You can change the frequency, the channel. 438 00:39:47,440 --> 00:39:48,860 You can even change the mode.
439 00:39:48,860 --> 00:39:53,260 If you want to change it to an ad hoc network, you can change the bit rate depending on whether the 440 00:39:53,260 --> 00:39:54,640 card supports it or not. 441 00:39:55,930 --> 00:40:00,130 If you have multiple transmit powers supported on your card, you can change that as well. 442 00:40:09,770 --> 00:40:11,570 Let's go ahead and clear the screen. 443 00:40:12,440 --> 00:40:18,260 And so if I were going to put my wireless card into monitor mode, I would type the 444 00:40:18,710 --> 00:40:24,290 airmon-ng command and then start wlan0. 445 00:40:25,340 --> 00:40:27,410 And it's already started. 446 00:40:29,000 --> 00:40:34,760 So if I just run the command without any arguments, we'll see that I already have my wireless card 447 00:40:34,760 --> 00:40:38,480 in monitor mode, so I'm already ready to start doing 448 00:40:40,000 --> 00:40:40,720 capturing. 449 00:40:41,740 --> 00:40:44,800 I can also change my MAC address. 450 00:40:46,940 --> 00:40:50,690 There is a tool called macchanger for doing that. 451 00:40:52,340 --> 00:40:59,780 If it is not installed in your Linux box, you can do an apt-get install macchanger. 452 00:41:05,470 --> 00:41:08,620 If I want to change the MAC address for my network interface, 453 00:41:09,740 --> 00:41:12,460 set it to be something random, some random vendor, 454 00:41:12,470 --> 00:41:20,870 so as to further anonymize the activities. Of course, I should say that you should not hack wireless 455 00:41:20,870 --> 00:41:24,200 networks that you're not authorized to, if you don't have permission. 456 00:41:24,560 --> 00:41:25,520 That is a crime. 457 00:41:25,520 --> 00:41:30,680 And these techniques should not be used to perform nefarious activities. 458 00:41:34,410 --> 00:41:40,260 So if you do want to change the MAC address, you have to first bring the interface down and then 459 00:41:40,260 --> 00:41:41,070 bring it back up.
460 00:41:41,490 --> 00:41:44,100 You can do that with the ifconfig command. 461 00:41:45,970 --> 00:41:51,370 ifconfig and then, because it's its own interface, wlan0mon down. 462 00:41:52,470 --> 00:41:53,970 And we brought the interface down. 463 00:41:54,540 --> 00:41:56,760 Now we'll bring it back up with ifconfig 464 00:41:57,180 --> 00:41:58,920 wlan0mon up. 465 00:42:04,670 --> 00:42:05,780 And it takes a second. 466 00:42:05,780 --> 00:42:11,600 And there we can see that it's now back up and we can verify that with iwconfig. 467 00:42:13,070 --> 00:42:22,730 Let's go ahead and clear the screen so we can start dumping out the wireless SSIDs, or the BSSIDs, I 468 00:42:22,730 --> 00:42:26,060 should say, with the airodump-ng command. 469 00:42:28,680 --> 00:42:35,430 And we're going to type in wlan0mon and we'll give it a little bit of time and we should 470 00:42:35,430 --> 00:42:36,270 see our 471 00:42:39,090 --> 00:42:43,080 BSSIDs populate here momentarily. 472 00:42:44,610 --> 00:42:47,250 Now let's look at how does WPA work. 473 00:42:47,250 --> 00:42:55,410 So WPA, Wi-Fi Protected Access, sends a temporal encryption key with an initialization vector and there's 474 00:42:55,410 --> 00:42:59,310 some mixing and some different cipher process. 475 00:42:59,310 --> 00:43:05,010 And eventually you can see here you get out your ciphertext. 476 00:43:12,540 --> 00:43:13,810 The WPA. 477 00:43:13,830 --> 00:43:20,310 You have to, because it uses a per-key encryption, a per-packet encryption key. 478 00:43:20,700 --> 00:43:23,130 They can be cracked using a dictionary attack. 479 00:43:23,970 --> 00:43:31,500 So to crack WPA, you have to stay near the access point to start capturing packets for a small amount 480 00:43:31,500 --> 00:43:36,720 of time, which is enough to capture the authentication handshake.
