Published on January 30, 2020
1. Advanced Wireless Reconnaissance and Testing #NSConclave2020 Rohit Jadav
2. [~]$ whoami Rohit Jadav - Manager Professional Services ● 5+ yrs experience in Information security domain ● Vast experience in VAPT on various business and banking applications, corporate networks. ● Performed PCI-DSS wireless assessment for an international client @54ucyv1p3r Rohit Jadav
3. Overview Wireless computing devices are everywhere and new products seem to appear daily, which poses signiﬁcant security risks to an organization. As a result, network and information security staff must understand the risks inherent in wireless computing. This workshop is designed to understand the basic wireless networking concepts. Hands-on activities are presented from the auditors perspective to help learners understand a wireless auditing methodology.
4. Workshop Objectives After the completion of the workshop the learners should be able to: ➔ Understand the operation of 802.11 and other wireless technologies. ➔ Perform passive 802.11b/g/n/a/ac scanning (2.4 and 5GHz bands) ➔ Perform packet capture and analysis of 802.11 trafﬁc ➔ Perform PCI-DSS compliance audit: ◆ Perform wardriving / warwalking ◆ RF signal capture and strength analysis ◆ Identify and analysing a frequency from the spectrum ◆ Isolate rogue frequency
5. Introduction to Wireless Technologies
6. Wireless Technology - Communication The wireless communication refers to the transfer of information using electromagnetic (EM) or acoustic waves over the atmosphere rather than using any propagation medium that employs wires.
7. Wireless Technology - Types NFC5 Bluetooth6 Ultra Wideband Radios7 Zigbee Radios8 Cellular Systems 1 Wi-Fi 2 WIMAX 3 GPS / Satellite Systems 4
8. Wireless LANs
9. Wireless LANs ● Are high frequency radio waves instead of cables for connecting the devices in LAN. ● Very ﬂexible within the reception area. ● Ad-hoc networks without previous planning possible. ● No wiring difﬁculties. ● More robust against disasters.
10. Local Wireless Networks Personal Wireless Networks Wireless Distribution Networks
11. Wireless LANs - Basics - Wi-Fi Wi-Fi is a generic term that refers to the IEEE 802.11 communications standard for Wireless Local Area Networks Wi-Fi works on physical as well as data link layer. Wi-Fi uses radio technologies: IEEE 802.11b IEEE 802.11a IEEE 802.11 g ….n
12. Wireless LANs - Basics - Wi-Fi Access Point (AP): It is a Wireless LAN transerver or “base station” that can connect one or many wireless devices to the internet via wired network. Service Set Identiﬁer (SSID): The SSID identiﬁes a speciﬁc wireless LAN. Basic Service Set – (BSS): A set of stations controlled by a single coordination function. Can be classiﬁed as either an Independent BSS (IBSS) or an Extended Service Set (ESS).
13. Wireless LANs - Basics - Bluetooth Bluetooth is a short range and low power wireless technology developed for exchanging data over short distance, creating Personal Area Network (PANs) ● Operates on 2.4 GHz band ● Effective range 10 mtrs ● Supports data rate of 1 MB/s ● Uses radio technology called Frequency-Hopping Spread Spectrum
14. Wireless LANs - Basics - WiMax WiMax (Worldwide Interoperability for Microwave Access) is an IEEE 802.16 broadband standard. ● It is a wide area wireless network standard ● Operates in 2.5 to 3.5 GHz ● Providing high-speed mobile data and telecommunications services ● Highly scalable and distributed architecture
15. On what does the wireless technologies actually work on??
16. World of Wireless
17. 1. Analog video - Amplitude modulated from 50MHz to 800MHz 2. Digital video - complex modulation from 200MHz to 800MHz 1. Voice - analog or digital modulation from 800MHz to 900MHz 2. 3G, 4G or LTE - 1700 MHz to 1900 MHz and others 3. Bluetooth - digital modulation at 2400MHz 1. Many types of signals - voice, audio, video, data 2. Many modulation types - analog and digital 3. Many, many frequencies - 3400MHz, 5900MHz, 10.7GHz 1. Wi-Fi - digital modulation at 2400MHz or 5000 to 5800MHz. 2. Bluetooth - digital modulation at 2400MHz 1. AM Radio - AM modulation from 0.6MHz to 1.6MHz 2. FM Radio - FM modulation from 88MHz to 108MHz Television Cellular Phones Satellite Signals Wi-Fi Bluetooth AM/FM
18. ISM UNII Bands INDUSTRIAL, SCIENTIFIC AND MEDICAL (ISM) BANDS They are defined by ITU Telecommunication Standardization Sector (ITU-T). The IEEE 802.11 standard and the subsequent 802.11b and 802.11g amendments all define communications in the frequency range between 2.4 GHz and 2.4835 GHz. UNLICENSED NATIONAL INFORMATION INFRASTRUCTURE BANDS (UNII) The IEEE 802.11a amendment assigns data transmissions within the frequency space of the 5 GHz UNII bands. The 802.11a amendment uses three groupings, or bands, of UNII frequencies. All three bands are 100 MHz wide Wireless Networks
19. 802.11 and other ISM/UNII band
20. ISM Bands ● 900 MHz ISM band ● 26 MHz Wide ● Allocated to the Global System for Mobile Communications (GSM) ● 2.4 GHz ISM band is currently the most common band used band ● 83.5 MHz wide and spans from 2.4000 GHz to 2.4835 GHz. ● 5.8 GHz ISM band is 150 MHz wide ● Spans from 5.725 GHz to 5.875 GHz. ● The 5.8 GHz ISM band is a preferred spectrum for long distance wireless bridging. Industrial Band Scientific Band Medical Band
