[Editor's Note: We're continuing our series on useful tips and tricks for different kinds of pen testing, based on the SANS Pen Test Poster. In this installment, Mr. Larry "Hax0r the Matrix" Pesce covers some great tips, ideas, and resources for wireless penetration tests. Great stuff!
Earlier in this series, we covered:
- John Strand's tips on network penetration testing
- Steve Sims' tips on exploit development
- Josh Wright's tips on mobile device penetration testing
- Recon - Channel hopping with Kismet is your best friend while performing recon. It is passive (silent) and will cycle through all of the available wireless channels supported by the wireless driver. Be mindful that while the wireless card is channel hopping, it misses all of the activity on the channels where it is not tuned.
- Scanning - Channel hopping is great for discovery, as it will eventually tell us about every wireless network in the environment but sometimes we need to just focus on one channel to gain more information about the network. Locking your wireless card to a specific channel can be helpful in uncloaking a hidden network, capturing WPA-PSK 4-way handshake or more packets for further exploitation (such as WEP). Having TWO (or more) wireless cards allow one to channel hop and perform discovery, while the locked cards can gather more information for additional attacks in a more directed manner.
- Exploitation - Exploitation comes in many forms in wireless networks; weak enterprise encryption, mis-configured authentication configuration, direct client attacks through ad-hoc connections. The best place for exploitation occurs at the weakest link; often the places where corporate assets go when outside of the enterprise environment: a local coffee shop, hotel, or even employee homes where open wireless networks may be de rigueur. These are great places to attack clients directly and observe plaintext traffic that can be leveraged for additional attacks against the enterprise.
- Post-Exploitation - While exploitation often relies on leveraging a wireless vulnerability or mis-configuration, one can leverage compromised systems to gain information about additional wireless networks, and perhaps even participate in those already in the system's preferred network list; use what you've gained access to in order to push further!
- Misc (Reporting) - How do you get all of that information from the test into a format that makes sense as part of a vulnerability report? This will take some massaging, but output from tools (such as Kismet capture files and XML output) can often be leveraged within other standard tools to help illustrate risk. One example would be to utilize Kismet's XML output to generate graphs based on observed wireless network configurations. One could also leverage other tools in new ways, such as leveraging the GISKismet database to query discovered network configurations. (http://www.haxorthematrix.com/2012/ 12/how-i-use-giskismet-for-more-than- mapping.html) GISKismet, Joshua D. Abraham — http://giskismet.org
- Kismet - The best passive wireless discovery and analysis tool that will find all of the Wifi networks supported by the selected adapter (even cloaked/hidden networks). It is extensible through a plug-in architecture to support attacks, and additional wireless discovery, such as Bluetooth, Zigbee, DECT and others. Linux and OSX only. By Kismet, Mike Kershaw http://www.kismetwireless.net
- Wireshark - A packet capture and analysis tool that is continually updated to improve protocol dissectors to translate the raw captures to human-readable format. Supports 802.11, 802.15.4, DECT and many other common wireless protocols. Supported on Linux, Windows and OSX. By Wireshark, Riverbed Technology, & Gerald Combs http://www.wireshark.org
- Aircrack-ng suite - A "swiss-army" collection of tools from WEP and WPA cracking, packet capture decrypting, packet capture relationship analysis, and tunnel building tools supported under Linux, Windows and OSX. By Aircrack-ng, Thomas d'Otreppe http://www.aircrack-ng.org
- Netmon - If you absolutely must capture in monitor mode under Windows, this is your huckleberry. In fact, it is the only huckleberry in town under Vista/7/8. By Netmon, Microsoft Corporation http://www.microsoft.com/en-us/download/details.aspx?id=4865
- Kali Linux - Need some other wireless or other penetration testing tool? Chances are that the developers of Kali Linux (the successor to Backtrack 5) have gone through the trouble of making it work for you in this preconfigured penetration testing LiveCD/VM. By Kali Linux, Offensive Security http://www.kali.org/downloads
