Wireless LAN Penetration Testing
In this episode I spend some time with Mark Wuergler of Immunity Inc. talking about their SILICA-U Wireless LAN penetration testing utility. It is quite simple to use, a single-click kind of thing, and runs from a custom USB stick.
I think you’ll enjoy our conversation!
You can find Mark at immunityinc dot com.
SILICA-U will quickly and automatically grab screenshots or password hashes, upload and execute software on target systems, or intercept and record network data. The unit includes standard Wi-Fi auditing features such as capturing live signal, spectrum and packet data. Immunity’s advanced research team continues to contribute updates to the software so the latest attacks are programmed in.
Bypassing 802.11b/g security: Enable hidden session identification discovery and the unit will reveal the non-broadcast SSID of remote access points. Fed up with being filtered by MAC protection lists? Enable MAC address evasion and escape any MAC address filters set by the AP administrator. If you already know an allowed MAC, this feature also allows it to be manually set in order to audit your network. This feature can also be used to reveal hidden SSIDs configured by system administrators.
Aggressive attack: Want to enumerate which systems can be broken into remotely? SILICA-U will attempt to gain unrestricted access to all systems connected to your access points and extract valuable information in the form of screenshots, password hashes, or configuration details. It will even upload and execute your own remote access utility on target systems, giving you remote wireless access to insecure systems.
Evading personal firewalls: Unique passive operating system identification techniques will even identify machines running a personal firewall.
Gather usage data: Ever wanted to identify the most commonly used access points in a geographical location? Use probe mode along with non-stop scan, walk in an area collecting access point type information and configuration details such as encryption methods and signal levels. This scan will extract a list of operating systems and machines behind the wireless access point or ad-hoc network, allowing you to evaluate what networks are the most heavily used.
Map a network: Walk around running SILICA-U in non-stop scanning mode with GPS enabled. It will map out an entire area by constantly seeking new access points and ad-hoc networks. GPS locations on the reports can be used to plot over mapping applications or services.
Security compliance: Launch the software in interactive scan mode with the attack option selected. Eliminate false positives with our unique methods of breaking in to verify that a flaw does exist and is exploitable.
Advanced man-in-the-middle attacks: Our software allows interception of all HTTP traffic in a switched network between the wireless router (including any bridged wired network) and all associated clients. The data includes cookie and authentication data within HTTP requests, which can be fed into a separate web browser session to allow email review, capture of sensitive authenticated traffic such as banking information, viewing of network device administration, password gathering, etc.
System identification: SILICA-U has unique methods for extracting information remotely from network printers, embedded devices, PDAs, Windows systems, routers, Unix workstations, and more. Our remote identification and reconnaissance methods are found nowhere else.
Rogue access point detection: Leave the unit running on your desk in non-stop mode and it will identify any new access points or ad-hoc networks discovered in range. This is particularly useful for monitoring buildings for suspicious devices being inserted into the premises without permission, or monitoring unapproved ad-hoc networks from open laptops.
Detect network misconfiguration: Often enough, employees will open up wireless ad-hoc connections on their laptops, bridging them to a wired network without realizing the security implications. This poses a serious threat to a company’s perimeter security. The software can detect this if launched in probe mode with any type of scanning method. Immunity recommends a scan-all scan that specifically targets your network. If anything is found it will be included in the report.
Pinpointing access points: Ever discovered a suspicious access point and wanted to find its location? SILICA-U will allow you to do this by viewing the interactive signal meter which displays various information about the device while you move around and approach it. Noise levels and quality may increase or drop depending how close you are to the access point. Alternatively, SILICA-U includes GPS.
Client-side exploitation: SILICA-U will allow you to bypass any firewall or host protection mechanisms by directing the attack on a client side application through an advanced connection hijacking attack which cannot be found in any other software.
Thanks for listening.
We’d love to have you subscribe to our RSS feed – just click the button in the upper right corner of the web page. Until next week, thanks for listening!
If you have any feedback on the show – please drop an e-mail to feedback@WirelessLANProfessionals.com.