SEC617: Wireless Penetration Testing and Ethical Hacking

GIAC Assessing and Auditing Wireless Networks (GAWN)
GIAC Assessing and Auditing Wireless Networks (GAWN)
  • In Person (6 days)
  • Online
36 CPEs
SEC617 will give you the skills you need to understand the security strengths and weaknesses in wireless systems. In this course, you will learn how to evaluate the ever-present cacophony of Wi-Fi networks and identify the Wi-Fi access points and client devices that threaten your organization; assess, attack, and exploit deficiencies in modern Wi-Fi deployments using WPA2 technology, including sophisticated WPA2-Enterprise networks; use your understanding of the many weaknesses in Wi-Fi protocols and apply it to modern wireless systems; and identify and attack Wi-Fi access points and exploit the behavioral differences in how client devices scan for, identify, and select access points.

What You Will Learn

This course is designed for professionals seeking a comprehensive technical ability to understand, analyze, and defend the various wireless technologies that have become ubiquitous in our environments and, increasingly, key entrance points for attackers.

The authors of SEC617, as penetration testers themselves, know that many organizations overlook wireless security as an attack surface, and therefore fail to establish required defenses and monitoring, even though wireless technologies are now commonplace in executive suites, financial departments, government offices, manufacturing production lines, retail networks, medical devices, and air traffic control systems. Given the known risks of insecure wireless technologies and the attacks used against them, SEC617 was designed to help people build the vital skills needed to identify, evaluate, assess, and defend against these threats. These skills are 'must-have' for any high-performing security organization.

NOW COVERING WI-FI, ZIGBEE, Z-WAVE, RFID, AND SOFTWARE -DEFINED RADIO

For many analysts, "wireless" was once synonymous with "Wi-Fi," the ever-present networking technology, and many organizations deployed complex security systems to protect these networks. Today, wireless takes on a much broader meaning -- not only encompassing the security of Wi-Fi systems, but also the security of Bluetooth, Zigbee, Z-Wave, RFID, NFC, contactless smart cards, and even proprietary wireless systems. To effectively evaluate the security of wireless systems, your skillset needs to expand to include many different types of wireless technologies.

EXPLORE WI-FI ATTACKS AGAINST WINDOWS, MacOS, iOS, AND ANDROID

SEC617 will give you the skills you need to understand the security strengths and weaknesses of wireless systems. You will learn how to evaluate the ever-present cacophony of Wi-Fi networks and identify the Wi-Fi access points (APs) and client devices that threaten your organization. You will learn how to assess, attack, and exploit deficiencies in modern Wi-Fi deployments using WPA2 technology, including sophisticated WPA2 Enterprise networks. You will gain a strong, practical understanding of the many weaknesses in Wi-Fi protocols and how to apply that understanding to modern wireless systems. Along with identifying and attacking Wi-Fi access points, you will learn to identify and exploit the behavioral differences in how client devices scan for, identify, and select APs, with deep insight into the behavior of the Windows 10, macOS, Apple iOS, and Android Wi-Fi stacks.

EXAMINE BLE TECHNOLOGY WITH NEW INSIGHT, CERTIFYING DEVICES FOR USE

A significant portion of the course focuses on Bluetooth and Bluetooth Low Energy (BLE) attacks, targeting a variety of devices, including wireless keyboards, smart light bulbs, mobile devices, audio streaming devices, and more. You will learn to assess a target Bluetooth device, identify the present (or absent) security controls, and apply a solid checklist to certify a device's security for use within your organization.

LEARN TO ATTACK POPULAR WIRELESS TECHNOLOGY BEYOND WI-FI TARGETS

Beyond analyzing Wi-Fi and Bluetooth security threats, analysts must also understand many other wireless technologies that are widely utilized in complex systems. SEC617 provides insight and hands-on training to help analysts identify and assess the use of Zigbee and Z-Wave wireless systems used for automation, control, and smart home systems.

ATTACK AND MANIPULATE RFID AND NFC SYSTEMS

Radio frequency identification (RFID), near field communication (NFC), and contactless smart card systems are more popular than ever in countless applications such as point of sale systems and data center access control systems. You will learn how to assess and evaluate these deployments using hands-on exercises to exploit the same kinds of flaws discovered in mass transit smart card systems, hotel guest room access systems, and more.

