Train at Home with Top Cybersecurity Experts - SANS OnDemand

Cyber Defense Initiative® 2013

Washington, DC | Thu, Dec 12 - Thu, Dec 19, 2013

SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses

Thu, December 12 - Tue, December 17, 2013

SEC617 gave me the knowledge and skill sets in areas that I lacked, allowing me to become a better InfoSec professional.

Kirk Wah Yick, US Bank

If you're thinking about wireless, take SEC617. If you're not, take SEC617.

Greg Notch, NHL

Despite the security concerns many of us share regarding wireless technology, it is here to stay. In fact, not only is wireless here to stay, but it is growing in deployment and utilization with wireless LAN technology and WiFi as well as with other applications, including cordless telephones, smart homes, embedded devices, and more. Technologies like ZigBee and Z-Wave offer new methods of connectivity to devices, while other wireless technology, including WiFi, Bluetooth, Bluetooth Low Energy, and DECT continue their massive growth rate, each introducing their own set of security challenges and attacker opportunities.

To be a wireless security expert, you need to have a comprehensive understanding of the technology, the threats, the exploits, and the defense techniques along with hands-on experience in evaluating and attacking wireless technology. Not limiting your skill-set to WiFi, you'll need to evaluate the threat from other standards-based and proprietary wireless technologies as well. This course takes an in-depth look at the security challenges of many different wireless technologies, exposing you to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, you'll navigate your way through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS, and other systems, including developing attack techniques leveraging Windows 7 and Mac OS X. We'll also examine the commonly overlooked threats associated with Bluetooth, ZigBee, DECT, and proprietary wireless systems. As part of the course, you'll receive the SWAT Toolkit, which will be used in hands-on labs to back up the course content and reinforce wireless ethical hacking techniques.

Using assessment and analysis techniques, this course will show you how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

Course Syllabus

Larry Pesce
Thu Dec 12th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Understanding the Wireless Threat

  • Wireless impact on traditional security approaches, signal exposure threats, common misconceptions in wireless security, wireless LAN and MAN signal leakage, information disclosure threats, DoS attacks, rogue AP attacks, wireless protocol deficiencies, anonymity attacks, home user threats, criminal exploitation of wireless networks

Wireless LAN Organizations and Standards

  • Understanding wireless standards bodies, role of the WiFi Alliance for interoperability testing, capabilities and features of WPA and WPA2, IETF standards, understanding the RADIUS and EAP protocols
  • Identifying and understanding the enterprise impact of security-pertinent wireless standards including: 802.11z "Direct Link Setup", 802.11ac "Gigabit over WiFi", 802.11af "WiFi in TV White Space"
  • Obtaining information about standards bodies work and working group resources

Using the SANS Wireless Auditing Toolkit

  • Identifying the components and hardware, understanding the operating characteristics of antennas, using the GPS for location mapping, using an industrial Bluetooth interface

Sniffing Wireless Networks: Tools, Techniques and Implementation

  • Using wireless sniffing as an analysis mechanism, understanding WLAN card operating modes, sniffing in managed mode, sniffing in monitor mode, advantages of RFMON sniffing, RFMON implementations
  • Monitor mode sniffing on Windows, Linux and Mac OS X
  • Analyzing wireless traffic with Tcpdump, Wireshark and Kismet
  • Lab: Sniffing Wireless, using Wireshark, identifying wireless networks with Kismet, mapping wireless networks with gpsmap, Google Maps, Google Earth
  • Lab: Live Network Mapping, using gpsmap to map wireless networks in the area

IEEE 802.11 MAC: In-Depth

  • Common capabilities of the IEEE 802.11 MAC, understanding the architecture and operation of ad-hoc and infrastructure networks, phases of station authentication and association, understanding the operation and behavior of IEEE 802.1X authentication
  • Identifying capabilities and features of EAP types including PEAP, EAP/TLS, TTLS, EAP-FAST
  • Packet framing on wireless networks, understanding the 802.11 header format and fields, significance of FromDS and ToDS fields, 802.11 address field ordering and behavior, 802.11 management frames and data encoding, 802.11 management action frames, decoding frames in hex

Larry Pesce
Fri Dec 13th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Wireless LAN Assessment Techniques

