Chapter 3. Exploiting Wireless Devices

After our wireless scanning phase is complete, we will have a prioritized list of potential targets that are in scope for our penetration test. This list should be ordered by relevance to the organization, by ease of exploitation, or by whether the devices or clients may contain critical information, such as those accessed by administrators.

You can think of access points as being similar in nature to servers in a DMZ. The primary difference is that those critical servers are typically behind a firewall and other layered defenses, whereas the access points, or "tiny servers with routing capabilities", can be accessed directly by users, usually without the benefit of traditional security mechanisms to protect them. Wireless access points can more or less be seen as a potential backdoor to enterprise networks. Like printers and other devices that contain embedded systems, they are commonly overlooked by administrators and security professionals.

Wireless network devices, specifically access points, have been the target of hackers and regularly have vulnerabilities that are publicly disclosed. Once a vulnerability is publicized, it is common to see exploits released into the wild that can be used during your pentest. Compared to other devices on the network, like workstations and servers, the patching cycle for network devices is typically sporadic, if it happens at all, widening your window for the successful exploitation of these devices. If wireless at a residence is in scope, there is a very high likelihood that the device's firmware has not been upgraded since it was deployed and that default security settings, like administrative credentials, have not been changed. More often than not, an exploitable vulnerability will be discovered in the device firmware but will be left unpatched due to the administrator's reluctance to disrupt the communication provided by the AP, or a lack of knowledge of how to patch these devices.

By taking advantage of these vulnerabilities in a wireless device, an attacker can gain access to the device, can attack the clients that use the device for access, and can often use these devices as a pivot point to get further into the network.

In this chapter, we will cover the following topics:

  • Attacking the firmware
  • Attacking the services
  • Checks on misconfiguration