481 00:43:38,060 --> 00:43:44,060 And you send a deauthentication attack to essentially disconnect the client and reconnect the client back 482 00:43:44,060 --> 00:43:49,370 to the network so we can try to authenticate and capture the traffic again. 483 00:43:50,210 --> 00:43:56,830 So once we get that authentication packet, we can then use aircrack to brute-force the keys. 484 00:44:19,340 --> 00:44:23,480 How does WEP stack up against WPA and WPA2? 485 00:44:23,510 --> 00:44:32,930 So WEP uses the RC4 cipher, whereas WPA uses the RC4 cipher with some more functionality, like 486 00:44:32,930 --> 00:44:34,490 802.1X and EAP. 487 00:44:34,970 --> 00:44:46,370 WPA2 also uses 802.1X with EAP and has automatic key distribution, whereas WEP must be done 488 00:44:46,370 --> 00:44:46,970 manually. 489 00:44:46,970 --> 00:44:53,360 And there's reuse of initialization vectors, which can also cause problems. 490 00:44:53,750 --> 00:44:57,260 Now let's talk about some of the different wireless attack types. 491 00:44:57,680 --> 00:45:05,330 There is the rogue access point, which will get into the evil twin attack, which is just another type 492 00:45:05,330 --> 00:45:06,350 of rogue access point. 493 00:45:06,650 --> 00:45:12,230 We'll look at client misassociation attacks and we'll look at MAC address spoofing. 494 00:45:14,760 --> 00:45:17,070 So the rogue access point is very similar. 495 00:45:17,280 --> 00:45:20,940 You place your rogue access point near a genuine access point. 496 00:45:22,450 --> 00:45:25,600 And then you essentially try to get people to connect to it. 497 00:45:35,760 --> 00:45:44,040 So the rogue access point could be set to a different SSID than the regular SSID of the organization, 498 00:45:44,040 --> 00:45:44,910 the coffee shop, 499 00:45:44,910 --> 00:45:45,390 the wire, 500 00:45:46,440 --> 00:45:47,190 the airport.
501 00:45:50,140 --> 00:45:56,410 So essentially the hacker will disable the legitimate access point or potentially just blast out the 502 00:45:56,410 --> 00:46:01,090 signal with enough power that it drowns out the legitimate access point signal. 503 00:46:02,140 --> 00:46:05,290 There are jamming devices which can be purchased for not too much money 504 00:46:05,620 --> 00:46:06,910 to help make this happen. 505 00:46:07,210 --> 00:46:14,050 Essentially, the goal is to get legitimate users to connect to the rogue access point or the evil twin. 506 00:46:14,060 --> 00:46:22,900 Now, the evil twin access point is designed to look very much like the real access point to the victim. 507 00:46:22,900 --> 00:46:23,320 The victim 508 00:46:23,320 --> 00:46:26,530 would see something like a Starbucks coffeehouse or 509 00:46:28,700 --> 00:46:31,550 something along those lines to be able to 510 00:46:33,170 --> 00:46:40,010 try to connect to it. So it could be free public Wi-Fi, could be airport Wi-Fi and so on and so 511 00:46:40,010 --> 00:46:40,400 forth. 512 00:46:41,940 --> 00:46:45,950 Let's talk about some of the different client misassociation attacks. 513 00:46:46,370 --> 00:46:52,220 So essentially what happens is an attacker will set up a rogue access point near the target company so 514 00:46:52,220 --> 00:46:54,560 that legitimate corporate users try to connect to it. 515 00:46:55,040 --> 00:47:01,520 Because corporate employees may or may not have training, they will just open up their Wi-Fi and connect 516 00:47:01,520 --> 00:47:01,790 to it. 517 00:47:01,790 --> 00:47:06,050 And now that attacker can essentially see everything that 518 00:47:07,810 --> 00:47:08,500 they're doing. 519 00:47:13,040 --> 00:47:19,250 So let's talk about some of the different ways in which attackers can perform these types of attacks.
