Archive for the ‘wireless pen testing’ Tag

And the winner is…

Andrew vonNagy!

If you haven’t been following along, I ran a contest over the past week for the best wireless pen testing tip or trick.

As promised, I will be pre-ordering a copy of “Wireless Hacking Exposed” for Andrew.

Here was Andrews submission for the contest:

To PenTest WPA2 secured wireless networks, setup a honeypot AP and a Free-RADIUS WPE (wifi pwnage edition by Josh Wright) to harvest EAP/MS-CHAP credential hashes from improperly secured client devices which are not validating the RADIUS server. Then use John the Ripper or similar password cracking tool to crack the user password using a dictionary attack.

If you want more of Andrew’s wisdom, you can also check out his blog, “Revolution Wi-Fi” – It has some quality content.

Related Posts:

Advertisements

Just a Reminder….

I am giving away a FREE copy of “Wireless Hacking Exposed”.  All you have to do is submit a comment to the post about the book stating your favorite wireless pen testing tip or trick.  Technical or non-technical.

I am going to choose the best comment at the close of business tomorrow (July 1st).  There are only two submissions right now, so if you enter with less than 24 hours left, I’d say that you have a decent chance of winning.  🙂

Here are even a few ideas to get you started:

  • What’s your favorite wireless card for pen testing?  Why?
  • What’s the best application / piece of software for wireless pen testing?  Why?
  • What a common myth about wireless security that you can dispel through pen testing?
  • Tell me about your favorite pen testing experience.  (Mine is below….)

Personally, my favorite part of wireless pen testing is social engineering.  For example, one time I was assigned to do a security assessment for an oil & gas company.  I targeted the IT department of the company, figuring the report would hit home if it contained *their* passwords, sensitive data, etc.

The IT department of this company was on the 5th and 6th floors of a multistory building.  Part of the social engineering I utilized was implemented when I checked into my hotel for the project.  You see, the hotel I checked into was in a building adjacent to my customer / target.  When I checked in, I specifically requested a room on the side of the building closest to “ABC Company”, that had a balcony, and was on either the 5th or 6th floor.  Do you think the hotel clerk hesitated one second before they fulfilled my request?  Of course not.

On top of that, when I checked into my room, I set up 2 different computers, each with multiple wireless cards, spectrum analyzers, and external antenna connected to them.  Even to the point where I had a tripod mounted -13.5 dB Yagi antenna with a laser pointer on the balcony pointed at my customer / target company.  The maids came in and out of my room, and if anyone ever said anything, it certainly wasn’t filtered back to me.

Could I still have done the pen test without this?  Yes.  But did having this location make it more convenient to collect packets, circumvent authentication & encryption, redirect/attack wireless clients, etc.?  Of course it did.

FREE Copy of “Wireless Hacking Exposed”

There has been a thread going on the WiFiSec mailing list at SecurityFocus the past couple days about Wi-Fi testing on a Mac.

My friend and colleague, Joshua Wright weighed in with his tremendous expertise with the following post:

Johnny Cache, Vinnie Liu and I are just putting the finishing touches on

Hacking Exposed Wireless, 2nd Edition. It’s available for pre-order on

Amazon, and should be shipping in the middle of July (http://amzn.to/d4D2SU). In this fully-revised book we present step-by-step help for implementing multiple attacks against 802.11, Bluetooth, ZigBee and DECT, with countermeasures for each attack.

Pertinent to this discussion is Johnny’s chapter “Bridging the Airgap on

OS X” where he illustrated an example of compromising a remote OS X box

and leveraging it to attack local wireless networks. In this discussion

he talks about the OS X “airport” utility.

The airport utility is located at

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport.

In 10.6 systems, you can use this tool to initiate a monitor-mode

packet capture saving to a libpcap file, as well as active scanning and

other interesting functions. During a packet capture with the airport

utility, the Airport icon on the task bar will turn into what we decided

is the “Eye of Sauron”.

While Windows Vista and 7 have native monitor-mode support in drivers,

there are no native tools, forcing us to rely on the NetMon package.

Fortunately with OS X, we have the native airport utility.

Some of Johnny’s scripts and tools from this chapter have been put

online at www.hackingexposedwireless.com. I’ll continue to post

materials there this week, as well as the free online chapters providing

in-depth analysis of 802.11, Bluetooth (including attacks against

Simple, Secure Pairing) and RF fundamentals.

–Josh

I can tell you from taking Josh’s Wireless Ethical Hacking, Penetration Testing, and Defenses course through the SANS Institute, that he *definitely* knows his stuff, and therefore, this book is a must read.

I think this book is such a must read, that I am giving away a copy for FREE.  Leave a comment with your best Wi-Fi Pentesting Tip. I’ll choose the best one a week from today (July 1st) and I’ll pre-order this book on your behalf.

Advertisements