OnSite

Topics

Understanding the Wireless Threat

• Wireless impact on traditional security approaches, signal exposure threats, common misconceptions in wireless security, wireless LAN and MAN signal leakage, information disclosure threats, DoS attacks, rogue AP attacks, wireless protocol deficiencies, anonymity attacks, home user threats, criminal exploitation of wireless networks

Wireless LAN Organizations and Standards

• Understanding wireless standards bodies, role of the WiFi Alliance for interoperability testing, capabilities and features of WPA and WPA2, IETF standards, understanding the RADIUS and EAP protocols
• Identifying and understanding the enterprise impact of security-pertinent wireless standards including: 802.11z "Direct Link Setup", 802.11ac "Gigabit over WiFi", 802.11af "WiFi in TV White Space"
• Obtaining information about standards bodies work and working group resources

Using the SANS Wireless Auditing Toolkit

• Identifying the components and hardware, understanding the operating characteristics of antennas, using the GPS for location mapping, using an industrial Bluetooth interface

Sniffing Wireless Networks: Tools, Techniques and Implementation

• Using wireless sniffing as an analysis mechanism, understanding WLAN card operating modes, sniffing in managed mode, sniffing in monitor mode, advantages of RFMON sniffing, RFMON implementations
• Monitor mode sniffing on Windows, Linux and Mac OS X
• Analuzing wireless traffic with Tcpdump, Wireshark and Kismet
• Lab: Sniffing Wireless, using Wireshark, identifying wireless networks with Kismet, mapping wireless networks with gpsmap, Google Maps, Google Earth
• Lab: Live Network Mapping, using gpsmap to map wireless networks in the area

IEEE 802.11 MAC: In-Depth

• Common capabilities of the IEEE 802.11 MAC, understanding the architecture and operating of ad-hoc and infrastructure networks, phases of station authentication and association, understanding the operation and behavior of IEEE 802.1X authentication
• Identifying capabilities and features of EAP types including PEAP, EAP/TLS, TTLS, EAP-FAST
• Packet framing on wireless networks, understanding the 802.11 header format and fields, significance of FromDS and ToDS fields, 802.11 address field ordering and behavior, 802.11 management frames and data encoding, 802.11 management action frames, decoding frames in hex

Topics

Wireless LAN Assessment Techniques

• Identifying the goals of a WLAN audit, passive AP fingerprinting techniques, information element disclosure on Cisco networks, client post-processing analysis with Kismet XML files, identifying the authentication and encryption options used on the WLAN with Kismet and Wireshark, techniques for mapping the range of indoor and outdoor WLANs, assessing traffic captured in monitor mode for information disclosure, identifying multicast protocols with MAC analysis, evaluating encrypted traffic and proprietary encryption functions
• Evaluating policy compliance, using DoDD 8100.2 as a baseline policy, HIPAA implications and wireless networks, PCI requirements and wireless networks
• Lab: Wireless Auditing, evaluating supplied traffic for information disclosure and risks, evaluating and identifying the security of the network

Rogue AP Analysis

• Defining and understanding rogue networks, how attackers exploit rogue networks, types of rogue networks, examples of malicious rogue AP compromises, ad-hoc rogue networks, behavior and spread of the "Free Public WiFi" ad-hoc network, Windows bridging and the ad-hoc threat, SOHO devices as a node threat, threat of Windows soft APs
• Techniques for identifying rogue devices: wired-side AP fingerprinting, wired-side MAC prefix analysis, wireless-side warwalking, wireless-side client monitoring, wireless-side IDS, Nmap rogueap scripting analysis
• Correlating devices and the LANs they attach to, function of WLAN IPS systems and rogue prevention
• Locating rogue devices through RSSI signal analysis, triangulation
• Cheating at rogue detection using CDP and MAC address variations
• Lab: Identifying rogue AP's with Nmap, using RSSI characteristics to locate unauthorized transmitters

Wireless Hotspot Networks

• Proliferation of hotspots, motivators for hotspot deployment, difference with traditional network deployments, hotspot architecture, example case: "attwifi"
• Risks with hotspot networks including hotspot controller vulnerabilities, service theft, spoofed provider access, direct client attacks
• Mobile devices and hotspot access, susceptibility for mobile applications and sidejacking attacks
• Defensive measures for administrators and service providers

Attacking WEP

• Introduction to WEP technology, WEP key selection, IV transmission, WEP framing
• Understanding the XOR truth table
• Introduction to RC4, WEP ICV processing, WEP encryption process, WEP decryption process
• WEP failures including lack of replay protection, weak message integrity check, no key rotation mechanism, initialization vector is too short, challenge/response reveals PRGA and key is reversible from ciphertext
• Reliable mechanisms for exploiting and decrypting WEP networks
• Applying WEP failures to other network protocols
• Lab: Attacking WEP networks, live