GAIN NEW INSIGHT INTO WIRELESS PROTOCOLS WITH SOFTWARE-DEFINED RADIO

In addition to standards-based wireless systems, we also dig deeper into the radio spectrum using software-defined radio (SDR) systems to scour for signals. Using SDR, you will gain new insight into how widely pervasive wireless systems are deployed. With your skills in identifying, decoding, and evaluating the data these systems transmit, you will be able to spot vulnerabilities even in custom wireless infrastructures.

JUMPSTART YOUR TOOLKIT WITH SOFTWARE AND HARDWARE ASSESSMENT TOOLS SUPPLIED IN CLASS

SEC617 is a technical, hands-on penetration testing skill-development course that requires a wide variety of super-useful hardware and software tools to successfully build new skills. In this course, you will receive the SANS Wireless Assessment Toolkit (SWAT), which is a collection of hardware and software tools that will jumpstart your ability to assess wireless systems. The toolkit includes a high-powered 802.11b/g/n/a/ac Wi-Fi card, a long-range Bluetooth Classic/Low Energy adapter, a high-frequency RFID reader and writer, and a software-defined radio receiver. You will also receive a customized Linux software environment so you can work on assessing systems and avoid fighting hardware/software incompatibility.

You Will Be Able To

  • Identify and locate malicious rogue access points using free and low-cost tools
  • Conduct a penetration test against low-power wireless devices to identify control system and related wireless vulnerabilities
  • Identify vulnerabilities and bypass authentication mechanisms in Bluetooth networks
  • Implement a WPA2 Enterprise penetration test to exploit vulnerable wireless client systems for credential harvesting
  • Utilize Scapy to force custom packets to manipulate wireless networks in new ways, quickly building custom attack tools to meet specific penetration test requirements
  • Identify Wi-Fi attacks using network packet captures traces and freely available analysis tools
  • Identify and exploit shortcomings in the security of proximity key card systems
  • Decode proprietary radio signals using Software-Defined Radio
  • Mount a penetration test against numerous standards-based or proprietary wireless technologies

What You Will Receive

  • Step-by-step instructions for all lab exercises
  • Cheatsheets used for quick reference to detailed information sources
  • Access to associated software, files, and analysis resources
  • MP3 audio files of the complete course lectures

SWAT Hardware Kit

  • ALFA AWUS036ACM Wi-Fi card
  • Panda PAU6 Wi-Fi card
  • Bluetooth UD100 adapter
  • ACR122U RFID read/writer
  • RTL-SDR radio and antenna (R820T2)
  • MIFARE Ultralight key fob
  • Raspberry Pi 4 (PiPoint) (32gb) (SD Card)
  • 4 port powered USB hub

    • Note: This comes with a US plug. International students, please obtain an adapter.
  • Cat5 Cable Retractable
  • String Bag
  • ACR122U RFID read/writer #2
  • Raspberry Pi 4 (PiSense) (32gb) (SD Card)

    • Note: this comes with a US plug. International students, please obtain an adapter.
  • MIFARE Classic 1K smart card

Syllabus (36 CPEs)

Download PDF
  • Overview

    The first section of the course quickly looks at wireless threats and attack surfaces and analyzes where you will likely see non-Wi-Fi systems deployed in modern networks. We start off with a look at fundamental analysis techniques for evaluating Wi-Fi networks, including the identification and analysis of rogue devices, and finish with a dive into remote penetration testing techniques using compromised Windows 10 and macOS devices to pivot.

