
Sydney 2012

Sydney, Australia | Mon, Nov 12 - Tue, Nov 20, 2012

SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses

Mon, November 12 - Sat, November 17, 2012

The detailed cryptographic explanations in SEC617 made it easier to understand how various encryption algorithms work--which for me is a first!

Jonathan Wilhoit, Fluor

SEC617 is great for someone looking for a top-to-bottom rundown of wireless attacks.

Garret Picchioni, Salesforce

Despite the security concerns many of us share regarding wireless technology, it is here to stay. In fact, not only is wireless here to stay, but it is growing in deployment and utilization with wireless LAN technology and WiFi as well as with other applications, including cordless telephones, smart homes, embedded devices, and more. Technologies like ZigBee and WiMAX offer new methods of connectivity to devices, while other wireless technologies, including WiFi, Bluetooth and DECT, continue their massive growth rates, each introducing its own set of security challenges and attacker opportunities.

To be a wireless security expert, you need to have a comprehensive understanding of the technology, the threats, the exploits, and the defense techniques along with hands-on experience in evaluating and attacking wireless technology. Not limiting your skill-set to WiFi, you'll need to evaluate the threat from other standards-based and proprietary wireless technologies as well. This course takes an in-depth look at the security challenges of many different wireless technologies, exposing you to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, you'll navigate your way through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS, and other systems, including developing attack techniques leveraging Windows 7 and Mac OS X. We'll also examine the commonly overlooked threats associated with Bluetooth, ZigBee, DECT, and proprietary wireless systems. As part of the course, you'll receive the SWAT Toolkit, which will be used in hands-on labs to back up the course content and reinforce wireless ethical hacking techniques.

Using assessment and analysis techniques, this course will show you how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

Course Syllabus

Lawrence Pesce
Mon Nov 12th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Understanding the Wireless Threat

  • Wireless impact on traditional security approaches, signal exposure threats, common misconceptions in wireless security, wireless LAN and MAN signal leakage, information disclosure threats, DoS attacks, rogue AP attacks, wireless protocol deficiencies, anonymity attacks, home user threats

Radio Frequency Essentials

  • Understanding RF, RF behavior, Gain, Loss, Reflection, Refraction, Diffraction, Scattering, RF math, antenna gain, intentional radiator, equivalent isotropically radiated power, antenna types and functions, antenna polarization, antenna beamwidth

Physical Layer Transmission Technology

  • Understanding the operation and utilization of Frequency Hopping Spread Spectrum, Direct Sequence Spread Spectrum, Orthogonal Frequency Division Multiplexing, Multiple Input Multiple Output networks
  • Allocated frequencies and operating characteristics for IEEE 802.11a, 802.11b, 802.11g and 802.11n networks

Wireless LAN Organizations and Standards

  • Understanding wireless standards bodies, role of the WiFi Alliance for interoperability testing, capabilities and features of WPA and WPA2, IETF standards, understanding the RADIUS and EAP protocols
  • Identifying and understanding the security-pertinent wireless standards including: 802.11e, 802.11i, 802.11k, 802.11m, 802.11n, 802.11r, 802.11s, 802.11v, 802.11w, 802.11y
  • Obtaining information about standards bodies work and working group resources

Using the SANS Wireless Auditing Toolkit

  • Identifying the components and hardware, understanding the operating characteristics of antennas, using the GPS for location mapping

Sniffing Wireless Networks: Tools, Techniques and Implementation

  • Using wireless sniffing as an auditing mechanism, understanding WLAN card operating modes, sniffing in managed mode, sniffing in monitor mode, advantages of RFMON sniffing, RFMON implementations, Tool: Windows AirPcap, setting Linux RFMON mode, Tool: Libpcap, Tool: Tcpdump, Tool: Wireshark, Leveraging Wireshark display filters, Wireshark protocol dissectors, Tool: Kismet, configuring Kismet, Kismet dependencies, Tool: gpsmap, generating satellite WLAN mapping images, Tool: Google Earth mapping

Lab: Sniffing Wireless, using Wireshark, identifying wireless networks with Kismet, mapping wireless networks with gpsmap, Google Maps, Google Earth

Lab: Live Network Mapping, using gpsmap to map wireless networks in the area.

