10 - Wireless Pen Testing Flashcards

1
Q

What is a wireless network?

A

A wireless network provides an extension to the organization’s infrastructure perimeter. It includes:

  • WLAN
  • Radio Frequency Identification (RFID)
  • Near Field Communication (NFC)
  • Mobile Devices
  • Internet of Things (IoT)
2
Q

What are the steps of Wireless Pen Testing?

A
  • Discover the Wireless Networks
    • War Driving
    • Identify Rogue Access Point
  • Detect Hidden SSIDs
    • Run airmon-ng to find hidden SSID
    • De-auth client
    • Run airmon-ng again to catch actual name of SSID
  • Check Physical Security of AP
    • Check physical location
    • Is access controlled?
    • Check network’s
  • Detect Wireless Connections
    • Active Scanning (Broadcasting a probe and wait for response)
    • Passive Scanning (Sniffs packets from airwaves)
  • Sniff Traffic between the AP and Linked Devices
    • Passively monitor transmissions to identify patterns and participants
  • Create Ad Hoc Associations with an Unsecured AP
    • Create ad hoc association for connecting directly to an unsecured AP and check enterprise client operating in ad hoc mode
  • Create a Rogue Access Point and Try to Create a Promiscuous Client
  • Use a Wireless Honeypot to Discover Vulnerable Wireless Clients (Evil Twin)
    • Try to capture any email or FTP connections
    • Try to access the user’s file shares
    • Try to capture user’s login credentials
  • Perform a DoS Attack (De-authentication Attack)
  • Attempt a Rapid Traffic Generation
    • Sniff wireless MAC addresses
    • Determine bridged and wired LAN hosts
    • Use the aireplay-ng tool to generate traffic
  • Jam the Signal
    • Jamming signal appears to be 802.11 transmission
    • 2.4 GHz jamming signals for drowning the legit AP
  • Attempt Single-packet Decryption
    • Perform chopchop attack which decrypts a WEP data packet without knowing the key
  • Perform Fragmentation Attack
    • Perform frag attack to obtain 1500 bytes of PRGA (Pseudo Random Generation Algorithm)
    • Need at least one packet to originate from AP to initiate attack
  • Perform an ARP Poisoning Attack
  • Try to Inject the Encrypted Packet
    • Inject a packet to determine if wireless card can effectively inject and determine the ping response time to the AP
    • The test lists APs in the zone that respond to broadcast probes and performs a 30-packet test
  • Crack Static WEP keys
    • Use aircrack-ng tool to crack static WEP keys
      • Monitor wireless traffic with airmon-ng
      • Collect traffic with airodump-ng
      • Associate your wireless card with the AP you are accessing with aireplay-ng
      • Start packet injection with aireplay-ng
      • Decrypt the WEP key with aircrack-ng
  • Crack WPA-PSK Keys
    • Sniff 4-way handshake
    • Use a dictionary attack: try each passphrase in the dictionary file and generate the PSK from it
    • Observe the Message Integrity Check (MIC) of the packet, which is signed by using the PTK
    • By using the PTK, reconstruct the MIC and compare it to MIC of sniffed packet
  • Crack WPA/WPA2 Enterprise Mode
    • Only susceptible to MitM using fake AP
  • Crack WPS PIN
    • Wi-Fi Protected Setup (WPS) feature activated by default
  • Check for MAC Filtering
    • Use aireplay-ng tool to determine whether target access point used MAC filtering
  • Spoof the MAC Address
    • Spoof MAC addresses with BackTrack tool
  • Create a Direct Connection to Wireless Access Point
    • Plugging machine into WAP will get machine an IP in same range automatically via DHCP
    • Find IP of WAP by doing ipconfig command on CLI
    • Try accessing IP via browser
    • Attempt default login
  • Attempt an MitM Attack
  • Test for Wireless Driver Vulnerabilities
3
Q

What are the RFID Pen Testing Steps?

