Different types of wireless hardware will have different attack surfaces. Attacks against commercial grade access points and other infrastructure are usually limited to the wireless attacks included in the main checklist. Consumer grade hardware may include features like Wi-Fi Protected Setup (WPS) that may present other opportunities for attack. Some time should be spent investigating hardware capabilities to ensure adequate testing of the features exposed through the hardware.
Procedure
- Review passive analysis results, focusing on identification of the hardware in use on the in-scope networks. Are the MAC Organizationally Unique Identifiers (OUIs) associated with:
  - Commercial grade hardware (Cisco, Aruba, etc.)
  - Consumer grade hardware (Netgear, ASUS, etc.)
- While performing attacks throughout the facility, attempt to determine the make/model of wireless hardware used by the organization through physical inspection.
  - How are the access points physically secured?
  - Could an attacker easily access them without being conspicuous?
  - Note any potential physical security issues in the report.
- After connecting to any of the in-scope networks, attempt to identify the make/model of wireless hardware used by the organization via scanning or other methods.
  - Capture network traffic and inspect that traffic for Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) packets. This traffic includes:
    - Device make
    - Device model
    - System name
    - VLAN details
    - Firmware revision
  - Actively scan APs using Nessus or Nmap. Attempt to determine hardware details from scan results. Navigate to web portals or any other exposed services and attempt to determine make/model.
- Determine supported features that may be useful for attack using the information gathered from the previous steps.
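The procedure above comes down to two data sources that can be correlated: the OUI of each observed MAC (commercial vs. consumer grade) and the device make, model, system name, VLAN and firmware details that LLDP announcements carry. The script below is an added example written for this checklist, not code from the original page or from any vendor; it parses an LLDP frame with a pure-Python TLV decoder and classifies the source OUI against a small table. The OUI table entries are sample values and should be verified against the IEEE registry before being relied on, the frame and every string in it are constructed for the example, and CDP (which uses LLC/SNAP encapsulation rather than an Ethertype) is not handled.

```python
"""Inventory wireless hardware from captured LLDP frames and classify its OUI.

Added example for this checklist: pure Python, no capture library required.
Feed it raw Ethernet frames (e.g. read from a pcap) to build an inventory.
"""
import struct

# Sample OUI table for the example. Verify prefixes against the IEEE
# registry before relying on them; this is not a complete or authoritative list.
OUI_TABLE = {
    "00:1a:a1": ("Cisco Systems", "commercial"),
    "00:0b:86": ("Aruba Networks", "commercial"),
    "20:e5:2a": ("Netgear", "consumer"),
    "04:d9:f5": ("ASUSTek", "consumer"),
}

LLDP_ETHERTYPE = b"\x88\xcc"
IEEE_8021_OUI = bytes.fromhex("0080c2")          # org-specific TLVs, subtype 1 = Port VLAN ID
CAPABILITY_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
                   0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_oui(mac: str) -> tuple:
    """Return (vendor, grade) for a MAC's 24-bit prefix; unknown prefixes are flagged."""
    return OUI_TABLE.get(mac.lower()[:8], ("unknown", "unknown"))


def _decode_id(value: bytes, mac_subtype: int) -> str:
    # Chassis ID and Port ID TLVs start with a one-byte subtype; the MAC subtype
    # differs between them (4 for chassis, 3 for port), hence the parameter.
    subtype, body = value[0], value[1:]
    if subtype == mac_subtype and len(body) == 6:
        return fmt_mac(body)
    return body.decode("utf-8", "replace")


def parse_lldp(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying an LLDPDU. Raises ValueError if malformed."""
    if len(frame) < 14 or frame[12:14] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"src_mac": fmt_mac(frame[6:12]), "vlans": [], "capabilities": []}
    info["vendor"], info["grade"] = classify_oui(info["src_mac"])
    off = 14
    while off + 2 <= len(frame):
        (hdr,) = struct.unpack("!H", frame[off:off + 2])
        ttype, tlen = hdr >> 9, hdr & 0x1FF        # 7-bit type, 9-bit length
        value = frame[off + 2:off + 2 + tlen]
        if len(value) != tlen:
            raise ValueError(f"truncated TLV type {ttype} at offset {off}")
        off += 2 + tlen
        if ttype == 0:                             # End of LLDPDU; ignore padding after it
            break
        if ttype == 1:
            info["chassis_id"] = _decode_id(value, mac_subtype=4)
        elif ttype == 2:
            info["port_id"] = _decode_id(value, mac_subtype=3)
        elif ttype == 3 and len(value) >= 2:
            (info["ttl"],) = struct.unpack("!H", value[:2])
        elif ttype == 4:
            info["port_description"] = value.decode("utf-8", "replace")
        elif ttype == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif ttype == 6:                           # usually carries make/model/firmware
            info["system_description"] = value.decode("utf-8", "replace")
        elif ttype == 7 and len(value) >= 4:
            enabled = struct.unpack("!HH", value[:4])[1]
            info["capabilities"] = [n for bit, n in CAPABILITY_BITS.items() if enabled & bit]
        elif ttype == 127 and len(value) >= 4:
            oui, subtype, data = value[:3], value[3], value[4:]
            if oui == IEEE_8021_OUI and subtype == 1 and len(data) == 2:
                info["vlans"].append(struct.unpack("!H", data)[0])
    return info


def inventory(frames) -> list:
    """Parse every frame, skipping non-LLDP or malformed ones instead of aborting."""
    rows = []
    for frame in frames:
        try:
            rows.append(parse_lldp(frame))
        except ValueError:
            continue
    return rows


def _tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def sample_frame() -> bytes:
    """Constructed LLDP announcement from a hypothetical AP; every value is made up."""
    src = bytes.fromhex("001aa1123456")
    return (bytes.fromhex("0180c200000e") + src + LLDP_ETHERTYPE
            + _tlv(1, b"\x04" + src)                                   # Chassis ID (MAC)
            + _tlv(2, b"\x05Gi0/1")                                    # Port ID (interface name)
            + _tlv(3, struct.pack("!H", 120))                          # TTL
            + _tlv(5, b"ap-lobby-01")                                  # System name
            + _tlv(6, b"AP-1000 hardware rev 2, firmware 9.9.9 (constructed sample)")
            + _tlv(7, struct.pack("!HH", 0x000C, 0x0008))              # caps: bridge+AP, AP enabled
            + _tlv(127, IEEE_8021_OUI + b"\x01" + struct.pack("!H", 10))  # Port VLAN ID 10
            + _tlv(0, b""))                                            # End of LLDPDU


if __name__ == "__main__":
    for row in inventory([sample_frame(), b"\x00" * 20]):   # second frame is junk and is skipped
        print(row)
```

Run over frames pulled from a capture taken after connecting to the in-scope network, the output rows give the vendor and grade per OUI, the system name and description (make, model, firmware revision), the port VLAN, and whether the device advertises itself as a WLAN access point, which is exactly the material the "Determine supported features" step needs. Truncated TLVs raise rather than silently yielding partial fields, and the malformed or non-LLDP frames common in a real capture are skipped by `inventory` instead of stopping the run.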