Hacking Exposed Wireless, Third Edition by Johnny Cache and Joshua Wright


Author Johnny Cache and Joshua Wright
Isbn 9780071827638
File size 65.69MB
Year 2015
Pages 544
Language English
File format PDF
Category cryptography

Hacking_2013 / Hacking Exposed Wireless: Wireless Security Secrets and Solutions / Cache & Wright / 763-3/ FM

HACKING EXPOSED WIRELESS™
Wireless Security Secrets & Solutions
Third Edition

Joshua Wright
Johnny Cache

New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto

00-FM.indd 1 05/02/15 2:27 pm

Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-182762-1
MHID: 0-07-182762-5

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-182763-8, MHID: 0-07-182763-3.

eBook conversion by codeMantra
Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

McGraw-Hill Education, the McGraw-Hill Education Publishing logo, Hacking Exposed™, and related trade dress are trademarks or registered trademarks of McGraw-Hill Education and/or its affiliates in the United States and other countries and may not be used without written permission.
All other trademarks are the property of their respective owners. McGraw-Hill Education is not associated with any product or vendor mentioned in this book.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

For Jen, Maya, and Ethan.
~Joshua Wright

For those who pushed me forward when the world was trying to hold me back: Nick, Karen, Jen, and Ora.
~Johnny Cache

About the Authors

Joshua Wright is a senior technical analyst with Counter Hack, and a senior instructor and author for the SANS Institute. Through his experiences as a penetration tester, Josh has worked with hundreds of organizations on attacking and defending mobile devices and wireless systems, disclosing significant product and protocol security weaknesses to well-known organizations. As an open source software advocate, Josh has conducted cutting-edge research resulting in hardware and software tools that are commonly used to evaluate the security of widely deployed technology targeting Wi-Fi, Bluetooth, ZigBee, and Z-Wave wireless systems, smart-grid deployments, and the Android and Apple iOS mobile device platforms. In his spare time, Josh looks for any opportunity to void a warranty on his electronics.
Johnny Cache received his Master’s in Computer Science from the Naval Postgraduate School in 2006. His thesis work, which focused on fingerprinting 802.11 device drivers, won the Gary Kildall award for the most innovative computer science thesis. Johnny wrote his first program on a Tandy 128K color computer sometime in 1988. Since then, he has spoken at several security conferences, including BlackHat, BlueHat, and ToorCon. He has also released a number of papers related to 802.11 security and is the author of many wireless tools. He is the founder and chief science officer of Cache Heavy Industries.

About the Contributors

Chris Crowley is the owner of the Montance Consulting Group in Washington DC, performing penetration testing, computer network defense, incident response, and forensic analysis engagements. As the lead instructor for the SANS Institute Mobile Device Security and Ethical Hacking course, Chris works with thousands of organizations each year, helping them identify, exploit, and address critical flaws in mobile and wireless systems. In his spare time, Chris balances his extreme work schedule with extreme rock climbing.

Tim Kuester (BSCE, UMBC) is an engineer working at Tactical Network Solutions in Columbia, MD. He has a background in turnkey engineering, with projects ranging from CubeSats and BioMed research devices to spy gadgets and air vacuums. He enjoys hacking projects involving embedded systems, radios, and circuit boards. Alongside contract work, he teaches courses on software-defined radio and signal processing at TNS headquarters. Outside of work, he enjoys fiddling with amateur radio, riflery, and EMS. Tim would like to extend thanks to his parents and his engineering professors at UMBC for their patience and guidance.
About the Technical Reviewers

Tim Medin is a senior technical analyst with Counter Hack and a lead instructor for the SANS Institute. As a professional penetration tester, Tim has worked with hundreds of organizations, including Fortune 100 companies and the US government, to identify and exploit vulnerabilities as part of an essential process to defend critical networks. As the technical lead of the innovative NetWars program, Tim leads the development of information security challenges for education, evaluation, and competition, reaching out to brilliant analysts, from high-school seniors to retired US military veterans. When he’s not identifying critical flaws in pervasive protocols such as Kerberos, Tim likes to spend time with his family.

