As networks and computing systems have become more secure through the evolution of next generation firewalls, intrusion prevention systems (IPS), and endpoint security, attackers have shifted their focus. Web applications, mobile devices and apps, IoT (Internet of Things), wireless networks and the human element via social engineering have become more attractive targets for threat actors. Each of these targets are large enough subjects for books themselves, but in this article series we are going to focus on wireless network attacks. Although there are numerous types of wireless technologies such as Bluetooth, LTE and NFC, this series will cover wireless networks or WLANs (Wireless Local Area Network) using WiFi technology. In this four-part series on wireless pentesting we are going to discuss the following;
- Part 1 – An Overview
- Part 2 – Building a Rig
- Part 3 – Common Wireless Attacks
- Part 4 – Performing an Actual Wireless Pentest
In this first article of the series, we are going to learn what wireless pentesting consists of and why assessing wireless networks should be a stand-alone item and part of the scope of a wider pentest.
Before we get into the specific topic of wireless pentesting, let’s cover some of the basics of pentesting. If you are new to the topic, pentesting is short for penetration testing. Pentesting is commonly referred to as ethical hacking. Pentesting is the process of assessing the security of a computer, network, application or other device using adversarial tactics, techniques and procedures (TTPs). Assessing security from an offensive perspective allows security professionals to discover vulnerabilities that may otherwise be overlooked.
All security professionals should be familiar with the Penetration Testing Execution Standard (PTES) as a great set of technical guidelines for performing pentests. It covers the following main sections of a typical pentesting methodology:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation
PTES is applicable for all types of pentests, and it includes the tools to be used in each step.
Pentesting Target Knowledge
The more information a pentester has from a client be it internal or external, the less time they need to test. The less information the more time. Time can be an issue for the client which can be a deciding factor on which type of pentest to choose. The amount of knowledge provided to a pentester falls into the following three categories:
- Black box – Little to no information supplied on the target(s) supplied to pentester. This is closer to mimicking an actual malicious actor.
- White box (aka crystal box) – A lot of information is provided to the pentester and, in the case of applications, accounts including passwords. More thorough tests can be performed in this type of engagement, since the pentester doesn’t have to use the time allotted to discover this basic information.
- Gray box – As the color suggest, this type of test is somewhere between black and white. Some knowledge of the system is provided to the pentester. Typically, this will include IP addresses and/or URLs but not much more than this.
There are three general assessment levels, and different levels are appropriate at different times. The following are the different testing levels:
- Vulnerability Detection – running a vulnerability scanner or other tools to detect vulnerabilities. Check out my previous article on Manual Vulnerability Detection
- Vulnerability Assessment – vulnerability detection and validation.
- Penetration Test – vulnerability detection, validation, and exploitation.
I once performed a wireless network vulnerability assessment of a hospital. The original scope for the wireless network assessment was a pentest of the entire wireless network, but, due to medical devices connected to the network, the scope was changed to a vulnerability assessment with a configuration review of the wireless controllers. The client and I wanted to avoid any possible interference with the medical devices on the wireless network while still providing an assessment of those devices.
What is wireless pentesting, and why is it needed?
Just as wired networks need to be pentested, wireless networks also need to be tested. Wireless networks are especially risky, since they can be attacked remotely. Potential attackers can hack wireless networks from the parking lot or down the street of the targeted network, so it is very critical to assess and secure wireless networks. This includes not only the placement of wireless devices and access points but also the encryption protocols.
Along with testing for wireless network vulnerabilities, guest wireless networks can be a security and privacy risk and should be included in wireless pentesting. Typically, guest networks are used to allow non-employees including customers and guests to have access to the Internet. If guest wireless networks are not secured properly by segmenting them from the production/corporate networks, this not only leaves your organization open to accidental leakage of data, but also the possibility of giving bad actors access to internal resources.
Another subset of wireless devices that should also be top of mind for the pentester is rogue access points, unauthorized wireless access points connected to the network without specific permission from or known by an organization’s IT department. They are typically in use to allow wireless network access by employees or contractors. This could be innocent in nature but is a potential security risk. Sometimes they are put in place specifically to get around security controls or just to allow unauthorized access. They can also be used by malicious actors to attempt to attack wireless clients on the network.
Where do we go from here?
In future articles in this series, we’ll cover everything you need to know to complete a basic wireless pentest. But before we cover common attack methods in Part 3 and the process of performing a professional wireless network pentest in Part 4, we’ll need to get you up to speed on the proper hardware and software to use. So next time we’ll cover building the rig needed to do this professionally (and for practice) on your own.
Until next time keep on pwning! But please have permission.
Phillip Wylie is a Principal InfoSec Engineer on the Assessment Services Penetration Testing Team in the financial sector. Phillip is also an Adjunct Instructor at Richland College teaching Ethical Hacking and System Defense, a Bugcrowd Ambassador and the founder of The Pwn School Project. Phillip has over 21 years of experience in InfoSec and IT and has performed pentests on networks, wireless networks, applications including thick client, web application and mobile. Phillip has a passion for sharing, mentoring and educating. This passion was his motivation to start teaching and founding The Pwn School Project, a free monthly educational meetup with a focus on hacking. Phillip holds the following certifications; CISSP, NSA-IAM, OSCP, GWAPT. Follow him @PhillipWylieTags: pentest wifi wireless wylie