  • Identifying the goals of a WLAN audit, passive AP fingerprinting techniques, information element disclosure on Cisco networks, client post-processing analysis with Kismet XML files, identifying the authentication and encryption options used on the WLAN with Kismet and Wireshark, techniques for mapping the range of indoor and outdoor WLANs, assessing traffic captured in monitor mode for information disclosure, identifying multicast protocols with MAC analysis, evaluating encrypted traffic and proprietary encryption functions
  • Evaluating policy compliance, using DoDD 8100.2 as a baseline policy, HIPAA implications and wireless networks, PCI requirements and wireless networks
  • Lab: Wireless Auditing, evaluating supplied traffic for information disclosure and risks, evaluating and identifying the security of the network

Rogue AP Analysis

  • Defining and understanding rogue networks, how attackers exploit rogue networks, types of rogue networks, examples of malicious rogue AP compromises, ad-hoc rogue networks, behavior and spread of the "Free Public WiFi" ad-hoc network, Windows bridging and the ad-hoc threat, SOHO devices as a node threat, threat of Windows soft APs
  • Techniques for identifying rogue devices: wired-side AP fingerprinting, wired-side MAC prefix analysis, wireless-side warwalking, wireless-side client monitoring, wireless-side IDS, Nmap rogueap scripting analysis
  • Correlating devices and the LANs they attach to, function of WLAN IPS systems and rogue prevention
  • Locating rogue devices through RSSI signal analysis, triangulation
  • Cheating at rogue detection using CDP and MAC address variations
  • Lab: Identifying rogue APs with Nmap, using RSSI characteristics to locate unauthorized transmitters

Wireless Hotspot Networks

  • Proliferation of hotspots, motivators for hotspot deployment, difference with traditional network deployments, hotspot architecture, example case: "attwifi"
  • Risks with hotspot networks including hotspot controller vulnerabilities, service theft, spoofed provider access, direct client attacks
  • Mobile devices and hotspot access, susceptibility for mobile applications and sidejacking attacks
  • Defensive measures for administrators and service providers

Attacking WEP

  • Introduction to WEP technology, WEP key selection, IV transmission, WEP framing
  • Understanding the XOR truth table
  • Introduction to RC4, WEP ICV processing, WEP encryption process, WEP decryption process
  • WEP failures including lack of replay protection, weak message integrity check, no key rotation mechanism, initialization vector is too short, challenge/response reveals PRGA and key is reversible from ciphertext
  • Reliable mechanisms for exploiting and decrypting WEP networks
  • Applying WEP failures to other network protocols
  • Lab: Attacking WEP networks, live

Larry Pesce
Sat Dec 14th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Cisco LEAP Attacks

  • Cisco LEAP operation and use, understanding LEAP goals, identifying Cisco LEAP networks
  • Understanding MS-CHAPv2, LEAP 5-way handshake, storing MS-CHAPv2 hashes, LEAP MS-CHAPv2 exchange and weaknesses, brute-forcing the 3rd MS-CHAPv2 DES key
  • Applying LEAP and MS-CHAPv2 failures to modern wireless environments
  • Lab: Exploiting Cisco LEAP and MS-CHAPv2

Wireless Client Attacks

  • Understanding why attackers target client systems
  • Hotspot injection attacks, manipulating unencrypted network transmissions
  • Publicly Secure Packet Forwarding (PSPF) and wireless network isolation vulnerabilities, defeating PSPF for direct client exploits
  • Attacking the Preferred Network List (PNL) with the WiFi Pineapple
  • Exploiting privacy weaknesses in the Apple iPhone and iPad for location tracking
  • Leveraging Metasploit Framework exploits against wireless client vulnerabilities
  • Lab: Using AirPWN to manipulate client devices

Attacking WPA2-PSK Networks

  • Introduction to hashing mechanisms, understanding HMAC hashes
  • WPA2 key hierarchy architecture and establishment mechanisms
  • Identifying the components of the WPA2 4-way handshake, identifying WPA2-PSK networks
  • Attacking the passphrase selection of WPA/WPA2-PSK networks, using cryptographic accelerators for effective pre-shared key attacks
  • Establishing Amazon EC2 cloud computing systems for private, inexpensive, and high-speed cracking services
  • Exploiting unrecoverable weaknesses in WiFi Protected Setup (WPS)
  • Exploiting Windows, Mac OS X, and Android WPA2 key storage weaknesses
  • Lab: WPA2-PSK Attacks

