Hands-on workshop on wireless reconnaissance using an open-source wireless frequency analyser, also covering wireless perimeter security.
https://nsconclave.net-square.com/advance-wireless.html
2. [~]$ whoami
Rohit Jadav - Manager Professional Services
● 5+ yrs experience in the information security domain
● Vast experience in VAPT on various business and banking applications and corporate networks
● Performed a PCI-DSS wireless assessment for an international client
@54ucyv1p3r
Rohit Jadav
3. Overview
Wireless computing devices are everywhere and new products seem to appear daily, which poses significant security risks to an organization. As a result, network and information security staff must understand the risks inherent in wireless computing.
This workshop is designed to teach the basic wireless networking concepts.
Hands-on activities are presented from the auditor's perspective to help learners understand a wireless auditing methodology.
4. Workshop Objectives
After the completion of the workshop the learners should be able to:
➔ Understand the operation of 802.11 and other wireless
technologies.
➔ Perform passive 802.11b/g/n/a/ac scanning (2.4 and 5GHz bands)
➔ Perform packet capture and analysis of 802.11 traffic
➔ Perform PCI-DSS compliance audit:
◆ Perform wardriving / warwalking
◆ RF signal capture and strength analysis
◆ Identify and analyse a frequency from the spectrum
◆ Isolate rogue frequency
6. Wireless Technology - Communication
Wireless communication refers to the transfer of information using electromagnetic (EM) or acoustic waves through the atmosphere rather than over any propagation medium that employs wires.
9. Wireless LANs
● Use high-frequency radio waves instead of cables to connect the devices in a LAN.
● Very flexible within the reception area.
● Ad-hoc networks are possible without prior planning.
● No wiring difficulties.
● More robust against disasters (no cable plant to damage); the flip side is that the radio reach extends past the building perimeter, which is what the perimeter assessment in this workshop is about.
11. Wireless LANs - Basics - Wi-Fi
Wi-Fi is a generic term that refers to the IEEE 802.11 family of standards for Wireless Local Area Networks.
Wi-Fi is defined at the physical layer and the data link (MAC) layer.
Wi-Fi uses the radio technologies of the successive 802.11 amendments:
IEEE 802.11b (2.4 GHz)
IEEE 802.11a (5 GHz)
IEEE 802.11g, 802.11n and later amendments such as 802.11ac
12. Wireless LANs - Basics - Wi-Fi
Access Point (AP): A wireless LAN transceiver or "base station" that connects one or many wireless devices to the wired network, and through it to the Internet.
Service Set Identifier (SSID): The name that identifies a specific wireless LAN. It is advertised in beacon frames, so it is visible to any passive scanner and is not a security control.
Basic Service Set (BSS): A set of stations controlled by a single coordination function, identified by a BSSID (normally the AP's MAC address). A BSS is either an Independent BSS (IBSS, an ad-hoc network with no AP) or an infrastructure BSS built around one AP; several infrastructure BSSs that share an SSID form an Extended Service Set (ESS).
13. Wireless LANs - Basics - Bluetooth
Bluetooth is a short-range, low-power wireless technology developed for exchanging data over short distances, creating Personal Area Networks (PANs).
● Operates in the 2.4 GHz ISM band, which it shares with Wi-Fi
● Effective range of about 10 metres for the common Class 2 devices
● Basic Rate supports a data rate of 1 Mbit/s
● Uses Frequency-Hopping Spread Spectrum (FHSS) across 79 channels of 1 MHz, so on a spectrum analyser it shows up as short bursts spread over the band rather than as a fixed carrier
14. Wireless LANs - Basics - WiMax
WiMAX (Worldwide Interoperability for Microwave Access) is the IEEE 802.16 broadband wireless standard.
● It is a wide area (metropolitan) wireless network standard
● Operates in licensed bands between 2.5 and 3.5 GHz
● Provides high-speed mobile data and telecommunications services
● Highly scalable and distributed architecture
15. What do wireless technologies actually work on?
17. Television
1. Analog video - amplitude modulated, 50 MHz to 800 MHz
2. Digital video - complex modulation, 200 MHz to 800 MHz
Cellular phones
1. Voice - analog or digital modulation, 800 MHz to 900 MHz
2. 3G, 4G or LTE - 1700 MHz to 1900 MHz and other bands
3. Bluetooth - digital modulation at 2400 MHz
Satellite signals
1. Many types of signals - voice, audio, video, data
2. Many modulation types - analog and digital
3. Many, many frequencies - 3400 MHz, 5900 MHz, 10.7 GHz
Wi-Fi and Bluetooth
1. Wi-Fi - digital modulation at 2400 MHz or 5000 to 5800 MHz
2. Bluetooth - digital modulation at 2400 MHz
AM/FM
1. AM radio - AM modulation, 0.6 MHz to 1.6 MHz
2. FM radio - FM modulation, 88 MHz to 108 MHz
18. ISM UNII Bands
INDUSTRIAL, SCIENTIFIC AND MEDICAL (ISM) BANDS
They are defined in the ITU Radio Regulations, maintained by the ITU Radiocommunication Sector (ITU-R). The IEEE 802.11 standard and the subsequent 802.11b and 802.11g amendments all define communications in the frequency range between 2.4 GHz and 2.4835 GHz.
UNLICENSED NATIONAL INFORMATION INFRASTRUCTURE BANDS (UNII)
The IEEE 802.11a amendment assigns data transmissions within the frequency space of the 5 GHz UNII bands. The 802.11a amendment uses three groupings, or bands, of UNII frequencies. All three bands are 100 MHz wide.
20. ISM Bands
900 MHz ISM band
● 26 MHz wide (902-928 MHz)
● Available as an ISM band in ITU Region 2 (the Americas); in most other regions this range is allocated to the Global System for Mobile Communications (GSM), so it is not usable as an ISM band there
2.4 GHz ISM band
● Currently the most commonly used band
● 83.5 MHz wide, spanning 2.4000 GHz to 2.4835 GHz
5.8 GHz ISM band
● 150 MHz wide, spanning 5.725 GHz to 5.875 GHz
● The preferred spectrum for long-distance wireless bridging
21. UNII Bands
UNII-1 band
● Operates between 5.15 and 5.25 GHz
● 100 MHz wide
UNII-2 band
● Operates between 5.25 and 5.35 GHz
● 100 MHz wide
UNII-3 band
● Operates between 5.725 and 5.825 GHz
● 100 MHz wide (overlaps the lower part of the 5.8 GHz ISM band)
24. Hands on - Identify the wireless devices
Warwalking / Wardriving
25. Wardriving / Warwalking
Requirements:
● Wi-Fi card that supports monitor mode (an Alfa card)
● Kali Linux
● Kismet
● Aircrack-ng Wi-Fi network security assessment suite
Tasks:
● Hands-on with the assessment tools
● Identify the wireless access points
● Observe the wireless properties
● Identify client properties
● Capture handshakes
26. What did we learn?
● Detect wireless devices in the vicinity
● Identify the clients connected to the access points
● Wireless access point properties (signal strength, channel details, etc.)
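As an added example (not part of the workshop material, and not aircrack-ng or Kismet code), the Python below performs the triage an auditor does after a warwalk on the CSV that airodump-ng writes (for example `airodump-ng --band abg --output-format csv -w scan wlan0mon` produces `scan-01.csv`): which BSSIDs are not on the authorised list, which of those advertise a corporate SSID (an evil twin until proven otherwise), which run open or WEP, and which clients are attached to or probing for them. The CSV text, BSSIDs, SSIDs and the authorised list are constructed for this example, and `parse_airodump_csv()` and `audit()` are this example's own helper names.

```python
"""Post-warwalk triage of an airodump-ng CSV file.

Added example, not code from the workshop, aircrack-ng or Kismet. The CSV
text, BSSIDs, SSIDs and the authorised list below are constructed; the
helper names parse_airodump_csv() and audit() are this example's own.
A real file comes from:  airodump-ng --band abg --output-format csv -w scan wlan0mon
"""
import csv
import io

# Constructed sample in airodump-ng's CSV layout: AP table, blank line, station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-03-01 10:00:01, 2024-03-01 10:09:58,  6,  54, WPA2, CCMP, PSK, -41,      212,        0,   0.  0.  0.  0,   8, CorpWiFi,
00:11:22:33:44:66, 2024-03-01 10:00:03, 2024-03-01 10:09:55, 36, 867, WPA2, CCMP, MGT, -58,      180,        0,   0.  0.  0.  0,   8, CorpWiFi,
DE:AD:BE:EF:00:01, 2024-03-01 10:02:10, 2024-03-01 10:09:50,  6,  54, WPA2, CCMP, PSK, -35,      150,        0,   0.  0.  0.  0,   8, CorpWiFi,
AA:BB:CC:00:00:01, 2024-03-01 10:01:00, 2024-03-01 10:09:40, 11,  54, OPN,  ,  , -62,       90,        0,   0.  0.  0.  0,   9, Guest,POS,
AA:BB:CC:00:00:02, 2024-03-01 10:01:30, 2024-03-01 10:08:00,  1,  11, WEP, WEP,  , -77,       40,       12,   0.  0.  0.  0,   7, OldLab7,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:01, 2024-03-01 10:00:05, 2024-03-01 10:09:58, -50,      310, 00:11:22:33:44:55, CorpWiFi
11:22:33:44:55:02, 2024-03-01 10:02:15, 2024-03-01 10:09:49, -44,      120, DE:AD:BE:EF:00:01, CorpWiFi
11:22:33:44:55:03, 2024-03-01 10:03:00, 2024-03-01 10:09:00, -70,       15, (not associated), CorpWiFi, HomeNet
"""

# Constructed asset inventory: the radios and SSIDs the site is supposed to run.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
CORPORATE_ESSIDS = {"CorpWiFi"}


def parse_airodump_csv(text):
    """Return ({bssid: ap_dict}, [station_dict]) from airodump-ng CSV text."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not any(cell.strip() for cell in row):
            continue                                   # blank separator line
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap":
            # Columns 0-12 are fixed width; an ESSID may itself contain commas,
            # so everything between column 12 and the trailing Key column is the ESSID.
            aps[row[0]] = {
                "bssid": row[0], "channel": int(row[3]), "privacy": row[5].strip(),
                "cipher": row[6].strip(), "auth": row[7].strip(),
                "power_dbm": int(row[8]), "beacons": int(row[9]),
                "essid": ",".join(row[13:-1]).strip(),
            }
        elif section == "sta":
            stations.append({
                "mac": row[0], "power_dbm": int(row[3]), "packets": int(row[4]),
                "bssid": row[5].strip(),
                "probed": [p.strip() for p in row[6:] if p.strip()],
            })
    return aps, stations


def audit(aps, stations, authorized_bssids, corporate_essids):
    """Return (kind, subject, detail) findings for the auditor to walk down."""
    findings = []
    for ap in aps.values():
        if ap["bssid"] in authorized_bssids:
            continue
        where = f"ch {ap['channel']} at {ap['power_dbm']} dBm"
        if ap["essid"] in corporate_essids:
            detail = f"unknown BSSID advertising '{ap['essid']}' on {where}"
            legit = [a["power_dbm"] for a in aps.values()
                     if a["bssid"] in authorized_bssids and a["essid"] == ap["essid"]]
            if legit and ap["power_dbm"] > max(legit):
                detail += ", stronger than any authorised AP here, likely on premises"
            findings.append(("evil-twin", ap["bssid"], detail))
        elif ap["privacy"] in ("OPN", "WEP"):
            findings.append(("weak-or-open", ap["bssid"], f"'{ap['essid']}' uses {ap['privacy']} on {where}"))
        else:
            findings.append(("unknown-ap", ap["bssid"], f"'{ap['essid']}' ({ap['privacy']}) on {where}"))
    for sta in stations:
        ap = aps.get(sta["bssid"])
        if ap and ap["bssid"] not in authorized_bssids and ap["essid"] in corporate_essids:
            findings.append(("client-on-rogue", sta["mac"], f"associated to {ap['bssid']} ('{ap['essid']}')"))
        elif sta["bssid"] == "(not associated)" and set(sta["probed"]) & corporate_essids:
            wanted = sorted(set(sta["probed"]) & corporate_essids)
            findings.append(("probing-client", sta["mac"], f"probing for {wanted} while unassociated"))
    return findings


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for kind, subject, detail in audit(aps, stations, AUTHORIZED_BSSIDS, CORPORATE_ESSIDS):
        print(f"{kind:16} {subject:18} {detail}")
```

A BSSID that is not in the inventory is only a rogue candidate: the next step is the walk-down with the Power column (and a directional antenna) to confirm it is inside the perimeter rather than a neighbour's AP, which is the evidence a PCI-DSS wireless assessment needs before the finding is written up. Clients that probe for the corporate SSID while unassociated are the population an evil twin will catch, so they are worth listing even when no rogue is found.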
31. Electromagnetic Spectrum
[Figure: the electromagnetic spectrum from sound waves through visible light to harmful radiation, marking the ISM bands, the 2.4 GHz ISM band and 4G cellular.]
VHF = Very High Frequency (30-300 MHz)
UHF = Ultra High Frequency (300 MHz-3 GHz)
SHF = Super High Frequency (3-30 GHz)
EHF = Extremely High Frequency (30-300 GHz)
35. Scanning the RF spectrum
Requirements:
● RF Explorer
● RF Explorer client installed on the machine
Tasks:
● Analyse the spectrum
● Identify the frequencies
● Distinguish rogue from authentic radio frequencies
● Isolate a rogue frequency
36. RF Jargon
● Attenuation: a loss in signal strength. Attenuation occurs as radio waves travel through media such as coaxial cable, walls and air.
● Noise Floor: the measure of the signal created from the sum of all the noise sources and unwanted signals appearing at the receiver. This can be adjacent signals, weak signals in the background that don't go away, electrical noise from electromechanical devices, etc. On a spectrum analyser it is the level the trace settles to where nothing is transmitting.
● Receiver Sensitivity: the minimum received power needed to successfully decode a radio signal with an acceptable bit error rate (BER). It is usually expressed as a negative dBm value and depends on the data rate (higher rates need a stronger signal).
● SNR (Signal to Noise Ratio): the difference, in dB, between the received signal level and the noise floor at the receiver. It is the receiver's view that matters: the AP's transmit power only counts after path loss and attenuation have been subtracted.
37. Antennas
Nagoya Telescopic NA-773
● A telescopic, high-quality 2 dBi antenna ideally suited for the 144 MHz and 430 MHz bands.
● Use this antenna for all frequencies between 15 and 1000 MHz.
38. Antennas
Whip dipole antennas
● Quality 2 dBi antennas designed for narrow-band applications.
● The RF Explorer 6G includes a 2 dBi antenna tuned for 2450 MHz.
39. Antennas
Rubber duck 5.8 GHz antenna
● A quality antenna with good coverage in the range 5.4-5.9 GHz.
● Offers reasonable coverage in the 2.4 GHz band too, so it can be used as a dual-band antenna for Wi-Fi.
● Whichever antenna is fitted, a reading taken outside its tuned band understates the real signal level, so compare dBm values only between sweeps taken with the same antenna.
40. Frequency Settings
● dBm: decibels relative to one milliwatt; an absolute power level expressed on the logarithmic dB scale (0 dBm = 1 mW, -30 dBm = 1 µW, 30 dBm = 1 W)
● Center Freq: centre frequency in MHz
● Freq Span: frequency span (or range) to display on screen in MHz
● Start Freq: lower frequency of the range displayed on screen in MHz
● Stop Freq: upper frequency of the range displayed on screen in MHz
The two pairs describe the same window: Start = Center - Span/2 and Stop = Center + Span/2. To watch the whole 2.4 GHz ISM band, for example, set Start 2400 MHz and Stop 2483.5 MHz (Center 2441.75 MHz, Span 83.5 MHz).
41. Calculator
● Max: peak values are used from the last sweep Iterations. This is the standard mode.
● Max Hold: captures all activity in the band, showing the maximum signal envelope as vector graphics together with real-time activity as vertical bars. Use it to catch bursty or intermittent transmitters (frequency-hopping Bluetooth, a rogue that only transmits occasionally) that a single sweep would miss.
● Average: the arithmetic mean is calculated over the last sweep Iterations. This is the best choice to remove unwanted white noise from the screen, particularly useful for continuous wave (CW) and channel signal display, but it also suppresses short bursts.
● Normal: no calculation is done, just raw data as the result of the real-time sweep.
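As an added example, not code from the workshop or from the RF Explorer software, the Python below reproduces the calculations of this slide and the rogue-frequency task of slide 35 on a constructed set of sweeps: three "Iterations" over 2400-2500 MHz in 1 MHz steps, a noise floor near -95 dBm, a 20 MHz Wi-Fi signal on channel 6 (2437 MHz) and a narrow carrier at 2450 MHz that is present in only one sweep. It builds the Max Hold and Average traces, estimates the noise floor, reports the SNR of each detected signal, and labels each one authorised, unauthorised Wi-Fi or non-Wi-Fi from its centre frequency, its width and the channels the site operates. All sample data is constructed and every helper name is this example's own, not RF Explorer terminology.

```python
"""Spectrum-sweep analysis in the spirit of the RF Explorer workflow.

Added example, not workshop or RF Explorer code. All sweep data is constructed
(make_sweeps); max_hold, average, noise_floor, find_signals, wifi_channel_for
and classify_signals are this example's own names.
"""
from statistics import mean, median

START_MHZ = 2400
STEP_MHZ = 1
NUM_BINS = 101          # 2400 .. 2500 MHz inclusive


def dbm_to_mw(dbm):
    """dBm is power relative to 1 mW on a log scale: 0 dBm = 1 mW, 30 dBm = 1 W."""
    return 10 ** (dbm / 10.0)


def make_sweeps(n=3):
    """Constructed sweeps standing in for n RF Explorer Iterations."""
    sweeps = []
    for i in range(n):
        sweep = []
        for b in range(NUM_BINS):
            f = START_MHZ + b * STEP_MHZ
            level = -97.0 + (b * 7 + i * 3) % 5        # deterministic noise, -97..-93 dBm
            if 2427 <= f <= 2447:                       # channel 6 Wi-Fi, about 20 MHz wide
                level = -55.0 - abs(f - 2437) * 0.5 + (i % 2)
            if f == 2450 and i == 1:                    # intermittent narrowband carrier
                level = -60.0
            sweep.append(level)
        sweeps.append(sweep)
    return sweeps


def max_hold(sweeps):
    """Peak per bin across all sweeps: keeps bursty or intermittent signals."""
    return [max(col) for col in zip(*sweeps)]


def average(sweeps):
    """Mean per bin across sweeps: suppresses noise but also short bursts."""
    return [mean(col) for col in zip(*sweeps)]


def noise_floor(trace):
    """Median of the trace; valid while most bins carry only noise."""
    return median(trace)


def find_signals(trace, floor, min_snr_db=12.0):
    """Group contiguous bins at least min_snr_db above the floor into signals."""
    signals, start = [], None
    for b, level in enumerate(trace + [floor]):         # sentinel closes a trailing run
        above = (level - floor) >= min_snr_db
        if above and start is None:
            start = b
        elif not above and start is not None:
            seg = trace[start:b]
            peak = max(seg)
            peak_bin = start + seg.index(peak)
            signals.append({
                "center_mhz": START_MHZ + peak_bin * STEP_MHZ,
                "peak_dbm": peak,
                "width_mhz": (b - start) * STEP_MHZ,
                "snr_db": peak - floor,
            })
            start = None
    return signals


# 802.11 channel centres: 2.4 GHz channels 1-14, 5 GHz channels 36-64, 100-144, 149-165.
WIFI_CENTERS = {ch: 2407 + 5 * ch for ch in range(1, 14)}
WIFI_CENTERS[14] = 2484
for _ch in list(range(36, 65, 4)) + list(range(100, 145, 4)) + list(range(149, 166, 4)):
    WIFI_CENTERS[_ch] = 5000 + 5 * _ch


def wifi_channel_for(center_mhz, tolerance_mhz=2):
    """Nearest 802.11 channel whose centre lies within tolerance, else None."""
    ch, centre = min(WIFI_CENTERS.items(), key=lambda kv: abs(kv[1] - center_mhz))
    return ch if abs(centre - center_mhz) <= tolerance_mhz else None


def classify_signals(signals, authorized_channels, min_wifi_width_mhz=15):
    """Label each signal: 'authorized' (a Wi-Fi channel the site operates),
    'unauthorized-wifi' (a Wi-Fi channel it does not) or 'non-wifi' (wrong
    centre or far too narrow for an 802.11 channel). The last two are the
    rogue candidates to walk down with a directional antenna."""
    out = []
    for s in signals:
        ch = wifi_channel_for(s["center_mhz"])
        if ch is None or s["width_mhz"] < min_wifi_width_mhz:
            label = "non-wifi"
        elif ch in authorized_channels:
            label = "authorized"
        else:
            label = "unauthorized-wifi"
        out.append(dict(s, channel=ch, label=label))
    return out


if __name__ == "__main__":
    sweeps = make_sweeps()
    floor = noise_floor(average(sweeps))
    for name, trace in (("Max Hold", max_hold(sweeps)), ("Average", average(sweeps))):
        print(f"{name}: noise floor {floor:.1f} dBm")
        for s in classify_signals(find_signals(trace, floor), authorized_channels={1, 6, 11}):
            print(f"  {s['center_mhz']} MHz  {s['peak_dbm']:.1f} dBm  width {s['width_mhz']} MHz  "
                  f"SNR {s['snr_db']:.1f} dB  ch {s['channel']}  {s['label']}")
```

On this data the Average trace shows only the channel 6 signal: the carrier at 2450 MHz appears in one sweep out of three, so its averaged level ends up just under the 12 dB SNR threshold, while Max Hold keeps it at full strength and flags it as non-Wi-Fi (it sits near the channel 9 centre but is 1 MHz wide instead of about 20). That is the practical reason to hunt with Max Hold and to confirm a steady carrier with Average. Once a rogue frequency is isolated, narrow the span around its centre and use the peak level with a directional antenna to walk towards the transmitter.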
42. What did we learn?
● Operating the RF Explorer
● Analysing the RF spectrum
● Scanning the ISM and UNII bands
● Identifying and isolating a rogue frequency
43. What does PCI DSS have to say?
PCI DSS wireless requirements can be broken down into the following two primary categories:
1. All organizations, whether or not they use wireless themselves, should have these controls in place to protect their wired networks from attacks via rogue or unknown wireless access points (APs) and clients.
2. All organizations that transmit payment card information over wireless technology should have these controls in place to protect those systems.
46. Revisiting the workshop objectives
1. Understand the operation of 802.11 and other wireless
technologies.
2. Perform passive 802.11b/g/n/a/ac scanning (2.4 and 5GHz bands)
3. Perform packet capture and analysis of 802.11 traffic
4. Perform PCI-DSS compliance audit:
a. Perform wardriving / warwalking
b. RF signal capture and strength analysis
c. Identify and analyse a frequency from the spectrum
d. Isolate rogue frequency