Wireless Reconnaissance in Penetration Testing.pdf
CHAPTER 1
Why Radio Profiling?
Information is everywhere, if you know where to look. When performing penetration tests, uncovering the correct information during the reconnaissance phase can often mean the difference between a successful test and failure. While many of us are familiar with the commonly used data gathering methods employed by penetration testers, radio traffic can provide a great deal of valuable information. This rarely used reconnaissance method, when applied effectively, can provide a wealth of data. The information gathered by the methods described in this book is useful for both physical and logical penetration tests.
In addition, as with any other penetration testing method, understanding the techniques available to penetration testers and attackers is useful when securing networks and facilities. To protect against attackers, it is necessary to think like an attacker.
Not everything in this book will work in every situation, which is of course not unique to this method of reconnaissance. However, as the included case studies will show, when the methods in this book are used the results can be immensely valuable.
CONTENTS
Guard Radios, Wireless Headsets, Cordless Phones, Wireless Cameras, Building Control Systems .......................3
Case Study ..................5
NOTE
This book assumes that you are familiar with the basic concepts of penetration testing. Physical penetration testing is the process of testing the physical security of an organization or facility, while logical penetration testing is the process of testing the network and computer security of an organization or facility. Often, physical and logical penetration tests are combined; for example, once a facility is penetrated, we will then use the physical access to plug into the network or physically access computing equipment.
Wireless Reconnaissance in Penetration Testing. http://dx.doi.org/10.1016/B978-1-59-749731-2.00001-6
Copyright © 2013 Elsevier, Inc. All rights reserved.
The equipment necessary to perform what is described in this book doesn’t have to be expensive. While there are radios costing thousands of dollars, a basic receiver purchased second hand can provide much of the functionality that you will need. Once the basics are mastered, a determination can be made as to whether to invest in more expensive and more complex equipment. Where possible, multiple methods using varied equipment will be described, with a focus on practicality.
Penetration testers and attackers tend to spend a lot of time looking at 802.11 and other wireless networks, and occasionally will look for Bluetooth to see if there is any valuable traffic on devices such as keyboards. This is only the beginning when it comes to what is available on the radio spectrum. Figure 1.1 shows the radio spectrum (3 kHz–300 GHz) as it is divided up in the US and highlights the portions of spectrum used by 802.11 and Bluetooth. As you can see, these services use just a fraction of the entire radio spectrum. Figure 1.2 shows the radio spectrum, as well as the radios and wireless devices that most penetration testers miss.
FIGURE 1.1 The Portion of the Radio Spectrum Most Penetration Testers Look At
FIGURE 1.2 What Most Penetration Testers Miss
GUARD RADIOS, WIRELESS HEADSETS, CORDLESS PHONES, WIRELESS CAMERAS, BUILDING CONTROL SYSTEMS
The targets on the radio spectrum consist of those that have been around for decades, such as the two-way radios used by guards, and those that are just beginning to proliferate, such as wireless video cameras. Some of the target radio traffic may have an obvious use for a security professional, such as Bluetooth keyboards. The ability to capture keystrokes can be invaluable for obvious reasons. Other traffic, however, may have less obvious advantages. Later chapters will cover the details of on- and off-site reconnaissance, and how to use the appropriate equipment. It is, however, important to first gain a basic understanding of the types of information available to an enterprising attacker. If the target organization has a guard force, the guards’ radio transmissions provide a wealth of intelligence. From the guards’ names, to the time of shift changes, to internal jargon, there is much to glean. When launching a social engineering assessment, or attack, knowing the guards’ names adds credibility to the penetration tester or attacker. Listening in to guard traffic may also let the attacker know when the guards will not be at their posts, either because of scheduled rounds or unscheduled bathroom or smoke breaks. To take things further, in combination with a police scanner, an attacker can learn the response times to incidents. Knowing the time between the discovery of an incident and the alerting of authorities, and then the authorities’ response time, can let an attacker know how long they can be inside the facility without being caught.
