Your SlideShare is downloading. ×
0
Radio Reconnaissance in
Penetration Testing
By: Matt Neely
Date: October 20, 2010
Location: Rochester Security Summit
About Me
•  Matt Neely (CISSP, CTGA, GCIH, and GCWN)
–  Manager of the Profiling Team at SecureState
–  Areas of expertise...
Radio Spectrum
What Most Penetration
Tests Look At
2.4GHz
5GHz
What Are You Missing?
2.4GHz
5GHz
Guards
Headsets
Cordless
Phones
Security
Cameras
Legal Issues
•  I am not a lawyer
•  Know the wiretap laws and do not violate them
–  Some states require that both partie...
Illegal Activity to Avoid
•  I am still not a lawyer
•  Additional activities to avoid:
–  Jamming transmissions
–  Decodi...
PROFILING A TARGET
Finding Frequencies to Monitor
Off-Site Profiling
•  Before arriving on site try to determine as much
information as possible such as:
–  In house or con...
Ask the Oracle
•  Ask the Oracle:
–  “Company name” scanner/frequency/guard frequency/MHz
–  Look for press releases from ...
Example: Off Site Profiling -
Church Hill Downs
•  Gave this presentation two weeks ago at the
Louisville Information Secu...
Example: Off Site Profiling -
Church Hill Downs Talkgroup
In summary, everything needed
to monitor their radio system
On-Site Profiling -
Frequency Counters
•  Displays the frequency of the strongest “near field”
signal
•  Can quickly ident...
On-Site Profiling -
Visual Recon
•  In the field:
–  Try to identify make and model of radios
–  Note the length and type ...
On Site Profiling -
Common Frequency Ranges
•  Labor intensive process
•  Common frequencies
–  FRS, GMRS and “Dot” freque...
HARDWARE
Recommended Scanners
AOR 8200 Uniden Bearcat BCD396T Uniden Bearcat SC230
~$620 ~$500 ~$180
Images provided by AOR U.S.A. ...
If You Have Unlimited Budget
•  0.005-3335 MHz coverage
•  Quadruple conversion
•  Very sensitive and selective receiver
•...
Recommended Accessories
•  A good antenna can make the difference
between hearing and missing a signal
•  Recommended ante...
REAL WORLD EXAMPLES
Case Study #1
•  Scenario: Physical penetration test of a casino
•  Off-site profiling:
–  Discovered frequency for the ra...
Case Study #1
•  On-site profiling:
–  Visually identified handheld radios
•  Appeared to be Motorola HT
Pro Series, most ...
Case Study #1
•  In the car: pulled frequencies from the Scout and noted
those in the 136-174 and 403-407 MHz range
•  Pro...
Case Study #2
•  Scenario: Internal penetration test against insurance
provider
–  While being escorted through the buildi...
Case Study #2
•  We heard:
–  Many phone calls
–  Lots of helpdesk calls
–  Employees checking
voicemail
–  Conversations ...
Case Study #3
•  Scenario: Physical penetration test on a power plant
•  On-site profiling:
–  Noticed video cameras aroun...
Case Study #3
•  What we found:
–  Video feeds from security cameras
•  What we learned:
–  Holes in camera coverage
–  Wh...
On the Horizon
•  VOIP enabled radio dispatch systems
•  DECT interception
•  Software defined radios
Defenses
•  Test your equipment – Make sure headsets and
cordless phones are secure
•  Check your facility for unencrypted...
Thank you for your time!
mneely@SecureState.com
@matthewneely
A	

Q&
Upcoming SlideShare
Loading in...5
×

Radio Reconnaissance in Penetration Testing

864

Published on

Tired of boring old pentests where the only wireless traffic you see is 802.11 and maybe a little Bluetooth? With this amazing new invention, the radio, your eavesdropping options can be multiplied! Come to this talk to learn techniques for discovering, monitoring, and exploiting a wide array of radio traffic with real world examples illustrating how these techniques have been used to gather information on a target's physical security, personnel, and standard operating procedures.