Mike Ryan is a senior security consultant with iSEC Partners, an information security organization. At iSEC, Mike performs penetration testing, specializing in red team exercises, network penetration tests, and embedded platforms. Mike also researches Bluetooth security, contributing significant enhancements to the Ubertooth project for Bluetooth Low Energy attacks. Mike has been doing security in one way or another since 2002 and has a wide array of skills, tricks, and leet hax to bring to the table in any situation. Outside of security, Mike enjoys retro hardware and doing absolutely anything at the beach.

Jean-Louis Bourdon is a firmware engineer with ten years’ experience designing processors for Infineon and five years’ experience writing software for embedded systems. He is currently working for Pektron in the UK, designing instrument clusters for super/hyper cars. His hobbies are often technology related and usually involve dissecting the newest gadgets he can get his hands on.
At a Glance

Part I: Hacking 802.11 Wireless Technology
  1 Introduction to 802.11 Hacking (p. 3)
  2 Scanning and Enumerating 802.11 Networks (p. 31)
  3 Attacking 802.11 Wireless Networks (p. 63)
  4 Attacking WPA-Protected 802.11 Networks (p. 89)
  5 Attacking 802.11 Wireless Clients (p. 127)
  6 Taking It All the Way: Bridging the Air-Gap from Windows 8 (p. 155)

Part II: Bluetooth
  7 Bluetooth Classic Scanning and Reconnaissance (p. 191)
  8 Bluetooth Low Energy Scanning and Reconnaissance (p. 229)
  9 Bluetooth Eavesdropping (p. 249)
  10 Attacking and Exploiting Bluetooth (p. 287)

Part III: More Ubiquitous Wireless
  11 Software-Defined Radios (p. 327)
  12 Hacking Cellular Networks (p. 359)
  13 Hacking ZigBee (p. 405)
  14 Hacking Z-Wave Smart Homes (p. 461)

Index (p. 499)

Contents

Foreword (p. xv)
Acknowledgments (p. xvii)
Introduction (p. xix)

Part I: Hacking 802.11 Wireless Technology

CASE STUDY: Twelve Volt Hero (p. 2)

1 Introduction to 802.11 Hacking (p. 3)
  802.11 in a Nutshell (p. 4)
  The Basics (p. 4)
  Addressing in 802.11 Packets (p. 5)
  802.11 Security Primer (p. 5)
  Discovery Basics (p. 9)
  Hardware and Drivers (p. 16)
  A Note on the Linux Kernel (p. 16)
  Chipsets and Linux Drivers (p. 17)
  Modern Chipsets and Drivers (p. 18)
  Cards (p. 20)
  Antennas (p. 25)
  Cellular Data Cards (p. 28)
  GPS (p. 28)
  Summary (p. 30)

2 Scanning and Enumerating 802.11 Networks (p. 31)
  Choosing an Operating System (p. 32)
  Windows (p. 32)
  OS X (p. 32)
  Linux (p. 32)
  Windows Discovery Tools (p. 33)
  Vistumbler (p. 33)
  Windows Sniffing/Injection Tools (p. 36)
  NDIS 6.0 Monitor Mode Support (NetMon/MessageAnalyzer) (p. 36)
  AirPcap (p. 38)
  CommView for WiFi (p. 40)
  OS X Discovery Tools (p. 44)
  KisMAC (p. 44)
  Linux Discovery Tools (p. 48)
  airodump-ng (p. 48)
  Kismet (p. 53)
  Advanced Visualization Techniques (PPI) (p. 56)
  Visualizing PPI-Tagged Kismet Data (p. 57)
  PPI-Based Triangulation (Servo-Bot) (p. 59)
  Summary (p. 62)

3 Attacking 802.11 Wireless Networks (p. 63)
  Basic Types of Attacks (p. 64)
  Security Through Obscurity (p. 64)
  Defeating WEP (p. 71)
  WEP Key Recovery Attacks (p. 71)
  Putting It All Together with Wifite (p. 83)
  Installing Wifite on a WiFi Pineapple (p. 83)
  Summary (p. 87)

