Wireless Penetration Test Checklist
Pre-Test Activities
- During ROE call obtain:
  - Physical addresses for in-scope facilities.
  - SSID count and in-scope SSID list.
  - Facility maps if heatmap generation is requested.
- Perform reconnaissance against target organization facilities using https://wigle.net. Details on common search techniques are included in Wigle.net.
- Consider pre-computing dictionaries for any Pre-Shared Key (PSK) networks to expedite handshake and PMKID cracking. Pre-computation is SSID-specific because the SSID is used in the key derivation performed during the handshake process, so the SSID used for dictionary pre-computation must match exactly, including case.
- Ensure that required hardware is available for executing the test:
  - The BHIS Wifi kit can be requested by emailing systems@blackhillsinfosec.com.
  - There is no BHIS WiFi kit…
  - A list of recommended components for test execution can be found at 3. Recommended Wireless Kit Components.
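As an added illustration of why the SSID and its case matter for dictionary pre-computation (this Python is not part of the BHIS checklist; the function names are my own), the following derives the WPA/WPA2 PMK the way IEEE 802.11i specifies and builds a per-SSID table:

```python
import hashlib

# Added example (not from the checklist). IEEE 802.11i derives the Pairwise
# Master Key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
# The SSID is the salt, so a table built for "CorpWifi" cannot be reused for
# "corpwifi"; this is why the in-scope SSID list must be copied exactly.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for one passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid_bytes, 4096, dklen=32)


def precompute_pmks(ssid: str, wordlist) -> dict:
    """Map each usable wordlist entry to its PMK (hex) for this exact SSID.

    Entries outside the 8-63 character range can never be a valid WPA
    passphrase, so they are skipped rather than spending 4096 PBKDF2 rounds.
    """
    return {w: derive_pmk(w, ssid).hex() for w in wordlist if 8 <= len(w) <= 63}


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, SSID in a different case: a completely different PMK
    print(derive_pmk("password", "ieee").hex())
```

A table built before arriving on site is only worth the CPU time if the SSID spelling in the ROE matches what the beacons actually advertise.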
On-Site Customer Questions
It can be useful to have a discussion with the onsite point of contact to get a feel for the security posture of the organization’s wireless infrastructure. This discussion may be used to guide test case execution during later phases of testing. Potentially useful questions include:
- What SSIDs are you responsible for and what is the purpose of each network?
- Do you have a policy to disable/secure wireless on IoT devices when you deploy them, such as disabling wireless APs on printers?
- Does the organization employ any Pre-Shared Key (PSK) networks? If so:
  a. How long is your PSK (i.e. 12 characters, 8 characters, etc)?
  b. Is the PSK regularly rotated?
  c. Who has knowledge of the PSK? Is it shared publicly or only deployed via MDM/profiles?
  d. Describe the use case of your PSK networks.
- Does the organization employ any enterprise authentication networks? If so:
  a. Do you require EAP-TLS on enterprise networks?
  b. Do you require clients to validate the AP certificate?
  c. If you use your own CA to validate the certificate, how is that CA managed? Do you revoke keys?
  d. How are clients configured? (i.e. GPO, MDM, etc)
  e. Can you provide a representative device for us to analyze?
- Does the organization employ any open wireless networks? If so:
  a. What are your open networks used for (i.e. guest networks)?
  b. Are they segmented from the corporate network?
  c. Do they use captive portals? (i.e. ToS agreement, passphrase requirement)
  d. Do they enforce client isolation?
- Are you concerned about signal bleed?
  a. Are you in a shared tenant building?
  b. Are there publicly accessible restaurants or other locations in your building that you cannot monitor?
  c. If not shared tenant/publicly accessible, do you have physical security controls that would detect/prevent someone from attacking wireless networks from nearby (i.e. guard patrols after hours, cameras, etc)?
- Do you have a policy that disallows deploying your own access point (rogue AP)?
- Do you have a NAC that would prevent a rogue AP from bridging to the internal network?
- How do you manage internet access for employees outside of the office? Do you provide wireless hotspots? If so, how are they secured? Do you provide any policies/recommendations to secure employee home wireless networks?
Test Execution
- Perform passive analysis within the target customer facility using tools like Kismet, Bettercap, Netspot, or the Aircrack-ng Suite. Passive analysis should be conducted while wandering the facility, because advertisement of unexpected or undocumented SSIDs may be restricted to a specific subset of access points within the facility. Unexpected or undocumented SSIDs may have a weaker security posture than well-known SSIDs. During passive analysis, identify the following characteristics:
  - Customer SSIDs within the in-scope area.
  - Authentication and encryption strategies employed on all customer networks.
  - Protections applied to open networks (captive portals, MAC filtering, etc).
  - Ad-hoc wireless devices deployed in the target facility.
- Perform BSSID Correlation on passive analysis results to identify any related SSIDs that might exist in the customer environment. Discuss adding any previously unidentified wireless networks to your scope.
- Perform Rogue Device Searches against passive analysis results.
- Uncloak Hidden SSIDs on any in-scope networks that are configured to be non-broadcasting.
- Analyze Wireless Hardware in use for potential attack alternatives.
- Perform Pre-Shared Key (PSK) Attacks against networks utilizing PSK authentication.
- Check for PSK reuse across in-scope SSIDs, where applicable.
- Perform Enterprise Network Attacks against networks deployed using WPA-Enterprise (EAP) authentication.
- Perform Open and Guest Network Attacks against networks that do not require authentication or encryption and PSK networks used for guest access.
- Perform Segmentation Testing between the corporate network and non-corporate wireless networks (BYOD, Guest, etc).
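The BSSID correlation and rogue-device search steps above can be partly automated over the passive-analysis results. The following Python is an added example, not BHIS tooling: it takes a constructed set of scan rows (in practice exported from Kismet or airodump-ng), groups BSSIDs that appear to come from the same radio, reports SSIDs that share a radio with an in-scope SSID, and flags in-scope SSIDs served from a BSSID whose OUI is not in the customer's AP inventory. The MAC prefixes, SSIDs and the KNOWN_AP_OUIS inventory are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample of passive-scan results (not real data). In practice
# these rows come from a Kismet or airodump-ng export.
SCAN = [
    {"bssid": "00:11:22:AA:BB:C0", "essid": "CorpWifi",      "ch": 36, "privacy": "WPA2-EAP"},
    {"bssid": "00:11:22:AA:BB:C1", "essid": "CorpGuest",     "ch": 36, "privacy": "OPN"},
    {"bssid": "00:11:22:AA:BB:C2", "essid": "",              "ch": 36, "privacy": "WPA2-PSK"},
    {"bssid": "00:11:22:AA:CC:10", "essid": "CorpWifi",      "ch": 1,  "privacy": "WPA2-EAP"},
    {"bssid": "00:11:22:AA:CC:12", "essid": "Warehouse-IoT", "ch": 1,  "privacy": "WPA2-PSK"},
    {"bssid": "AA:BB:CC:12:34:56", "essid": "CorpWifi",      "ch": 6,  "privacy": "WPA2-PSK"},
]
# Assumption: OUIs of the customer's managed AP fleet, taken from their inventory.
KNOWN_AP_OUIS = {"00:11:22"}
# SSIDs agreed on the ROE call.
IN_SCOPE = {"CorpWifi", "CorpGuest"}


def radio_key(bssid: str) -> str:
    """Heuristic: many enterprise APs derive one BSSID per SSID from a single
    radio MAC by varying only the low nibble of the last octet, so mask it."""
    octets = bssid.upper().split(":")
    return ":".join(octets[:5]) + ":" + octets[5][0]


def correlate_bssids(scan) -> dict:
    """Group BSSIDs by probable radio; hidden SSIDs are shown as <hidden>."""
    groups = defaultdict(set)
    for row in scan:
        groups[radio_key(row["bssid"])].add(row["essid"] or "<hidden>")
    return dict(groups)


def related_out_of_scope(scan, in_scope) -> set:
    """SSIDs that share a radio with an in-scope SSID but were not scoped.
    These are the candidates to raise with the customer for scope expansion."""
    found = set()
    for essids in correlate_bssids(scan).values():
        if essids & in_scope:
            found |= essids - in_scope
    return found


def rogue_candidates(scan, known_ouis, in_scope) -> list:
    """In-scope SSIDs advertised from a vendor not in the AP inventory:
    a possible evil-twin or employee-deployed rogue AP to investigate."""
    return [r["bssid"] for r in scan
            if r["essid"] in in_scope and r["bssid"].upper()[:8] not in known_ouis]
```

A hit from rogue_candidates is only a lead: confirm with the customer's controller before reporting it, since a lab AP or a new vendor can look identical in the scan.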
Extra Time
Some wireless deployments have few SSIDs, those that are deployed may appear to be properly configured, and the organization may have solid defenses against attacks. Typically this conclusion will be drawn through a combination of active testing and discussions with the customer. If the customer is using a Mobile Device Manager (AirWatch, InTune, Jamf, etc), pushing client certificates to devices, and using EAP-TTLS, then the probability of success will be exceptionally low. This may leave some extra time in the engagement. Before committing to “extra time” activities, ensure that your reporting is completely up to date; onsite engagements are an excellent source of accrued reporting debt. The following are some activities that can be accomplished with extra time:
- Assess other wireless protocols
  Note: Software defined radios should be used on physical hardware to avoid buffering issues. Use on a virtual machine typically results in significant difficulty.
  WARNING: Attacks against non-802.11 protocols should be executed with extreme care. Targeting with protocols like BLE and Zigbee is usually very difficult. As a result, testers should ask the customer for a representative device or physically inspect a customer device to confirm targeting before attacks are executed.
  - Check RFID badges for clonability using the Flipper Zero, Keysy, or Proxmark3 RDV4
  - Check for wireless keyboards and attempt keystroke injection against potentially vulnerable devices
  - Check for Zigbee issues
  - Check for BLE issues
  - Perform spectrum analysis to identify other interesting protocols
- Ad-hoc cooperative physical assessment
  - Check RFID badges for clonability using the Flipper Zero, Keysy, or Proxmark3 RDV4
  - Check door hasps for bypass conditions
  - Check request-to-exit sensors for bypass conditions
  - Check crash bar doors for bypass conditions
- Ad-hoc NAC bypass testing
  - Gather configuration details from printers and VoIP handsets
  - Clone MAC address of authorized device for sticky MAC bypass
  - Collect network traffic and analyze for potentially dangerous protocols
  - Connect to each device segment (printer and VoIP) and check for internet and corporate access