520 00:47:19,640 --> 00:47:26,870 So in normal operation, we have ARP, we have Address Resolution Protocol, and we have MAC addresses. 521 00:47:26,870 --> 00:47:28,610 And there a switch has to learn 522 00:47:30,190 --> 00:47:33,390 what systems are connected to what port. 523 00:47:34,600 --> 00:47:40,690 So a switch uses a MAC address table to record the MAC addresses and the ports of hosts that the PC 524 00:47:40,720 --> 00:47:41,920 wants to send a frame to. 525 00:47:42,520 --> 00:47:45,970 So PC one wants to send a frame to PC number two. 526 00:47:47,110 --> 00:47:52,810 So the MAC address, which is ABCD F00-0002, 527 00:47:54,510 --> 00:47:58,920 is the destination of the frame sent to the switch. 528 00:47:59,100 --> 00:48:04,050 When it receives the frame, it looks at its MAC address table and finds out that the destination should 529 00:48:04,050 --> 00:48:05,880 be at port Fa0/2. 530 00:48:06,780 --> 00:48:09,690 So the switch then sends the frame to that port. 531 00:48:10,840 --> 00:48:17,260 So for a network spoofing attack or a MAC spoofing attack, an attacker will put the second PC's MAC 532 00:48:17,260 --> 00:48:20,950 address as the source address of the frame and send it to the switch. 533 00:48:21,370 --> 00:48:25,540 So the switch thinks that that 0002 is at port number three. 534 00:48:28,810 --> 00:48:31,330 And it will update its MAC address table accordingly. 535 00:48:31,570 --> 00:48:35,710 So now when PC one wants to send information to PC two, 536 00:48:36,010 --> 00:48:37,600 according to the MAC address table, 537 00:48:37,930 --> 00:48:43,330 the switch will send all the frames to the attacker instead of its intended recipient. 538 00:48:44,060 --> 00:48:47,230 That's basically how a MAC spoofing attack works. 539 00:48:47,500 --> 00:48:52,900 There are other tools like MAC flooding, which can be done on the network, or
540 00:48:54,230 --> 00:49:00,110 ARP replay, but they're not really done specifically for wireless networking. 541 00:49:03,110 --> 00:49:08,270 So let's look at some of the different tools. We have aircrack-ng, which is the monitoring, attacking, 542 00:49:08,300 --> 00:49:09,890 testing and cracking tool. 543 00:49:10,460 --> 00:49:16,250 We have Kismet, which is used for 802.11 sniffing, packet capture, logging. 544 00:49:16,700 --> 00:49:19,370 It is a client-server modular architecture. 545 00:49:20,030 --> 00:49:27,170 WiFi-Pumpkin, which has since been deprecated, is no longer being updated, but it is still available 546 00:49:27,440 --> 00:49:29,570 as a Wi-Fi access point. 547 00:49:30,260 --> 00:49:35,870 If you have a Raspberry Pi, you can use this to create the WiFi-Pumpkin for not too much money and 548 00:49:35,870 --> 00:49:39,170 make a rogue wireless access point yourself. 549 00:49:40,190 --> 00:49:46,630 Then we have Fern WiFi Cracker, which is used to crack many different types of wireless networks. 550 00:49:47,350 --> 00:49:53,470 And of course, as part of the wireless cracking process, we need to have a password cracking tool. 551 00:49:53,980 --> 00:50:00,580 So once we sniff the wireless passwords, then we can use the various password cracking techniques, 552 00:50:01,970 --> 00:50:03,560 of which Kali alone has many. 553 00:50:04,600 --> 00:50:06,130 So this is aircrack-ng. 554 00:50:06,610 --> 00:50:08,740 This is the WEP pre-shared key cracker. 555 00:50:09,550 --> 00:50:20,110 Once you recover enough WEP keys or WPA2, it can do different methods to essentially recover the 556 00:50:20,110 --> 00:50:20,530 key. 557 00:50:21,840 --> 00:50:27,900 So you can load in capture files, you can load in initialization vector files or even hashcat files, 558 00:50:28,200 --> 00:50:30,030 which is another password cracking tool.