    Topics

    Characterize the Wireless Threat

    • Recognizing protocol weaknesses and cryptographic failures across wireless technologies
    • Why popular smart phones increase our exposure to attack
    • Anatomy of a wireless attack: How real-world attackers exploit wireless systems
    • Introduction to the SWAT kit

    Wi-Fi MAC and PHY Layers

    • Learn the important characteristics of layers 1 and 2 for Wi-Fi

    Sniffing Wi-Fi

    • Leveraging built-in functionality in every Wi-Fi card for penetration testing
    • Wireless packet capture on Linux, Windows, and macOS
    • Overcoming physical-layer challenges in IEEE 802.11n, IEEE 802.11ac packet sniffers
    • Detecting cheaters: Radio regulatory domain bypass hacks
    • Packet capture, filter, and analysis with tcpdump, Wireshark, and Kismet
    • Tools and techniques for understanding your radio frequency exposure with topographic range maps

    Rogue Access Point (AP) Analysis

    • Characterizing the threat and attacker motives for rogue APs
    • Wired-side analysis for rogue APs using open-source tools
    • Filtering out Wi-Fi noise to focus on and characterize rogue device threats
    • Correlating Wi-Fi devices with your network infrastructure
    • Effective unauthorized transmitter location analysis techniques
  • Overview

    After developing skills needed to capture and evaluate Wi-Fi activity, we start our look at exploiting Wi-Fi, targeting AP and client devices. We cover techniques that apply to any Wi-Fi products, from consumer to enterprise-class devices, focusing on understanding protocol-level deficiencies that will continue to be applied throughout the course on non-Wi-Fi wireless systems as well.

    Topics

    Exploiting Wi-Fi Hotspots

    • Bypassing authentication on hotspot networks
    • Exploiting mobile application data disclosure on open networks
    • Luring Wi-Fi client victims with Wi-Fi hotspot impersonation
    • Leveraging sidejacking attacks against hotspot networks

    Wi-Fi Client Attacks

    • Leveraging Wi-Fi timing attacks for traffic manipulation
    • Bypassing client isolation security on Wi-Fi networks
    • Wi-Fi client privacy and isolation attacks through preferred network list disclosure
    • Leveraging commercial tools such as the Wi-Fi Pineapple for AP impersonation
    • Integrating Metasploit Meterpreter payloads in Wi-Fi network injection attacks

    Exploiting WEP

    • A brief look at WEP technology and exploitation
    • Applying the cryptography in WEP to non-Wi-Fi protocols

    Denial of Service (DoS) Attacks

    • Identifying types of DoS attacks and attack targets
    • Leveraging RF jammers in a pen test
    • Selective client DoS targeting to manipulate network roaming events
    • Single-client to entire-network Wi-Fi DoS techniques

    Wi-Fi Fuzzing for Bug Discovery

    • Introduction to fuzzing techniques
    • Identifying complex parsing issues in Wi-Fi protocols
    • Using Scapy to build malformed packets
    • Identifying bugs in APs and client devices through fuzzing
    • Applying fuzzing as part of an overall Wi-Fi security analysis
  • Overview

    We finish our look at Wi-Fi attack techniques with a detailed look at assessing and exploiting WPA2 networks. Starting with WPA2 consumer networks, we investigate the flaws associated with pre-shared key networks and Wi-Fi Protected Setup (WPS) deployments, continuing with a look at exploiting WPA2 Enterprise networks using various Extensible Authentication Protocol (EAP) methods. We round out the section with a detailed look at WPA3 and its several authentication and security modes (OWE, PSK, DPP), examining attacks for each one.

    We continue to investigate the security of wireless networks on day 3, switching to non-Wi-Fi analysis with a look at exploiting security of Zigbee and IEEE 802.15.4 networks, looking at cryptographic flaws, key management failures, and an introduction to hardware attacks.

    Topics

    Attacking WPA2 Pre-Shared Key Networks

    • In-depth analysis of key derivation functions in WPA2
    • Capturing and evaluating WPA2-PSK client network authentication exchanges
    • Attacking the passphrase selection of WPA2-PSK

    Attacking WPA2 Enterprise Networks

    • Differentiating PSK-based WPA2 and WPA2 Enterprise networks
    • Leveraging identity disclosure in WPA2 Enterprise networks
    • Exploiting Windows 10 Native Wi-Fi and PEAP networks
    • Exploiting iOS and Android Enterprise Wi-Fi network roaming behavior
    • Using Hostapd-WPE for Enterprise network impersonation
    • Password recovery through MS-CHAPv2 cracking

    Attacking WPA3 Networks

    • Introduction to WPA3 enhanced features
    • Analysis of WPA3 authentication and encryption methods
    • Deciphering WPA3 beacon frames
    • Exploiting client systems with Evil Twin attacks for WPA3
    • Attacking the passphrase selection of WPA3-PSK

