Advanced Wireless Attacks Against Enterprise Networks
Target Identification Within A Red Team Environment
© 2017 Gabriel Ryan All Rights Reserved

Out of the ESSIDs shown above, the ones that are highlighted in red were also found at the first Evil Corp location that we visited. Given the lack of common third-parties present at each of the sites, this is very strong evidence that these ESSIDs are used by Evil Corp, and are therefore in-scope.

Expanding The Scope By Identifying Sequential BSSIDs

Let’s return to the first client site. Notice that the BSSIDs outlined in red increment sequentially. As previously mentioned, this usually occurs when the APs are part of the same network. We know that EC7293 is in-scope (we confirmed this using geographic cross-referencing). Given that the access points serving EC7293 and ECwnet1 are part of the same group of sequentially incrementing BSSIDs, we can conclude they are both parts of the same network. Therefore, it follows that ECwnet1 is in-scope as well.

 CH 11 ][ Elapsed: 1 min ][ 2017-02-02 13:49

 BSSID              PWR  RXQ  Beacons  #Data  #/s  CH  MB  ENC   CIPHER  AUTH  ESSID

 1C:7E:E5:E2:EF:D9  -66   10      572    283    0   1  54  WPA2  CCMP    MGT   EC7293
 1C:7E:E5:E2:EF:D8  -66   11      569     83    1   1  54  WPA2  CCMP    MGT   EC7293
 1C:7E:E5:E2:EF:D7  -66   12      580    273    0   1  54  WPA2  CCMP    MGT   EC7293
 1C:7E:E5:E2:EF:D6  -66   10      566     43    0   1  54  WPA2  CCMP    MGT
 1C:7E:E5:62:32:21  -68   11      600     24    0   6  54  WPA2  CCMP    MGT
 1C:7E:E5:97:79:A4  -68    0      598     82    2   6  54  WPA2  CCMP    MGT   ECwnet1
 1C:7E:E5:97:79:A5  -68    9      502    832    0   6  54  WPA2  CCMP    MGT   ECwnet1
 1C:7E:E5:97:79:B1  -64   14      602     23    0   6  54  WPA2  CCMP    MGT   ECwnet1
 1C:7E:E5:97:79:A6  -65   12      601     42    0  11  54  WPA2  CCMP    MGT   ECMNV32
 1C:7E:E5:97:79:A7  -62   12      632    173    0  11  54  WPA2  CCMP    MGT   ECMNV32
 1C:7E:E5:97:79:A8  -62   10      601     21    1  11  54  WPA2  CCMP    MGT   ECMNV32
 00:17:A4:06:E4:C6  -74   10      597     12    0   6  54  WPA2  TKIP    MGT   MNBR83
 00:17:A4:06:E4:C7  -74    8      578    234    0   6  54  WPA2  TKIP    MGT   MNBR83
 00:17:A4:06:E4:C8  -74   10      508     11    1   6  54  WPA2  TKIP    MGT   MNBR83
 00:17:A4:06:E4:C9  -72   11      535     12    0   1  54  WPA2  TKIP    MGT
 00:13:E8:80:F4:04  -74   11      521    132    0   1  54  WPA2  TKIP    MGT   prN67n
 00:22:18:38:A4:64  -68   12      576     10    0   3  54  WPA2  CCMP    MGT   ASFWW
 00:22:18:38:A4:65  -68   12      577    431    0   3  54  WPA2  CCMP    MGT   ASFWW

We’ve mapped our in-scope attack surface. Our targets will be the following access points:

 BSSID              ESSID

 1C:7E:E5:E2:EF:D9  EC7293
 1C:7E:E5:E2:EF:D8  EC7293
 1C:7E:E5:E2:EF:D7  EC7293
 1C:7E:E5:E2:EF:D6
 1C:7E:E5:62:32:21
 1C:7E:E5:97:79:A4  ECwnet1
 1C:7E:E5:97:79:A5  ECwnet1
 1C:7E:E5:97:79:B1  ECwnet1
 1C:7E:E5:97:79:A6  ECMNV32
 1C:7E:E5:97:79:A7  ECMNV32
 1C:7E:E5:97:79:A8  ECMNV32
 00:13:E8:80:F4:04  prN67n
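
The sequential-BSSID reasoning above can be checked mechanically. The following is an added example, not part of the original workshop material: it groups scan results into runs of numerically adjacent BSSIDs and lists the ESSIDs that share a run with one already confirmed. The BSSIDs and ESSIDs in SCAN are constructed, and the function names and the max_step parameter are assumptions of this example.

```python
# Constructed sample scan as (BSSID, ESSID); "" means a hidden ESSID.
SCAN = [
    ("02:00:00:00:0F:FF", "CORP-A"),
    ("02:00:00:00:10:00", "CORP-A"),   # adjacent across an octet boundary
    ("02:00:00:00:10:01", "CORP-B"),
    ("02:00:00:00:10:02", ""),
    ("02:00:00:00:10:0F", "CORP-C"),   # same prefix, but not adjacent
    ("02:AA:00:00:20:10", "CAFE"),
]

def mac_to_int(bssid):
    """Convert aa:bb:cc:dd:ee:ff to an integer so adjacency is a subtraction."""
    octets = bssid.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {bssid!r}")
    return int("".join(octets), 16)

def sequential_runs(scan, max_step=1):
    """Group APs whose BSSID is within max_step of the previous one (hypothetical helper)."""
    rows = sorted({(mac_to_int(b), b, e) for b, e in scan})
    runs, current = [], []
    for row in rows:
        if current and row[0] - current[-1][0] > max_step:
            runs.append(current)
            current = []
        current.append(row)
    if current:
        runs.append(current)
    # A single AP is not a run; keep only groups of two or more.
    return [[(b, e) for _, b, e in run] for run in runs if len(run) > 1]

def related_essids(scan, confirmed, max_step=1):
    """ESSIDs that share a sequential run with an already confirmed ESSID."""
    related = set()
    for run in sequential_runs(scan, max_step):
        names = {e for _, e in run}
        if names & confirmed:
            related |= names - confirmed - {""}
    return related

if __name__ == "__main__":
    for run in sequential_runs(SCAN):
        print([f"{b} {e or '<hidden>'}" for b, e in run])
    print(related_essids(SCAN, {"CORP-A"}))
```

Adjacency is only a hint that access points belong to the same deployment, so the result is a list of candidates to confirm by other means, such as the geographic cross-referencing described earlier.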
Attacking And Gaining Entry To WPA2-EAP Wireless Networks

Chapter Overview

Rogue access point attacks are the bread and butter of modern wireless penetration tests. They can be used to perform stealthy man-in-the-middle attacks, steal RADIUS credentials, and trick users into interacting with malicious captive portals. Penetration testers can even use them for traditional functions such as deriving WEP keys and capturing WPA handshakes [1]. Best of all, they are often most effective when used out of range of the target network. For this workshop,