4 Attacking WPA-Protected 802.11 Networks (p. 89)
  Obtaining the Four-Way Handshake (p. 91)
  Cracking with Cryptographic Acceleration (p. 95)
  Breaking Authentication: WPA Enterprise (p. 109)
  Obtaining the EAP Handshake (p. 110)
  EAP-MD5 (p. 111)
  EAP-GTC (p. 113)
  LEAP (p. 114)
  EAP-FAST (p. 115)
  EAP-TLS (p. 117)
  PEAP and EAP-TTLS (p. 118)
  Running a Malicious RADIUS Server (p. 120)
  Summary (p. 126)

5 Attacking 802.11 Wireless Clients (p. 127)
  browser_autopwn: A Poor Man’s Exploit Server (p. 128)
  Using Metasploit browser_autopwn (p. 129)
  Getting Started with I-love-my-neighbors (p. 132)
  Creating the AP (p. 133)
  Assigning an IP Address (p. 134)
  Setting Up the Routes (p. 134)
  Redirecting HTTP Traffic (p. 135)
  Serving HTTP Content with Squid (p. 136)
  Attacking Clients While Attached to an AP (p. 136)
  Associating to the Network (p. 137)
  ARP Spoofing (p. 142)
  Direct Client Injection Techniques (p. 152)
  Summary (p. 154)

6 Taking It All the Way: Bridging the Air-Gap from Windows 8 (p. 155)
  Preparing for the Attack (p. 157)
  Exploiting Hotspot Environments (p. 161)
  Controlling the Client (p. 163)
  Local Wireless Reconnaissance (p. 164)
  Remote Wireless Reconnaissance (p. 171)
  Windows Monitor Mode (p. 173)
  Microsoft NetMon (p. 173)
  Target Wireless Network Attack (p. 180)
  Summary (p. 187)

Part II: Bluetooth

CASE STUDY: You Can Still Hack What You Can’t See (p. 190)

7 Bluetooth Classic Scanning and Reconnaissance (p. 191)
  Bluetooth Classic Technical Overview (p. 192)
  Device Discovery (p. 193)
  Protocol Overview (p. 193)
  Bluetooth Profiles (p. 196)
  Encryption and Authentication (p. 196)
  Preparing for an Attack (p. 197)
  Selecting a Bluetooth Classic Attack Device (p. 197)
  Reconnaissance (p. 199)
  Active Device Discovery (p. 200)
  Passive Device Discovery (p. 210)
  Hybrid Discovery (p. 211)
  Passive Traffic Analysis (p. 214)
  Service Enumeration (p. 221)
  Summary (p. 227)

8 Bluetooth Low Energy Scanning and Reconnaissance (p. 229)
  Bluetooth Low Energy Technical Overview (p. 230)
  Physical Layer Behavior (p. 231)
  Operating Modes and Connection Establishment (p. 231)
  Frame Configuration (p. 232)
  Bluetooth Profiles (p. 235)
  Bluetooth Low Energy Security Controls (p. 235)
  Scanning and Reconnaissance (p. 237)
  Summary (p. 247)

9 Bluetooth Eavesdropping (p. 249)
  Bluetooth Classic Eavesdropping (p. 250)
  Open Source Bluetooth Classic Sniffing (p. 251)
  Commercial Bluetooth Classic Sniffing (p. 255)
  Bluetooth Low Energy Eavesdropping (p. 265)
  Bluetooth Low Energy Connection Following (p. 267)
  Bluetooth Low Energy Promiscuous Mode Following (p. 274)
  Exploiting Bluetooth Networks Through Eavesdropping Attacks (p. 276)
  Summary (p. 285)

