- Topics Mentioned
- Certified Ethical Hacker
Watch these Ethical Hacking videos, and you’ll understand skills like tools of the trade, social engineering, wireless attacks, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.
What we should look for during our ethical hack is certainly open authentication. That’s an open door. That’s a “gimme.” You’d be so lucky if you found that, especially if you’re getting paid by project instead of by the hour, because you just saved a lot of time and energy. In this situation you just walk right into the network and start hacking. You’re now on the network. WEP security, if the system has WEP is going to take a little bit longer than an open door. You just have to worry about whether there’s some kind of intrusion detection and prevention on the access points themselves.
But, to be honest, if an administrator has left WEP in place on their wireless network, they probably don’t have really good intrusion detection or firewall system going on, at least on this side of the network. They might focus on preventing attacks from the Internet, or preventing attacks in another way, but certainly not on this side. I’ll just waltz in and attack WEP, and then continue my attack, because cracking WEP just makes it an open network for me.
WiFi Protected Set Up
For WiFi protected set up there is a button that you can press on a lot of these access points that allows you to associate. A couple of months ago, at the time of this recording, there was a compromise discovered and documented that allows an attacker to connect up to an access point that has this feature enabled and actually sucks out the pin, which then allows them to suck out the WPA or WPA2 crypto information.
This kind of vulnerability is not on every single device in every single place but it’s often enough seen where WPS is now being shut down. Most security experts are recommending that enterprise and big customers, middle size companies, even mom and dad kind of home environments, shut off WPS.
This is a strong recommendation because if it’s shut off, even if the feature is available on the access point but is disabled, these attacks simply don’t work. Shutting off WPS is great for administrators. For a hacker, if its found and on and you can press that button physically then you can associate the wireless client with it. But, if WPS is enabled at all, the hacker can probably make the hack a little bit easier.
MAC Based Authentication
Just like with a wired client, if the company is using MAC based authentication, I’ll just change my MAC. I’ll sniff the network for a little while, find a few wireless clients that are actually authorized to use the wireless network, and then either they’ll go offline or I’ll conduct a denial of service directly against them, and then I’ll become that computer. I’ll become that host by spoofing the MAC.
Finally, there is this old corny one of no SSID broadcast. If an administrator disables SSID broadcast or uses Mac based authentication, or both, those are pretty much “gimmes” as well. This is because there’s no security from disabling SSID, just like there’s no real security from using Mac authentication, by themselves or together.
Certainly, if you’re doing MAC off and you’re doing SSID broadcast disable and you’re doing 802.1x, WPA, and things like that, it’s going to be much harder. But I see enough wireless networks that just disable SSID and require specific MACs or whitelist/blacklist MACs. Aside from that, it’s actually open, or even WEP. That is no problem at all. Those things don’t combine to a secure solution.
Early on in the footprinting process, when I’m sniffing and looking at all of those wireless networks such as the ones you saw in the screenshot earlier displaying a bunch of networks, I’ll be near a Big Money Bank and their SSID for the company is bmbco.
Well, if I have all of these SSIDs that I’m sniffing around then I’m seeing all of these SSIDs belong on the MAC prefix, Cisco 11.42N access points, and they’re on channels 1, 6, and 11 with WPA2. If I see that consistently I’ll get a really clear idea that this is what this company does. This company has a standard for this device on these channels using this SSID with this off approach. I love when it’s consistent. I love it even more as an ethical hacker when it’s inconsistent.
So, take a look on the bottom. You can see this one oddball D link DAP 1360, that’s also on channel 1, using the same SSID and it’s an open off. This is a real benefit for an ethical hacker.
It typically means that either an administrator has thrown an extra wireless access point to cover some dead spots or some extra coverage in one spot in the building. It could also mean mean a user has actually brought in their own access point and deployed it so that they can maybe connect an unauthorized device, or get access in an area that they wouldn’t normally. They thought enough to say, “Oh, well, I’ll name it ‘bmbco’ so that no one notices.”
Well, the real administrators might not notice, but ethical hackers will notice. Look at this inconsistency. I’m going to go straight on after this D link. That’s going to be my first stop. If I can get access to the corporate network through this open D link, I only need access long enough to plant myself another way in, and then I’m never going to touch it again.
D links, in particular, are fun because usually the users of D links will leave the default passwords intact. This user may have changed the SSID, but they didn’t think enough to change the off, so they probably don’t know enough to change the default password.