
ECSAv10-Module-10-Wireless-Penetration-Testing-Methodology

EC-Council Certified Security Analyst
Methodology: Wireless Network Penetration Testing
Penetration Tester:
Organization:
Date:
Location:
Confidential
1
Template WNPT/13
EC-Council
EC-Council Certified Security Analyst
WLAN Penetration Testing
Test 1: Discover the wireless networks
Target Organization:
URL:
Technique Used:
Access Points Discovered:
Data of Discovered Access Points (SSID | BSSIDs | Encryption Technique | Beacon Strength):
1.
2.
3.
4.
5.
6.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Confidential
2
Template WNPT/13 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Test 2: Detect hidden SSIDs
Target Organization:
URL:
SSIDs Discovered on Interface:
1.
2.
3.
4.
5.
Hidden SSIDs:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 3: Check physical security of the AP
Target Organization:
URL:
Physical Location of Authorized APs:
Physical Access to APs Is Controlled: YES / NO
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 4: Detect wireless connections
Target Organization:
URL:
Scanning Methodologies:
Wireless Connections Detected using Active Scanning:
1.
2.
3.
Wireless Connections Detected using Passive Scanning:
1.
2.
3.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 5: Sniff the traffic between the AP and linked devices
Target Organization:
URL:
Information gathered from Sniffed Traffic
Access points (BSSID | PWR | Beacons | #Data | CH | HB | ENC | ESSID):
Stations (BSSID | STATION | PWR | Packets | Probes):
Others:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 6: Create ad hoc associations with the unsecured AP
Target Organization:
URL:
Ad Hoc Mode used: YES / NO
Ad Hoc Association to Unsecured AP: YES / NO
Enterprise Client Operating in Ad Hoc Mode:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 7: Create a rogue access point, and try to create a promiscuous client
Target Organization:
URL:
Location of Rogue Access Point:
SSID Broadcast Disabled: YES / NO
AP behind Firewall: YES / NO
Promiscuous Client Creation Successful: YES / NO
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 8: Use a wireless honeypot to discover vulnerable wireless clients
Target Organization:
URL:
Discovered Vulnerable Wireless Clients: YES / NO
1. Captured any email or FTP connections: YES / NO
2. Able to Access the User’s File Shares: YES / NO
3. Captured login credentials via captive portal or spoofed DNS caching: YES / NO
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 9: Perform a Denial-of-Service Attack (De-authentication Attack)
Target Organization:
URL:
“de-authenticate” command syntax used:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 10: Attempt rapid traffic generation
Target Organization:
URL:
Source MAC:
Destination MAC:
BSSID:
Hosts on a bridged LAN:
Hosts on a wired LAN:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 11: Jam the signal
Target Organization:
URL:
Device used to jam the signal:
Frequency used to jam the signal:
List of access points discovered:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 12: Attempt single-packet decryption
Target Organization:
URL:
Source MAC address:
Destination MAC address:
Command syntax used:
  First Pass:
  Second Pass:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 13: Perform a fragmentation attack
Target Organization:
URL:
Packets received from AP: YES / NO
Obtained 1500 bytes of PRGA: YES / NO
Injection Attacks:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 14: Perform an ARP poisoning attack
Target Organization:
URL:
IP Address of ARP:
MAC Address of ARP:
ARP Poisoning Attack Successful: YES / NO
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 15: Try to inject the encrypted packet
Target Organization:
URL:
Auth Frame:
  Auth Type:
  Share Key:
  BSSID:
  Source MAC:
Command syntax used:
Data read from prgafile.dat:
1. BSSID:
2. Source MAC:
3. IV:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 16: Crack static WEP keys
Target Organization:
URL:
Information gathered by Cracking Static WEP Keys
BSSID:
PWR:
RXQ:
Beacons:
#Data:
CH:
MB:
ENC:
CIPHER:
AUTH:
ESSID:
Others:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 17: Crack WPA-PSK keys
Target Organization:
URL:
Command used to Monitor Traffic:
Command used to Collect Traffic Data:
Information gathered by Cracking WPA-PSK Keys
BSSID:
PWR:
RXQ:
Beacons:
#Data:
CH:
MB:
ENC:
CIPHER:
AUTH:
ESSID:
Others:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 18: Crack WPA/WPA2 Enterprise Mode
Target Organization:
URL:
Man-in-the-Middle (MITM) Attack Successful: YES / NO
Captured and Recovered Login Credentials: YES / NO
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 19: Crack WPS PIN
Target Organization:
URL:
Wireless Router Susceptible to WPS PIN: YES / NO