- Scapy - Want to take your wireless testing to the next level by fuzzing all manner of protocols? Use Scapy with python to craft your own packets from scratch. Linux only. By Scapy, Philippe Biond http://www.secdev.org/projects/scapy
- Wireless Adapter* - ALFA AWUS051NH a/b/g/n card. This isby far the best wireless card on the market, featuring excellent receive sensitivity and high output power. That is, if you can find them as they have been discontinued by the manufacturer. A solid replacement is the ALFA AWUS036NHA, but it does not include 802.11a AWUS051NH: http://store.rokland.com/products/alfa-awus051nh-802-11n- dual-band-300-mbps-wireless-n-usb-adapter AWUS051NH: http:// hakshop.myshopify.com/products/alfa-usb-wifi-awus036nha ALFA wireless adapters, ALFA, http://www.alfa.com.tw
- Bluetooth* - Parani SENA UD-100 USB Adapter. One of the few Class 1 devices available on the market WITH a removable antenna. We used to be relegated to modifying adapters to receive removable antennas with less than professional-looking results. http://www. sena.com/products/industrial_bluetooth/ud100.php Parani SENA UD-100, SENA, http://www.sena.com
- Ubertooth One* (nice to have) - For advanced Bluetooth enumeration the Ubertooth One is the most cost-effective device for doing so. The Ubertooth One is under active development to add more features, including channel hopping. http://hakshop.myshopify. com/collections/gadgets/products/ubertooth-one Ubertooth One, Michael Ossmann, Dominic Spill http://ubertooth.sourceforge.net
- WiFi Pineapple* - A pint-size device for abusing wireless clients and their preferred network list. It is extensible, highly configurable and community supported, one could use this device for a standard rogue AP, Enterprise attacks, remote testing for security methods (WEP, WPA, etc), and other wireless protocols via USB expansion. http://hakshop.myshopify.com/products/wifi-pineapple WiFi Pineapple, Robin Wood, Darren Kitchen, Sebastian Kinne, Rob Fuller —http://wifipineapple.com
- GPS* - No Wireless kit would be complete without a GPS receiver to mark the location of the devices you've found. Just about any USB Puck will work, but the TripNav BU-353 is a solid choice. http://www.amazon. com/GlobalSat-BU-353-USB-Navigation-Receiver/dp/B000PKX2KA TripNav BU-353, GlobalSat — http://www.globalsat.com.tw
- GPU* (nice to have) - If you want to accelerate your brute force attacks against passwords, pre-shared keys and various hashes, having inexpensive math acceleration at your fingertips is bar none. There are too many options to list here, but the Bitcoin Community has done a great job in analyzing the best cards with the bang for your buck in mind. A great analysis can be found here: https://en.bitcoin.it/wiki/Mining_hardware_comparison
- Antennas* (nice to have) - With this one there are too many options to list. Just be sure to match the beam width (directionality), connector, and frequency ranges (2.4Ghz vs 5Ghz or both) to your intended application. Here's one reputable distributor that the authors have had great success: http://www.fab-corp.com/home.php?cat=276
- ZigBee* (nice to have) - Atmel RZUSB - Modified with the KillerBee firmware, this is a solid, cost-effective device to get started in exploring wireless devices attached to the kinetic world. http://www.digikey.com/ product-search/en?x=0&y=0&lang=en&site=us&KeyWords=rzusb Atmel RZUSB, Atmel, http://www.atmel.com
- SDR (nice to have) - USRP N200, RTL-SDR compatible device or RFCat - These devices are for the serious Wireless security enthusiast - the Software Defined Radio (SDR) where you get to tell the radio what to do with a steep learning curve and possible large expense. The RTL-SDR devices are a great way to start with monitor only. USRP: Ettus Research, https://www.ettus.com/product/details/UN200-KIT RFcat, Atlas of d00m, http://www.ti.com/tool/cc1111emk868-915 RTL-SDR, Antti Palosaari, Steve Markgraf, Dimitri Stolnikov, Kyle Keen, Hoernchen, Christian Vogel, Harald Welte — http://www.rtlsdr.org
*These tools are available on a commercial (cost) basis.
Great Resources for Staying Current
- SANS Pentest Blog - http://pen-testing.sans.org/blog
- PaulDotCom Security Weekly - www.pauldotcom.com
- Security Bloggers Network - www.securitybloggersnetwork.com
- Security Twits - www.infosecramblings.com/securitytwits
- Twitter - @joswr1ght | @KismetWireless | @travisgoodspeed | @haxorthematrix @michaelossman
Associated SANS Courses
- SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses www.sans.org/sec617