Hacking Exposed Wireless, Third Edition

Book Description

Exploit and defend against the latest wireless network attacks.

Learn to exploit weaknesses in wireless network environments using the innovative techniques in this thoroughly updated guide. Inside, you’ll find concise technical overviews, the latest attack methods, and ready-to-deploy countermeasures. Find out how to leverage wireless eavesdropping, break encryption systems, deliver remote exploits, and manipulate 802.11 clients, and learn how attackers impersonate cellular networks. Hacking Exposed Wireless, Third Edition features expert coverage of ever-expanding threats that affect leading-edge technologies, including Bluetooth Low Energy, Software Defined Radio (SDR), ZigBee, and Z-Wave.

  - Assemble a wireless attack toolkit and master the hacker’s weapons
  - Effectively scan and enumerate WiFi networks and client devices
  - Leverage advanced wireless attack tools, including Wifite, Scapy, Pyrit, Metasploit, KillerBee, and the Aircrack-ng suite
  - Develop and launch client-side attacks using Ettercap and the WiFi Pineapple
  - Hack cellular networks with Airprobe, Kraken, Pytacle, and YateBTS
  - Exploit holes in WPA and WPA2 personal and enterprise security schemes
  - Leverage rogue hotspots to deliver remote access software through fraudulent software updates
  - Eavesdrop on Bluetooth Classic and Bluetooth Low Energy traffic
  - Capture and evaluate proprietary wireless technology with Software Defined Radio tools
  - Explore vulnerabilities in ZigBee and Z-Wave-connected smart homes and offices
  - Attack remote wireless networks using compromised Windows systems and built-in tools

