CPENT Module 09 Wireless Penetration Testing


EC-Council Certified Penetration Testing Professional

Certified Penetration Testing Professional

Methodology: Wireless Penetration Testing

Penetration Tester:
Organization:
Date:
Location:

Confidential 1 CPENT Template Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.

Test 1: Wireless Local Area Network (WLAN) Penetration Testing

Test 1.1: Discover the Wireless Networks

Target Organization:
URL:
Techniques Used:
1.
2.
3.
4.
5.

Access Points Discovered:
1.
2.
3.
4.
5.

Soft Access Points Discovered:
1.
2.
3.
4.
5.

Data of Discovered Access Points:

Access Points Discovered | SSID | BSSID | Encryption Technique | Beacon Strength
1.
2.
3.


4.
5.
6.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.2: Check Physical Security of AP

Target Organization:
URL:
Physical Location of Authorized APs:

Physical Access to APs Is Controlled? Yes / No


Network's Physical Security Policy:

Details of Authorized Persons having Physical Access to APs:
1.
2.
3.
4.
5.

Details of Access Points:

APs Discovered | Location | Model Type | MAC Address | IP Address
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 1.3: Detect Wireless Connections

Target Organization:
URL:
Scanning Methodologies:

Wireless Connections Detected using Active Scanning:
1.
2.
3.
4.
5.

Wireless Connections Detected using Passive Scanning:
1.
2.
3.
4.
5.

Gathered AP Information:

Access Points Discovered | SSID | BSSID | Encryption Technique | Beacon Strength
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Identified Network Vulnerabilities:
1.
2.
3.
4.
5.


Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.4: Sniff Traffic between the AP and Linked Devices

Target Organization:
URL:
Information gathered from Sniffed Traffic:

BSSID:
PWR:
Beacons:
#Data:
CH:
HB:
ENC:
ESSID:

BSSID:
STATION:
PWR:
Packets:
Probes:
Others:

Sensitive Information obtained Through Sniffing:
1.
2.
3.
4.
5.
6.
7.

Tools/Services Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 1.5: Create a Rogue Access Point and Try to Create a Promiscuous Client

Target Organization:
URL:
Details of Rogue Access Point:

Location of Rogue Access Point:

SSID Broadcast Disabled? Yes / No
Details of Firewall Used to Place the Rogue AP:

Promiscuous Client Creation Successful? Yes / No

Details of Users Connected to Rogue AP:
1.
2.
3.
4.
5.

Sensitive Information Gathered from Network Data:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 1.6: Use a Wireless Honeypot to Discover Vulnerable Wireless Clients

Target Organization:
URL:
Details of Honeypot or Evil Twin AP Used:

Discovered Vulnerable Wireless Clients? Yes / No

Details of Vulnerable Wireless Clients:
1.
2.
3.
4.
5.

Captured any Email or FTP Connections? Yes / No

Details of Email or FTP Connections Captured:
1.
2.
3.
4.
5.

Able to Access the User's File Shares? Yes / No

Details of User's File Shares Captured:
1.
2.
3.
4.
5.

Captured Login Credentials via Captive Portal or Spoofed DNS Caching? Yes / No


List of User Credentials Captured:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.7: Perform a Denial-of-Service Attack (De-authentication Attack)

Target Organization:
URL:
Commands Used:

Is De-authentication Attack Successful? Yes / No

Response Received:

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.8: Attempt Rapid Traffic Generation

Target Organization:
URL:
Commands Used:

Captured Source MAC Addresses:
1.
2.
3.
4.
5.

Captured Destination MAC Addresses:
1.
2.
3.
4.
5.

Discovered Hosts on the Wireless Network:
1.
2.
3.
4.
5.

Discovered Hosts on the Bridged or Wired LAN:
1.
2.
3.
4.
5.