    Attacking Zigbee Deployments

    • In-depth analysis of Zigbee and IEEE 802.15.4 physical and MAC layer architecture
    • Zigbee and IEEE 802.15.4 authentication and cryptographic controls
    • Weaknesses in Zigbee key provisioning and management mechanisms
    • Tools for eavesdropping on and manipulating Zigbee networks
    • Exploiting Zigbee Over-the-Air key provisioning
    • Locating Zigbee devices with signal analysis tools
  • Overview

    Bluetooth technology is nearly as pervasive as Wi-Fi, with widespread adoption in smart phones, fitness trackers, wireless keyboard, smart watches, and more. In this module, we dig into the Bluetooth Classic, Enhanced Data Rate, and Low Energy protocols, including tools and techniques to evaluate target devices for vulnerabilities.

    Immediately following our look at Bluetooth technology, we jump into the practical application of Software Defined Radio (SDR) technology to identify, decode, and assess proprietary wireless systems. We investigate the hardware and software available for SDR systems, and look at the tools and techniques to start exploring this exciting area of wireless security assessment.

    Topics

    Bluetooth Introduction and Attack Techniques

    • Understanding the physical layer evolution of Bluetooth and packet capture techniques
    • Bluetooth pairing techniques and vulnerabilities
    • Attacking Bluetooth pairing for PIN and key recovery
    • Techniques for identifying non-discoverable Bluetooth devices

    Bluetooth Low Energy Introduction and Attack Techniques

    • Recognizing BLE Frequency-Hopping RF patterns
    • Security analysis of BLE pairing options -- just works, OOP, passkey, and numeric comparison
    • Analysis of expensive and inexpensive BLE packet capture tools for Windows, Linux, and Android devices
    • Scanning BLE device services with bluetoothctl, Android apps, and related tools
    • Practical exploitation of BLE services

    Practical Application of Software-Defined Radio (SDR)

    • Guide to using SDR in a penetration test
    • RF spectrum visualization and signal hunting with SDR# and GQRX
    • Decoding ADS-B aircraft beacon traffic
    • Eavesdropping on POCSAG and FLEX pager messaging
    • GSM cell tower scanning and evaluation with SDR
    • Leveraging capture and replay attacks to exploit vehicle keyless entry systems
  • Overview

    On day 5, we evaluate RFID technology in its multiple forms to identify the risks associated with privacy loss and tracking, while also building an understanding of both low-frequency and high-frequency RFID systems and NFC. We examine the security associated with contactless Point of Sale (PoS) terminals, including Apple Pay and Google Wallet, and proximity lock access systems from HID and other vendors. We also examine generalized techniques for attacking smart card systems, including critical data analysis skills needed to bypass the intended security of smart card systems used for mass transit systems, concert venues, bike rentals, and more.

    Topics

    RFID Overview

    • Understanding the components, transmission frequencies, and protocols in RFID systems
    • Differentiating active and passive RFID systems
    • Understanding NFC systems components and protocols
    • Practical range extensions in RFID attacks

    RFID Tracking and Privacy Attacks

    • Practical location disclosure attacks in RFID systems
    • Case study: E-Z Pass location disclosure threats
    • Manipulating Apple iBeacon location tracking systems
    • RFID tracking through Ultra-High Frequency (UHF) tags
    • Apple Airtags

    Low-Frequency RFID Attacks

    • Case study: cloning RFID tags used for bike rental systems
    • Leveraging RFIDiot for low-frequency RFID attacks
    • Attacking HID ProxCard proximity lock systems
    • Leveraging the ProxMark RDV2 for low-frequency RFID attacks
    • Brute-forcing HID identifiers for unauthorized access
    • Extending range in HID cloning attacks
    • Manual low-frequency tag analysis and bitstream decoding

    Exploiting Contactless RFID Smart Cards

    • Conducting smart card reconnaissance analysis with Linux and Android
    • Attacking Europay-Mastercard-Visa (EMV) PoS systems
    • Exploiting MIFARE Classic smart card systems
    • Effective smart card cloning with UID impersonation
    • Attacking MIFARE Ultralight, Ultralight-C, and DESFire smart card systems
    • Emulating smart cards with the ProxMark RDV2

