Securing the Spectrum: An Intensive Wireless Security Course for Red and Blue Teams
Today I’m proud to announce a first-of-its-kind Wi-Fi security course – beta. Spanning 12 intensive weeks, this course goes well beyond what’s possible in traditional training and will transform you into a wireless security professional.
My goal with this course is to take you from Wi-Fi hacking enthusiast to wireless security professional and practitioner. You will know common (and uncommon) vulnerabilities: how to discover them, how to exploit them, how to report them and how to protect against them.
By the end of the 12-week course you will be in a good position to configure secure networks, work as a security consultant, and generally break and secure every wireless network that comes within range.
There are no written tests or fill-in-the-blanks homework. Since this is a beta version, you’ll work through a set of practical tasks every week as your homework.
Security professionals are more in demand than ever; whether you’re looking to move up as a developer or jump into the security field, you will get your money’s worth.
What you need
- Just a laptop that can connect to a VPN.
- A browser, and
- Basic working knowledge of Linux and Wireless technology.
Since the course is taught on cloud-hosted labs, you might want to replicate the setup and attacks on your personal machine/VM. For that you’d need:
- 2 wireless adapters
- A simple USB adapter for client simulation
- A packet-injection capable wireless adapter; the Alfa AWUS036NH is preferred
- A machine capable of running 2 VMs
- Basic working knowledge of Linux and Wireless technology.
What to expect
As mentioned before, you will be finding bugs on day one. You can expect 2-4 hours of coursework in the week following each class. Your success in this course is highly dependent upon completing the assigned work in a timely fashion, due to the depth and breadth covered.
If you start to get into the weeds or just have some questions, I’ll be available to help you out and get you back on track. You’ll also have access to private forums for students, and since I am not a super-busy person you can expect prompt responses from me via email/chat as well.
In the first week we start with an introduction, followed by the basics of networking, operating systems and some groundwork in hardware theory that’ll help you create a secure wireless environment and select the right wireless hardware for your use case.
The second class of the week focuses on getting you started practically: configuring the lab and wireless pentesting. You’ll find your first bug at the end of this week.
Introduction and basics of Wireless, Networking and Hardware
- Structure of the course
- How to contact me
- Tools and setup
- Card Selection and Hardware theory
- Choosing Antenna
- Wireless signals and Attenuation
- Understanding terminology – dB, dBm, dBi, mW, W
- Understanding the Linux wireless stack and drivers
- Different ways of interacting with the wireless card
- Monitoring the data in the air
- Understanding the effect of nearby networks
- Your First Bug
Packet theory, Capturing packets and Cracking WLAN Encryption
In this week you’ll learn more about networking in the wireless domain. You’ll analyse wireless data packets in depth, learn what each frame does and understand the use of each frame.
In the second class of the week you’ll get your feet wet in practical wireless pentesting. You’ll do hands-on penetration testing of various WLAN security mechanisms and authentication methods. This sets the ground for deeper data analysis and advanced techniques for penetration testing and security altogether.
- Understanding a Packet
- Types of Frames
- 802.11 MAC Frame
- Management Frame
- Beacon Frame
- Probe Frame
- Data Frame
- Introduction to wireless security tools
- Aircrack-ng suite
- Active and Passive Sniffing
- Understanding the 802.11 Wireless LAN MAC frame format in depth
- Deep analysis of Wireless packet data with Wireshark
- Bypassing WLAN Authentication
- Shared Key
- MAC Filtering
- Hidden SSIDs
Cracking WLAN Encryption
- Fake authentication attack
- Cracking via Client
- Vivek Ramachandran’s Caffe Latte attack
- Clientless WEP Cracking – In depth Packet Analysis
- Fragmentation attack
- KoreK’s chop-chop attack (theory and attack)
Breaking WPA2, in the Clouds
Starting off with WPA2 theory, we’ll move on to capturing the WPA2 4-way handshake and cracking the key out of it. You’ll learn how dictionary attacks work and script your own dictionary-based WPA2 cracker.
After that we will learn how to speed things up locally. And then, finally, we’ll move into the cloud.
- WPA/WPA2 – The 4-way handshake
- Understanding the WPA/2 hashing method and its cracking mechanism
- How to generate complex wordlists for cracking
- AP-Less WPA/2 Cracking – Dictionary Attack
- Speeding up cracking with GPU based tools
- Moving on to cloud for High performance cracking (Hashcat, AWS cloud GPU)
- Setting up your own cracking rig on the AWS cloud
- Attaching GPU to Amazon EC2
- Converting Pcap to hccap
- High Speed WPA2 cracking on cloud GPU
As an attacker, breaking the WLAN authentication is one thing; actually getting useful information out of the network is another. That leads us to exploiting the network and extracting information from it. There are numerous ways to achieve that. We’ll focus on the most effective ones: the ones which, hopefully, will keep working for the next few years at least.
- Breaking into the client using
- Post exploiting using
- Batch / Bash
Rogue Access Point – Introduction
Moving ahead is not always the best thing to do. Sometimes it is better to take a break, look back in hindsight and improve the things you were already good at. This brings us to advanced methods of exploiting a wireless network from a hacker’s perspective. This week will be a plain introduction to everything related to masquerading as an access point, and the physics behind the wireless signals involved.
Overview and Setup
- Required tools
- Information gathering
- Tuning transmission power (Tx Power) of wireless card
Rogue Access Points – A deeper dive
There’s a saying that “the deeper you go in a field, the more ways to earn you’ll find”. This is the actual beginning of your course. The rest was just building up the excitement and pace. Now things will get serious, in a serious manner. You’ll no longer be breaking simple simulated APs, but a realistic simulation of an enterprise network.
You’ll also learn to fix the challenges that come along as a red teamer. It will be more like scenario-based hacking, which you won’t find in any open (or closed) source tool. You’ll do it by hand and will learn the ins and outs of how operating systems and networks work, at a much deeper level.
- Cracking WPA2 Enterprise Security
- Advanced Enterprise attacks
Interface virtualisation: setting up multiple wireless interfaces with one NIC
- Running AP + Client simultaneously on single card
Fixing the “No Internet Access” issue on Windows 7/10 victim devices
- Deep packet and system-level analysis of how Windows checks the network connection status
- Writing a custom script to bypass the Network Connection Status Indicator (NCSI) mechanism
- Making the attack persistent and handy
Captive Portal – Advanced Rogue Access Point Attacks
Scenario-based hacking is very targeted; what about the wide spread of wireless devices? The mobile device, the actual consumer or employee who uses wireless daily.
Kevin Mitnick has already said that the weakest link of an organisation is the human being. As a red teamer, where would you like to punch the hardest? The weak spot or the strong one?
Enter captive portals. Not only will this be targeted at the widely available mobile devices, but you’ll also learn to build device-specific attacks. No more reliance on outdated or buggy open-source tools. You’ll learn to serve a different attack vector to each kind of device. Intriguing, isn’t it?
- What is captive portal
- Captive Portal from a hacker’s perspective
- Basic strategy behind Captive portal Detections
- Differences between client devices and their captive portal detection methods
- Windows’ NCSI
- Android’s hotspot-detect request
- Apple’s secret WISPr request
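The three connectivity probes listed above are also how a defender can tell that a network is tampering with clients: each OS expects a specific status code and body, and anything else is what makes the device pop a sign-in page. The following is an added example, not code from the course: a small Python checker that records the documented probe URL and expected answer for each platform, classifies captured responses as clean, intercepted or unreachable, and can optionally fetch the probes live without following redirects (a 302 to a portal page is exactly the signal we want to keep). The captured responses in `SAMPLE_RESPONSES` are constructed sample data; the probe URLs and expected bodies are the publicly documented ones.

```python
"""Connectivity-probe integrity check (added example, not from the course).

Expected probe URLs/bodies are the documented values used by each OS;
SAMPLE_RESPONSES below is constructed sample data for offline use.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
import urllib.error
import urllib.request

Response = Optional[Tuple[int, bytes]]  # None means no HTTP answer at all


@dataclass(frozen=True)
class Probe:
    platform: str
    url: str
    expected_status: int
    body_ok: Callable[[bytes], bool]  # how the client judges the body


def _exact(expected: bytes) -> Callable[[bytes], bool]:
    return lambda body: body.strip() == expected


PROBES = (
    Probe("windows-10", "http://www.msftconnecttest.com/connecttest.txt", 200,
          _exact(b"Microsoft Connect Test")),
    Probe("windows-7", "http://www.msftncsi.com/ncsi.txt", 200,
          _exact(b"Microsoft NCSI")),
    Probe("android", "http://connectivitycheck.gstatic.com/generate_204", 204,
          lambda body: body == b""),
    Probe("apple", "http://captive.apple.com/hotspot-detect.html", 200,
          lambda body: b"Success" in body),
)


def verdict(probe: Probe, response: Response) -> str:
    """Classify one captured response as clean, intercepted or unreachable."""
    if response is None:
        return "unreachable"
    status, body = response
    if status == probe.expected_status and probe.body_ok(body):
        return "clean"
    # Wrong status (e.g. 302 to a portal) or a rewritten body: something
    # on the path answered in place of the real endpoint.
    return "intercepted"


def assess(responses: Dict[str, Response]) -> Dict[str, str]:
    """Map platform -> verdict for {platform: (status, body) or None}."""
    return {p.platform: verdict(p, responses.get(p.platform)) for p in PROBES}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Never follow redirects: the 302 itself is the evidence we want.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(probe: Probe, timeout: float = 5.0) -> Response:
    """Fetch one probe from the current network (not used by the offline demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(probe.url, timeout=timeout) as r:
            return r.getcode(), r.read()
    except urllib.error.HTTPError as e:      # non-2xx, including unfollowed 302
        return e.code, e.read()
    except (urllib.error.URLError, OSError):  # DNS failure, timeout, refused
        return None


# Constructed sample captures: one honest answer, one probe that never got an
# answer, one redirected to a portal, and one with the body rewritten.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "windows-10": (200, b"Microsoft Connect Test"),
    "windows-7": None,
    "android": (302, b"<html><body>Redirecting to login...</body></html>"),
    "apple": (200, b"<html><head><title>Welcome</title></head><body><form>...</form></body></html>"),
}

if __name__ == "__main__":
    for platform, result in assess(SAMPLE_RESPONSES).items():
        print(f"{platform:12s} {result}")
```

Running it against the constructed captures reports `windows-10 clean`, `windows-7 unreachable`, and `android` and `apple` as `intercepted`. To test a real network, replace `SAMPLE_RESPONSES` with `{p.platform: probe_live(p) for p in PROBES}`; a result of all-clean on an untrusted network is a stronger statement than the OS indicator alone, because the check refuses to follow redirects and compares bodies byte for byte where the client does.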
Practical – Setting up
- What is mod_rewrite
- Advantages of mod_rewrite
- Mod_rewrite basics
- Using custom rules for traffic manipulation
- Rule syntax for Apache
- Setting up User Agent Based Redirection
- Configuring Apache for mod_rewrite
- Captive Portal configuration for Apple Devices
- Captive Portal configuration for Android Devices
- Captive Portal configuration for Windows
- Setting up iptables for redirection
- Enabling modules
- Bypassing captive portals
- Protection against such attacks
In the final week of the second month you’ll graduate with an amalgamation of everything you’ve learned. Think of it as the mini project you used to (or would) do at college. Everything you’ve learned about rogue access points, social engineering, networking dynamics, automation and targeting, together with a few more concepts and a secret sauce, will be used to engineer the ultimate fake wireless access point.
This is not a silver bullet, but it is definitely the most effective of them all. You will learn how to fetch a multitude of cleartext WPA2 passphrases from a single client on the go, along with bypassing firewalls and evading anti-virus. You will engineer the God of the Evil Twins!
Dynamics of the God of Evil Twins
- How to get cleartext WPA2 Credentials, on the fly!
- Understanding required tools and configurations
Setting up the Ultimate Evil Twin Access Point
- Installing requirements
- 2 ways of Spoofing DNS
- A look at the secret sauce
Making it stealthier
- 2 ways of making the attack stealthier
- Bypassing firewall
- Encoding and Obfuscating information
Graduating as a red teamer isn’t the real aim of the course. Every wireless pentesting course under the sun does that. So, what’s different about this one? The final part of the course will be totally focused on teaching you how to detect a wireless hacker or intruder, collect their fingerprints and report them to the security team, a.k.a. the SOC (Security Operations Centre).
You’ll work as a security professional who keeps an eye out for network intruders. You’ll learn how to detect leeches (rogue devices) connected to your network.
It’s always better to build your own script than to use a big ol’, super-expensive “enterprise-friendly” tool. You’ll script your own tool to detect and report rogue devices.
- Spectrum Analysis on Windows, Linux
- Wardriving: mapping wireless networks geographically
- Decrypting captured data from wardriving
- Understanding the data for wireless security level and vulnerabilities
- Locating a Wi-Fi intruder physically
- What is the IEEE OUI list
- Using Probemon
- Incident Detection and Response
- What is Incident Detection
- What is Incident Response
- What are the possible mitigations
- Detecting rogue devices using PowerShell
- Scanning basics
- Intrusion detection
- Writing a custom PowerShell script for intrusion detection
- Intrusion response
- Reporting intrusions to the security team via email, automatically and in real time
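As an added example of the detect-and-report loop this block describes (not the course’s own script, which it says is written in PowerShell), here is a Python version of the same idea: parse the neighbour table (`ip neigh` on Linux or `arp -a` on Windows), compare every MAC against an allowlist of known devices, resolve the vendor from an IEEE OUI prefix, and build the email a SOC would receive. The neighbour-table lines, the allowlist and the two-entry OUI table are constructed sample data; the mail server, sender and recipient addresses are placeholders you would fill in.

```python
"""Rogue-device detector and reporter (added example, not from the course).

Sample neighbour tables, allowlist and OUI subset below are constructed.
"""
import ipaddress
import re
import smtplib
from email.message import EmailMessage
from typing import Dict, Iterable, Iterator, List, Set, Tuple

MAC_RE = re.compile(r"\b([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
                    r"[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Tiny constructed subset of the IEEE OUI list (first three octets -> vendor).
OUI: Dict[str, str] = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:C0:CA": "ALFA, Inc.",
}


def parse_neighbours(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, mac) pairs from `ip neigh` or `arp -a` output.

    Lines without a resolved MAC (FAILED entries, headers) are skipped, as are
    broadcast and IPv4 multicast entries that Windows lists as static."""
    for line in text.splitlines():
        m, ip = MAC_RE.search(line), IP_RE.search(line)
        if not (m and ip):
            continue
        mac = ":".join(g.lower() for g in m.groups())
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        yield ip.group(1), mac


def vendor(mac: str) -> str:
    return OUI.get(mac[:8].upper(), "unknown vendor")


def find_rogues(entries: Iterable[Tuple[str, str]], known: Set[str]) -> List[dict]:
    """Return one finding per MAC that is not on the allowlist, sorted by IP."""
    seen: Dict[str, dict] = {}
    for ip, mac in entries:
        if mac in known or mac in seen:
            continue
        seen[mac] = {"ip": ip, "mac": mac, "vendor": vendor(mac)}
    return sorted(seen.values(), key=lambda f: ipaddress.ip_address(f["ip"]))


def build_report(rogues: List[dict], sender: str, recipient: str) -> EmailMessage:
    """Build the alert email; sending is kept separate so this stays testable."""
    msg = EmailMessage()
    msg["Subject"] = f"[WLAN IDS] {len(rogues)} unknown device(s) on the network"
    msg["From"], msg["To"] = sender, recipient
    lines = ["Devices seen in the neighbour table that are not on the allowlist:", ""]
    lines += [f"  {f['ip']:<16} {f['mac']}  ({f['vendor']})" for f in rogues]
    msg.set_content("\n".join(lines) + "\n")
    return msg


def send_report(msg: EmailMessage, host: str = "smtp.example.org", port: int = 25) -> None:
    # Placeholder relay; use your own server (and TLS/auth) in practice.
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.send_message(msg)


# Constructed sample output from a Linux host and a Windows host on one WLAN.
SAMPLE_LINUX = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr b8:27:eb:aa:bb:cc STALE
192.168.1.40 dev wlan0 lladdr 00:c0:ca:12:34:56 REACHABLE
192.168.1.12 dev wlan0 FAILED
"""
SAMPLE_WINDOWS = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.17          3c-5a-b4-de-ad-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Constructed allowlist: the gateway and one office laptop.
KNOWN = {"00:11:22:33:44:55", "3c:5a:b4:de:ad:01"}

if __name__ == "__main__":
    findings = find_rogues(parse_neighbours(SAMPLE_LINUX + SAMPLE_WINDOWS), KNOWN)
    print(build_report(findings, "ids@example.org", "soc@example.org"))
```

On the constructed data the detector flags two devices, the Raspberry Pi at 192.168.1.23 and the ALFA adapter at 192.168.1.40, and ignores the gateway, the allowlisted laptop, the unresolved FAILED entry and the broadcast/multicast rows. In a live deployment you would feed `subprocess.run(["ip", "neigh"], ...)` or `arp -a` output into `parse_neighbours`, run it on a schedule, and only call `send_report` when `find_rogues` returns something new; a MAC allowlist is trivially spoofable, so treat the alert as a trigger for the physical-location and probe-based checks covered above, not as proof on its own.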
In this week you’ll meet the Boss of the SOC: Splunk>
Reporting a threat doesn’t mean simply handing over the device information to the security team. It takes much deeper knowledge and analytical capability for an analyst to tell the false positives apart and filter a real threat out of the storm.
This week will get your feet wet in the world of SIEM (Security Information and Event Management). You’ll learn how to deploy Splunk in the cloud and configure different operating systems to forward logs to your centralised log aggregator.
- Deploying Splunk, configuring logging and forwarding
- Installing Splunk on Cloud
- Configuring logging in Windows and Linux
- Setting up log forwarding from Windows and Linux
- Understanding how Windows Event logging works
Leading into the final week, we will run several advanced exploitation techniques and learn how to detect, analyse, automate and report them to the security team.
- Learning attacker tactics, techniques and procedures (TTPs)
- Generating real-world Wireless security events to analyse
- Learning what types of security events generate log events
- Writing basic queries for common attacks
- Analysing PCAP files with Splunk
In the final lesson, we will review all that has been learned as a blue teamer, then run through several real-world scenarios from both an attacker and defender’s perspective.
- Understanding IOCs/IOAs
- Indicators of Compromise (IOCs)
- Indicators of Attack (IOAs)
- Visualising data in Graphs, tables and charts
- Creating custom dashboards
- Integrating data from popular security products
- Writing complex queries
I have plans to take the course beyond simple 2.4 GHz, 802.11n-only networking. The world is moving ahead, IT is moving even faster, and you should move with it. My plans are to teach:
- Wireless pentesting on 802.11ac type networking devices
- Wireless sniffing and packet analysis on the 5 GHz band
- SU-MIMO and MU-MIMO in 802.11ac networking
- Challenges faced with Very High Throughput (VHT)
- Why USB-based adapters aren’t a good choice for 802.11ac wireless pentesting
- Access point based sniffing for the red team
- Access point based monitoring for the blue team
- Ingesting and storing the access point data stream in a centralised SIEM system
- Threat hunting with Splunk on an 802.11ac-based AP
- Packet analysis in the cloud with a live SSH data stream
I have also submitted my research paper on wireless sniffing and pentesting in the cloud (yes, Wi-Fi hacking in the cloud: not just cracking, but real sniffing with monitor mode; it’s gotta be exciting) and I am waiting for acceptance or rejection from the HackIT conference, Ukraine. Whether the paper is accepted or rejected, I’ll include the lab and CTFs in the course after the official launch anyway, and meanwhile I’ll be taking suggestions from you (students who purchase the course) for CTF ideas in the wireless sphere. I want to build OSCP-like labs for wireless pentesters and security researchers, and CTFs for fun and knowledge. Let’s build it together: the world’s first commercial wireless pentesting lab in the cloud 🙂
Since this is a beta version, if I get enough orders (>40) I’ll surely include the topics mentioned above as well.
Or I’ll add them after the official launch at no extra cost to the early birds.
After all we are running a beta, right? 😉
Schedule and Support
Classes began on September 28th, 2018 and run for the 12 weeks from there; each class is 1–2 hours long and takes place twice weekly, followed by a LIVE session at the end of every week for queries and homework.
Students will also be able to post queries on the students’ forum, which will be answered as soon as possible. I am not a super-busy person, so you can expect a prompt response on the forum, except during my sleeping hours.
I am also thinking of providing lab support for students who cannot run a multi-VM setup on their machines or can’t afford expensive hardware for home labs. But that would need more data from students to let me plan the costs and pricing of a lab-based model of the course.
If required, I’d provide labs in the current plan at no extra cost; they’ll just be time-limited to keep the costs lower.
If you have trouble using payment options, email me on firstname.lastname@example.org with your preferred method.
Who are you and why are you doing this?
I’m Harry, founder of rootsh3ll.com, a wireless security consultant, practitioner and security analyst with nearly 6 years of experience in the field.
The reason I’m doing this is that I absolutely love the security industry and having more people in the field makes it more exciting and makes the world a better place. Whether you stay in software development or become a security consultant, you will be making software safer and more secure for all of us.
How are the classes being run?
Each class is a downloadable video where I give the class, diagram things out as necessary, and show relevant code and attacks. While that’s going on, you’ll be in an IRC channel where you can discuss the class and ask me questions in real time. The recorded class and IRC logs will be available after the fact for review.
In addition to this, you’ll receive an outline of what the class covered and anything else that may help you along with your coursework.
What is the coursework? What about exams?
The majority of the coursework will be styled as a CTF (capture the flag). In essence, you will be breaking things from day one and putting these attacks into practice. The exceptions are some of the crypto and the secure architecture/threat modelling portions of the course. These will be graded for your benefit but do not count towards your score.
Exams are largely practical as well, but will be more open-ended, as you will see in real-world security testing.
Can we work in groups?
Absolutely! I encourage you to form groups — local study groups especially, if you’re able — and make use of the forums and IRC channel that will be provided. The one exception is on exams, as those are graded.
What do I get for completing the course?
You will receive a unique certificate upon successful completion of the course — cryptographically signed, of course!
I have a question that isn’t covered. How can I reach you?
Feel free to shoot me an email at email@example.com with any questions you may have. I look forward to speaking with you!
-Harry (Founder, rootsh3ll.com)