The WiFi Auditing Workflow
Any successful engagement requires careful planning and execution. While every scenario differs, this basic workflow outlines the procedures most commonly followed during a WiFi audit. As guidelines, they provide insight into responsible best practices.
The goal may be to harvest credentials from the client using a phishing page tailored to the organization, either by a DNS poisoning attack or a captive portal. It may be to deploy malware such as a reverse shell. Or perhaps it’s simply to passively monitor client traffic. Depending on the client device, you may even want it connected to your WiFi Pineapple network in order to attempt a remote exploit. In any case, the typical strategy is to snare a specific target – that is, to get the client device of interest to connect to your WiFi Pineapple so that a payload may be delivered.
PRE-ENGAGEMENT INTERACTIONS
A crucial first step is to determine the scope and rules of engagement. This is extremely important since you’ll be using a shared spectrum, and ensuring zero collateral damage is key. The more you can obtain up front from the organization about their wireless network and any key targets, the better. Determine how many wireless networks are in operation and whether there is a guest network.
Moreover, you’ll want to familiarize yourself with any bring your own device (BYOD) policy. For instance, say the organization employs software engineers with high-level access to the company infrastructure. Find out if snaring these clients is on the table, and if possible obtain the WNIC MAC addresses of the key individuals.
INTELLIGENCE GATHERING
The more you can learn about the organization’s facilities and its employees, the higher the likelihood of success. Remember, it’s not so much the company’s network infrastructure we’re interested in as the associated staff. What wireless devices do they use? To what other networks do they connect? Do they travel? Do they use guest networks at client sites?
The WiFi Pineapple reconnaissance module facilitates Open Source Intelligence (OSINT) – that is, the practice of gathering and analyzing publicly available information sources. It provides the auditor with a big picture of the WiFi landscape, with hooks into the PineAP suite to execute on actionable intelligence.
VULNERABILITY ANALYSIS
Once initial intelligence has been gathered, one must analyze vulnerabilities. Identify potentially vulnerable targets within the scope of engagement. Are these client devices transmitting probe requests? Are they general or directed at a specific access point? What SSIDs can you determine from their preferred network list? Are they associated to an access point? Are they susceptible to a deauth attack?
Once vulnerabilities have been identified they can be validated. Add the in-scope targets to the allow filter and test them against the available PineAP attacks. Do they connect to your WiFi Pineapple? Do they stay connected?
EXPLOITATION
With in-scope targets identified and validated, the auditor can proceed to exploitation. This will vary greatly depending on the goal of the attack. If it is to capture network traffic for analysis, the tcpdump module may be most appropriate. If it is to harvest credentials from a captive portal using social engineering techniques, the Evil Portal module may be your best bet. In any case, exploitation comes down to setting up the attack, testing the attack, then finally executing it on the given targets.
It is in this phase that careful consideration is put towards tailoring the attack to the targeted individuals and ensuring proper filtering to limit collateral damage.
POST EXPLOITATION
You’ve successfully obtained associations from your targeted individuals and executed your exploit – be it phishing, sniffing, remote exploit, etc. Now what? Depending on the engagement you may wish to set up persistent remote access in order to maintain a connection with these clients. Or you may have obtained credentials useful in pivoting your attack into the organization’s network. By integrating with other popular penetration testing frameworks, the WiFi Pineapple may play the important role of maintaining your layer 3 network access to these clients throughout the course of the audit.
REPORTING
At the conclusion of the WiFi audit the organization will most likely require a report. While the executive-level report regarding business impact and bottom line will require a human touch, the technical aspects of this report may be generated by the WiFi Pineapple reporting module. Further, the PineAP reports may be analyzed using scripts to determine trends within the organization and its workforce.
In an ongoing WiFi audit, the reporting module may be configured to continuously provide the penetration tester with reports by email at set intervals.
PINEAP WORKFLOW
With these basic WiFi auditing guidelines in mind, one may look at the workflow in terms of the PineAP suite and its accompanying modules. The procedures followed with regard to the WiFi Pineapple may look like the following:
Recon – Gather actionable intelligence about the wireless landscape. This module provides a dashboard for quickly identifying potential targets, and interfacing with the filtering and capturing capabilities of the PineAP suite.
Filter – Limiting the scope of engagement is key to a successful audit. Nobody wants collateral damage, so CYA and ensure that only permitted client devices are acquired.
Log – A plethora of actionable intelligence can be passively acquired by logging client device probe requests and associations. Logging is key to successful analysis.
Analyze – What in-scope targets are associated? Which are transmitting probe requests? General or directed? Can you determine the client devices’ preferred network lists?
Capture – A pool of preferred network names is captured, either automatically from nearby probe requests or manually, to the SSID pool. A well-curated and targeted SSID pool can be thought of as the sweet, sweet honey of the hot-spot honey-pot.
Prepare – Will you be passively collecting data for analysis? Set up the tcpdump module. Will you be social engineering with a captive portal? Develop the tailored phishing page. Prepare the attack before executing.
Test – Does the attack work as expected? What interaction is required by the client? Test with your own devices before executing.
Broadcast – Advertising the SSID pool to either all nearby devices or specifically targeted devices is an active way of attracting a potential client.
Associate – Finally, with filters set for specific targets and a tailored attack prepared, you are ready to allow associations.
Deauthenticate – When permitted, a well-placed deauthentication frame may encourage a device to disconnect from its currently associated network and join the WiFi Pineapple. Ensure first that this technique is within the rules of engagement.
Monitor / Manipulate – Capturing traffic for analysis? Set the appropriate modules to log. Manipulating traffic? This is where it pays to get creative with captive portals, DNS spoofing and the like.
Report – What was vulnerable? What wasn’t? The PineAP log will show. Further analysis will highlight trends. Compile these for the technical aspects of your report.
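As an added example (not code from the WiFi Pineapple or its reporting module), the following Python script shows the kind of scripted analysis the Log, Analyze, Filter and Report steps above and the Reporting section call for: it parses a constructed, PineAP-style log (the line format is an assumption, not the real PineAP file format), summarizes directed versus broadcast probes and the preferred-network hints per client, and flags any association from a MAC outside the allow filter so that collateral damage shows up in the report instead of going unnoticed.

```python
# Added example using an ASSUMED, constructed log format (not the real PineAP format):
#   <ISO timestamp> <PROBE|ASSOC> <client MAC> <SSID, or '*' for a broadcast probe>
from collections import Counter, defaultdict

# Constructed sample log lines (not captured data).
SAMPLE_LOG = """\
2024-01-01T09:00:01 PROBE aa:bb:cc:00:00:01 CorpWiFi
2024-01-01T09:00:02 PROBE aa:bb:cc:00:00:01 *
2024-01-01T09:00:03 PROBE aa:bb:cc:00:00:02 Airport_Free
2024-01-01T09:00:04 PROBE aa:bb:cc:00:00:02 CorpWiFi
2024-01-01T09:00:05 ASSOC aa:bb:cc:00:00:01 CorpWiFi
2024-01-01T09:00:06 PROBE dd:ee:ff:00:00:09 CafeGuest
2024-01-01T09:00:07 ASSOC dd:ee:ff:00:00:09 CafeGuest
2024-01-01T09:00:08 PROBE aa:bb:cc:00:00:02 *
"""

def parse_log(text):
    """Return (timestamp, event, mac, ssid) tuples; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("PROBE", "ASSOC"):
            continue
        ts, ev, mac, ssid = parts
        events.append((ts, ev, mac.lower(), ssid))
    return events

def analyze(events, allow_list):
    """Summarize probe trends and flag associations not covered by the allow filter."""
    allow = {m.lower() for m in allow_list}
    report = {
        "directed_probes": Counter(),        # SSID -> directed probe count (trend data)
        "broadcast_probes": Counter(),       # MAC -> wildcard probe count
        "pnl": defaultdict(set),             # MAC -> SSIDs seen in directed probes (PNL hints)
        "out_of_scope_assoc": [],            # associations from MACs outside the allow filter
        "in_scope_never_associated": set(allow),
    }
    for ts, ev, mac, ssid in events:
        if ev == "PROBE":
            if ssid == "*":
                report["broadcast_probes"][mac] += 1
            else:
                report["directed_probes"][ssid] += 1
                report["pnl"][mac].add(ssid)
        else:  # ASSOC
            if mac not in allow:
                report["out_of_scope_assoc"].append((ts, mac, ssid))
            report["in_scope_never_associated"].discard(mac)
    return report
```

A non-empty `out_of_scope_assoc` list means the allow filter did not hold and the affected device belongs in the report's collateral-damage section.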
CONCLUSION
A thoughtfully planned and executed WiFi audit is possible by using a number of modules available to the WiFi Pineapple. When used in conjunction with popular penetration testing frameworks the audit will have the largest impact.
Like most productions, the more time spent in the planning stages, the higher the likelihood of success. Nobody wants a messy audit. Spend the time to gather intelligence and carefully plan the attack. Going in guns blazing will increase the chances of collateral damage. The importance of filtering and tailoring an attack to the specific in-scope targets cannot be emphasized enough.
While the WiFi Pineapple is capable of executing blanket attacks, be mindful of the wireless landscape. It’s ever changing. Just because it’s free of civilians now doesn’t mean it won’t change mid-way through the audit. Target. Filter. Tailor. In short, don’t be that guy.