    Attacking NFC

    • Decoding the NFC Data Exchange Format (NDEF) protocol
    • Reading and writing NFC/NDEF tags
    • Analysis of Android Beam, Google Wallet, and Apple Pay NFC systems
    • Exploiting NFC smart toys
    • Attacking Android devices with malicious NFC tags
  • Overview

    On the last day of class we will pull together all the concepts and technology we have covered during the week in a comprehensive Capture the Flag event. In this hands-on exercise, you will have the option to participate in multiple roles: identifying unauthorized/rogue Wi-Fi access points, attacking live and recorded Wi-Fi networks, decoding proprietary wireless signals, exploiting smart card deficiencies, and more.

    During this wireless security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.

GIAC Assessing and Auditing Wireless Networks

The GIAC Assessing and Auditing Wireless Networks (GAWN) certification is designed for technologists who need to assess the security of wireless networks. The certification focuses on the different security mechanisms for wireless networks; the tools and techniques used to evaluate and exploit weaknesses; and the techniques used to analyze wireless networks. Candidates will have an understanding of how the tools operate and the weaknesses in protocols that they evaluate.

  • Attacking weak encryption, 802.11 fuzzing attacks, and bluetooth attacks
  • Bridging the air gap, DoS on wireless networks, high-frequency RFID attacks, and RFID applications
  • Hotspots, low-frequency RFID attacks, NFC, practical SDR attacks, and rogue networks
  • Sniffing wireless, wireless basics, wireless client attacks, WPA, and Zigbee
More Certification Details

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC617 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 60GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • A wired Ethernet network adapter is required for this course. This can be either an internal or an external USB-based network adapter but you cannot use wireless networking alone.

Additional requirements for this course:

  • You will need a pair of headphones to listen to audio and video components of the labs in this course.

Additional optional components for this course:

  • At times during the labs in this class, your host laptop will be connected to a local-device network. You will NOT have Internet access from your laptop during those labs. If you wish to retain Internet access (to include class Slack access for Live/Live Online students, access to the instructor's session for Live Online students, or access to the OnDemand player for OnDemand students), you may wish to have an additional device with Internet access during those labs.
MANDATORY SEC617 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

It has been amazing to watch the progression of wireless technology and the near ubiquitous adoption of it over the past several years. Wi-Fi has grown in maturity and offers strong authentication and encryption options to protect networks. Yet many organizations continue to fail to implement these protections appropriately. We have also watched attacker sophistication grow with their toolsets, giving them the upper hand in exploiting technology we rely on for critical tasks. This pattern has us concerned. With implementation of wireless technology on the rise, the attack surface continues to grow as well.

It is not surprising that other wireless protocols have also emerged to satisfy the needs of lightweight embedded device connectivity (Zigbee, IEEE 802.15.4, and Z-Wave), specialty interference-resilient connectivity (Bluetooth Classic and Bluetooth Low Energy) physical security and contactless payments (NFC and RFID), and many others using unknown standards-based and proprietary wireless technologies. It is no longer enough to just be a Wi-Fi expert; you also need to be able to evaluate the entire wireless threat landscape across a whole host of technologies.

We are very excited to deliver even more hands-on labs and a suite of hardware tools to equip modern wireless security analysts with practical skills that they can bring back to their organization and apply on day one. The skills you will build in this class will be valuable for today's wireless technology, for tomorrow's technology advancements, and for other complex systems you have to evaluate in the future.

- Larry Pesce and James Leyte-Vidal

"I learned a tremendous amount, and I look forward to applying what Larry Pesce taught in SEC617." - K.C. Yerrid, Amazon

Reviews

SEC617 will not only give you a basic understanding of wireless threats and vulnerabilities, but it can be as advanced as you want to make it with the questions that you ask.
Daniel Mayernik
Integrity Applications Incorporated
SEC617 is great for someone looking for a top-to-bottom rundown of wireless attacks.
Garret Picchioni
Salesforce
The detailed cryptographic explanations in SEC617 made it easier to understand how various encryption algorithms work--which for me is a first!
Jonathan Wilhoit
Fluor

    Register for SEC617

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...