
Using Wave Behaviors to Locate Wireless Access Points and Devices
Radio frequency (RF) signals occupy a range of the electromagnetic spectrum that cellular, Wi-Fi, Bluetooth, and other telecommunication technologies are built on. Radio waves interact with their environment in several ways, collectively referred to as "wave behaviors." The commonly cited wave behaviors are absorption, reflection, refraction, and diffraction.
When performing a wireless penetration test, it is often important to physically locate and identify the scoped wireless access points (APs) and any potential rogue APs. Finding them can be difficult at larger sites and takes some skill. Accounting for wave behavior can make or break an attempt to locate an AP. The Received Signal Strength Indicator (RSSI) is the primary indicator of proximity to a wireless device. In airodump-ng it is displayed under the PWR column. RSSI is measured in dBm (decibels relative to one milliwatt) and is reported as a negative number: the stronger the signal, the closer the value is to 0. In practice, anything higher (closer to zero) than -30 dBm means you are likely close enough to touch the device. One caveat: airodump-ng shows a PWR of -1 when the wireless driver does not report signal levels at all, so that value is a missing reading rather than a weak one. Below is an airodump-ng capture taken with the antenna inches from a cellphone's wireless hotspot.
Figure 1: Strong RSSI, close proximity to target
Next is an example of weak RSSI, meaning the antenna is far from the target. In practice, anything lower than -70 dBm indicates that you are either far from the target or that obstructions are attenuating the signal.
Figure 2: Weak RSSI, further from target
RSSI is a good indicator of proximity, particularly in open environments with few obstructions. Unfortunately, because of the complexity and variety of materials in modern buildings, it is not always as simple as following strong RSSI and avoiding weak RSSI. The rest of this article discusses how to use the physics of the various wave behaviors to locate and identify APs.
Absorption is one of the easiest wave behaviors to exploit and the most directly applicable to finding an AP. Water absorbs radio waves strongly, and the human body is mostly water (roughly 60 percent by mass), so your body can be a crucial element of your wireless penetration testing toolkit. By placing your body, or sometimes just a hand, in front of the antenna and observing the loss of signal strength, you can estimate the target's general direction: the greater the drop in RSSI, the more likely the target lies in the direction your hand or body was blocking. Take several readings per direction, since RSSI jitters from one beacon to the next. This technique quickly narrows down a device's likely direction without physically walking through every part of a building; often it is used to decide which way to walk down a hallway. Concrete walls are also fairly absorbent and can significantly attenuate a signal. Knowing this, if you experience a sharp decline in signal strength after rounding a corner where a concrete or cinder-block wall replaces drywall, the target AP is likely on the far side of that wall.
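The two techniques above, reading RSSI out of airodump-ng and using your body as an absorber, as an added example that is not code from the original article. It parses the CSV that airodump-ng writes with -w (the live PWR column is stored under the "Power" header, and the AP table is followed by a blank line and a separate station table), buckets each AP with the -30 / -70 dBm rules of thumb, treats a -1 as "no reading", separates 2.4 GHz from 5 GHz APs by channel number, and ranks body-blocked readings to pick a bearing. The sample CSV, MAC addresses, ESSIDs and readings are constructed, not captured.

```python
"""Added example (not from the original article): parse an airodump-ng CSV
dump, bucket each AP's RSSI with the article's -30 / -70 dBm rules of thumb,
split readings by band, and rank "body-block" readings to pick a direction.

All MAC addresses, ESSIDs and RSSI values below are constructed, not captured.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout airodump-ng writes to "<prefix>-01.csv".
# The live display's PWR column is stored under the "Power" header; the AP
# table is followed by a blank line and a separate "Station MAC" table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2023-01-05 10:00:01, 2023-01-05 10:05:12,  6,  130, WPA2, CCMP, PSK, -27,       120,        0,   0.  0.  0.  0,   9, Hotspot-A, 
AA:BB:CC:DD:EE:02, 2023-01-05 10:00:03, 2023-01-05 10:05:10, 36,  866, WPA2, CCMP, PSK, -58,        88,        0,   0.  0.  0.  0,   7, Corp-5G, 
AA:BB:CC:DD:EE:03, 2023-01-05 10:00:07, 2023-01-05 10:04:59, 11,   54, WPA2, CCMP, PSK, -81,        14,        0,   0.  0.  0.  0,   7, FarAway, 
AA:BB:CC:DD:EE:04, 2023-01-05 10:00:09, 2023-01-05 10:05:11,  1,   54, OPN,     ,     ,  -1,         3,        0,   0.  0.  0.  0,   5, NoSig, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2023-01-05 10:00:20, 2023-01-05 10:05:00, -40,        52, AA:BB:CC:DD:EE:01,
"""


@dataclass(frozen=True)
class ApReading:
    bssid: str
    essid: str
    channel: int
    power_dbm: Optional[int]  # None when airodump-ng reported -1 (driver gives no RSSI)

    @property
    def band(self) -> str:
        # Channels 1-14 are 2.4 GHz; 36 and up are 5 GHz. The CSV carries only the
        # channel number, so Wi-Fi 6E (6 GHz) channels are not distinguished here.
        return "2.4GHz" if 1 <= self.channel <= 14 else "5GHz"


def parse_airodump_aps(text: str) -> list[ApReading]:
    """Return the AP rows of an airodump-ng CSV, stopping before the station table."""
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    col = {name: i for i, name in enumerate(header)}
    aps: list[ApReading] = []
    for row in rows:
        if not row or row[0].strip() == "Station MAC":
            break  # blank separator line or start of the station table
        power = int(row[col["Power"]].strip())
        aps.append(ApReading(
            bssid=row[col["BSSID"]].strip(),
            essid=row[col["ESSID"]].strip(),
            channel=int(row[col["channel"]].strip()),
            power_dbm=None if power == -1 else power,
        ))
    return aps


def proximity(power_dbm: Optional[int]) -> str:
    """Bucket an RSSI using the article's rules of thumb (-30 dBm: touching; -70 dBm: far)."""
    if power_dbm is None:
        return "unknown"  # driver reports no signal level; not a weak signal
    if power_dbm > -30:
        return "touching distance"
    if power_dbm >= -70:
        return "in range"
    return "far or obstructed"


def by_band(aps: list[ApReading]) -> dict[str, list[ApReading]]:
    """Group readings so 2.4 GHz (coarse) and 5 GHz (precise) can be judged separately."""
    out: dict[str, list[ApReading]] = {"2.4GHz": [], "5GHz": []}
    for ap in aps:
        out[ap.band].append(ap)
    return out


def rank_blocked_directions(baseline_dbm: list[int],
                            blocked_dbm: dict[str, list[int]]) -> list[tuple[str, float]]:
    """Body-block absorption test: average several readings with the antenna
    unobstructed, then with your body shielding each direction in turn. The
    direction whose readings dropped the most is the most likely bearing to
    the AP. Averaging matters because RSSI jitters from beacon to beacon."""
    base = sum(baseline_dbm) / len(baseline_dbm)
    drops = {d: base - sum(v) / len(v) for d, v in blocked_dbm.items()}
    return sorted(drops.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for ap in parse_airodump_aps(SAMPLE_CSV):
        print(f"{ap.bssid} {ap.essid:<10} ch{ap.channel:<3} {ap.band:<7} "
              f"{ap.power_dbm!s:>5} dBm  {proximity(ap.power_dbm)}")
    # Constructed hallway readings: shielding north costs 11 dB, so the AP is likely north.
    scan = rank_blocked_directions(
        baseline_dbm=[-52, -50, -51],
        blocked_dbm={"north": [-61, -63, -62], "south": [-53, -52, -51],
                     "east": [-55, -57, -56], "west": [-54, -52, -53]})
    print("likely bearing:", scan[0][0], "drop:", scan[0][1], "dB")
```

Point the script at a real dump with `parse_airodump_aps(open("scan-01.csv").read())`; the thresholds and the per-direction averaging are the only policy in it, so tune them to the site.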
Understanding reflection also helps in locating access points. Many materials are reflective: mirrors and most metals, for example, and some polishes or finishes make otherwise permeable or absorptive surfaces reflective to RF. Reflection can be deceptive and lead a penetration tester to spend time investigating a location that turns out to be a false positive. A concave reflective surface creates a focal point; at or near the focal point the signal is stronger than it is either closer to or further from the surface. This can lead a tester to believe they are standing near the target when it is actually some distance away.
Fortunately, it is uncommon (though not extremely rare) to encounter a concave reflective surface large enough to create a focal point capable of deceiving a penetration tester.
A more common example is a reflective wall (typically metal) or a mirror. Depending on the angle, a reflective wall can bounce an AP's signal from one hallway down a different hall. A tester approaching from the second hallway would see RSSI increase as they approached the wall and could reasonably presume that the AP must be on the other side of it. A tester with a solid understanding of reflection would instead note the material of the wall, suspect that reflection was in play, look for the directions the signal could be arriving from, and find the AP sooner.
Despite being very common, refraction is not as obviously useful to a penetration tester as absorption or reflection. It becomes significantly more impactful on long-distance site-to-site links, where rain, fog, humidity, pressure, temperature, and other factors induce refractive behavior whose effect grows with distance. Keeping this in mind can help when assessing a large outdoor footprint, but in most engagements it does not apply. In smaller, mostly indoor environments, it is worth noting that all sorts of materials, including drywall, wood, plastic, and window glass, refract radio waves. A tester should keep in mind that receiving a strong signal in front of a window does not inherently mean that the AP or target device is directly on the other side of it; refraction may be altering the angle of the signal. Additionally, if the rest of the building is stone or cinder-block, diffraction could be pushing the signal out through the windows.
Diffraction plays a huge role in how RF interacts with the local environment, especially in urban or mountainous locations. Thick stone, brick, and cinder-block are common materials that cause diffraction. Within a building, diffraction can "push" signal down hallways and out through doorways or windows, creating some interesting scenarios depending on the layout of the building and the placement of the APs. For example, in a stone hallway running north to south, a tester could get a stronger signal at the north end of the hall despite the AP being at the south end of the building on the other side of the wall. In a diffraction-heavy environment like this, thick metal doors can also drastically change the "flow" of RF depending on whether they are open or closed.
It is also important to remember that diffraction can create a dead zone: an area with little or no signal on the outer side of a diffracting object. For example, picture an AP behind a stone wall with a window about two feet above head height running the length of the wall. Diffraction at the wall causes the signal leaving the window to fan out at several angles. Most of the RF exits straight out of the window, and signal strength falls off as you move back toward the external face of the wall until there is little or none. The result is a dead zone next to the wall and a "sweet spot" several meters away from it. A tester may be deterred by the lack of signal near the wall and follow the increasing signal out to the sweet spot, which leads them away from the AP. Understanding this principle can be crucial to finding an AP in a timely manner.
One final point to keep in mind is that diffraction depends heavily on wavelength: 2.4 GHz Wi-Fi diffracts around obstacles more readily and loses less power over distance than the 5 GHz band. This means that 5 GHz signal can be "trusted" to a greater degree in environments where diffraction is abundant. For this reason, it is recommended to listen on both bands: use 2.4 GHz to get a broad approximate location and 5 GHz for more precise locating. Bluetooth can also be used for ultra-precise identification but is rarely required, as 5 GHz is typically more than accurate enough to get the job done. (Bluetooth shares the 2.4 GHz band, so its value close in comes from its short range rather than from a shorter wavelength.)
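To put numbers on the band difference, and on the earlier point that RSSI alone does not translate cleanly into distance, here is an added example (not code from the original article) using the standard Friis free-space formula and the log-distance path-loss model. The 20 dBm transmit power and the path-loss exponents are assumed, illustrative values; the model captures distance and frequency only, not the reflection and diffraction effects the article describes.

```python
"""Added example (not from the original article): free-space and log-distance
path-loss arithmetic showing why the 2.4 GHz band reads stronger than 5 GHz at
the same distance, and why a single RSSI value does not pin down a distance.
Transmit power and path-loss exponents below are assumed illustrative values.
"""
from __future__ import annotations

import math


def fspl_db(distance_m: float, freq_ghz: float) -> float:
    """Free-space path loss (Friis) in dB: 20log10(d) + 20log10(f) + 32.45
    with d in metres and f in GHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_ghz) + 32.45


def band_penalty_db(low_ghz: float = 2.437, high_ghz: float = 5.18) -> float:
    """Extra loss of the higher band at any distance: 20log10(f_high / f_low).
    Defaults are Wi-Fi channel 6 (2.437 GHz) and channel 36 (5.18 GHz)."""
    return 20 * math.log10(high_ghz / low_ghz)


def expected_rssi_dbm(tx_dbm: float, distance_m: float, freq_ghz: float,
                      n: float = 2.0, d0_m: float = 1.0) -> float:
    """Log-distance model: PL(d) = FSPL(d0) + 10 n log10(d/d0).
    n = 2 is free space; indoor environments with walls and people typically
    sit around 3 to 4 (assumed range, environment dependent)."""
    path_loss = fspl_db(d0_m, freq_ghz) + 10 * n * math.log10(distance_m / d0_m)
    return tx_dbm - path_loss


def estimate_distance_m(rssi_dbm: float, tx_dbm: float, freq_ghz: float,
                        n: float = 2.0, d0_m: float = 1.0) -> float:
    """Invert the log-distance model. The answer depends entirely on the
    exponent you assume, which is the article's point: RSSI alone is not a
    ruler once walls, bodies and reflections are involved."""
    path_loss = tx_dbm - rssi_dbm
    return d0_m * 10 ** ((path_loss - fspl_db(d0_m, freq_ghz)) / (10 * n))


def same_reading_distances(rssi_dbm: float, tx_dbm: float, freq_ghz: float,
                           exponents=(2.0, 3.0, 4.0)) -> dict[float, float]:
    """Distances that would all produce one RSSI under different exponents."""
    return {n: estimate_distance_m(rssi_dbm, tx_dbm, freq_ghz, n) for n in exponents}


if __name__ == "__main__":
    tx = 20.0  # assumed AP transmit power in dBm (EIRP) for illustration
    print(f"5 GHz costs {band_penalty_db():.1f} dB more than 2.4 GHz at every distance")
    for d in (1, 3, 10, 30):
        r24 = expected_rssi_dbm(tx, d, 2.437)
        r5 = expected_rssi_dbm(tx, d, 5.18)
        print(f"{d:>3} m free space: ch6 {r24:6.1f} dBm   ch36 {r5:6.1f} dBm")
    # The same -60 dBm reading under three plausible exponents: ~98 m, ~21 m, ~10 m.
    for n, dist in same_reading_distances(-60.0, tx, 2.437).items():
        print(f"-60 dBm with n={n}: about {dist:.1f} m")
```

The roughly 6.5 dB gap between channel 6 and channel 36 is constant with distance, so a 5 GHz reading that matches a 2.4 GHz reading is coming from somewhere closer; the spread in the last loop is why the article treats RSSI as a bearing aid rather than a ruler.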
The difficulty of physically locating an AP depends largely on the environment. Some environments induce a plethora of wave behaviors that complicate the process. A strong grasp of the fundamentals of wave behavior is integral to locating a target quickly: it lets a penetration tester use techniques that turn wave behavior to their advantage, and it helps them avoid being misled by its deceptive effects. That means less time running around a site hunting for devices, more success locating rogue APs, and a better assessment of whether the placement of the scoped APs leaves them at risk of easy physical access by a malicious actor.
Conner brings 6+ years of military cyber operations experience and served as a Cyber Operations Specialist with the work roles of Special Activities Team (SAT) Technician, Expeditionary Cyber Operator (ECO), Information Operations Operator, and Pilot Operator. Conner emulates malicious actors and provides the customer with the knowledge necessary to prevent a security incident before it happens – Simulating Real World Attacks – Before they Become Real…