Sally and I recently ventured to an on-site wireless engagement with a very security-mature customer. Long story short, the level of protection that WPA2 Enterprise with certificate validation provides is worth the investment. If your wireless is running just pre-shared keys and provides access to critical infrastructure, it is time to invest in full wireless PKI.
The question Sally and I tried to answer before traveling was the obvious one before any engagement: “What should we bring?” Joff, being one of the almighty seers at BHIS, recommended that “…if it can wireless, bring it.”
After a couple of days spent on site, my emptied backpack ended up looking like this:
Sally’s looked like so (she is way more orderly!)
So, I ended up with a couple of Raspberry Pis, several battery packs, a couple of Ubiquiti devices (one 5GHz client and one 2.4GHz AP), and another EnGenius AP for testing PoE and port security (yes, this customer had all ports on lock-down too).
- Various antennae for use with vehicle-based and on-foot investigations of the area
  - Alfa black 1000mW / 1W 802.11g/n High Gain Adapter
  - Alfa black 7dBi RP-SMA Panel
  - Alfa gray AWUS036NH
  - Alfa gray AWUS051NH
  - Joylive Yagi wireless antenna – 2.4GHz 802.11b/g
  - Multitude of small Wi-Fi adapters
- Raspberry Pis, all running Kali with a custom hostapd config
  - The Pi 3’s have an onboard wireless NIC, which was configured to broadcast a hidden cell for remote access
  - Another hostapd config broadcasts an 802.1X network matching the customer’s and offers a self-signed cert for authentication
  - The Alfa Panel Antenna worked fantastically here! I could walk around and overwhelm the signal strength of the ceiling-mount APs and cause clients to jump over and attempt mutual authentication. That said, no hashes were gathered in the fake EAP tunnel, due to client configuration.
- Raspberry Pi running Kismet with an Alfa adapter for capturing PSK handshakes
- Hardware access point of convenience for use in testing physical ports and rogue AP countermeasures.
- NetSpot software for the heat map.
- Proxmark 3 RFID Cloner
- Rubber ducky with the WLAN profile retrieval script. This was deemed to be outside the scope of our engagement.
- Wi-Fi Pineapple
- Portable Keyboards
- USB Hubs; both powered and not powered
- TP Link Wireless N Mini Router
- EnGenius EAP350
- Portable Power Packs (to wander freely with devices); Solar Charger, 10000mAh Solar Power Bank (20 bucks on Amazon)
- Josh Wright’s Hacking Wireless Exposed for reference
- Wi-Fi Pineapple, laptops
- Burner mobile device
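The reason the fake 802.1X cell above yielded no hashes is the client side, so here is the setting that matters, as an added example that is not part of the original post or the customer's configuration. It is a wpa_supplicant network block for a Linux supplicant; the SSID, identity, CA file path and RADIUS server name are placeholders I have assumed. The first block shows the weak form (no CA pinned, so any server cert, including a self-signed one from a rogue AP, is accepted); the second is the hardened form that pins the CA and the server name, which is what "WPA2 Enterprise with certificate validation" means in practice.

```conf
# WEAK: no ca_cert and no server-name match. The supplicant will build the
# TLS tunnel to whatever RADIUS server answers, so an inner MSCHAPv2 exchange
# can be completed with a rogue AP presenting any certificate.
network={
    ssid="CorpWifi"              # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"  # assumed identity
    password="REDACTED"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the expected server name. If the presented
# certificate does not chain to this CA, or its subject/SAN does not end in the
# expected domain, the TLS handshake fails before any inner credential is sent.
network={
    ssid="CorpWifi"              # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"  # assumed identity
    password="REDACTED"
    phase2="auth=MSCHAPV2"
    # CA that issued the RADIUS server certificate (path is an assumption)
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # expected RADIUS server name; the cert's SAN/CN must match this suffix
    domain_suffix_match="radius.example.com"
}
```

A quick check on a managed client is to connect it while a test AP presents a certificate from a different CA: a correctly configured supplicant logs a TLS certificate verification failure and never reaches the inner EAP phase. The same two controls (trusted root CA and server name) are what the "Validate server certificate" options in the Windows PEAP profile enforce when pushed by group policy.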
The best information we were able to gather was through the Wi-Fi Pineapple. With the mini-monitor, we were able to get the Raspberry Pi authenticated to their guest network. From there, we could create NAT rules and appropriate routing to allow the physical Ethernet interface access out to the world. Once the Pineapple was powered up and routing through the Pi’s guest connection, we were able to launch a generic SSID harvesting attack and some other basically low-value rogue wireless activities.
What’s in your onsite wireless kit?