Hands-On Labs and In-Class Demonstrations
You must bring your laptop to participate in the hands-on labs during this course.
1) Hands-on: Network Discovery: Wireless Devices, Access Points and Packet Capture
2) Hands-on: Discovery of Closed Networks using Probe Requests and Probe Responses
3) Demo: Wired-Side Network Discovery using SNScan
4) Demo: Network Discovery with a Spectrum Analyzer
5) Hands-on: Capture and Decode Packets using Ethereal
6) Hands-on: Use AirSnort to Crack WEP Encryption
7) Demo: Set Up Soft Access Points to Decoy and Masquerade
8) Hands-on: Counterfeit Packet Injection and Replay Attack
9) Demo: Mock Denial of Service Attack Using Signal Bombing
10) Hands-on: MAC Spoofing to Circumvent MAC Access Lists
11) Demo: Security Capabilities for Consumer to Enterprise Grade Access Points
12) Hands-on: Set Up and Run Fake AP to Simulate War Drivers
13) Demo: Configuration and Operation of a Wireless Intrusion Detection System
Section 1: Reconnaissance - Wireless Network Discovery
In this section, we will explore both active and passive scanning techniques for detecting and locating wireless networks. You will learn to use the freeware products most commonly used by hackers to detect wireless networks. You'll learn about the communications that normally occur between a Wireless Access Point and a Wireless Client device, and how that information can be used to detect even supposedly "closed" networks. We'll also take a look at several commercial wireless detection products.
- What does the WiFi Finder tell us?
- Passive scanning with PocketPC
- MiniStumbler
- PrismStumbler
- MAC address
- Service Set Identifier (SSID)
- Using Signal Strength for AP location
- Beacon Frames
- Active scanning with Windows Laptop
- Wireless Client Utility
- NetStumbler
- Probe Request & Probe Response
- Rogue Access Point detection
- Friendly vs. Hostile Rogue Access Points
- Active scanning with Linux Laptop
- Kismet
- Wellenreiter
- WiFiScanner
- WlanProbe
- AirTraf
- Mapping Authorized Access Points
- Wireless Perimeter Definition
- Directional Antennas
- Periodic Security Scan
Section 2: Intelligence - Packet Capture & Analysis
In this section you will learn to use a variety of freeware and commercial tools to capture and decode wireless network traffic. You'll see firsthand the vulnerability of unencrypted traffic. You'll learn to capture and decode logins and passwords for email, FTP and other applications.
- Windows-based capture and analysis tools
- Ethereal and WinPCap
- AiroPeek
- AirMagnet
- Linux-based capture and analysis tools
- Wellenreiter
- WiFiScanner
- AirTraf
- 802.11 MAC Frame Format
- Wired Equivalent Privacy (WEP) Encryption
Section 3: Threat Models
In this section you will learn to use a wide variety of tools and methods commonly used by hackers to attack your network. You'll learn to use AirSnort to crack a WEP key. You'll set up a Man-in-the-Middle attack. You'll learn how to combine RF Jamming with a Decoy Access Point. You'll see MAC Spoofing used to circumvent a MAC Access List.
- Confidentiality
- Cracking WEP encryption
- AirSnort
- WEPcrack
- WEPWedgie
- Man in the Middle
- Decoy Access Points
- Man in the Middle
- Packet Injection
- Replay Attack
- Access
- Denial of Service (DoS)
- RF Jamming
- Disassociate Signal Bombing
- War Spamming
- ARP Attacks
- MAC Spoofing
- SMAC
Section 4: Countermeasures
Now that you have a good understanding of the potential vulnerabilities of Wireless LANs, and the attack methods designed to exploit them, we turn our attention to countering those attacks. You'll learn who poses the threat and where it comes from, and how to configure any and all parameter settings to minimize your risk. What are the new security-related standards all about, and what can they do to defend your network?
- Who is the Hacker?
- Insider
- Outsider
- Social Engineering
- Access Point Configuration Guidelines
- Password
- SSID
- DHCP
- MAC Access List
- SNMP
- DMZ
- Authentication
- WiFi Protected Access (WPA)
- Extensible Authentication Protocol (EAP)
- Lightweight EAP
- Protected EAP
- 802.1x
- RADIUS
- Virtual Private Network (VPN)
- Encryption
- Enhanced WEP (802.11i)
- Temporal Key Integrity Protocol
- Message Integrity Check
- Advanced Encryption Standard
- Counterattacks
Section 5: Multi-Layer Security
This section is a comprehensive review of configuration options and security policies. You'll learn to implement a multi-layered defense strategy. This strategy is intended to minimize wireless network vulnerabilities and significantly increase the time and effort required to penetrate your network.
- Access Filters
- Server-based Authentication
- Authorization
- Encryption
- Wireless Security Policy Addendum
Section 6: Intrusion Detection Systems
In this section you'll learn about wireless Intrusion Detection Systems (IDSs). These systems attempt to identify network intrusions and misuse by gathering and analyzing data. You'll explore how wireless IDSs monitor and analyze user and system activities, recognize patterns of known attacks, identify abnormal network activity, and detect policy violations for WLANs. You will learn how wireless IDSs gather local wireless transmissions and generate alerts based either on predefined signatures or on anomalies in the traffic.
- Wireless Intrusion Detection Architecture
- Threat Detection
- Threat Response
- Commercial Products
- AirDefense RogueWatch and AirDefense Guard
- Internet Security Systems RealSecure Server
- AirMagnet Distributed
- Neutrino Wireless Intrusion Detection System
- Linux & Shareware Solutions
- Snort-Wireless
- WIDZ
- AirSnare