Duration:
10 Days
Course Code: OFFWIFI
Audience:
Employees of federal, state and local governments; and businesses working with the government.
Prerequisites:
- Good knowledge of TCP/IP and networking
- Ability to configure Wireless Access Points and clients
- Solid Linux CLI Fundamentals (i.e. you can get around the command line, can SSH into things, create directories, edit files using nano or vim, etc.)
- The inner-workings of 802.11-based WLANs should not be new to you
- This course is ideally suited to specialized military personnel, law enforcement and penetration testers.
- Basic knowlege of Bluetooth and ZigBee is a plus but we fill in any gaps you might have.
Things you should know before coming to class:
As you read the bulleted list below don’t get discouraged if you aren’t prepared to teach a class on the topics. We can fill in the gaps or give you a quick refresher if you need some reminding. But if you have no idea what the bullets below are talking about then this is not the best course for you. We recommend you start with our WLAN administration & security course. After that, you will be ready for this course.
Ideally, you should have a good background in the following (but we can fill in any gaps you might have). However, this is not an introductory course. It is very technical and almost exclusively hands-on. You will get the most from it if you already have a reasonable base of Linux, networking and RF knowledge.
- 802.11 Operation Modes (Infrastructure, Ad-Hoc)
- Understanding 802.11 frame types (Beacon Frames, Probe Request, Probe Response, etc.)
- Client / AP interaction – Specifically, how do client and AP interact as it relates to authentication, association, disassociation, etc.
- Understanding signal strength – milliwats, dBm, RSSI and what they, in a practical sense, mean for a WLAN.
- Antenna and hardware selection – Yagi vs Omni vs Parabolic Dish. Why would you use one versus another and what impact antenna gain has on their use.
- Some fundamental knowledge of Python will serve you well in this course. It is not a requirement but certainly a plus.
Course Description:
This built-from-scratch course, which evolves as tactics and techniques evolve, is ~90% hands-on and puts you in the offensive position. You learn to attack 802.11 Wireless LANs, as well as explore techniques to analyze and prosecute Bluetooth and ZigBee networks.
No long lectures on concepts or memorization of IETF standards, here. You explore attack considerations, approaches and techniques. Our goal is to create the perspective and mindset you need, equip you with the skills and then let you get busy doing it. Defense of WLAN networks is an indirect consequence of this course. Through an offensive mindset you will be better able to defend wireless LANs but this course emphasizes the offensive, cyber warfare perspective.
Post-compromise actions vary from organization to organization. We help you with whatever direction your mission objectives take you. This course, however, focuses on WLAN compromise and exploitation. What happends after the compromise is ultimately up to you and your customer.
We neither advocate or condone the use of these attacks techniques for illegal, unethical or unsanctioned reasons. We provide these services to legitimate organizations with a need to use these techniques for lawful purposes. ITdojo only works with industry professionals so this isn’t something that needs to be said over and over. We should all know right versus wrong so we can go ahead and get down to pushing, poking and prodding a WLAN to see how we are going to get in.
Course Objectives:
Develop expert-level skill using the following tools for WiFi-related analysis and attack:
- hcxtools
- hcxdumptool
- AngryOxide
- Kismet
- Reaver / Bully
- Bettercap
- Aircrack-ng (Suite)
- Wireshark/tshark
- EAP Hammer
- Other tools like Airgeddon, Wifite, Wifiphisher, Fluxion & WiFi Pumpkin
You will become intimate with the tools referenced above and develop an appreciation for their pros/cons and general indications of use. Some will prove very valuable to you; others …not so much.
Other topics explored:
- Bluetooth and BlueZ
- BTScanner
- nRF Connect for Bluetooth and ZigBee captures
- PMKID attacks vs 4-Way Handshakes
- WPA3 – The current state of affairs regarding compromise opportunities (this is an evolving topic that can/will change over time)
- Detecting and bypassing MAC filters
- Denial of service attacks
- Evil Twin attacks
- Creating your own purpose-specific tools using scapy and python
- Enterprise-level attacks. The challenges and complexities of attacking enterprise WLAN networks (good ones)
- WEP compromise. Amazingly, it is still out there so knowing how to defeat it in the odd chance you need to, you will learn it.
- Ubertooth One
Operating systems used during class:
- Linux (Debian-based: Ubuntu, PopOS, Kali, ParrotOS, etc.)
- Microsoft Windows
- MacOS
- Apple iOS
- Android
Standard Linux Tools Used:
* vim, nano, ifconfig, iw, wpa_supplicant, ss, ip, apt, lynx, wget, wc, grep, uniq, sort, tail, time, less, git, zcat, yum, chmod, nmcli, curl, watch, head, tail, less, etc.
Wireless tools / other utilities used:
Some custom python scripts, crunch, tshark, wireshark, gpsd, cgps, gpsmon, iw, iwlist, iwconfig, rfkill, hcxtools, hcxdumptool, bettercap, eaphammer, airgeddon, pwnagotchi, wifite, aircrack-ng suite (airmon-ng, airodump-ng, aircrack-ng, aireplay-ng, airbase-ng, airdecap-ng, ), wpa-supplicant, wifite, pw-inspector, wpa_cli, cowpatty, genpmk, wifiphisher, dnsmasq, msfvenom, msfconsole, Fluxion, mdk3, wash, hostapd, hostapd-wpe, reaver, pixieWPS, wpaclean, Kismet, macchanger, airport (MacOS), netsh (Windows), noobify, RSMangler, JTR (John the Ripper) and hashcat.
Hardware used in class:
This course leverages the Raspberry Pi as the attack platform. We also use Alfa WLAN adapters to provide a consistent, expected level of performance from the tools you utilize. We regularly evaluate the various WLAN adapter model in the marketplace and always provide the most versative and best supported hardware.