Is Replay Attack on the Target Wireless Network Successful? Yes / No

WEP Keys Cracked:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.9: Attempt Single-packet Decryption

Target Organization:
URL:
Commands Used:

Techniques Used:

Source MAC Address:

Destination MAC Address:
Recovered Plain Text:

Security Level of the Target Network:

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.10: Perform an ARP Poisoning Attack

Target Organization:
URL:
Fake MAC Address Used:
IP Address of the AP:
Is ARP Poisoning Attack Successful? Yes / No
Details of Hosts/Subnet Compromised:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.11: Try to Inject the Encrypted Packet

Target Organization:
URL:
Commands Used:

Is Encrypted Packet Injection Attack Successful? Yes / No

List of APs Responded to Broadcast Probes:
1.
2.
3.
4.
5.

Identified Network Vulnerabilities:
1.
2.
3.
4.
5.

Ping Response Time to the AP:
Hidden SSIDs Detected:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.


3.
4.
5.

Results Analysis:


Test 1.12: Crack WPA-PSK Keys

Target Organization:
URL:
Command Used to Monitor Traffic:

Command Used to Collect Traffic Data:

Information gathered by Cracking WPA-PSK Keys:

BSSID:
PWR:
RXQ:
Beacons:
#Data:
CH:
MB:
ENC:
CIPHER:
AUTH:
ESSID:
Others:

Information Extracted from WPA2 4-way handshake communication:
1.
2.
3.
4.
5.

Techniques Used to Recover the Keys:


Recovered WPA-PSK Keys:

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.13: Crack WPA/WPA2 Enterprise Mode

Target Organization:
URL:
Commands Used:

Details of Fake AP Used:

Is the Man-in-the-Middle (MITM) Attack Successful? Yes / No

Captured and Recovered Authentication Credentials? Yes / No
Recovered Authentication Credentials:

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.14: Check for MAC Filtering

Target Organization:
URL:
Commands Used:

Is Target Access Point Using MAC Filtering? Yes / No

Fake Auth Commands:
Is Authentication Successful? Yes / No
Is Association Successful? Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.15: Spoof the MAC Address

Target Organization:
URL:
Commands Used:

Details of Legitimate Device Used for Impersonation:

Name of the SSID tested:
Spoofed MAC Address:
1.
2.
3.
4.
5.

New MAC Address and Vendor Settings:
Is MAC Spoofing Successful? Yes / No
Identified Attack Vectors:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.


4.
5.

Results Analysis:


Test 1.16: Create a Direct Connection to the Wireless Access Point

Target Organization:
URL:
DHCP Enabled:
Wireless AP: Yes / No
Laptop: Yes / No
Does the Target Wireless Network Allow Direct Connections to Malicious Devices? Yes / No
IP Address of Wireless AP:
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 1.17: Additional Wireless Penetration Testing Tools

Target Organization:
URL:
Commands Used:

Wireless Adapter | BSSID | Associated Vulnerabilities
1.
2.
3.
4.

Information Gathered from Wireless Penetration Testing:
1.
2.
3.
4.
5.

1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 2: RFID Penetration Testing

Test 2.1: Perform Reverse Engineering

Target Organization:
URL:
Target RFID System:
Methods/Techniques Used:
1.
2.
3.
4.
5.

Is RFID Reverse Engineering Successful? Yes / No

Step-1: Visual inspection
Manufacturer Details:

RFID Model:
RFID Standard:
Other Information, if any:
Step-2: Monitoring Coupling and Frequencies
RFID Operational Frequency:
Suspected Frequencies Recorded using Spectrum Analyzer/Oscilloscope:
Step-3: Monitoring Energy supply and modulations
How is the RFID Tag Powered? Own Battery / Reader Signal


Details of RFID Battery:

Modulation Parameters:

Step-4: Line encoding, Syntax inference, and Protocol inference using signal Spectrogram
Symbol Coding Implemented in the RFID Tag:

Step-5: Cryptanalysis
Encoding Techniques Used:

Other Information Collected:
1.
2.
3.
4.
5.

Identified Vulnerabilities in RFID Systems:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 2.2: Perform Power Analysis Attack

Target Organization:
URL:
Target RFID System:
Details of Devices Used in Power Analysis:
1.
2.
3.
4.
5.

Performed Power Analysis Attack Successfully? Yes / No

Did the Device Leak any Information During Cryptographic Operations? Yes / No
Identified Secret Keys:

Devices/Tools Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 2.3: Perform Eavesdropping

Target Organization:
URL:
Target RFID System:
Equipment Used for Eavesdropping:
1.
2.
3.
4.
5.

