10 - Wireless Pen Testing Flashcards
What is a wireless network?
A wireless network provides an extension to the organization’s infrastructure perimeter. It includes:
- WLAN
- Radio Frequency Identification (RFID)
- Near Field Communication (NFC)
- Mobile Devices
- Internet of Things (IoT)
What are the steps of Wireless Pen Testing?
- Discover the Wireless Networks
  - War Driving
- Identify Rogue Access Points
- Detect Hidden SSIDs
  - Run airmon-ng to find the hidden SSID
  - De-auth a client
  - Run airmon-ng again to catch the actual SSID name
- Check Physical Security of the AP
  - Check the physical location
  - Is access controlled?
  - Check network’s
- Detect Wireless Connections
  - Active Scanning (broadcast a probe and wait for responses)
  - Passive Scanning (sniff packets from the airwaves)
- Sniff Traffic between the AP and Linked Devices
  - Passively monitor transmissions to identify patterns and participants
- Create Ad Hoc Associations with an Unsecured AP
  - Create an ad hoc association to connect directly to an unsecured AP, and check for enterprise clients operating in ad hoc mode
- Create a Rogue Access Point and Try to Create a Promiscuous Client
- Use a Wireless Honeypot to Discover Vulnerable Wireless Clients (Evil Twin)
  - Try to capture any email or FTP connections
  - Try to access the user’s file shares
  - Try to capture the user’s login credentials
- Perform a DoS Attack (De-authentication Attack)
- Attempt Rapid Traffic Generation
  - Sniff wireless MAC addresses
  - Determine bridged and wired LAN hosts
  - Use the aireplay-ng tool to generate traffic
- Jam the Signal
  - The jamming signal appears to be an 802.11 transmission
  - 2.4 GHz jamming signals drown out the legitimate AP
- Attempt Single-packet Decryption
  - Perform a chopchop attack, which decrypts a WEP data packet without knowing the key
- Perform a Fragmentation Attack
  - Perform a frag attack to obtain 1500 bytes of PRGA (Pseudo Random Generation Algorithm)
  - At least one packet must originate from the AP to initiate the attack
- Perform an ARP Poisoning Attack
- Try to Inject the Encrypted Packet
  - Inject a packet to determine whether the wireless card can inject effectively, and measure the ping response time to the AP
  - The attack lists the APs in range that respond to broadcast probes and performs a 30-packet test
- Crack Static WEP Keys
  - Use the aircrack-ng tool to crack static WEP keys:
  - Monitor wireless traffic with airmon-ng
  - Collect traffic with airodump-ng
  - Associate your wireless card with the AP you are accessing, using aireplay-ng
  - Start packet injection with aireplay-ng
  - Decrypt the WEP key with aircrack-ng
- Crack WPA-PSK Keys
  - Sniff the 4-way handshake
  - Use a dictionary attack: try each passphrase in the dictionary file and generate the PSK from it
  - Observe the Message Integrity Check (MIC) of the packet, which is signed using the PTK
  - Using the PTK, reconstruct the MIC and compare it to the MIC of the sniffed packet
- Crack WPA/WPA2 Enterprise Mode
  - Only susceptible to MitM using a fake AP
- Crack the WPS PIN
  - The Wi-Fi Protected Setup (WPS) feature is activated by default
- Check for MAC Filtering
  - Use the aireplay-ng tool to determine whether the target access point uses MAC filtering
- Spoof the MAC Address
  - Spoof MAC addresses with the BackTrack tool
- Create a Direct Connection to the Wireless Access Point
  - Plugging the machine into the WAP gets it an IP in the same range automatically via DHCP
  - Find the IP of the WAP with the ipconfig command on the CLI
  - Try accessing the IP via a browser
  - Attempt the default login
- Attempt a MitM Attack
- Test for Wireless Driver Vulnerabilities
What are the RFID Pen Testing Steps?
- Perform Reverse Engineering
  - Gain access to the chip and read its memory, biometric data, personal info, etc.
- Perform a Power Analysis Attack
  - Analyzing power consumption patterns allows you to determine when the RFID receives correct and incorrect bits
  - Done by means of a directional antenna and an oscilloscope
- Perform Eavesdropping
  - By eavesdropping
- Perform a MitM Attack
  - Vulnerable because RFID tags are small and low-priced
  - RFID tags send and receive data in clear text
- Perform a DoS Attack
  - Provide more data than the RFID system can handle
  - Implement jamming and interference techniques
- Perform RFID Cloning/Spoofing
  - Capture the data of a legitimate tag, then create a clone using a new chip
  - Use a “magic” MIFARE Classic card, which allows the block 0 information to be rewritten
- Perform an RFID Replay Attack
- Perform a Virus Attack
  - If an RFID tag is infected with a virus and a reader scans it, the backend can be compromised via SQLi
  - Viruses can be injected into the memory space of RFID tags
What are the NFC Pen Testing steps?