A
  • Perform Reverse Engineering
    • Gain access to chip, read its memory, biometric data, personal info, etc
  • Perform Power Analysis Attack
    • Analyzing power consumption patterns allows you to determine when the RFID receives correct and incorrect bits
    • By means of directional antenna and oscilloscope
  • Perform Eavesdropping
    • By eavesdropping
  • Perform an MitM Attack
    • Vulnerable because RFID tags are small and low-priced
    • RFID tags send and receive data in clear text
  • Perform a DoS Attack
    • Provide more data than RFID system can handle
    • Implement jamming and interference techniques
  • Perform RFID Cloning/Spoofing
    • Capture data of legit tag then create clone using a new chip
    • Using a “magic” MIFARE Classic card which allows block 0 information
  • Perform RFID Replay Attack
  • Perform a Virus Attack
    • If RFID tag is infected with a virus, and a reader scans it, it can be compromised in the backend via SQLi
    • You can inject viruses to the memory space of RFID tags
4
Q

What are the NFC Pen Testing steps?

A
  • Perform Eavesdropping
    • NFC is susceptible to eavesdropping, data corruption, data modification, spoofing, and MitM
    • NFC broadcasts radio signals which can be grabbed
  • Perform a Data Modification Attack
    • NFC in active mode can be modified
  • Perform Data Corruption Attack
    • This is a DoS attack
    • Interfere with data transmission, disturbing or blocking the data channel so that the reader fails to read the information
  • Perform a MitM Attack
    • Almost impossible
    • Try to eavesdrop, manipulate, and transmit to the NFC reader
5
Q

What are the steps for Mobile Device Pen Testing?

A
  • Rooting Android Phone
    • Connect phone to a workstation via USB and run rooting tools
    • One Click Root, Kingo Android ROOT, SuperOneClick, Superboot
  • Jailbreaking iPhone
    • Cydia, Keen, Pangu
  • Intercept HTTP Requests sent from Phone Browser/Applications
  • Intercept HTTP Request using Proxy when using Android Emulator
    • Go to the emulator’s APN settings
    • Configure the Fiddler proxy details
    • Launch the browser in Emulator
    • Browse target site
  • Intercept HTTP Request using proxy on iPhone
    • Install and configure Charles proxy on the workstation browser
    • Go to Settings > Wi-Fi and select the Wi-Fi network you are connected to
    • Go to the HTTP Proxy setting and select the Manual option
    • Enter the IP of your workstation on port 8888
    • Leave Authentication setting to Off
    • All the web traffic from iPhone’s browser goes through Charles
  • Intercept HTTP Requests using Proxy on iOS Simulator
    • iPhone simulator uses the OS X network settings to proxy traffic
  • Intercept iOS Traffic using Burp Suite
  • Sniff the Traffic using Wireshark
  • Sniff the Traffic using FaceNiff
  • Setting up the environment for Android Apps Pen Testing
  • Identify if Android is rooted
    • When device is rooted, new files, and packages are added on the device
    • Look for: Superuser.apk or eu.chainfire.supersu (in system/app/)
    • Check if Busybox is installed on the target device (in system/app/)
    • Execute “su” and “id” commands to check the root UID
    • Check for BUILD tag for test keys
  • Test for app least privilege
    • The AndroidManifest.xml file defines the security permissions for the application in Android
  • Explore installed packages on Android Phone with Package Play
    • Use Package Play Tool to view Android package details, including permissions, services, activities, etc.
  • Perform Intent Sniffing
    • Intents are used for inter-application and intra-application communication
  • Test Android App using Intent Fuzzer
    • Fuzzer tool sends unexpected or incorrect input to an app in an attempt to cause it to fail in order to find bugs
  • Test if app stores sensitive data
    • Use Android Debug Bridge (ADB) shell to determine whether the application stores sensitive data
  • Test if app logs have sensitive data
    • Use logcat utility
  • Reverse engineer Android App
    • Use apk reverse engineering tools
  • Discover processes running on Android app
    • Use ADB shell to view running processes
  • Discover the system calls made by processes
  • Check for sensitive data on SD card
    • SD cards do not abide by sandboxing rules
  • Test whether SQLite DB reveals sensitive data
  • Perform DoS attack on Android phone
    • Use AnDOSid tool
  • Find and Exploit Android app vulnerabilities using Drozer
  • Conduct Pen testing using Smartphone Pentest Framework
  • Conduct Vulnerability Scanning using zANTI
  • Perform Android Pen Testing using dSploit
  • Setting up the Environment for iOS Apps Pen Testing
    • You can test on an emulator or phone itself
  • Identify if iPhone is jailbroken
    • Common files to look for are: cydia, stash, .plist, sshd, apt, etc.
    • If root partition has read/write permissions
    • Check if OpenSSH service is running on the device
  • Inspect the Plist for sensitive info
    • Plist stands for Property List and contains user prefs and config info of the app
  • Investigate the Keychain Data Storage
  • Check the iPhone Logs for Leakage of sensitive info
    • Use Organizer window in Xcode to view iPhone logs
  • Explore and Look for sensitive files in iOS File System
  • Inspect SQLite DBs
  • Inspect Error App Logs
    • Navigate to /private/var/log/syslog/ to view error logs
  • Inspect Device Logs
    • Use Xcode to view logs
  • Look for sensitive data cached in snapshots
    • Sensitive data may be extracted from snapshot folder
  • Inspect Keyboard Cache
    • Cache contains every keystroke user types in text fields
    • Navigate to: Library/Keyboard/en_GB-dynamic-text.dat file to view keyboard cache
    • Use Hex Editor
  • Inspect cookies.binarycookies File for Leakage of sensitive info
    • View the persistent cookies
  • Check URL schemes used by apps
    • A specific URL scheme is assigned to each iOS app running on iPhone
  • Check for Broken Cryptography
  • Try to Reverse Engineer iOS App
    • App binaries can be found at: private/var/mobile/Applications//.app/
    • Reverse Engineer the binaries using class dump utility
6
Q

