Sniffing wireless traffic
Basics
- In order to receive every frame on the air, not only those addressed to our host, we need to put our NIC into monitor mode (the wireless equivalent of promiscuous mode); the NIC and its driver must support it.
- Sniffing works much as it does on wired networks; the only difference is the concept of channels and frequency bands. A single radio can only sniff one channel at a time.
- Two types of sniffing: local sniffing (Wireshark or some other sniffer, tcpdump, airodump-ng and horst) and remote sniffing (SSH + tcpdump + Wireshark).
Selection of antennas
With the help of antennas, we can sniff traffic from a distance.
- Omni-directional antennas: most common in practice; the signal radiates in all horizontal directions (a roughly oval, doughnut-shaped pattern), which limits the range.
- Directional antennas: best for capturing traffic from a distance; we just need to point the antenna at the AP.
Complications
<aside>
👉 Hardware support
</aside>
- The NIC of our choosing must be capable of operating on a/b/g/n/ac networks, or at least on the band and channel we're targeting.
- Support for the maximum number of spatial streams: suppose the network is of 3x3:3 type and our NIC only supports 2 spatial streams; then it won't be able to sniff all the traffic.
<aside>
👉 Regulatory authorities
</aside>
Countries have predefined regulations for the allowed channels, maximum users and maximum power levels, so we must adjust our settings (the regulatory domain of the card) accordingly.
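As an added example (not from the original notes), a Python helper that parses the output of `iw list` to confirm that a phy supports monitor mode and to list which channels the current regulatory domain leaves usable for passive capture. The embedded sample is constructed in the layout `iw list` prints; the live-system path assumes `iw` is installed.

```python
import re
import subprocess

# Constructed sample in the layout `iw list` prints (one phy shown). Flags beside a frequency
# come from the regulatory domain: "disabled" = unusable, "no IR" = receive only (no transmitting).
SAMPLE_IW_LIST = """\
Wiphy phy0
\tSupported interface modes:
\t\t * managed
\t\t * AP
\t\t * monitor
\tBand 1:
\t\tFrequencies:
\t\t\t* 2412 MHz [1] (20.0 dBm)
\t\t\t* 2437 MHz [6] (20.0 dBm)
\t\t\t* 2467 MHz [12] (20.0 dBm) (no IR)
\t\t\t* 2484 MHz [14] (disabled)
\tBand 2:
\t\tFrequencies:
\t\t\t* 5180 MHz [36] (23.0 dBm)
\t\t\t* 5260 MHz [52] (23.0 dBm) (no IR, radar detection)
"""

def capabilities(iw_list_text=None):
    """Return {phy: {"monitor": bool, "channels": {channel: (freq_mhz, flags)}}} from `iw list` output."""
    if iw_list_text is None:  # query the live system (needs iw installed)
        iw_list_text = subprocess.run(["iw", "list"], capture_output=True, text=True, check=True).stdout
    phys, cur, in_modes = {}, None, False
    for line in iw_list_text.splitlines():
        if line.startswith("Wiphy "):
            cur = phys.setdefault(line.split()[1], {"monitor": False, "channels": {}})
            continue
        stripped = line.strip()
        if stripped == "Supported interface modes:":
            in_modes = True
        elif in_modes and cur is not None and stripped.startswith("* "):
            cur["monitor"] |= stripped[2:] == "monitor"
        elif not stripped.startswith("*"):
            in_modes = False  # any other heading ends the modes list
        m = re.match(r"\* (\d+) MHz \[(\d+)\](.*)", stripped)
        if m and cur is not None and not in_modes:
            groups = re.findall(r"\(([^)]*)\)", m.group(3))
            flags = tuple(f for g in groups if "dBm" not in g for f in g.split(", "))
            cur["channels"][int(m.group(2))] = (int(m.group(1)), flags)
    return phys

def sniffable_channels(phy_caps):
    """Channels usable for passive capture: only "disabled" rules one out; "no IR" just forbids transmitting."""
    return sorted(ch for ch, (_freq, flags) in phy_caps["channels"].items() if "disabled" not in flags)
```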
<aside>
👉 Hardware bottleneck
</aside>
- If we're sniffing very high-throughput networks, our external adapter may be able to capture all the traffic, but since it is sent over a USB interface, that interface can itself become a bottleneck.
- We can work around this by using an access point with modified firmware as a sniffer; APs have everything we need: more antennas, high-performance interfaces, multiple-stream support, a fast Ethernet connection, etc.
How to sniff wireless traffic?
```bash
# Putting a card into monitor mode; airmon-ng is not recommended because it causes a lot of problems
sudo ip link set <interface> down
sudo iw dev <interface> set monitor none
sudo ip link set <interface> up

# Using sniffers
wireshark                # attached to just one channel; the channel has to be changed by hand
tcpdump -i <interface>   # attached to just one channel; the channel has to be changed by hand
airodump-ng <interface>                 # hops between channels
airodump-ng <interface> -c <channel>    # fix airodump-ng to just one channel
airodump-ng <interface> --band abg      # listen on both frequency bands; by default it only listens on 2.4 GHz

# Remote sniffing over SSH: tcpdump on the remote host streams the capture into a local Wireshark
ssh user@host tcpdump -U -i <interface> -w - | wireshark -k -i -
```
- A piece of software that captures wireless packets and sends them over the Internet in real time.
- We can encapsulate those packets according to the Aruba ERM format, and Wireshark will be able to understand them.
https://github.com/pentesteracademy/patoolkit
packet-aruba-erm.c in the wireshark/wireshark repository (Wireshark's Aruba ERM dissector)
https://www.youtube.com/watch?v=yCjPUIJPslU
Mitigation
- Using strong encryption in the underlying lower layer protocols
- Minimising the network coverage area
- Network Auditing with a packet sniffer
Attacks against networks with Open System Authentication
Honeypot attack
- Since there is no authentication mechanism, the only way to identify an AP is through its ESSID and BSSID.
- There are multiple techniques to create honeypots: manual techniques (using airbase-ng or hostapd) and automated tools (Wifiphisher, Bettercap, EAPHammer).
- If we go the manual route, airbase-ng is not the way to go because it uses raw sockets for communication, whereas hostapd uses the real networking stack and can work with many more wireless technologies.
Deauthentication attack
<aside>
👉 Basics
</aside>
We can send specially crafted deauthentication frames to forcefully kick a station off the network, because (unless Protected Management Frames, 802.11w, are in use) there is no way to tell that a given frame was sent by the legitimate station: management frames can be spoofed. This can be done with aireplay-ng:
```bash
aireplay-ng -0 <deauthPacketCount> -a <bssid> <interface> -c <stationMac>
```
<aside>
👉 Mitigation
</aside>
- Understand the impact of such attacks on our business and build a disaster recovery plan rather than trying to stop them, because there are many ways in which they can be carried out.
- Detecting, locating, responding and reacting to DoS is the best standard operating procedure.
- Wireless IDS
Beacon flooding
- We create multiple bogus networks to confuse and annoy users.
- Behind the scenes, the tool crafts fake beacon frames and broadcasts them throughout the vicinity.
https://github.com/aircrack-ng/mdk4
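The honeypot, deauthentication and beacon-flooding attacks above all ride on unauthenticated management frames, so here is an added example (not from the original notes) of the detection side: a minimal parser for 802.11 management frames that flags deauthentication bursts per AP and target station, an ESSID we own being advertised by an unknown BSSID (a honeypot or evil twin), and the number of distinct beaconing BSSIDs (which balloons during beacon flooding). The frames, MAC addresses and the `CorpWiFi` allowlist are constructed sample input; frames are assumed to carry no FCS.

```python
import struct
from collections import Counter
# IEEE 802.11 Frame Control byte 0: bits 2-3 = type (0 = management), bits 4-7 = subtype.
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12

def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3/BSSID, body) for a management frame, else None.
    24-byte header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) sequence-control(2)."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    mac = lambda off: ":".join(f"{b:02x}" for b in frame[off:off + 6])
    return frame[0] >> 4, mac(4), mac(10), mac(16), frame[24:]

def beacon_ssid(body: bytes) -> str:
    """Skip the 12 fixed bytes (timestamp, interval, capabilities), then find tag 0 = SSID."""
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return ""

def analyse(frames, known_aps, deauth_threshold=5):
    """frames: [(timestamp_s, raw)]; known_aps: {essid: {bssid, ...}} allowlist of our own APs.
    Returns (deauth bursts keyed (bssid, target, second, reason), rogue (essid, bssid) pairs, beaconing BSSID count)."""
    deauths, rogue, bssids = Counter(), set(), set()
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        subtype, dst, _src, bssid, body = parsed
        if subtype == SUBTYPE_DEAUTH and len(body) >= 2:
            deauths[(bssid, dst, int(ts), struct.unpack("<H", body[:2])[0])] += 1
        elif subtype == SUBTYPE_BEACON:
            bssids.add(bssid)  # many distinct BSSIDs in a short window suggests beacon flooding
            ssid = beacon_ssid(body)
            if ssid in known_aps and bssid not in known_aps[ssid]:
                rogue.add((ssid, bssid))  # our ESSID from an unknown BSSID: possible honeypot
    return {k: n for k, n in deauths.items() if n >= deauth_threshold}, rogue, len(bssids)

def mk_frame(subtype, dst, src, bssid, body):
    """Build a minimal management frame for the constructed sample below (no FCS)."""
    addr = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + addr(dst) + addr(src) + addr(bssid) + b"\0\0" + body

# Constructed sample capture: a legitimate beacon, an evil-twin beacon and a 6-frame deauth burst.
AP, STA, ROGUE, BCAST = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
BEACON_BODY = bytes(12) + bytes([0, 8]) + b"CorpWiFi"
SAMPLE = [(0.0, mk_frame(SUBTYPE_BEACON, BCAST, AP, AP, BEACON_BODY)),
          (0.1, mk_frame(SUBTYPE_BEACON, BCAST, ROGUE, ROGUE, BEACON_BODY))]
SAMPLE += [(1.0 + i / 10, mk_frame(SUBTYPE_DEAUTH, STA, AP, AP, struct.pack("<H", 7))) for i in range(6)]
```

On a real capture, feed `analyse` the per-frame timestamps and raw 802.11 bytes from the monitor-mode interface and tune `deauth_threshold` to the normal rate of the network.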
Attacking browsers
We host a fake AP and, instead of phishing the user for credentials, embed malicious JavaScript into the web page to exploit vulnerabilities present in the victim's browser and move on from there.
https://github.com/beefproject/beef
metasploit-framework/modules/exploits/multi/browser at master · rapid7/metasploit-framework
Captive portals
We host a fake AP, serve a legitimate-looking web page and phish the victims for information.
https://github.com/trustedsec/social-engineer-toolkit
https://github.com/nodogsplash/nodogsplash
Mitigation