SEC617: Wireless Penetration Testing and Ethical Hacking™

Overview

The first section of the course quickly looks at wireless threats and attack surfaces and analyzes where you will likely see non-Wi-Fi systems deployed in modern networks. We start off with a look at fundamental analysis techniques for evaluating Wi-Fi networks, including the identification and analysis of rogue devices, and finish with a dive into remote penetration testing techniques using compromised Windows 10 and macOS devices to pivot.

Topics

Characterize the Wireless Threat

• Recognizing protocol weaknesses and cryptographic failures across wireless technologies
• Why popular smart phones increase our exposure to attack
• Anatomy of a wireless attack: How real-world attackers exploit wireless systems
• Introduction to the SWAT kit

Sniffing Wi-Fi

• Leveraging built-in functionality in every Wi-Fi card for penetration testing
• Wireless packet capture on Linux, Windows, and macOS
• Overcoming physical-layer challenges in IEEE 802.11n, IEEE 802.11ac packet sniffers
• Detecting cheaters: Radio regulatory domain bypass hacks
• Packet capture, filter, and analysis with tcpdump, Wireshark, and Kismet
• Tools and techniques for understanding your radio frequency exposure with topographic range maps

Rogue Access Point (AP) Analysis

• Characterizing the threat and attacker motives for rogue APs
• Wired-side analysis for rogue APs using open-source tools
• Filtering out Wi-Fi noise to focus on and characterize rogue device threats
• Correlating Wi-Fi devices with your network infrastructure
• Effective unauthorized transmitter location analysis techniques

Overview

After developing skills needed to capture and evaluate Wi-Fi activity, we start our look at exploiting Wi-Fi, targeting AP and client devices. We cover techniques that apply to any Wi-Fi products, from consumer to enterprise-class devices, focusing on understanding protocol-level deficiencies that will continue to be applied throughout the course on non-Wi-Fi wireless systems as well.

Topics

Exploiting Wi-Fi Hotspots

• Bypassing authentication on hotspot networks
• Exploiting mobile application data disclosure on open networks
• Luring Wi-Fi client victims with Wi-Fi hotspot impersonation
• Leveraging sidejacking attacks against hotspot networks

Wi-Fi Client Attacks

• Leveraging Wi-Fi timing attacks for traffic manipulation
• Bypassing client isolation security on Wi-Fi networks
• Wi-Fi client privacy and isolation attacks through preferred network list disclosure
• Leveraging commercial tools such as the Wi-Fi Pineapple for AP impersonation
• Integrating Metasploit Meterpreter payloads in Wi-Fi network injection attacks

Exploiting WEP

• A brief look at WEP technology and exploitation
• Applying the cryptography in WEP to non-Wi-Fi protocols

Denial of Service (DoS) Attacks

• Identifying types of DoS attacks and attack targets
• Leveraging RF jammers in a pen test
• Selective client DoS targeting to manipulate network roaming events
• Single-client to entire-network Wi-Fi DoS techniques

Wi-Fi Fuzzing for Bug Discovery

• Introduction to fuzzing techniques
• Identifying complex parsing issues in Wi-Fi protocols
• Using Scapy to build malformed packets
• Identifying bugs in APs and client devices through fuzzing
• Applying fuzzing as part of an overall Wi-Fi security analysis

Overview

We finish our look at Wi-Fi attack techniques with a detailed look at assessing and exploiting WPA2 networks. Starting with WPA2 consumer networks, we investigate the flaws associated with pre-shared key networks and Wi-Fi Protected Setup (WPS) deployments, continuing with a look at exploiting WPA2 Enterprise networks using various Extensible Authentication Protocol (EAP) methods. We round out the section with a detailed look at WPA3 and its several authentication and security modes (OWE, PSK, DPP), examining attacks for each one.

We continue to investigate the security of wireless networks on day 3, switching to non-Wi-Fi analysis with a look at exploiting security of Zigbee and IEEE 802.15.4 networks, looking at cryptographic flaws, key management failures, and an introduction to hardware attacks.

Topics

Attacking WPA2 Pre-Shared Key Networks

• In-depth analysis of key derivation functions in WPA2
• Capturing and evaluating WPA2-PSK client network authentication exchanges
• Attacking the passphrase selection of WPA2-PSK

Attacking WPA2 Enterprise Networks

• Differentiating PSK-based WPA2 and WPA2 Enterprise networks
• Leveraging identity disclosure in WPA2 Enterprise networks
• Exploiting Windows 10 Native Wi-Fi and PEAP networks
• Exploiting iOS and Android Enterprise Wi-Fi network roaming behavior
• Using Hostapd-WPE for Enterprise network impersonation
• Password recovery through MS-CHAPv2 cracking

Attacking WPA3 Networks

• Introduction to WPA3 enhanced features
• Analysis of WPA3 authentication and encryption methods
• Deciphering WPA3 beacon frames
• Exploiting client systems with Evil Twin attacks for WPA3
• Attacking the passphrase selection of WPA3-PSK

