Evading detection during wifi hacking

[s0nar]

Hi,

I've been wetting my feet in penetration testing. I've been ramping up on metasploit and aircrack, etc.

Now I know that detection evasion is a big topic when it comes to pentesting computers, and servers,

etc, but I'm curious about guidelines and evasion techniques for wifi hacking. I've used systems like

wifite and aircrack, but how susceptible are these types of attacks to detection, and are there any

guidelines to avoid detection?

Thank you

[cooper]

I would always, ALWAYS recommend when you're doing anything on one side of a border, you're at least familiar with what happens on the other side of the border. In this instance, an attacker is going to be considerably more effective when (s)he has knowledge of defence. So what I suggest you do isn't to read up on evasion techniques, but to take the time to practice defending against your attack.

People may correct me on this, but I feel that by far the most important thing when it comes to defence is to know that you're being attack when that is in fact the case. So try to work on discovering this as you attack the box. Now that you know where an admin can look to see you're attacking the box, see if there are ways to still perform that specific attack without showing any signs of attack in that location.

Take turns in being the cat and the mouse.

[naruichia]

Backing on with Cooper, a good way to do this if you don't have a target to practice yet and you need one. Grab a Raspberry Pi, good to practice as a target computer or web server. In terms of WiFi cracks, it wouldn't make sense for them to be detected, because aircrack-ng in terms of WiFi hacks only collects information for later use. I'm not sure about Wifite since I haven't used it before.

[s0nar]

Hi guys,

Thank you for the info. I'll keep on practicing.

In regards to wifite I know that it automates different types of attacks. This depends on the protocol, since it'll do different attacks for WEP than for WPA.

Now for WPA I know that the first one is pixie dust which is supposed to be offline aside from sending some EAPOL packets (but I really don't know much more about it).

If all fails afterwards it'll attempt to brute force the WPS pin; which I guess it's totally detectable, although I'm not sure if most routers and modems will attempt to

analyze these...

[cooper]

Pixiedust works by discovering the state of the prng, which should have a cryptographically strong source and be unpredictable yet for many APs it's VERY predictable (and having your firmware open sourced helps to prove it).

[0phoi5]

I would always, ALWAYS recommend when you're doing anything on one side of a border, you're at least familiar with what happens on the other side of the border. In this instance, an attacker is going to be considerably more effective when (s)he has knowledge of defence. So what I suggest you do isn't to read up on evasion techniques, but to take the time to practice defending against your attack.

People may correct me on this, but I feel that by far the most important thing when it comes to defence is to know that you're being attack when that is in fact the case. So try to work on discovering this as you attack the box. Now that you know where an admin can look to see you're attacking the box, see if there are ways to still perform that specific attack without showing any signs of attack in that location.

Take turns in being the cat and the mouse.

Couldn't agree more.

Install Wireshark, Snort and Aircrack on one of your own machines that you can practice against, and examine how your attacks against WiFi show up on the target end.

Read up on methods to slow down your scans/attacks and use things like SYN packets to obfuscate the attack.

I would also recommend thinking about the hardware you use. Are you going to use a laptop that you also use for gaming and surfing Facebook, or are you going to use a cheap, second-hand laptop with no traceable history back to you? Or maybe a Raspberry Pi that you don't mind getting rid of the moment you feel unsafe?

*Edit* Corrected spelling.

Edited December 10, 2015 by haze1434

[Buff_r]

You can forbid your device from replying to ping, Also change your mac address to a device that is already connected so if they choose to filter mac addresses one of the device they use will be hit offline, check what ports are open.

You can do this with the command:

netstat -atun

Make sure your device doesn't have any suspicious port open such as port: 1337 (Never use this port it's obvious)

Don't give your device weird names.

Evade network scanners by setting your IP out of its range. eg: If a network scanner has a range of 192.168.0.255 then set your ip to 192.168.9.10.

A Nice scheme is to make your device look like a printer or fax just download the whole webpage from the real printer (If it supports HTTP or HTTPS) (You can also use iframes)

Then direct all the requests to the real printer in case they test print. (Sometimes you can hide things in plain sight) (Make sure the real printer is always online if its not and your fake page is still up then most likely your cover has been broken.)

Use programming skills if you have any at hand.

Some of these won't be convincing together such as a printer out of the IP range, 2 of the same printers on the same network.

Choose carefully.

[0phoi5]

I found this nice article on Null Byte as well;

http://null-byte.wonderhowto.com/how-to/cover-your-tracks-after-hacking-wifi-0165952/

[s0nar]

Thanks for the article Haze. That was a good read!

[metatron]

Pentesting tools can be quite loud as generally speaking if someone is paying you to test their network/site they know you are coming. If you are doing things passively, like sniffing for the handshake and cracking it offline then you are safe. I've always found the field of anti-forensic interesting too.

[Karit]

Seriously in the real world. No one notices. Most organisations can't notice stuff on their wired LAN.

Sometime saying you were nosiey and they didn't detect you is a very important finding.

[vailixi]

Pentesting tools can be quite loud as generally speaking if someone is paying you to test their network/site they know you are coming. If you are doing things passively, like sniffing for the handshake and cracking it offline then you are safe. I've always found the field of anti-forensic interesting too.

I tend to agree here. If you are not actually running any attacks you are less likely to be detected. Is there a way to check for monitor mode devices? Are they actually sending anything or communicating at all? I know airodump will show probes and such from non-associated clients but is there a way to detect a monitor mode device?

I know you can filter for deauthentication frames in wireshark. Changing your mac address is a must if you are actively penetrating.

Edited January 1, 2016 by vailixi

[barry99705]

I tend to agree here. If you are not actually running any attacks you are less likely to be detected. Is there a way to check for monitor mode devices? Are they actually sending anything or communicating at all? I know airodump will show probes and such from non-associated clients but is there a way to detect a monitor mode device?

I know you can filter for deauthentication frames in wireshark. Changing your mac address is a must if you are actively penetrating.

A monitor mode device is just that. It's not transmitting anything, just listening, no probes, nothing.

[s0nar]

Thank you guys.

I just got the Pineapple NANO, so hopefully I can build a nice environment to play around and practice stealth.