559 00:50:31,040 --> 00:50:36,230 Its main focus is on the different ways of security, monitoring, replay attacks. 560 00:50:36,560 --> 00:50:40,040 It can also check versions of Wi-Fi cards. 561 00:50:40,370 --> 00:50:45,290 All the tools are at the command line, which allows for heavy scripting. 562 00:50:45,290 --> 00:50:48,470 A lot of the different GUIs have taken advantage of this. 563 00:50:49,950 --> 00:50:57,420 Primarily aircrack works on Linux, but it also works on OS X and FreeBSD systems as well. 564 00:50:59,250 --> 00:51:00,240 Then we have Kismet. 565 00:51:00,240 --> 00:51:08,100 Kismet is a wireless network and device detector, sniffer, wardriving tool and also a wireless intrusion 566 00:51:08,100 --> 00:51:09,240 detection framework. 567 00:51:09,600 --> 00:51:12,510 Kismet works with Wi-Fi interfaces, 568 00:51:12,840 --> 00:51:14,220 Bluetooth interfaces, 569 00:51:14,760 --> 00:51:16,650 some software-defined radio 570 00:51:18,640 --> 00:51:20,740 and other specialized capture hardware. 571 00:51:21,010 --> 00:51:26,020 It works on Linux, OS X and somewhat 572 00:51:27,810 --> 00:51:34,080 on Windows 10 in the Windows Subsystem for Linux framework. 573 00:51:34,080 --> 00:51:38,520 It'll work with most Wi-Fi cards, Bluetooth interfaces and hardware devices. 574 00:51:44,460 --> 00:51:47,430 So as of April 2020 is the latest version. 575 00:51:54,690 --> 00:51:56,940 And you can read more about this at their website. 576 00:51:59,640 --> 00:52:05,880 Then we have Fern WiFi Cracker. Fern is for wireless security auditing and is an attack software 577 00:52:05,880 --> 00:52:13,470 program written in Python. It can crack WEP, WPA keys and run other attacks on wireless networks. 578 00:52:15,350 --> 00:52:18,230 It uses the Python Qt GUI library.
579 00:52:18,860 --> 00:52:25,730 It can crack and recover WEP, WPA or WPS keys and run other network-based attacks on wireless or Ethernet 580 00:52:26,180 --> 00:52:26,750 networks. 581 00:52:26,780 --> 00:52:29,990 It can do WEP cracking with fragmentation, 582 00:52:29,990 --> 00:52:34,550 the chop-chop attack, ARP replay or WPS attacks. 583 00:52:35,770 --> 00:52:37,870 It can also do dictionary attacks 584 00:52:39,680 --> 00:52:42,170 and man-in-the-middle and brute-force attacks. 585 00:52:44,370 --> 00:52:45,990 Let's go over to our Kali box. 586 00:52:50,480 --> 00:52:51,860 And we can look at the 587 00:52:55,060 --> 00:52:56,920 various wireless tools. 588 00:52:57,910 --> 00:53:06,220 Under the number six heading, the wireless attacks setting, we can click on it and we'll see the 589 00:53:06,220 --> 00:53:07,660 different wireless tools: 590 00:53:07,990 --> 00:53:10,200 Fern WiFi Cracker, Kismet. 591 00:53:10,210 --> 00:53:19,300 Let's go ahead and launch Fern, and we have to put in a password because Kali Linux is not run as root 592 00:53:19,450 --> 00:53:21,100 anymore in the latest update. 593 00:53:22,180 --> 00:53:24,340 So it'll take a moment for it to launch. 594 00:53:30,580 --> 00:53:34,390 Notice when it pops up, there is a professional version of Fern WiFi Cracker. 595 00:53:34,780 --> 00:53:35,920 We're going to say no. 596 00:53:36,250 --> 00:53:42,910 We're going to select an interface card and we're going to go ahead and scan for access points. 597 00:53:43,360 --> 00:53:48,430 We can see that we have the latest update. Notice that it has some fairly robust tutorials. 598 00:53:49,000 --> 00:53:53,380 If I can zoom out a little bit just to make this a little bit easier. 599 00:54:01,620 --> 00:54:07,830 So to access settings, you can double-click anywhere on the main window. You pick what you 600 00:54:07,830 --> 00:54:13,380 want to scan for, pick what channel you want to scan on.
