Archive for the 'Wireless Security & Pentesting' Category

WPA / WPA2 Cloud Cracking

Author: Martin Voelk
February 17, 2016

In a recent pentesting engagement for a client we came across a large WPA2-PSK deployment with 6 different SSIDs. As the customer used generic SSID names such as VOIP-5GHz and INTERNAL-STAFF, which cannot be traced back to the customer, we decided to try one of the numerous cloud cracking services.

The results were stunningly good. Out of 6 WPA2 handshakes, 4 were cracked, including the most important ones. Funnily enough, the secured GUEST network was not crackable with a rainbow-table attack.

This highlights the danger of WPA/WPA2-PSK once again. The key is only as secure as the passphrase, and since the WPA2 key is derived with the SSID as salt, a generic SSID name is exactly what precomputed tables are built for. We advise WPA2-Enterprise (802.1X/RADIUS) with client-side certificates and preferably multi-factor authentication with RSA tokens instead.



December 29, 2015

Wireless Drone In-Security

Author: Martin Voelk
April 6, 2015

We were recently engaged by a toy drone manufacturer to test how secure those wireless drones really are. The results were somewhat expected, as with most things in technology. During our research we stumbled across a website from Poland which detailed the process of taking over other wireless drones. After some more research we assembled a little test setup and tested it against the manufacturer's drone. The takeover took less than 5 minutes. Whilst the threats to toy drones are not really a huge risk, commercial drones delivering goods to the home are on the horizon, and many news agencies report on such efforts. A customer would not be happy if the ordered goods never arrived.

It is surprisingly easy to take control of toy drones. For those interested in learning more about the methodology behind it, here is the full How-To:


March 25, 2015

Bluetooth is part of many aspects of our lives, from garage door openers to headsets, speakers and gaming consoles. A lot of wireless communication is via Bluetooth. Most modern smartphones implement Bluetooth security properly. But what about all the third-party vendors who just want to push their products to market and neglect security? And what about older phone models? By far not everyone has an iPhone, a Samsung or another Android device.

In fact a lot of people and businesses still use older phones from Nokia, Motorola and the like. They can be quite small and are the preferred choice for on-call staff, work phones for guards on premises and so on.

A lot of Bluetooth devices lack security and can be infiltrated in a matter of seconds: reading out confidential information and address books, or even placing rogue phone calls. A lot of damage can be done here.

We can only advise turning Bluetooth off whenever it is not in use. Unfortunately we find in our pentests that a lot of people leave it on all the time. Not only does it drain the battery, it also allows someone in the proximity to silently break in. With the introduction of Ubertooth One (a USB Bluetooth monitoring device for an affordable $100 USD), things have not got any better.

This video, which we found on YouTube, demonstrates how easily Bluetooth can be compromised:


March 17, 2015

We often hear from customers: "We use WPA2-PSK, so you will not be able to crack it in your pentest. We don't use WEP." Well, 8 out of 10 Wi-Fi pentests we perform result in a full crack of the so-called secure WPA2-PSK.

Now why is that? Capturing the WPA 4-way handshake is a piece of cake: deauthenticate a connected client and record the reconnect. The real challenge pentesters and the bad guys alike face is cracking the WPA2 key. You usually need a lot of processing power, large rainbow tables with pre-computed hashes, or both. Dictionary and permuted-dictionary files can easily run to hundreds of gigabytes.

But hang on, why is it so easy then? Well, there are numerous cloud cracking services out there. Upload the WPA handshake, wait a day and get the result delivered by email.

What can users and companies do to secure their WPA-PSK?

  • Do not keep the ISP's factory default. It is usually purely numeric, at best a short mix of digits and letters
  • Choose a PSK that cannot be found in a dictionary or generated from one by the usual mangling rules
  • Adding a number or a special character at the end of a dictionary word is NOT the solution; that is exactly what permutation rules try first
  • Change the PSK every 3 to 6 months
  • Move away from PSK altogether and use 802.1X with EAP-TTLS or EAP-TLS

For those interested in trying a cloud cracker:

As always, use at your own risk and only against your own network or with the customer's written authorization as part of a pentest. Remember that whoever runs the service ends up holding your customer's key.


How insecure Wireless really is…

Author: Martin Voelk
December 9, 2014

Forget anything you have heard about Wireless Security. In our Wireless Penetration Tests we are able to break into 95% of all tested systems. Why? Because there are so many attack vectors against Wireless Networks.

WEP Encryption

WEP Encryption = No encryption. Breaking a WEP key with or without clients is a matter of minutes.


WPA / WPA2 PSK

Capturing the 4-way handshake is a matter of minutes. A 34 GB dictionary, pre-computed rainbow tables of several hundred gigabytes and cloud-based crackers together give a success chance of 80%. The remaining 20% are in one way or another crackable through a social engineering attack, where users simply enter their key into a real-looking authentication portal on an Evil Twin. Once the key has been obtained, the possibilities for further attacks are unlimited.
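The following Python script is an added example and not part of the original posts. It derives the WPA2 PMK exactly as IEEE 802.11i defines it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations) and then runs the kind of word-plus-suffix dictionary attack described here and in the March 17, 2015 post above against a constructed mini-wordlist. The SSID INTERNAL-STAFF, the weak passphrase "Welcome2015", the wordlist and the suffix rules are all made up for the demonstration; real attacks use multi-gigabyte lists with the same rules. It shows three things from the advice list in one run: a dictionary word with a number appended falls immediately, a random passphrase does not, and the same passphrase yields a different PMK under a different SSID, which is why precomputed tables only help against common SSID names.

```python
import hashlib
import secrets
import string
from typing import Iterator, Optional

# Constructed mini-wordlist (example only) standing in for the multi-gigabyte
# dictionaries the post mentions.
WORDLIST = ["welcome", "password", "internet", "wireless",
            "company", "office", "staff", "secret"]

# Typical "append something" mangling rules: a digit or two, a year, a special.
SUFFIXES = ([""] + [str(n) for n in range(50)]
            + [str(y) for y in range(2010, 2017)]
            + ["!", "!!", "@", "#", "123", "1234", "1!", "!1"])


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as defined by IEEE 802.11i: PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 iterations, 32 bytes). Because the SSID is the salt, a table of
    precomputed PMKs only applies to networks using that exact SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def permuted_candidates(words=WORDLIST) -> Iterator[str]:
    """Yield dictionary words with the mangling rules crackers apply by default
    (lowercase and capitalised, each with every suffix), skipping candidates
    outside the legal 8..63 character range."""
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                candidate = base + suffix
                if 8 <= len(candidate) <= 63:
                    yield candidate


def crack_pmk(target_pmk: bytes, ssid: str) -> Optional[str]:
    """Offline dictionary attack against a known PMK. A real cracker verifies
    each guess against the MIC in the captured 4-way handshake instead, but the
    cost per guess (one PBKDF2 run) is identical, which is what matters."""
    for candidate in permuted_candidates():
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def random_psk(length: int = 24) -> str:
    """A PSK no dictionary or rule set reaches: uniformly random characters
    from the OS CSPRNG. 24 alphanumerics are about 143 bits of entropy."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    assert wpa2_pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")

    ssid = "INTERNAL-STAFF"            # made-up SSID, as in the post
    weak = "Welcome2015"               # word + year: the "add a number" anti-pattern
    print("weak PSK recovered as:", crack_pmk(wpa2_pmk(weak, ssid), ssid))
    strong = random_psk()
    print("random PSK recovered as:", crack_pmk(wpa2_pmk(strong, ssid), ssid))
    print("same PSK, other SSID, different PMK:",
          wpa2_pmk(weak, ssid) != wpa2_pmk(weak, "GUEST"))
```

Note that the expensive step is PBKDF2, not the comparison: the script makes one derivation per guess, just like aircrack-ng or a cloud service does, so wall-clock time per candidate is the real work factor an attacker pays, and it is small enough that a few thousand guesses complete in seconds on a laptop.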

Client Side Attacks

Corporate and private user devices will happily connect to an Evil Twin AP set up by the attacker. This time the goal is to infect the client browsers with malware, which in turn gives the attacker full control over the victim machine.

Man in the Middle Attacks

Fake hotspots that look legitimate are used to capture credentials such as e-mail and web passwords, credit card details or PayPal logins. Thereafter all user activity is captured: websites visited, credentials entered, images browsed. Even SSL connections are broken by SSL strip, where the attacker proxies the HTTPS connection to the website and serves the user plain HTTP, so everything is presented in clear text (only sites the browser already knows via HSTS resist this).

Denial of Service

Wireless jammers are becoming cheaper and cheaper. They can be bought from China and ship to any country without problems, as the Chinese companies label them as access points and shipping goes through. The high-end boxes cost around $200 each, are twice the size of a cigarette box and come with power packs. These jammers block cellular, Wi-Fi and GPS signals in their vicinity. Imagine 10 of them strategically placed in a competitor's office! Many look like air fresheners. Note that operating a jammer is illegal in most jurisdictions, pentest or not.

Attacks against RADIUS / Corporate Wifi 802.1x

The attacker impersonates the RADIUS server behind a rogue AP broadcasting the corporate SSID. Client devices present their credentials: the username arrives in clear text, and the challenge/response pairs (typically PEAP with MS-CHAPv2) are captured and cracked offline. This works because the client's half of the mutual authentication, checking the RADIUS server's certificate against a trusted CA and an expected server name, is often not enforced by default.
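As an added example, not from the original post, the wpa_supplicant configuration below shows the client-side root cause and its fix side by side. The SSID, identity, RADIUS host name and certificate paths are placeholders; the only lines that matter for the attack are the ones that pin the server.

```conf
# WEAK: no ca_cert, so the supplicant accepts ANY server certificate.
# A rogue AP with its own RADIUS server collects the MS-CHAPv2 exchange.
network={
    ssid="INTERNAL-STAFF"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# FIXED: the server must present a certificate chained to the corporate CA
# AND carry the expected name, otherwise the client aborts before phase 2.
# anonymous_identity keeps the real username out of the clear-text outer EAP.
network={
    ssid="INTERNAL-STAFF"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

# BETTER: EAP-TLS, no password to crack at all; the client authenticates with
# its own certificate and still pins the server the same way.
network={
    ssid="INTERNAL-STAFF"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    private_key_passwd="key-passphrase"
}
```

The same two checks (trusted CA plus expected server name) are what a Windows or mobile 802.1X profile must push to every client; a profile that leaves "validate server certificate" unticked is equivalent to the first block.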

Think again when vendors tell you about great wireless security. It is not that great after all.


November 30, 2014


Cracking WPA/WPA2 PSK

Author: Martin Voelk
November 30, 2014


November 30, 2014


November 30, 2014