What are the IoT Pen Testing steps?

A
  • Testing an IoT device for insecure Web Interface
    • Test Default Login creds
    • Check for locked accounts
    • Check if interface is susceptible
  • Testing an IoT device for Poor Authentication
    • Test simple passwords
    • Check if passwords are sent in clear text
    • Check password requirements
    • Try to perform privilege escalation
  • Testing an IoT device for Insecure network services
    • Port scan for insecure services
  • Testing an IoT device for Lack of Transport Encryption
  • Testing an IoT device for Privacy Concerns
  • Testing an IoT device for insecure cloud interface
    • Test default passwords
    • Test if Accounts are locked after failed attempts
    • Test password recovery mechanisms
  • Testing an IoT device for insecure mobile interface
  • Testing an IoT device for insufficient security configurability
    • Separation of admin users from normal users
    • Secure logging available?
  • Testing an IoT device for insecure software/firmware
    • Check if update file exposes sensitive data
    • Check if production file is properly encrypted
  • Testing an IoT device for Poor Physical security
    • Can device be disassembled
    • Can device be accessed via external ports
    • Are all external ports needed?
    • Can ports be deactivated?
7
Q

What is considered a Rogue Access Point?

A

Any AP, MAC, radio media type, or radio channel that is not authorized is considered a rogue AP.

8
Q

What are the steps in creating a Rogue Access Point?

A
  • Choose appropriate location (Coverage, Connection Point)
  • Disable the SSID Broadcast to avoid detection
  • Place behind a firewall to avoid network scanners
  • Set up the rogue access point for shorter periods
  • Try to gain access to network data
9
Q

What frequencies (MHz) are best to jam?

