
The scanning phase

Scanning is the initial phase of pentesting; the test plan for the entire pentest activity depends on the outcome of the scanning phase. The main objective of this phase is to discover as many as possible of the access points and clients operating in the target environment. To perform scanning, we can use laptops, smartphones, or any other device capable of wireless sniffing. In this chapter, we will use a variety of tools available in the Kali Linux distribution in order to detect wireless networks.

Wireless scanning tools, such as airodump-ng or Kismet, can be used to discover wireless networks and capture their traffic. They work on interfaces placed in monitor mode and hop across the channels of the wireless spectrum in order to collect frames. With most tools, the output is displayed on screen or can be stored in a file for later reference. The collected packets can be analyzed manually, or you can generate visual graphs of networks and their clients with analysis tools such as airgraph-ng. The output of this phase is used to set aside the access points and clients that are not within the scope of the engagement, including unauthorized devices that happen to be in range. It is also used to prioritize the networks and clients that would be ideal targets, based on their importance to the organization, their ease of exploitation, or, potentially, what data is carried over them.

In later chapters of this book, we will show you how to use other devices, such as the Raspberry Pi, to perform this scanning and to conduct the other wireless attacks demonstrated there.

Although the two methods of scanning were introduced briefly at the beginning of the chapter, we will now revisit them in depth:

  • Passive scanning
  • Active scanning

Passive scanning

Whenever you turn on the Wi-Fi on your mobile device, it discovers the access points in its range in one of two ways: passive scanning or active scanning. Which is used depends on the configuration of the client station. In passive scanning, the client station listens for the beacon frames that access points transmit at regular intervals. It compares the SSIDs in the beacons it hears against its preferred network list; when a matching SSID is seen, it tries to initiate a connection to that network. If two or more access points beacon a matching SSID, the client station will choose the AP with the best signal. In this mode, the client station does not transmit anything to probe for the target network.

One of the main limitations of passive scanning is that it may not reveal the name of every network in range. As a precautionary measure against casual wireless discovery, network/system administrators often disable SSID broadcast on their APs. Such a "hidden" AP still transmits beacons (they carry the timing and capability information that clients depend on), but the SSID field in those beacons is empty, so a beacon-only listener sees an access point whose network name is unknown, and a client relying on beacons alone cannot find the network by name. This limitation can be overcome if we can also observe the traffic of clients that already know the SSID: their directed probe requests, the AP's probe responses, and their association requests with that AP all carry the SSID in the clear.

The following figure depicts a scenario where the client is listening for beacons and thus conducting a passive scan:

Passive scanning

Active scanning

Active scanning differs from passive scanning in that the client station transmits. Rather than waiting for beacon frames, it sends probe request frames with the SSID field either empty (a wildcard, often called a "null" probe) or set to a preferred SSID. The access points in range that hear the request answer with a probe response frame, which carries the same information as a beacon, including the SSID. A hidden-SSID AP will answer a probe request that names its SSID with a probe response containing that SSID, so active scanning typically discovers more about the networks in range than passive scanning alone. As a countermeasure, some network/system administrators configure their access points to ignore wildcard (null-SSID) probe requests so that the configured SSIDs are not disclosed to anyone who asks. In this scenario, only a client already configured with the correct SSID will discover the presence of the access point and then be able to connect to the network.
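The difference between the two techniques described above (beacons only for passive scanning; probe requests and probe responses as well for active scanning) is easiest to see at the frame level. The following script is an added example written for this section, not code from the book or from airodump-ng or Kismet: it builds a handful of 802.11 management frames in memory following the standard header and information-element layout, then feeds the same constructed capture into a small scan table in both modes. The MAC addresses, SSIDs (CorpWiFi, HiddenNet, CorpGuest) and channels are made up for the example. With beacons alone, the hidden AP shows up with an empty SSID; once the probe exchange is taken into account, its SSID is recovered and the client's directed probe request reveals a preferred network name.

```python
import struct

# 802.11 management-frame subtypes (frame type 0)
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
BROADCAST = bytes.fromhex("ffffffffffff")
IE_SSID = 0        # SSID information element
IE_RATES = 1       # supported rates
IE_DS_PARAMS = 3   # DS parameter set: carries the channel number


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ie(element_id, data):
    """Encode one information element as id, length, payload."""
    return struct.pack("<BB", element_id, len(data)) + data


def build_mgmt(subtype, dst, src, bssid, body):
    """24-byte management MAC header (no FCS) followed by the frame body."""
    frame_control = struct.pack("<H", subtype << 4)   # type 0, version 0, no flags
    return frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def beacon_body(ssid, channel):
    """Beacons and probe responses share this fixed part and IE list."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capabilities
    return fixed + ie(IE_SSID, ssid.encode()) + ie(IE_DS_PARAMS, bytes([channel]))


def probe_req_body(ssid):
    """An empty SSID IE is the wildcard ('null') probe; otherwise a directed probe."""
    return ie(IE_SSID, ssid.encode()) + ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))


def parse_ies(data):
    ies = {}
    while len(data) >= 2:
        eid, length = data[0], data[1]
        ies[eid] = data[2:2 + length]
        data = data[2 + length:]
    return ies


def parse_mgmt(frame):
    """Return subtype, addresses, SSID and channel; None for non-management frames.
    The SSID is '' when the element is present but zero length (hidden SSID)."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        return None
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]          # skip timestamp, beacon interval, capabilities
    ies = parse_ies(body)
    return {"subtype": subtype, "dst": frame[4:10], "src": frame[10:16],
            "bssid": frame[16:22],
            "ssid": ies[IE_SSID].decode(errors="replace") if IE_SSID in ies else None,
            "channel": ies[IE_DS_PARAMS][0] if IE_DS_PARAMS in ies else None}


class ScanTable:
    """Access points and clients learned from frames (the two airodump-ng-style tables)."""

    def __init__(self):
        self.aps = {}       # BSSID -> {"ssid": name, or '' while still hidden, "channel": n}
        self.clients = {}   # client MAC -> set of SSIDs it has probed for by name

    def feed(self, frame, active):
        """active=False: beacons only, like a client that just listens.
        active=True: probe requests and probe responses are used as well."""
        p = parse_mgmt(frame)
        if p is None:
            return
        if p["subtype"] == SUBTYPE_BEACON or (active and p["subtype"] == SUBTYPE_PROBE_RESP):
            ap = self.aps.setdefault(p["bssid"], {"ssid": "", "channel": None})
            if p["ssid"]:           # a hidden SSID beacons with zero length; keep ''
                ap["ssid"] = p["ssid"]
            ap["channel"] = p["channel"]
        elif active and p["subtype"] == SUBTYPE_PROBE_REQ and p["ssid"]:
            self.clients.setdefault(p["src"], set()).add(p["ssid"])   # preferred SSID leaks

    def hidden_aps(self):
        return [bssid for bssid, ap in self.aps.items() if ap["ssid"] == ""]


# Constructed capture: addresses, SSIDs and channels are made up for this example
AP_CORP = mac("00:11:22:33:44:01")
AP_HIDDEN = mac("00:11:22:33:44:02")
CLIENT = mac("aa:bb:cc:dd:ee:01")
SAMPLE_CAPTURE = [
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_CORP, AP_CORP, beacon_body("CorpWiFi", 6)),
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_HIDDEN, AP_HIDDEN, beacon_body("", 11)),
    build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, probe_req_body("")),
    build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, probe_req_body("CorpGuest")),
    build_mgmt(SUBTYPE_PROBE_RESP, CLIENT, AP_HIDDEN, AP_HIDDEN, beacon_body("HiddenNet", 11)),
]


def scan(frames, active):
    table = ScanTable()
    for frame in frames:
        table.feed(frame, active)
    return table


if __name__ == "__main__":
    for mode in (False, True):
        t = scan(SAMPLE_CAPTURE, active=mode)
        print("active scan:" if mode else "passive scan:")
        for bssid, ap in t.aps.items():
            print("  AP", bssid.hex(":"), "ch", ap["channel"], ap["ssid"] or "<hidden>")
        for client, ssids in t.clients.items():
            print("  client", client.hex(":"), "probed for", sorted(ssids))
```

Run as-is, the passive pass lists the hidden AP on channel 11 with no name and no clients at all; the active pass names it HiddenNet and shows the client asking for CorpGuest. A real monitor-mode sniffer is itself passive on the air but hears every frame on the channel, so in practice feeding it everything (the `active=True` path) is what airodump-ng does when it fills in a hidden SSID after another client has probed for it.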

The following diagram represents the request/response nature of a client actively scanning the network:

Active scanning
