Copyright
Acquiring Editor: Chris Katsaropoulos
Development Editor: Meagan White
Project Manager: Mohanambal Natarajan
Designer: Russell Purdy
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright 2013 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
For information on all Syngress publications visit our website at www.syngress.com
ISBN: 978-1-59749-731-2
Printed in the United States of America
13 14 15 10 9 8 7 6 5 4 3 2 1
Dedication
I'd like to start out by thanking Joan Amaratti for believing I could write a book all those years ago. I'd also like to thank Ken Stasiak and the SecureState family for supporting me throughout the entire writing process. Finally, I dedicate this book to Meagan Call for being a wonderfully supportive wife through this and all my projects.
--Matt
I dedicate this book to BNH, ELH, and JAH.
--Alex
Author Biography
Matt Neely (CISSP and CTGA) is the Director of Research, Innovation and Strategic Initiatives at SecureState, a security management consulting firm. At SecureState, Matt leads the Research and Innovation team, which focuses on imagining, researching and developing new offensive and defensive capabilities. His research interests include the convergence of physical and logical security, locks and lock picking, cryptography and all things wireless.
Mr. Neely is actively involved in public speaking and has spoken as a subject matter expert over seventy-five times at various local, national and international conventions and user group meetings including BlackHat EU, DefCon, ShmooCon, Thotcon and Notacon. Mr. Neely also guest lectures at local colleges on topics on security and risk management. He is a founding member of the Cleveland Chapter of TOOOL and is a host on the Security Justice podcast.
Alex Hamerstone is the Compliance Officer for TOA Technologies, an international workforce management software company. He is an RABQSA certified ISO 27001 Auditor and is active in the security community. When he isn't working or writing, he enjoys tinkering with electronics and spending time with his family.
Chris Sanyk is an IT professional with over twelve years of experience in everything from desktop publishing and web design, PC and server hardware, to user support, system administration, and software development. In his spare time, he blogs and develops video games at his website, csanyk.com.
Preface
Radio waves surround us, and more and more devices are being made wireless. Most penetration testers focus only on the very small portion of the radio spectrum used by 802.11 and Bluetooth devices. Physical penetration tests often miss guard radios, wireless headsets, wireless cameras, and many other radio devices commonly used in the modern corporation. These systems transmit a wealth of information which can aid a penetration tester in a targeted attack.
This book aims to educate penetration testers on how to find these too often ignored radios and mine them for information. The following chapters include information ranging from choosing the best equipment to use and how to find frequency information, to actual case studies demonstrating how this information has been used during penetration tests. The authors draw on a combined knowledge derived from performing hundreds of penetration tests and decades of radio experience to share tips, tricks and helpful notes about this less explored avenue of attack. This book is the definitive resource for anyone interested in adding radio profiling to his or her arsenal of penetration testing tools.
The book is also a great resource for the people who need to defend computer systems and companies. Like penetration testers, defenders often ignore wireless traffic outside of 802.11. This book shows various radios that might be deployed in various environments and how attackers could exploit the information leaked by these radio systems. Essential information on how to prevent this information leakage from occurring is also included.
How this Book is Organized
The best way to read this book is in the order it's presented, but the chapters are structured to assist the reader should he decide to read out of order. When key concepts are mentioned which were covered in earlier chapters, the page will reference the earlier chapter so the reader can flip back if he needs a refresher or is reading the chapters out of order. A glossary is also included at the end of the book to help with unfamiliar terms.
Chapter 1: Why Radio Profiling?
In the first chapter of the book the reader will learn what radio reconnaissance is and how it is useful during penetration tests. The chapter concludes with a short case study of radio reconnaissance used during a physical penetration test at a power company.
Chapter 2: Basic Radio Theory and Introduction to Radio Systems
In this chapter the reader will learn the theory behind how radios work and gain an introduction to the different radio systems encountered while performing radio reconnaissance. The chapter starts by discussing basic radio theory. The authors cover the terminology needed to understand the underlying concepts, give an overview of the radio spectrum and discuss how radio waves behave at different frequencies. Next, they cover how a radio works and the different components found in a radio receiver. After the reader learns how radios work, she will read about the most important part of a radio: the antenna. This part of the chapter starts out by covering antenna theory and wraps up with a discussion of the most common types of antennas one might encounter while performing radio reconnaissance during a penetration test. After antennas are discussed, the chapter moves on to the different ways radios encode data (modulation types). This section covers analog, digital and spread spectrum modulation types. Next is a rundown of the most commonly used types of radio systems. This starts out simply, discussing simplex versus duplex radio systems, expands to cover repeaters, and concludes with an explanation of trunked radio systems. The chapter ends with recommendations on where to learn more about radios and radio theory.