CONTENTS. Hacking Wireless Technology

Size: px

Start display at page:

Download "CONTENTS. Hacking Wireless Technology"

Roy Burns
7 years ago
Views:

1 CONTENTS Foreword xvii Acknowledgments xix Introduction xxi Part I Hacking Wireless Technology Case Study: Wireless Hacking for Hire Her First Engagement A Parking Lot Approach The Robot Invasion Final Wrap-Up Introduction to Hacking in a Nutshell The Basics Addressing in Packets Security Primer Discovery Basics Hardware and Drivers A Note on the Linux Kernel Chipsets and Linux Drivers Modern Chipsets and Drivers Cards Antennas Cellular Data Cards GPS Summary Scanning and Enumerating Networks Choosing an Operating System Windows xi

2 xii Hacking Exposed Wireless: Wireless Security Secrets & Solutions OS X Linux Windows Discovery Tools Vistumbler inssider Windows Sniffing/Injection Tools NDIS 6.0 Monitor Mode Support (NetMon) AirPcap CommView for WiFi OS X Discovery Tools KisMAC Kismet on OS X Linux Discovery Tools Kismet Mobile Discovery Tools Online Mapping Services (WIGLE and Skyhook) Summary Attacking Wireless Networks Basic Types of Attacks Security Through Obscurity Defeating WEP WEP Key Recovery Attacks Bringing It All Together: Cracking a Hidden Mac-Filtering, WEP-Encrypted Network Keystream Recovery Attacks Against WEP Attacking the Availability of Wireless Networks Summary Attacking WPA-Protected Networks Breaking Authentication: WPA-PSK Breaking Authentication: WPA Enterprise Obtaining the EAP Handshake LEAP PEAP and EAP-TTLS EAP-TLS EAP-FAST EAP-MD Breaking Encryption: TKIP Attacking Components Summary

3 Contents xiii Part II Hacking Clients Case Study: Riding the Insecure Airwaves Attack Wireless Clients Attacking the Application Layer Attacking Clients Using an Evil DNS Server Ettercap Support for Content Modification Dynamically Generating Rogue APs and Evil Servers with Karmetasploit 167 Direct Client Injection Techniques Injecting Data Packets with AirPWN Generic Client-side Injection with airtun-ng Munging Software Updates with IPPON Device Driver Vulnerabilities Fingerprinting Device Drivers Web Hacking and Wi-Fi Hacking DNS via XSRF Attacks Against Routers Summary Taking It All The Way: Bridging the Airgap from OS X The Game Plan Preparing the Exploit Prepping the Callback Performing Initial Reconnaissance Preparing Kismet, Aircrack-ng Prepping the Package Exploiting WordPress to Deliver the Java Exploit Making the Most of User-level Code Execution Gathering Intel (User-level Access) Popping Root by Brute-forcing the Keychain Returning Victorious to the Machine Managing OS X s Firewall Summary Taking It All the Way: Bridging the Airgap from Windows The Attack Scenario Preparing for the Attack Exploiting Hotspot Environments Controlling the Client Local Wireless Reconnaissance Remote Wireless Reconnaissance Windows Monitor Mode Microsoft NetMon Target Wireless Network Attack Summary

4 xiv Hacking Exposed Wireless: Wireless Security Secrets & Solutions Part III Hacking Additional Wireless Technologies Case Study: Snow Day Bluetooth Scanning and Reconnaissance Bluetooth Technical Overview Device Discovery Protocol Overview Bluetooth Profiles Encryption and Authentication Preparing for an Attack Selecting a Bluetooth Attack Device Reconnaissance Active Device Discovery Passive Device Discovery Hybrid Discovery Passive Traffic Analysis Service Enumeration Summary Bluetooth Eavesdropping Commercial Bluetooth Sniffing Open-Source Bluetooth Sniffing Summary Attacking and Exploiting Bluetooth PIN Attacks Practical PIN Cracking Identity Manipulation Bluetooth Service and Device Class Bluetooth Device Name Abusing Bluetooth Profiles Testing Connection Access Unauthorized AT Access Unauthorized PAN Access Headset Profile Attacks File Transfer Attacks Future Outlook Summary Hack ZigBee ZigBee Introduction ZigBee s Place as a Wireless Standard ZigBee Deployments ZigBee History and Evolution

5 Contents xv ZigBee Layers ZigBee Profiles ZigBee Security Rules in the Design of ZigBee Security ZigBee Encryption ZigBee Authenticity ZigBee Authentication ZigBee Attacks Introduction to KillerBee Network Discovery Eavesdropping Attacks Replay Attacks Encryption Attacks Attack Walkthrough Network Discovery and Location Analyzing the ZigBee Hardware RAM Data Analysis Summary Hack DECT DECT Introduction DECT Profiles DECT PHY Layer DECT MAC Layer Base Station Selection DECT Security Authentication and Pairing Encryption Services DECT Attacks DECT Hardware DECT Eavesdropping DECT Audio Recording Summary A Scoping and Information Gathering Pre-assessment Scoping Things to Bring to a Wireless Assessment Conducting Scoping Interviews Gathering Information via Satellite Imagery Putting It All Together Index

Build Your Own Security Lab

Build Your Own Security Lab A Field Guide for Network Testing Michael Gregg WILEY Wiley Publishing, Inc. Contents Acknowledgments Introduction XXI xxiii Chapter 1 Hardware and Gear Why Build a Lab? Hackers