Assessing Enterprise WPA2

  • Understanding the risks and challenges of legacy authentication sources, how PEAP addresses this weakness using TLS
  • Understanding TLS tunnel establishment exchange and validation, behavior of PEAP Phase 1 and PEAP Phase 2 connections, identity disclosure in PEAP supplicants
  • Differences between WPA2-PSK and WPA-Enterprise authentication, EAPOL-Key distribution and use, PMK generation and delivery from RADIUS, PTK derivation and key rotation mechanisms
  • Attacks against PEAP networks including authentication attacks, man-in-the-middle attacks, EAPOL key-distribution attacks, client-specific attacks
  • Exploiting weaknesses in certificate validation mechanisms in Windows, Apple iOS, and Android platforms
  • Evading EAP/TLS and other secure EAP mechanisms on Apple iOS devices
  • Protecting PEAP networks, WZC recommended supplicant configuration properties, mitigating PEAP username disclosure with third-party supplicants, client firewall devices and wireless security recommendations

Larry Pesce
Sun Dec 15th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Deficiencies in TKIP Networks

  • TKIP improvements over WEP networks including keying, message integrity checks (MIC), IV sequencing
  • QoS deficiencies and the TKIP break, TKIP replay attacks
  • TKIP countermeasure DoS attacks
  • TKIP plaintext recovery attacks
  • Applying TKIP failures to modern cryptographic systems
  • Vendor failures exacerbating TKIP flaws

Leveraging WiFi DoS Attacks

  • Understanding the impact of DoS attacks, differentiating persistent and non-persistent DoS attacks, IEEE 802.11 DoS attack targets including PHY, MAC and client attacks
  • Physical medium attacks with the Wave Bubble, common jammers
  • IEEE 802.11 MAC attacks, authentication and association floods, deauthenticate and disassociation floods, Beacon DS Set DoS
  • Impact of IEEE 802.11w and management frame protection and DoS attacks
  • IEEE 802.11 medium management techniques, hidden node problem, RTS/CTS medium management, medium reservation attacks, RTS/CTS co-opting
  • Client attacks including rogue AP DoS, NULL SSID DoS, 802.1X authentication flood
  • Impact of range in a DoS attack, IEEE 802.11 committee stance on DoS attacks, defensive measures
  • Lab: Leveraging a DoS attack against course participants

Wireless Fuzzing for Bug Discovery

  • Value of protocol fuzzing for fault determination in wireless networks
  • Leveraging free and commercial fuzzing tools including Scapy, the Metasploit Framework, file2air, Codenomicon Test Suite
  • Implementing fuzzing testing operationally, scoping, monitoring, recording and analyzing results
  • When to use fuzzing as a test mechanism
  • Strategies for vulnerability disclosure
  • Lab: Live 802.11 fuzzing

Bridging the Airgap: Remote WiFi Pentesting

  • Leveraging remote client compromises for wireless exploitation
  • Configuring Metasploit Framework Meterpreter exploits
  • Navigating Windows 7/8 NDIS 6 wireless setting storage and management
  • Remote monitor mode packet capture on Windows 7/8 with NetMon
  • Leveraging compromised hosts to create remote rogue AP entry points into an enterprise network with the Metasploit Framework and post-exploitation modules

  • Bridging the Airgap on OS X platforms with the airport command
  • Exploiting the OS X keychain for root privilege escalation

Larry Pesce
Mon Dec 16th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


DECT Attacks

  • DECT as a cordless telephony and data application technology
  • Advantages for consumers, enterprises in the adoption of DECT technology
  • DECT physical and MAC layer fundamentals
  • Evaluating the DECT authentication and encryption mechanisms
  • Eavesdropping and recording audio conversations on DECT cordless phones
  • Looking forward with DECT's replacement technology CAT-iq
  • Lab: Extracting audio from DECT network activity