Lawrence Pesce
Tue Nov 13th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


IEEE 802.11 MAC Layer

  • Common capabilities of the IEEE 802.11 MAC, understanding the architecture and operation of ad-hoc and infrastructure networks, phases of station authentication and association, understanding the operation and behavior of IEEE 802.1X authentication
  • Identifying capabilities and features of EAP types including PEAP, EAP/TLS, TTLS, EAP-FAST, LEAP
  • Packet framing on wireless networks, understanding the 802.11 header format and fields, significance of FromDS and ToDS fields, 802.11 address field ordering and behavior, 802.11 management frames and data encoding, 802.11 management action frames, decoding frames in hex

WLAN Auditing Methodologies

  • Identifying the goals of a WLAN audit, passive AP fingerprinting techniques, information element disclosure on Cisco networks, client post-processing analysis with Kismet XML files, identifying the authentication and encryption options used on the WLAN with Kismet and Wireshark, techniques for mapping the range of indoor and outdoor WLANs, assessing traffic captured in monitor mode for information disclosure, identifying multicast protocols with MAC analysis, evaluating encrypted traffic and proprietary encryption functions
  • Evaluating policy compliance, using DoDD 8100.2 as a baseline policy, HIPAA implications and wireless networks, PCI requirements and wireless networks
  • Lab: Wireless Auditing, evaluating supplied traffic for information disclosure and risks, evaluating and identifying the security of the network

Rogue Network Threats

  • Defining and understanding rogue networks, how attackers exploit rogue networks, types of rogue networks, examples of malicious rogue AP compromises, network port knocking, Tool: WKnock, Ad-hoc rogue networks, behavior and spread of the "Free Public WiFi" ad-hoc network, Windows XP bridging and the Ad-hoc threat, SOHO devices as a node threat, threat of Soft APs, Windows Vista implications and Soft AP
  • Techniques for identifying rogue devices: wired-side AP fingerprinting, wired-side MAC prefix analysis, wireless-side warwalking, wireless-side client monitoring, wireless-side IDS
  • Tool: Nessus
  • Correlating devices and the LANs they attach to, function of WLAN IPS systems and rogue prevention
  • Locating rogue devices through RSSI signal analysis, triangulation
  • Tools: kis-snr, rapfinder
  • Cheating at rogue detection using CDP and MAC address variations
  • Lab: Identifying rogue APs with Nessus, using RSSI characteristics to locate devices

Wireless Hotspot Networks

  • Proliferation of hotspots, motivators for hotspot deployment, differences from traditional network deployments, hotspot architecture, example case: T-Mobile
  • Risks with hotspot networks including hotspot controller vulnerabilities, service theft, passive and active session hijacking, spoofed provider access, direct client attacks
  • Tools: ICMPTX, tmscam, Pickupline, Ettercap, Airsnarf
  • Defensive measures for consumers, administrators, and service providers

Lawrence Pesce
Wed Nov 14th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Assessing WEP Networks

  • Introduction to WEP technology, WEP key selection, IV transmission, WEP framing
  • Understanding XOR truth table
  • Introduction to RC4, WEP ICV processing, WEP encryption process, WEP decryption process
  • WEP failures including lack of replay protection, weak message integrity check, no key rotation mechanism, initialization vector is too short, challenge/response reveals PRGA and key is reversible from ciphertext
  • Tools: HashCalc, nwepgen, wep_crack, wepattack, Aircrack-ng, packetforge-ng, aireplay-ng, wesside-ng, easside-ng, ivcoltest
  • Understanding the operation and functions of dynamic WEP (DWEP), relationship between WEP, IEEE 802.1X and the EAP type
  • Identifying key update intervals with DWEP, DWEP weaknesses including implementation failures, traffic replay attacks, inverse inductive attacks, PRGA determination attacks
  • Identifying WEP networks, auditing WEP networks
  • Decrypting WEP traffic with Wireshark, airdecap-ng
  • Recommendations for Securing WEP
  • Lab: Attacking WEP networks, live