- Perform Eavesdropping
  - NFC is susceptible to eavesdropping, data corruption, data modification, spoofing, and MitM
  - NFC broadcasts radio signals, which can be grabbed
- Perform a Data Modification Attack
  - NFC data in active mode can be modified
- Perform a Data Corruption Attack
  - This is a DoS attack
  - Interfere with the data transmission, disturbing or blocking the data channel so that the reader fails to read the information
- Perform a MitM Attack
  - Almost impossible
  - Try to eavesdrop, manipulate, and transmit to the NFC reader
What are the steps for Mobile Device Pen Testing?
- Rooting an Android Phone
  - Connect the phone to a workstation via USB and run rooting tools
  - Tools: One Click Root, Kingo Android ROOT, SuperOneClick, Superboot
- Jailbreaking an iPhone
  - Tools: Cydia, Keen, Pangu
- Intercept HTTP Requests sent from the Phone Browser/Applications
- Intercept HTTP Requests using a Proxy with the Android Emulator
  - Go to the emulator’s APN settings
  - Configure the Fiddler proxy details
  - Launch the browser in the emulator
  - Browse the target site
- Intercept HTTP Requests using a Proxy on the iPhone
  - Install and configure Charles proxy on the workstation browser
  - Go to Settings > Wi-Fi and select the Wi-Fi network you are connected to
  - Go to the HTTP Proxy setting and select the Manual option
  - Enter the IP of your workstation and port 8888
  - Leave the Authentication setting Off
  - All web traffic from the iPhone’s browser now goes through Charles
- Intercept HTTP Requests using a Proxy on the iOS Simulator
  - The iPhone simulator uses the OS X network settings to proxy traffic
- Intercept iOS Traffic using Burp Suite
- Sniff the Traffic using Wireshark
- Sniff the Traffic using FaceNiff
- Setting up the Environment for Android App Pen Testing
- Identify if the Android device is rooted
  - When a device is rooted, new files and packages are added to the device
  - Look for Superuser.apk or eu.chainfire.supersu (in system/app/)
  - Check if BusyBox is installed on the target device (in system/app/)
  - Execute the “su” and “id” commands to check for the root UID
  - Check the BUILD tag for test keys
- Test for App Least Privilege
  - The AndroidManifest.xml file defines the security permissions for applications in Android
- Explore installed packages on the Android phone with Package Play
  - Use the Package Play tool to view Android package details, including permissions, services, activities, etc.
- Perform Intent Sniffing
  - Intents are used for inter-application and intra-application communication
- Test the Android App using an Intent Fuzzer
  - A fuzzer sends unexpected or incorrect input to an app in an attempt to make it fail, in order to find bugs
- Test if the app stores sensitive data
  - Use the Android Debug Bridge (ADB) shell to determine whether the application stores sensitive data
- Test if app logs contain sensitive data
  - Use the logcat utility
- Reverse engineer the Android App
  - Use APK reverse engineering tools
- Discover processes running for the Android app
  - Use the ADB shell to view running processes
- Discover the system calls made by processes
- Check for sensitive data on the SD card
  - SD cards do not abide by sandboxing rules
- Test whether the SQLite DB reveals sensitive data
- Perform a DoS attack on the Android phone
  - Use the AnDOSid tool
- Find and exploit Android app vulnerabilities using Drozer
- Conduct pen testing using the Smartphone Pentest Framework
- Conduct vulnerability scanning using zANTI
- Perform Android pen testing using dSploit
- Setting up the Environment for iOS App Pen Testing
  - You can test on an emulator or on the phone itself
- Identify if the iPhone is jailbroken
  - Common files to look for are: cydia, stash, .plist, sshd, apt, etc.
  - Check if the root partition has read/write permissions
  - Check if the OpenSSH service is running on the device
- Inspect the Plist for sensitive info
  - Plist stands for Property List and contains the user prefs and config info of the app
- Investigate the Keychain Data Storage
- Check the iPhone logs for leakage of sensitive info
  - Use the Organizer window in Xcode to view iPhone logs
- Explore and look for sensitive files in the iOS file system
- Inspect SQLite DBs
- Inspect Error App Logs
  - Navigate to /private/var/log/syslog/ to view error logs
- Inspect Device Logs
  - Use Xcode to view logs
- Look for sensitive data cached in snapshots
  - Sensitive data may be extracted from the snapshot folder
- Inspect the Keyboard Cache
  - The cache contains every keystroke the user types in text fields
  - Navigate to the Library/Keyboard/en_GB-dynamic-text.dat file to view the keyboard cache
  - Use a hex editor
- Inspect the cookies.binarycookies file for leakage of sensitive info
  - View the persistent cookies
- Check URL schemes used by apps
  - A specific URL scheme is assigned to each iOS app running on the iPhone
- Check for Broken Cryptography
- Try to Reverse Engineer the iOS App
  - App binaries can be found at: private/var/mobile/Applications//.app/
  - Reverse engineer the binaries using the class-dump utility
What are the IoT Pen Testing steps?
