Checkout our previous posts on Cheat Sheet
InfoSec books | InfoSec tools | InfoSec services
Jan 18 2023
Wireless Penetration Testing Checklist – A Detailed Cheat Sheet
Wireless Penetration testing actively examines the process of Information security Measures which is Placed in WiFi Networks and also analyses the Weakness, technical flows, and Critical wireless Vulnerabilities.
The most important countermeasures we should focus on are Threat Assessment, Data theft Detection, security control auditing, Risk prevention and Detection, information system Management, and Upgrade infrastructure and a Detailed report should be prepared.What is Wireless Penetration Testing?
Wireless Penetration Testing is aimed to test wireless infrastructure to find vulnerabilities in the network. Testing involves both manual testing techniques and automated scans to simulate a real-world attack and identify risks.Why is wireless penetration testing important?
Usage of Wi-Fi access dramatically increased nowadays, and the quality of Wi-Fi security is in question. By using Wi-Fi access thousands of transaction processing every minute.
If the network is vulnerable it allows hackers to launch various attacks and intercept the data.
Common Wireless Network Vulnerabilities
- Deployment of Vulnerable WEP Protocol
- Man-in-the-Middle Attacks
- Default SSIDs and Passwords
- Misconfigured Firewalls
- WPA2 Krack Vulnerability
- NetSpectre – Remote Spectre Exploit
- Warshipping
- Packet Sniffing
- Warshipping
Wireless Penetration Testing Checklist
- Framework for Wireless Penetration Testing
- Wireless Pentesting with WEP Encrypted WLAN
- Wireless Penetration Testing with WPA/WPA2 Encrypted WLAN
- LEAP Encrypted WLAN
- Wireless Penetration Testing with Unencrypted WLAN
Let’s take a detailed look at the Wireless Penetration Testing Checklist and the steps to be followed.
Framework for Wireless Penetration Testing
- Discover the Devices connected with Wireless Networks.
- Document all the findings if Wireless Device is Found.
- If a wireless Device is found using Wifi Networks, then perform common wifi Attacks and check the devices using WEP Encryption.
- If you found WLAN using WEP Encryption then Perform WEP Encryption Pentesting.
- Check whether WLAN Using WPA/WPA2 Encryption. If yes then perform WPA/WPA2 pen-testing.
- Check Whether WLAN using LEAP Encryption. If yes then perform LEAP Pentesting.
- No other Encryption Method was used which I mentioned above, Then Check whether WLAN using unencrypted.
- If WLAN is unencrypted then perform common wifi network attacks, check the vulnerability which is placed in the unencrypted method and generate a report.
- Before generating a Report make sure no damage has been caused to the pentesting assets.
Wireless Pentesting with WEP Encrypted WLAN
- Check the SSID and analyze whether SSID is Visible or Hidden.
- Check for networks using WEP encryption.
- If you find the SSID as visible mode then try to sniff the traffic and check the packet capturing status.
- If the packet has been successfully captured and injected then it’s time to break the WEP key by using a WiFi cracking tool such as Aircrack-ng, or WEPcrack.
- If packets are not reliably captured then sniff the traffic again and capture the Packet.
- If you find SSID is the Hidden mode, then do Deauthentication for the target client by using some deauthentication tools such as Commview and Airplay-ng.
- Once successfully Authenticated with the client and Discovered the SSID is, then again follow the Above Procedure which is already used for discovering SSID in earlier steps.
- Check if the Authentication method used is OPN (Open Authentication) or SKA (Shared Key Authentication). If SKA is used, then bypassing mechanism needs to be performed.
- Check if the STA (stations/clients) are connected to AP (Access Point) or not. This information is necessary to perform the attack accordingly.
If clients are connected to the AP, an Interactive packet replay or ARP replay attack needs to be performed to gather IV packets which can be then used to crack the WEP key.
If there’s no client connected to the AP, Fragmentation Attack or Korex Chop Chop attack needs to be performed to generate the keystream which will be further used to reply to ARP packets.
10. Once the WEP key is cracked, try to connect to the network using WPA-supplicant and check if the AP is allotting any IP address or not.”EAPOL handshake“.
Wireless Penetration Testing with WPA/WPA2 Encrypted WLAN
- Start and Deauthenticate with WPA/WPA2 Protected WLAN client by using WLAN tools Such as Hotspotter, Airsnarf, Karma, etc.
- If the Client is Deaauthenticated, then sniff the traffic and check the status of captured EAPOL Handshake.
- If the client is not Deauthenticate then do it again.
- Check whether the EAPOL handshake is captured or Not.
- Once you captured the EAPOL handshake, then perform a PSK Dictionary attack using coWPAtty, Aircrack-ng to gain confidential information.
- Add Time-memory trade-off method (Rainbow tables) also known as WPA-PSK Precomputation attack for cracking WPA/2 passphrase. Genpmk can be used to generate pre-computed hashes.
