- Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester, (and hence, the customer), a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting weith the customer should allow you to estimate the timescales required to carry the assessment out.
- Site Map
- RF Map
- Lines of Sight
- Signal Coverage
- Standard Antenna
- Directional Antenna
- Physical Map
- Triangulate APs
- Satellite Imagery
- RF Map
- Network Map
- MAC Filter
- Authorised MAC Addresses
- Reaction to Spoofed MAC Addresses
- Encryption Keys utilised
- WEP
- Key Length
- Crack Time
- Key
- Key Length
- WPA/PSK
- TKIP
- Temporal Key Integrity Protocol, (TKIP), is an encryption protocol desgined to replace WEP
- Key
- Attack Time
- Temporal Key Integrity Protocol, (TKIP), is an encryption protocol desgined to replace WEP
- AES
- Advanced Encryption Standard (AES) is an encryption algorithm utilised for securing sensitive data.
- Key
- Attack Time
- Advanced Encryption Standard (AES) is an encryption algorithm utilised for securing sensitive data.
- TKIP
- 802.1x
- Derivative of 802.1x in use
- WEP
- Access Points
- ESSID
- Extended Service Set Identifier, (ESSID). Utilised on wireless networks with an access point
- Broadcast ESSIDs
- Extended Service Set Identifier, (ESSID). Utilised on wireless networks with an access point
- BSSIDs
- Basic service set identifier, (BSSID), utilised on ad-hoc wireless networks.
- Vendor
- Channel
- Associations
- Rogue AP Activity
- Basic service set identifier, (BSSID), utilised on ad-hoc wireless networks.
- ESSID
- Wireless Clients
- MAC Addresses
- Vendor
- Operating System Details
- Adhoc Mode
- Associations
- Intercepted Traffic
- Encrypted
- Clear Text
- MAC Addresses
- MAC Filter
- Site Map
- Wireless Toolkit
- Wireless Discovery
- Packet Capture
- EAP Attack tools
- eapmd5pass
- eapmd5pass -w dictionary_file -r eapmd5-capture.dump
- eapmd5pass -w dictionary_file -U username -C EAP-MD5 Challengevalue -R EAP_MD5_Response_value -E 2 EAP-MD5 Response EAP ID Value i.e.-C e4:ef:ff:cf:5a:ea:44:7f:9a:dd:4f:3b:0e:f4:4d:20 -R 1f:fd:6c:46:49:bc:5d:b9:11:24:cd:02:cb:22:6d:37 -E 2
- eapmd5pass
- Leap Attack Tools
- WEP/ WPA Password Attack Tools
- Frame Generation Software
- Airgobbler
- airpwn
- Airsnarf
- Commview
- fake ap
- void 11
- wifi tap
- wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
- FreeRADIUS – Wireless Pwnage Edition
- Mapping Software
- File Format Conversion Tools
- ns1 recovery and conversion tool
- warbable
- warkizniz
- warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
- ivstools
- IDS Tools
- WLAN discovery
- Unencrypted WLAN
- Visible SSID
- Sniff for IP range
- MAC authorised
- MAC filtering
- Spoof valid MAC
- Linux
- ifconfig [interface] hw ether [MAC]
- macchanger
- Random Mac Address:- macchanger -r eth0
- mac address changer for windows
- madmacs
- TMAC
- SMAC
- Linux
- Spoof valid MAC
- Sniff for IP range
- Hidden SSID
- Deauth client
- Aireplay-ng
- aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
- Commview
- Tools > Node reassociation
- Void11
- void11_penetration wlan0 -D -t 1 -B [MAC]
- Aireplay-ng
- Deauth client
- Visible SSID
- WEP encrypted WLAN
- Visible SSID
- WEPattack
- wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]
- Capture / Inject packets
- Break WEP
- Aircrack-ptw
- aircrack-ptw [pcap file]
- Aircrack-ng
- aircrack -q -n [WEP key length] -b [BSSID] [pcap file]
- Airsnort
- Channel > Start
- WEPcrack
- perl WEPCrack.pl
- ./pcap-getIV.pl -b 13 -i wlan0
- Aircrack-ptw
- Break WEP
- Capture / Inject packets
- wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]
- WEPattack
- Hidden SSID
- Deauth client
- Aireplay-ng
- aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
- Commview
- Tools > Node reassociation
- Void11
- void11_hopper
- void11_penetration [interface] -D -s [type of attack] -s [station MAC] -S [SSID] -B [BSSID]
- Aireplay-ng
- Deauth client
- Visible SSID
- WPA / WPA2 encrypted WLAN
- Deauth client
- Capture EAPOL handshake
- WPA / WPA 2 dictionary attack
- coWPAtty
- ./cowpatty -r [pcap file] -f [wordlist] -s [SSID]
- ./genpmk -f dictionary_file -d hashfile_name -s ssid
- ./cowpatty -r cature_file.cap -d hashfile_name -s ssid
- Aircrack-ng
- aircrack-ng -a 2 -w [wordlist] [pcap file]
- coWPAtty
- WPA / WPA 2 dictionary attack
- Capture EAPOL handshake
- Deauth client
- LEAP encrypted WLAN
- Deauth client
- Break LEAP
- asleap
- ./asleap -r data/libpcap_packet_capture_file.dump -f output_pass+hash file.dat -n output_index_filename.idx
- ./genkeys -r dictionary_file -f output_pass+hash file.dat -n output_index_filename.idx
- THC-LEAPcracker
- leap-cracker -f [wordlist] -t [NT challenge response] -c [challenge]
- asleap
- Break LEAP
- Deauth client
- 802.1x WLAN
- Create Rogue Access Point
- Airsnarf
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook
- Obtain user’s certificate
- Acquire passphrase / certificate
- Compromise client
- Associate client
- Deauth client
- fake ap
- perl fakeap.pl –interface wlan0
- perl fakeap.pl –interface wlan0 –channel 11 –essid fake_name –wep 1 –key [WEP KEY]
- Hotspotter
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook
- Obtain user’s certificate
- Acquire passphrase / certificate
- Compromise client
- Associate client
- Deauth client
- Karma
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook
- Obtain user’s certificate
- Acquire passphrase / certificate
- Compromise client
- Associate client
- ./bin/karma etc/karma-lan.xml
- Deauth client
- Linux rogue AP
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook
- Obtain user’s certificate
- Acquire passphrase / certificate
- Compromise client
- Associate client
- Deauth client
- Airsnarf
- Create Rogue Access Point
- Resources
- URL’s
- White Papers
- Weaknesses in the Key Scheduling Algorithm of RC4
- 802.11b Firmware-Level Attacks
- Wireless Attacks from an Intrusion Detection Perspective
- Implementing a Secure Wireless Network for a Windows Environment
- Breaking 104 bit WEP in less than 60 seconds
- PEAP Shmoocon2008 Wright & Antoniewicz
- Active behavioral fingerprinting of wireless devices
- Common Vulnerabilities and Exploits (CVE)
- Vulnerabilties and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
- Unencrypted WLAN