SEC617 (GAWN): SANS Wireless Ethical Hacking, Pen Testing


SANS SEC617 (GAWN) Wireless Ethical Hacking, Penetration Testing, and Defenses
Book 617.1: Wireless Architecture and Analysis

617.1 Module 1: The Wireless Threat . 1-1 – 1-25
Introducing Wireless Security Misconceptions, Attacks & Vulnerabilities
Mobility Changes Traditional Security Approaches . 1-2
Outdoor WMAN Signal Exposure . 1-3
Common Misconceptions . 1-4 – 1-7
Wireless LAN Signal Leakage . 1-8 – 1-9
Information Disclosure Threats . 1-10 – 1-11
  Outdoor Wireless MAN – Unencrypted
Denial-of-Service Attacks . 1-12 – 1-13
Rogue Threats . 1-14
Protocol Weaknesses . 1-15
Albert Gonzalez (TJ Maxx, etc.) . 1-16
Bluetooth Data Extrusion . 1-17
Home Users . 1-18
Anonymity Attacks . 1-19
Capturing Network Probes . 1-20
Wireless Geographic Locating . 1-21
  www.wigle.net
Google Maps . 1-22
Summary – Wireless Threats . 1-23 – 1-25
Additional Reading: http://www.sans.org/reading sks-practices-mitigate 1350

SEC617 SANS Wireless Ethical Hacking, Penetration Testing and Defenses – Index, Page 1 of 38

617.1 Module 2: Wireless LAN Organizations & Standards . 2-2 – 2-24
“802.11 Alphabet Soup” and the Responsible Parties
Introduction . 2-2
Standards Bodies . 2-3
FCC . 2-4
Institute of Electrical & Electronics Engineers (IEEE) . 2-5
Internet Engineering Task Force . 2-6
Wi-Fi Alliance . 2-7
Standards Bodies and OSI . 2-8
IETF Standard – EAP . 2-9
IEEE Wireless Standards . 2-10 – 2-21
  802.11i . 2-11
  802.11k . 2-12
  802.11n . 2-13
  802.11r . 2-14
  802.11s . 2-15
  802.11w . 2-16 – 2-17
  802.11y . 2-18
  Upcoming Technology . 2-19 –
    802.11ah
  802.11 WG Resources . 2-21
Summary . 2-22
Backup . 2-23
IETF Standards – RADIUS . 2-24

617.1 Module 3: SWAT Kit Components . 3-1 – 3-5
Introduction to the SANS Wireless Auditing Toolkit
SWAT . 3-2
Hardware – ALFA USB Adapter . 3-3
Hardware – Parani SENA UD-100 Bluetooth Adapter . 3-4
Hardware – TripNav GPS . 3-5

617.1 Module 4: Sniffing Wireless . 4-1 – 4-49
Tools, Techniques and Implementation
Sniffing Wireless Introduction . 4-2
Tools for this Module . 4-3
  Libpcap – http://www.tcpdump.org
  Tcpdump – http://www.tcpdump.org (Unix / Linux), http://www.winpcap.org/ (Windows)
  Wireshark – www.wireshark.org
  Kismet – www.kismetwireless.net
  NetMon – ?FamilyID 983b941d-06cb-4658b7f6-3088333d062f&displaylang en
Definitions and Terms . 4-4
Wireless Sniffing . 4-5 – 4-6
Managed Mode Sniffing (1) . 4-7
Monitor Mode Sniffing (2) . 4-8
Using RFMON Sniffing . 4-9
Windows XP/Vista/7 – AirPcap . 4-10
RFMON – Vista/7 . 4-11
NetMon 3.3 Wi-Fi Capture . 4-12
Mac OS X – Snow Leopard . 4-13
Linux – Setting RFMON Mode . 4-14 – 4-15
Linux Auditing Tools . 4-16
Libpcap . 4-17
Tcpdump . 4-18
Common Tcpdump Options . 4-19
  -i : specify interface
  -n : no DNS name resolution
  -s : specify snap length
  -X : print payload in ASCII & hex
  -r : read from capture file
  -w : save to libpcap-formatted file
Using Tcpdump . 4-20
Wireshark . 4-21 – 4-28
Using Wireshark . 4-22
Wireshark Display Filters . 4-23 – 4-24
Identifying Wireshark Display Fields . 4-25
Creating Display Filters . 4-26 – 4-27
Wireshark Protocol Dissectors . 4-28
Kismet . 4-29 – 4-38
Kismet Features . 4-30 – 4-31
Kismet Requirements . 4-32
Using Kismet – Detecting Networks . 4-33

Using Kismet – Common UI Commands . 4-34 – 4-35
  s: change sort order
  h: help
  i: get detailed info on selected network
  c: show clients
  p: real-time packet dump
  d: clear-text strings
  x: quit current window
  Q: quit Kismet
Using Kismet – Network Detail . 4-36
Using Kismet – Client Listing . 4-37
Using Kismet – Network Mapping . 4-38
GPSMAP Reporting . 4-39 – 4-40
GPSMAP – Range Map . 4-41
GPSMAP – Google Maps . 4-42
GPSMAP – Google Earth . 4-43
Kismet – Newcore . 4-44 – 4-45
Kismet Newcore UI . 4-46
Summary . 4-47 – 4-48
Lab – Sniffing Wireless . 4-49
  Using BackTrack
  Using Wireshark display filters
  Monitor mode sniffing
  Introduction to using Kismet
  Network mapping with gpsmap
Workbook Lab 1 – Sniffing Wireless: Pages 1-1 – 1-51; answers on pages 1-52 – 1-53
Workbook Lab 2 – Live Network Mapping: Pages 2-1 – 2-9
Workbook Lab 2A – Outdoor Live Network Mapping: Pages 2A-1 – 2A-12

