
CEHv8 module 15 hacking wireless networks


Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures
Hacking Wireless Networks
Module 15
Engineered by Hackers. Presented by Professionals.
CEH Certified Ethical Hacker
Ethical Hacking and Countermeasures v8
Module 15: Hacking Wireless Networks
Exam 312-50
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 Page 2135
Security News
Smartphone Wi-Fi Searches Offer Massive New Data Leakage Vector
04 October 2012
Source: http://www.infosecurity-magazine.com
Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones.
According to researchers at Sophos, the ability of smartphones to retain identifiers for the trusted Wi-Fi networks they attach to automatically offers criminals a window into daily habits - and exploitable information.
"A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' - listening for networks which are broadcasting themselves - or 'active' - sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see."
It means that a would-be criminal can find out a lot about a person's daily movements - which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on. But aside from being a nice toolkit for a stalker, it also gives cybercriminals a way into the person's smartphone. Specifically, an attacker could set up a rogue Wi-Fi network with the same SSID as the one the user is trying to connect to, with the aim of forcing the phone to connect and transfer data through it.
"So while someone knowing that your phone is trying to connect to 'BTHomeHub-XYZ' isn't immediately condemning, it may allow for them to launch a 'man-in-the-middle' attack against you, intercepting data sent between you and a friend, giving the impression you're talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker," explained Bhardwaj. "An 'evil twin' attack could even accomplish this without needing any knowledge of your Wi-Fi password - very damaging for all of those who use mobile banking for instance."
All of that data darting across airwaves in an unencrypted fashion clearly offers a potentially huge security hole for an enterprising cybercriminal. In an effort to find out how real the danger is, Bhardwaj launched an experiment at a recent university open day in Warwick, UK.
He ran a security demo in which he collected data from people walking by, displaying it for them to see. In just five hours, 246 wireless devices came into range. Almost half - 49% - of these devices were actively probing for their preferred networks to connect to, resulting in 365 network names being broadcast. Of those, 25% were customized, non-standard network names. However, 7% of the names revealed location information, including three where the network name was actually the first line of an address.
"What makes this even more worrying was how easily I was able to capture this sensitive information," he explained. "A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google was all I needed. I didn't even need to understand anything about the 802.1 protocols that govern Wi-Fi to carry out this attack."
Coupled with a portable power source, a device could easily be hidden in a plant pot, garbage can, park bench and so on to lure Wi-Fi devices to attach to it.
Mobile phone users can protect themselves somewhat by telling their phones to 'forget' networks they no longer use to minimize the amount of data leakage, he said. But, "the unfortunate news is there doesn't appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones," he noted, other than shutting Wi-Fi access completely off or disabling location-aware smartphone apps.
Copyright © 2012
…artphone-wifi-searches-offer-massive-new-data-leakage-vector/
Module Objectives
- Types of Wireless Networks
- Wireless Terminologies
- Types of Wireless Encryption
- How to Break WEP Encryption
- Wireless Threats
- Footprint the Wireless Network
- GPS Mapping
- How to Discover Wi-Fi Network Using Wardriving
- Wireless Traffic Analysis
- What Is Spectrum Analysis?
- How to Reveal Hidden SSIDs
- Crack Wi-Fi Encryption
- Wireless Hacking Tools
- Bluetooth Hacking
- How to BlueJack a Victim
- How to Defend Against Wireless Attacks
- Wireless Security Tools
- Wireless Penetration Testing
Module Objectives
Wireless networks are inexpensive when compared to wired networks, but they are more vulnerable to attack. An attacker can easily compromise a wireless network if proper security measures are not applied or if the network is not configured appropriately. Employing a high-security mechanism may be expensive. Hence, it is advisable to determine the critical resources, risks, or vulnerabilities associated with the network and then check whether the current security mechanism is able to protect you against all possible attacks. If not, then upgrade the security mechanisms, but ensure that you leave no other doorway for attackers to reach and compromise the critical resources of your business. This module assists you in identifying the critical resources of your business and how to protect them.
This module familiarizes you with:
- Types of Wireless Networks
- Wireless Terminologies
- Types of Wireless Encryption
- How to Break WEP Encryption
- Wireless Threats
- Footprint the Wireless Network
- GPS Mapping
- How to Discover Wi-Fi Network Using Wardriving
- Wireless Traffic Analysis
- What Is Spectrum Analysis?
- How to Reveal Hidden SSIDs
- Crack Wi-Fi Encryption
- Wireless Hacking Tools
- Bluetooth Hacking
- How to BlueJack a Victim
- How to Defend Against Wireless Attacks
- Wireless Security Tools
- Wireless Penetration Testing
Module Flow
A wireless network is a flexible data communication system that uses radio frequency technology with wireless media to communicate and obtain data through the air, which frees the user from complicated and multiple wired connections. Wireless networks use electromagnetic waves to carry data from one point to another without relying on any physical wiring. To understand the concept of hacking wireless networks, let us begin with wireless concepts.
This section provides insight into wireless networks, types of wireless networks, wireless standards, authentication modes and process, wireless terminology, and types of wireless antenna.
- Wireless Concepts
- Wireless Encryption
- Wireless Threats
- Wireless Hacking Methodology
- Wireless Hacking Tools
- Bluetooth Hacking
Wireless Networks
- Wi-Fi refers to wireless local area networks (WLAN) based on the IEEE 802.11 standard
- It is a widely used technology for wireless communication across a radio channel
- Devices such as a personal computer, video-game console, smartphone, etc. use Wi-Fi to connect to a network resource such as the Internet via a wireless network access point
Disadvantages
- Security is a big issue and may not meet expectations
- As the number of computers on the network increases, the bandwidth suffers
- Wi-Fi enhancements can require new wireless cards and/or access points
- Some electronic equipment can interfere with the Wi-Fi networks
Advantages
- Installation is fast and easy and eliminates wiring through walls and ceilings
- It is easier to provide connectivity in areas where it is difficult to lay cable
- Access to the network can be from anywhere within range of an access point
- Public places like airports, libraries, schools or even coffee shops offer you constant Internet connections using Wireless LAN
Wireless Networks
A wireless network refers to a computer network that is not connected by any kind of cables. In wireless networks, the transmission is made possible through the radio wave transmission system. This usually takes place at the physical layer of the network structure. Fundamental changes to data networking and telecommunication are taking place with the wireless communication revolution. Wi-Fi is developed on IEEE 802.11 standards, and it is widely used in wireless communication. It provides wireless access to applications and data across a radio network. Wi-Fi sets up numerous ways to build up a connection between the transmitter and the receiver such as Direct-sequence Spread Spectrum (DSSS), Frequency-hopping Spread Spectrum (FHSS), Infrared (IR), and Orthogonal Frequency-division Multiplexing (OFDM).
Advantages:
- Installation is fast and easy and eliminates wiring through walls and ceilings.
- It is easier to provide connectivity in areas where it is difficult to lay cable.
- Access to the network can be from anywhere within range of an access point.
- Using a wireless network, multiple members can access the Internet simultaneously without having to pay an ISP for multiple accounts.
- Public places like airports, libraries, schools, or even coffee shops offer you a constant Internet connection using a wireless LAN.
Disadvantages:
- Security is a big issue and may not meet expectations.
- As the number of computers on the network increases, the bandwidth suffers.
- Changes to Wi-Fi standards can require replacing wireless cards and/or access points.
- Some electronic equipment can interfere with Wi-Fi networks.
2010 vs. 2011 Wi-Fi Device Type Comparison
Source: http://www.meraki.com
Meraki, the cloud networking company, announced statistics showing the Wi-Fi device type comparison. The graph clearly shows that iPads used significantly more Wi-Fi data than the average mobile device.
[Figure: 2011 bar chart of Wi-Fi device type shares; categories Windows XP/Vista, Windows 7, Mac OS X, Other, Apple iPod, Apple iPad, Apple iPhone, Android; values shown 13%, 16%, 32%, 11%, 6%, 7%, 11%, 4%]
FIGURE 15.1: Wi-Fi Device Type Comparison in the year 2011
[Figure: 2010 bar chart of Wi-Fi device type shares; categories Apple iPod, Other, Windows XP/Vista, Windows 7, Mac OS X, Android, Apple iPhone, Apple iPad; values shown 25%, 25%, 21%, 18%, 4%, 7%, 0%, 1%; source http://www.meraki.com]
FIGURE 15.2: Wi-Fi Device Type Comparison in the year 2010
Summary:
- Between 2010 and 2011, mobile platforms overtook desktop platforms in percentage of Wi-Fi devices.
- The iPhone is now the single most popular Wi-Fi device with 32% share.
Wi-Fi Networks at Home and Public Places
- You can find free/paid Wi-Fi access available in coffee shops, shopping malls, bookstores, offices, airport terminals, schools, hotels, and other public places
- Wi-Fi networks at home allow you to be wherever you want with your laptop, iPad, or handheld device, and not have to make holes to hide Ethernet cables
Wi-Fi Networks at Home and Public Places
At Home
Wi-Fi networks at home allow you to be wherever you want with a laptop, iPad, or handheld device, and you don't need to make holes to hide Ethernet cables. If you have a wireless connection in your home, you can connect any number of devices that have Wi-Fi capabilities to your computer. Devices with Wi-Fi capability include Wi-Fi-capable printers and radios.
Public Places
Though these Wi-Fi networks are convenient ways to connect to the Internet, they are not secure, because anyone, be it a genuine user or an attacker, can connect to such networks or hotspots. When you are using a public Wi-Fi network, it is best to send information only to encrypted websites. You can easily determine whether a website is encrypted by looking at the URL: if the URL begins with "https," then it is an encrypted website. If the network asks you for a WPA password to connect to the public Wi-Fi network, then you can consider that hotspot a secure one.
Types of Wireless Networks
The following are the four types of wireless networks:
Extension to a Wired Network
network and the wireless devices. The access points are basically of two types:
- Software access points
- Hardware access points
A wireless network can also be established by using an access point, or a base station. With this type of network, the access point acts like a hub, providing connectivity for the wireless computers on its system. It can connect a wireless LAN to a wired LAN, which allows wireless computer access to LAN resources, such as file servers or existing Internet connections.
To summarize:
- Software Access Points (SAPs) can be connected to the wired network, and run on a computer equipped with a wireless network interface card.
Types of Wireless Networks
- Extension to a Wired Network
- Multiple Access Points
- LAN-to-LAN Wireless Network
- 3G/4G Hotspot
- Hardware Access Points (HAPs) provide comprehensive support to most wireless features. With suitable networking software support, users on the wireless LAN can share files and printers situated on the wired LAN and vice versa.
FIGURE 15.3: Extension to a Wired Network
Multiple Access Points
This type of network consists of wireless computers connected wirelessly by using multiple access points. If a large area cannot be covered by a single access point, multiple access points or extension points can be established. Although extension point capability has been developed by some manufacturers, it is not defined in the wireless standard.
When using multiple access points, each access point's wireless area needs to overlap its neighbor's area. This gives users the ability to move around seamlessly using a feature called roaming. Some manufacturers develop extension points that act as wireless relays, extending the range of a single access point. Multiple extension points can be strung together to provide wireless access to locations far from the central access point.
FIGURE 15.4: Multiple Access Points
LAN-to-LAN Wireless Network
Access points provide wireless connectivity to local computers, and local computers on different networks can be interconnected. All hardware access points have the capability of being interconnected with other hardware access points. However, interconnecting LANs over wireless connections is a monumental and complex task.
FIGURE 15.5: Diagrammatical representation of LAN-to-LAN Wireless Network
3G Hotspot
A 3G hotspot is a type of wireless network that provides Wi-Fi access to Wi-Fi-enabled devices including MP3 players, notebooks, cameras, PDAs, netbooks, and more.
FIGURE 15.6: Diagrammatical representation of 3G Hotspot (Internet, 3G connection, cell tower)
Wireless Standards

Standard Amendments | Freq. (GHz) | Modulation | Speed (Mbps) | Range (ft)
802.11a             | 5           | OFDM       | 54           | 25-75
802.11b             | 2.4         | DSSS       | 11           | 150-150
802.11g             | 2.4         | OFDM, DSSS | 54           | 150-150
802.11i             | Defines WPA2-Enterprise/WPA2-Personal for Wi-Fi
802.11n             | 2.4, 5      | OFDM       | 54           | ~100
802.16 (WiMAX)      | 10-66       |            | 70-1000      | 30 miles
Bluetooth           | 2.4         |            | 1-3          | 25
Wireless Standards
IEEE Standard 802.11 has evolved from an extension technology for wired LANs into a more complex and capable technology.
When it first came out in 1997, the wireless local area network (WLAN) standard specified operation at 1 and 2 Mb/s in the infrared, as well as in the license-exempt 2.4-GHz Industrial, Scientific, and Medical (ISM) frequency band. An 802.11 network in the early days used to have a few PCs with wireless capability connected to an Ethernet (IEEE 802.3) LAN through a single network access point. 802.11 networks now operate at higher speeds and in additional bands. With its growth, new issues have arisen such as security, roaming among multiple access points, and even quality of service. These issues are dealt with by extensions to the standard identified by letters of the alphabet derived from the 802.11 task groups that created them.
- The 802.11a extension defines requirements for a physical layer (which determines, among other parameters, the frequency of the signal and the modulation scheme to be used) operating in the Unlicensed National Information Infrastructure (UNII) band, at 5 GHz, at data rates ranging from 6 Mb/s to 54 Mb/s. The layer uses a scheme called orthogonal frequency-division modulation (OFDM), which transmits data on multiple subcarriers within the communications channel. It is in many ways similar to the physical
layer specification for HiperLAN II, the European wireless standard promulgated by the European Telecommunications Standards Institute.
- Commercially trademarked in 1999 by the Wireless Ethernet Compatibility Alliance (WECA) as Wi-Fi, this extension made 802.11b a household word. It defines operation in the ISM 2.4 GHz band at 5.5 Mb/s and 11 Mb/s (as well as the fallback rates of 1 Mb/s and 2 Mb/s). This physical layer uses the modulation schemes complementary code keying (CCK) and packet binary convolutional coding (PBCC). WECA is an industry organization created to certify interoperability among 802.11b products from diverse manufacturers.
- This task group's work on wireless LAN bridging has been folded into the 802.11 standard.
- This task group enhances the 802.11 specifications by spelling out its operation in new regulatory domains, such as countries in the developing world. In its initial form, the standard covered operation only in North America, Europe, and Japan.
- 802.11 networks are used for real-time applications such as voice and video. To ensure that these time-sensitive applications have the network resources when they need them, this task group is working on extra mechanisms to ensure quality of service at Layer 2 of the reference model, the medium-access layer, or MAC.
- 802.11 standards have developed from the small extension points of wired LANs into multiple access points. These access points must communicate with one another to allow users to roam among them. This task group is working on extensions that enable communication between access points from different vendors.
- This task group is working on high-speed extensions to 802.11b. The current draft of 802.11g contains PBCC and CCK OFDM along with old OFDM as modulation schemes. Development of this extension was marked by a great deal of contention in 2000 and 2001 over modulation schemes. A breakthrough occurred in November 2001, and the task group worked to finalize its draft during 2002.
- This task group is working on modifications to the 802.11a physical layer to ensure that 802.11a may be used in Europe. The task group is adding dynamic frequency selection and transmit power control, which are required to meet regulations in Europe.
- The original version of 802.11 incorporated a MAC-level privacy mechanism called Wired Equivalent Privacy (WEP), which has proven inadequate in many situations. This task group is busy with improved security mechanisms. The present draft includes Temporal Key Integrity Protocol (TKIP) as an improvement over WEP. 802.11a represents the third generation of wireless networking standards and technology.
- The 802.11i standard improves WLAN security. The encrypted transmission of data between 802.11a and 802.11b WLANs is best described by 802.11i. New encryption key protocols such as Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES) are defined by 802.11i. TKIP is a part of standards from IEEE. It is an
enhancement of WLANs. The other name for AES in cryptography is Rijndael. The U.S. government adopted AES as the key encryption standard.
- 802.11n is a revision which enhanced the earlier 802.11 standards with multiple-input multiple-output (MIMO) antennas. It works alike with the 2.4 GHz and the less-used 5 GHz bands. This is an IEEE industry standard for Wi-Fi wireless local network transmissions. OFDM is used in Digital Audio Broadcasting (DAB) and in wireless LANs.
- 802.16a/d/e/m (WiMAX) is a wireless communications standard designed to provide 30 to 40 Mbps rates. The original version of the standard on which WiMAX is based (IEEE 802.16) specified a physical layer operating in the 10 to 66 GHz range. 802.16a, updated in 2004 to 802.16-2004, added specifications for the 2 to 11 GHz range. 802.16-2004 was updated by 802.16e-2005 in 2005 and uses scalable orthogonal frequency-division multiple access. Orthogonal frequency-division multiplexing (OFDM) is a method of encoding digital data on multiple carrier frequencies.
- Bluetooth is a wireless protocol mostly intended to be used by short-range applications.
The table that follows summarizes all the wireless standards mentioned on this slide:
Standards             | Freq. (GHz) | Modulation | Speed (Mbps) | Range (ft)
802.11a               | 5           | OFDM       | 54           | 25-75
802.11b               | 2.4         | DSSS       | 11           | 150-150
802.11g               | 2.4         | OFDM, DSSS | 54           | 150-150
802.11i               | Provides WPA2 encryption for 802.11a, 802.11b and 802.11g networks
802.11n               | 2.4-2.5     | OFDM       | 54           | ~100
802.16a/d/e/m (WiMAX) | 10-66       |            | 70-1000      | 30 miles
Bluetooth             | 2.45        |            | 1-3          | 25
TABLE 15.1: Different Wireless Standards
Service Set Identifier (SSID)
• It acts as a single shared identifier between the access points and clients
• Access points continuously broadcast the SSID, if enabled, for the client machines to identify the presence of a wireless network
• SSID is a human-readable text string with a maximum length of 32 bytes
• If the SSID of the network is changed, reconfiguration of the SSID on every host is required, as every user of the network configures the SSID into their system
• SSID is a token to identify an 802.11 (Wi-Fi) network; by default it is part of the frame header sent over a wireless local area network (WLAN)
• The SSID remains secret only on closed networks with no activity, which is inconvenient to the legitimate users
• Security concerns arise when the default values are not changed, as these units can be compromised
• A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any"
Service Set Identifier (SSID)
The Service Set Identifier (SSID) is a unique identifier that is used to establish and maintain wireless connectivity. The SSID is a token to identify an 802.11 (Wi-Fi) network; by default it is part of the packet header sent over a wireless local area network (WLAN). It acts as a single shared password between access points and clients. Security concerns arise when the default values are not changed, since these units can then be easily compromised. Access points broadcast the SSID continuously in their radio signals, and client machines receive it if broadcasting is enabled. A station in non-secure access mode communicates with access points by broadcasting the configured SSID, a blank SSID, or an SSID configured as "any." Because the SSID is the unique name given to the WLAN, all devices and access points present in the WLAN must use the same SSID. Any device that wants to join the WLAN must supply that unique SSID. If the SSID of the network is changed, reconfiguration of the SSID on every host is required, as every user of the network configures the SSID into their system. Unfortunately, the SSID does not provide security to the WLAN, since it can be sniffed in plain text from packets.
The SSID can be up to 32 characters long. Even if the access points (APs) of two such networks are very close, the packets of the two will not interfere. Thus, an SSID can be considered a password for an AP, but it is sent in clear text and can be easily discovered. In other words, SSIDs can be called a shared secret that everyone knows and anyone can determine. The SSID remains secret only on closed networks with no activity, which is inconvenient to the legitimate users. A key management problem is created for the network administrator, as the SSID is a secret key instead of a public key. Some common SSIDs are:
• comcomcom
• Default SSID
• Intel
• Linksys
• Wireless
• WLAN
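The SSID element described above is a plain (ID, length, value) tag in beacon and probe frames, which is why it is readable to anyone listening. The following added example (not from the EC-Council courseware) parses that tagged-parameter list from constructed sample bytes, enforces the 32-byte maximum, distinguishes a blank (hidden) SSID, and flags the default SSIDs listed above as a configuration check; the sample frames are made up for illustration.

```python
# Constructed sample: the tagged-parameter section of an 802.11 beacon body
# (the part after the fixed fields). Element ID 0 = SSID, ID 1 = supported rates.
# These bytes are made up for illustration, not captured from any real network.
SAMPLE_TAGS = bytes([0x00, 0x07]) + b"Linksys" + bytes([0x01, 0x04, 0x82, 0x84, 0x8B, 0x96])
HIDDEN_TAGS = bytes([0x00, 0x00]) + bytes([0x01, 0x04, 0x82, 0x84, 0x8B, 0x96])

ELEMENT_ID_SSID = 0
SSID_MAX_LEN = 32  # maximum SSID length in bytes, as stated in the text

def parse_tagged_params(body: bytes) -> dict:
    """Walk the TLV (ID, length, value) list and return {element_id: value}.
    Stops cleanly on a truncated element instead of reading past the buffer."""
    elements = {}
    offset = 0
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) < length:  # truncated frame: do not trust a partial value
            break
        elements.setdefault(element_id, value)  # keep the first occurrence only
        offset += 2 + length
    return elements

def extract_ssid(body: bytes):
    """Return the SSID as text, "" for a blank/hidden (zero-length) SSID, or None
    if the element is absent or longer than the 32-byte maximum."""
    elements = parse_tagged_params(body)
    raw = elements.get(ELEMENT_ID_SSID)
    if raw is None or len(raw) > SSID_MAX_LEN:
        return None
    return raw.decode("utf-8", errors="replace")

def is_default_ssid(ssid: str) -> bool:
    """Flag SSIDs from the list of common defaults given in the text; a default
    SSID is a sign that the access point's other default settings were kept."""
    defaults = {"comcomcom", "default ssid", "intel", "linksys", "wireless", "wlan"}
    return ssid.strip().lower() in defaults
```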
Wi-Fi Authentication Modes
[Slide diagram. Open System Authentication Process: Probe Request; Probe Response (Security Parameters); Open System Authentication Request; Open System Authentication Response; Association Request (Security Parameters); Association Response. Shared Key Authentication Process: Authentication request sent to AP; AP sends challenge text; Client encrypts challenge text and sends it back to AP; AP decrypts challenge text, and if correct, authenticates client; Client connects to network.]
Wi-Fi Authentication Modes
Wi-Fi authentication can be performed in two modes:
1. Open system authentication
2. Shared key authentication
Open System Authentication Process
In the open system authentication process, any wireless station can send a request for authentication. In this process, one station sends an authentication management frame containing the identity of the sending station, in order to get authenticated and connected with the other wireless station. The other wireless station (the AP) checks the client's SSID and, if the SSID matches, responds with an authentication verification frame. Once the verification frame reaches the client, the client connects to the network or intended wireless station.
[Figure: a client attempting to connect exchanges Probe Request, Probe Response (Security Parameters), Open System Authentication Request, Open System Authentication Response, Association Request (Security Parameters) and Association Response with the Access Point (AP), which connects through a switch or cable modem to the Internet.]
FIGURE 15.7: Open System Authentication mode
Shared Key Authentication Process
In this process each wireless station is assumed to have received a shared secret key over a secure channel that is distinct from the 802.11 wireless network communication channels. The following steps illustrate how the connection is established in the Shared Key Authentication process:
• The station sends an authentication request to the access point.
• The access point sends challenge text to the station.
• The station encrypts the challenge text using its configured 64-bit or 128-bit default key, and sends the encrypted text to the access point.
• The access point uses its configured WEP key (the one that corresponds to the station's default key) to decrypt the encrypted text. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, the access point authenticates the station.
• The station connects to the network.
The access point can refuse to authenticate the station if the decrypted text does not match the original challenge text; the station is then unable to communicate with either the Ethernet network or the 802.11 network.
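The challenge-response exchange above, modelled end to end as an added example (not code from the EC-Council courseware): the AP issues a random challenge, the station returns it WEP-encrypted (RC4 keyed with IV||key, CRC-32 integrity value appended), and the AP decrypts and compares, authenticating on a match and rejecting otherwise. The 13-byte key plus 3-byte IV corresponds to the 128-bit case in the text; key and IV values are constructed, and the 128-byte challenge length is an assumption of this simplified model.

```python
import os
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (the stream cipher WEP uses): key scheduling, then XOR
    each data byte with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing: CRC-32 integrity check value (ICV) appended to the plaintext,
    then RC4 under IV||key. The 3-byte IV is transmitted in clear in front."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)

def wep_decrypt(key: bytes, frame: bytes):
    """Reverse of wep_encrypt; returns the plaintext, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data

def shared_key_authentication(ap_key: bytes, station_key: bytes) -> bool:
    """Run the exchange from the text; True when the AP authenticates the station."""
    challenge = os.urandom(128)                          # AP sends challenge text
    iv = os.urandom(3)                                   # station chooses an IV
    response = wep_encrypt(station_key, iv, challenge)   # station encrypts, sends back
    decrypted = wep_decrypt(ap_key, response)            # AP decrypts with its WEP key
    return decrypted == challenge                        # match: authenticate; else reject

AP_KEY = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit (13-byte) key
```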
[Figure: a client attempting to connect sends an authentication request to the AP; the AP sends challenge text; the client encrypts the challenge text and sends it back to the AP; the AP decrypts the challenge text and, if correct, authenticates the client. The Access Point (AP) connects through a switch or cable modem to the Internet.]
FIGURE 15.8: Shared Key Authentication mode