Auditing Cisco LEAP Networks

  • Cisco LEAP operation and use, understanding LEAP goals including mutual authentication and man-in-the-middle mitigation, centralized key management, passive key attack mitigation, centralized policy control, simple - no digital certificates
  • Identifying Cisco LEAP networks
  • Understanding MS-CHAPv2, LEAP 5-way handshake, storing MS-CHAPv2 hashes, LEAP MS-CHAPv2 exchange and weaknesses, brute-forcing the 3rd MS-CHAPv2 DES key
  • Tool: Asleap, genkeys
  • Asleap requirement, using Asleap on Windows, auditing LEAP networks, suggestions for improving the security of LEAP

Wireless Client Exposures and Vulnerabilities

  • Understanding why attackers target client systems
  • Hotspot injection attacks, manipulating unencrypted network transmissions, Tool: AirPWN, exploiting Internet Explorer with AirPWN
  • Public Secure Packet Forwarding (PSPF), understanding PSPF filtering, defeating PSPF, Tool: Wifitap
  • Attacking the Preferred Network List (PNL), Tool: Hotspotter for network redirection, Tool: KARMA for client attacks, weaknesses in the Windows XP PNL
  • IEEE 802.11 protocol fuzzing, understanding the format of the SSID information element as an example and how an attacker would exploit it, impact of driver bugs, Tool: fragtestsuite, Tool: Metasploit, Tool: file2air, Tool: Scapy
  • Client fingerprinting techniques, Tool: jc-duration-printer
  • Techniques for protecting client systems
  • Lab: Using AirPWN to manipulate client devices

Auditing Wireless MAN Environments

  • Risks to outdoor networks, types of WMAN networks, operating characteristics of outdoor networks, outdoor signal propagation, capturing traffic from outdoor networks
  • Standards-based WMAN: Cisco 1400 series AP, identifying available security mechanisms, identifying WDS networks, auditing WDS networks
  • Lucent Outdoor Router networks, understanding the KarlNet architecture, identifying KarlNet networks, auditing KarlNet networks
  • Proxim QuickBridge networks, analysis of the Wireless Outdoor Router Protocol, capturing and analyzing traffic, Tool: qbextract
  • Proprietary Western Multiplex Tsunami networks, configuration of devices, leveraging the Proxim Service Unit Test Mode for sniffing
  • Overview of WiMAX technology, applications slated for WiMAX networks, WiMAX physical layer details, authentication and security negotiation in WiMAX, privacy features in WiMAX, weaknesses in WiMAX networks

Lawrence Pesce
Thu Nov 15th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Assessing WPA-PSK Networks

  • Introduction to hashing mechanisms, understanding HMAC hashes
  • Introduction to WPA technology, TKIP security mechanisms and improvements over WEP including replacement MIC, IV sequence enforcement, rekeying and key mixing
  • Understanding TKIP Michael hash weaknesses and countermeasures, Tool: WPA Hand Grenade
  • TKIP key utilization and hierarchy including PSK, PMK and PTK
  • Formula for deriving the PMK from the PSK, formula for deriving the PTK from the PMK, understanding the PTK key mapping
  • Identifying the components of the WPA/WPA2 4-way handshake, identifying WPA/WPA2-PSK networks
  • Attacking the passphrase selection of WPA/WPA2-PSK networks, Tool: Cowpatty, using cryptographic accelerators with coWPAtty, social engineering the passphrase, securing WPA/WPA2-PSK