601 00:54:15,870 --> 00:54:20,640 We're just going to say all channels and we're going to go ahead and scan for access points. 602 00:54:21,090 --> 00:54:22,440 It says it's initializing. 603 00:54:23,920 --> 00:54:28,360 And we have, it will come back with some wireless access points. 604 00:54:28,900 --> 00:54:34,390 Notice it also tells us what version of aircrack we have installed as well as what version of Python. 605 00:54:35,830 --> 00:54:37,750 And it says it's currently active. 606 00:54:41,620 --> 00:54:48,100 There are some other tools here like cookie hijacking, geolocation tracking. 607 00:54:53,820 --> 00:55:00,590 That's a similar display you would see in Fern, Fern WiFi Cracker, as you detect different networks 608 00:55:00,600 --> 00:55:04,410 and it'll add the keys to the database over time. 609 00:55:06,750 --> 00:55:07,890 So let's look at 610 00:55:09,860 --> 00:55:11,060 WiFi-Pumpkin. 611 00:55:11,210 --> 00:55:13,550 It requires at least Python 2.7. 612 00:55:14,180 --> 00:55:21,860 Once you clone the repository, you can run the installer or you can download the Debian package directly 613 00:55:21,860 --> 00:55:24,440 and you'll get the GUI, 614 00:55:25,710 --> 00:55:26,550 like so. 615 00:55:27,810 --> 00:55:34,620 There are also some Bluetooth hacking tools. And bluesnarfing is the unauthorized access of information 616 00:55:34,620 --> 00:55:39,960 from a wireless device through Bluetooth, often through phones, laptops, PDAs. 617 00:55:41,040 --> 00:55:46,950 This allows you to get things like calendars, contact lists, emails, text messages on some phones. 618 00:55:47,280 --> 00:55:49,950 You can even copy pictures and private videos. 619 00:55:50,910 --> 00:55:55,830 Bluebugging is a form of Bluetooth attack, often caused by a lack of security awareness. 620 00:55:58,630 --> 00:56:03,400 This was developed after the onset of bluejacking and bluesnarfing. Similar to bluesnarfing,
621 00:56:03,790 --> 00:56:09,640 bluebugging accesses and uses all phone features, but is limited by the transmitter power of Bluetooth 622 00:56:09,640 --> 00:56:10,300 radios, 623 00:56:10,570 --> 00:56:12,790 normally at about 10 to 15 meters. 624 00:56:14,650 --> 00:56:19,750 BlueLog is a Linux Bluetooth scanner which is designed more for site surveys. 625 00:56:20,290 --> 00:56:27,850 There are even Bluetooth honeypots written in Java, and there are other devices 626 00:56:29,290 --> 00:56:33,190 like BlueMaho that can be used for testing Bluetooth with known vulnerabilities. 627 00:56:36,780 --> 00:56:42,840 There was a Bluetooth vulnerability recently called BlueBorne, which required all Bluetooth devices 628 00:56:42,840 --> 00:56:45,360 to update to the latest and greatest version. 629 00:56:45,390 --> 00:56:54,090 Usually, Bluetooth will result in an exploit with the OBEX protocol, which is the Bluetooth protocol. 630 00:56:55,200 --> 00:56:59,220 So we talked about a lot of different things here in the wireless section. 631 00:56:59,220 --> 00:57:04,860 So Wi-Fi, Wireless Fidelity, refers to the 802.11 IEEE standards. 632 00:57:04,860 --> 00:57:06,420 We talked about wardriving. 633 00:57:06,840 --> 00:57:10,350 We looked at driving around with a Wi-Fi-enabled laptop. 634 00:57:10,350 --> 00:57:17,310 We looked at WiGLE, we looked at warchalking, being drawing symbols in public places to advertise 635 00:57:17,310 --> 00:57:23,370 open Wi-Fi, which has largely gone by the wayside or disappeared altogether. 636 00:57:24,540 --> 00:57:28,830 We talked about warflying, using drones to detect open Wi-Fi networks. 637 00:57:29,250 --> 00:57:34,800 We also looked at the different types of wireless encryption, Extensible Authentication Protocol.
