Preface

Radio waves surround us, and more and more devices are being made wireless. Most penetration testers focus only on the very small portion of the radio spectrum used by 802.11 and Bluetooth devices. Physical penetration tests often miss guard radios, wireless headsets, wireless cameras, and many other radio devices commonly used in the modern corporation. These systems transmit a wealth of information which can aid a penetration tester in a targeted attack.

This book aims to educate penetration testers on how to find these too often ignored radios and mine them for information. The following chapters range from choosing the best equipment to use and how to find frequency information, to actual case studies demonstrating how this information has been used during penetration tests. The authors draw on combined knowledge derived from performing hundreds of penetration tests and decades of radio experience to share tips, tricks and helpful notes about this less explored avenue of attack. This book is the definitive resource for anyone interested in adding radio profiling to his or her arsenal of penetration testing tools.

The book is also a great resource for the people who need to defend computer systems and companies. Like penetration testers, defenders often ignore wireless traffic outside of 802.11. This book shows the kinds of radios that might be deployed in different environments and how attackers could exploit the information leaked by these radio systems. Essential information on how to prevent this information leakage from occurring is also included.

How this Book is Organized

The best way to read this book is in the order it’s presented, but the chapters are structured to assist the reader should he decide to read out of order. When key concepts are mentioned which were covered in earlier chapters, the page will reference the earlier chapter so the reader can flip back if he needs a refresher or is reading the chapters out of order. A glossary is also included at the end of the book to help with unfamiliar terms.

Chapter 1: Why Radio Profiling?

In the first chapter of the book the reader will learn what radio reconnaissance is and how it is useful during penetration tests. The chapter concludes with a short case study of radio reconnaissance used during a physical penetration test at a power company.

Chapter 2: Basic Radio Theory and Introduction to Radio Systems

In Chapter 2 the reader will learn the theory behind how radios work and gain an introduction to the different radio systems you will encounter while performing radio reconnaissance. The chapter starts by discussing basic radio theory. The authors cover the terminology needed to understand underlying concepts, give an overview of the radio spectrum and discuss how radio waves behave at different frequencies. Next, they cover how a radio works and the different components found in a radio receiver. After the reader learns how radios work, she will read about the most important part of a radio: the antenna. This part of the chapter starts out by covering antenna theory and wraps up with a discussion of the most common types of antennas one might encounter while performing radio reconnaissance during a penetration test. After antennas are discussed, the chapter moves on to the different ways radios encode data (modulation types). This section covers analog, digital and spread spectrum modulation types. Next is a rundown of the most commonly used types of radio systems. This starts out simply, discussing simplex versus duplex radio systems, expands to cover repeaters, and concludes with an explanation of trunked radio systems. The chapter ends with recommendations on where to learn more about radios and radio theory.

Chapter 3: Targets

In Chapter 3 the reader will learn about some of the different types of targets which could be searched for during radio reconnaissance. Highlighted targets include guard radios, cordless phones and video cameras.

Chapter 4: Offsite Profiling

The Offsite Profiling chapter covers how to gather as much information as possible on a client’s radio systems before arriving onsite. The authors suggest terms to use in online searches, how to search the FCC license database, and specialty websites that can be used to gather more information on the client’s equipment. The chapter concludes with a case study covering the offsite profiling performed before a physical penetration test of a ship dock and how the information was used during the attack.

Chapter 5: On Site Radio Profiling

Chapter 5 continues on to the next step of a penetration test and covers information that can be gathered on a target's radio systems onsite. The chapter starts out with radio related items to keep an eye open for while onsite and what a penetration tester can learn from these items. Next the chapter explores frequency counters and how to use one while profiling a target. The reader then learns what can be discovered just by looking at a target's radio systems and antennas. The authors discuss what can be learned about the make, model and type of radio used and how to estimate the frequency range from the radio's antenna. This chapter also includes common frequencies and frequency ranges to search while onsite. The chapter concludes with a case study of intercepting wireless headsets used at an insurance company and the information this provided about the company's internal network.

Chapter 6: How to Use the Information You Gather

In this chapter the reader will learn how to use the information gathered by monitoring the target's radio systems. It includes specific advice on using the information gathered from guard radios, wireless headsets and phones, and wireless cameras.

Chapter 7: Basic Overview of Equipment and How it Works

Chapter 2 explored the scanner and how it works. In Chapter 7 the authors cover the common controls and features found on scanners and how to operate them. Next the book explains how to select a scanner for wireless reconnaissance and provides recommendations on specific scanners to use. After recommending specific radios the authors also discuss and recommend the antennas which they have found the most valuable over the years. The authors conclude this chapter by discussing accessories a reader may want to add to his wireless kit for radio reconnaissance.

Chapter 8: The House Doesn’t Always Win: A Wireless Reconnaissance Case Study

Chapter 8 is a case study that pulls together all the information provided in the book. During this case study the authors outline how wireless reconnaissance was invaluable during a physical penetration test on a casino. They start out by showing offsite profiling using the techniques discussed in Chapter 4. Next they tell how they used the offsite information and then expanded it using the onsite profiling techniques discussed in Chapter 5. Throughout this case study the reader will see firsthand how the information gathered by monitoring the casino’s radio systems was key to the successful penetration of this high value target.

Chapter 9: New Technology

In Chapter 9 the reader will learn where the world of wireless reconnaissance and penetration testing is heading. The authors discuss the shift to digital transmissions, the challenge this presents to penetration testers and some ways to overcome these challenges. Next they talk about Software Defined Radios and how this technology will bring about a new golden age of wireless hacking. In this section the reader will learn what a software defined radio is, common commercial and open source software defined radios and some examples of how they can be used. Next the book covers the trend of VOIP enabling radio dispatch systems. This section includes a case study showing the security problems seen by the authors in VOIP enabled dispatch systems. The chapter ends with recommendations on resources for keeping up to date on scanners and wireless security.
