Course 6503: Ethical Wireless Hacking Training Boot Camp

TONEX Ethical Wireless Hacking course provides an in-depth, hands-on comprehensive information on wireless security and Penetration, Testing, and Defenses on wireless systems. The intensive labs give you in-depth knowledge and practical experience with the wireless security systems. You will learn how intruders escalate privileges and what steps can be taken to secure a wireless system. Attendees will also learn about Penetration Testing and Countermeasures, Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows and Virus Creation.

Laptop Required:

Throughout the course, students will participate in hands-on exercises after booting into a live Linux environment based on the Backtrack 3 distribution. A bootable CD will be distributed in the class for all students.

Laptop Hardware Requirements:

• CPU: 1.5 GHz or higher is recommended
• CD  Drive
• 1 Gigabyte of RAM minimum
• System must be capable of booting from a CD (may require BIOS passwords to change device boot order)
• Two free USB 2.0 interfaces

• Overview of TCP/IP
• Overview of Network and Computer Architecture and Security Attacks 
• Ethical Hacking and Penetration Testing
• Footprinting and Reconnaissance
• TCP/IP Basics and Scanning
• Sniffers and Session Hijacking
• Intrusion Detection Systems
• Firewalls
• Ethics and Legal Issues
• Wireless Security Principles
• Wireless LAN and MAN Standards and Architecture
• Radio Frequency (RF) and Physical Layer Transmission Technology
• IEEE 802.x MAC Layer
• Understanding the Wireless Threat
• Overview of Linux
• Linux Commands
• Overview of Backtrack 3 Tools, Techniques and Implementation
• Wireshark
• Netslumber
• Kismit
• iwconfig
• macchanger
• Airmon
• Airodump
• Aircrack
• Aireplay

• Lab 1: Using basic TCP/IP Tools and Utilities: whois, ipconfig, ping, traceroute, Port Scanning, Sniffing
• Lab 2: Setting the WLAN card operating modes, sniffing in monitor mode
• Tools: Linux, Wireshark, Kismet

Day 2: Wireless Security Applied to 802.x

• WiFi, Bluetooth/Zigbee and WiMAX Security Principles
• Common Capabilities of the IEEE 802.x MAC
• Understanding the architecture and operating of ad-hoc and infrastructure networks
• Understanding the operation and behavior of IEEE 802.1X authentication
• Packet framing on wireless networks
• Understanding the 802.11 header format and fields
• 802.11 address field ordering and behavior
• 802.11 management, control and data frames
• 802.11 management action frames
• Rogue Network Threats
• Defining and understanding rogue networks
• Techniques for identifying rogue devices
• Overview of WEP, WPA/WPA2, 802.11i
• Assessing WEP Networks
• IV transmission
• Eavesdropping
• Spoofing
• Sniffing
• WLAN Denial of Service (DoD)
• WLAN Man-in-the-Middle Attacks
• War Driving
• Wireless Security Best Practices

• Sniffing MAC Layer
• Tool: Kismet, Wireshark
• Tool: Nessus
• Locating rogue devices through RSSI signal analysis, triangulation
• Tools: kis-snr, rapfinder
• Cheating at rogue detection using CDP and MAC address variations
• Lab: Identifying rogue AP's with Nessus, using RSSI characteristics to locate device

• TKIP hash weaknesses and countermeasures, Tool: WPA Hand Grenade
• Attacking the passphrase selection of WPA/WPA2-PSK networks
• Labs: Cowpatty, using cryptographic accelerators with coWPAtty, social engineering the passphrase, securing WPA/WPA2-PSK
• Denial of Service (DoS) Attacks on Wireless Networks
• IEEE 802.11 MAC attacks, authentication and association floods, deauthenticate and disassociation floods, Beacon DS Set DoS, Invalid Authentication flood, power-management attacks
• Labs: void11, hunter_killer, AirJack suite, file2air, fata-jack,

•  802.11 medium management techniques, hidden node problem, RTS/CTS medium management, medium reservation attacks, RTS/CTS co-opting
• Client attacks including rogue AP DoS, NULL SSID DoS, 802.1X authentication flood
• Labs: hunter_killer_imp

Day 4: Wireless Hacking Applied

• Wireless Hotspot Networks
• Labs: Service theft, passive and active session hijacking, Spoofed provider access, direct client attacks
• Hotspot injection attacks, manipulating unencrypted network transmissions
• Labs: ICMPTX, tmscam, Pickupline, Ettercap, Airsnarf
• Wireless Client Exposures and Vulnerabilities
• AirPWN, exploiting Internet Explorer with AirPWN
• Publicly Secure Packet Forwarding (PSPF), understanding PSPF filtering, defeating PSPF, Lab: Wifitap
• Attacking the Preferred Network List (PNL), Lab: Hotspotter for network redirection, Lab: KARMA for client attacks, weaknesses in the Windows XP PNL
• IEEE 802.11 protocol fuzzing, understanding the format of the SSID information element as an example and how an attacker would exploit it, impact of driver bugs, Lab: fragtestsuite, Lab: Metasploit, Lab: file2air, Lab: Scapy
• Client fingerprinting techniques, Lab: jc-duration-printer
• Techniques for protecting client systems
• Lab: Using AirPWN to manipulate client devices

Day 5: GSM/GPRS/EDGE, UMTS, HSPA/HSPA+ and LTE Security Attacks 

• GSM Family of Network Wireless Attacks
• WarViewing and exploiting wireless video transmitters, Tool: Mobile WarSpy
• Introduction to next-generation wireless attacks using software defined radio (SDR) and the Universal Software Radio Peripheral (USRP); Tool: USRP and GNURadio
• Introduction to cellular protocols and GSM networks, demodulating GSM traffic, GSM reference sources and data capture and analysis, risks with GSM use, Wireshark and GSM sniffing, exploiting weaknesses in GSM encryption
• Lab: BCCH Data collection and evaluating wireless devices
• Tools: gsmdecode, gammu, GSSM, Wireshark, gsm-tvoid
• Zigbee and Bluetooth Security Threats
• Exploiting range in Bluetooth networks, Bluetooth attacks including rogue AP s, Bluesnarfing, Blueline, wireless works
• Tools: Bluesnarfer, Linux BlueZ stack
• Understanding Bluetooth pairing, analyzing the Bluetooth authentication exchange and associated protocols, attacking the Bluetooth pairing process, implementing PIN attacks
• Tools: btpincrack, BTCrack
• Sniffing Bluetooth networks, hacker techniques for building Bluetooth sniffers; Tools
• FTS4BT, Linux BlueZ tools, frontline
• Exploiting Bluetooth non-discoverable mode, discovering non-discoverable devices;
• Tools: GNURadio, BTScanner
• Exploiting Bluetooth profile vulnerabilities, audio recording attacks, exploiting Bluetooth headsets, Bluetooth device impersonation attacks;
• Tools: CarWhisperer, ussp-push