638 00:57:34,800 --> 00:57:42,330 We looked at RADIUS, the triple-A protocols, we looked at WEP, Wired Equivalent Privacy, we looked 639 00:57:42,330 --> 00:57:50,250 at WPA, Wi-Fi Protected Access, we looked at WPA2, Wi-Fi Protected Access version two. 640 00:57:50,580 --> 00:57:55,890 We talked about some of the encryption protocols, Temporal Key Integrity Protocol, which goes along 641 00:57:55,890 --> 00:57:57,990 with CCMP. 642 00:57:58,590 --> 00:57:59,250 We talked about. 643 00:57:59,250 --> 00:58:09,480 Remember that CCMP is an improved version of security for WPA2 and does work thanks to the Advanced 644 00:58:09,480 --> 00:58:10,560 Encryption Standard. 645 00:58:12,120 --> 00:58:16,440 We talked about the differences of personal versus enterprise versions of wireless. 646 00:58:16,830 --> 00:58:20,160 We talked about different wireless attacks, rogue access points. 647 00:58:20,640 --> 00:58:22,620 We talked about evil twin attacks. 648 00:58:23,400 --> 00:58:27,630 We looked at client misassociation attacks and even MAC spoofing. 649 00:58:30,650 --> 00:58:32,480 Now let's do some practice questions. 650 00:58:33,260 --> 00:58:39,520 IEEE 802.11 defines basic service set as the building block of wireless 651 00:58:39,530 --> 00:58:40,100 what? 652 00:58:41,630 --> 00:58:42,800 A, LAN. 653 00:58:44,160 --> 00:58:45,720 B, WAN protocol. 654 00:58:47,240 --> 00:58:47,840 C, 655 00:58:49,030 --> 00:58:49,660 MAN. 656 00:58:50,800 --> 00:58:52,930 Or D, all of the above. 657 00:58:55,610 --> 00:58:57,200 Answer is A, LAN. 658 00:58:57,560 --> 00:59:03,290 So the BSSID, or the basic service set, is the building block for wireless LANs. 659 00:59:05,240 --> 00:59:08,420 What is Wired Equivalent Privacy, or WEP? 660 00:59:11,150 --> 00:59:12,980 A, security algorithm for Ethernet. 661 00:59:14,400 --> 00:59:16,710 B, security algorithm for wireless networks. 662 00:59:18,050 --> 00:59:20,690 C, security algorithm for USB connections.
