Over the Air Red-Teaming with RF and SDR
Learn how to add Over The Air attacks to Red Team Engagements.
Day 1
The first day will introduce you to the challenges of doing Red Team tests and why radio can unlock a lot of new opportunities during assessments.
During this day, we will focus on Wi-Fi and Bluetooth 4 targets that could help us gain access remotely:
- Monitoring and capturing signal over-the-air;
- Analyzing the signal;
- Using the right tools at the right moment;
- Attacking communications (injection, cracking, etc.)
- etc.
Theory
- Introduction on actual Wi-Fi setups, standards, and common attacks
- Introduction to Bluetooth 4 and its security
- Some more insights on Bluetooth 5
Assignment 1
- Monitoring Wi-Fi
- Capturing Wi-Fi packets
- Analysis
Assignment 2
- Attacks in WEP, WPA/WPA2
- Study the case of WPA3
Assignment 3
- The case of open networks
- Steal secrets with rogue AP
- Introduction to protocol stack vulnerabilities
Assignment 4
- Monitor and discover BLE devices
- Interacting with BLE targets
- Man-In-The-Middle
Day 2
The second day will show how to mix physical intrusion with radio attacks to get permanent access to targets by challenging physical intrusion systems, but also by turning some devices into implants or using specific implants.
Theory
- Introduction to RFID security
- Introduction to nRF devices and the use of implants
Assignment 1
- Attacking ID systems, or weak and common intrusion system setups
- Challenging other identification systems
Assignment 2
- Actual MIFARE classic attacks
- Attacks on MIFARE Ultralight
- Analysing and crafting dumps
- Challenging other authentication systems
Assignment 3
- Detecting vulnerable nRF based devices
- Turning nRF devices into implants
Assignment 4
- Using specific USB implants
Requirements
Students will need to purchase the following to follow along with all the parts of the hands-on assignments. Students can complete the hands-on assignments at a later date with access to the recordings of the live class.
- For RFID: Proxmark3 rdv4 (EU: https://lab401.com/products/proxmark-3-rdv4, US: https://hackerwarehouse.com/product/proxmark3-rdv4-kit/)
- For Bluetooth: Nordic nRF52840 Dongle and Logitech K400 or any Logitech Mouse and Keyboard. Plus a Logitech CU-0007 dongle
- For Wi-Fi: Alfa AWUS036ACH AC1200
- For all: Raspberry Pi 4