- Testing an IoT device for an Insecure Web Interface
  - Test default login creds
  - Check for locked accounts
  - Check if the interface is susceptible
- Testing an IoT device for Poor Authentication
  - Test simple passwords
  - Check if passwords are sent in clear text
  - Check password requirements
  - Try to perform privilege escalation
- Testing an IoT device for Insecure Network Services
  - Port scan for insecure services
- Testing an IoT device for Lack of Transport Encryption
- Testing an IoT device for Privacy Concerns
- Testing an IoT device for an Insecure Cloud Interface
  - Test default passwords
  - Test if accounts are locked after failed attempts
  - Test password recovery mechanisms
- Testing an IoT device for an Insecure Mobile Interface
- Testing an IoT device for Insufficient Security Configurability
  - Are admin users separated from normal users?
  - Is secure logging available?
- Testing an IoT device for Insecure Software/Firmware
  - Check if the update file exposes sensitive data
  - Check if the production file is properly encrypted
- Testing an IoT device for Poor Physical Security
  - Can the device be disassembled?
  - Can the device be accessed via external ports?
  - Are all external ports needed?
  - Can ports be deactivated?
What is considered a Rogue Access Point?
Any AP, MAC, radio media type, or radio channel that is not authorized is considered a rogue AP.
What are the steps in creating a Rogue Access Point?
- Choose appropriate location (Coverage, Connection Point)
- Disable the SSID Broadcast to avoid detection
- Place behind a firewall to avoid network scanners
- Set up the rogue access point for shorter periods
- Try to gain access to network data
What frequencies are best to jam?
- AMPS: 869~894 MHz
- GSM: 925~960 MHz
- DCS: 1805~1880 MHz
- DECT: 1800~1900 MHz
- CDMA/TDMA: 825~894 MHz
- W-CDMA WLL: 1920~1980 MHz
- PHS WLL: 1900~1920 MHz
- PCS/TACS: 1930~1990 MHz
How does the WPA2 handshake work?
- The passphrase and SSID are supplied to Password-Based Key Derivation Function 2 (PBKDF2) to generate a 256-bit pre-shared key, or pairwise master key (PMK)
- The client and the AP each create the PSK; the handshake then takes place, exchanging values such as the SNonce, ANonce, the client’s MAC, and the access point’s MAC
- This information is then used to create the PTK (Pairwise Transient Key) for the current session
- The Message Integrity Check (signature) is generated for the packet and is signed using the PTK
What are the steps to perform a MitM attack?
- Run airmon-ng in monitor mode
- Start airodump-ng to discover SSIDs on the interface
- De-authenticate (deauth) the client using aireplay-ng
- Associate your wireless card (fake association) with the AP you are accessing with aireplay-ng
Why has mobile device Pen Testing grown?
The use of smartphones has grown exponentially with people using their phones to access official and personal info.
- Requirements:
  - Deep understanding of architecture, OS, functionality, networks, communications, and pen testing tools
What is the Mobile Pen Testing Methodology?
- Communication Channel Testing
  - Intercepting HTTP Requests
  - Sniffing Traffic
- App Testing
  - Reading Stored Data
  - Reverse Engineering
- Server-side Infrastructure Testing
  - Regular web server/application pen testing
What are the steps for Intercepting HTTP Requests sent from Phone?
- Android Steps:
  - Keep the mobile phone and workstation on the same network
  - Install Fiddler on the workstation
  - Configure Fiddler to allow remote connections and decrypt HTTPS traffic
  - Tap the Settings option on the target Android phone
  - Tap the Wi-Fi option
  - Find the Wi-Fi network of the target device
  - Tap and hold the Wi-Fi network to open the context menu
  - Select Modify network from the menu
  - Enable “Show Advanced Options”
  - Set “Proxy Settings” to Manual
  - Set “Proxy host name” to the Windows workstation IP address
  - Set the Proxy port to the port on which Fiddler is listening
  - Tap Save and wait until the network reconnects
  - Launch the Google Chrome browser and turn off Bandwidth management
  - Browse the target site and view the traffic in Fiddler on the Windows workstation
What is IoT?
A proposed development of the Internet in which everyday physical devices are equipped with sensors and network connectivity, allowing them to send and receive data