10 Attacking and Exploiting Bluetooth (p. 287)
  Bluetooth PIN Attacks (p. 288)
  Bluetooth Classic PIN Attacks (p. 289)
  Bluetooth Low Energy PIN Attacks (p. 294)
  Practical Pairing Cracking (p. 297)
  Device Identity Manipulation (p. 300)
  Bluetooth Service and Device Class (p. 300)
  Abusing Bluetooth Profiles (p. 304)
  Testing Connection Access (p. 304)
  Unauthorized PAN Access (p. 306)
  File Transfer Attacks (p. 310)
  Attacking Apple iBeacon (p. 314)
  iBeacon Deployment Example (p. 315)
  Summary (p. 323)

Part III: More Ubiquitous Wireless

CASE STUDY: Failure Is Not an Option (p. 326)

11 Software-Defined Radios (p. 327)
  SDR Architecture (p. 328)
  Choosing a Software Defined Radio (p. 330)
  RTL-SDR: Entry-Level Software-Defined Radio (p. 331)
  HackRF: Versatile Software-Defined Radio (p. 332)
  Getting Started with SDRs (p. 333)
  Setting Up Shop on Windows (p. 333)
  Setting Up Shop on Linux (p. 333)
  SDR# and gqrx: Scanning the Radio Spectrum (p. 335)
  Digital Signal Processing Crash Course (p. 342)
  Rudimentary Communication (p. 343)
  Rudimentary (Wireless) Communication (p. 343)
  POCSAG (p. 344)
  Information as Sound (p. 345)
  Picking Your Target (p. 346)
  Finding and Capturing an RF Transmission (p. 347)
  Blind Attempts at Replay Attacks (p. 348)
  So What? (p. 356)
  Summary (p. 357)

12 Hacking Cellular Networks (p. 359)
  Fundamentals of Cellular Communication (p. 360)
  Cellular Network RF Frequencies (p. 360)
  Standards (p. 361)
  2G Network Security (p. 362)
  GSM Network Model (p. 363)
  GSM Authentication (p. 363)
  GSM Encryption (p. 365)
  GSM Attacks (p. 365)
  GSM Eavesdropping (p. 366)
  GSM A5/1 Key Recovery (p. 374)
  GSM IMSI Catcher (p. 383)
  Femtocell Attacks (p. 387)
  4G/LTE Security (p. 396)
  LTE Network Model (p. 397)
  LTE Authentication (p. 398)
  LTE Encryption (p. 400)
  Null Algorithm (p. 401)
  Encryption Algorithms (p. 401)
  Platform Security (p. 401)
  Summary (p. 403)

13 Hacking ZigBee (p. 405)
  ZigBee Introduction (p. 406)
  ZigBee’s Place as a Wireless Standard (p. 407)
  ZigBee Deployments (p. 407)
  ZigBee History and Evolution (p. 408)
  ZigBee Layers (p. 409)
  ZigBee Profiles (p. 413)
  ZigBee Security (p. 413)
  Rules in the Design of ZigBee Security (p. 414)
  ZigBee Encryption (p. 414)
  ZigBee Authenticity (p. 415)
  ZigBee Authentication (p. 416)
  ZigBee Attacks (p. 417)
  Introduction to KillerBee (p. 417)
  Network Discovery (p. 426)
  Eavesdropping Attacks (p. 427)
  Replay Attacks (p. 436)
  Encryption Attacks (p. 439)
  Packet Forging Attacks (p. 441)
  Attack Walkthrough
. . . . . . . 451 Network Discovery and Location  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Analyzing the ZigBee Hardware  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 RAM Data Analysis  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Summary  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 14 Hacking Z-Wave Smart Homes  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Z-Wave Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Z-Wave Layers  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Z-Wave Security  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Z-Wave Attacks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Eavesdropping Attacks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Z-Wave Injection Attacks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Summary  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Index  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 00-FM.indd 14 05/02/15 2:27 pm Hacking_2013 / Hacking Exposed Wireless: Wireless Security Secrets and Solutions / Cache & Wright / 763-3/FM Foreword T he first time I gave any thought to wireless communication security was around 2001 when WEP cracking became popular. 
Suddenly data networks took to the air, and, just as suddenly, the security of those networks was compromised. There was something particularly exciting about wireless security. Networks could be attacked without any physical access or interconnection! An eavesdropper with a very good antenna could monitor a network from a tremendous distance!