Topics

Cisco LEAP Attacks

• Cisco LEAP operation and use, understanding LEAP goals, identifying Cisco LEAP networks
• Understanding MS-CHAPv2, LEAP 5-way handshake, storing MS-CHAPv2 hashes, LEAP MS-CHAPv2 exchange and weaknesses, brute-forcing the 3rd MS-CHAPv2 DES key
• Applying LEAP and MS-CHAPv2 failures to modern wireless environments
• Lab: Exploiting Cisco LEAP and MS-CHAPv2

Wireless Client Attacks

• Understanding why attackers target client systems
• Hotspot injection attacks, manipulating unencrypted network transmissions
• Publicly Secure Packet Forwarding (PSPF) and wireless network isolation vulnerabilities, defeating PSPF for direct client exploits
• Attacking the Preferred Network List (PNL) with the WiFi Pineapple
• Exploiting privacy weaknesses in Apple the iPhone and iPad for location tracking
• Leveraging Metasploit Framework exploits against wireless client vulnerabilities
• Lab: Using AirPWN to manipulate client devices

Attacking WPA2-PSK Networks

• Introduction to hashing mechanisms, understanding HMAC hashes
• WPA2 key hierarchy architecture and establishment mechanisms
• Identifying the components of the WPA2 4-way handshake, identifying WPA2-PSK networks
• Attacking the passphrase selection of WPA/WPA2-PSK networks, using cryptographic accelerators for effective pre-shared key attacks
• Establishing Amazon EC2 cloud computing systems for private, inexpensive, and high-speed cracking services
• Exploiting unrecoverable weaknesses in WiFi Protected Setup (WPS)
• Exploiting Windows, Mac OS X, and Android WPA2 key storage weaknesses
• Lab: WPA2-PSK Attacks

Assessing Enterprise WPA2

• Understanding the risks and challenge of legacy authentication sources, how PEAP addresses this weakness using TLS
• Understanding TLS tunnel establishment exchange and validation, behavior of PEAP Phase 1 and PEAP Phase 2 connections, identity disclosure in PEAP supplicants
• Differences between WPA2-PSK and WPA-Enterprise authentication, EAPOL-Key distribution and use, PMK generation and delivery from RADIUS, PTK derivation and key rotation mechanisms
• Attacks against PEAP networks including authentication attacks, man-in-the-middle attacks, EAPOL key-distribution attacks, client-specific attacks
• Exploiting weaknesses in certificate validation mechanisms in Windows, Apple iOS, and Android platforms
• Evading EAP/TLS and other secure EAP mechanisms on Apple iOS devices
• Protecting PEAP networks, WZC recommended supplicant configuration properties, mitigating PEAP username disclosure with third-party supplicants, client firewall devices and wireless security recommendations

Topics

Deficiencies in TKIP Networks

• TKIP improvements over WEP networks including keying, message integrity checks (MIC), IV sequencing
• QoS deficiencies and the TKIP break, TKIP replay attacks
• TKIP countermeasure DoS attacks
• TKIP plaintext recovery attacks
• Applying TKIP failures to modern cryptographic systems
• Vendor failures exacerbating TKIP flaws

Leveraging WiFi DoS Attacks

• Understanding the impact of DoS attacks, differentiating persistent and non-persistent DoS attacks, IEEE 802.11 DoS attack targets including PHY, MAC and client attacks
• Physical medium attacks with the Wave Bubble, common jammers
• IEEE 802.11 MAC attacks, authentication and association floods, deauthenticate and disassociation floods, Beacon DS Set DoS
• Impact of IEEE 802.11w and management frame protection and DoS attacks
• IEEE 802.11 medium management techniques, hidden node problem, RTS/CTS medium management, medium reservation attacks, RTS/CTS co-opting
• Client attacks including rogue AP DoS, NULL SSID DoS, 802.1X authentication flood
• Impact of range in a DoS attack, IEEE 802.11 committee stance on DoS attacks, defensive measures
• Lab: Leveraging a DoS attack against course participants

Wireless Fuzzing for Bug Discovery

• Value of protocol fuzzing for fault determination in wireless networks
• Leveraging free and commercial fuzzing tools including Scapy, the Metasploit Framework, file2air, Codenomicon Test Suite
• Implementing fuzzing testing operationally, scoping, monitoring, recording and analyzing results
• When to use fuzzing as a test mechanism
• Strategies for vulnerability disclosure
• Lab: Live 802.11 fuzzing

Bridging the Airgap: Remote WiFi Pentesting

• Leveraging remote client compromises for wireless exploitation
• Configuring Metasploit Framework Meterpreter exploits
• Navigating Windows 7/8 NDIS 6 wireless setting storage and management
• Remote monitor mode packet capture on Windows 7/8 with NetMon
• Leveraging compromised hosts to create remote rogue AP entry points into an enterprise network with the Metasploit

Framework and post-exploitation modules

• Bridging the Airgap on OS X platforms with the airport command
• Exploiting the OS X keychain for root privilege escalation

Topics

DECT Attacks

• DECT as a cordless telephony and data application technology
• Advantages for consumers, enterprises in the adoption of DECT technology
• DECT physical and MAC layer fundamentals
• Evaluating the DECT authentication and encryption mechanisms
• Eavesdropping and recording audio conversations on DECT cordless phones
• Looking forward with DECT's replacement technology CAT-iq
• Lab: Extracting audio from DECT network activity