Assessing PEAP and WPA/WPA2

  • Understanding the risks and challenge of legacy authentication sources, how PEAP addresses this weakness using TLS
  • Understanding TLS tunnel establishment exchange and validation, behavior of PEAP Phase 1 and PEAP Phase 2 connections, identity disclosure in PEAP supplicants
  • Differences between WPA2-PSK and WPA-Enterprise authentication, EAPOL-Key distribution and use, PMK generation and delivery from RADIUS, PTK derivation and key rotation mechanisms
  • Attacks against PEAP networks including authentication attacks, man-in-the-middle attacks, EAPOL key-distribution attacks, client-specific attacks
  • Protecting PEAP networks, WZC recommended supplicant configuration properties, mitigating PEAP username disclosure with third-party supplicants, client firewall devices and wireless security recommendations
  • Securing the authentication server by disabling unused EAP types, selecting a strong RADIUS shared secret, overall wireless defense strategies

Denial of Service Attacks on Wireless Networks

  • Understanding the impact of DoS attacks, differentiating persistent and non-persistent DoS attacks, IEEE 802.11 DoS attack targets including PHY, MAC and client attacks
  • Physical medium attacks, Tools: YDI Signal Generator, Intersil Prism2 Test Utility, HostAP DSSSTEST
  • IEEE 802.11 MAC attacks, authentication and association floods, deauthentication and disassociation floods, Beacon DS Set DoS, Invalid Authentication flood, power-management attacks
  • Tools: void11, hunter_killer, AirJack suite, file2air, fata-jack
  • Impact of IEEE 802.11w and management frame protection and DoS attacks
  • 802.11 medium management techniques, hidden node problem, RTS/CTS medium management, medium reservation attacks, RTS/CTS co-opting
  • Client attacks including rogue AP DoS, NULL SSID DoS, 802.1X authentication flood
  • Tool: hunter_killer_imp
  • Impact of range in a DoS attack, IEEE 802.11 committee stance on DoS attacks, defensive measures
  • Lab: DoS'ing other classroom participants

Auditing VPN/Segmented Networks

  • Identifying a typical segmented deployment, features of layer 3 encryption mechanisms, understanding the ISAKMP main mode and aggressive mode operating features, understanding the AH and ESP protocols, NAT interoperability and IPSec
  • Weaknesses in VPN/Segmented Networks including the lack of data-link layer authentication, lack of data-link layer encryption, exposure of critical services and common implementation weaknesses
  • Tool: SuperScan, Tool: Cain & Abel, Tool: Cisco VPN Decryptor, Tool: nstx, Tool: ozy2
  • Identifying IPSec/Segmented WLAN through passive traffic analysis, active network identification through DNS, scanning VPN servers, Tool: ike-scan
  • Auditing VPN/Segmented networks for implementation weaknesses, suggestions for improving VPN/Segmented networks

Lawrence Pesce
Fri Nov 16th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


802.11 Fuzzing Techniques

  • Value of protocol fuzzing for fault determination, Tool: Sulley fuzzer
  • Adapting fuzzing to 802.11 specifications, successful vulnerability discovery through fuzzing in the Apple Airport
  • Methods and tools for wireless fuzzing, Tools: Fuzz-e, Metasploit, Codenomicon 802.11 Test Suite, file2air, Scapy
  • Implementing fuzzing testing operationally, scoping, monitoring, recording and analyzing results
  • When to use fuzzing as a test mechanism
  • Strategies for vulnerability disclosure
  • Lab: Live 802.11 fuzzing

"Other" Wireless Attacks

  • WarViewing and exploiting wireless video transmitters, Tool: Mobile WarSpy
  • Introduction to next-generation wireless attacks using software defined radio (SDR) and the Universal Software Radio Peripheral (USRP); Tool: USRP and GNURadio
  • Exploiting wireless keyboard devices, manufacturer design motivators, pairing process, common keyboard analysis and security flaw disclosure, wireless keystroke logging and insertion
  • Hacking your own wireless devices, applying analysis techniques to non-standard hardware, retrieving documentation on devices, analysis of wireless presentation slide advancer; Tool: Parallax USB Oscilloscope
  • Introduction to cellular protocols and GSM networks, demodulating GSM traffic, GSM reference sources and data capture and analysis, risks with GSM use, Wireshark and GSM sniffing, exploiting weaknesses in GSM encryption; Tools: gsmdecode, gammu, GSSM, Wireshark, gsm-tvoid
  • Lab: Data collection and evaluating wireless devices