- If it’s Failed then Deauthenticate again and try to capture again and redo the above steps.
LEAP Encrypted WLAN
- Check and Confirm whether WLAN is protected by LEAP Encryption or not.
- De-authenticate the LEAP Protected Client using tools such as karma, hotspotter, etc.
- If the client is De authenticated then break the LEAP Encryption using a tool such as asleapto steal the confidential information
- If the process dropped then de-authenticate again
Wireless Penetration Testing with Unencrypted WLAN
- Check whether SSID is Visible or not
- Sniff for IP range if SSID is visible then check the status of MAC Filtering.
- If MAC filtering is enabled then spoof the MAC Address by using tools such as SMAC
- Try to connect to AP using IP within the discovered range.
- If SSID is hidden then discover the SSID using Aircrack-ng and follow the procedure of visible SSID which I Declared above.
Wireless Penetration Testing
Checkout our previous posts on InfoSec “Cheat Sheet”
InfoSec books | InfoSec tools | InfoSec services
Jan 17 2023
Windows PowerShell Cheat Sheet
Jan 16 2023
Most Important Network Penetration Testing Checklist
Network Penetration Testing determines vulnerabilities in the network posture by discovering Open ports, Troubleshooting live systems, services and grabbing system banners.
The pen-testing helps administrator to close unused ports, additional services, Hide or Customize banners, Troubleshooting services and to calibrate firewall rules.You should test in all ways to guarantee there is no security loophole.
Let’s see how we conduct a step by step Network penetration testing by using some famous network scanners.
1.HOST DISCOVERY
Footprinting is the first and important phase were one gather information about their target system.
DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, CNAME) resolving to the target domain.
- A – A record is used to point the domain name such as gbhackers.com to the IP address of it’s hosting server.
- MX – Records responsible for Email exchange.
- NS – NS records are to identify DNS servers responsible for the domain.
- SRV – Records to distinguish the service hosted on specific servers.
- PTR – Reverse DNS lookup, with the help of IP you can get domain’s associated with it.
- SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
- CNAME – Cname record maps a domain name to another domain name.
We can detect live hosts, accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, NESSUS.
Ping&Ping Sweep:
Whois Information
To obtain Whois information and name server of a webisteroot@kali:~# whois testdomain.com
- http://whois.domaintools.com/
- https://whois.icann.org/en
Traceroute
Network Diagonastic tool that displays route path and transit delay in packetsroot@kali:~# traceroute google.com
Online Tools
- http://www.monitis.com/traceroute/
- http://ping.eu/traceroute/
2.PORT SCANNING
Perform port scanning using tools such as Nmap, Hping3, Netscan tools, Network monitor. These tools help us to probe a server or host on the target network for open ports.
Open ports are the gateway for attackers to enter in and to install malicious backdoor applications.root@kali:~# nmap –open gbhackers.com To find all open portsroot@kali:~# nmap -p 80 192.168.169.128 Specific Portroot@kali:~# nmap -p 80-200 192.168.169.128 Range of portsroot@kali:~# nmap -p “*” 192.168.169.128 To scan all ports
Online Tools
- http://www.yougetsignal.com/
- https://pentest-tools.com/information-gathering/find-subdomains-of-domain
3.Banner Grabbing/OS Fingerprinting
Perform banner Grabbing/OS fingerprinting such as Telnet, IDServe, NMAP determines the operating system of the target host and the operating system.
Once you know the version and operating system of the target, we need to find the vulnerabilities and exploit.Try to gain control over the system.root@kali:~# nmap -A 192.168.169.128root@kali:~# nmap -v -A 192.168.169.128 with high verbosity level
IDserve another good tool for Banner Grabbing.
Online Tools
- https://www.netcraft.com/
- https://w3dt.net/tools/httprecon
- https://www.shodan.io/
4.Scan for Vulnerabilities
Scan the network using Vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.
These tools help us in finding vulnerabilities with the target system and operating systems.With this steps, you can find loopholes in the target network system.
GFILanguard
It acts as a security consultant and offers patch Management, Vulnerability assessment, and network auditing services.
Nessus
Nessus a vulnerability scanner tool that searches bug in the software and finds a specific way to violate the security of a software product.
- Data gathering.
- Host identification.
- Port scan.
- Plug-in selection.
- Reporting of data.
5.Draw Network Diagrams
Draw a network diagram about the organization that helps you to understand logical connection path to the target host in the network.
The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, Network view.
6.Prepare Proxies
Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.
With proxy servers, we can anonymize web browsing and filter unwanted contents such as ads and many other.
Proxies such as Proxifier, SSL Proxy, Proxy Finder..etc, to hide yourself from being caught.
6.Document all Findings
The last and the very important step is to document all the Findings from Penetration testing.