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Foreword
  7. Acknowledgments
  8. Introduction
  9. Part I Hacking 802.11 Wireless Technology
    1. CASE STUDY: Twelve Volt Hero
    2. 1 Introduction to 802.11 Hacking
      1. 802.11 in a Nutshell
        1. The Basics
        2. Addressing in 802.11 Packets
        3. 802.11 Security Primer
      2. Discovery Basics
      3. Hardware and Drivers
        1. A Note on the Linux Kernel
        2. Chipsets and Linux Drivers
        3. Modern Chipsets and Drivers
        4. Cards
        5. Antennas
        6. Cellular Data Cards
        7. GPS
      4. Summary
    3. 2 Scanning and Enumerating 802.11 Networks
      1. Choosing an Operating System
        1. Windows
        2. OS X
        3. Linux
      2. Windows Discovery Tools
        1. Vistumbler
      3. Windows Sniffing/Injection Tools
        1. NDIS 6.0 Monitor Mode Support (NetMon/MessageAnalyzer)
        2. AirPcap
        3. CommView for WiFi
      4. OS X Discovery Tools
        1. KisMAC
      5. Linux Discovery Tools
        1. airodump-ng
        2. Kismet
      6. Advanced Visualization Techniques (PPI)
        1. Visualizing PPI-Tagged Kismet Data
        2. PPI-Based Triangulation (Servo-Bot)
      7. Summary
    4. 3 Attacking 802.11 Wireless Networks
      1. Basic Types of Attacks
      2. Security Through Obscurity
      3. Defeating WEP
        1. WEP Key Recovery Attacks
      4. Putting It All Together with Wifite
        1. Installing Wifite on a WiFi Pineapple
      5. Summary
    5. 4 Attacking WPA-Protected 802.11 Networks
      1. Obtaining the Four-Way Handshake
        1. Cracking with Cryptographic Acceleration
      2. Breaking Authentication: WPA Enterprise
        1. Obtaining the EAP Handshake
        2. EAP-MD5
        3. EAP-GTC
        4. LEAP
        5. EAP-FAST
        6. EAP-TLS
        7. PEAP and EAP-TTLS
        8. Running a Malicious RADIUS Server
      3. Summary
    6. 5 Attacking 802.11 Wireless Clients
      1. browser_autopwn: A Poor Man’s Exploit Server
        1. Using Metasploit browser_autopwn
      2. Getting Started with I-love-my-neighbors
        1. Creating the AP
        2. Assigning an IP Address
        3. Setting Up the Routes
        4. Redirecting HTTP Traffic
        5. Serving HTTP Content with Squid
      3. Attacking Clients While Attached to an AP
        1. Associating to the Network
      4. ARP Spoofing
      5. Direct Client Injection Techniques
      6. Summary
    7. 6 Taking It All the Way: Bridging the Air-Gap from Windows 8
      1. Preparing for the Attack
        1. Exploiting Hotspot Environments
        2. Controlling the Client
      2. Local Wireless Reconnaissance
      3. Remote Wireless Reconnaissance
        1. Windows Monitor Mode
        2. Microsoft NetMon
      4. Target Wireless Network Attack
      5. Summary
  10. Part II Bluetooth
    1. CASE STUDY: You Can Still Hack What You Can’t See
    2. 7 Bluetooth Classic Scanning and Reconnaissance
      1. Bluetooth Classic Technical Overview
        1. Device Discovery
        2. Protocol Overview
        3. Bluetooth Profiles
        4. Encryption and Authentication
      2. Preparing for an Attack
        1. Selecting a Bluetooth Classic Attack Device
      3. Reconnaissance
        1. Active Device Discovery
        2. Passive Device Discovery
        3. Hybrid Discovery
        4. Passive Traffic Analysis
      4. Service Enumeration
      5. Summary
    3. 8 Bluetooth Low Energy Scanning and Reconnaissance
      1. Bluetooth Low Energy Technical Overview
        1. Physical Layer Behavior
        2. Operating Modes and Connection Establishment
        3. Frame Configuration
        4. Bluetooth Profiles
        5. Bluetooth Low Energy Security Controls
      2. Scanning and Reconnaissance
      3. Summary
    4. 9 Bluetooth Eavesdropping
      1. Bluetooth Classic Eavesdropping
        1. Open Source Bluetooth Classic Sniffing
        2. Commercial Bluetooth Classic Sniffing
      2. Bluetooth Low Energy Eavesdropping
        1. Bluetooth Low Energy Connection Following
        2. Bluetooth Low Energy Promiscuous Mode Following
      3. Exploiting Bluetooth Networks Through Eavesdropping Attacks
      4. Summary
    5. 10 Attacking and Exploiting Bluetooth
      1. Bluetooth PIN Attacks
        1. Bluetooth Classic PIN Attacks
        2. Bluetooth Low Energy PIN Attacks
        3. Practical Pairing Cracking
      2. Device Identity Manipulation
        1. Bluetooth Service and Device Class
      3. Abusing Bluetooth Profiles
        1. Testing Connection Access
        2. Unauthorized PAN Access
        3. File Transfer Attacks
      4. Attacking Apple iBeacon
        1. iBeacon Deployment Example
      5. Summary
  11. Part III More Ubiquitous Wireless
    1. CASE STUDY: Failure Is Not an Option
    2. 11 Software-Defined Radios
      1. SDR Architecture
      2. Choosing a Software Defined Radio
        1. RTL-SDR: Entry-Level Software-Defined Radio
        2. HackRF: Versatile Software-Defined Radio
      3. Getting Started with SDRs
        1. Setting Up Shop on Windows
        2. Setting Up Shop on Linux
        3. SDR# and gqrx: Scanning the Radio Spectrum
      4. Digital Signal Processing Crash Course
        1. Rudimentary Communication
        2. Rudimentary (Wireless) Communication
        3. POCSAG
        4. Information as Sound
        5. Picking Your Target
        6. Finding and Capturing an RF Transmission
        7. Blind Attempts at Replay Attacks
        8. So What?
      5. Summary
    3. 12 Hacking Cellular Networks
      1. Fundamentals of Cellular Communication
        1. Cellular Network RF Frequencies
        2. Standards
      2. 2G Network Security
        1. GSM Network Model
        2. GSM Authentication
        3. GSM Encryption
        4. GSM Attacks
        5. GSM Eavesdropping
        6. GSM A5/1 Key Recovery
        7. GSM IMSI Catcher
      3. Femtocell Attacks
      4. 4G/LTE Security
        1. LTE Network Model
        2. LTE Authentication
        3. LTE Encryption
        4. Null Algorithm
        5. Encryption Algorithms
        6. Platform Security
      5. Summary
    4. 13 Hacking ZigBee
      1. ZigBee Introduction
        1. ZigBee’s Place as a Wireless Standard
        2. ZigBee Deployments
        3. ZigBee History and Evolution
        4. ZigBee Layers
        5. ZigBee Profiles
      2. ZigBee Security
        1. Rules in the Design of ZigBee Security
        2. ZigBee Encryption
        3. ZigBee Authenticity
        4. ZigBee Authentication
      3. ZigBee Attacks
        1. Introduction to KillerBee
        2. Network Discovery
        3. Eavesdropping Attacks
        4. Replay Attacks
        5. Encryption Attacks
        6. Packet Forging Attacks
      4. Attack Walkthrough
        1. Network Discovery and Location
        2. Analyzing the ZigBee Hardware
        3. RAM Data Analysis
      5. Summary
    5. 14 Hacking Z-Wave Smart Homes
      1. Z-Wave Introduction
        1. Z-Wave Layers
        2. Z-Wave Security
      2. Z-Wave Attacks
        1. Eavesdropping Attacks
        2. Z-Wave Injection Attacks
      3. Summary
  12. Index