Bluetooth Security Threats

  • Bluetooth technology introduction, assessing the Bluetooth protocol stack, procedure for joining a Bluetooth piconet, Bluetooth profiles and application features, Bluetooth security options, leveraging Bluetooth link authentication and encryption
  • Exploiting range in Bluetooth networks, Bluetooth attacks including rogue APs, Bluesnarfing, Blueline, wireless works; Tools: Bluesnarfer, Linux BlueZ stack
  • Techniques for auditing and identifying Bluetooth devices, techniques for locating Bluetooth transmitters, Bluetooth policy and device configuration recommendations; Tools: BlueScanner, BTScanner, BTfind

Advanced Bluetooth Threats

  • Understanding Bluetooth pairing, analyzing the Bluetooth authentication exchange and associated protocols, attacking the Bluetooth pairing process, implementing PIN attacks; Tools: btpincrack, BTCrack
  • Attacking the Bluetooth E0 encryption algorithm
  • Sniffing Bluetooth networks, hacker techniques for building Bluetooth sniffers; Tools: FTS4BT, Linux BlueZ tools, frontline
  • Exploiting Bluetooth non-discoverable mode, discovering non-discoverable devices; Tools: GNURadio, BTScanner
  • Exploiting Bluetooth profile vulnerabilities, audio recording attacks, exploiting Bluetooth headsets, Bluetooth device impersonation attacks; Tools: CarWhisperer, ussp-push
  • Bluetooth device auditing, Bluetooth protocol fuzzing techniques, device enumeration; Tools: btaudit, Bluediving, bss

Lawrence Pesce
Sat Nov 17th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


WLAN IDS Technology

  • Introduction to IDS concepts, differentiating true positives from false positives, assessing events of interest
  • WIDS deployment models including overlay and integrated
  • Techniques for identifying attacks including signature analysis, trend analysis and anomaly analysis
  • Tool: NetStumbler
  • Evaluating attacks through traffic analysis, several examples
  • Evaluating WIDS systems, event aggregation, light bulb deployment, secure communication protocols, intrusion protection services, integration with third-party IDS systems
  • Deployment considerations: facility coverage, dwell time, logging fidelity, event storage, trend analysis

Introduction to Public Key Infrastructure (PKI)

  • Understanding what is involved in a PKI, PKI components including private and public encryption keys, digital certificates, digital signatures, certificate authorities
  • Key management protocols for a PKI, key file formats for certificate and key storage
  • Trust and key distribution mechanisms including distributed web of trust and hierarchical trust
  • Selecting a full or partial PKI model, using a local or a private CA
  • Techniques for scalable, secure PKI deployments

Deploying a Certificate Authority

  • Understanding the steps involved in the CA request process
  • OpenSSL as a CA: installing OpenSSL, using OpenSSL toolkit, establishing the CA environment, configuring OpenSSL, leveraging Windows XP OIDs, generating the root CA, converting certificates between PEM and DER, generating a CSR, validating the CSR, signing the CSR
  • Windows 2003 Server CA: Installing and configuring the CA server, generating a CSR using IIS, validating and signing the CSR

