SensePost Unplugged: Modern Wi-Fi Hacking

Abstract

If you want to learn how to understand and compromise Wi-Fi networks, this is your course.

Learning modern Wi-Fi hacking can be a pain. There is lots of outdated material for technologies we rarely see deployed in the real world anymore. Numerous tools overly rely on automation, and leave you wondering when they don't work, because neither the fundamentals nor underlying attack is understood. Even worse, some popular attacks will rarely if ever work in the real world.

If you want to really understand what's going on, and master the attacks in such a way that you can vary them when you encounter real world complexities, this course will teach you what you need to know.

We've been pentesting Wi-Fi networks for nearly two decades, and have built some popular Wi-Fi hacking tools such as Snoopy, MANA, wpa_sycophant, berate_ap & shinai-fi - https://w1f1.net/.

This course is highly practical, with concepts taught through theory delivered while your hands are on the keyboard, and semi-self directed practicals at the end of each section to reinforce the learning. The course is hosted in a "Wi-Fi in the cloud" environment we invented several years ago, which means no more fiddling with faulty hardware or turning the classroom into a microwave.

Learning Objectives

  • How Wi-Fi hacking fits into wider attack or defence objectives
  • Important physical and low level RF concepts and how to reason through/debug strange situations
  • Understanding how monitor mode works, when to use or not use it, and practical examples of what to do with collected frames or data
  • Grokking the WPA2 4-way handshake and the numerous ways of recovering PSKs and what do with them
  • First looks at attacking WPA3's Dragonfly handshake with downgrades
  • Grokking EAP & EAP vulnerabilities relating to certificate validation, tunnelled mode key derivation and how to practically attack them with downgrades, relays and manipulating state
  • How to use numerous Wi-Fi tools, but with a particular focus on the aircrack suite and SensePost's MANA

Agenda

  • Introduction
    • How & Why
      • When and why to use Wi-Fi attacks
    • Physical & Low Level
      • Understanding spectrum, signals and propagation
      • Peculiarities of crowded Wi-Fi spectrum & resulting behaviour in Tx & Rx
      • Understanding hardware - cards, antennas. Practical recommendations
      • Specifics of Wi-Fi signalling
    • LAB: Getting comfortable & understanding your tools
  • Monitor Mode
    • What it is
      • How it works. What you get. Why it isn't promiscuous.
      • Prism/Radiotap headers & how driver implementations differ.
    • How to use it
      • LAB: Snoopy Tracking, Spectrum & Deanonymisation
      • LAB: Interception & Cookie Theft
  • WPA/2/3 PSK
    • What it is
      • IEEE & WEP history
      • 4-way handshake crypto
    • How to attack it
      • LAB: Vanilla de-auth & capture handshake
      • LAB: MANA Rogue AP Half Handshake
      • LAB: PMKID
      • LAB: Cracking
      • LAB: WPS attacks
    • Advanced
      • Approaches and methodologies for the real world
      • LAB: Real World WPA/2
    • WPA3
      • The Dragonfly handshake
      • LAB: MANA WPA3 downgrade
  • EAP
    • What it is
      • Generic EAP flow
      • Specific EAP types and how they work
    • How to attack it
      • LAB: MANA Evil-Twin WPE
      • LAB: MANA GTC downgrade
      • LAB: MANA EAP-TLS isn't safe
      • LAB: Sycophant Relaying Tunnelled Modes
  • CAPTURE THE FLAG

Pre-requisites

Students should have at least a basic understanding/familiarity with the Linux command line. Prior Wi-Fi hacking experience will help but is not required. The lab exercises are designed so that more advanced students can progress further and students new to the field can complete the base requirements.

Hardware Requirements

A device with a working web browser and comfortable keyboard is all that is required. Labs are hosted at https://katacoda.com.

https://katacoda.com/singe/scenarios/monitor-mode can be used to test compatibility and give you a feel for the lab environment.

All other hardware required for the class shall be provided on-site.

What Students Will Be Provided With

The course material, custom scripts and tooling, ongoing access to the training environment for 3 months (extensions can be arranged).

Dominic White

Dominic White

Register Now >>

Dominic is the CTO of SensePost, and has been hacking for 15 years, the last nine of them at SensePost. He's been giving training at places like BlackHat since 2008. He's the primary author of mana-toolkit and hostapd-mana and builds SensePost's Wi-Fi hacking training. He has presented research at conferences such as Defcon, Hack In The Box, 44CON, Derbycon and more.

He tweets as @singe.