Exploiting ZigBee

  • Introduction to ZigBee, ZigBee use cases and deployment
  • Attacker interest in ZigBee and industrial control systems
  • ZigBee and IEEE 802.15.4 physical and MAC layer architecture
  • ZigBee and IEEE 802.15.4 security mechanisms; authentication and cryptographic controls
  • Weaknesses in ZigBee key provisioning and management mechanisms
  • Tools for eavesdropping on and manipulating ZigBee networks
  • Exploiting ZigBee Over-the-Air (OTA) key provisioning
  • Locating ZigBee devices with signal analysis tools
  • Lab: Exploiting ZigBee OTA key provisioning

Enterprise Bluetooth Threats

  • Bluetooth technology introduction, assessing the Bluetooth protocol stack
  • Bluetooth Classic device analysis, procedure for joining a Bluetooth piconet, physical layer components
  • Bluetooth Low Energy (4.0) technology analysis, use cases, deployment models and structure
  • Bluetooth profiles and application features, Bluetooth security options, leveraging Bluetooth link authentication and encryption
  • Exploiting range in Bluetooth networks, Bluetooth attacks including rogue APs, Bluesnarfing, Blueline; exploiting Bluetooth deficiencies on mobile devices
  • Techniques for auditing and identifying Bluetooth devices, techniques for locating Bluetooth transmitters on Windows and Android platforms
  • Bluetooth policy and device configuration best practices

Advanced Bluetooth Threats

  • Understanding Bluetooth pairing, analyzing the Bluetooth authentication exchange and associated protocols, attacking the Bluetooth pairing process, implementing PIN attacks
  • Attacking the Bluetooth E0 encryption algorithm
  • Sniffing Bluetooth networks, hacker techniques for building Bluetooth sniffers, interacting with Bluetooth networks using the Ubertooth One
  • Exploiting Bluetooth non-discoverable mode, discovering non-discoverable devices
  • Exploiting Bluetooth profile vulnerabilities, audio recording attacks, exploiting Bluetooth headsets, Bluetooth device impersonation attacks
  • Bluetooth device auditing, Bluetooth protocol fuzzing techniques, device enumeration
  • Lab: Identifying, locating, and assessing an unauthorized Bluetooth device

Larry Pesce
Tue Dec 17th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


WLAN IDS Analyst Techniques

  • Introduction to IDS concepts, differentiating true positives from false positives, assessing events of interest
  • WIDS deployment models including overlay, integrated, and hybrid deployments
  • Techniques for identifying attacks including signature analysis, trend analysis and anomaly analysis
  • Evaluating attacks through traffic analysis, several examples
  • Evaluating WIDS systems, event aggregation, light bulb deployment, secure communication protocols, intrusion protection services, integration with third-party IDS systems
  • WIDS deployment considerations including facility coverage, dwell time, logging fidelity, event storage, trend analysis

Evaluating Proprietary Wireless Technology

  • WarViewing and exploiting wireless video transmitters, Tool: Mobile WarSpy
  • Introduction to next-generation wireless attacks using software defined radio (SDR) and the Universal Software Radio Peripheral (USRP); Tool: USRP and GNURadio
  • Exploiting wireless keyboard devices, manufacturer design motivators, pairing process, common keyboard analysis and security flaw disclosure, wireless keystroke logging and insertion
  • Hacking your own wireless devices, applying analysis techniques to non-standard hardware, retrieving documentation on devices, analysis of wireless presentation slide advancer
  • Using the GoodFET for IC bus analysis, eavesdropping, replay, and manipulation attacks
  • Introduction to cellular protocols and GSM networks, demodulating GSM traffic, GSM reference sources and data capture and analysis, risks with GSM use, Wireshark and GSM sniffing, exploiting weaknesses in GSM encryption
  • Lab: Data collection and evaluating wireless devices

Deploying a Secure Wireless Infrastructure

  • Recommendations for managing an authentication architecture, leveraging the RADIUS protocol for authentication validation, RADIUS data encoding rules, EAP transmitted over RADIUS
  • Understanding the impact of a compromised CA, "evil twin" attack
  • Recommendations and preferences for selecting an EAP type, understanding the advantages and disadvantages of EAP/TLS, PEAP, PEAPv1, PEAPv2, TTLS, EAP-FAST, PEAP-EAP-TLS
  • Summary and recommendations for selecting an EAP type