Deploying a Secure Wireless Infrastructure

  • Recommendations for managing an authentication architecture, leveraging the RADIUS protocol for authentication validation, RADIUS data encoding rules, EAP transmitted over RADIUS
  • Windows IAS as a RADIUS server: installing IAS, registering IAS for AD authentication, selecting the RADIUS shared secret, configuring IAS policies for AD group authentication and access times
  • FreeRADIUS as a RADIUS server: Installing and configuring FreeRADIUS using a local authentication source, configuring permitted client devices, configuring the users authentication source, configuring the preferred EAP methods, testing and debugging FreeRADIUS
  • Commercial RADIUS options, tips for troubleshooting RADIUS authentication on Windows XP
  • Understanding the impact of a compromised CA, "evil twin" attack
  • Recommendations and preferences for selecting an EAP type, understanding the advantages and disadvantages of EAP/TLS, PEAP, PEAPv1, PEAPv2, TTLS, EAP-FAST, PEAP-EAP-TLS.
  • Summary and recommendations for selecting an EAP type

Configuring and Securing Wireless Clients

  • Managing client certificate trust policies, default Windows root CA trust
  • Four techniques for deploying a new root certificate authority: manual, web-server delivery, scripted web-server delivery, automatic trust with GPO
  • Managing client configuration settings with Windows XP, cached authentication credentials with PEAP on Windows XP WZC, deploying GPO settings for preferred wireless network, specifying the configuration and settings of preferred WZC networks, editing and implementing wireless-specific GPO policies, recommendations for securing PEAP through GPO
  • Managing third-party wireless manager tools with the Funk Odyssey supplicant, creating a custom installer with Odyssey manager
  • Configuring WZC in login scripts, Tool: zwlancfg
  • Protecting client systems from attacks, hardening Windows XP recommendations, implementing change control for effective client security

Additional Information

Laptop Required

Throughout the course, you will participate in numerous hands-on exercises using a Linux system based on BackTrack 5 that is provided at the beginning of class. You will need a laptop to run the Linux environment for lab exercises, using Windows or Mac OS X as the host environment.

You will use VMware to run the Linux environment used for lab exercises. You can download VMware Player for free from, or you may use VMware Workstation or VMware Fusion.

Mandatory Laptop Hardware Requirements:

  • CPU: x86-compatible 1.5 GHz or higher is recommended
  • DVD Drive (not a CD drive)
  • 2 Gigabytes of RAM minimum
  • Two free USB 2.0 interfaces

Paranoia is Good

During the lab exercises, you will be connecting to a hostile wireless network! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if it is attacked.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Ethical hackers and penetration testers
  • Network security staff
  • Network and system administrators
  • Incident response teams
  • Information security policy decision makers
  • Technical auditors
  • Information security consultants
  • Wireless system engineers
  • Embedded wireless system developers

  • Powerful 500 mW ALFA 802.11a/b/g/n wireless card
  • USB Global Positioning System (GPS) adapter
  • High-power Bluetooth interface with external antenna connector
  • All software and tools used in lab exercises based on BackTrack 5

Author Statement

It's been amazing to watch the progression of wireless technology over the past several years. WiFi has grown in maturity and offers strong authentication and encryption options to protect networks, and many organizations have migrated to this technology. At the same time, attackers are becoming more sophisticated, and we've seen significant system breaches netting millions of payment cards that start with a wireless exploit. This pattern has me very concerned, as many organizations, even after deploying WPA2 and related technology, remain vulnerable to a number of attacks that expose their systems and internal networks.

With the tremendous success of WiFi, other wireless protocols have also emerged to satisfy the needs of longer-distance wireless systems (WiMAX), lightweight embedded device connectivity (ZigBee and IEEE 802.15.4), and specialty interference-resilient connectivity (Bluetooth and DECT). Today, it's not enough to be a WiFi expert; you also need to be able to evaluate the threat of other standards-based and proprietary wireless technologies as well.

In putting this class together, I wanted to help organizations recognize the multi-faceted wireless threat landscape and evaluate their exposure through ethical hacking techniques. Moreover, I wanted my students to learn critical security analysis skills so that, while we focus on evaluating wireless systems, the vulnerabilities and attacks we leverage to exploit these systems can be applied to future technologies as well. In this manner, the skills you build in this class remain valuable for today's wireless technology, tomorrow's technology advancements, and for other complex systems you have to evaluate in the future as well.

- Joshua Wright