Matt Neely, Profiling Team Manager, SecureState

Matt Neely (CISSP, CTGA, GCIH and GCWN) is the Profiling Team Manager at SecureState, a Cleveland Ohio based security consulting company. At SecureState, Matt and his team perform traditional penetration tests, physical penetration tests, web application security reviews, and wireless security assessments. His research interests include the convergence of physical and logical security, cryptography, and all things wireless. Matt is also a host on the Security Justice podcast.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
864
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
22
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Radio Reconnaissance in Penetration Testing"

  1. 1. Radio Reconnaissance in Penetration Testing By: Matt Neely Date: October 20, 2010 Location: Rochester Security Summit
  2. 2. About Me •  Matt Neely (CISSP, CTGA, GCIH, and GCWN) –  Manager of the Profiling Team at SecureState –  Areas of expertise: wireless, penetration testing, physical security, security convergence, and incident response –  10 years of security experience •  Prior Life –  Formed and ran the TSCM team at a Fortune 200 company •  Outside of work: –  Co-host on the Security Justice podcast –  Co-founder of the Cleveland Chapter of TOOOL –  Licensed ham radio operator (Technician) for almost 20 years •  First radio I hacked: –  Fisher-Price Sky Talkers Walkie Talkie
  3. 3. Radio Spectrum
  4. 4. What Most Penetration Tests Look At 2.4GHz 5GHz
  5. 5. What Are You Missing? 2.4GHz 5GHz Guards Headsets Cordless Phones Security Cameras
  6. 6. Legal Issues •  I am not a lawyer •  Know the wiretap laws and do not violate them –  Some states require that both parties consent to a phone call being recorded •  Know the scanner laws for the state in which you are operating; remember to check this before traveling out of state –  Example: Kentucky Law 432.570 - Restrictions on possession or use of radio capable of sending or receiving police messages •  Make sure your activities are authorized in the written rules of engagement •  In most states it is legal to monitor any radio transmission as long as it is not a telephone call or pager traffic
  7. 7. Illegal Activity to Avoid •  I am still not a lawyer •  Additional activities to avoid: –  Jamming transmissions –  Decoding pager traffic –  Illegally transmitting
  8. 8. PROFILING A TARGET Finding Frequencies to Monitor
  9. 9. Off-Site Profiling •  Before arriving on site try to determine as much information as possible such as: –  In house or contract guard force –  Frequencies they are licensed to use –  Make and model of equipment they use
  10. 10. Ask the Oracle •  Ask the Oracle: –  “Company name” scanner/frequency/guard frequency/MHz –  Look for press releases from radio manufactures and reseller regarding the target –  Look for press releases from guard outsourcing companies talking about contracts with the target company –  Etc… •  Other online resources: –  http://www.radioreference.com/apps/db/ •  Free part of the site containing a wealth of information –  http://www.nationalradiodata.com/ •  FCC database search •  $29 per year –  http://www.perconcorp.com/ •  FCC database search •  Paid site •  Custom rates
  11. 11. Example: Off Site Profiling - Church Hill Downs •  Gave this presentation two weeks ago at the Louisville Information Security Conference hosted at Church Hill Downs •  A quick Google Search for “Church Hill Downs frequencies” reveals –  Church Hill Downs used a Motorola Type IIi Hybrid 800 MHz trunked radio system –  Voice traffic is analog and not encrypted –  System ID, fleetmap, frequencies, and talkgroups
  12. 12. Example: Off Site Profiling - Church Hill Downs Talkgroup
  13. 13. In summary, everything needed to monitor their radio system
  14. 14. On-Site Profiling - Frequency Counters •  Displays the frequency of the strongest “near field” signal •  Can quickly identify the transmit frequency of a radio •  Problems: –  Can have problems in signal rich urban areas –  Only locks on to very strong signals •  Recommend: Optoelectronic Scout
  15. 15. On-Site Profiling - Visual Recon •  In the field: –  Try to identify make and model of radios –  Note the length and type of antenna used –  Do all targets use the same radio, or do they use a mix? •  Use the information gathered above to determine: –  Frequency range –  Features of the radio such as digital, trunk, and encryption support •  BatLabs (www.batlabs.com) is a great source of information on Motorola radios
  16. 16. On Site Profiling - Common Frequency Ranges •  Labor intensive process •  Common frequencies –  FRS, GMRS and “Dot” frequencies •  Common ranges –  Business •  150 – 174 MHz •  420 – 425 MHz •  450 – 470 MHz •  851 – 866 MHz –  Cordless telephones and headsets (Make sure this is in scope and legal!) •  43.7– 50 MHz •  902 – 928 MHz •  2400 – 2483.5 MHz – Most are digital
  17. 17. HARDWARE
  18. 18. Recommended Scanners AOR 8200 Uniden Bearcat BCD396T Uniden Bearcat SC230 ~$620 ~$500 ~$180 Images provided by AOR U.S.A. and Uniden
  19. 19. If You Have Unlimited Budget •  0.005-3335 MHz coverage •  Quadruple conversion •  Very sensitive and selective receiver •  Spectrum scope •  Built in video decoding •  FSK demodulator and decoder •  ~$14,000 Image provided by Icom of America
  20. 20. Recommended Accessories •  A good antenna can make the difference between hearing and missing a signal •  Recommended antennas –  Flexible “rubber duck” –  Telescoping whip –  Magnetic-mount mobile –  Frequency specific antennas •  Max Systems 800 Mhz discone •  Scout frequency counter •  Recording equipment •  Camera •  DTMF decoder •  Video converter
  21. 21. REAL WORLD EXAMPLES
  22. 22. Case Study #1 •  Scenario: Physical penetration test of a casino •  Off-site profiling: –  Discovered frequency for the radio link between casino security and state police from forum postings •  Started monitoring the radio link between the casino and state police the night we arrived in town –  Casino dispatchers often chatted with the police –  Learned names of the 2nd and 3rd shift dispatchers
  23. 23. Case Study #1 •  On-site profiling: –  Visually identified handheld radios •  Appeared to be Motorola HT Pro Series, most likely GP-338 •  Operate in 29.7-42, 35-50, 136-174 and 403-470 MHz •  Do not support encryption or trunking •  Short antenna suggested target radios operate in 136-174 or 403-470 MHz range –  Carried the Scout through hotel and gaming floor Image provided by BatLabs.com
  24. 24. Case Study #1 •  In the car: pulled frequencies from the Scout and noted those in the 136-174 and 403-407 MHz range •  Programmed relevant frequencies into scanner and listened •  We heard: –  General chatter –  Guards going on and off shift •  We learned: –  Lingo –  Guard names –  When shift changes occur –  Schedule and locations of guards on rounds
  25. 25. Case Study #2 •  Scenario: Internal penetration test against insurance provider –  While being escorted through the building, noticed a number of wireless headsets –  Requested permission to add monitoring conversations over headsets into scope of engagement •  Permission granted: started scanning ranges commonly used by headsets –  Found several dozen headsets in use in the 902-928 MHz range –  Used signal strength and geographic information to determine which headsets were located inside the target’s building (!) •  Started monitoring traffic
  26. 26. Case Study #2 •  We heard: –  Many phone calls –  Lots of helpdesk calls –  Employees checking voicemail –  Conversations even when the phone was hung up •  We learned: –  Passwords from helpdesk calls –  PII used to reset passwords –  Voicemail passwords, recovered using a DTMF decoder
  27. 27. Case Study #3 •  Scenario: Physical penetration test on a power plant •  On-site profiling: –  Noticed video cameras around back perimeter had antennas –  Antennas appear to be tuned to 900 MHz range •  What we did: –  Scanned frequencies commonly used by wireless cameras Images provided by AOR U.S.A.
  28. 28. Case Study #3 •  What we found: –  Video feeds from security cameras •  What we learned: –  Holes in camera coverage –  Where the PTZ cameras were looking –  Personnel movement inside the property
  29. 29. On the Horizon •  VOIP enabled radio dispatch systems •  DECT interception •  Software defined radios
  30. 30. Defenses •  Test your equipment – Make sure headsets and cordless phones are secure •  Check your facility for unencrypted radio traffic •  Only use encrypted cordless phone and headset –  DECT may not count as encrypted •  Consider switching to digital or encrypted radios •  Train guards to be aware that what is said on the radio is public
  31. 31. Thank you for your time! mneely@SecureState.com @matthewneely A Q&
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×