Stepping into science: NIC chipset selection and scanner usage knowledge for wireless security

Posted by fierce at 2020-03-09


1. Software and hardware selection, and the physical and electrical parameters required for wireless security research

Before actual wireless security attacks and research, we need to prepare some hardware, along with the supporting software. Basically, wireless hacking involves the following components:

One thing to note: as we said earlier, the "main difference" between different types of wireless NICs lies in the built-in chipset. However, the quality of a wireless NIC is determined not only by the chipset and driver mentioned above, but also by its own physical and electrical characteristics. Let's go through them one by one.

Generally speaking, a comprehensive evaluation of a NIC's performance covers the following dimensions:

0x1: chipset model

In my personal experience, the chip performance of the mainstream chip manufacturers does not differ much (at least not for low-end NICs). I chose the Ralink RT3070L chipset for the experiments; it is supported out of the box by the drivers shipped with BackTrack 5 (BT5), which makes it convenient to prepare in the early stages. Generally speaking, only once the price of a NIC climbs into the thousands (of yuan) does the chipset model start to bring a noticeable performance difference.

During chip selection, we should pay attention to the driver support for the chip: for attack work this means not just that the card comes up, but that the driver supports monitor mode and packet injection. The following commands can help us check this:

0x2: TX power

Transmit power is a dimension we need to focus on. When we send a packet over wireless, the protocol stack encapsulates it layer by layer, finally into an 802.11 "data frame". The frame is then converted by the wireless NIC into a radio-frequency signal (an electromagnetic pulse), carried to the antenna through the feeder (cable), and radiated by the antenna as an electromagnetic wave (with a wired connection, by contrast, the frame simply goes out over the Ethernet port). The electromagnetic wave is continuously attenuated as it propagates through the medium (air), which is why we cannot receive a Wi-Fi signal that is far away from us. When the wave arrives at the receiving end it is picked up by the antenna (only a small fraction of the power is captured, because the wave spreads out in all directions) and delivered through the feeder to the receiving wireless device.

In wireless network engineering, calculating the transmitter's output power and the antenna's radiating ability is very important. TX is short for transmit. The transmit power of a radio signal refers to the energy emitted within a given frequency band. It is usually expressed in one of two units: milliwatts (mW, a linear unit) or dBm (a logarithmic unit referenced to 1 mW).

Conversion between the power units mW and dBm: P(dBm) = 10 · log10(P(mW) / 1 mW), so 1 mW = 0 dBm, 100 mW = 20 dBm and 1 W = 30 dBm.

In a "low-power" system such as a WLAN device, every dB matters. In particular, remember the "3 dB rule":

every time the power doubles, the level increases by 3 dB (for example 100 mW = 20 dBm, 200 mW = 23 dBm), and a +10 dB step is a tenfold increase. Note that dB expresses a ratio while dBm is an absolute level, so a gain or loss is written in dB and a power in dBm. There are many tools to measure the signal strength of an AP or of the local NIC.

0x3: antenna support (signal gain, type)

The antenna is very important to the performance of a wireless NIC, although it often does not seem so. If the medium of a wired broadband connection is copper cable or optical fiber, then for a wireless network the air is the transmission medium, and the antenna is the "connector" between the NIC and the air medium (similar to the RJ45 crystal plug on an Ethernet cable).

In a wireless system, the antenna converts the current wave into an electromagnetic wave. In the process of conversion the transmitted and received signals can also be "amplified"; this apparent amplification is called "gain", and its unit is dBi (dB relative to an ideal isotropic radiator). An antenna is passive: gain does not create energy, it concentrates the radiated energy in a preferred direction at the expense of other directions, which is why a high-gain antenna is also more directional. Since the radiated energy of a wireless system is the transmitter's output plus the antenna's gain, and both are expressed on the same logarithmic scale (dB), they simply add. For example, if the transmitter's output power is 100 mW (20 dBm) and the antenna gain is 10 dBi, the total radiated power (EIRP) is:

20 dBm + 10 dBi = 30 dBm, i.e. 1 W (minus any feeder loss between the NIC and the antenna).

Note that we may have a preconceived notion of the word "antenna", such as the metal rod on the radios we saw as children. In fact, from the perspective of physics, "antenna" is an abstract concept referring to any device that can collect, concentrate (gain) and emit electromagnetic signals. We can understand it as follows:

Antennas can be roughly divided into two types:

0x4: sensitivity

Sensitivity is another dimension we need to pay attention to. When using an ammeter we meet the same concept: the sensitivity of the instrument indicates the smallest current it can "sense". For a wireless receiver, sensitivity determines how weak a signal the NIC can still decode, that is, how far away an AP can be and still be received. It is a property of the receiver chipset rather than of the antenna, specified in dBm at a given data rate (for example, a card that still decodes 1 Mbps frames at -90 dBm), and lower (more negative) is better. This is very important for attack work, because it means you can launch a wireless attack from a greater distance from the target.
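As an added worked example (not code from the original post), the following Python puts the three quantities discussed above, transmit power, antenna gain and receiver sensitivity, into a single link budget using the free-space path-loss (Friis) formula. All numeric inputs (a 20 dBm card, a 2 dBi stock antenna, a 10 dBi replacement, -90 dBm sensitivity, channel 6 at 2437 MHz, a 10 dB fade margin) are assumed illustrative values, not measurements of any product.

```python
"""Wi-Fi link budget: TX power, antenna gain, path loss and sensitivity.

Added example; every number used below is an assumed illustrative value.
"""
import math


def mw_to_dbm(p_mw: float) -> float:
    """Linear milliwatts -> dBm (0 dBm = 1 mW)."""
    if p_mw <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(p_mw)


def dbm_to_mw(p_dbm: float) -> float:
    """dBm -> linear milliwatts."""
    return 10.0 ** (p_dbm / 10.0)


def eirp_dbm(tx_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """Effective isotropic radiated power.

    dB quantities add: antenna gain (passive focusing, dBi) adds to the
    transmitter output, feeder/connector loss subtracts from it.
    """
    return tx_dbm + antenna_gain_dbi - cable_loss_db


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis), distance in metres, frequency in MHz.

    FSPL = 20*log10(d_km) + 20*log10(f_MHz) + 32.44. Doubling the distance or
    the frequency costs about 6 dB, so 5 GHz reaches less far than 2.4 GHz.
    """
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 20.0 * math.log10(distance_m / 1000.0) + 20.0 * math.log10(freq_mhz) + 32.44


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz, cable_loss_db=0.0):
    """Signal level arriving at the receiver chipset's input."""
    return eirp_dbm(tx_dbm, tx_gain_dbi, cable_loss_db) - fspl_db(distance_m, freq_mhz) + rx_gain_dbi


def link_ok(rx_dbm, sensitivity_dbm, margin_db=10.0):
    """Frames decode only when the signal clears sensitivity plus a fade margin."""
    return rx_dbm - sensitivity_dbm >= margin_db


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm, freq_mhz,
                margin_db=10.0, cable_loss_db=0.0):
    """Invert Friis: the distance at which the received level just meets sensitivity + margin."""
    allowed_loss_db = eirp_dbm(tx_dbm, tx_gain_dbi, cable_loss_db) + rx_gain_dbi - sensitivity_dbm - margin_db
    d_km = 10.0 ** ((allowed_loss_db - 20.0 * math.log10(freq_mhz) - 32.44) / 20.0)
    return d_km * 1000.0


if __name__ == "__main__":
    # Assumed values: 20 dBm (100 mW) card, 2 dBi stock antenna, -90 dBm sensitivity,
    # channel 6 (2437 MHz); the attacker swaps in a 10 dBi directional antenna.
    stock = max_range_m(20, 2, 2, -90, 2437)
    upgraded = max_range_m(20, 10, 2, -90, 2437)
    print(f"100 mW = {mw_to_dbm(100):.0f} dBm, 200 mW = {mw_to_dbm(200):.2f} dBm (3 dB rule)")
    print(f"EIRP with a 10 dBi antenna: {eirp_dbm(20, 10):.0f} dBm = {dbm_to_mw(eirp_dbm(20, 10)):.0f} mW")
    print(f"free-space range: stock antenna {stock:.0f} m, 10 dBi antenna {upgraded:.0f} m")
```

Free-space loss is the best case; walls, people and multipath add loss on top of it, so treat the computed range as an upper bound. The point for the attacker is in the last line: every 6 dB added to the budget (on either end of the link) roughly doubles the usable distance.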

0x4: frequency range

The frequency here refers to the working band of the wireless NIC. IEEE 802.11 wireless signals work in the following bands:

Frequency itself only represents the number of oscillations per second of the electromagnetic wave and has no other significance. Waves at 2.4 GHz and at 4.9/5.8 GHz propagate at the same speed, and the two bands do not interfere with each other. Note that "do not interfere" also means that a device working in 2.4 GHz mode cannot receive packets sent at 5 GHz. The mainstream wireless NICs and cards sold on the market are 2.4 GHz only, while 5 GHz devices are mostly found in foreign shops and are relatively expensive. So, to some extent, switching the working band to 5 GHz is a way to frustrate wireless sniffing (it raises the attacker's cost, but it is obscurity rather than a security control: a dual-band adapter sees 5 GHz traffic just as easily).

0x5: working channel (whether channel hopping is supported)

Wi-Fi has a total of 14 channels in the 2.4 GHz band (the IEEE standard defines all 14; each country's regulations allow a different subset). Channels 1 to 13 are spaced 5 MHz apart (centre frequency 2407 + 5 × n MHz) and channel 14 sits at 2484 MHz; since a channel is about 20 MHz wide (22 MHz for 802.11b), adjacent channels overlap, and a NIC in monitor mode only hears the channel it is tuned to, which is why a scanner has to hop.

Channel allocation in other countries:
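As an added example (not from the original post), here is the channel arithmetic a scanner relies on: the channel-to-frequency mapping, which 2.4 GHz channels actually overlap, and which channels a sniffer must hop through so that it does not miss an AP. The regulatory subsets (FCC channels 1-11, ETSI 1-13, Japan 1-13 plus channel 14 for 802.11b only) are the commonly cited defaults and are an assumption about the reader's region; check local rules. The mapping also covers the 20 MHz 5 GHz channels, which goes beyond the 2.4 GHz table above.

```python
"""Wi-Fi channel arithmetic for a channel-hopping sniffer (added example)."""

# 802.11b DSSS occupies 22 MHz; 802.11g/n OFDM nominally 20 MHz.
DSSS_WIDTH_MHZ = 22
OFDM_WIDTH_MHZ = 20

# Assumed regulatory subsets (commonly cited defaults; verify for your region).
REGULATORY_2G = {
    "US": list(range(1, 12)),   # FCC: channels 1-11
    "EU": list(range(1, 14)),   # ETSI: channels 1-13
    "JP": list(range(1, 15)),   # Japan: 1-13, plus 14 for 802.11b only
}


def channel_to_mhz(ch: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1-14) or a 5 GHz channel (36-177)."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch      # ch 1 = 2412 MHz ... ch 13 = 2472 MHz
    if ch == 14:
        return 2484               # Japan-only, 12 MHz above channel 13
    if 36 <= ch <= 177:
        return 5000 + 5 * ch      # ch 36 = 5180 MHz, ch 149 = 5745 MHz
    raise ValueError(f"unknown channel {ch}")


def mhz_to_channel(freq_mhz: int) -> int:
    """Inverse mapping, e.g. for the frequency reported in a radiotap header."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472 and (freq_mhz - 2407) % 5 == 0:
        return (freq_mhz - 2407) // 5
    if 5180 <= freq_mhz <= 5885 and freq_mhz % 5 == 0:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"not a Wi-Fi centre frequency: {freq_mhz} MHz")


def overlaps(ch_a: int, ch_b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """Two channels interfere when their centres are closer than one channel width."""
    return abs(channel_to_mhz(ch_a) - channel_to_mhz(ch_b)) < width_mhz


def non_overlapping_set(channels, width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Greedy choice of mutually non-overlapping channels (the classic 1/6/11 plan)."""
    chosen = []
    for ch in sorted(channels):
        if not any(overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def missed_by_sniffer(hop_channels, region: str) -> list:
    """Channels an AP may legally use in `region` that a sniffer hopping only through
    `hop_channels` never visits. Non-overlapping sets are for AP planning; a sniffer
    must visit every allowed channel or it will miss APs parked on the others."""
    return sorted(set(REGULATORY_2G[region]) - set(hop_channels))


if __name__ == "__main__":
    print("channel 6 =", channel_to_mhz(6), "MHz")
    print("US non-overlapping (22 MHz):", non_overlapping_set(REGULATORY_2G["US"]))
    print("EU non-overlapping (20 MHz):", non_overlapping_set(REGULATORY_2G["EU"], OFDM_WIDTH_MHZ))
    print("hopping only 1/6/11 in the EU misses:", missed_by_sniffer([1, 6, 11], "EU"))
```

The last function is the one that matters for a scanner: the 1/6/11 plan is advice for placing APs, not for listening, and a sniffer configured with the US hop list will never see an AP on channel 12 or 13 in Europe.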

0x5: supported modes

At present, the main working modes of a wireless NIC are as follows:

Before going further, here is a list of the current working modes (standards) of the 802.11 family:

When selecting a NIC, it is important to look at the supported modes carefully, because there is a mode negotiation process when connecting to and interacting with an AP:

only when both the client and the AP support a given mode (for example 802.11b/g/n on 2.4 GHz) can the two sides proceed to connect.

0x6: whether a USB interface is available

Whether the wireless NIC connects over USB as an external peripheral. This matters in practice because a USB adapter can be passed through to a virtual machine, whereas a built-in mini-PCIe card generally cannot.

0x7: price

For the selection of a wireless NIC, please refer to the following link:

2. The first step of a wireless attack: "network AP detection", and the use of scanners

Having covered the selection of a wireless NIC, we are ready for the basic work of wireless security research. Next we start with the first step, which is also the first problem we face: how to find our attack target, namely "network AP detection (service discovery)". To achieve this we need a scanner.

As we said before, wireless security software basically needs to provide the following functions:

Next, let's look at the software and how it accomplishes these goals.

0x1: packet sniffing

Packet-sniffing software monitors the frames on a given "channel" and does not send packets by itself. Instead, it uses monitor mode to listen for all frames on the channel; since the card sits on one channel at a time, the sniffer hops through the channels to build a picture of every AP. Setting a wireless card to monitor mode is analogous to setting an ordinary wired Ethernet card to promiscuous mode: in that case you see all packets passing over the "cable" (or channel). However, the key differences between the two are:

How a packet-sniffing scanner works:

Using Kismet for wireless sniffing

Kismet is not only a scanning tool but also a framework for 802.11 packet capture and analysis (frames captured by Kismet can be dumped to a file for other analysis frameworks). It consists of three parts:

Run kismet under BT5, and Kismet will automatically detect a suitable source NIC:

Press "s" in the menu bar to sort the APs, and select a specific SSID to view its details:

0x2: packet injection

Google turns up many "WEP password cracking", "WPA password cracking" and "WPA2 password cracking" tutorials, as well as many automation tools (for example Fern WiFi Cracker). The principle behind all of this cracking is packet injection.

Using the airodump-ng family of tools (the aircrack-ng suite: airmon-ng, airodump-ng, aireplay-ng, aircrack-ng) to inject wireless packets and crack passwords:

It should be noted that the two attacks inject different frame types: WEP cracking injects data frames (replaying captured ARP requests so that the AP generates a large number of encrypted frames with fresh IVs, which is what aircrack-ng needs to recover the key), whereas WPA/WPA2 cracking injects management frames (deauthentication frames that kick a client off so that it reconnects and the scanner can capture the 4-way handshake, which is then attacked offline with a dictionary). I summarize the IEEE 802.11 frame format in another article.

0x3: service discovery: actively sending probe packets

To counter wireless sniffing to some extent, many wireless APs adopt configurations such as hiding the SSID:

Against this kind of defense, the scanner adopts a corresponding technique to obtain the hidden SSID. A "hidden" AP still sends beacons, only with an empty (or NUL-filled) SSID field, and it still answers directed probe requests and accepts association requests that carry the real SSID in clear text. So the scanner either waits for a legitimate client to (re)connect, if necessary forcing this with a deauthentication frame, and reads the SSID from the client's probe request or association request, or it actively sends probe requests itself. Hiding the SSID therefore only defeats passive, beacon-only scanners.
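As an added worked example (not from the original post), the following Python builds a small constructed capture of 802.11 management frames and parses it: a beacon from an AP with a hidden SSID, a normal beacon, a deauthentication frame, and the probe response that leaks the hidden name. It serves both of the points above: that WEP and WPA attacks inject different frame types (the parser classifies data versus management frames and recognises the deauth subtype and reason code), and how a scanner recovers a hidden SSID by correlating the empty-SSID beacon with a later probe response or association request for the same BSSID. The MAC addresses are made-up locally administered values, and no radiotap header is included, so the input is the bare 802.11 frame as a capture tool hands it over once the radiotap header is stripped.

```python
"""Parse 802.11 management frames and recover hidden SSIDs (added example;
the sample capture below is constructed here, not recorded from a real network)."""
import struct

TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
IE_SSID, IE_RATES, IE_DS_CHANNEL, IE_RSN = 0, 1, 3, 48


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> dict:
    """Tagged parameters: 1-byte tag, 1-byte length, value. Keeps the first of each tag."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated or lying length field: attacker-controlled, stop rather than trust it
        ies.setdefault(tag, value)
        i += 2 + length
    return ies


def parse_frame(frame: bytes) -> dict:
    """Decode the 24-byte MAC header and, for management frames, the body."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {"type": TYPES.get(ftype, "reserved"), "subtype": subtype, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if ftype != 0:
        return info  # control/data frame: header only, nothing to learn about SSIDs
    info["subtype"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
    body = frame[24:]
    if subtype == 12:  # deauthentication: 2-byte reason code
        info["reason"] = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else None
        return info
    if subtype in (5, 8):  # probe-resp / beacon: timestamp(8) interval(2) capability(2)
        ies = parse_ies(body[12:])
    elif subtype == 0:     # assoc-req: capability(2) listen interval(2)
        ies = parse_ies(body[4:])
    elif subtype == 4:     # probe-req: IEs only
        ies = parse_ies(body)
    else:
        return info
    ssid = ies.get(IE_SSID, b"")
    # A "hidden" SSID is either zero-length or the real length filled with NUL bytes.
    info["hidden"] = len(ssid) == 0 or ssid == b"\x00" * len(ssid)
    info["ssid"] = None if info["hidden"] else ssid.decode("utf-8", "replace")
    if len(ies.get(IE_DS_CHANNEL, b"")) == 1:
        info["channel"] = ies[IE_DS_CHANNEL][0]
    info["rsn"] = IE_RSN in ies
    return info


def resolve_hidden_ssids(frames) -> dict:
    """BSSIDs whose beacons hide the SSID, mapped to the name leaked by a probe
    response or association request for the same BSSID (None if not seen yet)."""
    hidden, leaked = set(), {}
    for p in (parse_frame(f) for f in frames):
        if p["type"] != "mgmt":
            continue
        if p["subtype"] == "beacon" and p["hidden"]:
            hidden.add(p["bssid"])
        elif p["subtype"] in ("probe-resp", "assoc-req") and p.get("ssid"):
            leaked[p["bssid"]] = p["ssid"]
    return {bssid: leaked.get(bssid) for bssid in hidden}


# Builders for the constructed capture (no real device involved).
def _ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    fc0 = subtype << 4  # type 0 (management), protocol version 0
    return struct.pack("<BBH", fc0, 0, 0) + da + sa + bssid + struct.pack("<H", 0) + body

def build_beacon(bssid: bytes, ssid: bytes, channel: int, hidden: bool = False) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU interval, ESS + privacy
    ies = _ie(IE_SSID, b"" if hidden else ssid) + _ie(IE_RATES, bytes([0x82, 0x84, 0x8b, 0x96]))
    ies += _ie(IE_DS_CHANNEL, bytes([channel])) + _ie(IE_RSN, b"\x01\x00")
    return build_mgmt(8, b"\xff" * 6, bssid, bssid, fixed + ies)

def build_probe_resp(bssid: bytes, client: bytes, ssid: bytes, channel: int) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return build_mgmt(5, client, bssid, bssid, fixed + _ie(IE_SSID, ssid) + _ie(IE_DS_CHANNEL, bytes([channel])))

def build_deauth(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    """Reason 7 (class 3 frame from a non-associated STA) is the code usually seen in injected deauths."""
    return build_mgmt(12, client, bssid, bssid, struct.pack("<H", reason))


# Constructed sample capture with made-up, locally administered MAC addresses.
AP_HIDDEN, AP_GUEST = bytes.fromhex("02aabbccddee"), bytes.fromhex("02aabbccdd01")
CLIENT = bytes.fromhex("021122334455")
SAMPLE_CAPTURE = [
    build_beacon(AP_HIDDEN, b"corp-hidden", 6, hidden=True),  # beacon with an empty SSID field
    build_beacon(AP_GUEST, b"guest", 11),
    build_deauth(AP_HIDDEN, CLIENT),                         # injected to force the client to reconnect
    build_probe_resp(AP_HIDDEN, CLIENT, b"corp-hidden", 6),  # the real name leaks here
]
```

Running resolve_hidden_ssids(SAMPLE_CAPTURE) maps the hidden BSSID to "corp-hidden" once the probe response has been seen; with only the two beacons in hand it reports the BSSID with no name yet. The parser deliberately stops at a malformed information element instead of trusting its length byte, since everything in a monitor-mode capture is attacker-controlled input.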

3. Postscript

There are many directions for wireless security research. There are many articles on Google about password cracking and tool usage, which are very exciting. In addition, I think wireless security can be combined with traditional intranet security issues, such as:

Related learning materials: