Building a Pentesting Lab for Wireless Networks Build your own secure enterprise or home penetration testing lab to dig into the various hacking techniques Vyacheslav Fadyushin Andrey Popov BIRMINGHAM - MUMBAI Building a Pentesting Lab for Wireless Networks Copyright © 2016 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: March 2016 Production reference: 1180316 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78528-315-4 www.packtpub.com Credits Authors Project Coordinator Vyacheslav Fadyushin Izzat Contractor Andrey Popov Proofreader Safis Editing Reviewers Edward Frye Borja Merino Indexer Hemangini Bari Acquisition Editor Reshma Raman Graphics Kirk D'Penha Disha Haria Content Development Editor Priyanka Mehta Production Coordinator Shantanu N. Zagade Technical Editor Siddhi Rane Cover Work Shantanu N. Zagade Copy Editor Roshni Banerjee About the Authors Vyacheslav Fadyushin (CISA, CEH, PCI ASV) is a security consultant and a penetration tester with more than 9 years of professional experience and a diverse background in various aspects of information security. His main points of interest and fields of expertise are ethical hacking and penetration testing, infrastructure and application security, mobile security, and information security management. He is also an author of the book, Penetration Testing: Setting Up a Test Lab How-to, published by Packt Publishing in 2013. I'd like to thank Vladimir Kozerovsky (CCNA) for his advice and Olesya Sergeeva for her support. I also want to thank our content development editors Aparna Mitra and Priyanka Mehta, who helped us stick to the schedule. Andrey Popov is a security consultant and penetration tester with rich professional experience and a diverse background in infrastructure and application security, information security management, and ethical hacking. He has been working for a market-leading company along with another security professional since 2007. About the Reviewers Edward Frye is an information security professional with over 20 years of experience in network engineering, systems administration, risk management, and security and compliance across many industries, including the financial sector, healthcare, and software/platform/infrastructure as a service (XaaS) industries. He has focused primarily on security engineering and risk management since 2002. He has a masters of science in information security and assurance, as well as many industry certifications including CISSP, CCNA-Security, CEH, CHFI, and GIAC Web Application Penetration Tester. Borja Merino is a Spanish security researcher certified in OSCP, OSWP, OSCE, Cisco CCSP, and SANS GREM. He has published several papers about pentesting and exploiting and he is the author of the book, Instant Traffic Analysis with Tshark How-to, Packt Publishing. He is a Metasploit community contributor and the owner of http://www.shelliscoming.com/. You can follow him on Twitter at @BorjaMerino. www.PacktPub.com eBooks, discount offers, and more Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks. TM https://www2.packtpub.com/books/subscription/packtlib Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books. Why subscribe? • Fully searchable across every book published by Packt • Copy and paste, print, and bookmark content • On demand and accessible via a web browser Table of Contents Preface vii Chapter 1: Understanding Wireless Network Security and Risks 1 Understanding wireless environment and threats 1 An overview of wireless technologies 2 An overview of wireless threats 6 Wi-Fi media specifics 8 Common WLAN protection mechanisms and their flaws 11 Hiding SSID 11 MAC filtering 12 WEP 13 WPA/WPA2 15 Pre-shared key mode 16 Enterprise mode 18 WPS 19 Getting familiar with the Wi-Fi attack workflow 20 General Wi-Fi attack methodology 20 The active attacking phase 21 WPA-PSK attacks 22 Enterprise WLAN attacks 22 Summary 23 Chapter 2: Planning Your Lab Environment 25 Understanding what tasks your lab should fulfill 26 Objectives of a lab 26 Lab tasks 27 Network reconnaissance 28 Web application hacking 29 Hacking and researching network services 29 AD hacking 29 DBMS hacking 30 Network layer attacks 30 [ i ] Table of Contents Wi-Fi penetration testing 30 Planning the network topology 31 Choosing appropriate components 34 Network devices 35 Server and workstation components 37 Planning lab security 38 Access control 38 Integrated security mechanisms 39 Security solutions 41 Security hints 42 Summary 43 Chapter 3: Configuring Networking Lab Components 45 General lab network communication rules 45 Configuring hardware wired devices 47 Preparing the console connection on Windows 49 Core switch 51 Initial configuration 52 Configuring interfaces and VLANs 53 Hardening the core switch 58 Configuring subinterfaces and subnets 58 Configuring auxiliary services 60 Basic gateway hardening 62 Configuring virtual wired network devices 62 Network virtualization platform 63 Software installation 64 Initial configuration 65 Network topology implementation 68 Switch 69 Gateway 72 Virtual host emulation 73 Wireless hardware devices 74 Configuring WLANs 76 Guest WLAN 76 Preparing the hardware access point 77 Summary 78 Chapter 4: Designing Application Lab Components 79 Planning services 80 Creating virtual servers and workstations 82 VirtualBox overview and installation 82 Creating virtual machines 83 Configuring network settings of lab components 84 [ ii ] Table of Contents Installing and configuring domain services 86 Creating a domain 87 Creating users 89 Adding hosts to the domain 90 Certification authority services 92 Creating a root certificate 92 Creating a working certificate 93 Installing a root certificate 94 Installing a remote management service 94 Corporative e-mail service 96 Configuring a DNS server 96 Installing and configuring hMailServer 98 Installing vulnerable services 100 Installing web applications 100 Preparing a web server 101 WebGoat 103 DVWA 104 Liferay Portal 106 Metasploitable 109 Vulnerable VoIP server 111 Summary 112 Chapter 5: Implementing Security 113 Network-based security solutions 113 Configuring network access control 114 Isolating external and guest networks 114 Isolating internal VLANs 116 Securing wireless access 117 Preparing the RADIUS server 118 Preparing the certificates 119 Configuring RADIUS 120 Configuring the access point 121 Configuring the WLAN client 123 Installing a network intrusion detection system 124 Activating SPAN 124 Snort 125 Host-based security solutions 129 Workstation security 129 EMET 130 HIPS 133 Web application firewall 137 ClamAV 141 Installing 142 Configuring 142 [ iii ]