Cracked WPS PIN:
1.
2.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 20: Check for MAC filtering
Target Organization:
URL:
Target Access Point used MAC Filtering: YES / NO
Fake Auth Commands:
Authentication Successful: YES / NO
Association Successful: YES / NO
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 21: Spoof the MAC address
Target Organization:
URL:
Name of the SSID tested:
Spoofed MAC Address:
1.
2.
3.
4.
5.
New MAC Address and Vendor Settings:
MAC Filtering Active: YES / NO
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 22: Create a direct connection to the wireless access point
Target Organization:
URL:
DHCP Enabled
  Wireless AP: YES / NO
  Laptop: YES / NO
IP Address of Wireless AP:
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 23: Attempt an MITM attack
Target Organization:
URL:
Victim IP Address:
Victim MAC Address:
MITM IP Address:
MITM MAC Address:
Interesting Packets Captured:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 24: Test for wireless driver vulnerabilities
Target Organization:
URL:
Wireless Adapter | Device Drivers | Associated Vulnerabilities
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
RFID Penetration Testing
Test 1: Perform Reverse Engineering
Target Organization:
URL:
RFID Reverse Engineering Successful: YES / NO
Information Collected:
1.
2.
3.
4.
Methods/Techniques Used:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 2: Perform Power Analysis Attack
Target Organization:
URL:
Performed Power Analysis Attack Successfully: YES / NO
RFID Card Receives:
  Correct Password Bits: YES / NO
  Incorrect Password Bits: YES / NO
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 3: Perform Eavesdropping
Target Organization:
URL:
Eavesdropping the Legitimate Transmission between the RFID Tag and the Reader Successful: YES / NO
Information Obtained:
1.
2.
3.
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 4: Perform an MITM Attack
Target Organization:
URL:
Interception of the Communication between the RFID Tag and the Reader Successful: YES / NO
Data Transmitted in Clear Text: YES / NO
Information Recovered:
1.
2.
3.
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 5: Perform a DoS Attack
Target Organization:
URL:
Performed DoS Attack Successfully against:
1. RFID Tag: YES / NO
2. RFID Reader: YES / NO
3. Backend Server: YES / NO
Techniques Used:
1. Jamming: YES / NO
2. Interference: YES / NO
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 6: Perform RFID Cloning/Spoofing
Target Organization:
URL:
Captured Data from the Legitimate RFID Tag and Created a Clone of it using a New Chip Successfully: YES / NO
Overwritten Existing RFID Tag Data with the Spoofed Data (Obtained by Eavesdropping) Successfully: YES / NO
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 7: Perform an RFID Replay Attack
Target Organization:
URL:
Intercepted Communication between the RFID Reader and Tag, and Captured an RFID Signal Successfully: YES / NO
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 8: Perform a Virus Attack
Target Organization:
URL:
Injected Infective Viruses to the Memory Space of RFID Tags Successfully: YES / NO
Compromised Backend RFID Middleware Systems via an SQL Injection Attack: YES / NO
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
NFC Penetration Testing
Test 1: Perform Eavesdropping
Target Organization:
URL:
Eavesdropping the Communication between NFC Devices Successful: YES / NO
Information Obtained:
1.
2.
3.
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 2: Perform a Data Modification Attack
Target Organization:
URL:
Interfered with the NFC Data Exchange Successfully: YES / NO
Information Obtained:
1.
2.
3.
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 3: Perform Data Corruption Attack
Target Organization:
URL:
Performed Data Corruption Attack Successfully: YES / NO
Techniques Used:
1. Jamming: YES / NO
2. Interference: YES / NO
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 4: Perform an MITM Attack
Target Organization:
URL:
Eavesdropped, Manipulated, and Transmitted the Data to the NFC Reader Successfully: YES / NO
Devices/Tools Used:
1.
2.
3.
4.
Results Analysis:
Mobile Penetration Testing
Test 1: Rooting the Android Phones
Target Organization:
URL:
Target Android Phone:
Android Phone rooted Successfully: YES / NO
Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 2: Jailbreaking iPhones
Target Organization:
URL:
Target iPhone:
iPhone jailbroken Successfully: YES / NO
Tools Used:
1.
2.
3.
4.
Results Analysis:
Test 3: Intercept HTTP Requests Sent from Phone Browser/Applications
Target Organization:
URL:
Interception of HTTP Requests Successful: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 4: Intercept HTTP Requests using Proxy when Using Android Emulator