A
  • AMPS: 869~894
  • GSM: 925~960
  • DCS: 1805~1880
  • DECT: 1800~1900
  • CDMA/TDMA: 825~894
  • W-CDMA WLL: 1920~1980
  • PHS WLL: 1900~1920
  • PCS/TACS: 1930~1990
10
Q

How does the WPA2 handshake work?

A
  • The passphrase and SSID are supplied to Password-Based Key Derivation Function 2 (PBKDF2) to generate a 256-bit pre-shared key, or pairwise master key (PMK)
  • Either the client or the AP creates the PSK, and then the handshake takes place, exchanging packets containing the SNonce, ANonce, client’s MAC, and access point’s MAC
  • This info is then used to create the PTK (Pairwise Transient Key) for the current session
  • The Message Integrity Check (signature) is generated for the packet and is signed by using the PTK
11
Q

What are the steps to perform a MitM attack?

A
  • Run airmon-ng in monitor mode
  • Start airodump-ng to discover SSIDs on the interface
  • De-authenticate (deauth) the client using aireplay-ng
  • Associate your wireless card (fake association) with the AP you are accessing with aireplay-ng
12
Q

Why has mobile device Pen Testing grown?

A

The use of smartphones has grown exponentially with people using their phones to access official and personal info.

  • Requirements:
    • Deep understanding of architecture, OS, functionality, networks, communications, and pen testing tools
13
Q

What is the Mobile Pen Testing Methodology?

A
  • Communication Channel Testing
    • Intercepting HTTP Request
    • Sniffing Traffic
  • App Testing
    • Reading Stored Data
    • Reverse Engineering
  • Server-side Infrastructure Testing
    • Regular Web server/application pen testing
14
Q

What are the steps for Intercepting HTTP Requests sent from Phone?

A
  • Android Steps:
    • Keep mobile phone and workstation in same network
    • Install Fiddler on the workstation
    • Configure Fiddler to allow remote connections and decrypt HTTPS traffic
    • Tap on Settings option of target Android phone
    • Tap Wi-Fi option
    • Find the Wi-Fi network of target device
    • Tap and hold Wi-Fi network to explore context menu
    • Select modify network from menu
    • Enable “Show Advanced Options”
    • Set “Proxy Settings” to Manual
    • Set “Proxy host name” to the Windows workstation’s IP address
    • Set “Proxy port” to the port on which Fiddler is listening
    • Tap Save and wait until network reconnects
    • Launch Google Chrome Browser and turn off Bandwidth management
    • Browse the target site and view the Fiddler on Windows workstation
15
Q

What is IoT?

A

A proposed development of the Internet in which everyday physical devices are equipped with sensors and network connectivity, allowing them to send and receive data

16
Q

What are some WLAN countermeasures?

A
  • Change the default SSID
  • Set router access and enable FW protection
  • SSID cloaking
  • Hard to guess passphrases
  • Place FW in between AP and corporate intranet
  • Limit the signal strength of the wireless network
  • Check device configs regularly for problems
  • Encrypt traffic
  • Disable remote router login and administration
  • Change passphrases regularly
  • Use WPA instead of WEP
  • Implement WPA2 Enterprise when possible
  • Disable network when possible
  • Place APs in a secured location
  • Keep drivers updated
  • Use centralized server for authentication
17
Q

What are some Mobile Device countermeasures?

A
  • Strong implementation of BYOD policy
  • Enable rooting or jailbreaking preventative controls
  • Strong security implementation
  • Choose phone based on security features
  • Set limit on password attempts
  • Enable remote wipe feature
  • Maintain physical control of device
  • Use SIM lock or PIN feature
  • Turn on Phone Finder Service
  • Regularly update and patch
  • Do not root/jailbreak
  • Use secure apps
  • Secure source code with encryption
  • Avoid caching app data
  • Validate input data
  • Encrypt data at rest or in transit
  • Disable interfaces when not in use
  • Connect to encrypted Wi-Fi networks only