Security+: Wireless Attacks (SY0-401) [DECOMMISSIONED ARTICLE]

October 31, 2017 by Infosec

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


Being able to communicate without wires was a real paradigm shift in the field of information technology. While wireless technology makes it easier to set up networks, it also opens the door to various kinds of cyberattacks. For anyone pursuing the Security+ certification, it’s of paramount importance to know about the most prevalent (and the most dangerous) wireless attacks out there. This article covers the wireless attacks that candidates preparing for the Security+ exam should be familiar with, and how well each of them needs to be understood.

The Internet can be a dangerous place if enough care is not taken while setting up a system’s security layers. Many attacks happen because of vulnerabilities that arise due to lack of awareness, developer incompetence, and outdated software, among other things. To learn about some of the most common security vulnerabilities that need to be eliminated at any cost from a security infrastructure, click here.

Wireless Attacks for Security+

Attaining the Security+ certification is a goal for many beginning information security professionals, especially because it enhances their credibility and gives them a competitive advantage over their peers on job applications. Knowledge of the most prevalent wireless attacks is a firm requirement in this regard, as exams over the years have contained multiple questions from this segment. Let’s look at the ones that can’t be missed.

Packet Sniffing

Probably the simplest to perform (yet among the most dangerous) is the packet sniffing attack. Packet sniffing is the capture of data packets as they are transferred over a computer network; a packet sniffer is the device or software used for this purpose. Packet sniffing has many legitimate uses, such as network performance monitoring and troubleshooting. However, attackers use it to obtain information about networks they eventually want to break into. On a wireless network the capture is entirely passive, so the attacker never has to join the network to see its traffic. Packet sniffers can reveal sensitive information such as IP addresses, passwords, the protocols in use, and encryption keys.

Preventing packet sniffing is very difficult, but making the sniffed packets undecipherable to the attacker is considerably simpler. Using strong authentication protocols (like Kerberos) and strong encryption renders captured traffic useless to them. To learn more about packet sniffing and the potential vulnerabilities, visit this link.

Rogue Access Points

A rogue access point (AP) is a wireless access point that is installed on an enterprise network without administrative authorization. Rogue APs are normally created when legitimate users naively install them without being aware of the vulnerabilities and implications they create, but they can also be planted by an outsider or deliberately installed during an insider attack. Regardless of the cause, a rogue access point is a huge security threat because it creates a wireless backdoor into the network that can be used by unauthorized parties. Because the rogue AP sits inside the perimeter, access control lists and firewalls at the network edge can’t help in such a scenario.

The best way to ensure that rogue access points never get created is by spreading awareness among employees about the potential threats. In addition, rogue access point scanners (or a wireless intrusion detection system) should be run periodically, comparing what is seen over the air against an inventory of authorized access points, to ensure that the network is safe from unauthorized access. To know all there is about rogue access points, visit this link.
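The periodic rogue AP check described above, as an added example that is not part of the original article: constructed scan output is compared against a constructed inventory of authorized access points keyed by BSSID. A corporate SSID advertised from an address that was never deployed is flagged as an evil twin, an authorized BSSID seen with a different SSID or security setting is flagged as spoofed, and everything else is reported as unknown for wired-side follow-up.

```python
# Constructed inventory of authorized APs keyed by BSSID (values made up).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpNet", "channel": 36, "security": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "CorpNet", "channel": 44, "security": "WPA2"},
}
CORPORATE_SSIDS = {ap["ssid"] for ap in AUTHORIZED_APS.values()}

# Constructed scan output, one AP per line: ssid,bssid,channel,security
SCAN_RESULTS = """\
CorpNet,00:11:22:33:44:01,36,WPA2
CorpNet,00:11:22:33:44:02,44,WPA2
CorpNet,AA:BB:CC:DD:EE:FF,6,Open
CorpNet,00:11:22:33:44:01,36,Open
Printer-Setup,DE:AD:BE:EF:00:01,11,WPA2
NeighborCafe,12:34:56:78:9A:BC,1,WPA2
"""

def parse_scan(text: str) -> list:
    """Turn the scanner's CSV-style lines into dicts with normalized BSSIDs."""
    aps = []
    for line in text.strip().splitlines():
        ssid, bssid, channel, security = [f.strip() for f in line.split(",")]
        aps.append({"ssid": ssid, "bssid": bssid.lower(),
                    "channel": int(channel), "security": security})
    return aps

def classify(ap: dict) -> str:
    known = AUTHORIZED_APS.get(ap["bssid"])
    if known is not None:
        # Our BSSID, but the advertised SSID or security differs from the
        # inventory: the address is being cloned (or the AP was misconfigured).
        if (known["ssid"], known["security"]) != (ap["ssid"], ap["security"]):
            return "spoofed-bssid"
        return "authorized"
    if ap["ssid"] in CORPORATE_SSIDS:
        return "evil-twin"      # corporate SSID from an address we never deployed
    return "unknown"            # not ours; confirm via wired-side MAC lookup

def find_rogues(text: str) -> dict:
    """Group every non-authorized AP by finding type for the report."""
    report = {"spoofed-bssid": [], "evil-twin": [], "unknown": []}
    for ap in parse_scan(text):
        kind = classify(ap)
        if kind != "authorized":
            report[kind].append(ap["bssid"])
    return report
```

Unknown SSIDs may simply be neighbors; a real scanner confirms a rogue by matching the AP's MAC against switch port tables on the wired side.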

War Driving

War driving is the practice of searching for wireless networks by driving around with a portable device. Attackers who war-drive collect network information without actually getting into the network; actually using a network without proper permission is known as piggybacking.

War driving is commonly used to find vulnerable networks that make easy pickings. If a network is found to be significantly unprotected, malware can be placed on a system behind it, eventually leading to the whole system being compromised. The simplest (though often impractical) way to prevent war driving is to use wired networks; if that’s not an option, strong, rigorously maintained wireless encryption can be used to ward off potential attacks. A comprehensive report on war driving can be found here.

Replay Attacks

Replay attacks take place when an attacker monitors a network conversation between a sender and a receiver and retrieves authentication data from the sniffed packets. This sensitive data (including shared keys, nonces, timestamps, etc.) can then be resent by the attacker to the receiver, who believes the message comes from the original sender when that is not the case.

For instance, let’s assume that two people, Alice and Bob, are communicating over a network. As Alice shares her key with Bob over the network to prove her identity to him, an intruder, Craig, eavesdrops on the conversation and records the key. Later, Craig contacts Bob using Alice’s key, and Bob believes that it’s Alice who is sending the message. To prevent replay attacks, secure communication protocols like Kerberos can be used; they bind each authentication message to a fresh nonce or timestamp so that a captured message is rejected when it is sent again. A comprehensive explanation of replay attacks can be found here.
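The Alice, Bob and Craig scenario above, as an added example that is not part of the original article: the naive protocol tags the login message with an HMAC over a shared key (a constructed value), so Craig's captured message is accepted again; the fixed protocol has Bob issue a single-use random nonce that the tag must cover, which is the mechanism Kerberos-style protocols use to reject replays.

```python
import hashlib
import hmac
import secrets

# Shared secret Alice and Bob agreed on out of band (constructed value).
SHARED_KEY = b"alice-and-bob-shared-secret"

def naive_tag(message: bytes) -> bytes:
    # Naive protocol: HMAC over the message only, so a captured tag stays valid.
    return hmac.new(SHARED_KEY, message, hashlib.sha256).digest()

def naive_verify(message: bytes, tag: bytes) -> bool:
    # Bob's naive check: any previously captured (message, tag) pair passes.
    return hmac.compare_digest(naive_tag(message), tag)

def nonce_tag(nonce: bytes, message: bytes) -> bytes:
    # Fixed protocol: Alice's tag also covers the nonce Bob just issued.
    return hmac.new(SHARED_KEY, nonce + message, hashlib.sha256).digest()

class NonceVerifier:
    """Bob issues a fresh random nonce per login attempt and accepts each
    nonce exactly once, so a captured exchange cannot be replayed."""
    def __init__(self) -> None:
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, message: bytes, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                  # unknown or already spent nonce: replay
        self._outstanding.discard(nonce)  # single use
        return hmac.compare_digest(nonce_tag(nonce, message), tag)

def run_scenario() -> dict:
    msg = b"login:alice"
    # Naive protocol: Craig captures Alice's (message, tag) and resends it.
    captured = (msg, naive_tag(msg))
    naive_replay = naive_verify(*captured)          # True: Bob is fooled
    # Nonce protocol: Alice's genuine login succeeds exactly once.
    bob = NonceVerifier()
    n = bob.challenge()
    captured2 = (n, msg, nonce_tag(n, msg))
    first = bob.verify(*captured2)                  # True
    replay = bob.verify(*captured2)                 # False: nonce already spent
    cross = bob.verify(bob.challenge(), msg, captured2[2])  # False: tag bound to old nonce
    return {"naive_replay_accepted": naive_replay, "first_login_accepted": first,
            "replay_accepted": replay, "old_tag_new_nonce_accepted": cross}
```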

WPS Attacks

Most Wi-Fi routers and access points have a feature known as Wi-Fi Protected Setup (WPS). With WPS, a user can join a device to a wireless network by pressing a button on both the device and the router/access point at about the same time; the two devices exchange information and establish a secure link.

However, WPS cracking tools such as Reaver are designed to brute-force the WPS PIN handshake, which requires no button press on the access point/router. A comprehensive report on Reaver and its ability to perform a brute-force WPS attack can be found here. The practical defense is to disable WPS on the access point, or at least its PIN method, since the push-button convenience is what most users actually rely on.

Testing Wireless Systems

Setting up layers of security in a system is very important. To do that well, one needs to know the OSI model and why its architecture matters. The seven layers that form the OSI model are: application, presentation, session, transport, network, data link, and physical. The physical layer conveys the bit stream; at the data link layer, packets are encoded into frames and bits; the network layer is responsible for routing and switching; the transport layer provides transparent data transfer between hosts; the session layer is responsible for the establishment, maintenance, and termination of connections; the presentation layer translates between network and application formats; and the application layer supports end-user and application processes. Wireless attacks are concentrated at the bottom two layers, which is why controls at higher layers (firewalls, ACLs) do not stop them. A complete overview of the model can be found here.

Many wireless testing tools can be used to perform rigorous wireless network testing and make sure that no dangerous vulnerabilities remain. Some worth mentioning are:

  1. Kismet

Kismet is a sniffer, network detector, and intrusion detection tool. It works with IEEE 802.11 Wi-Fi networks and can be extended with plugins to support other networks.

  2. Acrylic Wi-Fi

Acrylic Wi-Fi supports promiscuous and monitor modes, which allow traffic to be captured, along with a brute-force password-cracking utility that can be used to test the strength of network passwords.

  3. WirelessNetView

WirelessNetView is another Windows-based tool that can be used to analyze and monitor Wi-Fi networks.

Final Word

Knowledge of the most frequently occurring wireless attacks is not something that Security+ candidates can do without. This article briefly walked the reader through the various attacks and how they can be prevented. For thorough preparation for the Security+ exam, it’s necessary to gain information from as many resources as possible; INFOSEC Institute’s boot camp is a one-stop solution in this regard.