21. UNII Bands ● Operates between 5.15–5.25 GHz ● 100 MHz wide ● Operates between 5.25–5.35 GHz ● 100 MHz wide ● Operates between 5.725–5.825 GHz ● 100 MHz wide UNII-1 Band UNII-2 Band UNII-3 Band
22. Hands on - Identify the wireless devices Warwalking / Wardriving
23. Requirements: ● Wi-Fi card (Alfa card) ● Kali Linux ● Kismet ● Aircrack-ng Wi-Fi network security assessment suite Wardriving / Warwalking Tasks: ● Hands-on of the assessment tools ● Identify the wireless access points ● Observing the wireless properties ● Identifying clients properties ● Handshake capturing
24. What did we learn? ● Detect Wireless devices in the vicinity ● Identifying the clients connected to the access points ● Wireless access points properties (signal strength, channel details, etc)
25. Packet capture and analysis
26. Packet capturing (using Kismet and Wireshark) Requirements: ● Kismet ● Aircrack-ng suite Tasks: ● Capture and analyse 802.11 trafﬁc ● Identify the handshake
27. What did we learn? ● Capturing the 802.11 trafﬁc ● Analysis of the 802.11 trafﬁc ● Hand-on of the trafﬁc analysis tools
28. RF Wireless Spectrum Capture and Analysis
29. Sound waves Visible Light Harmful Radiation VHF = VERY HIGH FREQUENCY UHF = ULTRA HIGH FREQUENCY SHF = SUPER HIGH FREQUENCY EHF = EXTRA HIGH FREQUENCY ISM Bands 2.4 GHz ISM Band 4G Cellular Electromagnetic Spectrum
30. How am I supposed to scan this spectrum ??
32. Hands-on with the RF Explorer
33. Scanning the RF spectrum Requirements: ● RF Explorer ● RF Explorer client installed on the machine Tasks: ● Analyse spectrum ● Identify the frequencies ● Identify between a rogue and authentic radio frequencies ● Isolating a rogue frequency
34. RF Jargons ● Attenuation –a loss in force or intensity –As radio waves travel in media such as coaxial cable attenuation occurs. ● Noise Floor –The measure of the signal created from the sum of all the noise sources and unwanted signals appearing at the receiver. This can be adjacent signals, weak signals in the background that don’t go away, electrical noise from electromechanical devices etc. ● Receiver Sensitivity –The minimum received power needed to successfully decode a radio signal with an acceptable BER. This is usually expressed in a negative number depending on the data rate. ● SNR–Signal to Noise Ratio –The ratio of the transmitted power from the AP to the ambient (noise ﬂoor) energy present.
35. Antennas Nagoya Telescopic NA-773 ● This is a telescopic, high quality 2dBi antenna ideally suited for 144MHz and 430MHz bands. ● Use this antenna in all ranges of frequencies between 15-1000MHz.
36. Antennas Whip dipole antennas ● These are quality 2dBi antennas designed for narrow band application ● RF Explorer 6G, includes a 2dBi antenna tuned for 2450MHz
37. Antennas Rubber duck 5.8GHz antenna ● This is a quality antenna with good coverage in the range of 5.4-5.9GHz ● Offers reasonable coverage in the 2.4 Ghz band too, so can be used as dual band antenna for WiFi
38. Frequency Settings ● dBm –decibels milliwatt --abbreviation for the power ratio in decibels (dB) ● Center Freq: Center frequency in MHz ● Freq Span: Frequency span (or range) to display on screen in MHz ● Start Freq: Lower frequency range to display on screen in MHz ● Stop Freq: Higher frequency range to display on screen in MHz
39. Calculator ● Max: Peak values are used from the last sweep Iterations. This is the standard mode. ● Max Hold: Capture all activity in the band including the Max signal envelope mode with vector graphics and real-time activity with vertical bars. ● Average: Arithmetic media average is calculated over the last sweep Iterations. This is the best possible choice to remove unwanted white noise from screen, particularly useful in constant wave (CW) and channel signals display. ● Normal: No calculation is done, just raw data as result of the realtime sweep.
40. What did we learn? ● Operating the RF Explorer ● Analyzing the RF spectrum ● Scanning ISM UNII bands ● Identifying and isolating rogue frequency
41. What PIC-DSS has to say? PCI DSS wireless requirements can be broken down into the following two primary categories: 1. All organizations should have these controls in place to protect their wired networks from attacks via rogue or unknown wireless access points (APs) and clients. 2. All organizations that transmit payment card information over wireless technology should have these controls in place to protect those systems.
42. What PIC-DSS has to say?
43. What PIC-DSS has to say?
44. Revisiting the workshop objectives 1. Understand the operation of 802.11 and other wireless technologies. 2. Perform passive 802.11b/g/n/a/ac scanning (2.4 and 5GHz bands) 3. Perform packet capture and analysis of 802.11 trafﬁc 4. Perform PCI-DSS compliance audit: a. Perform wardriving / warwalking b. RF signal capture and strength analysis c. Identify and analysing a frequency from the spectrum d. Isolate rogue frequency
45. You can proudly say….