802.11x Unplugged: Modern Wi-Fi Hacking // Jacques Coertze

Virtual | March 9-15 | 32 Hours


ABSTRACT

If you want to learn how to understand and compromise Wi-Fi networks, this is your course.

Key Points:
• Foundations of wireless network technologies
• How to approach wireless network exploitation when facing obstacles
• New approaches and tooling in the Wi-Fi hacking field

If you want to really understand what's going on and master the attacks in such a way that you can vary them when you encounter real-world complexities, this course will teach you what you need to know.

Details:
• 4-day course
• 80% practical and 20% theoretical
• Practical-led learning
• Delivered by active penetration testers

Topics covered:
• Wi-Fi Technologies
• Monitor mode
• Probing, Tracking and Deanonymizing
• WPA 2/3/PSK
• EAP
• EAP-TLS
• Tunnelled EAP Relays

This course is highly practical, with concepts taught through theory delivered while your hands are on the keyboard, and semi-self-directed practicals at the end of each section to reinforce the learning. The course is hosted in a "Wi-Fi in the cloud" environment we invented several years ago, which means no more fiddling with faulty hardware or turning the classroom into a microwave. It is designed, developed and delivered by the team behind some of the most commonly used Wi-Fi hacking tools, such as hostapd-mana, berate_ap and wpa_sycophant. This course aims to expose you to the Wi-Fi hacking methodologies used by active penetration testers on their day-to-day journey with clients and assessments.

By the end of the course, you will have a thorough understanding of the security of Wi-Fi, how attackers approach and attack different Wi-Fi systems, and how to hack wireless networks yourself.

Our training is delivered via SensePost, the specialist ethical hacking team of Orange Cyberdefense.

SensePost has trained thousands of students in the art of network and application exploitation over the past decade. It's safe to say we enjoy teaching others how to own networks and applications. Our courses are developed from the work we perform for clients, so that you get a better understanding of how to exploit real-world scenarios. As one of Black Hat Briefings' longstanding training partners since 2002, our courses have taught thousands of students about the art of offensive and defensive approaches.

This course aims to expose you to the methodologies used by active penetration testers on their day-to-day journey with clients and assessments.
Join us and hack hard!


INTENDED AUDIENCE

This course is for anyone who wants to understand how to attack and defend Wi-Fi networks. It's an offensive course with obvious benefits for pentesters and red teamers; however, it's also essential for disabusing defenders of false notions of security and for showing which defences have a meaningful impact.

KEY LEARNING OBJECTIVES

• Wi-Fi fundamentals and technologies from an offensive perspective
• How to approach wireless network exploitation when facing obstacles
• New approaches and tooling in the Wi-Fi hacking field

COURSE DETAILS

This course is made up of 7 modules and 20 sub-modules, with a total of 17 hands-on practical scenarios.

Learning Objectives
• How Wi-Fi hacking fits into wider attack or defence objectives
• Important physical and low level RF concepts and how to reason through/debug strange situations
• Understanding how monitor mode works, when to use or not use it, and practical examples of what to do with collected frames or data
• Grokking the WPA2 4-way handshake, the numerous ways of recovering PSKs, and what to do with them
• First looks at attacking WPA3's Dragonfly handshake with downgrades
• Grokking EAP & EAP vulnerabilities relating to certificate validation, tunnelled mode key derivation and how to practically attack them with downgrades, relays and manipulating state

Course Outline:

Module 1 – Introduction
• How & Why
• When and why to use Wi-Fi attacks
• Physical & Low Level
• Understanding spectrum, signals and propagation
• Peculiarities of crowded Wi-Fi spectrum & resulting behaviour in Tx & Rx
• Understanding hardware - cards, antennas. Practical recommendations
• Specifics of Wi-Fi signalling

Module 2 – Monitor Mode
• How it works. What you get. Why it isn't promiscuous.
• Prism/Radiotap headers & how driver implementations differ.
• Investigating different frequencies such as 5GHz and 6GHz.

Module 3 - Probing, Tracking & Deanonymisation
• Management frames - beacons & probes
• Device probing behaviour

Module 4 - WPA/2/3 PSK
• What it is
• IEEE & WEP history
• 4-way handshake crypto
• Handshakes
• Capturing, deauthing
• Broken handshake debugging
• PMKID attacks
• WPS attacks
• Advanced attacks
• Approaches and methodologies for the real world
• WPA3
• The Dragonfly handshake
• Other WPA3 improvements/defences
• Opportunistic Wireless Encryption (OWE) overview

Module 5 - EAP
• What it is
• Generic EAP flow
• Specific EAP types and how they work
• PEAP
• Deep inside the second tunnel
• CVE-2019-6203
• EAP-GTC downgrade attack (LootyBooty)

Module 6 - EAP-TLS
• What it is
• Understanding/breaking cert validation

Module 7 - Tunnelled EAP Relays
• What it is
• Understanding defences

Practicals dispersed throughout the course:
• Practical 1: Getting comfortable & understanding your tools
• Practical 2: Learn to passively intercept and understand Wi-Fi traffic.
• Practical 3: Track a person based on their Wi-Fi emissions.
• Practical 4: Steal a person's login information
• Practical 5: Learn to bypass captive portals.
• Practical 6: Getting comfortable with 5GHz
• Practical 7: How to capture, crack and use WPA/2 handshakes.
• Practical 8: How to deal with difficult WPA/2 handshakes.
• Practical 9: Attacking WPA/2 in the real world.
• Practical 10: Attacking WPA/2 without any clients.
• Practical 11: How to attack PEAP clients with WPE attacks.
• Practical 12: How to attack EAP-TLS clients & why.
• Practical 13: How to connect to PEAP networks without password cracking.
• Practical 14: Identifying and understanding WPA/3 networks.
• Practical 15: Identifying and understanding OWE networks.
• Practical 16: Tool compilation and online brute-force attacks.
• Practical 17: Better understanding of how wireless devices decrypt/handle traffic (CVE-2022-47522) (Kr00k)

Knowledge Prerequisites

You should have at least a basic understanding/familiarity with the Linux command line. Prior Wi-Fi hacking experience will help but is not required. The practicals are designed so that more advanced students can progress further and students new to the field can complete the base requirements.

System Requirements

You only need your laptop with a web browser. We do Wi-Fi hacking in the cloud!

YOUR INSTRUCTOR: Jacques Coertze

Jacques Coertze - Jacques is a security analyst at SensePost. He got his PhD in Information Technology from Nelson Mandela Metropolitan University in 2017, while also working at the university as a lecturer for undergraduate and postgraduate courses in the IT security department. He has worked in the IT audit industry for several years as both a private contractor and later as a member of one of the big five audit houses. During his tenure in audit, he encountered and assisted several multi-national corporations and small-to-medium sized organizations in addressing their IT security requirements (including obtaining ISO 27001 certification). Since joining SensePost, he has performed numerous penetration tests for leading organizations in the automotive, finance, manufacturing, agriculture, education, and public sectors. These include web, API, mobile, internal, external and thick application assessments. He is also an active red team member within SensePost, well versed in the activities and techniques used by APT groups. He currently holds OSCP, CEH and CISA certifications.
