Preview: EXTRABACON Exploit Postmortem: Analysis of Improvements

Dear PenTest Readers,

We offer to your attention a new issue of the PenTest Magazine. Hope that it will be a pleasure for you to read it.

In the issue we will discuss wireless penetration testing from various perspectives. One of the most interesting stories was offered by Sean Dillon, who had composed a brilliant article about RiskSense’s release, EXTRABACON 2.0, which contains improved shellcode to the original, a Metasploit auxiliary module, and a script that can automatically find necessary offsets to port the exploit to more ASA devices.   Author also reveal vices of the contemporary world of information security.

We will also cover topics such as The Caffe Latte Attack and the Implementation a PCI-Specific Wireless Pentest. Senior Security Expert Cody Carter will elaborate on the usage of 3rd parties to hide indicators of compromise. Another interesting piece of writing was provided by representatives from Bosch Engineering, who will discuss the topic of Wi-Fi security awareness. All in all, the issue contains a great number of interesting wireless penetration testing assessment. We will look on that topic from various professional attitudes. including both the technical and management perspectives.

The Christmas is coming, and we have a present for you, at the end of the issue Marcelo Mansur, Senior Recruiter from the United Kingdom, prepared a short fiction story about IT Security Recruitment World. At the very end James D. Perry II will share with you his creativity and will prove that penetration testing can be poetic.

Let’s begin our journey into the world of wireless penetration testing...

Thank you for your support,

Editorial team of the PenTest Magazine

If you are a subscriber, download your magazine here!

 If want to buy this magazine click here

TABLE OF CONTENTS

EXTRABACON Exploit Postmortem: Analysis of Improvements

Sean Dillon

One of the most unsettling breaches to happen this year, and perhaps ever, has gone largely ignored. Exploit code strongly evidenced to belong to the National Security Agency (NSA) was illegally leaked in a black market auction. Our red team at RiskSense, Inc. reviewed the files and crafted a more polished version of an exploit that targets the Cisco Adaptive Security Appliance (ASA) firewall. Our release, EXTRABACON 2.0, contains improved shellcode to the original, a Metasploit auxiliary module, and a script that can automatically find necessary offsets to port the exploit to more ASA devices.

Why is Security a Concern in WI-FI? An Awareness Article

Vinod Kumar Vasudevan and Dr. Kavitha Ammayappan

Due to the ingress of different wireless communication technologies, instant communication is ubiquitous, which is a positive outcome, but at the same time, due to a lack of basic techno awareness among consumers, every other consumer is getting compromised by attackers. Compromise happens due to immature technology, improper use of technology by consumers and last but not least, because of skilled hackers. In this article, we present a generic overview about Wi-Fi technology, its security features and mechanisms, technical limitations and real time hack scenarios. Finally, we have given a list of points as guidelines for configuring and connecting with a Wi-Fi network for achieving better security and minimizing the chance of personal and corporate compromise and data leakage.

The Architecture of Obfuscation: A Case Study in Using 3rd Parties to Hide Indicators of Compromise

Cody Carter

During the reconnaissance phase of penetration testing, attackers and researchers alike make use of a variety of tools and techniques to discern the potential methodology that will be most likely to result in a successful and undetected attack.  A great deal of focus is placed on identifying networks, hosts and services.  However, specialized architectural elements provided by vendors are rarely explored with the same level of detail.  Features specific to supporting applications or infrastructure can be leveraged for exploitation in unique and unexpected ways, which can result in trusted resource being utilized to the benefit of attackers.

Wireless Pen Testing: How To Overcome Objections With A New Value Proposition

James D. Perry II and Jeremy Parrott

Have you ever wished someone would stop beating around the bush and give it straight to you? Well, here it goes. We hope you're ready for this.We will explain why organizations aren't knocking down your door to get a wireless pen test. It will be rough but bear with us. We'll show you what to do to fix that, and give you five approaches you can use to push through objections.

Case Study Analysis: Implementing a PCI-Specific Wireless Pen-Test

Praveen Joseph Vackayil

Prior to version 3.0 of PCI DSS, pen-testing was often one of the poorly understood requirements of PCI DSS. Organizations were able to meet the PCI pen-test requirements by running automated scans and generating a formal report. A practitioner would, however, argue that penetration testing conducted in its true spirit would consist of a significant manual component induced by a skilled ethical hacker. The role of automated tools would not be as critical as the expertise and critical thinking brought in by the hacker.

The Caffe Latte Attack

Raghav Bisht

The Caffe Latte attack is another way to break into WEP encrypted Wi-Fi connection. It is not necessary for the attacker to be in the area of the network using this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and the message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 300 seconds. Caffe Latte essentially tries and steals the password from the actual client machine by way of capturing an ARP packet, sending it back to the client and then recording the ensuing data (which will include IV's).

Step by Step Guide to Network Packet Analysis: To understand OSI model by analyzing network traffic using Wireshark

Jitendra Kumar

Many Protocol Analyzers are available and each of them provide different features. Wireshark is one of the Open Source packet analyzer known for its easy to use interface and useful set of features Wireshark previously known as "Ethereal". It is very similar to Tcpdump but has a rich GUI  allows a user to experience simple process of packet or protocol analysis. Wireshark uses Network Interface Controllers that support promiscuous mode which allows to see all traffic on that interface.

How It Is Possible to Intercept Network Traffic and Reproduce It

Stefano Lorenzi

As I had mentioned at the beginning of article, the ARP Spoof is possible in the most of the Companies. The solution to this problem is to configure the switch/router to reject the connection when two different IP address have the same MAC-Address. For the second problem, you have to prefer the encrypted protocol and not use cleartext protocol. Nevertheless, this is not easy because there are a lot of protocols that work without encryption (FTP, Telnet, SMB), and you have to remember that your credential in the cleartext mode is among the data which the attacker can steal.

Enterprise Wireless Network Audit

Jorge Mario Ochoa Vasquez

Every day it gets easier to hack Wi-Fi networks. There are several tools available, like Kali Linux or BlackArch. The IoT (Internet of Things) comes with big challenges, from smart watches to light bulbs in buildings, and Wi-Fi networks can provide access to all data. In this article, we will see some tools used to hack Wi-Fi networks, and some tips to secure it through best practices.

The Chronicles of Ben Chester

Marcelo Mansur

With Christmas approaching fast the festive season is well and truly upon us and the last thing that a lot of people want to think about is work. At this time of the year we often see a big disparity between companies who want to hire and onboard their new staff before the break (so they can be ready to start as soon as the new year begins) and people who would just rather...