This document will help you in finding potential vulnerabilities in your network. Once you determine the Vulnerabilities you can plan counteractions accordingly.
You can download rules and scope Worksheet here – Rules and Scope sheet
Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance.
Important Tools used for Network Pentesting
Frameworks
Kali Linux, Backtrack5 R3, Security Onion
Reconnaisance
Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft
Discovery
Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident,LanSurveyor, OpManager
Port Scanning
Enumeration
Scanning
Nessus, GFI Languard, Retina,SAINT, Nexpose
Password Cracking
Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper,Rainbow Crack
Sniffing
Wireshark, Ettercap, Capsa Network Analyzer
MiTM Attacks
Exploitation
Metasploit, Core ImpactThese are the Most important checklist you should concentrate with Network penetration Testing .
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Checkout our previous posts on Pen Testing…
Contact DISC InfoSec
InfoSec books | InfoSec tools | InfoSec services
Jan 02 2023
Windows PowerShell Tutorial and Cheat Sheet
Dec 29 2022
Active Directory Exploitation Cheat Sheet
https://ethicalhackersacademy.com/blogs/ethical-hackers-academy/active-directory
Active Directory is a Microsoft service run in the Server that predominantly used to manage various permission and resources around the network, also it performs an authenticates and authorizes all users and computers in a Windows domain type networks.
Recent cyber-attacks are frequently targeting the vulnerable active directory services used in enterprise networks where the organization handling the 1000’s of computers in the single point of control called “Domain controller” which is one of the main targeted services by the APT Hackers.
Though exploiting Active directory is a challenging task, It is certain to activate directory exploitation Cheat Sheet which contains common enumeration and attack methods which including the several following phases to make it simple.
- Recon
- Domain Enum
- Local Privilege Escalation
- User Hunting
- Domain Admin Privileges
- Database Hunting
- Data Exfiltration
- Active Directory Exploitation Tools
Reconnaissance
Recon Phase contains various modules, including Port scan that performs the following operations.
PORT SCAN
Import-Module Invoke-Portscan.ps1 <# Invoke-Portscan -Hosts "websrv.domain.local,wsus.domain.local,apps.domain.local" -TopPorts 50 echo websrv.domain.local | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Invoke-Portscan -Hosts 172.16.0.0/24 -T 4 -TopPorts 25 -oA localnet #>
AD MODULE WITHOUT RSAT
The secret to being able to run AD enumeration commands from the AD Powershell module on a system without RSAT installed, is the DLL located in C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management on a system that has the RSAT installed.
Set up your AD VM, install RSAT, extract the dll and drop it to the target system used to enumerate the active directory.
Import-Module .\Microsoft.ActiveDirectory.Management.dll Get-Command get-adcom*
Domain Enumeration
DOMAIN
- Get current domain
Get-NetDomain (PowerView) Get-ADDomain (ActiveDirectory Module)
- Get object of another domain
Get-NetDomain -Domain domain.local Get-ADDomain -Identity domain.local
- Get domain SID for the current domain
Get-DomainSID (Get-ADDomain).DomainSID
- Get domain policy for the current domain
Get-DomainPolicy (Get-DomainPolicy)."system access"
- Get domain policy for another domain
(Get-DomainPolicy -domain domain.local)."system access"
- Get domain controllers for the current domain
Get-NetDomainController Get-ADDomainController
- Get domain controllers for another domain
Get-NetDomainController -Domain domain.local Get-ADDomainController -DomainName domain.local -Discover NETUSER More on: To Get a list of users in the current domain Infosec books | InfoSec tools | InfoSec services
Dec 21 2022
VirusTotal INTELLIGENCE CHEAT SHEET
VirusTotal cheat sheet makes it easy to search for specific results
Opening the Blackbox of VirusTotal, analyzing online phishing scan engines
The Antivirus Hacker’s Handbook
Infosec books | InfoSec tools | InfoSec services
Apr 13 2022
Cross-site scripting (XSS) cheat sheet
This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector.
You can download a PDF version of the XSS cheat sheet.
Cross-Site Scripting Attacks: Classification, Attack, and Countermeasures
Jan 13 2022
CPRA Cheat sheet
Jan 08 2022
WireShark Cheat Sheet
Learn Wireshark: Confidently navigate the Wireshark interface and solve real-world networking problems
Apr 26 2020
Blue Team Cheat Sheets
Blue Team Cheat Sheets
Open a PDF file The best practice guide for an effective infoSec function.
Cyber Security Fundamentals: What is a Blue team?
httpv://www.youtube.com/watch?v=kHLbmmPBBCg
Subscribe to DISC InfoSec blog by Email
Apr 17 2019
Two-factor authentication: A cheat sheet
A password alone will not protect sensitive information from hackers–two-factor authentication is also necessary. Here’s what security pros and users need to know about two-factor authentication.
Source: Two-factor authentication: A cheat sheet
Mar 23 2019
