Chapter 3. Wireless and Mobile
So I don't think it's possible to go to a conference these days and not see a talk on mobile or wireless. (They tend to schedule the streams to have both mobile and wireless talks at the same time—the sneaky devils. There is no escaping the wireless knowledge!) So, it makes sense that we work out some ways of training people how to skill up on these technologies. We're going to touch on some older vulnerabilities that you don't see very often, but as always, when you do, it's good to know how to insta-win.
In this chapter, we will specifically focus on the following topics:
Prerequisites for this chapter
Network setup
In-depth setup of a WEP network and dummy traffic
In-depth setup of a WPA-2 network for handshake capture
In-depth setup of vulnerable phones and devices
In-depth setup of a secondary vulnerable phone scenario
Exploit guides for all scenarios
Wireless environment setup
This chapter is a bit of an odd one, because with Wi-Fi and mobile, it's much harder to create a safe environment for your testers to work in. For infrastructure and web app tests, you can simply say, "it's on the network, yo" and they'll get the picture. However, Wi-Fi and mobile devices are almost everywhere in places that require pen testing. It's far too easy for someone to get confused and attempt to pwn a random bystander. While this sounds hilarious, it is a serious issue if that occurs. So, adhere to the following guidelines for safer testing:
Where possible, try and test away from other people and networks. If there is an underground location nearby, testing becomes simpler as floors are more effective than walls for blocking Wi-Fi signals (contrary to the firmly held beliefs of anyone who's tried to improve their home network signal). If you're an individual who works for a company, or you know, has the money to make a Faraday cage, then by all means do...
Scenario 1 – WEP, that's me done for the day
Sometime in the past, someone thought it would be a really good idea to encrypt wireless network traffic so that others couldn't snoop on it and steal their things. There were some initial forays into the field until Wired Equivalent Protocol (WEP) came along. WEP was great, it was fast, it had a cool name, and was relatively easy to implement. The problem was that other naughty people realized that if you listened to WEP traffic long enough, you could decrypt the traffic, and furthermore, gain access to the network. Not good. Needless to say, you shouldn't use WEP anymore (though legacy systems are legacy systems, so people still do).
We are going to create a WEP network through one of a number of ways and generate some fake traffic for our attackers to watch. We're going to use Airbase, Python, and a little bit of iptables, though not so much that you'll cry yourself to sleep tonight.
Before we get into the creation of wireless networks...
For this scenario, we're going to create a WPA-2 secured network with hostapd and link a client to it. This will allow your testers to practice disassociating clients with networks and capturing handshakes. These are not related to their social equivalents; we're not going to have someone ostracized and steal all of their friends—that's the next chapter.
The WPA-2 crack is very similar to the WEP network except that you can't use either of the methods I've described earlier. Airbase-ng will create a dummy WPA-2 network that is good enough to fool the unobservant, but if I thought you were unobservant I wouldn't have even started writing this book. You are a security-minded individual, and I'm going to give you the real deal… sort of.
Hostapd is managed through a file called hostapd.conf. On Kali Linux, hostapd is usually already installed and present in /etc/hostapd. For everyone using a legitimate operating system, you may need to install it. The apt-get install hostapd...
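As an added example (not the book's own configuration), the following is a minimal hostapd.conf for a WPA2-PSK training network of the kind this scenario describes. The interface name, SSID, channel and passphrase are assumed lab values; the passphrase is deliberately a weak one so a captured handshake can be cracked in the exercise, which is exactly why it must never be reused on a real network.

```ini
# Assumed lab values: adjust to the wireless interface and channel you actually use.
interface=wlan0
driver=nl80211

# The network name clients will see and probe for (assumed lab SSID).
ssid=CTF-WPA2-Lab
hw_mode=g
channel=6
ignore_broadcast_ssid=0

# Open System authentication only (no WEP shared-key auth on this AP).
auth_algs=1

# WPA2 (RSN) only, pre-shared key, AES-CCMP pairwise cipher.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

# hostapd requires 8 to 63 ASCII characters here. Deliberately weak training
# passphrase so the handshake-capture exercise has something crackable.
wpa_passphrase=password1
```

Start it in the foreground with hostapd /etc/hostapd/hostapd.conf (add -d for debug output) and associate the client device to it before your testers begin.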
Scenario 3 – pick up the phone
In this section, we are going to create several devices probing for Wi-Fi networks that will allow individuals to test their ability to identify phone ownership or details without touching the phone. The setup from this scenario can be used in three different ways, so there are three exploit guides for this scenario.
Remember when I said that the -e option was important in the WEP setup; this is why.
I like to use phones for this, but you can use different devices: laptops, PCs, toasters—anything with a wireless interface. Basically, the premise of this exercise is to prepopulate multiple devices with probe request profiles. When Wi-Fi is turned on, on any device, it probes out for networks that it has previously connected to. As a professional malicious user, you can listen to these and make judgments about people. Judging people is fun!
So, in order to populate the phones with the networks, we need to create them. So, we go back off to...
The following are the exploitation guides for the scenarios created in this chapter. These are guidelines, and there are more ways to exploit the vulnerabilities.
Scenario 1 – rescue the WEP key
The brief provided for this exploitation guide is assumed to be: Crack the WEP network and recover the WEP key. Perform the following steps:
This is reasonably straightforward. First, we need to record traffic in the area. We use airodump-ng to do this with the following command line:
<Interface> is the active interface to record on.
<output prefix> is what the output will be called.
<MAC> is the MAC address of the router you wish to target.
<channel> is the channel that the target network is operating on.
--ivs tells airodump to only record IVs. For this, my command will be as follows:
We need to...
In this chapter, we covered how to snoop on wireless devices, identify something about their histories, perform a man-in-the-middle attack on them, and perform a limited range of exploits against them. We set up WEP and WPA-2 secured networks and successfully performed exploits against them. These skills form the basis of the understanding of wireless penetration testing, and the core concepts will carry you a long way as a basis for a methodology. From these core skills, you should be able to perform tests against wireless networks as well as apply these skills in other tests. For example, man-in-the-middle toolkits can be used to proxy other devices to view data in transit where normal proxies are unavailable.
The next chapter covers social engineering in broad terms. It has some challenges for face-to-face social engineering practice: some attacks will require social engineering to perform and set up a rabbit trail across the Internet. This will be a fun chapter, so if you're feeling...