Over the next few years, Wi-Fi attack tools and techniques became better and better. The security of the networks improved too, but the attacks always seemed to outpace the defenses. During this time my interest in wireless security grew, and I learned important concepts and techniques from 802.11 security experts, including the authors of this book.

Eventually, I turned my attention to other wireless communication protocols. I quickly learned that I could accomplish very little without developing my own tools for the transmission and reception of digital radio signals. Wi-Fi tools were readily available and exceptionally powerful. They had been a great benefit to me, enabling me to learn the general principles of wireless communication security. I couldn’t test the security of other radio systems, however, until I started building tools to provide similar capabilities.

At first I used software-defined radio (SDR) to build my tools. I was a software person, and I was extremely excited about the promise of SDR, which allowed radios to be built in software rather than hardware. Unfortunately, I found that a great deal of digital signal processing knowledge was required to accomplish my goals. I eventually gained that knowledge, but I also developed an appreciation for special-purpose tools that can be implemented at a lower cost. One such platform that I designed was the Ubertooth One, a Bluetooth test tool that enabled affordable detection of nondiscoverable Bluetooth devices.
Today, the field of wireless communication security is more exciting than ever as capabilities for more diverse wireless technologies are continuously developed. In addition to special-purpose tools for popular technologies such as Wi-Fi and Bluetooth, general-purpose SDR platforms are becoming more affordable and easier to use. The popularity of wireless embedded systems is exploding, and new wireless communication protocols seem to appear on a daily basis. There has never been a better time to start exploring the security of these systems.

This book is the best introduction to wireless security that I know. I hope that it will be read by information security practitioners who want to learn about wireless communication systems. I also hope that it will be read by wireless communication experts who want to learn more about security. In particular, I recommend this book to designers of digital radio protocols, for there is no better way to understand the security of a new system than to experience successful attacks on systems that came before.

Even as we develop new wireless communication protocols at a rapid pace, the standardized protocols continue to grow in popularity. The security of these systems matures as we learn how to defend against well-known attacks. Wi-Fi is perhaps the best example of a protocol whose security has benefited from years of scrutiny. Today it is possible to set up an 802.11 network that is resilient to attack, but it is also possible to deploy a network with little or no security. You can even configure a new network with WEP encryption, and unfortunately, some people still do.
Guided by this book, you will enjoy learning all about wireless security, including vulnerabilities in Wi-Fi Protected Setup (WPS) and modern protocols such as Bluetooth Low Energy. You will learn how to use sophisticated, purpose-built tools to exploit a variety of flaws in Wi-Fi client systems and how to repurpose commodity radio chips to attack ZigBee and Z-Wave networks. You will get a jump-start on the necessary skills to use SDR to hack wireless protocols that have yet to see production deployment. I hope you’ll even crack a WEP key or two. Most of all, I hope you will have fun exploring the exciting field of wireless security.

Michael Ossmann
Founder, Great Scott Gadgets

Acknowledgments

I would like to thank the faculty at the Johnson & Wales University School of Technology for an education that continues to serve me well many years after graduation. Each chapter in this book reflects lessons I learned there, from computer programming to logic design, from circuit theory to digital signal processing, from embedded systems to microcontroller logic analysis. My professors left an indelible impression on me, teaching me how to learn from my failures, to never stop asking “how does this work,” that I could overcome any obstacle, and inspiring me to do great things. My special thanks to Al Benoit, Frank Tweedie, Jim Sheusi, Ron Russo, Al Colella, Al Mikula, and Sol Neeman for bestowing their special gifts on me.