Target Organization:
URL:
Interception of HTTP Requests when using Android Emulator Successful: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 5: Intercept HTTP Requests using Proxy on iPhone
Target Organization:
URL:
Interception of HTTP Requests using Proxy on iPhone Successful: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 6: Intercept HTTP Requests using Proxy on iOS Simulator
Target Organization:
URL:
Interception of HTTP Requests using Proxy on iOS Simulator Successful: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 7: Intercept iOS Traffic using Burp Suite
Target Organization:
URL:
Interception of iOS traffic using Burp Suite Successful: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 8: Sniff the Traffic using Wireshark
Target Organization:
URL:
Sniffing Traffic Using Wireshark Successful: YES / NO
Authorization Tokens Sent in Clear Text: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 9: Sniff the Traffic Using FaceNiff
Target Organization:
URL:
Sniffing and intercepting web session profiles over the Wi-Fi Using FaceNiff Successful: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 10: Setting Up the Environment for Android Apps Penetration Testing
Target Organization:
URL:
Is Android Apps Penetration Testing performed on the same mobile phone: YES / NO
Is Android Apps Penetration Testing performed using Android Emulator: YES / NO
Installed Android Studio: YES / NO
Is Android Emulator configured and launched: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 11: Identify Whether Android is Rooted or Not
Target Organization:
URL:
Commands Used to Identify Whether Android is Rooted or Not:
1.
2.
3.
4.
Android is Rooted: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 12: Test for Application Least Privilege
Target Organization:
URL:
AndroidManifest.xml file of target application obeys Least Privilege Principle: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 13: Explore Installed Packages on Android Phone with Package Play
Target Organization:
URL:
Exploring Installed Packages on Android Phone with Package Play Successful: YES / NO
Installed Package Details Viewed:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 14: Perform Intent Sniffing
Target Organization:
URL:
Sniffing Android App Intents Successful: YES / NO
Information Recovered:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 15: Test Android App using Intent Fuzzer
Target Organization:
URL:
Testing Android App Using Intent Fuzzer Successful: YES / NO
Bugs Found | Related Consequences
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 16: Test whether Application Stores Any Sensitive Information
Target Organization:
URL:
Target Mobile Phone:
Application Insecurely Stores any Sensitive Information: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 17: Test whether Log of Application Reveals Any Sensitive Information
Target Organization:
URL:
Target Mobile Phone:
Application Log Reveals any Sensitive Information: YES / NO
Command Used:
Command Syntax:
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 18: Try to Reverse Engineer the Android Application
Target Organization:
URL:
Reverse Engineering the Android App Successful: YES / NO
Information Collected from the Source Code:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 19: Try to Discover the Processes Running on the Android Device
Target Organization:
URL:
Commands Used:
1.
2.
3.
4.
5.
Processes Running on the Android Device:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 20: Try to Discover the System Calls Made by Processes
Target Organization:
URL:
Commands Used:
1.
2.
3.
4.
5.
System Calls made by Processes:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 21: Check for Sensitive Data on SD card
Target Organization:
URL:
Commands Used:
1.
2.
3.
4.
5.
Information Collected from SD Card:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 22: Test whether SQLite Database Reveals any Sensitive Data
Target Organization:
URL:
Commands Used:
1.
2.
3.
4.
SQLite Database Reveals Sensitive Data on Android: YES / NO
Information Collected from SQLite Database:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 23: Perform a DoS Attack on Android Phone
Target Organization:
URL:
DoS Attack on Android Phone Successful: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 24: Find and Exploit Android app Vulnerabilities using Drozer
Target Organization:
URL:
Exploiting Android App Vulnerabilities Using Drozer Successful: YES / NO
Information Collected:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 25: Conduct Penetration Testing using Smartphone Pentest Framework
Target Organization:
URL:
Android Device Security Assessment Using Smartphone Pentest Framework Successful: YES / NO
Device is Susceptible to Attacks:
1.
2.
3.
