Saturday, September 18, 2010

Free (as in beer) wireless pentesting class

As a contribution to the incredibly awesome Security B-Sides unconference in Atlanta, the gang at Errata Security has put together a free training class based on our techniques for completing a professional wireless penetration test. We'll be going over the 5 basic areas of the "gold standard" wireless security assessment, as we do from time to time for a living.

To see what prerequisite knowledge is required to participate, and to register for the class (only a few spots left!), please read more.

WiFi pentesting in 5 parts.

#1 Sniffing

Get a proper WiFi adapter. Only about half of them work for WiFi hacking (the driver has to support monitor mode and packet injection). If your laptop doesn't have one, get a USB adapter. The best one to have built into your laptop is an Atheros chipset. The best USB adapter is the Alfa AWUS036H (based on the RTL8187L). What's great about the Alfa is its range: it is more sensitive (can hear packets from further away) and has a more powerful transmitter. The Alfa is $40. You can also find excellent USB adapters for less than $15, but you have to work at it.

List of compatible USB chipsets:
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers

Where to buy: http://www.newegg.com/Store/SubCategory.aspx?SubCategory=31&name=Wireless-Adapters&Order=PRICE

Before the class, put your adapter into monitor mode (airmon-ng from the aircrack-ng suite does this) and confirm with a program like Wireshark that you capture raw 802.11 frames from networks you are not associated with. Ordinary promiscuous mode is not enough for wireless: it only shows you traffic on the network you have already joined. You might also consider a small directional antenna, to boost range even further.

#2 Stumbling

Use NetStumbler, Kismet, or airodump-ng (from the aircrack-ng suite) to find networks to break into (or Squirrel). Note the SSID, BSSID, channel, and encryption type of the target; you will need all four for the cracking step.

#3 Cracking

Use the "aircrack-ng" suite.
  • If they use 40-bit WEP, you can brute-force the key with just one captured data packet: each candidate key is tried and checked against the packet's ICV checksum.
  • If they use 104-bit ("128-bit") WEP, you need to capture tens of thousands of data packets with distinct IVs and run a statistical attack (PTW in aircrack-ng). Real traffic is usually too slow, so you transmit packets to encourage the access point to send more: replaying a captured ARP request with aireplay-ng is the usual trick.
  • If they use some oddball thing, like LEAP, you need to do special things (Leapcrack).
  • If they use WPA-PSK, you need to capture a logon, i.e. the 4-way handshake. To do that, you probably need to kick somebody off the network by transmitting a deauthentication (aireplay-ng --deauth); the client reconnects and you record the handshake. The passphrase is then guessed offline, one dictionary word at a time, so a long random passphrase is out of reach and a short one is not.
  • If they use WPA-enterprise, you are probably screwed.

#4 Eavesdropping (passive)

Once you've cracked the encryption, one thing to do is just eavesdrop and do things like "Sidejacking" (stealing session cookies to get into their e-mail). (Hamster, Ferret)

#5 Hacking (active)

Or you can connect to their network, nmap-scan the company, and use Metasploit to break into their servers.

Some time will be spent at the end of the class reviewing proper documentation for a penetration test as well.

Registration for the class is closed. Class will take place during Security B-Sides Atlanta from 1:00PM to 3:45PM. Bring your laptop for testing, and we'll provide the target environment.

2 comments:

mokum von Amsterdam said...

Very sweet!
As I can't attend I wondered if the contents of the course will be made public at any time?

Matt Johansen said...

Very awesome addition to the conference! Wish I could be on that coast!