System Hacking

The document discusses various stages of system hacking including gaining access, escalating privileges, executing applications, hiding files, and covering tracks. It provides details on password cracking techniques like dictionary attacks, brute force attacks, and rainbow table attacks. It also covers privilege escalation, executing malicious programs like keyloggers, hiding files using rootkits and steganography, and covering tracks by deleting logs. The document summarizes penetration testing techniques that correspond to each stage of hacking. Finally, it discusses web server attacks like DoS/DDoS, DNS hijacking, phishing, and website defacements.
SOC Analyst Training


System Hacking
System Hacking Overview
System Hacking - Goals
§ Stages:
§ Gaining Access = to bypass access controls to gain access to the system by using
password cracking, social engineering
§ Escalating privileges = to acquire the rights of another user or admin by exploiting
known system vulnerabilities
§ Executing applications = To create & maintain remote access to the system by
installing Trojans, spyware or keyloggers
§ Hiding files = To hide the attacker's malicious activities & data theft by installing rootkits
onto the target
§ Covering tracks = To hide the evidence of compromise by clearing the system log
files
System Hacking – Cracking
Passwords
Password Cracking
§ Password cracking is a technique that is used to recover passwords from computer
systems; attackers use these techniques to gain unauthorized access to vulnerable
systems
Types of Password Attacks
§ Non-electronic attacks – require no technical knowledge to crack passwords
§ Shoulder surfing, social engineering, dumpster diving
§ Active Online attacks – password cracking is done by directly communicating with the
victim machine
§ Dictionary / Brute force attacks, Hash injection & phishing, password guessing
§ Passive Online attacks – password cracking without communication with the authorizing
party
§ Wire sniffing, man-in-the-middle
§ Offline attacks – attackers copy the target's password file & then try to crack the passwords
on their own system
§ Pre-computed hashes (rainbow table)
Password Cracking Countermeasures
§ Do not use any system’s default passwords
§ Do not use cleartext protocols or protocols w/weak encryption
§ Set the password change policy to 30 days
§ Use 8-12 alphanumeric characters when setting a password
§ Use a random string (salt) as a prefix or suffix to the password before encrypting it
Active Online Attacks
§ Dictionary attacks – a dictionary file is loaded into the cracking application, which runs it
against user accounts
§ Brute force attacks – the program tries every combination of characters until the password
is broken
§ Rule-based attacks – used when the attacker already has some information about
the password
Hash Injection Attacks
§ A hash injection attack allows an attacker to inject a compromised hash into a local
session and use the hash to authenticate to network resources
§ The attacker finds & extracts the hash of a logged-on domain admin account
§ The attacker uses the extracted hash to log on to the domain controller
Passive Online Attacks: Wire Sniffing
§ Attackers run packet sniffing tools on the LAN to access & record the raw network
traffic
§ The captured data may include sensitive information such as passwords (FTP, rlogin),
and emails
§ Sniffed credentials are used to gain unauthorized access to the target system
Passive Online Attacks: MITM & Replay
§ In a MITM attack, the attacker acquires access to the communication channels between the victim
& server to extract the information
§ In a replay attack, packets & authentication tokens are captured using a sniffer. After the info is
extracted, the tokens are placed back on the network to gain access
Offline Attacks: Rainbow Table Attacks
§ A rainbow table is a precomputed table which contains word lists like dictionary files & brute
force lists and their hash values
§ An attacker will capture the hash of the passwords & compare it with the precomputed hash
table. If a match is found, then the password is cracked.
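The countermeasure slide above recommends a per-password salt, and this slide explains why: a precomputed table only works when the same plaintext always produces the same hash. The following Python example is added here to show both sides; it is not code from the training deck. The word list and the captured hash are constructed for the example, and the salted scheme uses PBKDF2-HMAC-SHA256 as an illustration of a salted, slow hash.

```python
import hashlib
import hmac
import os

# Constructed sample word list standing in for a dictionary file (not from the slides).
WORDLIST = ["password", "letmein", "qwerty", "Summer2023", "admin123"]


def unsalted_hash(word, algorithm="sha1"):
    """Plain hash of a password: identical input always gives identical output."""
    return hashlib.new(algorithm, word.encode()).hexdigest()


def build_lookup_table(words, algorithm="sha1"):
    """Precompute hash -> plaintext for every word, as a rainbow/lookup table does."""
    return {unsalted_hash(w, algorithm): w for w in words}


def lookup_unsalted(captured_hash, table):
    """A captured unsalted hash is recovered by a single dictionary lookup (or None)."""
    return table.get(captured_hash)


def hash_with_salt(password, salt=None, iterations=200_000):
    """Defensive storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    Returns 'salt$iterations$digest' so the parameters travel with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def found_in_table(stored, table):
    """Does the precomputed table contain the salted digest? It never will, because the
    table was built from hash(password) and the record holds hash(salt, password)."""
    return stored.split("$")[2] in table


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    captured = unsalted_hash("letmein")          # constructed "captured" hash
    print("unsalted SHA-1 recovered as:", lookup_unsalted(captured, table))
    record = hash_with_salt("letmein")
    print("salted record present in table:", found_in_table(record, table))
    print("login with correct password verifies:", verify_salted("letmein", record))
```

Two users with the same password get different records because the salt is random, so a table would have to be rebuilt per salt, and the iteration count makes each rebuild expensive.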
System Hacking – Privilege
Escalation
Privilege Escalation
§ An attacker can gain access to the network using a non-admin user account, then gain
administrative privileges
§ These attacks take advantage of design flaws, programming errors, and SW bugs in the OS &
software applications in order to gain admin access to the network
§ These privileges allow attackers to view critical/sensitive information, delete files, and install
malicious programs (e.g. Trojans, worms)
Privilege Escalation: Using DLL Hijacking
§ Most Windows applications do not use the fully qualified path when loading an external DLL library
§ If attackers can place a malicious DLL in the application directory, it will be executed in place of the
real DLL. For example:
System Hacking – Executing
Applications
Executing Applications
§ At this stage, attackers execute malicious applications on the system, which is called
"owning" the system
§ They execute malicious programs remotely to gather information that leads to:
§ Exploitation or loss of privacy
§ Unauthorized access to system resources
§ Cracked passwords
§ Installed backdoors
Keylogger
§ SW applications or HW devices that monitor each keystroke as the user types on a
keyboard, log the keystrokes to a file, or transmit them to a remote location
§ A keylogger allows an attacker to gather confidential information about a target, such as email
IDs, IRC and chat messages
System Hacking – Hiding Files
Rootkits
§ They are programs that hide their presence as well as attacker’s activities, granting them
full access
§ They replace certain OS calls allowing malicious functions to be executed on the target
system
§ A typical rootkit consists of backdoor programs, DDoS programs, packet sniffers and log-wiping
utilities
Rootkits – How They Work
How to Detect Rootkits
Rootkits Countermeasures
§ Verify the integrity of system files regularly using strong digital
§ Avoid logging in with an account that has admin privileges
§ Perform kernel memory dump analysis to determine the presence of rootkits
§ Harden the workstation or server; update OS patches & applications
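The first countermeasure above, verifying system file integrity, is the basis of integrity-based rootkit detection: record a hash of every file while the system is known-good, then compare later. The Python example below is added here and is not part of the training deck; it builds a throwaway directory tree (constructed sample files, no real system paths) and simulates a rootkit replacing a binary, dropping a hidden file and deleting a log.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            relative = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[relative] = sha256_file(full)
    return baseline


def compare_baseline(baseline, current):
    """Report files whose hash changed, files that appeared and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, relative, data):
    path = os.path.join(root, *relative.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def simulate_tamper_check():
    """Constructed scenario: baseline a small tree, then tamper with it as a rootkit would,
    and return what the comparison finds."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "bin/ps", b"original ps binary")
        _write(root, "log/auth.log", b"login records")
        baseline = hash_tree(root)                       # taken while known-good
        _write(root, "bin/ps", b"trojaned ps that hides processes")
        _write(root, "bin/.hidden", b"backdoor dropped by the rootkit")
        os.remove(os.path.join(root, "log", "auth.log"))
        return compare_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in simulate_tamper_check().items():
        print(f"{kind:9s}", paths)
```

In practice the baseline must be stored off the host (or on read-only media) and the comparison run from a trusted environment, since a kernel-mode rootkit can lie to a checker that runs on the compromised system itself.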
Steganography
§ It is the technique used to hide a secret message within an ordinary message & extract
it at the destination to maintain the confidentiality of the data
§ Using a graphic image as the cover is the most popular method of concealing
data files
§ Attackers can use "stego" to hide messages such as lists of compromised servers, source
code for hacking tools and plans for future attacks
Detecting Text & Image Steganography
§ Text files:
§ Alterations are made to the character positions for hiding the data
§ The alterations are detected by looking for text patterns or disturbances, language used and
unusual amount of blank spaces
§ Image Files:
§ Hidden data in an image can be detected by determining changes in size, file format,
timestamp, and the color palette pointing to the existence of the hidden data
System Hacking – Covering
Tracks
Covering Tracks
§ Once intruders have successfully gained admin privileges, they will try to cover their
tracks to avoid detection
§ An attacker uses the following techniques:
§ Disabling auditing
§ Clearing logs
§ Manipulating logs
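Each of the three techniques leaves its own trace that a SOC analyst can alert on: clearing a Windows event log writes event 1102 (Security) or 104 (System/Application), changing the audit policy writes 4719, and deleted or edited logs show up as unexplained silent periods. The Python detection below is an added example, not material from the deck; the event IDs are standard Windows Security/System log identifiers, and the JSON-lines sample is constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Standard Windows event IDs matching the three techniques on the slide.
SUSPICIOUS_EVENTS = {
    1102: ("log_cleared", "Security event log was cleared"),
    104: ("log_cleared", "System or Application event log was cleared"),
    4719: ("audit_policy_changed", "System audit policy was changed"),
}

# Constructed sample events (JSON lines) for this example; not real telemetry.
SAMPLE_LOG = """
{"time": "2024-03-01T09:00:00", "event_id": 4624, "host": "ws01", "user": "alice"}
{"time": "2024-03-01T09:05:00", "event_id": 4672, "host": "ws01", "user": "alice"}
{"time": "2024-03-01T09:06:00", "event_id": 4719, "host": "ws01", "user": "alice"}
{"time": "2024-03-01T09:07:00", "event_id": 1102, "host": "ws01", "user": "alice"}
{"time": "2024-03-01T15:30:00", "event_id": 4624, "host": "ws01", "user": "bob"}
"""


def parse_events(text):
    """Parse JSON-lines events and sort them chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["time"] = datetime.fromisoformat(event["time"])
    return sorted(events, key=lambda e: e["time"])


def detect_log_tampering(events, max_gap=timedelta(hours=2)):
    """Return findings for cleared logs, audit-policy changes and long silent gaps.

    A gap on its own is circumstantial (the host may simply have been idle), so it is
    reported as a separate, lower-confidence rule to correlate with other evidence."""
    findings = []
    previous = None
    for event in events:
        rule = SUSPICIOUS_EVENTS.get(event["event_id"])
        if rule:
            findings.append({"rule": rule[0], "host": event["host"],
                             "user": event.get("user"),
                             "time": event["time"].isoformat(), "detail": rule[1]})
        if previous is not None and event["time"] - previous["time"] > max_gap:
            gap = event["time"] - previous["time"]
            findings.append({"rule": "time_gap", "host": event["host"], "user": None,
                             "time": previous["time"].isoformat(),
                             "detail": f"no events for {gap}"})
        previous = event
    return findings


if __name__ == "__main__":
    for finding in detect_log_tampering(parse_events(SAMPLE_LOG)):
        print(finding["time"], finding["host"], finding["rule"], "-", finding["detail"])
```

The practical defence is to forward events to a central collector as they are written, so that a cleared local log still leaves the 1102 event and everything before it on the collector.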
Penetration Testing
Password Cracking
§ Identify password protected systems
§ Check for password complexity
§ Perform social engineering, then shoulder surfing
§ Attempt dumpster diving
§ Perform a dictionary attack
§ Perform a brute force attack
§ Perform a MITM attack
§ Perform a Replay attack
§ Perform Rainbow Table attacks
Privilege Escalation
§ Attempt to logon with enumerated user names & cracked passwords
§ Use privilege escalation tools, such as Offline NT Password, Windows Password Recovery
tool
Executing Applications
§ Verify antivirus SW is installed and is up-to-date
§ Check to see if FW and anti-keylogging software are installed
§ Verify the HW systems are secured in a locked environment
§ Try to use key loggers
§ Attempt to use tools for remote code execution
Hiding Files
§ Attempt to install rootkits onto the target system
§ Perform integrity-based detection technique
§ Perform signature-based detection technique
§ Perform steganalysis technique
§ Use steganography to hide secret messages
§ Verify the OS/application patches are up to date
Covering Tracks
§ Remove any system or web application tracks
§ Disable system auditing and remove all log files
§ Close all remote connections to the victim machine, as well as any open ports
Hacking Web Servers &
Applications Overview
Web Server Attacks
DoS/DDoS Attacks
§ Attackers send numerous fake requests to the web server, which can crash the server
or make its services unavailable
§ They may target high-profile web servers in order to steal sensitive information
DNS Server Hijacking
§ An attacker compromises a DNS server & changes the DNS settings so requests coming
toward the target web server would be redirected to the malicious server
DNS Amplification Attacks
§ Attackers take advantage of recursive DNS resolution (DNS redirection) to perform DNS
amplification attacks
Phishing Attacks
§ Attackers trick users to submit login details for a website that appears legitimate, but
redirects the user to a malicious web site
§ Attacker can then perform unauthorized or malicious operations against the targeted
web server
Website Defacements
§ An attacker maliciously alters the visual appearance of a web page by inserting offending
data
§ Attackers can use a variety of methods such as SQL injection in order to deface it.
Webserver Misconfiguration
§ This refers to the configuration weaknesses in the web infrastructure that can be
exploited to launch various web server attacks
§ Anonymous or default Users/Passwords
§ Misconfigured/Default SSL Certificates
§ Unnecessary Services Enabled
§ Sample Configuration & script files left on server
SSH Bruteforce Attack
§ Attackers can brute force SSH login credentials to gain unauthorized access to an SSH
tunnel
§ SSH tunnels can be used to transmit malware & other exploits to victims w/out being
detected
Web Application Attacks
Web Application Threats
§ Vulnerabilities in web applications running on a web server can provide a broad attack
path for any webserver compromise
§ Threats include:
§ SQL Injection
§ Cross-site Scripting (XSS)
§ Buffer Overflow
§ Directory Traversal
§ Cross-site Request Forgery (CSRF)
§ Session Hijacking
§ Cookie Poisoning
Directory Traversal Attacks
§ Attackers use the ../ (dot-dot-slash) sequence to access restricted directories outside of the
web server root directory
§ They can use a "trial and error" method to navigate outside the root directory and
access sensitive information on the system
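The defect behind directory traversal is a file handler that joins the requested name onto the document root without checking where the result ends up. The Python example below, added here and not taken from the deck, shows the naive resolver beside a hardened one; the document root /var/www/html is an assumed value, and the functions work on path strings only, so they run anywhere.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the example


def resolve_vulnerable(web_root, requested):
    """Naive join: '../' walks out of the root, and a leading '/' replaces the root
    entirely, because posixpath.join discards earlier parts on an absolute component."""
    return posixpath.normpath(posixpath.join(web_root, requested))


def resolve_safe(web_root, requested):
    """Hardened: decode percent-encoding first (so %2e%2e%2f cannot slip past the check),
    drop any leading slash, normalise, and refuse anything outside the root."""
    root = posixpath.normpath(web_root)
    decoded = unquote(requested)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def is_rejected(web_root, requested):
    """True when the hardened resolver refuses the request."""
    try:
        resolve_safe(web_root, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for request in ["images/logo.png", "../../../etc/passwd",
                    "/etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{request:32s} naive -> {resolve_vulnerable(WEB_ROOT, request):22s}"
              f" hardened rejects: {is_rejected(WEB_ROOT, request)}")
```

On a real filesystem, resolve the final path with os.path.realpath as well before the prefix check, so that a symlink inside the document root cannot point the check outside it.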
Injection Flaws
§ These are web application vulnerabilities that allow untrusted data to be interpreted &
executed as part of a command or query
§ They are prevalent in legacy code, often found in SQL, LDAP, XPATH queries, and can be
easily discovered by app vulnerability scanners
Cross-Site Scripting (XSS) Attacks
§ These are attacks that exploit vulnerabilities in dynamically generated web pages, which
enable attackers to inject client-side scripts into web pages
§ Attackers can inject malicious JavaScript, ActiveX, HTML or Flash for execution on a
victim’s system
§ Effects of XSS:
§ Redirection to a malicious server
§ Ads in hidden iFRAMES
§ Data manipulation & theft
§ Session hijacking
§ Brute force password cracking
Cross-Site Request Forgery (CSRF) Attacks
§ These are attacks that exploit web page vulnerabilities that allow an attacker to force a
target user's browser to send malicious requests the user did not intend
§ The victim holds an active session with a trusted site & simultaneously visits a
malicious site, which injects an HTTP request for the trusted site
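The forged request succeeds because the browser attaches the victim's session cookie automatically; the standard defence is to require something the malicious site cannot obtain, a per-session token tied to the session with an HMAC, and to check the Origin header. The Python example below is added here and is not from the deck; the site origin, the secret key and the request dictionaries are all constructed for the example.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)     # assumed server-side secret (constructed)
SITE_ORIGIN = "https://bank.example"     # assumed origin of the trusted site


def issue_csrf_token(session_id, key=SECRET_KEY):
    """Token = nonce + HMAC(session_id, nonce): only the server can mint it, and it is
    only valid for the session it was minted for."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, key=SECRET_KEY):
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie_header(session_id):
    """SameSite=Lax stops the browser sending the cookie on cross-site POSTs at all."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax"


def handle_transfer(request, key=SECRET_KEY):
    """Server-side handler for a state-changing POST. `request` is a constructed dict
    with the cookie-bound session id, the form's token field and the Origin header.
    Returns (status, reason)."""
    origin = request.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin"
    if not verify_csrf_token(request.get("session_id"), request.get("csrf_token"), key):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer accepted"


if __name__ == "__main__":
    sid = "sess-alice"
    token = issue_csrf_token(sid)
    genuine = {"session_id": sid, "csrf_token": token, "origin": SITE_ORIGIN}
    # The forged request carries the victim's cookie (so session_id is present)
    # but the malicious page has no way to read or mint the token.
    forged = {"session_id": sid, "csrf_token": None, "origin": "https://evil.example"}
    print(handle_transfer(genuine))
    print(handle_transfer(forged))
```

Because the token is an HMAC over the session id, a token stolen from one session is useless against another, and the server stores nothing per token.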
Buffer Overflow Attacks
§ This condition occurs when an application writes more data to a block of memory or a
buffer, than the buffer is allocated to hold
§ It enables the attacker to modify the target process’s address space in order to control
the process execution, crash the process, and modify internal values
Cookie Poisoning
§ Three stages:
§ Modify the cookie content: these attacks involve modifying the contents of a cookie in order
to bypass security mechanisms
§ Inject malicious content: poisoning allows an attacker to inject malicious content, modify the
user's online experience and obtain unauthorized information
§ Rewrite the session data: a proxy can be used to rewrite the session data, display the cookie
data, and/or specify a new user ID or session identifier
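The first stage only works when the server trusts whatever comes back in the cookie. Signing the cookie with an HMAC lets the server detect any edit to its contents, since the attacker can re-encode the payload but cannot recompute the MAC without the key. The Python example below is added here (not from the deck); the signing key and the cookie claims are constructed, and the tampering helper exists only to show that the edited cookie is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets

COOKIE_KEY = secrets.token_bytes(32)   # assumed server-side signing key (constructed)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(claims, key=COOKIE_KEY):
    """cookie = base64(json claims) + '.' + HMAC-SHA256(payload)."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def load_cookie(cookie, key=COOKIE_KEY):
    """Return the claims if the MAC verifies, otherwise None (tampered or malformed).
    The MAC is checked before the payload is parsed, so bad JSON is never trusted."""
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def tampered_copy(cookie, **changes):
    """Simulates stage 1 on the slide: decode the payload, edit a field, re-encode it,
    and reattach the original MAC (the only one available without the key)."""
    payload, mac = cookie.rsplit(".", 1)
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + mac


if __name__ == "__main__":
    cookie = sign_cookie({"user": "alice", "role": "user"})
    print("genuine  ->", load_cookie(cookie))
    print("poisoned ->", load_cookie(tampered_copy(cookie, role="admin")))
```

Signing proves integrity only, not secrecy: anyone holding the cookie can still read the claims, so the usual design keeps an opaque session identifier in the cookie and the role and other authorization data on the server.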
Hacking Webservers – Attack
Methodology
Information Gathering
§ This involves collecting valuable information about the targeted company
§ Attackers search newsgroups, bulletin boards, etc. for information about the company
§ They would use tools such as Whois, traceroute and query the database to get details
such as domain name, an IP address, or network range
Webserver Footprinting
§ In this phase, you gather system-level data such as account details, OS, SW versions,
server names and database schemas
§ An attacker may use Telnet to footprint a web server and gather information such as server type,
applications running, etc.
Mirroring a Website
§ By mirroring a web site, you can create a complete profile of the site’s directory structure,
files structure, etc
§ Use tools such as: HTTrack, WebCopier
Session Hijacking
§ An attacker sniffs valid session IDs to gain unauthorized access to the web server
§ Session hijacking techniques, such as session fixation, session sidejacking, XSS are used
to capture valid session cookies & IDs
§ Tools: Burp Suite, Firesheep
Hacking Web Passwords
§ Attackers will use password cracking methods such as brute force or dictionary attacks to
crack web server passwords
§ Tools: THC-Hydra, Brutus
Web App Hacking
Methodology
Hacking Methodology - Steps
§ Footprint Web Infrastructure
§ Server / service discovery
§ Server identification / banner grabbing
§ Hidden content discovery
§ Detecting Web App FWs & Proxies on Target Site
§ Attack Web servers (WebInspect)
§ Analyze web applications on servers
§ Identify entry points for User Input
§ Identify Server-side Technologies/ Functionality
§ Map the attack surface
§ Attack Authentication Mechanism (password/session attacks, cookie exploitation)
Hacking Methodology – Steps (cont’d)
§ Attack Authentication Schemes
§ Authorization attack (manipulate HTTP requests)
§ Query string tampering
§ Cookie Parameter Tampering
§ Attack Session Management Mechanism
§ Perform Injection Attacks
§ SQL/LDAP injection, buffer overflow
§ Attack Data Connectivity
§ Connection string injection
§ Attack the Web App Client (XSS, Frame Injection, HTTP Header Injection)
§ Attack web services (SOAP Injection, DB Attacks, DoS/DDoS)
Webserver Attack Tools
Using Metasploit
§ This framework is a pen testing toolkit, exploit development platform that supports fully
automated exploitation of web servers by using known vulnerabilities
§ Architecture:
Metasploit Exploit Module
§ It is the basic module used to encapsulate an exploit; comes with meta-information fields
§ Steps to exploit a system:
§ Configure an active exploit
§ Verify the exploit options
§ Select a target
§ Select the payload
§ Launch the exploit
Metasploit Payload Module
§ The payload module establishes a communication channel between the Metasploit
framework & the victim host
§ It carries the arbitrary code that is executed as the result of an exploit succeeding
Metasploit Auxiliary Module
§ The auxiliary modules can be used to perform arbitrary, one-off actions such as port
scanning, denial of service and even fuzzing
§ To run an auxiliary module, either use the run command or use the exploit command
Hacking Webservers –
Countermeasures
Countermeasures
§ Several countermeasures to safeguard web servers:
§ Place web servers in separate secure segments on the network (i.e. DMZ)
§ Regularly scan for vulnerabilities and patch those findings
§ Ensure that service packs & security patch levels are consistent on all DCs
§ Block all unnecessary ports, ICMP traffic and unnecessary protocols (SMB, NetBIOS)
§ Disable WebDAV if it is not used by the application
§ Harden the TCP/IP stack
§ Disable unused default user accounts (eliminate unnecessary DB users)
§ Run all processes using least privileged accounts
§ Eliminate unnecessary files within the .jar files
§ Disable serving of directory listings
How to Defend Against Web Server Attacks
§ Ports
§ Audit the ports on the server regularly to ensure that no insecure service is active on your
web server
§ Limit inbound traffic to port 80 (HTTP) & port 443 (HTTPS)
§ Server Certificates
§ Ensure the certificate date ranges are valid
§ Ensure the certificate files have not been revoked & the certificate’s public key is valid
§ Machine.config
§ Ensure the protected resources are mapped to HttpForbiddenHandler & unused HttpModules
are removed
§ Code Access Security
§ Configure IIS to reject URLs with “../” and install new patches
Webserver Penetration
Testing
Web Server Pen Testing
§ Web server pen testing is used to identify, analyze & report vulnerabilities such as
authentication weaknesses, config errors, protocol-related vulnerabilities
§ The best method is to conduct a series of methodical & repeatable tests and to work
through all the vulnerabilities
Pen Testing - Steps
§ Identify the target
§ Search for open sources for information about the target (bulletin boards, newsgroups)
§ Perform social engineering attacks (social networking, dumpster diving)
§ Query the Whois database
§ Document all the information about the target
§ Fingerprint web server (ID Serve)
§ Crawl the websites
§ Enumerate web directories
§ Perform directory traversal attacks
Pen Testing – Steps ( cont’d)
§ Examine configuration files
§ Perform a vulnerability assessment
§ Perform HTTP response splitting
§ Perform Web cache poisoning attacks
§ Crack web server authentication
§ Attempt brute force on SSH, FTP and other services
§ Perform Session Hijacking
§ Perform MITM attacks
§ Perform web application pen testing
§ Examine webserver logs
Hacking Wireless Networks -
Overview
Wireless Technologies
§ Bandwidth = describes the amount of information that may be broadcast over a
connection
§ Access Point = A device used to connect wireless devices to other wireless devices
§ BSSID = The MAC address of an access point that has set up a basic service set (BSS)
§ SSID = a token used to identify an 802.11 (Wi-Fi) network; acts as a single shared identifier
between access points & clients
§ Association = The process of connecting a wireless device to an access point
§ Frequency-hopping Spread Spectrum (FHSS) = method of transmitting radio signals by
switching a carrier among many frequency channels
§ Wi-Fi = refers to wireless local area networks (WLAN) based on the IEEE 802.11 standards
Wireless Standards
Amendment   Frequency (GHz)   Modulation    Speed (Mbps)   Range (ft)
802.11a     5                 OFDM          54             25-75
802.11b     2.4               DSSS          11             150-150
802.11g     2.4               OFDM, DSSS    54             150-250
802.11n     2.4, 5            OFDM          54             100
802.16      10-66             -             70-1000        30 miles
Bluetooth   2.4               -             1-3            25
Type of Wireless Networks
Wi-fi Authentication Modes
Wi-Fi Chalking
§ WarWalking = Attackers walk around with Wi-Fi enabled devices to detect open wireless
networks
§ WarChalking = A method used to draw symbols in public places to advertise open Wi-Fi
networks
§ WarFlying = In this technique, attackers use drones to detect open wireless networks
§ WarDriving = Attackers drive around with Wi-Fi-enabled laptops to detect open wireless
networks
Wi-Fi Chalking Symbols
Types of Wireless Antennas
§ Directional Antenna – used to broadcast from a single direction
§ Omnidirectional Antenna – provides a 360 degree horizontal pattern; used in a wireless
base station
§ Parabolic Grid Antenna – based on the principle of a satellite dish; can pick up Wi-Fi signals from 10 or
more miles away
§ Yagi Antenna – a unidirectional antenna commonly used for a frequency band of 10 MHz
§ Dipole Antenna – Bidirectional antenna used to support client connections
Wireless Encryption
Types of Wireless Encryption
§ EAP – supports multiple authentication methods such as token cards, Kerberos
§ WPA2 – uses AES (128 bit) and CCMP for wireless data encryption
§ CCMP – it utilizes 128-bit keys with a 48-bit initialization vector for replay detection
§ TKIP – security protocol used in WPA
§ WPA – advanced wireless encryption protocol using TKIP, AES encryption
§ AES – symmetric key encryption, used in WPA2, TKIP replacement
§ WEP – oldest encryption algorithm, keys can be cracked easily
WEP vs WPA vs WPA2
Breaking WPA/WPA2 Encryption
§ WPA PSK
§ It uses a user-defined password to initialize TKIP, which is not crackable as it is a per-packet
key, but the keys can be brute-forced
§ Offline Attack
§ You have to be near the AP in order to capture the WPA/WPA2 authentication handshake
§ De-authentication Attack
§ Using a tool such as Aireplay-ng, force the connected client to disconnect, then capture the
reconnect & authentication packets
§ Brute-force WPA Keys
§ You can use tools such as Aircrack-ng or KisMAC to brute force WPA keys
Defending Against WPA/WPA2 Cracking
§ Passphrases
§ The only way to crack WPA is to sniff the password PMK associated with the “handshake” auth
process
§ Passphrase Complexity
§ Select a random, complex passphrase (min. of 20 characters) that is not made up of dictionary
words
§ Client Settings
§ Use WPA2 with AES/CCMP encryption only
§ Additional Controls
§ Use a VPN or implement NAC (network access control)
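Why passphrase length and dictionary words are the deciding factors: in WPA/WPA2-Personal the PMK captured via the handshake is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, per IEEE 802.11i), so an offline attack has to pay that derivation cost for every guess, and the number of guesses is set by the passphrase. The Python example below is added here and is not from the deck; it computes the derivation and applies the slide's passphrase policy. The mini word list is constructed for the example.

```python
import hashlib
import re

# Constructed mini word list standing in for a real dictionary file (not from the slides).
DICTIONARY = {"password", "welcome", "wireless", "internet", "letmein", "admin"}


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase with
    the SSID as salt, 4096 iterations, 256-bit output (IEEE 802.11i). The AP and the
    client both compute this value; the SSID salt means a table built for one network
    name is useless against another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_hex(passphrase, ssid):
    return derive_pmk(passphrase, ssid).hex()


def passphrase_findings(passphrase, dictionary=DICTIONARY, min_length=20):
    """Apply the slide's policy: at least 20 characters and no dictionary words.
    Returns a list of problems; an empty list means the passphrase passes."""
    findings = []
    if len(passphrase) < min_length:
        findings.append(f"shorter than {min_length} characters")
    for word in re.findall(r"[A-Za-z]+", passphrase):
        if word.lower() in dictionary:
            findings.append(f"contains dictionary word '{word.lower()}'")
    return findings


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print("PMK:", pmk_hex("password", "IEEE"))
    for candidate in ["password", "Summer-Lake-Pelican-Kettle-4471"]:
        print(f"{candidate!r}: {passphrase_findings(candidate) or 'passes policy'}")
```

The 4096 iterations only bound the per-guess cost; a passphrase drawn from a word list of a few million entries is still recovered in minutes, which is why the policy on the slide targets the guess space rather than the derivation.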
Hacking Wireless Networks -
Threats
Access Control Threats
§ Wireless access control attacks are designed to penetrate a WLAN by evading WLAN
access control measures, such as AP MAC filters & Wi-Fi port access controls
§ Some of those attacks:
§ War Driving
§ Rogue Access Points
§ MAC Spoofing
§ AP Misconfiguration
§ Ad Hoc Associations
§ Promiscuous Client
§ Unauthorized Association
Integrity Attacks
§ For these attacks, attackers send forged control, management or data frames over the
wireless link to misdirect wireless devices in order to perform another type of attack
(DoS)
§ Some of those attacks:
§ Data Frame Injection
§ WEP Injection
§ Bit-Flipping Attacks
§ Extensible AP Replay
§ Initialization Vector Replay Attacks
§ RADIUS Replay
§ Data Replay
Confidentiality Attacks
§ These attacks attempt to intercept confidential information sent over wireless
associations, whether sent in clear text or encrypted by Wi-Fi protocols
§ Some of those attacks:
§ Eavesdropping
§ Traffic Analysis
§ Cracking WEP keys
§ Evil Twin AP
§ Honeypot Access Point
§ Session Hijacking
§ Man-in-the-middle Attacks
Availability Attacks
§ These attacks, like denial-of-service attacks aim to prevent legitimate users from
accessing resources in a Wi-Fi network
§ These attacks include:
§ Access Point Theft
§ Disassociation Attacks
§ EAP-Failure
§ Beacon Floods
§ ARP Cache Poisoning Attack
§ TKIP MIC Exploit
§ Routing Attacks
Authentication Attacks
§ The objective of these attacks is to steal the identity of the Wi-Fi clients, their personal
information, login credentials in order to gain unauthorized access to network resources
§ These attacks include:
§ PSK Cracking
§ LEAP Cracking
§ VPN Login Cracking
§ Domain Login Cracking
§ Shared Key Guessing
§ Password Speculation
Rogue Access Point Attacks
§ A rogue wireless access point placed into the network can be used to hijack the
connections of legitimate users
§ When the user turns on his/her machine, the rogue access point will offer to connect
with the network user’s NIC
§ All the traffic the user enters will pass through the rogue access point, thus enabling a
form of wireless packet sniffing
AP MAC Spoofing Attacks
Hacking Wireless Networks -
Methodology
Wireless Hacking Methodology
§ Objective: to compromise a Wi-Fi network in order to gain unauthorized access to
network resources
§ Step 1: Wi-Fi Discovery
§ Attacking a wireless network begins with discovering & footprinting the wireless network in an
active or passive way
§ Passive footprinting – sniffing packets from the airwaves, which reveals SSID, AP
§ Active footprinting – attacker sends out a probe request with the SSID to see if the AP
responds
Wireless Hacking Methodology: GPS Mapping
§ Attackers create a map of discovered Wi-Fi networks and build a DB of the data collected by Wi-Fi
discovery tools
§ GPS is used to track the location of the discovered Wi-Fi networks and their coordinates
§ This information is typically shared among the hacker community for profit
Wireless Hacking Methodology: Wireless Traffic Analysis
§ Identify Vulnerabilities = helps develop strategy for a successful attack
§ Wi-Fi Reconnaissance
§ Attackers analyze wireless networks to determine:
§ Broadcasted SSIDs
§ Presence of multiple access points
§ Authentication methods used
§ WLAN encryption algorithms
§ Tools
§ Wireshark
§ Omnipeek
Wireless Hacking Methodology: Launch Wireless Attacks
§ Fragmentation attacks – obtain the PRGA (pseudo-random generation algorithm) keystream,
not the WEP key itself; require at least 1 data packet to be received from the
access point in order to initiate the attack
§ MAC Spoofing attack – attackers change the MAC address to that of an authenticated
user to bypass the MAC filtering configured in an access point
§ Wireless ARP Poisoning attack –
§ Attacker spoofs the MAC address & attempts to authenticate to the AP
§ The AP sends an updated MAC address to the network devices
§ Traffic is now destined from the backbone to the attacker’s system
Bluetooth Hacking
Bluetooth Hacking
§ It refers to the exploitation of Bluetooth stack implementation vulnerabilities to
compromise sensitive data in Bluetooth-enabled devices
§ Various attacks:
§ Bluesmacking = DoS attack which overflows Bluetooth-enabled devices with random packets
§ Bluejacking = the art of sending unsolicited messages over Bluetooth to Bluetooth-enabled
devices
§ Bluesnarfing = theft of information from a wireless device through a Bluetooth connection
§ BlueSniff = PoC for a Bluetooth wardriving utility
§ Bluebugging = remotely accessing Bluetooth-enabled devices
§ BluePrinting = the art of collecting info about Bluetooth-enabled devices, such as
manufacturer, device model
Hacking Wireless Networks -
Countermeasures
Defending Against Bluetooth Hacking
§ Use non-regular patterns as PIN keys while pairing a device
§ Keep the device in non-discoverable (hidden) mode
§ Keep BT in a disabled state, enable only if needed
§ DO NOT accept any unknown or unexpected requests for pairing your device
Defending Against Wireless Attacks
§ Change the default SSID after a default WLAN configuration
§ Disable SSID broadcasts
§ Enable MAC address filtering on your access point on the router
§ Enable encryption on the Access Point and change passphrases often
§ Use SSID cloaking
§ Place a FW or packet filter in between the AP & the intranet
§ Implement IPSEC over wireless
§ Use WPA/WPA2 encryption instead of WEP
Defending Against Wireless Attacks (cont’d)
Wi-Fi Penetration Testing
Wireless Penetration Testing
§ The processes involved with evaluating security measures that have been implemented in
a wireless network in order to assess design weaknesses, technical flaws, or
vulnerabilities
Wireless Penetration Testing - Framework
§ Discover wireless devices; if found, document findings
§ Perform a general Wi-Fi attack and check to see if WEP encryption is being used
§ If WEP is discovered, conduct WEP encryption pen testing
§ If LEAP is found, then perform LEAP encryption pen testing
Penetration Testing Steps
§ Create a rogue access point
§ Deauthenticate the client using tools such as Hotspotter, Airsnarf
§ If deauthenticated, associate with the client, sniff the traffic, and acquire the
passphrase/certificate (perform a WPA/WPA2 dictionary attack)
§ If passphrase is acquired, try to steal confidential information
Q&A
Thank you.
www.microfocus.com