Thanks to my colleagues at Counter Hack for their camaraderie and support while I took many short “sabbaticals” to write. Thanks to the editorial team of Brandi Shailer, Meghan Manfre, Janet Walden, and Amanda Russell, who were flexible with my due dates and guided me through this complex process.
I am once again lucky to count on LeeAnn Pickrell for her tremendous copy editing skills, for which I am tremendously grateful. Thank you to my technical editors, Tim Medin, Mike Ryan, and Jean-Louis Bourdon, each of whom made this book better through their contributions. Thanks to Matt Carpenter, Chris Crowley, and Tim Kuester for their invaluable support and technical know-how. Thanks to my co-author Jon, who agreed to take on this project with me over a year ago. Finally, thank you to my children, Maya and Ethan, who make me want to be a better person, and to my wife, Jen, who helps me get there.

~Joshua Wright

I would like to thank the many talented individuals and groups I have been fortunate enough to work with over the years. These include (but are certainly not limited to), #area66, serialbox, trajek, Rich Johnson, Matt Miller, h1kari, geo, linnox, spoonm, Skywing, hdm, and Pusscat. Without you guys I probably would never have made it past ATDT 9884227.

~Johnny Cache

Introduction

Almost a year ago now our editors at McGraw-Hill Education approached us about contracting a third edition of Hacking Exposed™ Wireless. At the time, we weren’t sure if it was a good idea. Between our day jobs, our conference schedules, and side projects, we had little time to devote to such a huge undertaking. Looking back, we are very happy that we decided to take on the third edition. First, it was needed—so much had changed in wireless hacking since the second edition of the book just a few years earlier. Second, we used it as an opportunity to research interesting new protocols and develop new tools of our own that we could share with our readers. Third, it was a great opportunity to keep sharing the message: wireless is the Swiss cheese of computer security.
About This Book

Before we started writing, we discussed what we wanted to accomplish in the third edition of this book. We knew that we wanted to write material that was pragmatic and useful, focusing on practical concepts that can be applied in your penetration tests and security assessments. As a result, each chapter starts with a section describing the technology to be hacked, balancing the value of understanding the underlying protocol while not inundating you with an unnecessary amount of background information. After the necessary background material, each chapter describes actionable attack techniques that you can apply against your own targets.

We knew we wanted to bring in experts for areas where we needed assistance. We were very fortunate to have Tim Kuester and Chris Crowley work with us on the SDR and cellular chapters, both of whom have shown tremendous breadth and depth of knowledge in their fields. Where we couldn’t get the leaders in specific areas to write chapters for us, we brought them in as technical reviewers. Tim Medin provided outstanding reviews of the majority of the chapters in this book, while Mike Ryan provided invaluable insight on four very challenging Bluetooth chapters, and Jean-Louis Bourdon provided his expert insight on the Z-Wave chapter, an area where few people can claim to be security experts.

Book Description:

Exploit and defend against the latest wireless network attacks.

Learn to exploit weaknesses in wireless network environments using the innovative techniques in this thoroughly updated guide. Inside, you’ll find concise technical overviews, the latest attack methods, and ready-to-deploy countermeasures. Find out how to leverage wireless eavesdropping, break encryption systems, deliver remote exploits, and manipulate 802.11 clients, and learn how attackers impersonate cellular networks. Hacking Exposed Wireless, Third Edition features expert coverage of ever-expanding threats that affect leading-edge technologies, including Bluetooth Low Energy, Software Defined Radio (SDR), ZigBee, and Z-Wave.

  Assemble a wireless attack toolkit and master the hacker’s weapons
  Effectively scan and enumerate WiFi networks and client devices
  Leverage advanced wireless attack tools, including Wifite, Scapy, Pyrit, Metasploit, KillerBee, and the Aircrack-ng suite
  Develop and launch client-side attacks using Ettercap and the WiFi Pineapple
  Hack cellular networks with Airprobe, Kraken, Pytacle, and YateBTS
  Exploit holes in WPA and WPA2 personal and enterprise security schemes
  Leverage rogue hotspots to deliver remote access software through fraudulent software updates
  Eavesdrop on Bluetooth Classic and Bluetooth Low Energy traffic
  Capture and evaluate proprietary wireless technology with Software Defined Radio tools
  Explore vulnerabilities in ZigBee and Z-Wave-connected smart homes and offices
  Attack remote wireless networks using compromised Windows systems and built-in tools