Is Eavesdropping on the Legitimate Transmission between the RFID Tag and the Reader Successful? Yes / No
Sensitive Information Obtained through Eavesdropping:
1.
2.
3.
4.
5.

Identified Vulnerabilities:
1.
2.
3.
4.
5.

Devices/Tools Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 2.4: Perform an MITM Attack

Target Organization:
URL:
Target RFID System:
Equipment Used for Eavesdropping and Intercepting Traffic:
1.
2.
3.
4.
5.

Is Interception of the Communication between the RFID Tag and the Reader Successful? Yes / No
Is Data Transmitted in Clear Text? Yes / No
Information Recovered:
1.
2.
3.
4.
5.
6.
7.
8.
9.

Devices/Tools Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 2.5: Perform a DoS Attack

Target Organization:
URL:
Target RFID System:
Performed DoS Attack Successfully against:
1. RFID Tag: Yes / No
2. RFID Reader: Yes / No
3. Backend Server: Yes / No

Techniques Used to Perform DoS Attack:
1.
2.
3.
4.
5.

Response Received:
1.
2.
3.
4.
5.

Devices/Tools Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 2.6: Perform RFID Cloning/Spoofing

Target Organization:
URL:
Target RFID System:
Captured Data from the Legitimate RFID Tag and Created a Clone of it using a New Chip Successfully? Yes / No
Overwritten Existing RFID Tag Data with the Spoofed Data (Obtained by Eavesdropping) Successfully? Yes / No
Data Transmitted from an RFID Tag:

Devices/Tools Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 2.7: Perform an RFID Replay Attack

Target Organization:
URL:
Target RFID System:
Techniques Used:
1.
2.
3.
4.
5.

Intercepted Communication between the RFID Reader and Tag, and Captured an RFID Signal Successfully? Yes / No
Is the RFID Replay Attack Successful? Yes / No
Information Gathered:
1.
2.
3.
4.
5.

Identified Vulnerabilities:
1.
2.
3.
4.
5.

Devices/Tools Used:
1.
2.
3.
4.


5.

Results Analysis:


Test 2.8: Perform a Virus Attack

Target Organization:
URL:
Target RFID System:
Injected Infective Viruses to the Memory Space of RFID Tags Successfully? Yes / No
Compromised Backend RFID Middleware Systems via an SQL Injection Attack? Yes / No
Identified Vulnerabilities that Lead to Virus Attacks:
1.
2.
3.
4.
5.

Devices/Tools Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 3: NFC Penetration Testing

Test 3.1: Perform Eavesdropping

Target Organization:
URL:
Target NFC Device:
Eavesdropping of the Communication between NFC Devices Successful? Yes / No
Information Obtained:
1.
2.
3.
4.
5.

Devices/Tools Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 3.2: Perform a Data Modification Attack

Target Organization:
URL:
Target NFC Device:
Interfered with the NFC Data Exchange Successfully? Yes / No
Is Modifying the Control-Flow of Programs Successful? Yes / No
Running Data Captured:
1.
2.
3.
4.
5.

Memory Corruption Techniques Used to Override Data:
1.
2.
3.
4.
5.

Identified Vulnerabilities:
1.
2.
3.
4.
5.

Devices/Tools Used:
1.
2.
3.
4.
5.

Results Analysis:


Test 3.3: Perform Data Corruption Attack

Target Organization:
URL:
Target NFC Device:
Performed Data Corruption Attack Successfully? Yes / No
Techniques Used to Perform Data Corruption:
1.
2.
3.
4.
5.

Identified Vulnerabilities:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Devices/Tools Used:
1.
2.
3.
4.
5.


Results Analysis:


Test 3.4: Perform a MITM Attack

Target Organization:
URL:
Target NFC Device:
Eavesdropped, Manipulated and Transmitted the Data to the NFC Reader Successfully? Yes / No
Identified Vulnerabilities:
1.
2.
3.
4.
5.

Devices/Tools Used:
1.
2.
3.
4.
5.

Results Analysis:
