In the good old days, Internet access was a privilege of the few and many used to try getting access by all means possible. A common way to achieve unauthorized access was war dialing, or calling through long lists of phone numbers using automated tools and then trying to log in by guessing a username–password pair.
Wireless networking is one of the most popular and fastest growing technologies on the market today. From home networks to enterprise-level wireless networks, people are eager to take advantage of the freedom and convenience that wireless networking promises. However, while wireless networking is convenient, it is not always deployed securely.
Insecure wireless networks are found in people’s homes, public locations and even in large corporations. Because of these insecure deployments, penetration testers are often called in to determine what the security posture of an organization’s wireless network is, or to verify that a company has deployed its wireless network in a secure fashion.
The common terms used in Wireless Networking and Security are:
802.11
The original IEEE standard defining medium access and physical layer specifications for up to 2 Mbps wireless connectivity on local area networks. The 802.11 standard covers both DSSS and FHSS microwave radio LANs as well as infrared links.
A revision to the 802.11 IEEE standard that operates in the UNII band and supports data rates up to 54 Mbps using DSSS.
A revision to the 802.11 IEEE standard that operates in the middle ISM band and supports data rates up to 11 Mbps using DSSS.
A revision to the 802.11 IEEE standard that operates in the middle ISM band and supports data rates up to 54 Mbps using DSSS, while remaining backward compatible with 802.11b.
802.11i
The IEEE wireless LAN security standard developed by the 802.11i Task Group. 802.11i combines the use of 802.1x and the TKIP/CCMP encryption protocols to provide user authentication, data confidentiality, and integrity on WLANs.
802.15
The IEEE communications specification that was approved in early 2002 for wireless personal area networks (WPANs).
802.1x
The IEEE Layer 2 port-based access control and authentication standard.
Access control list (ACL)
A security mechanism controlling the incoming and outgoing traffic on the network.
A Layer 2 connectivity device that interfaces wired and wireless networks and controls networking parameters of wireless LANs.
A method by which client devices discover wireless networks. Involves the client device broadcasting a probe request frame and receiving a probe response frame containing the parameters of the responding network.
Ad hoc network
Also referred to as an Independent network or Independent basic service set (IBSS). An ad hoc network is a wireless LAN composed of wireless stations without an access point.
A device injecting DC power into the RF cable to increase gain. Can be uni- or bi-directional with fixed or adjustable gain increase.
A device for transmitting or receiving a radio frequency (RF) signal. Antennas are designed for specific frequency ranges and are quite varied in design. In this book we mainly refer to antennas working in the ISM and UNII bands.
Use of multiple antennas per single receiver to increase signal reception quality and overcome some RF problems, such as multipath.
Assuming a false Layer 2 identity on the network by injecting forged ARP packets.
Loss of RF signal amplitude due to the resistance of RF cables and connectors, free space path loss, interference, or obstacles on the signal path.
Authentication header (AH)
An IPSec protocol that verifies the authenticity of IP packets, but does not provide data confidentiality.
In 802.1x, the relay between the authentication server such as RADIUS and the supplicant. On wireless networks this is usually the access point; on wired LANs, high-end switches can perform such a function.
Virtual networking system / protocols suite based on UNIX principles. Not used frequently nowadays. The Banyan VINES StreetTalk naming system is fun.
Basic service set (BSS)
A basic 802.11 cell consisting of a single access point and associated client hosts.
Basic service set identifier (BSSID)
In practical terms, the wireless-side MAC address of an access point. Not to be confused with the ESSID.
A method of processing data in which the most significant bit is presented first.
A malicious attacker determined to get in without any ethical considerations. Often used synonymously with “cracker.”
A part of the 802.15 specification for WPANs developed and supported by the Bluetooth SIG (Special Interest Group), founded by Ericsson, Nokia, IBM, Intel, and Toshiba. Bluetooth radios are low-power FHSS transceivers operating in the middle ISM band.
A blank service set identifier field in 802.11 management frames, synonymous with the ESSID “Any” in practical terms. Signifies that any client can connect to the WLAN.
Brute force, brute-forcing
A password / user credentials guessing attack based on comparing random non-repeating data strings with the password and username until the correct values are guessed.
CAM table flooding
An attack based on overflowing the switch CAM (MAC) table with multiple fake MAC addresses to force the switch to behave like a hub.
CCMP (Counter Mode with CBC-MAC)
An AES-based encryption protocol planned for WEP and TKIP replacement when the 802.11i security standard is finally released. Will be required by the WPA version 2 certification.
Clear to Send (CTS)
An 802.11 control frame type used by the virtual carrier sense mechanism. The CTS frame is sent as a reply to the RTS frame. It allows data transmission by the requesting host for a period of time declared in the Network Allocation Vector field.
Closed system ESSID
Hiding the ESSID by removing the ESSID value string from beacon and probe response frames. Like MAC address filtering, it is easily bypassed by determined attackers.
Installing multiple access points on a single network using different non-interfering frequencies. Used to increase throughput on wireless LANs.
Someone who breaks the network, host, or software security safeguards to gain unauthorized privileges.
CSMA / CA (Carrier Sense Multiple Access / Collision Avoidance)
Layer 2 contention protocol used on 802.11-compliant WLANs and by AppleTalk's LocalTalk. CSMA/CA employs positive ACKs for transmitted frames to avoid collisions on LANs.
Cyclic Redundancy Check (CRC)
A basic mathematical checksum used to detect integrity violations in transmitted data. Often calculated by dividing the frame length by a prime number, and it can be easily forged by attackers.
Decibels referenced to a perfect isotropic antenna.
dBm (decibels per milliwatt)
Zero dBm equals 1 mW of power output at a frequency of 1 kHz and an impedance of 600 ohms.
Unit for measuring relative power ratios in terms of gain or loss.
A suite of network communication protocols developed and supported by Digital Equipment Corporation.
An approach to network security based on creating multiple layers of defense without a reliance on a single countermeasure, security device, or protocol.
De-militarized zone (DMZ)
An area in the firewall architecture that separates secure internal LAN and publicly accessible hosts.
Denial of service (DoS) attack
Any type of attack that can shut down, freeze, or disrupt operation of a service, host, or the entire network.
A password / user credentials guessing attack based on comparing a dictionary wordlist with the password and username until the correct values are guessed.
A traffic redirection attack based on assuming the domain name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.
DSSS (Direct Sequence Spread Spectrum)
One of two approaches to spread spectrum radio signal transmission. In DSSS the stream of transmitted data is divided into small pieces, each of which is allocated across a wide frequency channel. A data signal at the point of transmission is combined with a higher data-rate bit sequence that divides the data according to a spreading ratio.
EAP (Extensible Authentication Protocol)
A flexible authentication protocol originally designed for PPP authentication and used by the 802.1x standard. EAP is defined by RFC 2284.
EAP (Extensible Authentication Protocol) methods
Specific EAP authentication mechanism types. Common EAP methods include EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, and EAP-LEAP.
EAPOL (EAP over LANs)
Encapsulation of EAP frames on wired LANs. Defined separately for Ethernet and token ring.
EIRP (effective isotropic radiated power)
The actual wireless power output at the antenna calculated as IR + antenna gain.
ESSID (Extended Service Set ID)
The identifying name of an 802.11-compliant network. ESSID must be known in order to associate with the WLAN.
ETSI (European Telecommunications Standards Institute)
A non-profit organization that produces telecommunication standards and regulations for use throughout Europe.
Extended service set (ESS)
A network of interconnected basic service sets unified by a common SSID.
Federal Communications Commission (FCC)
An independent U.S. government agency directly responsible to Congress. The FCC regulates all forms of interstate and international communications.
Federal Information Processing Standard (FIPS)
The standards and guidelines developed and issued by the National Institute of Standards and Technology (NIST) for government-wide use in the United States.
FHSS (Frequency Hopping Spread Spectrum)
One of two approaches to spread spectrum radio signal transmission. Characterized by a carrier signal that hops pseudo-randomly from frequency to frequency over a defined wide band.
Free space path loss
Decrease of RF signal amplitude due to signal dispersion.
Fresnel zone
In simplified terms, an elliptical area around the straight line of sight between two wireless transmitters. The Fresnel zone should not be obstructed by more than 20 percent in order to maintain a reasonable wireless link quality.
An increase in RF signal amplitude. Estimated in decibels.
An IT security professional or enthusiast who follows situational ethics and can be both hero and villain depending on circumstances and mood.
Hacker
An individual enthusiastic about programming and/or networking, often with an interest in information security. Both the media and the general public tend to confuse the terms "hacker" and "Black Hat"; in reality a hacker can wear a hat of any color.
Hidden node
A wireless client capable of communicating with the access point but unable to communicate with other wireless clients on the same WLAN. The presence of hidden nodes causes excessive collisions and retransmits on a wireless network.
Taking over a network connection.
A real or virtual network of honeypots.
Honeypot
A host specifically set up to be attacked by crackers. The main reason for deploying honeypots is learning about crackers' behavior, methodologies, and tools. They can also be used to slow down attacks by distracting the crackers' attention and effort. Honeypots are often set up with known security holes and should be completely separate from the internal network.
An area covered by a public access wireless network. Usually positioned in airports, hotels, coffee shops, and similar public places.
Initialization Vector (IV)
In encryption, an additional nonsecret binary input for enciphering known or predictable plaintext to introduce additional cryptographic variance. In addition, IV can be used to synchronize cryptographic equipment.
Integrity Check Value (ICV)
A simple checksum (CRC) calculated over an 802.11 frame before WEP encryption.
Internet Key Exchange (IKE)
Key management protocol standard usually employed by IPSec.
Internet Protocol Security (IPSec)
A standard Layer 3 data confidentiality and integrity protocol.
IrDA (Infrared Data Association)
A non-profit trade association providing standards to ensure the quality and interoperability of infrared networking hardware.
IR (intentional radiator)
RF transmitting device with cabling and connectors but without the antenna. Defined by the FCC for power output regulations implementation.
ISM (Industrial, Scientific, Medical)
Frequency bands authorized by the FCC for use by industrial, scientific, and medical radio appliances without the need to obtain a license. These bands include 902–928 MHz, 2.4–2.5 GHz, and 5.725–5.875 GHz.
Intentional introduction of interference to a wireless data channel. Layer 1 DoS attack against wireless networks.
Lightweight Directory Access Protocol (LDAP)
A protocol that provides an interface for management and browser applications, enabling access to the X.500 directory service.
Line of sight
A straight line of visibility between two antennas.
A method of processing data in which the least significant bit is presented first.
Also called beams; the electrical fields emitted by an antenna.
Management Information Base (MIB)
An Abstract Syntax Notation (ASN) specification of device parameters. Used by SNMP for device status monitoring and reporting as well as remote configuration tasks.
An active attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication process.
Message Integrity Check (MIC)
An HMAC employed by the 802.11i security standard to ensure packet authentication and integrity.
Microsoft Challenge Handshake Authentication Protocol.
A wireless networking problem caused by hosts in close proximity to the access point outpowering far nodes, effectively cutting them off the network. Can also be the result of a Layer 1 man-in-the-middle attack.
A general security principle stating that users should only have access to the resources and data necessary to complete their tasks, in accordance with their roles in the organization.
Open system authentication
Default 802.11 authentication method by exchanging authentication frames that must contain the same ESSID to succeed. Does not provide security because the ESSID is transmitted in cleartext.
Orthogonal Frequency Division Multiplexing (OFDM)
A physical layer encoding technique multiplexing several slower data subchannels into a single fast, combined channel. Used by 802.11a and 802.11g standard-compliant networks.
A method by which client devices discover wireless networks. Involves client devices listening for and analyzing beacon management frames.
Penetration testing (pentesting)
A process of assessing the network or host security by breaking into it.
Physical carrier sense
Sensing whether the wireless medium is busy by checking the received signal strength.
A connector that adapts proprietary connection sockets on wireless hardware to the standard RF connectors. A major source of headaches and failures in mobile setups such as wardriver “rigs.”
Point-to-Point Tunneling Protocol (PPTP)
A very common Microsoft proprietary tunneling protocol.
The physical orientation of an antenna in relation to the ground. Can be horizontal or vertical.
Power save mode (PSM)
A mode of 802.11 client device operation in which the device powers down for very short amounts of time and passively listens to the beacon (BSS) or ATIM (IBSS) frames. When a beacon with the TIM field set or an ATIM frame is received, the client wakes up and polls the data. After all packets are polled, the client goes back to sleep.
Pre-Shared Key (PSK) mode
A WPA security mode based on distributing a pre-shared key among the WLAN hosts when key distribution via 802.1x is not available.
Remote Access Dial-In User Service (RADIUS)
A de facto standard multifunctional network authentication protocol and service with many implementations.
Attacks based on replaying captured network traffic. Thwarted by properly implemented packet sequence counters.
A situation where the sending party denies sending data or the receiving party denies receiving it.
Request to Send (RTS)
An 802.11 control frame type used by the virtual carrier sense mechanism. When virtual carrier sense is used on the 802.11 network, an RTS frame must be sent by a station willing to send data before the transmission is allowed to take place.
Also called monitor mode. A mode of 802.11 client device operation that allows capture and analysis of 802.11 frames. Used by wireless attackers for passive network discovery and eavesdropping, and it is necessary for 802.11 networks troubleshooting, monitoring, and intrusion detection.
RF (radio frequency)
A generic term for any radio-based technology.
A wardriver’s system setup, usually consisting of a laptop, antenna, GPS receiver, and necessary connectors and cables.
Rogue wireless device
An unauthorized transceiver. Often an access point or a wireless bridge, but can be a hidden wireless client device (e.g. USB dongle) as well.
A class of traffic redirection or DoS attacks based on modifying the target host’s routing table. Can be done by forging routing protocols updates as well as via ICMP types 5, 9, and 10.
RTS/CTS protocol
A practical implementation of virtual carrier sense on 802.11 networks. Uses a 4-way RTS => CTS => Data => ACK handshake. The RTS/CTS protocol is often employed to alleviate the hidden node problem.
Script kiddie or 1337 h4x0r
An unskilled attacker who uses (often precompiled) hacking tools without understanding how they were written and why they work. Often has an ego the size of the Empire State Building.
Shared key authentication
A type of 802.11 authentication based on a challenge-response using a pre-shared WEP key. Does not provide strong security and will be eventually replaced by 802.1x.
Surveying the area to determine the contours and properties of RF coverage.
SNR (signal-to-noise ratio)
The received signal strength minus the background RF noise level.
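The dB, dBm, dBi, EIRP, attenuation, free space path loss, Fresnel zone, gain, IR and SNR entries above are all pieces of one calculation, the RF link budget. The following calculator is an added example, not from the glossary; every value in it is constructed, and its reading of the "20 percent" Fresnel rule as the intrusion height divided by the zone radius is an assumption of this example.

```python
import math

def mw_to_dbm(mw):
    """0 dBm is 1 mW; each tenfold change in power is 10 dB."""
    return 10 * math.log10(mw)

def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)

def eirp_dbm(tx_power_dbm, cable_loss_db, antenna_gain_dbi):
    """EIRP = intentional radiator + antenna gain. The IR is the transmitter
    output minus the attenuation of cables and connectors (dB values add)."""
    intentional_radiator = tx_power_dbm - cable_loss_db
    return intentional_radiator + antenna_gain_dbi

def fspl_db(distance_km, freq_mhz):
    """Free space path loss in dB (Friis): 20log10(d_km) + 20log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44

def fresnel_radius_m(d1_m, d2_m, freq_mhz):
    """Radius of the first Fresnel zone at a point d1 metres from one antenna
    and d2 metres from the other: sqrt(lambda * d1 * d2 / (d1 + d2))."""
    wavelength_m = 299_792_458 / (freq_mhz * 1e6)
    return math.sqrt(wavelength_m * d1_m * d2_m / (d1_m + d2_m))

def fresnel_clear(obstacle_height_m, los_height_m, d1_m, d2_m, freq_mhz,
                  max_blocked=0.20):
    """Rule of thumb from the glossary: no more than 20 % of the Fresnel zone
    may be obstructed. Assumption of this example: the obstructed fraction is
    the height by which the obstacle intrudes into the zone from below,
    divided by the zone radius at that point."""
    radius = fresnel_radius_m(d1_m, d2_m, freq_mhz)
    zone_bottom = los_height_m - radius
    intrusion = max(0.0, obstacle_height_m - zone_bottom)
    return intrusion / radius <= max_blocked

def link_budget(tx, rx, distance_km, freq_mhz, noise_floor_dbm=-95.0):
    """Received signal level and SNR for a point-to-point link.
    tx: {"power_dbm", "cable_loss_db", "antenna_gain_dbi"}
    rx: {"cable_loss_db", "antenna_gain_dbi"}
    SNR is signal strength minus noise, as the glossary defines it."""
    eirp = eirp_dbm(tx["power_dbm"], tx["cable_loss_db"], tx["antenna_gain_dbi"])
    path_loss = fspl_db(distance_km, freq_mhz)
    rssi = eirp - path_loss + rx["antenna_gain_dbi"] - rx["cable_loss_db"]
    return {"eirp_dbm": round(eirp, 2), "fspl_db": round(path_loss, 2),
            "rssi_dbm": round(rssi, 2), "snr_db": round(rssi - noise_floor_dbm, 2)}

# Constructed example link: 2.4 GHz channel 6 (2437 MHz), 1 km, 15 dBm radio,
# 3 dB of pigtail/cable loss, 9 dBi antennas on both sides, 1 dB rx cable loss.
EXAMPLE = link_budget({"power_dbm": 15, "cable_loss_db": 3, "antenna_gain_dbi": 9},
                      {"cable_loss_db": 1, "antenna_gain_dbi": 9}, 1.0, 2437)
```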
Software access point
Access point functionality implemented on wireless client hardware using the access point capabilities of that hardware's driver.
Spanning tree protocol (STP)
An 802.1d standard-defined Layer 2 protocol designed to prevent switching loops in a network with multiple switches and redundant connections.
A receiver that identifies the amplitude of signals at selected frequency sets. Useful for discovering interference or jamming on wireless networks.
RF modulation technique that spreads the signal power over a frequency band that is wider than necessary to carry the data exchanged.
Subnetwork Access Protocol (SNAP)
An 802.3 frame format designed to provide backward compatibility with DIX Ethernet Version II and allow the use of Ethertype.
In 802.1x, a client device to be authenticated.
TEMPEST
A violent wind, commotion, or disturbance. Often associated with all things related to RF emission security. The true code word encompassing RF emission security in general is EMSEC. TEMPEST stands for a classified set of standards for limiting electric or electromagnetic radiation emanations from electronic equipment, and it is included in EMSEC together with other RF countermeasures and attacks, such as HIJACK and NONSTOP.
TKIP (Temporal Key Integrity Protocol)
An RC4-based encryption protocol which lacks many of the original static WEP’s weaknesses. TKIP is a non-mandatory part of the 802.11i standard, which is backward compatible with WEP and does not require a hardware upgrade.
Traffic Indication Map (TIM)
A field in 802.11 beacon frames used to inform sleeping client hosts about data buffered for them to receive.
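The Broadcast SSID, Closed system ESSID, BSSID and Traffic Indication Map entries all describe fields of the same 802.11 beacon frame. The parser below is an added example, not part of the glossary; it decodes constructed beacon frames the way a WIDS or wireless sniffer in RFMON mode would, reporting the BSSID, whether the ESSID is hidden, the channel, the privacy capability bit and the association IDs flagged in the TIM.

```python
import struct

SSID_IE, DS_PARAM_IE, TIM_IE = 0, 3, 5
CAP_PRIVACY = 0x0010  # capability bit 4: data frames are encrypted

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body):
    """Yield (tag, value) for each information element in a frame body."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:      # truncated element: stop, do not guess
            break
        yield tag, value
        i += 2 + length

def tim_aids(value):
    """Association IDs with buffered data, from the TIM partial virtual bitmap.
    Bit b of partial-bitmap byte j is AID 8 * (2 * offset + j) + b."""
    if len(value) < 4:
        return []
    offset = (value[2] >> 1) & 0x7F   # bitmap control bits 1-7
    aids = []
    for j, byte in enumerate(value[3:]):
        for bit in range(8):
            if byte & (1 << bit):
                aids.append(8 * (2 * offset + j) + bit)
    return aids

def parse_beacon(frame):
    """Return a dict describing a beacon frame, or None if it is not one."""
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0 or (fc0 >> 4) != 8:   # type 0 (management), subtype 8
        return None
    interval, cap = struct.unpack_from("<HH", frame, 32)  # after 8-byte timestamp
    info = {"bssid": mac_str(frame[16:22]), "beacon_interval_tu": interval,
            "privacy": bool(cap & CAP_PRIVACY), "ssid": None, "hidden_ssid": False,
            "channel": None, "tim_aids": [], "bcast_buffered": False}
    for tag, value in parse_ies(frame[36:]):
        if tag == SSID_IE:
            # Closed system ESSID: zero-length or NUL-filled SSID element
            if len(value) == 0 or not value.strip(b"\x00"):
                info["hidden_ssid"], info["ssid"] = True, ""
            else:
                info["ssid"] = value.decode("utf-8", "replace")
        elif tag == DS_PARAM_IE and len(value) == 1:
            info["channel"] = value[0]
        elif tag == TIM_IE and len(value) >= 4:
            info["bcast_buffered"] = bool(value[2] & 0x01)
            info["tim_aids"] = tim_aids(value)
    return info

def build_beacon(bssid, ssid, channel, privacy, tim=b""):
    """Build a constructed test beacon (not a captured frame)."""
    hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (CAP_PRIVACY if privacy else 0))
    ies = bytes([SSID_IE, len(ssid)]) + ssid + bytes([DS_PARAM_IE, 1, channel])
    if tim:
        ies += bytes([TIM_IE, len(tim)]) + tim
    return hdr + fixed + ies

OPEN_AP = build_beacon(bytes.fromhex("02001122aabb"), b"lab-net", 6, False)
HIDDEN_AP = build_beacon(bytes.fromhex("02001122ccdd"), b"", 11, True,
                         tim=bytes([0, 2, 0x01, 0b00000100]))  # bcast buffered, AID 2
```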
UNII (Unlicensed National Information Infrastructure)
A segment of RF bands authorized by the FCC for unlicensed use; includes the 5.15–5.25, 5.25–5.35, and 5.725–5.825 GHz frequencies.
Virtual Carrier Sense
A carrier sense method based on using a Network Allocation Vector (NAV) field of 802.11 frames as a timer for data transmission on the WLAN. The timer is set employing the RTS/CTS protocol.
Virtual Local Area Network (VLAN)
A functionality that allows broadcast domain separation on a data link layer using 802.1q or Cisco ISL frame tagging. A router is needed to connect separate VLANs.
A Mother Teresa version of a wardriver.
Labeling a discovered wireless network's presence and properties with a piece of chalk or paint, using a set of known, agreed symbols. An optional altruistic add-on to wardriving.
A mobile geek usually seeking areas with wireless presence. Advanced people of this type often carry sizable antennas and wield GPS receivers.
Discovering wireless LANs for fun and/or profit. It can be a harmless hobby or a reconnaissance phase of future attacks against uncovered wireless LANs and wired networks connected to them.
WEP (wired equivalent privacy)
An optional 802.11 security feature using the RC4 stream cipher to encrypt traffic on a wireless LAN. Several WEP flaws have been published and are widely known.
White Hat
An IT security professional or enthusiast who adheres to a strict ethical code and would never commit anything illicit (on the network, anyway). A White Hat may discover new security flaws and report them to the vendors first and later to the general public.
WIDS (wireless IDS)
An intrusion detection system capable of detecting Layer 1 and Layer 2 wireless security violations.
An organization that certifies interoperability of 802.11 devices and promotes Wi-Fi™ as a global wireless LAN compatibility standard.
Wi-Fi (Wireless Fidelity)
The Wi-Fi Alliance certification standard that ensures proper interoperability among 802.11 products.
A data link layer device that connects wired LANs via wireless medium.
Wireless distributed system (WDS)
An element of a wireless system that consists of interconnected basic service sets forming an extended service set.
A wireless to wired high-end connectivity device that supports a variety of advanced features, possibly including firewall, router, QoS, VPN concentrator, and authentication server functionality. An access point on steroids.
Wireless LAN (WLAN)
This term mainly refers to 802.11-compliant LANs. Of course this use of the term is only partially correct because other types of wireless LANs also exist, but they are not that common.
Wireless man-in-the-middle / hijacking attacks
Rogue wireless device insertion attacks that exploit Layer 1 and Layer 2 vulnerabilities of wireless networks.
A protocol analyzer capable of monitoring the traffic on a wireless network (e.g., using the RFMON mode on 802.11 LANs) and understanding specific Layer 2 wireless protocols.
Wireless traffic injection attack
An attack against WEP-protected WLANs based either on duplicating passing traffic and reinjecting it into the network, or on obtaining valid parts of the keystream for a selected IV in order to send valid data to the network without knowing the key.
WPA (Wi-Fi Protected Access)
A security subset of the interoperability Wi-Fi certification using 802.11i standard features. At the moment of writing, WPA version 1.0 is available.