Dear PenTest Readers,
In the current edition, we take a closer look at WiFi pentesting tools and techniques. Our contributors brought in really interesting articles at different levels of advancement, so whether you're already a skilled pentester or just beginning your journey, you will definitely find something for yourself!
The write-ups dedicated to the main topic start with a historical perspective on WiFi hacking: the article by Joël Kerléguer depicts practical techniques as they have evolved throughout the years. If you're looking for useful tools, check out the article on the KAVAT NERVE fork by Andrea Cavallini. Next, you will also find great tutorials on WiFi pentesting with Airodump-ng, a cybersecurity survey of LoRa and LoRaWAN industrial radio, Man-in-the-Middle attacks on WiFi/LAN, and WPA/WPA2 password cracking.
If you're looking for articles on other topics, we have that too! Dive into an excerpt from the book "Ransomwared" by Erik Westhovens and Mike Jansen, which explains technical cybersecurity concepts in an entertaining manner. You will also find a nice tutorial on GCP pentesting, and more!
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Wi-Fi Hacking Evolution Over Time
by Joël Kerléguer
If you are a security veteran, you know how to appreciate, like a good drink, the completeness, ease of use, and automation of current pentest tools: bettercap, wifipumpkin3… Jump with me into the past for a moment; we shall evoke some nostalgia. If you are a fresh newbie in the field, this article will teach you how things started, and what is under the hood. Either way, you might wonder about the Wi-Fi hacking perspective. At the end of the day, the newbie could join the veteran at the bar for a drink.
Cybersecurity Survey of LoRa and LoRaWAN Industrial Radio
by Leonard Jacobs
Another tool is called "LoRa Craft". It intercepts packets using Software-Defined Radio, and crafts packets using its dedicated LoRaWAN v1.0 and v1.1 support. This tool is mainly do-it-yourself and needs much more support than those already released, such as crypto helpers for Join-Accept payloads and the Message Integrity Code (MIC) to help crack weak keys.
KAVAT NERVE Fork
by Andrea Cavallini
Offensive cybersecurity is always awake; it doesn't sleep, ever. Assessments are necessary and need to be run fast and continuously. "Fast" and "continuously": words more relevant than ever, and yet so difficult to reach and to understand. Does a tool exist that can implement these requirements? In addition, it should be easy, and allow everyone to make their own modifications to the tool in order to reach their targets; basically, it should be free and open-source.
Dream? Reality? Fantasy? A tool designed to reach these goals exists and it is called NERVE.
WiFi Pentesting with Airodump-ng
by Juan Morales
Within the Aircrack suite there is a tool named Airodump-ng. Airodump-ng serves as a packet sniffer; it also helps in attaining information about the networks in our vicinity and can even tell us about the clients connected to those networks. In order to start using Airodump-ng, we must first set our Wi-Fi adaptor to monitor mode. Monitor mode simply enables the Wi-Fi adaptor to receive different types of Wi-Fi packets, including "Beacon" packets, which are sent by APs (Access Points) at regular intervals, "Deauthentication" packets, which essentially reset a client's network connection, and much more. The ability to receive this host of different packets is what allows Airodump-ng not only to display the different APs in the vicinity but also the clients connected to them.
Man in the Middle in WIFI / LAN
by Deepan Naveen
In this article, I want to divide MITM and the path to MITM into categories and distribute them across different chains. We all understand that with MITM attacks there are different situations in which some techniques can be used and others cannot, and that we pursue different goals: a mass attack or an individual (targeted) attack.
Wi-Fi Hacking: WPA / WPA2 Password Cracking Attack
by Mohamed Assane Seck alias «waserby»
The WPA protocol was created in response to huge security weaknesses in another protocol named WEP (Wired Equivalent Privacy), which is barely used nowadays. However, when WPA is used in pre-shared key mode, we can carry out an attack in order to crack the key and then access the Wi-Fi network. Note that it is a dictionary-based attack, which means that the password we are trying to figure out must be in our dictionary file. Otherwise, we will not be able to determine the key.
GCP Penetration Testing: Enumerating the GCP
by Dinesh Sharma
In this article, we discussed the ways to perform enumeration in a GCP environment. The gcloud CLI has commands for every service in GCP. There are other ways as well to communicate with GCP services, such as REST API calls, the web-based console, third-party SDKs, Terraform scripts, and code. In the coming article, we will be looking at exploitation scenarios as well as lateral movement and privilege escalation in a GCP environment.
Ransomwared: Every Manager’s Worst Nightmare
by Erik Westhovens and Mike Jansen
Part of recovery is also the discovery of the methods used, and that means the hackers will try to erase their footprint as much as possible. They might, for example, execute a Group Policy Object that halts all antivirus software on domain-joined systems. They can do the same to delete log files. This hinders forensics of the event. As a company, you would like to know what happened and find root causes. How did they get in? How long have they been inside? This is important to know, as it may indicate how long backups have been compromised. The average number of days between the moment of entry of the hackers and the actual ransomware attack execution is around 57 days.
VPN Security: A Pentester's Guide to VPN Vulnerabilities [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Gilad David Mayaan
There are two main types of VPNs—secure sockets layer (SSL) and Internet protocol security (IPSec)—and each requires different steps during a penetration test. However, there are several steps common to both, which you can apply to your VPN security assessment. These include planning, port scanning and fingerprinting, exploiting known vulnerabilities, and reporting.
Secure OT for Industry 4.0
by Joshua Rebelo
OT network and system monitoring solutions, like Claroty, adapt converged IT-OT security to the unique characteristics of OT environments and integrate seamlessly with SIEMs, analysis platforms, ticketing systems, firewalls, and several other IT security solutions, while also giving visibility into all of the OT assets present in the network. These network monitoring tools also have the capability to report vulnerabilities based on the protocols and versions of firmware, libraries, etc.