4.
Information Collected:
1.
2.
3.
4.
Results Analysis:
Test 26: Conduct Vulnerability Scanning using zANTI
Target Organization:
URL:
Scanning Android Device for Vulnerabilities using zANTI Successful: YES / NO
Vulnerabilities Found | Device is Susceptible to Attacks | Information Exposed
1.
2.
3.
4.
Results Analysis:
Test 27: Perform Android Penetration Testing using dSploit
Target Organization:
URL:
Android Device Penetration Testing Using dSploit Successful: YES / NO
Techniques Used:
1.
2.
3.
4.
Information Collected:
1.
2.
3.
4.
Results Analysis:
Test 28: Setting Up the Environment for iOS Apps Penetration Testing
Target Organization:
URL:
Is iOS Apps Penetration Testing performed on the same mobile iPhone: YES / NO
Is Android Apps Penetration Testing performed using iOS Simulator: YES / NO
Installed Xcode app development kit: YES / NO
Is iOS Simulator configured and launched: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 29: Identify whether iPhone Is Jailbroken or not
Target Organization:
URL:
iPhone is Jailbroken: YES / NO
Evidence Found:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 30: Inspect the Plist for Sensitive Information
Target Organization:
URL:
Commands Used:
1.
2.
3.
4.
Inspecting Plist File Successful: YES / NO
Information Collected:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 31: Investigate the Keychain Data Storage
Target Organization:
URL:
Contents of the iOS Keychain:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 32: Check the iPhone Logs for Leakage of Sensitive Information (Insecure Logging)
Target Organization:
URL:
Sensitive Information Collected from iPhone Logs:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 33: Explore and Look for Sensitive Files in iOS File System
Target Organization:
URL:
Sensitive Files found in iOS File System:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 34: Inspecting SQLite Databases
Target Organization:
URL:
Commands Used:
1.
2.
3.
4.
SQLite Database Reveals Sensitive Data on iPhone: YES / NO
Information Collected from SQLite Database:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 35: Inspect Error Application Logs
Target Organization:
URL:
Sensitive Information Collected from Error Application Logs:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 36: Inspect Device Logs
Target Organization:
URL:
Sensitive Information Collected from Device Logs:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 37: Look for Sensitive Data Cached in Snapshots
Target Organization:
URL:
Sensitive Information Collected from Snapshot Folder:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 38: Inspect Keyboard Cache
Target Organization:
URL:
Sensitive Information Collected from Keyboard Cache:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 39: Inspect cookies.binarycookies File for Leakage of Sensitive Information
Target Organization:
URL:
Sensitive Information Collected from cookies.binarycookies file:
1.
2.
3.
4.
5.
Tools/Services Used:
1.
2.
3.
4.
5.
Results Analysis:
Test 40: Check URL Schemes used by Applications
Target Organization:
URL:
Applications | URL Schemes Used | Validated Properly
1.   |   | YES / NO
2.   |   | YES / NO
3.   |   | YES / NO
4.   |   | YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 41: Check for Broken Cryptography
Target Organization:
URL:
Broken Cryptography Vulnerability Exists: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 42: Try to Reverse Engineer the iOS application
Target Organization:
URL:
Reverse Engineering the iOS App Successful: YES / NO
Information Collected from the Source Code:
1.
2.
3.
4.
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
IoT Penetration Testing
Test 1: Test an IoT Device for Insecure Web Interface
Target Organization:
URL:
Can Change the Default Login Credentials during Initial Product Setup: YES / NO
User Account is Locked after a Predefined Number of Failed Login Attempts: YES / NO
Found Valid Accounts using Password Recovery Mechanisms or New User Pages: YES / NO
Web Interface is Susceptible to XSS, CSRF, SQLi, etc.: YES / NO
Tools/Services Used:
1.
2.
3.
4.
Results Analysis:
Test 2: Test an IoT Device for Poor Authentication/Authorization
Target Organization:
URL:
Test for Poor Authentication:
Able to Login with Simple Passwords across all interfaces: YES / NO
Network Traffic Transmits Credentials in Clear Text: YES / NO
Re-authentication is Necessary for Sensitive Data: YES / NO
Device Accepts Weak Passwords or No Password: YES / NO
Tools/Services Used:
1.
2.
3.
Test for Poor Authorization:
Interfaces allow Separation of Roles: YES / NO
Able to Perform Privilege Escalation with the Current Access Controls: YES / NO
Tools/Services Used:
1.
2.
3.
Results Analysis:
Test 3: Test an IoT Device for Insecure Network Services