Traffic from wireless cameras can provide much of the same information as traffic from guard force radios. Knowing where the guards are within the facility or grounds, and which areas are unoccupied, can mean the difference between success and failure during a physical penetration assessment. Additionally, being able to see the inside layout of a building before you step inside of it can also be invaluable when performing a physical penetration test. While far less likely to occur in the real world than in Hollywood, it may also be possible, depending on camera resolution and angles, to view cipher lock codes from the camera transmission.
In addition to profiling and reconnaissance, this book also offers valuable insight into counterintelligence. Understanding what information leaks unintentionally from your organization will help to ensure that confidential information remains confidential. The authors have been involved in situations where confidentiality was essential, and have discovered information in unlikely places. In one example, wireless microphones were discovered while sweeping a conference room for bugs. The conference room was to be used for a presentation about a potential corporate merger. Despite a large security budget and bug sweeping teams, had the wireless microphones been used during this high level meeting, anyone within the vicinity would have been able to listen in on the entire presentation.
Before trying anything in this book, make sure that you understand the legal and ethical ramifications of your actions. There are certain things that are always illegal, such as interfering with radio transmissions, and there are many other things that are illegal in most circumstances. Be sure to seek legal counsel prior to getting in too deep. Of course, as security practitioners, it is often frustrating that we are bound by the law while attackers, by their very nature, are not. This means that it isn’t possible to attempt everything an attacker would while staying within the law. Thus, it is essential to understand the illegal tools and techniques that attackers have at their disposal in order to understand how to defend against them.
TIP
It is extremely important that when performing any type of penetration assessment the scope and ground rules are agreed upon in writing prior to starting. Be sure to stick to the scope. While you may find additional items of interest while profiling, only assess those that are within scope. Consider getting a “get out of jail free” card or letter from the organization that you are assessing. If security or law enforcement catches you, the letter can be presented to explain that you are a security professional on a contracted engagement, and not a common criminal. Include the names, titles, and contact information of at least three people at the organization who know that you are performing an assessment. Also, be sure to let those individuals know to keep their phones nearby and to answer them no matter what the time.
CASE STUDY
Perhaps the best way to understand the true value of radio reconnaissance is with a case study. While this case study includes a fictionalized version of events, the authors have successfully used all the techniques described in the following paragraphs on actual engagements.
We knew we were lucky that the power company’s fence was not electrified. Bad jokes aside, when attempting to enter a fenced power company facility, the tools that come to mind may be bolt cutters and carpet to throw over barbed wire, rendering it useless. In this case, we had those with us, but it turned out our radios would also prove valuable. The first thought when you hear information security is probably not a couple of guys dressed in black tactical gear in the woods up to their ankles in cold mud. In today’s global economy, the stakes are high and competitors and criminals will often stop at nothing to gain the upper hand or steal and sabotage information and equipment. As networks become hardened and information more protected, many attacks have moved to the physical realm. It is often cheaper for nefarious corporations or overseas criminals to send operatives to facilities and attempt to steal information than it is to hack through the network. The goal of a penetration test is to find vulnerabilities and help to mitigate them before attackers can take advantage. On this dark night, that put us in the woods.
The irony is that our target was an energy company, a fact not lost on us as we shivered in the cold. The main gate was guarded, so we followed the fence through the woods, and waded through a cold creek. Our reward was discovering a break in the fence. The scraps of carpet we had in our bags remained there. It is an old trick, but a well-known one, that placing a scrap of carpet over barbed wire makes scaling the fence a breeze. Twenty yards away, a small building stood alone in a field on the property. The door swung open with just a twist of the handle—it was not locked. Inside we found a few company shirts, and a breaker panel. We left the panel alone, because we are the good guys, and didn’t know what dangers we could cause by flipping off the main switch. We discovered later that it controlled all the parking lot and perimeter lights—very useful for a malicious attacker. We moved toward the main facility unimpeded, and reached a locked door. The lock was one we knew