663 00:59:22,070 --> 00:59:23,330 Or D, none of the above. 664 00:59:25,930 --> 00:59:33,310 Answer is B, wireless networks. WEP is Wired Equivalent Privacy, which was designed to provide a similar 665 00:59:33,310 --> 00:59:36,400 level of security to wired networks. 666 00:59:36,430 --> 00:59:38,410 Of course, that did not turn out to be the case, 667 00:59:38,740 --> 00:59:40,480 thanks to many of the tools we looked at 668 00:59:40,480 --> 00:59:41,620 in Kali Linux. 669 00:59:44,970 --> 00:59:50,730 Question three: An attacker drives around a neighborhood with a car and a laptop looking for free Wi-Fi 670 00:59:50,970 --> 00:59:52,710 and uses them to attack servers. 671 00:59:52,740 --> 00:59:53,820 What is this called? 672 00:59:55,710 --> 00:59:57,030 A, Wi-Fi gaming. 673 00:59:58,320 --> 00:59:59,490 B, wardriving. 674 01:00:00,930 --> 01:00:02,400 C, Wi-Fi driving. 675 01:00:04,100 --> 01:00:05,360 Or D, warchalking. 676 01:00:09,890 --> 01:00:11,540 The answer is B, wardriving. 677 01:00:12,470 --> 01:00:17,930 So if you have a Wi-Fi-enabled laptop or smartphone or even a Wi-Fi Pineapple, 678 01:00:19,380 --> 01:00:20,730 you can perform wardriving. 679 01:00:21,210 --> 01:00:23,710 Question four: what is WPA? 680 01:00:26,010 --> 01:00:28,020 A, Wi-Fi Protected Access. 681 01:00:28,770 --> 01:00:30,780 B, Wired Protected Access. 682 01:00:31,740 --> 01:00:36,870 C, Wired Process Access, or D, Wi-Fi Process Access. 683 01:00:46,320 --> 01:00:48,990 Answer is A, Wi-Fi Protected Access. 684 01:00:52,390 --> 01:00:52,660 Number 685 01:00:52,660 --> 01:00:53,080 five. 686 01:00:53,110 --> 01:00:59,650 What is the term used to describe the ability for networking devices from different manufacturers to 687 01:00:59,650 --> 01:01:01,270 communicate effectively? 688 01:01:05,810 --> 01:01:07,430 A, interoperable. 689 01:01:09,300 --> 01:01:10,500 B, accessible. 690 01:01:12,390 --> 01:01:13,380 C, portable. 691 01:01:15,360 --> 01:01:16,560 Or D, scalable.
692 01:01:20,800 --> 01:01:24,250 The answer is A, interoperable, or interoperability. 693 01:01:24,790 --> 01:01:28,660 This is the ability for network devices from different manufacturers to communicate. 694 01:01:29,020 --> 01:01:35,170 One of the key things with wireless is to make sure that your chipset is capable of performing various 695 01:01:35,680 --> 01:01:38,020 injection and capturing. 696 01:01:40,130 --> 01:01:42,590 These are some of the different acronyms we talked about. 697 01:01:42,950 --> 01:01:44,930 We talked about Wi-Fi, GSM, 698 01:01:45,920 --> 01:01:54,290 WEP, WPA, WPA2. You might see Bluetooth abbreviated BT, the OBEX, which is the Bluetooth protocol. 699 01:01:55,070 --> 01:02:01,010 We talked about wireless access points and access points and the different types of networks we talked 700 01:02:01,010 --> 01:02:01,250 about, 701 01:02:01,510 --> 01:02:03,380 PSK, TKIP. 702 01:02:05,440 --> 01:02:09,400 And in summary, you should now have a better understanding of wireless networking, 703 01:02:09,760 --> 01:02:16,030 the types of wireless networking, wireless networking terminologies, the different bands of wireless 704 01:02:16,030 --> 01:02:22,990 networks, wireless encryption types, as well as wireless attacks and countermeasures. 705 01:02:25,170 --> 01:02:27,300 So I appreciate your attention in this module. 706 01:02:27,870 --> 01:02:28,920 I hope you learned a lot. 707 01:02:29,730 --> 01:02:34,110 There's a lot to wireless networking, a lot, especially with Kali Linux and all the different tools 708 01:02:34,590 --> 01:02:35,010 and. 709 01:02:36,700 --> 01:02:41,560 Just a disclaimer to use these tools responsibly, not to attack wireless networks 710 01:02:41,560 --> 01:02:42,610 you do not have permission for. 711 01:02:43,900 --> 01:02:46,120 And we'll see you in the next module.