
Matthew Neely Alex Hamerstone Chris Sanyk PDF

185 Pages·2013·3.35 MB·English

Preview Matthew Neely Alex Hamerstone Chris Sanyk

Wireless Reconnaissance in Penetration Testing

Matthew Neely
Alex Hamerstone
Chris Sanyk

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an Imprint of Elsevier

Acquiring Editor: Chris Katsaropoulos
Development Editor: Meagan White
Project Manager: Mohanambal Natarajan
Designer: Russell Purdy

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2013 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Syngress publications visit our website at www.syngress.com

ISBN: 978-1-59749-731-2

Printed in the United States of America
13 14 15 10 9 8 7 6 5 4 3 2 1

Dedication

I’d like to start out by thanking Joan Amaratti for believing I could write a book all those years ago. I’d also like to thank Ken Stasiak and the SecureState family for supporting me throughout the entire writing process. Finally I dedicate this book to Meagan Call for being a wonderfully supportive wife through this and all my projects.
--Matt

I dedicate this book to BNH, ELH, and JAH.
--Alex

Contents

DEDICATION
AUTHOR BIOGRAPHY
PREFACE

Chapter 1 Why Radio Profiling?
    Guard Radios, Wireless Headsets, Cordless Phones, Wireless Cameras, Building Control Systems
    Case Study

Chapter 2 Basic Radio Theory and Introduction to Radio Systems
    The Electromagnetic Spectrum
    Terminology
    Wavelength/Frequency Characteristics
    How Materials Affect Radio Waves
    Regulatory Agencies
    Applying the Science: Radio Technology Basics
    Filters
    Antennas
    Antenna Theory
    Signal Strength
    Antenna Diagrams
    Popular Types of Antennas
    Modulation
    Analog Modulation
    Digital Modulation
    Common Types of Spread Spectrum Modulation
    Radio Systems
    Simplex and Duplex
    Repeaters
    Media Access Control in Radio
    Trunking
    Summary
    Further Learning

Chapter 3 Targets
    Two-Way Radios Used for Verbal Communication
    Devices that Use Radio Frequencies

Chapter 4 Offsite Profiling
    What is Offsite Profiling?
    What to Look For
    Using RadioReference.com for Offsite Profiling
    Case Study: Offsite Profiling
    Remediation and Lessons Learned

Chapter 5 Onsite Radio Profiling
    Initial Onsite Reconnaissance
    The Guard Force
    Using a Frequency Counter
    Visual Recon
    Antennas
    Search Common Frequency Ranges
    Family Radio Service (FRS)
    General Mobile Radio Service (GMRS)
    Multi Use Radio Service (MURS)
    Dot Frequencies
    Common Ranges
    Common Business Ranges
    Common Cordless Phone and Headset Ranges
    Scanner Tips
    Finding Trunked Systems
    Case Study: Onsite Profiling
    Remediation and Lessons Learned

Chapter 6 How to Use the Information You Gather
    Who is Guarding the Guards?
    Monitoring Phone Calls
    Wireless Cameras
    Pan Tilt Zoom (PTZ) Cameras

Chapter 7 Basic Overview of Equipment and How it Works
    Common Scanner Controls and Features
    Channels and Banks
    Squelch
    Scan Button
    Hold Button
    Manual Button
    Program
    Lockout Button
    Search
    Priority
    Selecting a Scanner
    Form Factor
    Programmable Versus Pre-Programmed Scanners
    Frequency Coverage
    Useful Scanner Feature
    Additional Considerations When Buying Used or Older Model Scanners
    Scanners Recommended for Wireless Reconnaissance
    Uniden Bearcat BCD-396XT
    GRE PSR-310
    AOR 8200MKIII
    Building Your Kit: Helpful Accessories
    Antenna Connectors
    Antennas for Handheld Scanners
    Mobile Antennas
    Coax Cable
    DTMF Decoder
    Camera
    Headphones or External Speakers
    Audio Recording Equipment
    Video Decoder
    RF Amplifiers
    Voice Inversion Decoder

Chapter 8 The House Doesn’t Always Win: A Wireless Reconnaissance Case Study
    Introduction
    Office Work
    Out in the Field
    Glitz and Glamour
    Learning the Local Lingo
    Time to Gamble
    Inside

Chapter 9 New Technology
    Everything is Going Digital
    Beyond 802.11—Digital Wireless Protocols

Description:
DefCon, ShmooCon, Thotcon and Notacon. Mr. Neely also guest lectures up bits of conversations; however it is nearly impossible to consistently get the spectrum in the 2.4 GHz ISM band, the same band used by WiFi, micro-.