617.1 Module 5: 802.11 MAC . 5-1 – 5-38
Examining the 802.11 MAC Layer and Associated Standards
Introduction . 5-2
Definitions and Terms . 5-3
IEEE 802.11 Specification . 5-4
MAC Layer . 5-5 – 5-6
IBSS Architecture . 5-7
Infrastructure Architecture . 5-8
Authentication and Association . 5-9 – 5-10
  Client --------- AP
IEEE 802.11X . 5-11 – 5-12
IEEE 802.11X Authentication (EAP) . 5-13
EAP and 802.1X . 5-14
What’s in an EAP? . 5-15 – 5-16
802.11 Framing . 5-17
Generic 802.11 Frame Header . 5-18
802.11 Frame Control Field . 5-19 – 5-20
To DS and From DS Significance . 5-21 – 5-22
802.11 Duration/ID Field . 5-23
802.11 Addressing . 5-24 – 5-25
Address Order, Infrastructure . 5-26
Address Order, Special . 5-27 – 5-28
802.11 Sequence Control Field . 5-29
802.11 Frame Check Sequence . 5-30
802.11 Management Frames (1) . 5-31
802.11 Management Frames (2) . 5-32
802.11 Management Action Frames . 5-33
Sample Decode . 5-34
Summary . 5-35 – 5-37
Lab – 802.11 Fundamentals . 5-38
  Examine supplied sniffer traces
  Inspect management frames
  Follow the exchange of EAP
Workbook Lab 3 – 802.11 MAC: Pages 3-1 – 3-13; answers on pages 3-14 – 3-18

Book 617.1 Wireless Architecture and Analysis – END –

SANS SEC617 (GAWN) Wireless Ethical Hacking, Penetration Testing, and Defenses
Book 617.2: Wireless Security Exposed Part 1

617.2 Module 6: WLAN Auditing Methodologies . 1-1 – 1-45
Identifying WLAN Components from Network Analysis
Introduction . 1-2
Tools for this Module . 1-3
  Kismet – www.kismetwireless.net
  Wireshark – www.wireshark.org
  Ekahau HeatMapper – http://www.ekahau.com/heatmapper
  Microsoft Excel – www.microsoft.com
  PCAPhistogram – http://802.11ninja.net/code/pcaphistogram.pl (dead link)
Definitions and Terms . 1-4 – 1-5
Assumptions so Far . 1-6
Passive AP Fingerprinting . 1-7
Fingerprinting – MAC Prefixes . 1-8
Fingerprinting – Beacons . 1-9 – 1-10
IE Information Disclosure . 1-11
Cisco WLC Disclosure . 1-12
Client Post-Processing Analysis . 1-13
XML Analysis Example . 1-14
Security Methods – Kismet . 1-15
Manual Analysis – Wireshark . 1-16
Mapping Range – Outdoor . 1-17
Kismet Outdoor Mapping . 1-18
Ekahau HeatMapper . 1-19
Visualizing Clients/APs . 1-20
Client to AP Relationship Map . 1-21
Client Probe Graph Map . 1-22
Assessing Traffic . 1-23
Interesting Strings . 1-24 – 1-25
What’s in a MAC? . 1-26 – 1-27
Identifying Encrypted Traffic . 1-28
PCAP Histogram . 1-29
Policy Compliance . 1-30
DoDD 8100.2 . 1-31 – 1-32
Auditing DoDD 8100.2 . 1-33
PCI Implications . 1-34 – 1-35
Summary . 1-36 – 1-38

Lab – Wireless Auditing . 1-39
  Determine encrypted traffic with pcaphistogram
  Use “strings” to identify ASCII strings in a pcap file
  Identify all usernames in EAP transactions for a capture file
Workbook Lab 4 – WLAN Audit Methodologies: Pages 4-1 – 4-14; answers on pages 4-15 – 4-19
Backup (Additional Content) . 1-44 – 1-45
Mapping Range – Indoor . 1-41 – 1-42
Netstumbler for Indoor Mapping . 1-43
  Netstumbler – www.stumbler.net – v0.4.0
Indoor Mapping AirMagnet Survey . 1-44
AirMagnet Survey Example . 1-45

617.2 Module 7: Rogue Network Threats . 2-1 – 2-40
Identifying, Locating and Defeating Rogue APs
Introduction . 2-2
Tools for this Module . 2-3
  Nmap – www.insecure.org
  Rogue AP.nse
  Kismet – www.kismetwireless.net
  Wireshark – www.wireshark.org
Definitions and Terms . 2-4 – 2-5
Types of Rogue Threats . 2-6
Malicious Rogue Compromise . 2-7
IBSS Rogues . 2-8
“Free Public WiFi” . 2-9
Windows Bridging .