Attacking Zigbee Deployments

• In-depth analysis of Zigbee and IEEE 802.15.4 physical and MAC layer architecture
• Zigbee and IEEE 802.15.4 authentication and cryptographic controls
• Weaknesses in Zigbee key provisioning and management mechanisms
• Tools for eavesdropping on and manipulating Zigbee networks
• Exploiting Zigbee Over-the-Air key provisioning
• Locating Zigbee devices with signal analysis tools
• Lab: WPA2-PSK Attacks

Overview

Bluetooth technology is nearly as pervasive as Wi-Fi, with widespread adoption in smart phones, fitness trackers, wireless keyboard, smart watches, and more. In this module, we dig into the Bluetooth Classic, Enhanced Data Rate, and Low Energy protocols, including tools and techniques to evaluate target devices for vulnerabilities.

Immediately following our look at Bluetooth technology, we jump into the practical application of Software Defined Radio (SDR) technology to identify, decode, and assess proprietary wireless systems. We investigate the hardware and software available for SDR systems, and look at the tools and techniques to start exploring this exciting area of wireless security assessment.

Topics

Bluetooth Introduction and Attack Techniques

• Understanding the physical layer evolution of Bluetooth and packet capture techniques
• Bluetooth pairing techniques and vulnerabilities
• Attacking Bluetooth pairing for PIN and key recovery
• Techniques for identifying non-discoverable Bluetooth devices

Bluetooth Low Energy Introduction and Attack Techniques

• Recognizing BLE Frequency-Hopping RF patterns
• Security analysis of BLE pairing options -- just works, OOP, passkey, and numeric comparison
• Analysis of expensive and inexpensive BLE packet capture tools for Windows, Linux, and Android devices
• Scanning BLE device services with bluetoothctl, Android apps, and related tools

Practical exploitation of BLE services

• Practical Application of Software-Defined Radio (SDR)
• Guide to using SDR in a penetration test
• RF spectrum visualization and signal hunting with SDR# and GQRX
• Decoding ADS-B aircraft beacon traffic
• Eavesdropping on POCSAG and FLEX pager messaging
• GSM cell tower scanning and evaluation with SDR
• Leveraging capture and replay attacks to exploit vehicle keyless entry systems

Overview

On day 5, we evaluate RFID technology in its multiple forms to identify the risks associated with privacy loss and tracking, while also building an understanding of both low-frequency and high-frequency RFID systems and NFC. We examine the security associated with contactless Point of Sale (PoS) terminals, including Apple Pay and Google Wallet, and proximity lock access systems from HID and other vendors. We also examine generalized techniques for attacking smart card systems, including critical data analysis skills needed to bypass the intended security of smart card systems used for mass transit systems, concert venues, bike rentals, and more.

Topics

RFID Overview

• Understanding the components, transmission frequencies, and protocols in RFID systems
• Differentiating active and passive RFID systems
• Understanding NFC systems components and protocols
• Practical range extensions in RFID attacks

RFID Tracking and Privacy Attacks

• Practical location disclosure attacks in RFID systems
• Case study: E-Z Pass location disclosure threats
• Manipulating Apple iBeacon location tracking systems
• RFID tracking through Ultra-High Frequency (UHF) tags

Low-Frequency RFID Attacks

• Case study: cloning RFID tags used for bike rental systems
• Leveraging RFIDiot for low-frequency RFID attacks
• Attacking HID ProxCard proximity lock systems
• Leveraging the ProxMark RDV2 for low-frequency RFID attacks
• Brute-forcing HID identifiers for unauthorized access
• Extending range in HID cloning attacks
• Manual low-frequency tag analysis and bitstream decoding

Exploiting Contactless RFID Smart Cards

• Conducting smart card reconnaissance analysis with Linux and Android
• Attacking Europay-Mastercard-Visa (EMV) PoS systems
• Exploiting MIFARE Classic smart card systems
• Effective smart card cloning with UID impersonation
• Attacking MIFARE Ultralight, Ultralight-C, and DESFire smart card systems
• Emulating smart cards with the ProxMark RDV2

Attacking NFC

• Decoding the NFC Data Exchange Format (NDEF) protocol
• Reading and writing NFC/NDEF tags
• Analysis of Android Beam, Google Wallet, and Apple Pay NFC systems
• Exploiting NFC smart toys
• Attacking Android devices with malicious NFC tags

Overview

On the last day of class we will pull together all the concepts and technology we have covered during the week in a comprehensive Capture the Flag event. In this hands-on exercise, you will have the option to participate in multiple roles: identifying unauthorized/rogue Wi-Fi access points, attacking live and recorded Wi-Fi networks, decoding proprietary wireless signals, exploiting smart card deficiencies, and more.

During this wireless security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.