Configuring and Securing Wireless Clients

  • Managing client certificate trust policies, default Windows root CA trust
  • Four techniques for deploying a new root certificate authority: manual, web-server delivery, scripted web-server delivery, automatic trust with GPO
  • Managing client configuration settings with Windows, cached authentication credentials with PEAP on Windows WZC, deploying GPO settings for preferred wireless network, specifying the configuration and settings of preferred WZC networks, editing and implementing wireless-specific GPO policies, recommendations for securing PEAP through GPO
  • Managing third-party wireless manager tools with the Funk Odyssey supplicant, creating a custom installer with Odyssey manager

Additional Information

Throughout the course, you will participate in numerous hands-on exercises using a Linux system based on Backtrack 5 that is provided at the beginning of class. You will need a laptop to run the Linux environment for lab exercises, using Windows or Mac OS X as the host environment.

You will use VMware to run the Linux environment used for lab exercises. You can download VMware Player for free from, or you may use VMware Workstation or VMware Fusion.

Mandatory Laptop Hardware Requirements:

  • CPU: x86-compatible 1.5 GHz or higher is recommended
  • DVD Drive (not a CD drive)
  • 2 GB of RAM minimum
  • Two free USB 2.0 interfaces
  • 10 GB free disk space
  • Windows XP or later, native or guest

Paranoia is Good

During the lab exercises, you will be connecting to a hostile wireless network! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if it is attacked.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Ethical hackers and penetration testers
  • Network security staff
  • Network and system administrators
  • Incident response teams
  • Information security policy decision makers
  • Technical auditors
  • Information security consultants
  • Wireless system engineers
  • Embedded wireless system developers

  • Powerful 500 mW ALFA 802.11a/b/g/n wireless card
  • USB Global Positioning System (GPS) adapter
  • High-power Bluetooth interface with external antenna connector
  • All software and tools used in lab exercises based on Backtrack 5

  • Identify and locate malicious rogue access points using free and low-cost tools
  • Conduct a penetration test against low-power wireless including ZigBee to identify control system and related wireless vulnerabilities
  • Identify vulnerabilities and bypass authentication mechanisms in Bluetooth networks using Ubertooth, CarWhisperer, and btaptap to collect sensitive information from headsets, wireless keyboards and Bluetooth LAN devices
  • Utilize wireless capture tools to extract audio conversations and network traffic from DECT wireless phones to identify information disclosure threats exposing the organization
  • Implement an enterprise WPA2 penetration test to exploit vulnerable wireless client systems for credential harvesting
  • Utilize wireless fuzzing tools including Metasploit, file2air, and Scapy to identify new vulnerabilities in wireless devices

Author Statement

It's been amazing to watch the progression of wireless technology over the past several years. WiFi has grown in maturity and offers strong authentication and encryption options to protect networks, and many organizations have migrated to this technology. At the same time, attackers are becoming more sophisticated, and we've seen significant system breaches netting millions of payment cards that start with a wireless exploit. This pattern has me very concerned, as many organizations, even after deploying WPA2 and related technology, remain vulnerable to a number of attacks that expose their systems and internal networks.

With the tremendous success of WiFi, other wireless protocols have also emerged to satisfy the needs of longer-distance wireless systems (WiMAX), lightweight embedded device connectivity (ZigBee and IEEE 802.15.4), and specialty interference-resilient connectivity (Bluetooth and DECT). Today, it's not enough to be a WiFi expert; you also need to be able to evaluate the threat of other standards-based and proprietary wireless technologies as well.

In putting this class together, I wanted to help organizations recognize the multi-faceted wireless threat landscape and evaluate their exposure through ethical hacking techniques. Moreover, I wanted my students to learn critical security analysis skills so that, while we focus on evaluating wireless systems, the vulnerabilities and attacks we leverage to exploit these systems can be applied to future technologies as well. In this manner, the skills you build in this class remain valuable for today's wireless technology, tomorrow's technology advancements, and for other complex systems you have to evaluate in the future as well.

- Joshua Wright