Wireless Reconnaissance in Penetration Testing
Authors: Matthew Neely, Alex Hamerstone and Chris Sanyk
Reconnaissance should always be the first stage of a cyber attack or penetration test, and the success of these attempts is usually closely tied with the quality of information gathered during this phase. This book gives insight into the information that can be gathered from radio traffic between a number of wireless devices used by the target, and how that information can come in handy.
About the authors
Matthew Neely is the Director of Research, Innovation and Strategic Initiatives at SecureState, a security management consulting firm.
Alex Hamerstone is the Compliance Officer for TOA Technologies, an international workforce management software company. He is a certified auditor.
Chris Sanyk is an IT professional with over twelve years of experience in everything from PC and server hardware to system administration and software development.
Inside the book
By concentrating on wireless networks and Bluetooth, penetration testers and attackers often miss the wealth of information that can be extracted from the remaining radio spectrum used by two-way radios, building control systems, wireless headsets and cameras, and other cordless devices.
Listening in on the guards’ radios can reveal details such as their names, shift schedules, and other information that can be used in social engineering attempts; accessing traffic from wireless cameras can offer insight into the guards’ movements and the layout of a building; and so on.
The book contains a great chapter on basic radio theory and radio systems: the electromagnetic spectrum, antennas, radio technology, and regulatory agencies. Even people who are familiar with it all will find it helpful, as the authors keep it short and to the point. For those interested in learning more, the chapter also contains links to books and (occasionally free) online courses.
There is also a thorough chapter on the equipment you need to know how to use (scanners, antennas, cameras, recording and decoding equipment, etc.) and on how to choose the right pieces (cheap but good ones to start with). The last chapter gives much needed insight into newer technology (digital wireless protocols, software defined radios, network-enabled dispatch systems and more) that can be used for this type of reconnaissance.
For such a slim book, it addresses this (admittedly) narrow subject surprisingly thoroughly. The basics are well explained, but the best part of it is the real-world case studies of pentests using radio profiling that are interspersed throughout the book; they alone make it worth picking up. They give great insight both to pentesters and to those tasked with keeping unauthorized personnel physically and logically out of restricted areas.