Using Wave Behavior to Locate Wireless Access Points and Devices

The following article explores how wave behaviors can be used during a wireless penetration test to locate wireless access points and devices.

Background

  • Radio Frequencies (RF) are a range of electromagnetic frequencies (EMF) that cellular, WiFi, Bluetooth, and other telecommunication technologies are built upon. Radio waves have numerous ways of interacting with an environment. These forms of interaction are referred to as “wave behaviors.” The commonly known forms of wave behavior include absorption, reflection, refraction, and diffraction.

    • Absorption: The incoming waves strike a substance that stops or attenuates the signal. Typically, the energy of the wave is dissipated in the form of heat after causing atoms to vibrate. Water is well known for absorbing radio waves.
    • Reflection: Incoming waves bounce off a material or substance. Mirrors are common examples of reflection.
    • Refraction: Waves pass through a medium but exit at a different angle than they entered. A common example of refraction is a pencil in a glass of water. The pencil enters the water at one angle, but the refracted light makes the pencil appear bent.
    • Diffraction: An incoming wave can warp or bend around the edge of objects. An easy-to-understand example of this is a boulder in the ocean. When a strong wave hits a boulder, some water shoots up and over the boulder, while some curves around the sides. Radio waves respond similarly to certain structures, typically stone or concrete buildings and roads.

Identifying Wireless Access Points

When performing a wireless penetration test, it is often important to physically locate and identify scoped wireless access points (APs) and potential rogue APs. Finding these access points can be difficult in larger testing sites and requires a degree of skill. Accounting for wave behavior can often make or break attempts to locate APs. Received Signal Strength Indicator (RSSI) is the primary indicator of proximity to wireless devices. In airodump-ng it is displayed under the label PWR. RSSI is measured in dBm (decibel-milliwatts). Measurements are represented as negative numbers; the stronger the RSSI, the closer to 0. In practice, anything higher (closer to zero) than -30 means you are likely close enough to touch the device. Below is an airodump-ng capture taken with an antenna inches from a cellphone’s wireless hotspot.
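As an added example (not part of the original article), the following Python parses the AP table of an airodump-ng CSV export, reads the Power column that the article refers to as PWR, and labels each AP with the proximity bands given above (above -30 dBm, below -70 dBm) plus the band implied by its channel. The CSV excerpt is constructed for illustration; the column layout follows airodump-ng's CSV format (BSSID, channel, Power and ESSID in columns 0, 3, 8 and 13).

```python
import csv

# Constructed airodump-ng style CSV excerpt (not a real capture). airodump-ng
# writes the AP table first, then a blank line, then the station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2023-01-05 10:00:00, 2023-01-05 10:05:00,  6,  54, WPA2, CCMP, PSK, -28,  120,  0,   0.  0.  0.  0,   7, Hotspot, 
66:77:88:99:AA:BB, 2023-01-05 10:00:00, 2023-01-05 10:05:00, 36, 867, WPA2, CCMP, PSK, -55,   90,  0,   0.  0.  0.  0,   9, CorpWiFi5, 
CC:DD:EE:FF:00:11, 2023-01-05 10:00:00, 2023-01-05 10:05:00,  1,  54, OPN, , , -78,   10,  0,   0.  0.  0.  0,  10, FreeCoffee, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

def classify_rssi(dbm):
    """Proximity bands from the article: above -30 dBm is touching distance,
    below -70 dBm means far away or an obstruction is attenuating the signal."""
    if dbm > -30:
        return "touching distance"
    if dbm < -70:
        return "far or obstructed"
    return "intermediate"

def band_from_channel(channel):
    """Channels 1-14 are 2.4GHz; everything higher is treated as 5GHz."""
    return "2.4GHz" if 1 <= channel <= 14 else "5GHz"

def parse_airodump_aps(text):
    """Return the AP table rows as dicts, strongest PWR first."""
    ap_lines = []
    for line in text.splitlines():
        if not line.strip():
            if ap_lines:        # AP table finished; station table follows
                break
            continue            # skip any leading blank line
        ap_lines.append(line)
    reader = csv.reader(ap_lines, skipinitialspace=True)
    next(reader)                # header row
    aps = []
    for row in reader:
        if len(row) < 14:
            continue
        power = int(row[8])
        if power == -1:         # airodump-ng uses -1 when no RSSI was readable
            continue
        channel = int(row[3])
        aps.append({"bssid": row[0], "essid": row[13], "channel": channel,
                    "band": band_from_channel(channel), "rssi_dbm": power,
                    "proximity": classify_rssi(power)})
    return sorted(aps, key=lambda a: a["rssi_dbm"], reverse=True)
```

Running `parse_airodump_aps(SAMPLE_CSV)` lists the hotspot first with "touching distance", the 5GHz corporate AP as "intermediate", and the open AP as "far or obstructed".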

Figure 1: Strong RSSI - Close Proximity to Target

Next is an example of weak RSSI, meaning your antenna is far from the target. In practice, anything lower than -70 indicates that you are either far from the target or have obstructions attenuating the signal.

Figure 2: Weak RSSI - Further from Target

RSSI is a good indicator of proximity, particularly in open environments with few obstructions. Unfortunately, due to the complexity and diverse use of materials in modern buildings, it is not always as simple as following strong RSSI and avoiding weak RSSI. For the remainder of this article, we will discuss how to use the physics of the various wave behaviors to locate and identify APs.

How to use the physics of the various wave behaviors to locate and identify Access Points

Absorption is one of the easiest to implement and most directly applicable wave behaviors that can be used to find and locate an AP. Water is a potent material for absorbing radio waves. Fortunately, humans are about 70% water, meaning your body can be a crucial element in your wireless penetration testing toolkit. By placing your body, or sometimes even just a hand, in front of your antenna and observing the loss of signal strength, you can estimate the target’s general direction. The greater the loss in RSSI, the more likely the target is in the direction your hand or body was blocking. This technique is helpful in quickly narrowing down the potential direction of a device without having to physically walk through every part of a building. Oftentimes it is used to determine which direction of a hallway to walk down. Concrete walls are also fairly absorbent and can significantly attenuate signals. Knowing this, if you experience a sharp decline in signal strength after rounding a corner where a concrete or cinder-block wall replaces drywall, then it is likely that the target AP is on the opposite side of that wall.
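The body-blocking sweep described above, as an added example that is not part of the original article: several RSSI samples are taken unobstructed, then several with a hand or body blocking each side of the antenna, and the side with the largest median drop is reported. The readings are constructed, and the 5 dB minimum drop and 3 dB margin between the best and second-best direction are assumed thresholds chosen to keep normal RSSI jitter from producing a false bearing.

```python
from statistics import median

# Constructed readings (dBm) for one target BSSID; not from a real survey.
# "baseline" is the unobstructed antenna; each direction holds samples taken
# while a hand or body blocked the antenna on that side.
SWEEP = {
    "baseline": [-52, -53, -51, -52],
    "north": [-54, -53, -55, -54],
    "east": [-61, -63, -62, -60],
    "south": [-52, -54, -53, -52],
    "west": [-55, -54, -56, -55],
}

def rssi_drop_per_direction(sweep):
    """Median RSSI loss (dB) for each blocked direction relative to baseline.
    Medians are used so one noisy sample cannot swing the result."""
    base = median(sweep["baseline"])
    return {d: base - median(v) for d, v in sweep.items() if d != "baseline"}

def estimate_direction(sweep, min_drop_db=5.0, min_margin_db=3.0):
    """Return the direction whose blocking caused the largest RSSI loss, or
    None when the loss is within normal jitter (assumed 5 dB) or no single
    direction clearly stands out from the runner-up (assumed 3 dB margin)."""
    drops = rssi_drop_per_direction(sweep)
    ranked = sorted(drops.items(), key=lambda kv: kv[1], reverse=True)
    best, best_drop = ranked[0]
    runner_up_drop = ranked[1][1] if len(ranked) > 1 else 0.0
    if best_drop < min_drop_db or best_drop - runner_up_drop < min_margin_db:
        return None
    return best

if __name__ == "__main__":
    for direction, drop in rssi_drop_per_direction(SWEEP).items():
        print(f"{direction:>6}: {drop:+.1f} dB loss when blocked")
    print("likely bearing:", estimate_direction(SWEEP) or "inconclusive")
```

Blocking the east side of the antenna costs about 9.5 dB while the other sides lose 3 dB or less, so the target is most likely to the east; a sweep where every drop stays under the threshold returns None rather than a guess.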

Understanding reflection can also help in locating access points. Many materials can be reflective. Mirrors and most metals are reflective, and some polishes or finishes can make otherwise permeable or absorptive surfaces reflective of RF. Reflection can oftentimes be deceptive and lead a penetration tester into spending time investigating a location that turns out to be a false positive. Concave reflective surfaces create something called a focal point. When situated at or near a focal point, the signal strength will be stronger than it is either closer to or further from the concave reflective surface. This can lead a penetration tester to believe they are standing near the target, even if they are a fair distance away.

Fortunately, it is uncommon (though not extremely rare) to encounter a concave reflective surface large enough to create a focal point capable of deceiving a penetration tester.

A more common example would be a reflective wall (typically metal) or mirror. A reflective wall, depending on the angle, can bounce the signal of an AP from one hallway down a different hall. If approaching from the latter hallway, the penetration tester would experience stronger RSSI as they approached the wall. A penetration tester could reasonably presume that the AP must be on the opposite side of the wall that they are picking up a strong signal from. A tester with a solid understanding of reflection as a wave behavior would note the material of the wall, posit that reflection was in play, look for possible directions the signal could be coming from, and find the AP more expediently.

Despite being very common, refraction is not as evidently applicable to a penetration tester as absorption or reflection. Refraction becomes significantly more impactful in long-distance site-to-site connections. Rain, fog, humidity, pressure, temperature, and other factors can induce refractive behavior, the effect of which is exacerbated by distance. Keeping this in mind can be helpful for a penetration tester conducting a wireless assessment of a large outdoor footprint, but in most cases, it does not apply. Regarding smaller, mostly indoor environments, it can be useful to note that all sorts of materials, including drywall, wood, plastic, and windows, elicit refractive wave behavior. A pentester should keep in mind that receiving a strong signal in front of a window does not inherently mean that the AP or target device is directly in front of them, on the other side of that window. Refraction could be taking place and altering the angle of the signal. Additionally, if the rest of the building is made of stone or cinder-block, diffraction could be pushing signal through the windows.

Diffraction plays a huge factor in the interactions between RF and the local environment, especially in urban or mountainous locations. Thick stone, brick, and cinder-block are common materials that cause diffraction. Within a building, diffraction can “push” signal through hallways, and out doorways or windows. This can create some interesting scenarios depending on the layout of a building and the placement of APs. For example, in a stone hallway aligned in the North-South direction, a penetration tester could get a stronger signal from the north end of the hall despite the AP being on the south end of the building on the other side of the wall. In a diffraction-heavy environment like the one just described, the presence of thick metal doors could also create a scenario where the “flow” of RF can drastically change whether doors are open or closed.

Dead Zones

It is also important to remember that diffraction can create something called a dead zone. A dead zone is an area with little to no signal on the outer side of a diffractive object. For example, picture an AP behind a stone wall with a window about two feet above head height running the length of the wall. Diffraction from the wall will cause the signal exiting the window to follow several different angles. Most of the RF waves will push straight out of the window with a decreasing gradient of signal strength when approaching the external face of the wall until there is little to no signal. This creates both a dead zone next to the wall and a “sweet spot” several meters away from the wall. A tester may become deterred by the lack of signal near the wall and follow the increasing signal to the “sweet spot” leading them in the opposite direction of the AP. Understanding this principle can be crucial to finding an AP in a timely manner.

2.4GHz vs 5GHz

One final note a penetration tester should keep in mind is that diffraction is heavily influenced by the wavelength of the signal: 2.4GHz WiFi diffracts more easily and retains power significantly better than the 5GHz band. This means that 5GHz signal can be “trusted” to a greater degree in environments where diffraction is abundant. For this reason, it is recommended to listen on both frequency bands. Use the 2.4GHz band to get a broad approximate location and the 5GHz band to do the more precise locating. Bluetooth can also be used for ultra-precise identification but is rarely required, as the 5GHz band is typically more than accurate enough to get the job done.

Conclusion

The difficulty of physically locating an AP is largely dependent on the environment. Some environments induce a plethora of wave behaviors that can complicate the process. Having a strong understanding of the fundamentals of wave behavior can be integral to the timely and expedient location of a target. Knowledge of wave behavior allows a penetration tester to use techniques that exploit wave behavior in their favor. Additionally, understanding the fundamentals of radio waves can help them avoid the deceptive effects of wave behaviors. This can help a tester spend less time running around a site hunting for devices, allowing them to successfully locate rogue APs and assess the security of the placement of scoped APs, including whether they are at risk of easy physical access by a malicious actor.

Conner Buell

Conner brings 6+ years of military cyber operations experience and served as a Cyber Operations Specialist with the work roles of Special Activities Team (SAT) Technician, Expeditionary Cyber Operator (ECO), Information Operations Operator, and Pilot Operator. Conner emulates malicious actors and provides the customer with the knowledge necessary to prevent a security incident before it happens – Simulating Real World Attacks – Before they Become Real…