Exploiting ZigBee

• Introduction to ZigBee, ZigBee use cases and deployment
• Attacker interest in ZigBee and industrial control systems
• ZigBee and IEEE 802.15.4 physical and MAC layer architecture
• ZigBee and IEEE 802.15.4 security mechanisms; authentication and cryptographic controls
• Weaknesses in ZigBee key provisioning and management mechanisms
• Tools for eavesdropping on and manipulating ZigBee networks
• Exploiting ZigBee Over-the-Air (OTA) key provisioning
• Locating ZigBee devices with signal analysis tools
• Lab: Exploiting ZigBee OTA key provisioning

Enterprise Bluetooth Threats

• Bluetooth technology introduction, assessing the Bluetooth protocol stack
• Bluetooth Classic device analysis, procedure for joining a Bluetooth piconet, physical layer components
• Bluetooth Low Energy (4.0) technology analysis, use cases, deployment models and structure
• Bluetooth profiles and application features, Bluetooth security options, leveraging Bluetooth link authentication and encryption
• Exploiting range in Bluetooth networks, Bluetooth attacks including rogue APs, Bluesnarfing, Blueline; exploiting Bluetooth deficiencies on mobile devices
• Techniques for auditing and identifying Bluetooth devices, techniques for locating Bluetooth transmitters on Windows and Android platforms
• Bluetooth policy and device configuration best practices

Advanced Bluetooth Threats

• Understanding Bluetooth pairing, analyzing the Bluetooth authentication exchange and associated protocols, attacking the Bluetooth pairing process, implementing PIN attacks
• Attacking the Bluetooth E0 encryption algorithm
• Sniffing Bluetooth networks, hacker techniques for building Bluetooth sniffers, interacting with Bluetooth networks using the Ubertooth One
• Exploiting Bluetooth non-discoverable mode, discovering non-discoverable devices
• Exploiting Bluetooth profile vulnerabilities, audio recording attacks, exploiting Bluetooth headsets, Bluetooth device impersonation attacks
• Bluetooth device auditing, Bluetooth protocol fuzzing techniques, device enumeration
• Lab: Identifying, locating, and assessing an unauthorized Bluetooth device

Topics

WLAN IDS Analyst Techniques

• Introduction to IDS concepts, differentiating true positives from false positives, assessing events of interest
• WIDS deployment models including overlay, integrated, and hybrid deployments
• Techniques for identifying attacks including signature analysis, trend analysis and anomaly analysis
• Evaluating attacks through traffic analysis, several examples
• Evaluating WIDS systems, event aggregation, light bulb deployment, secure communication protocols, intrusion protection services, integration with third-party IDS systems
• WIDS deployment considerations including facility coverage, dwell time, logging fidelity, event storage, trend analysis

Evaluating Proprietary Wireless Technology

• WarViewing and exploiting wireless video transmitters, Tool: Mobile WarSpy
• Introduction to next-generation wireless attacks using software defined radio (SDR) and the Universal Software Radio Peripheral (USRP); Tool: USRP and GNURadio
• Exploiting wireless keyboard devices, manufacturer design motivators, pairing process, common keyboard analysis and security flaw disclosure, wireless keystroke logging and insertion
• Hacking your own wireless devices, applying analysis techniques to non-standard hardware, retrieving documentation on devices, analysis of wireless presentation slide advancer
• Using the GoodFET for IC bus analysis, eavesdropping, replay, and manipulation attacks
• Introduction to cellular protocols and GSM networks, demodulating GSM traffic, GSM reference sources and data capture and analysis, risks with GSM use, Wireshark and GSM sniffing, exploiting weaknesses in GSM encryption
• Lab: Data collection and evaluating wireless devices

Deploying a Secure Wireless Infrastructure

• Recommendations for managing an authentication architecture, leveraging the RADIUS protocol for authentication validation, RADIUS data encoding rules, EAP transmitted over RADIUS
• Understanding the impact of a compromised CA, "evil twin" attack
• Recommendations and preferences for selecting an EAP type, understanding the advantages and disadvantages of EAP/TLS, PEAP, PEAPv1, PEAPv2, TTLS, EAP-FAST, PEAP-EAP-TLS.
• Summary and recommendations for selecting an EAP type

Configuring and Securing Wireless Clients

• Managing client certificate trust policies, default Windows root CA trust
• Four techniques for deploying a new root certificate authority: manual, web-server delivery, scripted web-server delivery, automatic trust with GPO
• Managing client configuration settings with Windows, cached authentication credentials with PEAP on Windows WZC, deploying GPO settings for preferred wireless network, specifying the configuration and settings of preferred WZC networks, editing and implementing wireless-specific GPO policies, recommendations for securing PEAP through GPO
• Managing third-part wireless manager tools with the Funk Odyssey supplicant, creating a custom installer with Odyssey manager