Target Organization:
URL:

Open Ports Identified    Associated Vulnerabilities    Possible Attacks
1.                       1.                            1.
2.                       2.                            2.
3.                       3.                            3.

Open Ports, if any, Exposed to the Internet via UPnP:   YES / NO

Tools/Services Used
1.
2.
3.
4.

Results Analysis:
Test 4: Test an IoT Device for Lack of Transport Encryption

Target Organization:
URL:

Information Associated with Network Traffic of the Device, its Mobile Application and any Cloud Connections is Sent in Clear Text:   YES / NO
SSL/TLS is Up-to-date and Properly Implemented:                                                                                      YES / NO
Encryption Protocols in Use are Recommended and Accepted:                                                                            YES / NO

Tools/Services Used
1.
2.
3.
4.

Results Analysis:
Test 5: Test an IoT Device for Privacy Concerns

Target Organization:
URL:

Nature of data collected by the device, its mobile app and any cloud interfaces (only data required for the functionality should be collected):
1.
2.
3.

Who has access to the personally identifiable information?
1.
2.
3.
4.

Tools/Services Used
1.
2.
3.
4.

Results Analysis:
Test 6: Test an IoT Device for Insecure Cloud Interface

Target Organization:
URL:

Can Change the Default Login Credentials during Initial Product Setup:              YES / NO
User Account is Locked after a Predefined Number of Failed Login Attempts:           YES / NO
Found Valid Accounts using Password Recovery Mechanisms or New User Pages:           YES / NO
Cloud Interface is Susceptible to XSS, CSRF, SQLi, etc.:                             YES / NO

Cloud Interfaces                    Associated Vulnerabilities
1. API Interfaces                   1.
                                    2.
2. Cloud-based Web Interfaces       1.
                                    2.

Tools/Services Used
1.
2.
3.
4.

Results Analysis:
Test 7: Test an IoT Device for Insecure Mobile Interface

Target Organization:
URL:

Can Change the Default Login Credentials during Initial Product Setup:              YES / NO
User Account is Locked after a Predefined Number of Failed Login Attempts:           YES / NO
Found Valid Accounts using Password Recovery Mechanisms or New User Pages:           YES / NO
Credentials are Exposed While Connected to Wireless Networks:                        YES / NO
Options for Two-factor Authentication are Available:                                 YES / NO

Tools/Services Used
1.
2.
3.
4.

Results Analysis:
Test 8: Test an IoT Device for Insufficient Security Configurability

Target Organization:
URL:

Administrative Interface of the Device has:
Options to strengthen security (e.g. creating strong passwords):                   YES / NO
Ability to separate admin users from normal users:                                 YES / NO
Options to encrypt data:                                                           YES / NO
Options to enable secure logging of various security events:                       YES / NO
Options to enable alerts and notifications to the end user for security events:    YES / NO

Tools/Services Used
1.
2.
3.
4.

Results Analysis:
Test 9: Test an IoT Device for Insecure Software/Firmware

Target Organization:
URL:

Update File Exposes Sensitive Data in Clear Text when Inspected with a Hex Editor:                                     YES / NO
Production File is Properly Encrypted using Well-established Algorithms and is Signed:                                 YES / NO
Cloud Update Server uses Up-to-date, Properly Configured Transport Encryption, and the Server Itself is not at Risk:    YES / NO
Device ensures Proper Validation of Signed Update Files:                                                               YES / NO

Tools/Services Used
1.
2.
3.
4.

Results Analysis:
Test 10: Test an IoT Device for Poor Physical Security

Target Organization:
URL:

Can Disassemble the Device and Gain Access to the Data Storage Mediums or Remove Them:                        YES / NO
Can Access the Data on Device via External Ports such as USB:                                                  YES / NO
All the Available Physical External Ports are Required for Proper Device Function:                             YES / NO
Can Deactivate External Ports from the Administrative Interface of the Device:                                 YES / NO
Can Limit Administrative Capabilities to Local Access only from the Administrative Interface of the Device:    YES / NO

Tools/Services Used
1.
2.
3.
4.

Results Analysis: